VirSCAN

1. You can UPLOAD any file, but there is a 20 MB limit per file.
2. VirSCAN supports Rar/Zip decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.
4. If your browser cannot upload files, please download the VirSCAN uploader to upload.

Basic information

File name: 00皇帝成长计划
File size: 1906744
File type: application/x-dosexec
MD5: c770caa9af28060035dc308225a315c5
SHA1: 62e308f97a6ddeb771f96b457da349eb61608272

 CreateProcess

ApplicationName: C:\Windows\System32\cmd.exe
CmdLine: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Administrator\AppData\Local\Temp\1620370853185_c770caa9af28060035dc308225a315c5.exe"
childid: 1912
childname: cmd.exe
childpath: C:\Windows\SysWOW64\cmd.exe
drop_type:
name: 1620370853185_c770caa9af28060035dc308225a315c5.exe
noNeedLine: 1
path: C:\Users\Administrator\AppData\Local\Temp\1620370853185_c770caa9af28060035dc308225a315c5.exe
pid: 888
ApplicationName: C:\Windows\System32\PING.EXE
CmdLine: ping 127.0.0.1
childid: 844
childname: PING.EXE
childpath: C:\Windows\SysWOW64\PING.EXE
drop_type:
name: cmd.exe
noNeedLine:
path: C:\Windows\SysWOW64\cmd.exe
pid: 1912
ApplicationName:
CmdLine:
childid: 888
childname: 1620370853185_c770caa9af28060035dc308225a315c5.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1620370853185_c770caa9af28060035dc308225a315c5.exe
drop_type:
name:
noNeedLine:
path:
pid: 1928

 Behavior_analysis

message: Attempts to evade sandbox detection by sleeping for a long time
name: Long sleep
szSubkey:
score: 2

 Malicious

attck_tactics: Execution
level: 2
matchedinfo: The malicious program opens a thread in order to manipulate other threads
num: 9
process_id: 888
process_name: 1620370853185_c770caa9af28060035dc308225a315c5.exe
rulename: Open other threads
attck_tactics: Defense Evasion
level: 2
matchedinfo: Checks whether the program is running in a VirtualBox environment. Commonly used by malware for sandbox evasion
num: 49
process_id: 888
process_name: 1620370853185_c770caa9af28060035dc308225a315c5.exe
rulename: Sandbox evasion - check for VirtualBox
attck_tactics: Defense Evasion
level: 2
matchedinfo: Checks whether the program is running in a Sandboxie environment. Commonly used by malware for sandbox evasion
num: 52
process_id: 888
process_name: 1620370853185_c770caa9af28060035dc308225a315c5.exe
rulename: Sandbox evasion - check for Sandboxie
attck_tactics: Other malicious behavior
level: 1
matchedinfo: The malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 105
process_id: 888
process_name: 1620370853185_c770caa9af28060035dc308225a315c5.exe
rulename: Set memory region to readable, writable and executable
attck_tactics: Other malicious behavior
level: 1
matchedinfo: The malicious program creates a network connection in order to communicate over the network
num: 182
process_id: 888
process_name: 1620370853185_c770caa9af28060035dc308225a315c5.exe
rulename: Create network socket connection
attck_tactics: Defense Evasion
level: 2
matchedinfo: The malicious program drops a file from its resource section and runs it in order to hide malicious code
num: 216
process_id: 888
process_name: 1620370853185_c770caa9af28060035dc308225a315c5.exe
rulename: Drop file from resource section and run it
attck_tactics: Command and Control
level: 2
matchedinfo: The malicious program may connect over a non-standard port to steal data
num: 451
process_id: 888
process_name: 1620370853185_c770caa9af28060035dc308225a315c5.exe
rulename: Connect to non-standard port
attck_tactics: Defense Evasion
level: 3
matchedinfo: The malicious program deletes a file via the command line in order to deceive or confuse the user or to hinder forensics on the malicious file
num: 529
process_id: 888
process_name: 1620370853185_c770caa9af28060035dc308225a315c5.exe
rulename: Delete file (via command line)
attck_tactics: Execution
level: 2
matchedinfo: The malicious program opens a thread in order to manipulate other threads
num: 2
process_id: 1912
process_name: cmd.exe
rulename: Open other threads
attck_tactics: Basic information gathering
level: 1
matchedinfo: Searches for specified target files by enumerating files
num: 27
process_id: 1912
process_name: cmd.exe
rulename: Enumerate files