VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, VirSCAN can scan password-protected compressed files with the password 'infected' or 'virus'.
4, If your browser cannot upload files, please download VirSCAN uploader to upload.

Basic Information

file name: 00速度与激情特别行动
file size: 404510
file type: application/x-dosexec
MD5: a8985e42eac8bb81fa21d3128dad8a07
sha1: e8f75482e7f51df0997201937a0a878c546bf438

CreateProcess

ApplicationName: C:\Users\Administrator\AppData\Local\Temp\buner.exe
CmdLine: "C:\Users\ADMINI~1\AppData\Local\Temp\buner.exe" hi
childid: 1660
childname: buner.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\buner.exe
drop_type: 1
name: 1620286260965_a8985e42eac8bb81fa21d3128dad8a07.exe
noNeedLine: 1
path: C:\Users\Administrator\AppData\Local\Temp\1620286260965_a8985e42eac8bb81fa21d3128dad8a07.exe
pid: 576
ApplicationName:
CmdLine: "C:\Users\ADMINI~1\AppData\Local\Temp\_vslite.bat"
childid: 3568
childname: cmd.exe
childpath: C:\Windows\SysWOW64\cmd.exe
drop_type:
name: 1620286260965_a8985e42eac8bb81fa21d3128dad8a07.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1620286260965_a8985e42eac8bb81fa21d3128dad8a07.exe
pid: 576
ApplicationName: C:\Users\Administrator\AppData\Local\Temp\zevoco.exe
CmdLine: "C:\Users\ADMINI~1\AppData\Local\Temp\zevoco.exe" OK
childid: 1436
childname: zevoco.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\zevoco.exe
drop_type: 1
name: buner.exe
noNeedLine: 1
path: C:\Users\Administrator\AppData\Local\Temp\buner.exe
pid: 1660
ApplicationName:
CmdLine:
childid: 576
childname: 1620286260965_a8985e42eac8bb81fa21d3128dad8a07.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1620286260965_a8985e42eac8bb81fa21d3128dad8a07.exe
drop_type:
name:
noNeedLine:
path:
pid: 2076

Summary

buffer: C:\Users\ADMINI~1\AppData\Local\Temp\buner.exe
processid: 576
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
type: REG_SZ
valuename: Run

Dropped_Save

analysis_result: Safe
create: 0
how: del
md5: b2d59ed3455786b94303da94e8143f15
name: _vslite.bat
new_size: 331bytes
operation: File deleted after being dropped
path: C:\Users\Administrator\AppData\Local\Temp\_vslite.bat
processid: 3568
processname: cmd.exe
sha1: 9c5fa81b0ba67f7c1907f80936c11a6129c71cdb
sha256: afdfb6e330b850a71c550b6843d068747f5de0a3636c387570a299d222f881b6
size: 331
this_path: /data/cuckoo/storage/analyses/1000065/files/8566435758/_vslite.bat
type: ASCII text, with CRLF line terminators
analysis_result: Safe
create: 0
how: write
md5: ee4b22224ebf17e24528dc55b7b66648
name: golfinfo.ini
new_size: 512bytes
operation: File modified
path: C:\Users\Administrator\AppData\Local\Temp\golfinfo.ini
processid: 576
processname: 1620286260965_a8985e42eac8bb81fa21d3128dad8a07.exe
sha1: c868b94fae81cd152deacca5a6fc2823471ecb3f
sha256: 5f7788889a8881fd4b3e007ef3e118b733d687c8925944b59876b3d209271315
size: 512
this_path: /data/cuckoo/storage/analyses/1000065/files/1000/golfinfo.ini
type: Non-ISO extended-ASCII text, with very long lines, with NEL line terminators

Dropped Unsave

analysis_result: Backdoor.Win32.Plite.bhty
create: 0
how: write
md5: 669ce619ea4d1844aaec84c7c42f73ae
name: buner.exe
new_size: 395KB (404590bytes)
operation: File modified
path: C:\Users\Administrator\AppData\Local\Temp\buner.exe
processid: 576
processname: 1620286260965_a8985e42eac8bb81fa21d3128dad8a07.exe
sha1: 5a0fba5d63ae4ba391b16c8c049c9359b2027280
sha256: 8d72b39123dcca81f3e1996ec27d3131a5b275fe36c32c5517f11ad3df29b519
size: 404590
this_path: /data/cuckoo/storage/analyses/1000065/files/1001/buner.exe
type: PE32 executable (GUI) Intel 80386, for MS Windows
analysis_result: Backdoor.Win32.Plite.bhty
create: 0
how: write
md5: 9f3f55d0948b85fa132f7c56d9588eee
name: zevoco.exe
new_size: 395KB (404640bytes)
operation: File modified
path: C:\Users\Administrator\AppData\Local\Temp\zevoco.exe
processid: 1660
processname: buner.exe
sha1: 3e09c428e31565448cc76677bd4cb86c6af4d8d1
sha256: a02e6ef88ad602f5e36597854ec5f73f795cee79621a6a491218099f30bc3aeb
size: 404640
this_path: /data/cuckoo/storage/analyses/1000065/files/1002/zevoco.exe
type: PE32 executable (GUI) Intel 80386, for MS Windows

Malicious

attck_tactics: Defense Evasion
level: 2
matchedinfo: The malicious program drops a file from its resource section and runs it, in order to hide its malicious code
num: 61
process_id: 576
process_name: 1620286260965_a8985e42eac8bb81fa21d3128dad8a07.exe
rulename: Drops a file from the resource section and runs it
attck_tactics: Persistence
level: 3
matchedinfo: The malicious program modifies the registry so that it auto-starts with the system, in order to maintain long-term control over or residence on the system
num: 108
process_id: 576
process_name: 1620286260965_a8985e42eac8bb81fa21d3128dad8a07.exe
rulename: Writes an auto-start registry entry, adding auto-start 1
attck_tactics: Defense Evasion
level: 2
matchedinfo: The malicious program drops a file from its resource section and runs it, in order to hide its malicious code
num: 60
process_id: 1660
process_name: buner.exe
rulename: Drops a file from the resource section and runs it
attck_tactics: Execution
level: 2
matchedinfo: The malicious program opens a thread in order to manipulate other threads
num: 2
process_id: 3568
process_name: cmd.exe
rulename: Opens other threads
attck_tactics: Basic information gathering
level: 1
matchedinfo: Searches for specified target files by enumerating files
num: 27
process_id: 3568
process_name: cmd.exe
rulename: Enumerates files