VirSCAN

1. You can upload any file up to 20 MB.
2. VirSCAN supports Rar/Zip decompression, but archives must contain fewer than 20 files.
3. VirSCAN can scan password
4. Upload failed. Please use Virscan Uploader.


Basic Information

File name: 00红海行动
File size: 415483
File type: application/x-dosexec
MD5: cf3b11f19737fa4245042b59af6d12ac
sha1: 533c96e38a23e47b9a38953c24eeee2324ae27f4

 CreateProcess

ApplicationName: C:\ProgramData\qleidb.exe
CmdLine:
childid: 1448
childname: qleidb.exe
childpath: C:\ProgramData\qleidb.exe
drop_type: 1
name: 1621222203890_cf3b11f19737fa4245042b59af6d12ac.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1621222203890_cf3b11f19737fa4245042b59af6d12ac.exe
pid: 1544
ApplicationName:
CmdLine:
childid: 1544
childname: 1621222203890_cf3b11f19737fa4245042b59af6d12ac.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1621222203890_cf3b11f19737fa4245042b59af6d12ac.exe
drop_type:
name:
noNeedLine:
path:
pid: 2780

 Summary

buffer: C:\ProgramData\qleidb.exe
processid: 1448
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
type: REG_SZ
valuename: Microsoft® Windows® Operating System

 Dropped_Save

analysis_result: Safe
create: 0
how: write
md5: a52d6cb53c4c31e9f5ad53a356adf9dd
name: Mira.h
new_size: 150KB (153811bytes)
operation: Modify file
path: C:\ProgramData\Saaaalamm\Mira.h
processid: 1544
processname: 1621222203890_cf3b11f19737fa4245042b59af6d12ac.exe
sha1: 4e9b2d208dc3c3a6e23decb0a7d7381c73f7b101
sha256: f6bc441488529eadccfef115d11fa10c5cb8cb125b6c08c52a2bbc144bd4f7d8
size: 153811
this_path: /data/cuckoo/storage/analyses/6000769/files/1001/Mira.h
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: ee4bd92d9182091fc294465053994672
name: $Recycle.Bin .exe
new_size: 308KB (315840bytes)
operation: Modify file
path: C:\$Recycle.Bin .exe
processid: 1448
processname: qleidb.exe
sha1: cafd16972f24facc07a9cf787a3eaaf6f1228f46
sha256: 8b8d5d18755d9645c9a0abfd8a3ac1625e86746b198e072552a34ea2368e0b9c
size: 315840
this_path: /data/cuckoo/storage/analyses/6000769/files/1002/$Recycle.Bin .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 90062a626354f6980ca5bdc3fdbe2487
name: Documents and Settings .exe
new_size: 308KB (315840bytes)
operation: Modify file
path: C:\Documents and Settings .exe
processid: 1448
processname: qleidb.exe
sha1: 8ba10486be309bd9e51094542a78275c3b425e48
sha256: e6499d4e95002ca0ede5103563abba7bba727c0db8a74c00eeabd9b018ece249
size: 315840
this_path: /data/cuckoo/storage/analyses/6000769/files/1003/Documents and Settings .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 890ad1985af399cded812805f804c734
name: mnlsx .exe
new_size: 405KB (415485bytes)
operation: Modify file
path: C:\mnlsx .exe
processid: 1448
processname: qleidb.exe
sha1: a49ca0e43f5ae649b66bbff2112d66a7cee2e579
sha256: 0ad72ba0ee1fdcf45883aba985827907e51e9f7e821a937b411672bf678b6af4
size: 415485
this_path: /data/cuckoo/storage/analyses/6000769/files/1004/mnlsx .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 812e0224a91835e602f29384962f09ae
name: MSOCache .exe
new_size: 405KB (415485bytes)
operation: Modify file
path: C:\MSOCache .exe
processid: 1448
processname: qleidb.exe
sha1: 61f0398a627a70d9ab818ba6c6104987fdd6def0
sha256: 9b195511ba30afac1dd27fd7ef064e2726836c85c5cbb82558d1539d364d7baa
size: 415485
this_path: /data/cuckoo/storage/analyses/6000769/files/1005/MSOCache .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 221eee3169b7a0ef256aaef3ff0a7bb0
name: mxwePBjfjZ .exe
new_size: 405KB (415485bytes)
operation: Modify file
path: C:\mxwePBjfjZ .exe
processid: 1448
processname: qleidb.exe
sha1: 7c6b09935787d27fb2cdbd4314291c9732d5b34d
sha256: 310710208328db4b8765e7fb890a68b55cc47f83117843e0e4dcc2bc4eeea4f0
size: 415485
this_path: /data/cuckoo/storage/analyses/6000769/files/1006/mxwePBjfjZ .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: b7570959f3266ef12643f9773f29fa0f
name: pagefile.sys .exe
new_size: 405KB (415485bytes)
operation: Modify file
path: C:\pagefile.sys .exe
processid: 1448
processname: qleidb.exe
sha1: 02e14e1537486c96addcc67d3616bc34a9c73669
sha256: eded735b73d95486db87e6ca150756624c2a8ea83620db7a6121e72ee4bd2023
size: 415485
this_path: /data/cuckoo/storage/analyses/6000769/files/1007/pagefile.sys .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: b649d7821298b9ea59c7577f43aad97e
name: PerfLogs .exe
new_size: 405KB (415485bytes)
operation: Modify file
path: C:\PerfLogs .exe
processid: 1448
processname: qleidb.exe
sha1: cb3a17c72afa0f4def65c62287fb092ce68e11b1
sha256: 4b892f235366b6be8732d41b6b559213855d1fe8a78752bd3beaea8a3899fe3f
size: 415485
this_path: /data/cuckoo/storage/analyses/6000769/files/1008/PerfLogs .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 9a334b468bbd88a99e3a13fd43c38139
name: Program Files .exe
new_size: 405KB (415485bytes)
operation: Modify file
path: C:\Program Files .exe
processid: 1448
processname: qleidb.exe
sha1: 4552c880499e3fc7c31e43260d577ff3415fe216
sha256: 389eca17fb8faf8279f9e9e3ee4548e42b46fe21b8e3a99c4f7d1e9448b74f0c
size: 415485
this_path: /data/cuckoo/storage/analyses/6000769/files/1009/Program Files .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 44e534937716f984af46ffaa884461db
name: Program Files (x86) .exe
new_size: 405KB (415485bytes)
operation: Modify file
path: C:\Program Files (x86) .exe
processid: 1448
processname: qleidb.exe
sha1: 43693a08cfb1481b45571dcc5e952409e4b0cccb
sha256: 2bd671bee5ab36eea5f936ca97ead2be89d9e201fe160e7d5196221696a08097
size: 415485
this_path: /data/cuckoo/storage/analyses/6000769/files/1010/Program Files (x86) .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: dd26282cc14a0a1f9160662ffabc14cb
name: ProgramData .exe
new_size: 405KB (415485bytes)
operation: Modify file
path: C:\ProgramData .exe
processid: 1448
processname: qleidb.exe
sha1: af40942b6c1e08a43c314c59cacd34942412214c
sha256: 6b9d8c96604c43f1586d6a918602ba41162efe1bf1335f8a9396c0c19a13314d
size: 415485
this_path: /data/cuckoo/storage/analyses/6000769/files/1011/ProgramData .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 53f91c6c3b8e9852c3437b67565750a6
name: Python27 .exe
new_size: 405KB (415485bytes)
operation: Modify file
path: C:\Python27 .exe
processid: 1448
processname: qleidb.exe
sha1: a38555deb945dfa6818d4880d737788633206c43
sha256: 95020b64eed4e748f4a1b10d740af067147a3695b8780e7ac88b7added731a74
size: 415485
this_path: /data/cuckoo/storage/analyses/6000769/files/1012/Python27 .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 8fa591077f87bc05c5dd25ef3b231f9b
name: Recovery .exe
new_size: 405KB (415485bytes)
operation: Modify file
path: C:\Recovery .exe
processid: 1448
processname: qleidb.exe
sha1: 3e577a79074c50adfaa6d0d1dc6a509072603b9c
sha256: a2788aa43c3a6cde416567509432168cdf52272b4ce744b82b78e2baf287265f
size: 415485
this_path: /data/cuckoo/storage/analyses/6000769/files/1013/Recovery .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: cb6083a6fecc2c3e30af9681b9764a9e
name: System Volume Information .exe
new_size: 405KB (415485bytes)
operation: Modify file
path: C:\System Volume Information .exe
processid: 1448
processname: qleidb.exe
sha1: 502eafc00571be9253d3cb0fe49078d3ae3ec473
sha256: 5302a4cc0c2fe215fe8d1e3c566a64f81dc895bde4fbe9799406e0e169928dd0
size: 415485
this_path: /data/cuckoo/storage/analyses/6000769/files/1014/System Volume Information .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 795198ec2695c3c02ef24750645aa5f2
name: Users .exe
new_size: 405KB (415485bytes)
operation: Modify file
path: C:\Users .exe
processid: 1448
processname: qleidb.exe
sha1: 7f1c789b218d8cfcb426cd6ef17e177a0dcf7099
sha256: 0610421dd24f59c067606a708f3f59dba13de3985e4e6df72131c19a1887af53
size: 415485
this_path: /data/cuckoo/storage/analyses/6000769/files/1015/Users .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 0e08f29adcbb84ad2d933380d7a8a5a6
name: VIVXOBMZCLDF .exe
new_size: 405KB (415485bytes)
operation: Modify file
path: C:\VIVXOBMZCLDF .exe
processid: 1448
processname: qleidb.exe
sha1: 0eda74fb89bcd8fc089318a4268793465313c811
sha256: 1bb5abac7a8e283afc92c3e89cea14b731928c82a04cc4ce870abf32a276c7dd
size: 415485
this_path: /data/cuckoo/storage/analyses/6000769/files/1016/VIVXOBMZCLDF .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 172a66b47091bb2a3c66d3e24bc12cf7
name: Windows .exe
new_size: 405KB (415485bytes)
operation: Modify file
path: C:\Windows .exe
processid: 1448
processname: qleidb.exe
sha1: e6be70a6c6a18262702e7215ba079cef05c0d686
sha256: d8b3857270db9294b2adea4191b9ebf07ba8522d2b3d5bb2ab4c441ffdf5d4cf
size: 415485
this_path: /data/cuckoo/storage/analyses/6000769/files/1017/Windows .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: ee4bd92d9182091fc294465053994672
name: $RECYCLE.BIN .exe
new_size: 308KB (315840bytes)
operation: Modify file
path: C:\$RECYCLE.BIN .exe
processid: 1448
processname: qleidb.exe
sha1: cafd16972f24facc07a9cf787a3eaaf6f1228f46
sha256: 8b8d5d18755d9645c9a0abfd8a3ac1625e86746b198e072552a34ea2368e0b9c
size: 315840
this_path: /data/cuckoo/storage/analyses/6000769/files/1018/$RECYCLE.BIN .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

 Dropped Unsave

analysis_result: Trojan.Win32.Agent.nezvfi
create: 0
how: write
md5: c39425932f81b5825b2fa33a25210a9d
name: qleidb.exe
new_size: 255KB (261662bytes)
operation: Modify file
path: C:\ProgramData\qleidb.exe
processid: 1544
processname: 1621222203890_cf3b11f19737fa4245042b59af6d12ac.exe
sha1: 68b90c7b70b5e4098f796eb9dd86d35fdb101453
sha256: 75baf4c85011d8e706298bf52306e9fa5cafec792854430eba52ff4bf0812fdb
size: 261662
this_path: /data/cuckoo/storage/analyses/6000769/files/1000/qleidb.exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

 Malicious

attck_tactics: Other malicious behavior
level: 1
matchedinfo: The malware changes memory protection attributes so that it can decrypt and execute malicious code in memory
num: 3
process_id: 1544
process_name: 1621222203890_cf3b11f19737fa4245042b59af6d12ac.exe
rulename: Set memory region to readable, writable and executable
attck_tactics: Basic information gathering
level: 1
matchedinfo: Searches for specific target files by enumerating the file system
num: 30
process_id: 1544
process_name: 1621222203890_cf3b11f19737fa4245042b59af6d12ac.exe
rulename: Enumerate files
attck_tactics: Defense evasion
level: 2
matchedinfo: Modifies the "show hidden files" setting in order to hide files
num: 180
process_id: 1544
process_name: 1621222203890_cf3b11f19737fa4245042b59af6d12ac.exe
rulename: Get hidden-file setting
attck_tactics: Persistence
level: 2
matchedinfo: The malicious program modifies the registry so that it starts automatically with the system, in order to maintain long-term control of, or residence on, the system
num: 8
process_id: 1448
process_name: qleidb.exe
rulename: Write autostart registry key, add autostart 2
attck_tactics: Basic information gathering
level: 1
matchedinfo: Searches for specific target files by enumerating the file system
num: 18
process_id: 1448
process_name: qleidb.exe
rulename: Enumerate files