VirSCAN

1, You can upload any file, but the file size must not exceed 20 MB.
2, We support automatic extraction of RAR or ZIP archives, but the archive must not contain more than 20 files.
3, We can recognize and scan archives whose password is 'infected' or 'virus'.
4, If your browser cannot upload the file, please download the Virscan Uploader and upload with it.


Basic Information

File name: 00大头儿子小头爸爸
File size: 420712
File type: application/x-dosexec
MD5: 8986502bb325212c90ec9dccdc6c97c7
sha1: e5adff097d28aa50d742eca180d74a6a4339bf90

 CreateProcess

ApplicationName: C:\ProgramData\avwody.exe
CmdLine:
childid: 2536
childname: avwody.exe
childpath: C:\ProgramData\avwody.exe
drop_type: 1
name: 1621089025604_8986502bb325212c90ec9dccdc6c97c7.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1621089025604_8986502bb325212c90ec9dccdc6c97c7.exe
pid: 904
ApplicationName:
CmdLine:
childid: 904
childname: 1621089025604_8986502bb325212c90ec9dccdc6c97c7.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1621089025604_8986502bb325212c90ec9dccdc6c97c7.exe
drop_type:
name:
noNeedLine:
path:
pid: 2452

 Summary

buffer: C:\ProgramData\avwody.exe
processid: 2536
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
type: REG_SZ
valuename: Microsoft® Windows® Operating System

 Dropped_Safe

analysis_result: Safe
create: 0
how: write
md5: a52d6cb53c4c31e9f5ad53a356adf9dd
name: Mira.h
new_size: 150KB (153811bytes)
operation: File modified
path: C:\ProgramData\Saaaalamm\Mira.h
processid: 904
processname: 1621089025604_8986502bb325212c90ec9dccdc6c97c7.exe
sha1: 4e9b2d208dc3c3a6e23decb0a7d7381c73f7b101
sha256: f6bc441488529eadccfef115d11fa10c5cb8cb125b6c08c52a2bbc144bd4f7d8
size: 153811
this_path: /data/cuckoo/storage/analyses/2000483/files/1001/Mira.h
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 58e5638483127bf764b3b52279b2bba9
name: $Recycle.Bin .exe
new_size: 410KB (420714bytes)
operation: File modified
path: C:\$Recycle.Bin .exe
processid: 2536
processname: avwody.exe
sha1: a28d6b9c0db8b2e31d0a9a7f1ec16a223f04b2c6
sha256: 67eeb1c92d39f9330b5b19ac7d3b3e803fc5cba3e81cb2bc700255c0731e1d5f
size: 420714
this_path: /data/cuckoo/storage/analyses/2000483/files/1002/$Recycle.Bin .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: a416fc6926b24a06424158665db01eb1
name: Documents and Settings .exe
new_size: 410KB (420714bytes)
operation: File modified
path: C:\Documents and Settings .exe
processid: 2536
processname: avwody.exe
sha1: 4377df4bd8a9866e7dcd76c94c88a11bdeecb711
sha256: e0936018b14b3882e6c6c5a43d18f9c2ec1b72560c07d7a1fd69e9c1c6cf6531
size: 420714
this_path: /data/cuckoo/storage/analyses/2000483/files/1003/Documents and Settings .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: a88c27c1e4a2142d4dec87c085a9d350
name: FIEOHZSIXGU .exe
new_size: 410KB (420714bytes)
operation: File modified
path: C:\FIEOHZSIXGU .exe
processid: 2536
processname: avwody.exe
sha1: 028607237b17f4c95a1e256567e2fc7d7c603e25
sha256: 687699985a050fe1d51a5e06979bf80677e41a590baef3afc21e541f2300ab38
size: 420714
this_path: /data/cuckoo/storage/analyses/2000483/files/1004/FIEOHZSIXGU .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 9e6103bff0b1d96171ac42295a9b63af
name: fZpQVxOy .exe
new_size: 410KB (420714bytes)
operation: File modified
path: C:\fZpQVxOy .exe
processid: 2536
processname: avwody.exe
sha1: e2c14132b9d40f6cc1d747d8821bae64fdd13dba
sha256: e73dbdf733907b64f47f245f5c52f0217d300dde7043dd2bd7058763663fe301
size: 420714
this_path: /data/cuckoo/storage/analyses/2000483/files/1005/fZpQVxOy .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 2911b19c5940e98bb0e50c1d8b799ca1
name: mnlsx .exe
new_size: 410KB (420714bytes)
operation: File modified
path: C:\mnlsx .exe
processid: 2536
processname: avwody.exe
sha1: e9807d0a8730cf45a86089bba2058043e775bfda
sha256: f8efdc3a74a7da3f60e2c0becf34044a4abd31761c47a1a2b67e7bcd19142871
size: 420714
this_path: /data/cuckoo/storage/analyses/2000483/files/1006/mnlsx .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 44ea273a7c775c83dd66e3108fb7a96c
name: MSOCache .exe
new_size: 410KB (420714bytes)
operation: File modified
path: C:\MSOCache .exe
processid: 2536
processname: avwody.exe
sha1: b0e27324d12da5654aa51aa49485505236c89e13
sha256: 62a41cb432b5892120b72f8d89ab461fc33683aa8b611fba73c2d0f12d51ca6f
size: 420714
this_path: /data/cuckoo/storage/analyses/2000483/files/1007/MSOCache .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 08582c0227563282b7a11d2e63fd1a49
name: pagefile.sys .exe
new_size: 410KB (420714bytes)
operation: File modified
path: C:\pagefile.sys .exe
processid: 2536
processname: avwody.exe
sha1: 50a138cff3576cbc441ec2e30a4a5fd815068131
sha256: f2f2b4df4d45536ff3199dfeacf805964211813a22c9cc9d46180d184c0d8410
size: 420714
this_path: /data/cuckoo/storage/analyses/2000483/files/1008/pagefile.sys .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: dd4dbe2fbbd4889cc94d973521514650
name: PerfLogs .exe
new_size: 410KB (420714bytes)
operation: File modified
path: C:\PerfLogs .exe
processid: 2536
processname: avwody.exe
sha1: 43a7bf7ee2ab24ea238a4a4ab6340a953d8e839f
sha256: a89fd281052f85b6f821fb807b2d2d56517bae1f9ec66aac0835c76fa34a6834
size: 420714
this_path: /data/cuckoo/storage/analyses/2000483/files/1009/PerfLogs .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: f14a5107577d96fa033cfb995e29589d
name: Program Files .exe
new_size: 410KB (420714bytes)
operation: File modified
path: C:\Program Files .exe
processid: 2536
processname: avwody.exe
sha1: f920277fb47edc7c731d2217033ad9aeb04a6fea
sha256: 8d25405f2357046394acee305e9fa88ec7262743a4d6424631ef45ee3ae37d16
size: 420714
this_path: /data/cuckoo/storage/analyses/2000483/files/1010/Program Files .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 58764cfc12bf05fcff167f354757c3e9
name: Program Files (x86) .exe
new_size: 410KB (420714bytes)
operation: File modified
path: C:\Program Files (x86) .exe
processid: 2536
processname: avwody.exe
sha1: b86fd554734139417c58c8b6556c833f51dc9559
sha256: 56ea29787f10bb6b1e54b807d35368587ae0c70f5b1fab344a2cdac76ed9c437
size: 420714
this_path: /data/cuckoo/storage/analyses/2000483/files/1011/Program Files (x86) .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 8f9715b7347ddc44dc8fae9f3443f250
name: ProgramData .exe
new_size: 410KB (420714bytes)
operation: File modified
path: C:\ProgramData .exe
processid: 2536
processname: avwody.exe
sha1: 7f7808e618750ceb2de51a5bebd109b8deaab448
sha256: 6aa9b5178adf1b66c6afb3569f34d991223128420393c895d85e59916024db7e
size: 420714
this_path: /data/cuckoo/storage/analyses/2000483/files/1012/ProgramData .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: cecec356749f59e277b64cc20ab74ed4
name: Python27 .exe
new_size: 410KB (420714bytes)
operation: File modified
path: C:\Python27 .exe
processid: 2536
processname: avwody.exe
sha1: c4782b01f57ac4beaa1051191266c4932ff4fae8
sha256: e7103ef6689477cc97a35043be9d1d243603c10c90fec54eaf77a00420b605db
size: 420714
this_path: /data/cuckoo/storage/analyses/2000483/files/1013/Python27 .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: bbc69bda9542ed5d7f06892a260c626e
name: Recovery .exe
new_size: 410KB (420714bytes)
operation: File modified
path: C:\Recovery .exe
processid: 2536
processname: avwody.exe
sha1: d2dfbdf84b72d4fca3211a48a4d64517258a0626
sha256: f2e884a1ea17b8d7d7d251a2d4cc5246efa0fa53c265cb604fc503b0f6facdb1
size: 420714
this_path: /data/cuckoo/storage/analyses/2000483/files/1014/Recovery .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: dc93a1287ba4fbf922038db8b99dbdf8
name: System Volume Information .exe
new_size: 410KB (420714bytes)
operation: File modified
path: C:\System Volume Information .exe
processid: 2536
processname: avwody.exe
sha1: f714a4e642ac448e56e7a982a8bd134373258921
sha256: d977eab5f2ce3462892f258a9a45493c3a2115633fa00aaab5999ad362c1ebe7
size: 420714
this_path: /data/cuckoo/storage/analyses/2000483/files/1015/System Volume Information .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 9b26b23891ad5f76bd6c4517a8f4c9bf
name: Users .exe
new_size: 410KB (420714bytes)
operation: File modified
path: C:\Users .exe
processid: 2536
processname: avwody.exe
sha1: 920aaa6bc00fee2b6aabc4dd4d39c957648b2aa6
sha256: d76db2a6d23503eacb92e1ce712515c3d008c78b0653f91bb142de292414569a
size: 420714
this_path: /data/cuckoo/storage/analyses/2000483/files/1016/Users .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
analysis_result: Safe
create: 0
how: write
md5: 845ad08943c0ca26c4481fd6f223790d
name: Windows .exe
new_size: 141KB (144613bytes)
operation: File modified
path: C:\Windows .exe
processid: 2536
processname: avwody.exe
sha1: 655c30733bbae04b24b75dae65fda33006a6fe6f
sha256: fdea389ada55a94bf50dc57266eb6768c8fc3a922a08172c3516ec56b22fd5b3
size: 144613
this_path: /data/cuckoo/storage/analyses/2000483/files/1017/Windows .exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

 Dropped Unsafe

analysis_result: Trojan.Win32.Agent.nezvfi
create: 0
how: write
md5: 195c964e3468433f06aa48abf4e3b7b5
name: avwody.exe
new_size: 260KB (266891bytes)
operation: File modified
path: C:\ProgramData\avwody.exe
processid: 904
processname: 1621089025604_8986502bb325212c90ec9dccdc6c97c7.exe
sha1: f9f94283344e5eddfc4c65763c67aa6f14ee86ff
sha256: fa04ff74fa1aee5ef199a1f63832edf9b4f1c7843d4a86ce9daf9efc187693db
size: 266891
this_path: /data/cuckoo/storage/analyses/2000483/files/1000/avwody.exe
type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

 Malicious

attck_tactics: Other malicious behavior
level: 1
matchedinfo: The malware changes memory protection attributes in order to decrypt and execute malicious code in memory
num: 3
process_id: 904
process_name: 1621089025604_8986502bb325212c90ec9dccdc6c97c7.exe
rulename: Change memory region to readable, writable and executable
attck_tactics: Basic information gathering
level: 1
matchedinfo: Searches for specified target files by enumerating files
num: 30
process_id: 904
process_name: 1621089025604_8986502bb325212c90ec9dccdc6c97c7.exe
rulename: Enumerate files
attck_tactics: Defense evasion
level: 2
matchedinfo: Modifies the "show hidden files" setting in order to hide files
num: 180
process_id: 904
process_name: 1621089025604_8986502bb325212c90ec9dccdc6c97c7.exe
rulename: Query hidden-file display setting
attck_tactics: Persistence
level: 2
matchedinfo: The malicious program modifies the registry so that it starts automatically with the system, in order to maintain long-term control of or residence on the system
num: 8
process_id: 2536
process_name: avwody.exe
rulename: Write autorun registry key, add autorun entry 2
attck_tactics: Basic information gathering
level: 1
matchedinfo: Searches for specified target files by enumerating files
num: 18
process_id: 2536
process_name: avwody.exe
rulename: Enumerate files