VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.
4, If your browser cannot upload files, please download VirSCAN uploader to upload.

Basic Information

file name: 00无忧无虑
file size: 40992
file type: application/x-dosexec
MD5: 8ae678b9a09b3dea9e48296a778a2f84
sha1: 9f2f68f01a5853018136a71df767ef60613360ea

CreateProcess

ApplicationName: C:\Users\Administrator\AppData\Local\Temp\kdwco.exe
CmdLine: "C:\Users\ADMINI~1\AppData\Local\Temp\kdwco.exe"
childid: 1908
childname: kdwco.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\kdwco.exe
drop_type: 1
name: 1618675250083_8ae678b9a09b3dea9e48296a778a2f84.exe
noNeedLine: 1
path: C:\Users\Administrator\AppData\Local\Temp\1618675250083_8ae678b9a09b3dea9e48296a778a2f84.exe
pid: 2932
ApplicationName:
CmdLine:
childid: 2932
childname: 1618675250083_8ae678b9a09b3dea9e48296a778a2f84.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1618675250083_8ae678b9a09b3dea9e48296a778a2f84.exe
drop_type:
name:
noNeedLine:
path:
pid: 2460

Summary

buffer: 0
processid: 1908
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\kdwco_RASMANCS
type: REG_DWORD
valuename: EnableFileTracing
buffer: 0
processid: 1908
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\kdwco_RASMANCS
type: REG_DWORD
valuename: EnableConsoleTracing
buffer: 4294901760
processid: 1908
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\kdwco_RASMANCS
type: REG_DWORD
valuename: FileTracingMask
buffer: 4294901760
processid: 1908
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\kdwco_RASMANCS
type: REG_DWORD
valuename: ConsoleTracingMask
buffer: 1048576
processid: 1908
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\kdwco_RASMANCS
type: REG_DWORD
valuename: MaxFileSize
buffer: %windir%\tracing\x00
processid: 1908
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\kdwco_RASMANCS
type: REG_EXPAND_SZ
valuename: FileDirectory
buffer: 1
processid: 1908
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_DWORD
valuename: WpadDecisionReason
buffer: @\xd4m9\xe73\xd7\x01
processid: 1908
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_BINARY
valuename: WpadDecisionTime
buffer: 3
processid: 1908
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_DWORD
valuename: WpadDecision
buffer: 网络 2
processid: 1908
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_SZ
valuename: WpadNetworkName
buffer: 1
processid: 1908
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
type: REG_DWORD
valuename: WpadDecisionReason
buffer: @\xd4m9\xe73\xd7\x01
processid: 1908
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
type: REG_BINARY
valuename: WpadDecisionTime
buffer: 3
processid: 1908
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
type: REG_DWORD
valuename: WpadDecision
buffer: F\x00\x00\x00\x0e\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00@\xd4m9\xe73\xd7\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\xc0\xa88\xcd\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00s\x005\x004\x005\x006\x005\x004\x000\x006\x006\x00\x00\x00\x00\x005\x00 \x00\x00\x00\x1c\x00\xc0\x00\x00\x00\x00\x00\x00F\x00\x00\x00\x00\x13\x00\x00\x13u\xe0\x00\x00\x00\xafR\x00PsR\x00\x8c\xa3\x00\x80_H\xa1\x92\x17\x00\x00\x00\x00\x00\x00\x00\xfe\x80\x00\x00\x00\x00\x00\x00\xa5P\x0f\xe4\x95\xb1\xe0\xe0\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
processid: 1908
szSubkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
type: REG_BINARY
valuename: DefaultConnectionSettings
buffer: {42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
processid: 1908
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
type: REG_SZ
valuename: WpadLastNetwork

Behavior_analysis

message: Attempts to evade sandbox detection by sleeping for a long time
name: Long sleep
szSubkey:
score: 2

Dropped Unsave

analysis_result: HEUR:Trojan.Win32.Generic
create: 0
how: write
md5: 34ceb323c978361abfcbba68b324d7ad
name: kdwco.exe
new_size: 40KB (41178 bytes)
operation: Modify file
path: C:\Users\Administrator\AppData\Local\Temp\kdwco.exe
processid: 2932
processname: 1618675250083_8ae678b9a09b3dea9e48296a778a2f84.exe
sha1: 98b6e375418b3b896a083cf497bc462ed917061b
sha256: 76ad4ff8aa09cb5bc93999323c20cb81a9a20febddb5999e1d28d678abe9489a
size: 41178
this_path: /data/cuckoo/storage/analyses/4000025/files/1000/kdwco.exe
type: PE32 executable (GUI) Intel 80386, for MS Windows

Malicious

attck_tactics: Defense Evasion
level: 2
matchedinfo: The malicious program drops a file from its resource section and runs it, in order to hide malicious code
num: 130
process_id: 2932
process_name: 1618675250083_8ae678b9a09b3dea9e48296a778a2f84.exe
rulename: Drop file from resource section and run it
attck_tactics: Other malicious behavior
level: 2
matchedinfo: The malicious program loads a resource from its resource section into memory and decrypts it
num: 130
process_id: 2932
process_name: 1618675250083_8ae678b9a09b3dea9e48296a778a2f84.exe
rulename: Load resource into memory
attck_tactics: Other malicious behavior
level: 1
matchedinfo: The malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 141
process_id: 2932
process_name: 1618675250083_8ae678b9a09b3dea9e48296a778a2f84.exe
rulename: Change memory region to readable, writable and executable
attck_tactics: Defense Evasion
level: 2
matchedinfo: The malicious program creates a hidden process that runs quietly in the background
num: 226
process_id: 2932
process_name: 1618675250083_8ae678b9a09b3dea9e48296a778a2f84.exe
rulename: Create hidden child process
attck_tactics: Other malicious behavior
level: 2
matchedinfo: The malicious program loads a resource from its resource section into memory and decrypts it
num: 130
process_id: 1908
process_name: kdwco.exe
rulename: Load resource into memory
attck_tactics: Other malicious behavior
level: 1
matchedinfo: The malware modifies memory protection attributes in order to decrypt and execute malicious code in memory
num: 141
process_id: 1908
process_name: kdwco.exe
rulename: Change memory region to readable, writable and executable
attck_tactics: Other malicious behavior
level: 1
matchedinfo: The malicious program creates a network connection in order to communicate over the network
num: 779
process_id: 1908
process_name: kdwco.exe
rulename: Create network socket connection
attck_tactics: Persistence
level: 1
matchedinfo: The malicious program opens the Service Control Manager in order to control services
num: 935
process_id: 1908
process_name: kdwco.exe
rulename: Open Service Control Manager
attck_tactics: Execution
level: 2
matchedinfo: The malicious program opens a thread in order to manipulate other threads
num: 948
process_id: 1908
process_name: kdwco.exe
rulename: Open other threads
attck_tactics: Basic information collection
level: 1
matchedinfo: The malicious program retrieves the user's network adapter information in order to obtain sensitive information
num: 1157
process_id: 1908
process_name: kdwco.exe
rulename: Collect computer network adapter information
attck_tactics: Basic information collection
level: 1
matchedinfo: Searches for specified target files by enumerating files
num: 1221
process_id: 1908
process_name: kdwco.exe
rulename: Enumerate files