VirSCAN VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, Aplikace VirSCAN může skenovat komprimované soubory s heslem 'infected'nebo'virus'.
4, If your browser cannot upload files, please download VirSCAN uploader to upload.

Language
Server load
Server Load
VirSCAN
VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, Aplikace VirSCAN může skenovat komprimované soubory s heslem 'infected'nebo'virus'.

Basic Information

file name: 00大清隐龙
file size: 1663125
file type: application/x-dosexec
MD5: 952996f25ca9fdfbcad800c28078468f
sha1: f06744c612bf923fcb2ae3f5c6dfaa574a7cda9b

 CreateProcess

ApplicationName:
CmdLine:
childid: 2168
childname: 1621089028964_952996f25ca9fdfbcad800c28078468f.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1621089028964_952996f25ca9fdfbcad800c28078468f.exe
drop_type:
name:
noNeedLine:
path:
pid: 2380

 Summary

buffer: C:\Windows\system32\CSRLT.EXE
processid: 2168
szSubkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
type: REG_SZ
valuename: CSRLT.EXE
buffer: C:\Windows\MSBLT.EXE
processid: 2168
szSubkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
type: REG_SZ
valuename: MSBLT.EXE

 Dropped Unsave

analysis_result: HEUR:Trojan-Banker.Win32.Banker.gen
create: 0
how: write
md5: 9f5fa4dbc26c7fed269298f172e43dfe
name: MSBLT.EXE
new_size: 1624KB (1663125bytes)
operation: 修改文件
path: C:\Windows\MSBLT.EXE
processid: 2168
processname: 1621089028964_952996f25ca9fdfbcad800c28078468f.exe
sha1: a8f43c7b4a67ab521374b161274bfe5c47f78b77
sha256: 062949dc3446a2c23513fdcf6ef25e5633c26ddc5508fcc7477514e8c9e514d1
size: 1663125
this_path: /data/cuckoo/storage/analyses/6000467/files/1000/MSBLT.EXE
type: PE32 executable (GUI) Intel 80386, for MS Windows
analysis_result: HEUR:Trojan-Banker.Win32.Banker.gen
create: 0
how: write
md5: 8c9e2935347640c51d446b3219678e7b
name: CSRLT.EXE
new_size: 1624KB (1663125bytes)
operation: 修改文件
path: C:\Windows\SysWOW64\CSRLT.EXE
processid: 2168
processname: 1621089028964_952996f25ca9fdfbcad800c28078468f.exe
sha1: 9e3c81ae12e91de9f7b9ca8ef7d1dc9e6e16b5dd
sha256: c1efbf385f3ef9654eedbf7e7b0c4026d31f5da98f1be38956e4595ec7cc5398
size: 1663125
this_path: /data/cuckoo/storage/analyses/6000467/files/1001/CSRLT.EXE
type: PE32 executable (GUI) Intel 80386, for MS Windows

 Malicious

attck_tactics: 其他恶意行为
level: 2
matchedinfo: 恶意程序通过从资源段释放资源到内存中,进行解密操作
num: 89
process_id: 2168
process_name: 1621089028964_952996f25ca9fdfbcad800c28078468f.exe
rulename: 加载资源到内存
attck_tactics: 其他恶意行为
level: 1
matchedinfo: 恶意软件通过修改内存属性,以达到在内存中解密&执行恶意代码
num: 123
process_id: 2168
process_name: 1621089028964_952996f25ca9fdfbcad800c28078468f.exe
rulename: 修改内存地址为可读可写可执行
attck_tactics: 防御逃逸
level: 2
matchedinfo: 检查程序运行时监视鼠标是否移动。一般被恶意软件用于沙盒逃逸
num: 290
process_id: 2168
process_name: 1621089028964_952996f25ca9fdfbcad800c28078468f.exe
rulename: 获取当前鼠标位置
attck_tactics: 持久化
level: 2
matchedinfo: 恶意程序通过修改注册表的方式实现随系统自启动,以达到长期控制或驻留系统的目的
num: 297
process_id: 2168
process_name: 1621089028964_952996f25ca9fdfbcad800c28078468f.exe
rulename: 写入自启动注册表,增加自启动2
attck_tactics: 防御逃逸
level: 2
matchedinfo: 恶意程序通过拷贝文件到系统目录的方式,以达到隐藏恶意文件的目的
num: 307
process_id: 2168
process_name: 1621089028964_952996f25ca9fdfbcad800c28078468f.exe
rulename: 拷贝文件到系统目录