VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.
4, If your browser cannot upload files, please download VirSCAN uploader to upload.

Basic Information

file name: 5c1c7300434d225463380047e752d786
file size: 420663
file type: application/x-dosexec
MD5: 5c1c7300434d225463380047e752d786
sha1: 3a865775da2f140a5dbce6f1f0a13607d8d548f9

CreateProcess

ApplicationName: C:\ProgramData\npdfwy.exe
CmdLine:
childid: 1084
childname: npdfwy.exe
childpath: C:\ProgramData\npdfwy.exe
drop_type: 1
name: 1620835228263_5c1c7300434d225463380047e752d786.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1620835228263_5c1c7300434d225463380047e752d786.exe
pid: 2976
ApplicationName:
CmdLine:
childid: 2976
childname: 1620835228263_5c1c7300434d225463380047e752d786.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1620835228263_5c1c7300434d225463380047e752d786.exe
drop_type:
name:
noNeedLine:
path:
pid: 2748

Summary

buffer: C:\ProgramData\npdfwy.exe
processid: 1084
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
type: REG_SZ
valuename: Microsoft® Windows® Operating System

Dropped_Save

analysis_result: Safe
create: 0
how: write
md5: a52d6cb53c4c31e9f5ad53a356adf9dd
name: Mira.h
new_size: 150KB (153811bytes)
operation: Modify file
path: C:\ProgramData\Saaaalamm\Mira.h
processid: 2976
processname: 1620835228263_5c1c7300434d225463380047e752d786.exe
sha1: 4e9b2d208dc3c3a6e23decb0a7d7381c73f7b101
sha256: f6bc441488529eadccfef115d11fa10c5cb8cb125b6c08c52a2bbc144bd4f7d8
size: 153811
this_path: /data/cuckoo/storage/analyses/4000872/files/1001/Mira.h
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: c1264538a8e5e27663a8b98dd8735cf6
name: $Recycle.Bin .exe
new_size: 410KB (420665bytes)
operation: Modify file
path: C:\$Recycle.Bin .exe
processid: 1084
processname: npdfwy.exe
sha1: e9754dd8aa68f627c9761bf838e1d3ccbf5226d3
sha256: b84b7e5459500bab2227b2645afee5bbfbadf91e6570d950a9aacdbef35e9852
size: 420665
this_path: /data/cuckoo/storage/analyses/4000872/files/1002/$Recycle.Bin .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 522052a639ba1046fb67385963ac58b5
name: Documents and Settings .exe
new_size: 410KB (420665bytes)
operation: Modify file
path: C:\Documents and Settings .exe
processid: 1084
processname: npdfwy.exe
sha1: 8c477db71eed3285721d5c867ffa12bcebff5008
sha256: 940feef5cb604bb35077aa091c2d027b38b7948794814407c8ba1806a28fe0f7
size: 420665
this_path: /data/cuckoo/storage/analyses/4000872/files/1003/Documents and Settings .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: c7321924f2bb3885cc2f0169e77efcb0
name: mnlsx .exe
new_size: 410KB (420665bytes)
operation: Modify file
path: C:\mnlsx .exe
processid: 1084
processname: npdfwy.exe
sha1: 0c81aef2aa873721b0b2eae0584f813a92ab7658
sha256: 690ab0fa4c024162aeabf4d10ee1b15c2e97c5c4f541d2817d2dfaebbeea7264
size: 420665
this_path: /data/cuckoo/storage/analyses/4000872/files/1004/mnlsx .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 7fb2f8e40a92a1099e82c0095c39fd01
name: MSOCache .exe
new_size: 410KB (420665bytes)
operation: Modify file
path: C:\MSOCache .exe
processid: 1084
processname: npdfwy.exe
sha1: 136f86b075fa1ec9ab2d6a1329385991ebfcefc1
sha256: b102822a6971965b74f938f848aeab98d17dfd5b1b0099d6e63a4bed5a951937
size: 420665
this_path: /data/cuckoo/storage/analyses/4000872/files/1005/MSOCache .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 2e8a1a38f166813693dc6ce072e22b46
name: ORIWJJFMSCD .exe
new_size: 410KB (420665bytes)
operation: Modify file
path: C:\ORIWJJFMSCD .exe
processid: 1084
processname: npdfwy.exe
sha1: 3ae093bec87b6b1bb4ca7d8f2482fda5455bed30
sha256: 2bf3c342a8ff2b2a788ba4a9b30acc4153468eda3cc2889087934b0fc72a3980
size: 420665
this_path: /data/cuckoo/storage/analyses/4000872/files/1006/ORIWJJFMSCD .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 842e3b07a180fd401f250046a4e52909
name: oSiBQgUtC .exe
new_size: 410KB (420665bytes)
operation: Modify file
path: C:\oSiBQgUtC .exe
processid: 1084
processname: npdfwy.exe
sha1: 2222b4898bb26e9eabec5678cef0251dcbfd304f
sha256: 7d8e9f4e5263675f65ba2f81a57b1daeda52871c9395c13b8d53bf878cefec21
size: 420665
this_path: /data/cuckoo/storage/analyses/4000872/files/1007/oSiBQgUtC .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 63b2375685fd1df402a0d495d477026c
name: pagefile.sys .exe
new_size: 410KB (420665bytes)
operation: Modify file
path: C:\pagefile.sys .exe
processid: 1084
processname: npdfwy.exe
sha1: bd02d2f02271730f408a151e69020e6642325832
sha256: 1f78c8e0672d252f058ebd383b5c9811cd4530df4877c90dd72696e630e67cbe
size: 420665
this_path: /data/cuckoo/storage/analyses/4000872/files/1008/pagefile.sys .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: d3b74489b6aca30f67da1c800186fb61
name: PerfLogs .exe
new_size: 410KB (420665bytes)
operation: Modify file
path: C:\PerfLogs .exe
processid: 1084
processname: npdfwy.exe
sha1: 8d73269ac258f0db8b852640dbd42e330dfc7f05
sha256: 63d0079f2c1113c5e71ef195fd15804c95df9643bde9520f64735c44fdd22e53
size: 420665
this_path: /data/cuckoo/storage/analyses/4000872/files/1009/PerfLogs .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 2d7e2bfa5d1db9ebb3cd9f560a06e179
name: Program Files .exe
new_size: 410KB (420665bytes)
operation: Modify file
path: C:\Program Files .exe
processid: 1084
processname: npdfwy.exe
sha1: 221cdf381e205cb891f1e58afb6135718886d892
sha256: 8e7e6b228669de1caaf88105efd2b5bc53ca6f10a182fcf51068f3a1c7e179f9
size: 420665
this_path: /data/cuckoo/storage/analyses/4000872/files/1010/Program Files .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 8a137d07c9a429f4f0d3ff74b1fac3af
name: Program Files (x86) .exe
new_size: 410KB (420665bytes)
operation: Modify file
path: C:\Program Files (x86) .exe
processid: 1084
processname: npdfwy.exe
sha1: 79c4a9fa28bda8405e08d2a3b4f05c432158b94d
sha256: 9cc6c0e110af6e87656c1275d77605d3ecc00e2f7d5c4ef258b0c7407def8e4c
size: 420665
this_path: /data/cuckoo/storage/analyses/4000872/files/1011/Program Files (x86) .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 1d8f13ff64ded72d68202dcf42d4bb5a
name: ProgramData .exe
new_size: 410KB (420665bytes)
operation: Modify file
path: C:\ProgramData .exe
processid: 1084
processname: npdfwy.exe
sha1: 204364d587fadc5ff407bfdefa4c531fa66e0c60
sha256: 10c766d513b87e4275796748c25b5e62f26fb59d53f2372ebf7576085faaac2b
size: 420665
this_path: /data/cuckoo/storage/analyses/4000872/files/1012/ProgramData .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: e6e8ff7bb6b1cdaa5c07d642af605526
name: Python27 .exe
new_size: 410KB (420665bytes)
operation: Modify file
path: C:\Python27 .exe
processid: 1084
processname: npdfwy.exe
sha1: d6c1786aba73555e112dc1ceade5fc7929e1a9b1
sha256: b69f6ff90c3a050d761a344a619abcf098b0c08a699f186ce0a6cde9164d8e7a
size: 420665
this_path: /data/cuckoo/storage/analyses/4000872/files/1013/Python27 .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: d32bb053694dd3b6ff913ffc06a4bc0d
name: Recovery .exe
new_size: 410KB (420665bytes)
operation: Modify file
path: C:\Recovery .exe
processid: 1084
processname: npdfwy.exe
sha1: 8c4d6650efc2d64b77fa056870bec57b6ac73205
sha256: 530ef0b5abd9391248a2eda7065d34348394fca2e776fddd1dee4ec34a3764d4
size: 420665
this_path: /data/cuckoo/storage/analyses/4000872/files/1014/Recovery .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 153c2804b7bd753b05f09ffc7972f8aa
name: System Volume Information .exe
new_size: 410KB (420665bytes)
operation: Modify file
path: C:\System Volume Information .exe
processid: 1084
processname: npdfwy.exe
sha1: 9c98a68bffe95c53d21bb8fc3dfc5f098062a31e
sha256: 353d4ec857190873eea4a67572c8f29d00f8567d9bf2cac8f7c7e09d547d388a
size: 420665
this_path: /data/cuckoo/storage/analyses/4000872/files/1015/System Volume Information .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 9588ec8610be2ad5cd599e1a1c936213
name: Users .exe
new_size: 410KB (420665bytes)
operation: Modify file
path: C:\Users .exe
processid: 1084
processname: npdfwy.exe
sha1: 28a9065c57ade710eb9eb4843d18c89d3210883f
sha256: 6db4ea4c89cda9797d49c0e83ad7da893a6bac6b0d3fd2a0c09f683698701284
size: 420665
this_path: /data/cuckoo/storage/analyses/4000872/files/1016/Users .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: e4f7384634ac30169b18ca23cb8b9227
name: Windows .exe
new_size: 410KB (420665bytes)
operation: Modify file
path: C:\Windows .exe
processid: 1084
processname: npdfwy.exe
sha1: db58dbe69900a20b0cb7ba57c768b31e42ebcec3
sha256: 1d1c9f0ac825f26703f027b262aa5433c6188cbacba0197a1f14f92def2585ba
size: 420665
this_path: /data/cuckoo/storage/analyses/4000872/files/1017/Windows .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: c1264538a8e5e27663a8b98dd8735cf6
name: $RECYCLE.BIN .exe
new_size: 410KB (420665bytes)
operation: Modify file
path: C:\$RECYCLE.BIN .exe
processid: 1084
processname: npdfwy.exe
sha1: e9754dd8aa68f627c9761bf838e1d3ccbf5226d3
sha256: b84b7e5459500bab2227b2645afee5bbfbadf91e6570d950a9aacdbef35e9852
size: 420665
this_path: /data/cuckoo/storage/analyses/4000872/files/1018/$RECYCLE.BIN .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Dropped Unsafe

analysis_result: Trojan.Win32.Agent.nezvfi
create: 0
how: write
md5: d438a9cb11c8802e793d8a886b436a09
name: npdfwy.exe
new_size: 260KB (266842bytes)
operation: Modify file
path: C:\ProgramData\npdfwy.exe
processid: 2976
processname: 1620835228263_5c1c7300434d225463380047e752d786.exe
sha1: 08fda53b73810bdc74bb439ab8c6547577289288
sha256: 9d088c2e865b38791673532e002cadbb7722cde9410d756cb6421c65b83bdc9a
size: 266842
this_path: /data/cuckoo/storage/analyses/4000872/files/1000/npdfwy.exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Malicious

attck_tactics: Other malicious behaviour
level: 1
matchedinfo: The malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 3
process_id: 2976
process_name: 1620835228263_5c1c7300434d225463380047e752d786.exe
rulename: Change memory region protection to readable, writable and executable
attck_tactics: Basic information gathering
level: 1
matchedinfo: Searches for specified target files by enumerating the file system
num: 30
process_id: 2976
process_name: 1620835228263_5c1c7300434d225463380047e752d786.exe
rulename: Enumerate files
attck_tactics: Defense evasion
level: 2
matchedinfo: Modifies the "show hidden files" setting in order to hide files
num: 180
process_id: 2976
process_name: 1620835228263_5c1c7300434d225463380047e752d786.exe
rulename: Query hidden-file setting
attck_tactics: Persistence
level: 2
matchedinfo: The malicious program modifies the registry so that it starts automatically with the system, in order to maintain long-term control of or residence on the system
num: 8
process_id: 1084
process_name: npdfwy.exe
rulename: Write autostart registry key, add autostart entry 2
attck_tactics: Basic information gathering
level: 1
matchedinfo: Searches for specified target files by enumerating the file system
num: 18
process_id: 1084
process_name: npdfwy.exe
rulename: Enumerate files