VirSCAN

1. You can upload any file, but with a limit of 20 MB per file.
2. VirSCAN supports Rar/Zip archives, but the archive must contain fewer than 20 files.
3. VirSCAN can scan archives protected with the password 'infected' or 'virus'.
4. Upload was NOT possible; please use the VirSCAN uploader.


Basic information

File name: 00热血江湖
File size: 352168
File type: application/x-dosexec
MD5: a804e39f264e56005ea0056fc0154bc3
sha1: 7acca59bf3da2af6ac1ff7f99994e95e6286cbe5

 CreateProcess

ApplicationName:
CmdLine: "C:\Users\ADMINI~1\AppData\Local\Temp\is-OOQSU.tmp\1620250214730_a804e39f264e56005ea0056fc0154bc3.tmp" /SL5="$40158,106590,54272,C:\Users\Administrator\AppData\Local\Temp\1620250214730_a804e39f264e56005ea0056fc0154bc3.exe"
childid: 1800
childname: 1620250214730_a804e39f264e56005ea0056fc0154bc3.tmp
childpath: C:\Users\Administrator\AppData\Local\Temp\is-OOQSU.tmp\1620250214730_a804e39f264e56005ea0056fc0154bc3.tmp
drop_type: 2
name: 1620250214730_a804e39f264e56005ea0056fc0154bc3.exe
noNeedLine: 1
path: C:\Users\Administrator\AppData\Local\Temp\1620250214730_a804e39f264e56005ea0056fc0154bc3.exe
pid: 1720
ApplicationName:
CmdLine:
childid: 1720
childname: 1620250214730_a804e39f264e56005ea0056fc0154bc3.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1620250214730_a804e39f264e56005ea0056fc0154bc3.exe
drop_type:
name:
noNeedLine:
path:
pid: 1456

 Dropped_Save

analysis_result: Safe
create: 0
how: write
md5: 8aa8c628f7b7b7f3e96eff00557bd0bf
name: 1620250214730_a804e39f264e56005ea0056fc0154bc3.tmp
new_size: 696KB (712704bytes)
operation: Modify file
path: C:\Users\Administrator\AppData\Local\Temp\is-OOQSU.tmp\1620250214730_a804e39f264e56005ea0056fc0154bc3.tmp
processid: 1720
processname: 1620250214730_a804e39f264e56005ea0056fc0154bc3.exe
sha1: 9af9cf61707cbba7bf0d7cbed94e8db91aff8bd6
sha256: 14d4fa3ea6c3fbf6e9d284de717e73a1ebb5e77f3d5c8c98808e40ade359ea9d
size: 712704
this_path: /data/cuckoo/storage/analyses/3/files/1000/1620250214730_a804e39f264e56005ea0056fc0154bc3.tmp
type: PE32 executable (GUI) Intel 80386, for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 0ee914c6f0bb93996c75941e1ad629c6
name: _RegDLL.tmp
new_size: 4096bytes
operation: Modify file
path: C:\Users\Administrator\AppData\Local\Temp\is-420NU.tmp\_isetup\_RegDLL.tmp
processid: 1800
processname: 1620250214730_a804e39f264e56005ea0056fc0154bc3.tmp
sha1: 12e2cb05506ee3e82046c41510f39a258a5e5549
sha256: 4dc09bac0613590f1fac8771d18af5be25a1e1cb8fdbf4031aa364f3057e74a2
size: 4096
this_path: /data/cuckoo/storage/analyses/3/files/1001/_RegDLL.tmp
type: PE32 executable (GUI) Intel 80386, for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 4ff75f505fddcc6a9ae62216446205d9
name: _setup64.tmp
new_size: 6144bytes
operation: Modify file
path: C:\Users\Administrator\AppData\Local\Temp\is-420NU.tmp\_isetup\_setup64.tmp
processid: 1800
processname: 1620250214730_a804e39f264e56005ea0056fc0154bc3.tmp
sha1: efe32d504ce72f32e92dcf01aa2752b04d81a342
sha256: a4c86fc4836ac728d7bd96e7915090fd59521a9e74f1d06ef8e5a47c8695fd81
size: 6144
this_path: /data/cuckoo/storage/analyses/3/files/1002/_setup64.tmp
type: PE32+ executable (console) x86-64, for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 92dc6ef532fbb4a5c3201469a5b5eb63
name: _shfoldr.dll
new_size: 22KB (23312bytes)
operation: Modify file
path: C:\Users\Administrator\AppData\Local\Temp\is-420NU.tmp\_isetup\_shfoldr.dll
processid: 1800
processname: 1620250214730_a804e39f264e56005ea0056fc0154bc3.tmp
sha1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
sha256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
size: 23312
this_path: /data/cuckoo/storage/analyses/3/files/1003/_shfoldr.dll
type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

 Malicious

attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 58
process_id: 1720
process_name: 1620250214730_a804e39f264e56005ea0056fc0154bc3.exe
rulename: Set memory region to readable, writable and executable
attck_tactics: Defense Evasion
level: 2
matchedinfo: The malicious program drops a file from its resource section and runs it, in order to hide malicious code
num: 67
process_id: 1720
process_name: 1620250214730_a804e39f264e56005ea0056fc0154bc3.exe
rulename: Drop file from resource section and run it
attck_tactics: Other malicious behavior
level: 2
matchedinfo: The malicious program loads a resource from its resource section into memory and decrypts it
num: 64
process_id: 1800
process_name: 1620250214730_a804e39f264e56005ea0056fc0154bc3.tmp
rulename: Load resource into memory
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 92
process_id: 1800
process_name: 1620250214730_a804e39f264e56005ea0056fc0154bc3.tmp
rulename: Set memory region to readable, writable and executable
attck_tactics: Basic information gathering
level: 1
matchedinfo: Searches for specific target files by enumerating files
num: 521
process_id: 1800
process_name: 1620250214730_a804e39f264e56005ea0056fc0154bc3.tmp
rulename: Enumerate files
attck_tactics: Defense Evasion
level: 2
matchedinfo: Checks whether the mouse moves while the program is running; commonly used by malware for sandbox evasion
num: 1783
process_id: 1800
process_name: 1620250214730_a804e39f264e56005ea0056fc0154bc3.tmp
rulename: Get current mouse position