VirSCAN

1, You can upload any file, but note the 20 MB limit per file.
2, VirSCAN supports ZIP and RAR archives with fewer than 20 files in the archive.
3, VirSCAN supports the default passwords 'infected' and 'virus' for archives.
4, If your browser cannot upload files, please download the VirSCAN-Uploader.


Basic information

File name: 00终极教师
File size: 170144
File type: application/x-dosexec
MD5: e802b798485ff0b7f6c361e5ea17a488
sha1: e1b45ad3d872dd8837e3d2876ee4c113f847bb3b

 CreateProcess

ApplicationName:
CmdLine: C:\Users\ADMINI~1\AppData\Local\Temp\aJ4exi3XiILvDoD.exe
childid: 2300
childname: aJ4exi3XiILvDoD.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\aJ4exi3XiILvDoD.exe
drop_type: 2
name: 1620583225500_e802b798485ff0b7f6c361e5ea17a488.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1620583225500_e802b798485ff0b7f6c361e5ea17a488.exe
pid: 1428
ApplicationName: C:\Windows\CTS.exe
CmdLine:
childid: 932
childname: CTS.exe
childpath: C:\Windows\CTS.exe
drop_type: 1
name: 1620583225500_e802b798485ff0b7f6c361e5ea17a488.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1620583225500_e802b798485ff0b7f6c361e5ea17a488.exe
pid: 1428
ApplicationName:
CmdLine:
childid: 1428
childname: 1620583225500_e802b798485ff0b7f6c361e5ea17a488.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1620583225500_e802b798485ff0b7f6c361e5ea17a488.exe
drop_type:
name:
noNeedLine:
path:
pid: 1716

 Summary

buffer: C:\Windows\CTS.exe
processid: 1428
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
type: REG_SZ
valuename: CTS
buffer: C:\Windows\CTS.exe
processid: 932
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
type: REG_SZ
valuename: CTS

 Behavior_analysis

message: Attempts to evade sandbox detection by sleeping for a long time
name: Long sleep
szSubkey:
score: 2

 Dropped_Safe

analysis_result: Safe
create: 0
how: write
md5: 0d0b992d2d4b7619f49ee0458d3469b1
name: aJ4exi3XiILvDoD.exe
new_size: 140KB (143496bytes)
operation: Modify file
path: C:\Users\Administrator\AppData\Local\Temp\aJ4exi3XiILvDoD.exe
processid: 1428
processname: 1620583225500_e802b798485ff0b7f6c361e5ea17a488.exe
sha1: 5d9835b408a231902654d516b48843890f4130e5
sha256: 55c3f3f02b48a1e69d8b58d195c53f2d604acd890d09d7310272dcd289cf2d94
size: 143496
this_path: /data/cuckoo/storage/analyses/4000491/files/1000/aJ4exi3XiILvDoD.exe
type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

 Dropped_Unsafe

analysis_result: Trojan.Win32.Agent.neyndy
create: 0
how: write
md5: 286211b8e0aad0533c45d8b8c351cc70
name: CTS.exe
new_size: 26KB (26624bytes)
operation: Modify file
path: C:\Windows\CTS.exe
processid: 1428
processname: 1620583225500_e802b798485ff0b7f6c361e5ea17a488.exe
sha1: cb54a305a566c00742fb972c4ee62266e880ea78
sha256: 1955407b2fd523e375303d560b987216b95105b421a8471218c0b65ceba847f3
size: 26624
this_path: /data/cuckoo/storage/analyses/4000491/files/1001/CTS.exe
type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
analysis_result: Trojan.Win32.Agent.neyndy
create: 0
how: write
md5: 76be74faf7a1bb20c18e6fffd686fd06
name: setup.exe
new_size: 1263KB (1294176bytes)
operation: Modify file
path: C:\Users\Administrator\AppData\Local\Google\Chrome\Application\53.0.2785.89\Installer\setup.exe
processid: 932
processname: CTS.exe
sha1: c9ee0bd0708017187a429df7686aff395cad5c31
sha256: c4856344549c3a5126e7fb5d9e31207ad2b7fd0537982d36a17d3760ed6eede0
size: 1294176
this_path: /data/cuckoo/storage/analyses/4000491/files/1002/setup.exe
type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
analysis_result: Trojan.Win32.Agent.neyndy
create: 0
how: write
md5: 9487d6ded7f9a26fd0ea16f9df6482a9
name: nacl64.exe
new_size: 2413KB (2471776bytes)
operation: Modify file
path: C:\Users\Administrator\AppData\Local\Google\Chrome\Application\53.0.2785.89\nacl64.exe
processid: 932
processname: CTS.exe
sha1: a78175798e672f5340dae289690a709cb2b2d8db
sha256: ce1d050d395a9e28d0685e97b92545a8e33ffb0150115548cf1f3a3d09329c9c
size: 2471776
this_path: /data/cuckoo/storage/analyses/4000491/files/1003/nacl64.exe
type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
analysis_result: Trojan.Win32.Agent.neyndy
create: 0
how: write
md5: 2aa6264e66e23791bd03ae8314a4ca75
name: chrome.exe
new_size: 970KB (994144bytes)
operation: Modify file
path: C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
processid: 932
processname: CTS.exe
sha1: 2b5777cb7851ca4c888d149810a6cbc81e7018d1
sha256: 4befcdb82b81699ee80992635f93ed17542552bd349ecc94f258fe60abb64ba9
size: 994144
this_path: /data/cuckoo/storage/analyses/4000491/files/1004/chrome.exe
type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
analysis_result: Trojan.Win32.Agent.neyndy
create: 0
how: write
md5: 887ad1686f3345e6bd80723bcc332b10
name: PCHunter64[1].exe
new_size: 9MB (9560808bytes)
operation: Modify file
path: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HWT0WKJS\PCHunter64[1].exe
processid: 932
processname: CTS.exe
sha1: 52b69258c438eac89563bb905a26fc3cc66eb96f
sha256: 632da1f27eb64b88e7b99848fac1790b8c0a2f40c8b18bb9ab76c23c4405cec8
size: 9560808
this_path: /data/cuckoo/storage/analyses/4000491/files/1005/PCHunter64[1].exe
type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
analysis_result: Trojan.Win32.Agent.neyndy
create: 0
how: write
md5: 25ec0e9a990e2bfc138f620d4ad71848
name: 1620581448791_e6b6995c733800868a939a08ff9e021c.exe
new_size: 250KB (256536bytes)
operation: Modify file
path: C:\Users\Administrator\AppData\Local\Temp\1620581448791_e6b6995c733800868a939a08ff9e021c.exe
processid: 932
processname: CTS.exe
sha1: 43f146ecfe48e0a90cf0104dac68a9e07ede8f75
sha256: 2219763e03de793dbb569a3ae5f5255c386c833edcccaadc5ae44b301d96f8a5
size: 256536
this_path: /data/cuckoo/storage/analyses/4000491/files/1006/1620581448791_e6b6995c733800868a939a08ff9e021c.exe
type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
analysis_result: Trojan.Win32.Agent.neyndy
create: 0
how: write
md5: fdb5f0f9a97abcfc2d2444e83a3a5854
name: setup.exe
new_size: 1263KB (1294176bytes)
operation: Modify file
path: C:\Users\Administrator\AppData\Local\Temp\CR_41A3E.tmp\setup.exe
processid: 932
processname: CTS.exe
sha1: 2c0abe625c0432b3ff0d104d9f62386364591a9e
sha256: 634ee0e751db25a2e003d8246e127d462c3226f09807fd3803232bf9491e8c3e
size: 1294176
this_path: /data/cuckoo/storage/analyses/4000491/files/1007/setup.exe
type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
analysis_result: Trojan.Win32.Agent.neyndy
create: 0
how: write
md5: ded38805b443f0f40fff3225b73ec729
name: Au_.exe
new_size: 1007KB (1031232bytes)
operation: Modify file
path: C:\Users\Administrator\AppData\Local\Temp\wps\~151835\Au_.exe
processid: 932
processname: CTS.exe
sha1: 1af4a7a6464d06774b458b5dbf477e60276375fd
sha256: 34459be5dc36dcdd56f0d14e4efee382a27e202bd86353755eb18e5241a13e25
size: 1031232
this_path: /data/cuckoo/storage/analyses/4000491/files/1008/Au_.exe
type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
analysis_result: Trojan.Win32.Agent.neyndy
create: 0
how: write
md5: 5bcdd43ce578c9c44bcb54dfa9225d71
name: downloadtool.exe
new_size: 751KB (769184bytes)
operation: Modify file
path: C:\Users\Administrator\AppData\Local\Temp\wps\~4ba63\downloadtool.exe
processid: 932
processname: CTS.exe
sha1: 1c8ee9eff61f80c546818dedbf5344b7835a5dbd
sha256: 3383ffa911e4a1775817cccdbb2e64694cf9fcb0128d8b5b0770fe375eddc82c
size: 769184
this_path: /data/cuckoo/storage/analyses/4000491/files/1009/downloadtool.exe
type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
analysis_result: Trojan.Win32.Agent.neyndy
create: 0
how: write
md5: 9de0156cd33e27556c29ca4ad280f8f3
name: rcmmndd.exe
new_size: 315KB (322720bytes)
operation: Modify file
path: C:\Users\Administrator\AppData\Local\Temp\wps\~4ba63\rcmmndd.exe
processid: 932
processname: CTS.exe
sha1: 8ddfe707bcc6ba0fb5e80d0dfaddcf470f64b51e
sha256: ef346a045e2b33244a34fcb176c6338407568a419728b68a1fa6b30c201991ee
size: 322720
this_path: /data/cuckoo/storage/analyses/4000491/files/1010/rcmmndd.exe
type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
analysis_result: Trojan.Win32.Agent.neyndy
create: 0
how: write
md5: 85640576073ca3cd7f1f4483300b687d
name: wpsupdate.exe
new_size: 575KB (589080bytes)
operation: Modify file
path: C:\Users\Administrator\AppData\Roaming\kingsoft\office6\update\down\wpsupdate.exe
processid: 932
processname: CTS.exe
sha1: 187ff2ad3030e1721e5ea4b3c46777381d0a402d
sha256: 244d00e94990c97514966a8c603c6832d075c28777d7aab3c1c100bc5aca5151
size: 589080
this_path: /data/cuckoo/storage/analyses/4000491/files/1011/wpsupdate.exe
type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
analysis_result: Trojan.Win32.Agent.neyndy
create: 0
how: write
md5: 2a1b928f7a97f3cfed2cae664b501f45
name: wpsupdatesvr.exe
new_size: 163KB (167192bytes)
operation: Modify file
path: C:\Users\Administrator\AppData\Roaming\kingsoft\office6\update\down\wpsupdatesvr.exe
processid: 932
processname: CTS.exe
sha1: 79942ec02654f3b935bd39b3fcf0ce4de071b38d
sha256: 60e6f8c3d2a6beb33dc02c3428600a72b470f72dfb8fa5cd7a1de24791bc5ee7
size: 167192
this_path: /data/cuckoo/storage/analyses/4000491/files/1012/wpsupdatesvr.exe
type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
analysis_result: Trojan.Win32.Agent.neyndy
create: 0
how: write
md5: 51602c2ab43129a56b9f1b2c995591d4
name: kscreensaverapp.exe
new_size: 382KB (391328bytes)
operation: Modify file
path: C:\Users\Administrator\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\kscreensaver_1.0.0.32\kscreensaverapp.exe
processid: 932
processname: CTS.exe
sha1: a9f0c7063506a21bac65fabe070e2e373ca6e081
sha256: c9d247b5518c7975db2b7f53fcde148c520b9fffb3aae0bf6e9d23bb75288e21
size: 391328
this_path: /data/cuckoo/storage/analyses/4000491/files/1013/kscreensaverapp.exe
type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
analysis_result: Trojan.Win32.Agent.neyndy
create: 0
how: write
md5: 3c62f51580abf9d1b5a3f2f06f34ee5f
name: wpsrepair.exe
new_size: 630KB (645248bytes)
operation: Modify file
path: C:\Users\Administrator\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\wpsrepair_actqy_1.0.0.27\wpsrepair.exe
processid: 932
processname: CTS.exe
sha1: e4459fae8e143255c17e9df47a69c5e925852b81
sha256: 619ab9d2673822b95a7d04145b9fee2ff3b29fbcf8047f7f170a9e4f0728a2e1
size: 645248
this_path: /data/cuckoo/storage/analyses/4000491/files/1014/wpsrepair.exe
type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
analysis_result: Trojan.Win32.Agent.neyndy
create: 0
how: write
md5: 1433851d2388094fb38fe83533e7bde0
name: wpsrepair.exe
new_size: 627KB (642872bytes)
operation: Modify file
path: C:\Users\Administrator\AppData\Roaming\kingsoft\wps\addons\pool\win-i386\wpsrepair_qqlive_1.0.0.10\wpsrepair.exe
processid: 932
processname: CTS.exe
sha1: 7d4e2b0a1a78f36865eac87033b217bd78fe28d6
sha256: 834f58f5f08690d8f5be003f048877cb45b1b2ca0df9195457c373eb0bf7daef
size: 642872
this_path: /data/cuckoo/storage/analyses/4000491/files/1015/wpsrepair.exe
type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
analysis_result: Trojan.Win32.Agent.neyndy
create: 0
how: write
md5: f5cec6babeb3bfb9c34a1efc4dcc5267
name: winsysmaintenance.exe
new_size: 967KB (990336bytes)
operation: Modify file
path: C:\Users\Administrator\AppData\Roaming\Maintenance\winsysmaintenance.exe
processid: 932
processname: CTS.exe
sha1: b9ee8231dfd968590e6e131ea5dcfc8e232a00db
sha256: 2b5e11c9d0a69b5a94e3a5f4fc6d80af2f84df7e3f0ac2da2f3ed839c804cc8b
size: 990336
this_path: /data/cuckoo/storage/analyses/4000491/files/1016/winsysmaintenance.exe
type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

 Malicious

attck_tactics: Basic information gathering
level: 1
matchedinfo: The malware obtains the user's disk information in order to gather sensitive information
num: 4
process_id: 1428
process_name: 1620583225500_e802b798485ff0b7f6c361e5ea17a488.exe
rulename: Collect disk information
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Typically used for file encryption or encrypted data transmission, or possibly in ransomware
num: 144
process_id: 1428
process_name: 1620583225500_e802b798485ff0b7f6c361e5ea17a488.exe
rulename: Call cryptographic algorithm library
attck_tactics: Defense evasion
level: 2
matchedinfo: The malware copies a file to the system directory in order to hide the malicious file
num: 157
process_id: 1428
process_name: 1620583225500_e802b798485ff0b7f6c361e5ea17a488.exe
rulename: Copy file to system directory
attck_tactics: Persistence
level: 2
matchedinfo: The malware modifies the registry to start automatically with the system, in order to maintain long-term control of or presence on the system
num: 161
process_id: 1428
process_name: 1620583225500_e802b798485ff0b7f6c361e5ea17a488.exe
rulename: Write autostart registry key, add autostart 2
attck_tactics: Other malicious behavior
level: 1
matchedinfo: The malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 152
process_id: 2300
process_name: aJ4exi3XiILvDoD.exe
rulename: Change memory region to readable, writable and executable
attck_tactics: Basic information gathering
level: 1
matchedinfo: The malware obtains the user's disk information in order to gather sensitive information
num: 3
process_id: 932
process_name: CTS.exe
rulename: Collect disk information
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Typically used for file encryption or encrypted data transmission, or possibly in ransomware
num: 143
process_id: 932
process_name: CTS.exe
rulename: Call cryptographic algorithm library
attck_tactics: Defense evasion
level: 2
matchedinfo: The malware copies a file to the system directory in order to hide the malicious file
num: 148
process_id: 932
process_name: CTS.exe
rulename: Copy file to system directory
attck_tactics: Persistence
level: 2
matchedinfo: The malware modifies the registry to start automatically with the system, in order to maintain long-term control of or presence on the system
num: 150
process_id: 932
process_name: CTS.exe
rulename: Write autostart registry key, add autostart 2
attck_tactics: Basic information gathering
level: 1
matchedinfo: Searches for specified target files by enumerating files
num: 155
process_id: 932
process_name: CTS.exe
rulename: Enumerate files