Examples of Troj/Agent-QLE include:
Example 1
File Information
- Size: 88K
- SHA-1: 370ca54ac7d26774b1942126439c8aed35086124
- MD5: 5a40ab0e1a11a3d59884e7c43bdf7fe7
- CRC-32: 1239a5db
- File type: application/x-ms-dos-executable
- First seen: 2011-02-21
Example 2
File Information
- Size: 619K
- SHA-1: 5e026a236d19a8a949b754c899f4d736d72b65cb
- MD5: 3f69cf1c40fccf4e91bd5f013b598a95
- CRC-32: 5b2db3ed
- File type: application/x-ms-dos-executable
- First seen: 2011-02-21
Runtime Analysis
Dropped Files
- c:\Documents and Settings\test user\Local Settings\Temp\php_bcompiler.dll
- C:\WINDOWS\system32\php_bcompiler.dll
- c:\Documents and Settings\test user\Local Settings\Temp\php4ts.dll
  - Size: 1.6M
  - SHA-1: 33d32eafd23304ee053c647579aa4d9db97a2348
  - MD5: 572ad0eb355d5725904c5e9d74b1a696
  - CRC-32: 699bda8d
  - File type: application/x-ms-dos-executable
  - First seen: 2011-01-19
- c:\Documents and Settings\test user\Local Settings\Temp\hello.exe
  - Size: 88K
  - SHA-1: 370ca54ac7d26774b1942126439c8aed35086124
  - MD5: 5a40ab0e1a11a3d59884e7c43bdf7fe7
  - CRC-32: 1239a5db
  - File type: application/x-ms-dos-executable
  - First seen: 2011-02-21
- C:\WINDOWS\system32\FacebookSystems.exe
  - Size: 88K
  - SHA-1: 370ca54ac7d26774b1942126439c8aed35086124
  - MD5: 5a40ab0e1a11a3d59884e7c43bdf7fe7
  - CRC-32: 1239a5db
  - File type: application/x-ms-dos-executable
  - First seen: 2011-02-21
- C:\WINDOWS\system32\php4ts.dll
  - Size: 1.6M
  - SHA-1: 33d32eafd23304ee053c647579aa4d9db97a2348
  - MD5: 572ad0eb355d5725904c5e9d74b1a696
  - CRC-32: 699bda8d
  - File type: application/x-ms-dos-executable
  - First seen: 2011-01-19
- c:\Documents and Settings\test user\Local Settings\Temp\system.vbs
  - Size: 113
  - SHA-1: 05cb07bb6b488ce1514228fae4f97c2aeedbf965
  - MD5: bc15a89320bc1e20276f1bc1e32023c1
  - CRC-32: 7a2273be
  - File type: application/octet-stream
  - First seen: 2011-02-21
- C:\WINDOWS\system32\FacebookSystems.vbs
  - Size: 120
  - SHA-1: d61fe862d6241655a73697bc2cecb372e578be9c
  - MD5: 5efdc328cffa3444a5a00c4783aa9fdb
  - CRC-32: 78e12ef6
  - File type: application/octet-stream
  - First seen: 2011-02-21
- c:\Documents and Settings\test user\Local Settings\Temp\system.bat
Registry Keys Created
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
  - EnableLUA = 0x00000000
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
  - LogSessionName = stdout
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr
  - BitNames = NAP_TRACE_BASE NAP_TRACE_NETSH
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - FacebookSystems = C:\WINDOWS\system32\FacebookSystems.vbs
- HKLM\SOFTWARE\Microsoft\Security Center
  - UACDisableNotify = 0x00000001
- HKLM\SOFTWARE\Microsoft\Tracing\FWCFG
  - EnableFileTracing = 0x00000000
Processes Created
- c:\docume~1\support\locals~1\temp\hello.exe
- c:\windows\system32\attrib.exe
- c:\windows\system32\cmd.exe
- c:\windows\system32\net.exe
- c:\windows\system32\net1.exe
- c:\windows\system32\netsh.exe
- c:\windows\system32\reg.exe
- c:\windows\system32\wscript.exe
Example 3
File Information
- Size: 113
- SHA-1: 05cb07bb6b488ce1514228fae4f97c2aeedbf965
- MD5: bc15a89320bc1e20276f1bc1e32023c1
- CRC-32: 7a2273be
- File type: application/octet-stream
- First seen: 2011-02-21