VirSCAN

1, You can upload any file, but note the 20 MB limit per file.
2, VirSCAN supports ZIP and RAR archives containing fewer than 20 files
3, VirSCAN supports the standard passwords 'infected' and 'virus' for archives.
4, If your browser cannot upload files, please download the VirSCAN-Uploader.


Basic information

Filename: 00特搜战队刑事连者
File size: 420685
File type: application/x-dosexec
MD5: e6b568e7dbfab0929054d35aa0628f40
sha1: a17fd8efa9911f5b867a1b78c9f7dfe8ee544a7b

 CreateProcess

ApplicationName: C:\ProgramData\nefecl.exe
CmdLine:
childid: 3004
childname: nefecl.exe
childpath: C:\ProgramData\nefecl.exe
drop_type: 1
name: 1620579630275_e6b568e7dbfab0929054d35aa0628f40.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1620579630275_e6b568e7dbfab0929054d35aa0628f40.exe
pid: 892
ApplicationName:
CmdLine:
childid: 892
childname: 1620579630275_e6b568e7dbfab0929054d35aa0628f40.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1620579630275_e6b568e7dbfab0929054d35aa0628f40.exe
drop_type:
name:
noNeedLine:
path:
pid: 516

 Summary

buffer: C:\ProgramData\nefecl.exe
processid: 3004
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
type: REG_SZ
valuename: Microsoft® Windows® Operating System

 Dropped Safe

analysis_result: safe
create: 0
how: write
md5: a52d6cb53c4c31e9f5ad53a356adf9dd
name: Mira.h
new_size: 150KB (153811bytes)
operation: modify file
path: C:\ProgramData\Saaaalamm\Mira.h
processid: 892
processname: 1620579630275_e6b568e7dbfab0929054d35aa0628f40.exe
sha1: 4e9b2d208dc3c3a6e23decb0a7d7381c73f7b101
sha256: f6bc441488529eadccfef115d11fa10c5cb8cb125b6c08c52a2bbc144bd4f7d8
size: 153811
this_path: /data/cuckoo/storage/analyses/4000486/files/1001/Mira.h
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: safe
create: 0
how: write
md5: 982a6bd58f9b7d5d23d0e6f62e82a9ba
name: $Recycle.Bin .exe
new_size: 410KB (420687bytes)
operation: modify file
path: C:\$Recycle.Bin .exe
processid: 3004
processname: nefecl.exe
sha1: 5977bfaeac09cb6474f736ee608de251c4939b4c
sha256: 5e06010dbbd9e36d061afae6309c0ddd7ca50bc40c25446fa97729ff4ee45238
size: 420687
this_path: /data/cuckoo/storage/analyses/4000486/files/1002/$Recycle.Bin .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: safe
create: 0
how: write
md5: 11e965b0d981767e42098b86e8b86a7b
name: Documents and Settings .exe
new_size: 410KB (420687bytes)
operation: modify file
path: C:\Documents and Settings .exe
processid: 3004
processname: nefecl.exe
sha1: 37365f6fbf5c558fd87f58250045f8643fac7ee8
sha256: c31e41570376c8ea047cc4a3e09d085e6e2bb0dbf01b2278478e96935541bfb9
size: 420687
this_path: /data/cuckoo/storage/analyses/4000486/files/1003/Documents and Settings .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: safe
create: 0
how: write
md5: 4b7b5810459f7b676741e85e94209b0a
name: mnlsx .exe
new_size: 410KB (420687bytes)
operation: modify file
path: C:\mnlsx .exe
processid: 3004
processname: nefecl.exe
sha1: 723f7187bb376b0ec5a3c178e37ab67a4130af3a
sha256: 9d2193bab283a4ab0a91df42fff1e1dda82bd8788d75e8d6006ea04d2484b420
size: 420687
this_path: /data/cuckoo/storage/analyses/4000486/files/1004/mnlsx .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: safe
create: 0
how: write
md5: 23b21221acc3e812f04e5854cb7c4266
name: MSOCache .exe
new_size: 410KB (420687bytes)
operation: modify file
path: C:\MSOCache .exe
processid: 3004
processname: nefecl.exe
sha1: fb5b4874a7f2538a094146aae832039d7ba460ef
sha256: d8627db6cfdf12068c46f561bee0ba6b970aa27d42fa1838fad28b9674a87876
size: 420687
this_path: /data/cuckoo/storage/analyses/4000486/files/1005/MSOCache .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: safe
create: 0
how: write
md5: c1a9477bac5f589d0b3aa4d22fe387d6
name: pagefile.sys .exe
new_size: 410KB (420687bytes)
operation: modify file
path: C:\pagefile.sys .exe
processid: 3004
processname: nefecl.exe
sha1: 57177e1103209d1f32ae64f3afcee36400cff41a
sha256: e2fab01a8abb25bf78118747f1fb91f03012911f8561a431cc22f61e6c93d648
size: 420687
this_path: /data/cuckoo/storage/analyses/4000486/files/1006/pagefile.sys .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: safe
create: 0
how: write
md5: c9712bee6d2f3cbda1610c987086e9bd
name: PerfLogs .exe
new_size: 410KB (420687bytes)
operation: modify file
path: C:\PerfLogs .exe
processid: 3004
processname: nefecl.exe
sha1: 530dbf0787187dcebead02cf821fe37e0af19b75
sha256: 2b80753ef130cb19dd27b25323768750cfdb28ff150a39f6826156f9b52ad059
size: 420687
this_path: /data/cuckoo/storage/analyses/4000486/files/1007/PerfLogs .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: safe
create: 0
how: write
md5: d8ecbaafab8782229445758cc978db41
name: Program Files .exe
new_size: 410KB (420687bytes)
operation: modify file
path: C:\Program Files .exe
processid: 3004
processname: nefecl.exe
sha1: c78512d0a63b015ec302c96a7799603142b06243
sha256: 79b2fe452f5a7bbcd168c23fad8e2e101cf775047bab7a44b80e3cdb4d0fd603
size: 420687
this_path: /data/cuckoo/storage/analyses/4000486/files/1008/Program Files .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: safe
create: 0
how: write
md5: 0fa9ccf8cbbf30b6050b4d3fedc4610a
name: Program Files (x86) .exe
new_size: 410KB (420687bytes)
operation: modify file
path: C:\Program Files (x86) .exe
processid: 3004
processname: nefecl.exe
sha1: 8b955886f4e10c19fa513934fdacb0fc509cffcc
sha256: cecf9990c3ce1017eb037b46a0baf3a746725b83c8ae5223eae4484515c5ad09
size: 420687
this_path: /data/cuckoo/storage/analyses/4000486/files/1009/Program Files (x86) .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: safe
create: 0
how: write
md5: a30abfabb8c99fcc0dc4738762b8c75e
name: ProgramData .exe
new_size: 410KB (420687bytes)
operation: modify file
path: C:\ProgramData .exe
processid: 3004
processname: nefecl.exe
sha1: 209fc3436aefd2ccc1a2f9323b976e39d92a958d
sha256: 540f9af1b644abd2b2bc1d3c567f8a05c9444a9185d48ad95437b4b44ecef8b6
size: 420687
this_path: /data/cuckoo/storage/analyses/4000486/files/1010/ProgramData .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: safe
create: 0
how: write
md5: 480d400e21d9612d401e354c5e21db0c
name: Python27 .exe
new_size: 410KB (420687bytes)
operation: modify file
path: C:\Python27 .exe
processid: 3004
processname: nefecl.exe
sha1: 53d090f55d5437a5bed51e25f95260b30b6755c3
sha256: ab70a09d13efa6946e61070f586f5c680f473a8eca70434a96aa37c912d0c173
size: 420687
this_path: /data/cuckoo/storage/analyses/4000486/files/1011/Python27 .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: safe
create: 0
how: write
md5: 704a668654ebde11c0611d787cc5a70c
name: RBADPUCQFK .exe
new_size: 410KB (420687bytes)
operation: modify file
path: C:\RBADPUCQFK .exe
processid: 3004
processname: nefecl.exe
sha1: c90029e61355c1495ed72faf247cafdd41d1978d
sha256: b492f528e3d53a25530aac8de4a6dbb2de1f3d619201de665d909fd79648f40f
size: 420687
this_path: /data/cuckoo/storage/analyses/4000486/files/1012/RBADPUCQFK .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: safe
create: 0
how: write
md5: 48b1fdd1c286dcdd788bfe1ca1fd48d2
name: Recovery .exe
new_size: 410KB (420687bytes)
operation: modify file
path: C:\Recovery .exe
processid: 3004
processname: nefecl.exe
sha1: cf51bb9ddad6c1a241537572cf1e6c083ea5d727
sha256: c2cda515e017de053e01b29404d1d01b6dafd126c53348bb3bcfa65396e4f5e6
size: 420687
this_path: /data/cuckoo/storage/analyses/4000486/files/1013/Recovery .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: safe
create: 0
how: write
md5: b28a88be0d095560517e6ec42c0fd5ae
name: System Volume Information .exe
new_size: 410KB (420687bytes)
operation: modify file
path: C:\System Volume Information .exe
processid: 3004
processname: nefecl.exe
sha1: 904874c903cde7fd7ad8f854bf017353b247818e
sha256: 10ec72d702d546be0a7e97b37fb3900a00ba5d7a5748e195ccad12e3a2fe5bc8
size: 420687
this_path: /data/cuckoo/storage/analyses/4000486/files/1014/System Volume Information .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: safe
create: 0
how: write
md5: 37ed449e6a3013e47dd478cf176c866a
name: Users .exe
new_size: 402KB (412377bytes)
operation: modify file
path: C:\Users .exe
processid: 3004
processname: nefecl.exe
sha1: a17ba0932b4cfdefc4ece4a08a3eb4ab47a6178c
sha256: 3d1dfc6f00e4dd792f61035aa8b741260cc68ef9a41122c54a10105b766a4342
size: 412377
this_path: /data/cuckoo/storage/analyses/4000486/files/1015/Users .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

 Dropped Unsafe

analysis_result: Trojan.Win32.Agent.nezvfi
create: 0
how: write
md5: 6650ea463ec1135842d02ddd917ac1d7
name: nefecl.exe
new_size: 260KB (266864bytes)
operation: modify file
path: C:\ProgramData\nefecl.exe
processid: 892
processname: 1620579630275_e6b568e7dbfab0929054d35aa0628f40.exe
sha1: fce77ec965273117cc75557e54c99ab86c835aa9
sha256: 63bf8244ca16d215663402c346b2996f1505b3e47c7eb984bf7409fe4af227d0
size: 266864
this_path: /data/cuckoo/storage/analyses/4000486/files/1000/nefecl.exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

 Malicious

attck_tactics: Other malicious behaviour
level: 1
matchedinfo: The malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 3
process_id: 892
process_name: 1620579630275_e6b568e7dbfab0929054d35aa0628f40.exe
rulename: Change memory region to readable, writable and executable
attck_tactics: Basic information gathering
level: 1
matchedinfo: Searches for specified target files by enumerating files
num: 30
process_id: 892
process_name: 1620579630275_e6b568e7dbfab0929054d35aa0628f40.exe
rulename: Enumerate files
attck_tactics: Defense evasion
level: 2
matchedinfo: Modifies the "show hidden files" setting in order to hide files
num: 180
process_id: 892
process_name: 1620579630275_e6b568e7dbfab0929054d35aa0628f40.exe
rulename: Query hidden-file setting
attck_tactics: Persistence
level: 2
matchedinfo: The malware modifies the registry so that it starts automatically with the system, in order to maintain long-term control of or residence on the system
num: 8
process_id: 3004
process_name: nefecl.exe
rulename: Writes autostart registry key, adds autostart entry (2)
attck_tactics: 基础信息获取
level: 1
matchedinfo: Searches for specified target files by enumerating files
num: 18
process_id: 3004
process_name: nefecl.exe
rulename: Enumerate files