VirSCAN VirSCAN

1, You can UPLOAD any files, but there is a 20 MB limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.
4, If your browser cannot upload files, please download the VirSCAN uploader to upload.


Basic Information

file name: 00幽灵行动
file size: 420704
file type: application/x-dosexec
MD5: 9b0a5b81a6ddc661f459b7fc14782439
sha1: 54ee5213d527edc9996b15df207061be60233e0e

 CreateProcess

ApplicationName: C:\ProgramData\tbdoyp.exe
CmdLine:
childid: 924
childname: tbdoyp.exe
childpath: C:\ProgramData\tbdoyp.exe
drop_type: 1
name: 1619116211264_9b0a5b81a6ddc661f459b7fc14782439.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1619116211264_9b0a5b81a6ddc661f459b7fc14782439.exe
pid: 2088
ApplicationName:
CmdLine:
childid: 2088
childname: 1619116211264_9b0a5b81a6ddc661f459b7fc14782439.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1619116211264_9b0a5b81a6ddc661f459b7fc14782439.exe
drop_type:
name:
noNeedLine:
path:
pid: 588

 Summary

buffer: C:\ProgramData\tbdoyp.exe
processid: 924
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
type: REG_SZ
valuename: Microsoft® Windows® Operating System

Dropped (Safe)

analysis_result: Safe
create: 0
how: write
md5: a52d6cb53c4c31e9f5ad53a356adf9dd
name: Mira.h
new_size: 150KB (153811bytes)
operation: Modify file
path: C:\ProgramData\Saaaalamm\Mira.h
processid: 2088
processname: 1619116211264_9b0a5b81a6ddc661f459b7fc14782439.exe
sha1: 4e9b2d208dc3c3a6e23decb0a7d7381c73f7b101
sha256: f6bc441488529eadccfef115d11fa10c5cb8cb125b6c08c52a2bbc144bd4f7d8
size: 153811
this_path: /data/cuckoo/storage/analyses/4/files/1001/Mira.h
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: bdc72b1be89c822f080eefa8fb11f86c
name: $Recycle.Bin .exe
new_size: 410KB (420706bytes)
operation: Modify file
path: C:\$Recycle.Bin .exe
processid: 924
processname: tbdoyp.exe
sha1: 5b68441789d58b2877a1c687765d6bbbe76859c1
sha256: b4e7e3d81e8171a3d1516af40c7d8a2d1c686a577452a6e6e2d74846834ab572
size: 420706
this_path: /data/cuckoo/storage/analyses/4/files/1002/$Recycle.Bin .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 84d39d50b69b2ea6a368a675ce541637
name: DAKMMJWPHZP .exe
new_size: 410KB (420706bytes)
operation: Modify file
path: C:\DAKMMJWPHZP .exe
processid: 924
processname: tbdoyp.exe
sha1: 202e9bfa57c847fc759c7fde8b9800f99960a924
sha256: d1779fa063f1aad9a06dd2e66e6c6b7a6b5ba360b4bbc6413598f878da5255b4
size: 420706
this_path: /data/cuckoo/storage/analyses/4/files/1003/DAKMMJWPHZP .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 4916286986f85ed186a53b0de25241d1
name: Documents and Settings .exe
new_size: 410KB (420706bytes)
operation: Modify file
path: C:\Documents and Settings .exe
processid: 924
processname: tbdoyp.exe
sha1: 30b6f85b3a64c73dc48b958a4880897fdf70297c
sha256: ab34fcf4cb36ed574233291f72e64c1ff585b78d136f0f47011e6f35cbbac131
size: 420706
this_path: /data/cuckoo/storage/analyses/4/files/1004/Documents and Settings .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: fba1c692754abb9a8955801ed3a0bb1e
name: mnlsx .exe
new_size: 410KB (420706bytes)
operation: Modify file
path: C:\mnlsx .exe
processid: 924
processname: tbdoyp.exe
sha1: d5a05c6edb098a90f0381b929cec01d19497cbd8
sha256: e30c667e8b9861938a481c50117ad538176c1e8540893e86f93cec8d4af48e9e
size: 420706
this_path: /data/cuckoo/storage/analyses/4/files/1005/mnlsx .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: b000859a6695ff9b56ea1dcc59ec44b1
name: MSOCache .exe
new_size: 410KB (420706bytes)
operation: Modify file
path: C:\MSOCache .exe
processid: 924
processname: tbdoyp.exe
sha1: a5a454355ceb3f41f81d672200957d9905e36b21
sha256: 08310269e8d3ead543325c7b068f3691efbc0c3c4f0f947494df43c53f533f57
size: 420706
this_path: /data/cuckoo/storage/analyses/4/files/1006/MSOCache .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 85b9b7c6ad5b90e9ec8c3b527f97d202
name: pagefile.sys .exe
new_size: 410KB (420706bytes)
operation: Modify file
path: C:\pagefile.sys .exe
processid: 924
processname: tbdoyp.exe
sha1: 0bb94cfe52cd9fa03651499af8a21844c84a88af
sha256: 85aca512585c3c5b70cdeab8c580b833b6f2680b78e42a458db0a780c13a75da
size: 420706
this_path: /data/cuckoo/storage/analyses/4/files/1007/pagefile.sys .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: b2a179bab13f6bb34ffd97b564fd44d1
name: PerfLogs .exe
new_size: 410KB (420706bytes)
operation: Modify file
path: C:\PerfLogs .exe
processid: 924
processname: tbdoyp.exe
sha1: 8f09b8a61624cd61b3c4ad512afd364d1e2187fc
sha256: 2271a86f86fe5c02667728ce2d6cc347f98b7078b6a13c2ec8a8e52766a4f8fc
size: 420706
this_path: /data/cuckoo/storage/analyses/4/files/1008/PerfLogs .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: f486902e64e8c5e68d89e8696b9ac042
name: Program Files .exe
new_size: 410KB (420706bytes)
operation: Modify file
path: C:\Program Files .exe
processid: 924
processname: tbdoyp.exe
sha1: df7ac11e0ffa395ee2675eb10919eb966411c72a
sha256: a2bbae43782755054c664202347a91e1809a6a97020fa1dda6eb9bbbbda4fc61
size: 420706
this_path: /data/cuckoo/storage/analyses/4/files/1009/Program Files .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: bfc8c7b2e770e5fb93e49b581a13c826
name: Program Files (x86) .exe
new_size: 410KB (420706bytes)
operation: Modify file
path: C:\Program Files (x86) .exe
processid: 924
processname: tbdoyp.exe
sha1: 6179cc453aab6411aa904fba5915cfd8faba1f92
sha256: 4b1e688aa53ad11f11901d847af411fa6ae6cc4eca3db31a8012ae85762df1af
size: 420706
this_path: /data/cuckoo/storage/analyses/4/files/1010/Program Files (x86) .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 7fdad59fb10577c34d2f811afbdc2d6d
name: ProgramData .exe
new_size: 410KB (420706bytes)
operation: Modify file
path: C:\ProgramData .exe
processid: 924
processname: tbdoyp.exe
sha1: 288c3746b7c782ba204a2a2501635c7c7a040313
sha256: ad7392b6080628a57d3f3827f02e936a746089ef29d753038a6468e5b501bc07
size: 420706
this_path: /data/cuckoo/storage/analyses/4/files/1011/ProgramData .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 95833d879af13bc58d77f84a15f6239d
name: Python27 .exe
new_size: 410KB (420706bytes)
operation: Modify file
path: C:\Python27 .exe
processid: 924
processname: tbdoyp.exe
sha1: 62562d287a26e49c05fd2c6a2664139d683ea604
sha256: 11bf88f64b9d3ad35c486fbd7fa7e4e1cf4e0c037b305e7ce330012361378ab5
size: 420706
this_path: /data/cuckoo/storage/analyses/4/files/1012/Python27 .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: af38ed64b9481048a49abbf7597e795a
name: QwLMaj .exe
new_size: 410KB (420706bytes)
operation: Modify file
path: C:\QwLMaj .exe
processid: 924
processname: tbdoyp.exe
sha1: 4a93245da9897adc633306a87c865dd48af8d0f4
sha256: f2bcab2219e960ee43ee9334badcac9271e0bb02459bf8ac214bf5e3b02b4377
size: 420706
this_path: /data/cuckoo/storage/analyses/4/files/1013/QwLMaj .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 84c0fd60a0abcef82c7bf77ec56b135a
name: Recovery .exe
new_size: 410KB (420706bytes)
operation: Modify file
path: C:\Recovery .exe
processid: 924
processname: tbdoyp.exe
sha1: 63aec288d4b45d518f6b38ca776884e078e21a6e
sha256: 96baf08f70efd11756a92d82c4a4ecdfe6beb46b77bef97e529f977aacb6ade9
size: 420706
this_path: /data/cuckoo/storage/analyses/4/files/1014/Recovery .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: c863746cbb74799211c2d4f32df0f639
name: System Volume Information .exe
new_size: 329KB (337771bytes)
operation: Modify file
path: C:\System Volume Information .exe
processid: 924
processname: tbdoyp.exe
sha1: cdc6131937d2b6bc3f9c69a9979cbb6733913f22
sha256: 56465a584d1cc177a283530f4995026b0e99df0eab71c07290414b2ae4c5072f
size: 337771
this_path: /data/cuckoo/storage/analyses/4/files/1015/System Volume Information .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Dropped (Unsafe)

analysis_result: Trojan.Win32.Agent.nezvfi
create: 0
how: write
md5: 671b17730df540422a0c031575b5d752
name: tbdoyp.exe
new_size: 260KB (266883bytes)
operation: Modify file
path: C:\ProgramData\tbdoyp.exe
processid: 2088
processname: 1619116211264_9b0a5b81a6ddc661f459b7fc14782439.exe
sha1: c36c9aff1295e7dc8e1c9dfbc959f7deb5fd04c4
sha256: edb939f2510fbdb115de57bc58a2aaace5c79c6872792935c41aef00436c35e0
size: 266883
this_path: /data/cuckoo/storage/analyses/4/files/1000/tbdoyp.exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

 Malicious

attck_tactics: Other malicious behavior
level: 1
matchedinfo: The malware modifies memory attributes in order to decrypt and execute malicious code in memory
num: 3
process_id: 2088
process_name: 1619116211264_9b0a5b81a6ddc661f459b7fc14782439.exe
rulename: Change memory region to readable, writable and executable
attck_tactics: Basic information gathering
level: 1
matchedinfo: Searches for specified target files by enumerating files
num: 30
process_id: 2088
process_name: 1619116211264_9b0a5b81a6ddc661f459b7fc14782439.exe
rulename: Enumerate files
attck_tactics: Defense evasion
level: 2
matchedinfo: Modifies the "show hidden files" setting in order to hide files
num: 180
process_id: 2088
process_name: 1619116211264_9b0a5b81a6ddc661f459b7fc14782439.exe
rulename: Query hidden-file setting
attck_tactics: Persistence
level: 2
matchedinfo: The malicious program modifies the registry so that it starts automatically with the system, in order to keep long-term control of or residence on the system
num: 8
process_id: 924
process_name: tbdoyp.exe
rulename: Write autostart registry key, add autostart entry 2
attck_tactics: Basic information gathering
level: 1
matchedinfo: Searches for specified target files by enumerating files
num: 18
process_id: 924
process_name: tbdoyp.exe
rulename: Enumerate files