VirSCAN

1, You can UPLOAD any files, but there is a 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but the archive must contain fewer than 20 files.
3, VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.
4, If your browser cannot upload files, please download the VirSCAN uploader to upload.
Basic Information

file name: 00网游之近战法师
file size: 415457
file type: application/x-dosexec
MD5: e851e4cba03844cdb639c3386e75c22c
sha1: 6e2bd030ede83b7f4f7c552e4e54bb916e73863c

CreateProcess

ApplicationName: C:\ProgramData\vchyr.exe
CmdLine:
childid: 1356
childname: vchyr.exe
childpath: C:\ProgramData\vchyr.exe
drop_type: 1
name: 1620583217206_e851e4cba03844cdb639c3386e75c22c.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1620583217206_e851e4cba03844cdb639c3386e75c22c.exe
pid: 2988
ApplicationName:
CmdLine:
childid: 2988
childname: 1620583217206_e851e4cba03844cdb639c3386e75c22c.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1620583217206_e851e4cba03844cdb639c3386e75c22c.exe
drop_type:
name:
noNeedLine:
path:
pid: 3036

Summary

buffer: C:\ProgramData\vchyr.exe
processid: 1356
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
type: REG_SZ
valuename: Microsoft® Windows® Operating System

Dropped Safe

analysis_result: Safe
create: 0
how: write
md5: a52d6cb53c4c31e9f5ad53a356adf9dd
name: Mira.h
new_size: 150KB (153811bytes)
operation: Modify file
path: C:\ProgramData\Saaaalamm\Mira.h
processid: 2988
processname: 1620583217206_e851e4cba03844cdb639c3386e75c22c.exe
sha1: 4e9b2d208dc3c3a6e23decb0a7d7381c73f7b101
sha256: f6bc441488529eadccfef115d11fa10c5cb8cb125b6c08c52a2bbc144bd4f7d8
size: 153811
this_path: /data/cuckoo/storage/analyses/477/files/1001/Mira.h
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: e300f6d47a15a746a4b7ef79791ddb39
name: $Recycle.Bin .exe
new_size: 405KB (415459bytes)
operation: Modify file
path: C:\$Recycle.Bin .exe
processid: 1356
processname: vchyr.exe
sha1: fab55a308085f384094f0da89138c749e85eba90
sha256: d01e7b7faa3f779701882ee9a6aa6a793d24ad14b188338fa4393d1eb46ba677
size: 415459
this_path: /data/cuckoo/storage/analyses/477/files/1002/$Recycle.Bin .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: c4c60c33b8d417299a2849d5d7a37f36
name: Documents and Settings .exe
new_size: 405KB (415459bytes)
operation: Modify file
path: C:\Documents and Settings .exe
processid: 1356
processname: vchyr.exe
sha1: 6bbb98d0e173728a80d4664074d8fbf82bf78fd2
sha256: ccbd6679937367ff2de212cadd1b8c10ce064ce1f1dc08ddd74ad5a8bb35e902
size: 415459
this_path: /data/cuckoo/storage/analyses/477/files/1003/Documents and Settings .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 459db1f3a2807ac6e44a08a1bfaa131f
name: JAHoiedFf .exe
new_size: 405KB (415459bytes)
operation: Modify file
path: C:\JAHoiedFf .exe
processid: 1356
processname: vchyr.exe
sha1: 8ee3938ede9000bbf74ee60714ab610bc55ea14e
sha256: 7fcd8e15630bae4e1065155ff659b26ee83d10e3a6239d7c014edd3d544659bd
size: 415459
this_path: /data/cuckoo/storage/analyses/477/files/1004/JAHoiedFf .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: a6ce85c1d66675c38bba7e33b584acc0
name: mnlsx .exe
new_size: 405KB (415459bytes)
operation: Modify file
path: C:\mnlsx .exe
processid: 1356
processname: vchyr.exe
sha1: 5183188ba6cbfd99899e2557fa8791c1482da98a
sha256: 748b7e25d77e4de575eba6556703bf6ce096eaf8335d40c8fd4ed31375173dfe
size: 415459
this_path: /data/cuckoo/storage/analyses/477/files/1005/mnlsx .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 1a2ad2880556dd17ef0948c9962c33c5
name: MoIWFQ .exe
new_size: 405KB (415459bytes)
operation: Modify file
path: C:\MoIWFQ .exe
processid: 1356
processname: vchyr.exe
sha1: ffa24b500997d1991f39a3db022cdee9f9767bac
sha256: 7c2d3ebcc60f7582b3e1a44176fcc8231112fe17c3bee6439f7a4f9898375c44
size: 415459
this_path: /data/cuckoo/storage/analyses/477/files/1006/MoIWFQ .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 906f2d694a0317e75fe1fe35e2496c15
name: MSOCache .exe
new_size: 405KB (415459bytes)
operation: Modify file
path: C:\MSOCache .exe
processid: 1356
processname: vchyr.exe
sha1: 9c99e097d7fed29bbcdac45f2922be4af753460c
sha256: e7b09e1629e7bb55e518436ab32aa14cd4bff587ca5934ffac24a8f732a73472
size: 415459
this_path: /data/cuckoo/storage/analyses/477/files/1007/MSOCache .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: ae9836818489a07c066cf3fb2bc78020
name: OAPDEQVBVG .exe
new_size: 405KB (415459bytes)
operation: Modify file
path: C:\OAPDEQVBVG .exe
processid: 1356
processname: vchyr.exe
sha1: 3e3e0f196420363865426d41a341aa8923be9e6c
sha256: c620aa5d39eb1e27e0f3fb7a1734ad7127d3b924d0eb6ab1ab66536c5f854cae
size: 415459
this_path: /data/cuckoo/storage/analyses/477/files/1008/OAPDEQVBVG .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 4fb9a3e73e280f16d568530d6ef7f9e9
name: pagefile.sys .exe
new_size: 405KB (415459bytes)
operation: Modify file
path: C:\pagefile.sys .exe
processid: 1356
processname: vchyr.exe
sha1: 571d16e5e390bc675aa980b99a893c9996a1ce23
sha256: 1e16c521f1cdcaf7d319699b675558f8fa126519a04e4ac0689e7834f5c68a8d
size: 415459
this_path: /data/cuckoo/storage/analyses/477/files/1009/pagefile.sys .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 86823d699f5e75a470729f2bd51f4726
name: PerfLogs .exe
new_size: 405KB (415459bytes)
operation: Modify file
path: C:\PerfLogs .exe
processid: 1356
processname: vchyr.exe
sha1: deca5f8f828920c1f626de789f666214be26ccca
sha256: 3a02faa0f5ff32b98f71fba3f5c9d36865a61ce78080e46bb0198c00a6dbe023
size: 415459
this_path: /data/cuckoo/storage/analyses/477/files/1010/PerfLogs .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 235c255d3865808b1f1804cebc1b1453
name: Program Files .exe
new_size: 405KB (415459bytes)
operation: Modify file
path: C:\Program Files .exe
processid: 1356
processname: vchyr.exe
sha1: d724952981e077c2f6f7dda8c4dfafa3a49773f4
sha256: 003c8cdd85b3f2b42eb5ccdefde9c6dcaa8c0fbf272114e5a83f1f0217ce2c6f
size: 415459
this_path: /data/cuckoo/storage/analyses/477/files/1011/Program Files .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 3cb009179d7f64100e91eaeba9039bd3
name: Program Files (x86) .exe
new_size: 405KB (415459bytes)
operation: Modify file
path: C:\Program Files (x86) .exe
processid: 1356
processname: vchyr.exe
sha1: d521021789916be7cb2eecd6d0822e35c406abf9
sha256: d84aeece48ada8fa5f04198d07d1e5a7ad9125c662dfe7d1aa83b73365c8b247
size: 415459
this_path: /data/cuckoo/storage/analyses/477/files/1012/Program Files (x86) .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 3825ebedfe2646570eeb69245d9f0716
name: ProgramData .exe
new_size: 405KB (415459bytes)
operation: Modify file
path: C:\ProgramData .exe
processid: 1356
processname: vchyr.exe
sha1: 0873e9b25e018914f27b793a5b0958b51f712a1a
sha256: 7adcbec53785390fca1e9432f438f41893e5ec7761d12fb95e08680e1afe63d4
size: 415459
this_path: /data/cuckoo/storage/analyses/477/files/1013/ProgramData .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: aa4e04d5cf64b4c1ed710bb14dcef792
name: Python27 .exe
new_size: 405KB (415459bytes)
operation: Modify file
path: C:\Python27 .exe
processid: 1356
processname: vchyr.exe
sha1: cdc9f8f34d82c2fc5d716a92b286d89cdf5e5299
sha256: 7ffb61f831484d124e4ad6d92d0dfba6a7f9b531fbea37b183d490cb3f874c14
size: 415459
this_path: /data/cuckoo/storage/analyses/477/files/1014/Python27 .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: bd8ef27c134b4b48babf493f694214a8
name: Recovery .exe
new_size: 405KB (415459bytes)
operation: Modify file
path: C:\Recovery .exe
processid: 1356
processname: vchyr.exe
sha1: 15a97395da72ddb3a400cf5801d45b9ef93ad2b3
sha256: 6ffa52331129e1aa8ead50d90c576dc574e49c808c688e120d70770952cacdae
size: 415459
this_path: /data/cuckoo/storage/analyses/477/files/1015/Recovery .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 9dca6800363b211604b7e6791cc21560
name: System Volume Information .exe
new_size: 396KB (405734bytes)
operation: Modify file
path: C:\System Volume Information .exe
processid: 1356
processname: vchyr.exe
sha1: 3e4e4d3f9fed041443caebc8699cd5cbd32685ca
sha256: 8912491b91b9a24c36c1a247fbae17eb8c9083aa7176493b5487f974086aee11
size: 405734
this_path: /data/cuckoo/storage/analyses/477/files/1016/System Volume Information .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Dropped Unsafe

analysis_result: Trojan.Win32.Agent.nezvfi
create: 0
how: write
md5: 8974f11825f5a301d8cbdbe7278d866e
name: vchyr.exe
new_size: 255KB (261636bytes)
operation: Modify file
path: C:\ProgramData\vchyr.exe
processid: 2988
processname: 1620583217206_e851e4cba03844cdb639c3386e75c22c.exe
sha1: dc4a268428680b173c5927b6f2acfc9972a05fe5
sha256: 1b1c6fb1cf0842628ec24db31bfd5ce11b679bbf031267a33c1bd463a133e09f
size: 261636
this_path: /data/cuckoo/storage/analyses/477/files/1000/vchyr.exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Malicious

attck_tactics: Other malicious behaviour
level: 1
matchedinfo: The malware changes memory protection attributes in order to decrypt and execute malicious code in memory
num: 3
process_id: 2988
process_name: 1620583217206_e851e4cba03844cdb639c3386e75c22c.exe
rulename: Change memory region protection to readable, writable and executable
attck_tactics: Basic information gathering
level: 1
matchedinfo: Searches for specified target files by traversing the file system
num: 30
process_id: 2988
process_name: 1620583217206_e851e4cba03844cdb639c3386e75c22c.exe
rulename: Traverse files
attck_tactics: Defense evasion
level: 2
matchedinfo: Modifies the "show hidden files" setting in order to hide files
num: 180
process_id: 2988
process_name: 1620583217206_e851e4cba03844cdb639c3386e75c22c.exe
rulename: Get hidden-files setting
attck_tactics: Persistence
level: 2
matchedinfo: The malicious program modifies the registry so that it starts automatically with the system, in order to maintain long-term control of or residence on the system
num: 8
process_id: 1356
process_name: vchyr.exe
rulename: Write to autostart registry key, add autostart 2
attck_tactics: Basic information gathering
level: 1
matchedinfo: Searches for specified target files by traversing the file system
num: 18
process_id: 1356
process_name: vchyr.exe
rulename: Traverse files