VirSCAN

1, You can UPLOAD any files, but there is a 20 MB limit per file.
2, VirSCAN supports Rar/Zip decompression, but the archive must contain fewer than 20 files.
3, VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.
4, If your browser cannot upload files, please download the VirSCAN uploader to upload.


Basic Information

file name: 00一起混过的日子
file size: 415455
file type: application/x-dosexec
MD5: ca8e98c8fddc27bb2295509e4e89aea0
sha1: 1372a5c1239132c662e2622911b46724685ab632

CreateProcess

ApplicationName: C:\ProgramData\bfevwp.exe
CmdLine:
childid: 1904
childname: bfevwp.exe
childpath: C:\ProgramData\bfevwp.exe
drop_type: 1
name: 1621170038911_ca8e98c8fddc27bb2295509e4e89aea0.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1621170038911_ca8e98c8fddc27bb2295509e4e89aea0.exe
pid: 1604
ApplicationName:
CmdLine:
childid: 1604
childname: 1621170038911_ca8e98c8fddc27bb2295509e4e89aea0.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1621170038911_ca8e98c8fddc27bb2295509e4e89aea0.exe
drop_type:
name:
noNeedLine:
path:
pid: 956

Summary

buffer: C:\ProgramData\bfevwp.exe
processid: 1904
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
type: REG_SZ
valuename: Microsoft® Windows® Operating System

Dropped (Safe)

analysis_result: Safe
create: 0
how: write
md5: a52d6cb53c4c31e9f5ad53a356adf9dd
name: Mira.h
new_size: 150KB (153811bytes)
operation: Modify file
path: C:\ProgramData\Saaaalamm\Mira.h
processid: 1604
processname: 1621170038911_ca8e98c8fddc27bb2295509e4e89aea0.exe
sha1: 4e9b2d208dc3c3a6e23decb0a7d7381c73f7b101
sha256: f6bc441488529eadccfef115d11fa10c5cb8cb125b6c08c52a2bbc144bd4f7d8
size: 153811
this_path: /data/cuckoo/storage/analyses/2000707/files/1001/Mira.h
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: b11b9ff8af693f0016cd147e01ffe0f7
name: $Recycle.Bin .exe
new_size: 405KB (415457bytes)
operation: Modify file
path: C:\$Recycle.Bin .exe
processid: 1904
processname: bfevwp.exe
sha1: 49ae8431b8195bb81d9644c95f097fc59d0e57dc
sha256: 80a66b45b799e41b302fd42b657125e595cc76530c57d78f03c6f5684314bff1
size: 415457
this_path: /data/cuckoo/storage/analyses/2000707/files/1002/$Recycle.Bin .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: ad15f23336568b13cd98ae7b1563a7c5
name: Documents and Settings .exe
new_size: 405KB (415457bytes)
operation: Modify file
path: C:\Documents and Settings .exe
processid: 1904
processname: bfevwp.exe
sha1: 0d5e9591b7a917631adbd43f4828e9c970240735
sha256: 26fab8c904d0aeeb16ab0bbec741c7265d41f21f31e0e1bb30dbccdc0d3781cb
size: 415457
this_path: /data/cuckoo/storage/analyses/2000707/files/1003/Documents and Settings .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 78009a575fab4ee28ff91509c42416dc
name: IHZKXYWKTV .exe
new_size: 405KB (415457bytes)
operation: Modify file
path: C:\IHZKXYWKTV .exe
processid: 1904
processname: bfevwp.exe
sha1: 8d4794a386476681f074aa409a36a91f38d5033e
sha256: c21b478881dc26793c7c4701224febe838eac81d754efd130fb2e7c5a6ae1df9
size: 415457
this_path: /data/cuckoo/storage/analyses/2000707/files/1004/IHZKXYWKTV .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: caa8e0d2644f2b120122d5fc140a4fa5
name: mnlsx .exe
new_size: 405KB (415457bytes)
operation: Modify file
path: C:\mnlsx .exe
processid: 1904
processname: bfevwp.exe
sha1: 09705e8d5ab6614905b5eb8c414bdd34d4b9bf1c
sha256: aebdc16affd85d15843aa1189ede7d60e46e5b4d45d0941c5b464860da06aa12
size: 415457
this_path: /data/cuckoo/storage/analyses/2000707/files/1005/mnlsx .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 49f2e7efed20c2542c5c18615f6b06c3
name: MSOCache .exe
new_size: 405KB (415457bytes)
operation: Modify file
path: C:\MSOCache .exe
processid: 1904
processname: bfevwp.exe
sha1: faa912b1592c13eed5b48dcb15ef3bee114922db
sha256: 4d2823adf7eda592d4d82ee711b698a3f5d46a0c1965459f7ef8f4eddf65caf8
size: 415457
this_path: /data/cuckoo/storage/analyses/2000707/files/1006/MSOCache .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 266595ee393a59aa1be40a95bc7ea9f6
name: pagefile.sys .exe
new_size: 405KB (415457bytes)
operation: Modify file
path: C:\pagefile.sys .exe
processid: 1904
processname: bfevwp.exe
sha1: 5478c9dfd21f4c541337c87868d2faf41622eec9
sha256: 0814331de648be5f7bdd2caf22a8be2fdd4289f449fac918579258f7485dbd27
size: 415457
this_path: /data/cuckoo/storage/analyses/2000707/files/1007/pagefile.sys .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 8261850817a2dd4a6a8d8b1845270ffb
name: PerfLogs .exe
new_size: 405KB (415457bytes)
operation: Modify file
path: C:\PerfLogs .exe
processid: 1904
processname: bfevwp.exe
sha1: 07e1126e64b7c286140c29a0af40885f0ceacb66
sha256: 4def8ddb295aeafbad53eb236daf6f69121c9d3e8b45b94e1b22c213aefd08f8
size: 415457
this_path: /data/cuckoo/storage/analyses/2000707/files/1008/PerfLogs .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 6a71d1c05b63da1262abaf2653f21f14
name: Program Files .exe
new_size: 405KB (415457bytes)
operation: Modify file
path: C:\Program Files .exe
processid: 1904
processname: bfevwp.exe
sha1: 8bc04d45f7eeeda6fd9845e7c7c238bd65f3ff5f
sha256: 9395ee546d94224a0532d8f2ff83916d1706b022446da86846b03f7694d7a6f2
size: 415457
this_path: /data/cuckoo/storage/analyses/2000707/files/1009/Program Files .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 80a9aae3772c379fd79cada4bb01636a
name: Program Files (x86) .exe
new_size: 405KB (415457bytes)
operation: Modify file
path: C:\Program Files (x86) .exe
processid: 1904
processname: bfevwp.exe
sha1: f95ebbd26d87d4e685a8e5017c445d2e8d616e60
sha256: b38dca20f13f64ae92081b779745866b709051bf641cd57aa494dccb9d70afbc
size: 415457
this_path: /data/cuckoo/storage/analyses/2000707/files/1010/Program Files (x86) .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: ba98c5c7cf7cca961f4b813586e10615
name: ProgramData .exe
new_size: 405KB (415457bytes)
operation: Modify file
path: C:\ProgramData .exe
processid: 1904
processname: bfevwp.exe
sha1: f1fc11411c06a04d330784e95c04c4d609a2929e
sha256: 20a011ccedf07e2e81e394d18d7d798c03b12d8bf5e4482c65552537e929421c
size: 415457
this_path: /data/cuckoo/storage/analyses/2000707/files/1011/ProgramData .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 7417470515daf63a36368a8518c11f2e
name: Python27 .exe
new_size: 405KB (415457bytes)
operation: Modify file
path: C:\Python27 .exe
processid: 1904
processname: bfevwp.exe
sha1: e344943766737f82b20c99bd87844d52f806b103
sha256: dc7b370d64970b7466a6f185a650f66e3a9d8eeec60426ab850b46e92812474f
size: 415457
this_path: /data/cuckoo/storage/analyses/2000707/files/1012/Python27 .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: d9cd35655fc3f64ce295cd94e4e795cf
name: Recovery .exe
new_size: 405KB (415457bytes)
operation: Modify file
path: C:\Recovery .exe
processid: 1904
processname: bfevwp.exe
sha1: f8ed1d2d91aaaa5a2a3e0d6afc8404934c0302f3
sha256: 844da4f2f90280d35d338c5943a74fb4313f1c883e6e1680f3867d8a8c72818a
size: 415457
this_path: /data/cuckoo/storage/analyses/2000707/files/1013/Recovery .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 9cd81416a34bdf4e29382492d0e258b2
name: System Volume Information .exe
new_size: 405KB (415457bytes)
operation: Modify file
path: C:\System Volume Information .exe
processid: 1904
processname: bfevwp.exe
sha1: 77d0ae9fcdda5afef6f5d190b9876e879b008f9d
sha256: 31bfb5a6087a1fc7fae83af16a84abcd9b8f73f70595c275dc59d21957bd0028
size: 415457
this_path: /data/cuckoo/storage/analyses/2000707/files/1014/System Volume Information .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: c38f23e9748ff5a5becba5bc99588195
name: tCaBwCPT .exe
new_size: 405KB (415457bytes)
operation: Modify file
path: C:\tCaBwCPT .exe
processid: 1904
processname: bfevwp.exe
sha1: 21412d675cf93860024f3392ff2fdb4127539a5a
sha256: ef6609a3761f1bd5891a865d0570f848edff7f0160f5920af2b95c94fd5fdb5a
size: 415457
this_path: /data/cuckoo/storage/analyses/2000707/files/1015/tCaBwCPT .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 96343c4a317a857d8a21afa029d04d04
name: TRYMho .exe
new_size: 405KB (415457bytes)
operation: Modify file
path: C:\TRYMho .exe
processid: 1904
processname: bfevwp.exe
sha1: e44a61511beb612e71b239a84a2bada97c34f052
sha256: 92085eebfd8f40ea8c79e76b2799a75505ebef8b8daa53d83485bcba010b447d
size: 415457
this_path: /data/cuckoo/storage/analyses/2000707/files/1016/TRYMho .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 9acc8af8dcdbb987d567dc82076c0d9b
name: Users .exe
new_size: 68KB (70518bytes)
operation: Modify file
path: C:\Users .exe
processid: 1904
processname: bfevwp.exe
sha1: f617e8c408a9e5ee627852d8788fcbc19f5c3aa6
sha256: 66443c6734add12dd97e21e2b780412450a20f20a2a7f6d941a63787ed6a8376
size: 70518
this_path: /data/cuckoo/storage/analyses/2000707/files/1017/Users .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Dropped (Unsafe)

analysis_result: Trojan.Win32.Agent.nezvfi
create: 0
how: write
md5: 03a42f8be64646864310b3cdfb37f1f5
name: bfevwp.exe
new_size: 255KB (261634bytes)
operation: Modify file
path: C:\ProgramData\bfevwp.exe
processid: 1604
processname: 1621170038911_ca8e98c8fddc27bb2295509e4e89aea0.exe
sha1: 03cb11b3da3b5a16b3908a722652ad8185746c64
sha256: b685d353c087309325d0e2598b832f4ba93107e1b13fdfeeaeaaca3a71f29ee9
size: 261634
this_path: /data/cuckoo/storage/analyses/2000707/files/1000/bfevwp.exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Malicious

attck_tactics: Other malicious behaviour
level: 1
matchedinfo: The malware changes memory protection attributes in order to decrypt and execute malicious code in memory
num: 3
process_id: 1604
process_name: 1621170038911_ca8e98c8fddc27bb2295509e4e89aea0.exe
rulename: Set memory region to readable, writable and executable
attck_tactics: Basic information gathering
level: 1
matchedinfo: Searches for specified target files by enumerating the file system
num: 30
process_id: 1604
process_name: 1621170038911_ca8e98c8fddc27bb2295509e4e89aea0.exe
rulename: Enumerate files
attck_tactics: Defense evasion
level: 2
matchedinfo: Modifies the "show hidden files" setting in order to keep files hidden
num: 180
process_id: 1604
process_name: 1621170038911_ca8e98c8fddc27bb2295509e4e89aea0.exe
rulename: Query hidden-file display setting
attck_tactics: Persistence
level: 2
matchedinfo: The malware modifies the registry so that it is launched at system startup, in order to keep long-term control of, or residence on, the system
num: 8
process_id: 1904
process_name: bfevwp.exe
rulename: Write autostart registry key, add autostart entry 2
attck_tactics: Basic information gathering
level: 1
matchedinfo: Searches for specified target files by enumerating the file system
num: 18
process_id: 1904
process_name: bfevwp.exe
rulename: Enumerate files