VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.
4, If your browser cannot upload files, please download VirSCAN uploader to upload.


Basic Information

file name: 00祖宗十九代
file size: 420160
file type: application/x-dosexec
MD5: e5a83697deefa650e3a5cc12d88d19b8
sha1: 2716ed04501f62882a271b21549fd402386156c5

CreateProcess

ApplicationName: C:\ProgramData\ufgnui.exe
CmdLine:
childid: 2880
childname: ufgnui.exe
childpath: C:\ProgramData\ufgnui.exe
drop_type: 1
name: 1620581413800_e5a83697deefa650e3a5cc12d88d19b8.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1620581413800_e5a83697deefa650e3a5cc12d88d19b8.exe
pid: 1332
ApplicationName:
CmdLine:
childid: 1332
childname: 1620581413800_e5a83697deefa650e3a5cc12d88d19b8.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1620581413800_e5a83697deefa650e3a5cc12d88d19b8.exe
drop_type:
name:
noNeedLine:
path:
pid: 2060

Summary

buffer: C:\ProgramData\ufgnui.exe
processid: 2880
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
type: REG_SZ
valuename: Microsoft® Windows® Operating System

Dropped (Safe)

analysis_result: safe
create: 0
how: write
md5: aef10b9ba25f907727558514f2dfbab0
name: Mira.h
new_size: 150KB (154322bytes)
operation: modify file
path: C:\ProgramData\Saaaalamm\Mira.h
processid: 1332
processname: 1620581413800_e5a83697deefa650e3a5cc12d88d19b8.exe
sha1: d67383ef1b23d4da72339d66de9541c2e1efaf53
sha256: f5e77ddc706f6dffe056dc2f8a88adece36e0e4552bc70a85f36b1e01fe547ad
size: 154322
this_path: /data/cuckoo/storage/analyses/5000468/files/1001/Mira.h
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: safe
create: 0
how: write
md5: e7fdb6d555a1a875da683cf7892deeda
name: $Recycle.Bin .exe
new_size: 410KB (420162bytes)
operation: modify file
path: C:\$Recycle.Bin .exe
processid: 2880
processname: ufgnui.exe
sha1: 71a5f6e018917eb9597846482072c791853a4743
sha256: 1070b3b1101cf8ad16ab8c951d268195776b8272ff4e55ad0c77d8fc90421d0a
size: 420162
this_path: /data/cuckoo/storage/analyses/5000468/files/1002/$Recycle.Bin .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: safe
create: 0
how: write
md5: d0bc9fa6cf3d64f454b79a1a18c5feb9
name: Documents and Settings .exe
new_size: 410KB (420162bytes)
operation: modify file
path: C:\Documents and Settings .exe
processid: 2880
processname: ufgnui.exe
sha1: eeb545c77121e06f880cd258d49b29d4c4c2a813
sha256: a277ed95a1df3d843f7e541207d1e88fc3768f45dcaefd84cc54c7abb79b5b8e
size: 420162
this_path: /data/cuckoo/storage/analyses/5000468/files/1003/Documents and Settings .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: safe
create: 0
how: write
md5: f4ee568ea954462a4d21affd217de20c
name: mnlsx .exe
new_size: 410KB (420162bytes)
operation: modify file
path: C:\mnlsx .exe
processid: 2880
processname: ufgnui.exe
sha1: aa91e02c2b3e195e5f8358bc073c46d800f18691
sha256: 21724f89d5caef7f75e2f746be992486b354f00011badbb2295a24eacfd10a30
size: 420162
this_path: /data/cuckoo/storage/analyses/5000468/files/1004/mnlsx .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: safe
create: 0
how: write
md5: a9ad39233f5ac7d03d44910e406bb3f4
name: MSOCache .exe
new_size: 410KB (420162bytes)
operation: modify file
path: C:\MSOCache .exe
processid: 2880
processname: ufgnui.exe
sha1: b7d1b282f5183b7c3fcb60eea27c29dbd47455e4
sha256: aa313cbed0100a81302b960ae1d89420d0bf6b39459ed6fd1e9968a44a32e3b9
size: 420162
this_path: /data/cuckoo/storage/analyses/5000468/files/1005/MSOCache .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: safe
create: 0
how: write
md5: d9486c11474211a2841412b9a582a7b5
name: pagefile.sys .exe
new_size: 410KB (420162bytes)
operation: modify file
path: C:\pagefile.sys .exe
processid: 2880
processname: ufgnui.exe
sha1: 88f83cbd6129722ec7474119fd5fe9e72553cc59
sha256: 9624fd59d00c739eb36b99c6f8dbbeb017e2602fe067dbb52b6ffde1fb5366e0
size: 420162
this_path: /data/cuckoo/storage/analyses/5000468/files/1006/pagefile.sys .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: safe
create: 0
how: write
md5: 20bfd9960b324595937e72fcb9f495e6
name: PerfLogs .exe
new_size: 410KB (420162bytes)
operation: modify file
path: C:\PerfLogs .exe
processid: 2880
processname: ufgnui.exe
sha1: 7c68a661771e3a564d30fefdc80d5fa228967102
sha256: 5c2b3ad5cb058e09e362cc6e22eb19920f6afb21ed3431b3db4f7334cfa6d06a
size: 420162
this_path: /data/cuckoo/storage/analyses/5000468/files/1007/PerfLogs .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: safe
create: 0
how: write
md5: ff92c9f52a6c956dae1eeccd229dbf13
name: Program Files .exe
new_size: 410KB (420162bytes)
operation: modify file
path: C:\Program Files .exe
processid: 2880
processname: ufgnui.exe
sha1: 8f1624467262f981cf6ad4db9fd5d1270cebb274
sha256: 5647491f7ed2946148e335de03d40fe6bb74cc5144c21b06be7188730234cd38
size: 420162
this_path: /data/cuckoo/storage/analyses/5000468/files/1008/Program Files .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: safe
create: 0
how: write
md5: 0b240a5fd81b251291be5e804e2ebf97
name: Program Files (x86) .exe
new_size: 410KB (420162bytes)
operation: modify file
path: C:\Program Files (x86) .exe
processid: 2880
processname: ufgnui.exe
sha1: c5d8d327476a947dfbc5f433bdeaf972cbcc98ac
sha256: fabd8c8091be0ed90ba43470eab0d768405cb808aa768b6b35661dfc5189e101
size: 420162
this_path: /data/cuckoo/storage/analyses/5000468/files/1009/Program Files (x86) .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: safe
create: 0
how: write
md5: dff1ba23afa747494bf93f763bc8d0c0
name: ProgramData .exe
new_size: 410KB (420162bytes)
operation: modify file
path: C:\ProgramData .exe
processid: 2880
processname: ufgnui.exe
sha1: c8e7f6047fc3055698a643a7e2ae7b989c50c8d5
sha256: 7b780a6b826424f36099d2f7f15b1457e5166f646c4db5090ecf5836ba1936f0
size: 420162
this_path: /data/cuckoo/storage/analyses/5000468/files/1010/ProgramData .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: safe
create: 0
how: write
md5: 454eeced8677fba0d1015325f4b5aef8
name: Python27 .exe
new_size: 410KB (420162bytes)
operation: modify file
path: C:\Python27 .exe
processid: 2880
processname: ufgnui.exe
sha1: cb119f69c81f66a008ffa0e216959408e05cc456
sha256: 7b932ba14582ca007935644013536f78161eb314428d9154f5577128fabb70bd
size: 420162
this_path: /data/cuckoo/storage/analyses/5000468/files/1011/Python27 .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: safe
create: 0
how: write
md5: f01f7ee43c53da0d6c0ffdddffa08272
name: Recovery .exe
new_size: 410KB (420162bytes)
operation: modify file
path: C:\Recovery .exe
processid: 2880
processname: ufgnui.exe
sha1: c88a84402d78a297a7ff7ab3ec742546ee394fee
sha256: 4f209621da191a8b916b848b51e118153f6b94919c41eaf368d2dcf37f07beca
size: 420162
this_path: /data/cuckoo/storage/analyses/5000468/files/1012/Recovery .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: safe
create: 0
how: write
md5: 1622e29d893e280bf455fa0e87d8b833
name: RuTPKWyc .exe
new_size: 410KB (420162bytes)
operation: modify file
path: C:\RuTPKWyc .exe
processid: 2880
processname: ufgnui.exe
sha1: 3fab839c414f0869c05a3fbebed72486de58a19f
sha256: 4b0c6c68029865a671dc2baba5d20dbdcc92fb04cee1f5fc65c3000bfcd9582b
size: 420162
this_path: /data/cuckoo/storage/analyses/5000468/files/1013/RuTPKWyc .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: safe
create: 0
how: write
md5: d87265c49723806b0b644e56c7daeb07
name: System Volume Information .exe
new_size: 410KB (420162bytes)
operation: modify file
path: C:\System Volume Information .exe
processid: 2880
processname: ufgnui.exe
sha1: 5f6c453ae83965ed01ffb95fd271c8ece972e264
sha256: d2636d2b6b87cf3ff148aef6f28182deb1805fd5147720afa80e9d54927765b1
size: 420162
this_path: /data/cuckoo/storage/analyses/5000468/files/1014/System Volume Information .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: safe
create: 0
how: write
md5: 8098db199a190a05256345e06b17dc2d
name: tYZYnRvS .exe
new_size: 410KB (420162bytes)
operation: modify file
path: C:\tYZYnRvS .exe
processid: 2880
processname: ufgnui.exe
sha1: b5141928bb9df6e898adb41e23e9030bc78434a5
sha256: b6e903d500ffdd9878c47f5d072de54cb43251bacb3930f31df888315224a410
size: 420162
this_path: /data/cuckoo/storage/analyses/5000468/files/1015/tYZYnRvS .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: safe
create: 0
how: write
md5: 937691c96d7cc1c47683a443e185b1d0
name: Users .exe
new_size: 410KB (420162bytes)
operation: modify file
path: C:\Users .exe
processid: 2880
processname: ufgnui.exe
sha1: f1904d5d25f2b450e71f69edb79e31086f3b6768
sha256: 42807feef4f53913cb6f10f224ddf6b28d11250d405e5d076fb0bc40a217079e
size: 420162
this_path: /data/cuckoo/storage/analyses/5000468/files/1016/Users .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: safe
create: 0
how: write
md5: f59ad4d63652b475cb96694aeb8a185b
name: VBQMNUNJMXN .exe
new_size: 81KB (83804bytes)
operation: modify file
path: C:\VBQMNUNJMXN .exe
processid: 2880
processname: ufgnui.exe
sha1: 7749fa389813f98d94f6126e147a619784cca4d7
sha256: d37bd70f0f5a9b48bedb6d4035c0c657715046b0c0504c5b8aba8b5608963a11
size: 83804
this_path: /data/cuckoo/storage/analyses/5000468/files/1017/VBQMNUNJMXN .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Dropped (Unsafe)

analysis_result: Trojan.Win32.Agent.nezvfi
create: 0
how: write
md5: 54373c96ab0b9af988cdc83daea2fb59
name: ufgnui.exe
new_size: 259KB (265828bytes)
operation: modify file
path: C:\ProgramData\ufgnui.exe
processid: 1332
processname: 1620581413800_e5a83697deefa650e3a5cc12d88d19b8.exe
sha1: d1917620f0bc747893634cc8b6092da3694e1101
sha256: ac94debb5acd2012b35f4564ae7f310e4b9a17038f4fc4f7eac975629e9f35b7
size: 265828
this_path: /data/cuckoo/storage/analyses/5000468/files/1000/ufgnui.exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Malicious

attck_tactics: Other malicious behaviour
level: 1
matchedinfo: The malware modifies memory attributes in order to decrypt and execute malicious code in memory
num: 3
process_id: 1332
process_name: 1620581413800_e5a83697deefa650e3a5cc12d88d19b8.exe
rulename: Modify memory region to readable, writable and executable
attck_tactics: Basic information gathering
level: 1
matchedinfo: Enumerates files to locate specified target files
num: 30
process_id: 1332
process_name: 1620581413800_e5a83697deefa650e3a5cc12d88d19b8.exe
rulename: Enumerate files
attck_tactics: Defense evasion
level: 2
matchedinfo: Modifies the hidden-files view setting in order to hide files
num: 180
process_id: 1332
process_name: 1620581413800_e5a83697deefa650e3a5cc12d88d19b8.exe
rulename: Query hidden-file setting
attck_tactics: Persistence
level: 2
matchedinfo: The malicious program modifies the registry so that it starts automatically with the system, in order to maintain long-term control of or presence on the system
num: 8
process_id: 2880
process_name: ufgnui.exe
rulename: Write autorun registry key, add autostart 2
attck_tactics: Basic information gathering
level: 1
matchedinfo: Enumerates files to locate specified target files
num: 18
process_id: 2880
process_name: ufgnui.exe
rulename: Enumerate files