VirSCAN

1, You can UPLOAD any file, but there is a 20MB limit per file.
2, VirSCAN supports Rar/Zip decompression, but the archive must contain fewer than 20 files.
3, VirSCAN can scan password-protected archives if the password is 'infected' or 'virus'.
4, If your browser cannot upload files, please download the VirSCAN uploader to upload.


Basic Information

file name: 00重庆森林
file size: 420134
file type: application/x-dosexec
MD5: a8b63be22d34efba19558cdda481b8d4
sha1: 13a4b27b7ec79085303a3029987c71107a984791

 CreateProcess

ApplicationName: C:\ProgramData\nyllbi.exe
CmdLine:
childid: 2000
childname: nyllbi.exe
childpath: C:\ProgramData\nyllbi.exe
drop_type: 1
name: 1620286256053_a8b63be22d34efba19558cdda481b8d4.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1620286256053_a8b63be22d34efba19558cdda481b8d4.exe
pid: 1948

ApplicationName:
CmdLine:
childid: 1948
childname: 1620286256053_a8b63be22d34efba19558cdda481b8d4.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1620286256053_a8b63be22d34efba19558cdda481b8d4.exe
drop_type:
name:
noNeedLine:
path:
pid: 1128

 Summary

buffer: C:\ProgramData\nyllbi.exe
processid: 2000
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
type: REG_SZ
valuename: Microsoft® Windows® Operating System
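The Summary above records nyllbi.exe (PID 2000) writing a REG_SZ value named "Microsoft® Windows® Operating System" under HKCU\Software\Microsoft\Windows\CurrentVersion\Run that points at C:\ProgramData\nyllbi.exe. The following Python script is an added example, not part of the VirSCAN report or its tooling, that audits Run-key entries for exactly this pattern: an autostart binary in a user-writable directory, a value name that borrows Microsoft branding (including the non-ASCII ® character) while the binary lives outside a trusted system path, and unquoted paths containing spaces. The sample entries, the list of user-writable roots and the list of trusted roots are constructed assumptions to be tuned per estate; read_hkcu_run() reads the live key only on Windows, through the standard-library winreg module.

```python
# Added example (not the VirSCAN report's own code): audit HKCU Run entries for
# the persistence pattern recorded in the report's Summary section.
import re
import sys
from typing import Dict, List, Tuple

# Constructed input: the value the sandbox saw nyllbi.exe (PID 2000) write,
# plus a benign-looking quoted entry for contrast (hypothetical product path).
SAMPLE_RUN_ENTRIES: List[Tuple[str, str]] = [
    ("Microsoft\u00ae Windows\u00ae Operating System", r"C:\ProgramData\nyllbi.exe"),
    ("OneDrive", r'"C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

# Assumption: locations a legitimate product rarely auto-starts from (tune per estate).
USER_WRITABLE_ROOTS = (r"c:\programdata", r"c:\users\public", r"\appdata\local\temp", r"c:\$recycle.bin")
# Assumption: roots under which Microsoft/Windows-branded binaries normally live.
TRUSTED_ROOTS = (r"c:\windows\\", r"c:\program files\\", r"c:\program files (x86)\\")


def _executable_path(data: str) -> str:
    """Return the executable part of a Run value (strip quotes and arguments)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    # Unquoted: the path ends at the first ".exe" if there is one.
    m = re.match(r"(.+?\.exe)", data, re.IGNORECASE)
    return m.group(1) if m else data.split(" ")[0]


def audit_run_entry(value_name: str, data: str) -> List[str]:
    """Return the reasons this Run entry looks like malware persistence ([] if clean)."""
    reasons: List[str] = []
    exe = _executable_path(data)
    low = exe.lower()
    if any(root in low for root in USER_WRITABLE_ROOTS):
        reasons.append(f"autostart from user-writable location: {exe}")
    # Non-ASCII characters (here U+00AE) in a value name imitate vendor branding.
    if any(ord(ch) > 127 for ch in value_name):
        reasons.append("non-ASCII characters in value name (branding mimicry)")
    branded = re.search(r"\b(microsoft|windows|operating system)\b", value_name, re.IGNORECASE)
    if branded and not low.startswith(TRUSTED_ROOTS):
        reasons.append("value name claims Microsoft/Windows but binary is outside trusted roots")
    if not data.strip().startswith('"') and " " in exe:
        reasons.append("unquoted path containing spaces")
    return reasons


def audit_run_entries(entries: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each suspicious value name to its reasons; clean entries are omitted."""
    findings: Dict[str, List[str]] = {}
    for name, data in entries:
        reasons = audit_run_entry(name, data)
        if reasons:
            findings[name] = reasons
    return findings


def read_hkcu_run() -> List[Tuple[str, str]]:
    """Read the live HKCU Run key. Windows only; returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg  # standard library, Windows only
    entries: List[Tuple[str, str]] = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            entries.append((name, str(data)))
            index += 1
    return entries


if __name__ == "__main__":
    # Use the live key where available, otherwise the constructed sample.
    for name, reasons in audit_run_entries(read_hkcu_run() or SAMPLE_RUN_ENTRIES).items():
        print(f"{name!r}: " + "; ".join(reasons))
```

On a host infected with this sample the report's own entry triggers three of the four checks; the same logic can be run over exported registry hives or Sysmon event 13 (RegistryEvent value set) records by feeding (value name, data) pairs into audit_run_entries().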

 Dropped_Save

analysis_result: Safe
create: 0
how: write
md5: aef10b9ba25f907727558514f2dfbab0
name: Mira.h
new_size: 150KB (154322bytes)
operation: Modify file
path: C:\ProgramData\Saaaalamm\Mira.h
processid: 1948
processname: 1620286256053_a8b63be22d34efba19558cdda481b8d4.exe
sha1: d67383ef1b23d4da72339d66de9541c2e1efaf53
sha256: f5e77ddc706f6dffe056dc2f8a88adece36e0e4552bc70a85f36b1e01fe547ad
size: 154322
this_path: /data/cuckoo/storage/analyses/58/files/1001/Mira.h
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

analysis_result: Safe
create: 0
how: write
md5: aabd2f162bedc8488b4d34a92f43d12c
name: $Recycle.Bin .exe
new_size: 410KB (420136bytes)
operation: Modify file
path: C:\$Recycle.Bin .exe
processid: 2000
processname: nyllbi.exe
sha1: 15bcdda3f0a8b04388afdca78e28e11ee4e725ca
sha256: 8a6a43cdf5b98472513dd5b026b34c1d47c109f60a85ead44378fd299c7c7dda
size: 420136
this_path: /data/cuckoo/storage/analyses/58/files/1002/$Recycle.Bin .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

analysis_result: Safe
create: 0
how: write
md5: 0bd8efce7684f6a299a14c8e755e7523
name: ArtWGCd .exe
new_size: 410KB (420136bytes)
operation: Modify file
path: C:\ArtWGCd .exe
processid: 2000
processname: nyllbi.exe
sha1: 05820b1fe9686d2398d98c0723788a6675637066
sha256: 4c809d6f4ab7eab8c98b8eee13c9242aa33c0a0657859fbc5a4e774ab864291b
size: 420136
this_path: /data/cuckoo/storage/analyses/58/files/1003/ArtWGCd .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

analysis_result: Safe
create: 0
how: write
md5: a6229fff2776e373328de0c92e27767e
name: Documents and Settings .exe
new_size: 410KB (420136bytes)
operation: Modify file
path: C:\Documents and Settings .exe
processid: 2000
processname: nyllbi.exe
sha1: 7147d3da5e6eee5aebc9fab4a8b9cf8d5fa9e1e7
sha256: 15c16485558986f81e31513eb37e69b1434347e705ea481aa6661310dd8a8f63
size: 420136
this_path: /data/cuckoo/storage/analyses/58/files/1004/Documents and Settings .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

analysis_result: Safe
create: 0
how: write
md5: bdcca429afc317f9b37da6fe5a2eeea2
name: mnlsx .exe
new_size: 410KB (420136bytes)
operation: Modify file
path: C:\mnlsx .exe
processid: 2000
processname: nyllbi.exe
sha1: 3fdb781e7cce67dd244c2afdce318f74b2bf3323
sha256: 47dd6b9ec51f1a97d1fb1081368ef1cfca80b209233feb5c78c29998afc34bad
size: 420136
this_path: /data/cuckoo/storage/analyses/58/files/1005/mnlsx .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

analysis_result: Safe
create: 0
how: write
md5: 933aec751371824875a4c34ea8e556a0
name: MSOCache .exe
new_size: 410KB (420136bytes)
operation: Modify file
path: C:\MSOCache .exe
processid: 2000
processname: nyllbi.exe
sha1: d0e8a61e8460e1425ddf99253935676923a808cf
sha256: b79ea9d6290f1c8f54883f2e50b80e5c28433570390b00672f6ece56b3e11001
size: 420136
this_path: /data/cuckoo/storage/analyses/58/files/1006/MSOCache .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

analysis_result: Safe
create: 0
how: write
md5: da76d99b6af674fcb159e16161f5b9e5
name: pagefile.sys .exe
new_size: 410KB (420136bytes)
operation: Modify file
path: C:\pagefile.sys .exe
processid: 2000
processname: nyllbi.exe
sha1: e2efa5d8811d8e1f57b058e8ea0244a29c2f9782
sha256: 8e31061ae9a57aed4853725f9626f54dad65b3fab018bc526903ec88dbc9acd7
size: 420136
this_path: /data/cuckoo/storage/analyses/58/files/1007/pagefile.sys .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

analysis_result: Safe
create: 0
how: write
md5: 78fef3c2c64792acf78e44841f6ef650
name: PerfLogs .exe
new_size: 410KB (420136bytes)
operation: Modify file
path: C:\PerfLogs .exe
processid: 2000
processname: nyllbi.exe
sha1: 206cdc01c77ad1f0761c46fd17617ac5043b4d90
sha256: 088b565d564fc8f52c4a3fdafec518810d2575763661377b010e1df15de663df
size: 420136
this_path: /data/cuckoo/storage/analyses/58/files/1008/PerfLogs .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

analysis_result: Safe
create: 0
how: write
md5: 346331fea5ec71878e7d973c6d432f25
name: Program Files .exe
new_size: 410KB (420136bytes)
operation: Modify file
path: C:\Program Files .exe
processid: 2000
processname: nyllbi.exe
sha1: c9f2e971818c42c75112b34d7433a81d6d7ec2a9
sha256: 8c0ec116dd0ee900f3a95f77df7ea1312b397af0fb2450817e291c22805946c2
size: 420136
this_path: /data/cuckoo/storage/analyses/58/files/1009/Program Files .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

analysis_result: Safe
create: 0
how: write
md5: 448068c2ab4769eb6d7e7ec296c57f66
name: Program Files (x86) .exe
new_size: 410KB (420136bytes)
operation: Modify file
path: C:\Program Files (x86) .exe
processid: 2000
processname: nyllbi.exe
sha1: 696021cbc02897fd102018899e8556b774074a41
sha256: 5dae7097005990de80b5f64db14bb2c7e13b0e00a93e805bdd1aec201e97fa71
size: 420136
this_path: /data/cuckoo/storage/analyses/58/files/1010/Program Files (x86) .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

analysis_result: Safe
create: 0
how: write
md5: 42d297f646c61b7d660d936525facad7
name: ProgramData .exe
new_size: 410KB (420136bytes)
operation: Modify file
path: C:\ProgramData .exe
processid: 2000
processname: nyllbi.exe
sha1: dfb9136102ae054fea19365bf284625c7c1aaeb6
sha256: e5ae41470f1f8aaa8dcd2028490ccedb2a01a05e56fda922640770199f08ae36
size: 420136
this_path: /data/cuckoo/storage/analyses/58/files/1011/ProgramData .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

analysis_result: Safe
create: 0
how: write
md5: 2f50d69de5a3245a97dbd4ce3a046d59
name: Python27 .exe
new_size: 410KB (420136bytes)
operation: Modify file
path: C:\Python27 .exe
processid: 2000
processname: nyllbi.exe
sha1: eebc1aa50cd9d8aad33f0dc3f65e29cdad7f78af
sha256: 03aed730304e4fc115e779fa12428e9fe2f93de85ff984a5daeec1318bb186bd
size: 420136
this_path: /data/cuckoo/storage/analyses/58/files/1012/Python27 .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

analysis_result: Safe
create: 0
how: write
md5: 4967af9a861de0585c6e78199373768e
name: Recovery .exe
new_size: 410KB (420136bytes)
operation: Modify file
path: C:\Recovery .exe
processid: 2000
processname: nyllbi.exe
sha1: e111371200608f0dd1f53f8245bc2bc0b3037f43
sha256: a582502ee2d5cfa4c2a5e43165496f2e614e3a768d3f9cce41849d5e49fab659
size: 420136
this_path: /data/cuckoo/storage/analyses/58/files/1013/Recovery .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

analysis_result: Safe
create: 0
how: write
md5: 70a5b341902abf8f3984f34eb6d401b8
name: System Volume Information .exe
new_size: 410KB (420136bytes)
operation: Modify file
path: C:\System Volume Information .exe
processid: 2000
processname: nyllbi.exe
sha1: 4974ede9836568c6512b6837f633dc92d8bd32fb
sha256: 1789c784773c58686832e82079bfbc7f9b78e5ffee97c44b9ddc6893cd0740a7
size: 420136
this_path: /data/cuckoo/storage/analyses/58/files/1014/System Volume Information .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

analysis_result: Safe
create: 0
how: write
md5: a68f023083888098a05f32be40c913eb
name: Users .exe
new_size: 410KB (420136bytes)
operation: Modify file
path: C:\Users .exe
processid: 2000
processname: nyllbi.exe
sha1: 4b1ac69d13a07f35bc9598d4f139a80ce7ba507a
sha256: 351c2b556b92e8d12ae733d65aaf372c4b5d42e3fa8a374802b54d1d38aacbea
size: 420136
this_path: /data/cuckoo/storage/analyses/58/files/1015/Users .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

analysis_result: Safe
create: 0
how: write
md5: 6d568c83382c0cd3c30e165b551f595f
name: Windows .exe
new_size: 410KB (420136bytes)
operation: Modify file
path: C:\Windows .exe
processid: 2000
processname: nyllbi.exe
sha1: 51ae3e5bb75193506c879dc15ccd7726e3c2776a
sha256: 2a7b89233955714345ba47f4e98a5d208324672989330e8367797fdc5dd3cab8
size: 420136
this_path: /data/cuckoo/storage/analyses/58/files/1016/Windows .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

 Dropped Unsafe

analysis_result: Trojan.Win32.Agent.nezvfi
create: 0
how: write
md5: 6fb41ebe437c739b8ca246cfe9b7cd49
name: nyllbi.exe
new_size: 259KB (265802bytes)
operation: Modify file
path: C:\ProgramData\nyllbi.exe
processid: 1948
processname: 1620286256053_a8b63be22d34efba19558cdda481b8d4.exe
sha1: fa7da5681d08f845f2e3154df3b8c84d0eff163d
sha256: 3c8a68e42a8c9835c534d9195e9be4acde03ca6df03ed5332795b053c5c4e735
size: 265802
this_path: /data/cuckoo/storage/analyses/58/files/1000/nyllbi.exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
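Every one of the sixteen files that nyllbi.exe wrote to the volume root is 420136 bytes, carries a different MD5/SHA-1/SHA-256, and is named after an existing root directory with a space inserted before .exe (C:\Windows .exe, C:\Program Files .exe, C:\$Recycle.Bin .exe, ...), yet each is listed under the "Safe" dropped files: that verdict only means no signature matched, while the name pattern and the identical size are what a triage analyst should act on. The Python below is an added example, not the report's own tooling, that parses the flat "key: value" records used throughout this page and flags that root-directory mimicry independent of the AV verdict. The embedded excerpt is constructed from four of the records above (values copied from the page, analysis_result given in English), so the script runs offline; point parse_records() at the full saved page text to process all seventeen.

```python
# Added example (not the VirSCAN report's own code): parse the dropped-file
# records and flag files that imitate a root directory ("<folder> .exe").
import re
from collections import Counter
from typing import Dict, List

# Constructed excerpt: four of the report's dropped-file records (the others
# follow the same layout).  Field names and values are copied from the page.
REPORT_EXCERPT = """\
analysis_result: Safe
md5: aabd2f162bedc8488b4d34a92f43d12c
name: $Recycle.Bin .exe
path: C:\\$Recycle.Bin .exe
processname: nyllbi.exe
size: 420136
analysis_result: Safe
md5: 6d568c83382c0cd3c30e165b551f595f
name: Windows .exe
path: C:\\Windows .exe
processname: nyllbi.exe
size: 420136
analysis_result: Safe
md5: aef10b9ba25f907727558514f2dfbab0
name: Mira.h
path: C:\\ProgramData\\Saaaalamm\\Mira.h
processname: 1620286256053_a8b63be22d34efba19558cdda481b8d4.exe
size: 154322
analysis_result: Trojan.Win32.Agent.nezvfi
md5: 6fb41ebe437c739b8ca246cfe9b7cd49
name: nyllbi.exe
path: C:\\ProgramData\\nyllbi.exe
processname: 1620286256053_a8b63be22d34efba19558cdda481b8d4.exe
size: 265802
"""

# "<drive>:\<name without backslashes><space>.exe": a file at the volume root
# whose name copies a directory name and appends " .exe".
ROOT_MIMIC = re.compile(r"^[A-Za-z]:\\[^\\]+ \.exe$")


def parse_records(text: str, first_key: str = "analysis_result") -> List[Dict[str, str]]:
    """Split flat 'key: value' lines into records; a new record starts at first_key."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # headings and blank lines
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == first_key and current:
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records


def flag_root_mimics(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Dropped files that imitate a root folder, regardless of the AV verdict."""
    return [r for r in records if ROOT_MIMIC.match(r.get("path", ""))]


def size_clusters(records: List[Dict[str, str]]) -> Counter:
    """Count files per byte size; one dominant size across many files means self-copies."""
    return Counter(int(r["size"]) for r in records if r.get("size", "").isdigit())


def triage(records: List[Dict[str, str]]) -> Dict[str, object]:
    """Summarise the mimicry pattern so it is visible even when every file is 'Safe'."""
    mimics = flag_root_mimics(records)
    sizes = size_clusters(mimics)
    return {
        "dropped": len(records),
        "root_mimics": len(mimics),
        "undetected_mimics": sum(1 for r in mimics if r.get("analysis_result") == "Safe"),
        "distinct_hashes": len({r.get("md5") for r in mimics}),
        "common_size": sizes.most_common(1)[0][0] if sizes else None,
    }


if __name__ == "__main__":
    print(triage(parse_records(REPORT_EXCERPT)))
```

The distinct hashes at identical size are worth recording as they stand: the sixteen root-level copies are the same size as each other (and two bytes larger than the submitted sample) but not byte-identical, so hash-based blocking of the original sample will not catch the copies, whereas the path pattern and the writing process (nyllbi.exe) will.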

 Malicious

attck_tactics: Other malicious behaviour
level: 1
matchedinfo: The malware changes memory page protections so that it can decrypt and execute malicious code in memory
num: 3
process_id: 1948
process_name: 1620286256053_a8b63be22d34efba19558cdda481b8d4.exe
rulename: Change memory region protection to readable/writable/executable (RWX)

attck_tactics: Basic information gathering
level: 1
matchedinfo: Searches for specified target files by enumerating the file system
num: 30
process_id: 1948
process_name: 1620286256053_a8b63be22d34efba19558cdda481b8d4.exe
rulename: Enumerate files

attck_tactics: Defense evasion
level: 2
matchedinfo: Modifies the "show hidden files" setting in order to hide files
num: 180
process_id: 1948
process_name: 1620286256053_a8b63be22d34efba19558cdda481b8d4.exe
rulename: Query hidden-file setting

attck_tactics: Persistence
level: 2
matchedinfo: The malware modifies the registry so that it starts automatically with the system, in order to maintain long-term control of, or residence on, the system
num: 8
process_id: 2000
process_name: nyllbi.exe
rulename: Write autostart registry key (add autostart 2)

attck_tactics: Basic information gathering
level: 1
matchedinfo: Searches for specified target files by enumerating the file system
num: 18
process_id: 2000
process_name: nyllbi.exe
rulename: Enumerate files