VirSCAN

1. You can upload any file, but there is a 20Mb limit per file.
2. VirSCAN supports Rar/Zip decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.
4. If your browser cannot upload files, please download the VirSCAN uploader to upload.


Basic Information

file name: 00半妖倾城
file size: 168448
file type: application/x-dosexec
MD5: 6d08add413b335b20159e72ac8b90a19
sha1: c51b6699638d605f00b9daed0cd8f2a04619ac74

 CreateProcess

ApplicationName:
CmdLine: "C:\Users\Administrator\AppData\Roaming\cqh944F.tmp.bat" "C:\Users\Administrator\AppData\Local\Temp\1621056610343_6d08add413b335b20159e72ac8b90a19.exe"
childid: 1320
childname: cmd.exe
childpath: C:\Windows\SysWOW64\cmd.exe
drop_type:
name: 1621056610343_6d08add413b335b20159e72ac8b90a19.exe
noNeedLine: 1
path: C:\Users\Administrator\AppData\Local\Temp\1621056610343_6d08add413b335b20159e72ac8b90a19.exe
pid: 2916
ApplicationName: C:\Windows\System32\attrib.exe
CmdLine: attrib -r -s -h "C:\Users\Administrator\AppData\Local\Temp\1621056610343_6d08add413b335b20159e72ac8b90a19.exe"
childid: 2600
childname: attrib.exe
childpath: C:\Windows\SysWOW64\attrib.exe
drop_type:
name: cmd.exe
noNeedLine:
path: C:\Windows\SysWOW64\cmd.exe
pid: 1320
ApplicationName:
CmdLine:
childid: 2916
childname: 1621056610343_6d08add413b335b20159e72ac8b90a19.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1621056610343_6d08add413b335b20159e72ac8b90a19.exe
drop_type:
name:
noNeedLine:
path:
pid: 3044

 Dropped (Safe)

analysis_result: Safe
create: 0
how: del
md5: 4eb1b6ed91659f9d41fe458a9dd8941b
name: cqh944F.tmp.bat
new_size: 53bytes
operation: File deleted after being dropped
path: C:\Users\Administrator\AppData\Roaming\cqh944F.tmp.bat
processid: 1320
processname: cmd.exe
sha1: 68b261cbb2fbf0111ed0832fcc58428a910b3244
sha256: 254d8883ba9766e1a4e79479d32e2740e93e16ed33b3455d62e8f9ff0a095050
size: 53
this_path: /data/cuckoo/storage/analyses/5000310/files/4999124733/cqh944F.tmp.bat
type: ASCII text, with CRLF line terminators
analysis_result: Safe
create: 0
how: write
md5: 28a6708081abfd4d7add1f2fabe84eb5
name: 2d17e659d34601689591
new_size: 29bytes
operation: File modified
path: C:\Users\Administrator\AppData\Local\Temp\2d17e659d34601689591
processid: 2916
processname: 1621056610343_6d08add413b335b20159e72ac8b90a19.exe
sha1: e902aece2e2b703243ded7b22a14561816acda6c
sha256: 0649560ba108d6a6834ff489d2cf7e8b23849178b0c9665cb40c0278752804b3
size: 29
this_path: /data/cuckoo/storage/analyses/5000310/files/1001/2d17e659d34601689591
type: ASCII text, with no line terminators

 Dropped (Unsafe)

analysis_result: Trojan-Banker.Win32.Shifu.eph
create: 0
how: write
md5: ecd2d61e0ecfd526a6f2d60a95197d21
name: db4db48224.exe
new_size: 164KB (168448bytes)
operation: File modified
path: C:\ProgramData\db4db48224.exe
processid: 2916
processname: 1621056610343_6d08add413b335b20159e72ac8b90a19.exe
sha1: a35c8765e17ad4e24f06761f47318f7b56aec785
sha256: f513c1e994ebd3eb327ce11f07e413117c0f625d386bf242b0203aea6c1bd24c
size: 168448
this_path: /data/cuckoo/storage/analyses/5000310/files/1000/db4db48224.exe
type: PE32 executable (GUI) Intel 80386, for MS Windows

 Malicious

attck_tactics: Other malicious behavior
level: 1
matchedinfo: Commonly used for file encryption or encrypted data transmission, and may be used in ransomware
num: 18
process_id: 2916
process_name: 1621056610343_6d08add413b335b20159e72ac8b90a19.exe
rulename: Calls a cryptographic algorithm library
attck_tactics: Defense evasion
level: 3
matchedinfo: The malware uses a batch script to delete legitimate files, itself, or files it dropped, in order to damage legitimate files or hide the malicious file
num: 56
process_id: 2916
process_name: 1621056610343_6d08add413b335b20159e72ac8b90a19.exe
rulename: Deletes files (via batch script)
attck_tactics: Defense evasion
level: 2
matchedinfo: Modifies the "show hidden files" setting in order to hide files
num: 212
process_id: 2916
process_name: 1621056610343_6d08add413b335b20159e72ac8b90a19.exe
rulename: Queries the hidden-file setting
attck_tactics: Execution
level: 2
matchedinfo: The malware opens a thread handle in order to manipulate other threads
num: 2
process_id: 1320
process_name: cmd.exe
rulename: Opens another thread
attck_tactics: Basic information gathering
level: 1
matchedinfo: Enumerates files to locate specified target files
num: 27
process_id: 1320
process_name: cmd.exe
rulename: Enumerates files
attck_tactics: Basic information gathering
level: 1
matchedinfo: Enumerates files to locate specified target files
num: 2
process_id: 2600
process_name: attrib.exe
rulename: Enumerates files