VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives whose password is 'infected' or 'virus'.
4. If your browser cannot upload files, please download the VirSCAN uploader and upload with it.


Basic Information

file name: 00盖世双谐
file size: 174605
file type: application/x-dosexec
MD5: e7e895122dc1842534b3d8fb71516bec
sha1: 235eeccb12221b2557096fb0f09da14ac06848ea

 CreateProcess

ApplicationName:
CmdLine:
childid: 13984
childname: 1620581409218_e7e895122dc1842534b3d8fb71516bec.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1620581409218_e7e895122dc1842534b3d8fb71516bec.exe
drop_type:
name:
noNeedLine:
path:
pid: 18632

 Summary

buffer: "C:\Users\Administrator\AppData\Roaming\Microsoft\fkdpvd.exe"
processid: 13984
szSubkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
type: REG_SZ
valuename: qdztqfnekit
buffer: 0
processid: 13984
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\1620581409218_e7e895122dc1842534b3d8fb71516bec_RASMANCS
type: REG_DWORD
valuename: EnableFileTracing
buffer: 0
processid: 13984
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\1620581409218_e7e895122dc1842534b3d8fb71516bec_RASMANCS
type: REG_DWORD
valuename: EnableConsoleTracing
buffer: 4294901760
processid: 13984
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\1620581409218_e7e895122dc1842534b3d8fb71516bec_RASMANCS
type: REG_DWORD
valuename: FileTracingMask
buffer: 4294901760
processid: 13984
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\1620581409218_e7e895122dc1842534b3d8fb71516bec_RASMANCS
type: REG_DWORD
valuename: ConsoleTracingMask
buffer: 1048576
processid: 13984
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\1620581409218_e7e895122dc1842534b3d8fb71516bec_RASMANCS
type: REG_DWORD
valuename: MaxFileSize
buffer: %windir%\tracing\x00
processid: 13984
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\1620581409218_e7e895122dc1842534b3d8fb71516bec_RASMANCS
type: REG_EXPAND_SZ
valuename: FileDirectory
buffer: 1
processid: 13984
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_DWORD
valuename: WpadDecisionReason
buffer: t\xf3\x05EE\xd7\x01
processid: 13984
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_BINARY
valuename: WpadDecisionTime
buffer: 3
processid: 13984
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_DWORD
valuename: WpadDecision
buffer: 网络 2
processid: 13984
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_SZ
valuename: WpadNetworkName
buffer: 1
processid: 13984
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
type: REG_DWORD
valuename: WpadDecisionReason
buffer: t\xf3\x05EE\xd7\x01
processid: 13984
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
type: REG_BINARY
valuename: WpadDecisionTime
buffer: 3
processid: 13984
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
type: REG_DWORD
valuename: WpadDecision
buffer: F\x00\x00\x00\x0e\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00 t\xf3\x05EE\xd7\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\xc0\xa88\xcb\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x17\x00\x00\x00\x00\x00\x00\x00\xfe\x80\x00\x00\x00\x00\x00\x00\xa5E\xe7~\xbc)\x1fn\x0b\x00\x00\x00\x00\x00\x00\x00\x1c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x17\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xc0\xa88\xcb\x00\x00\x00\x00\x00\x00\x00\x00\x17\x00\x00\x00\x00\x00\x00\x00\xfe\x80\x00\x00\x00\x00\x00\x00\xa5E\xe7~\xbc)\x1fn\x0b\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x0c+\xf7\x00\x00\xc8\xafK\x00\x80\xdaL\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
processid: 13984
szSubkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
type: REG_BINARY
valuename: DefaultConnectionSettings
buffer: {42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
processid: 13984
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
type: REG_SZ
valuename: WpadLastNetwork
buffer: 1
processid: 13984
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_DWORD
valuename: WpadDecisionReason
buffer: \x90\xac,\x06EE\xd7\x01
processid: 13984
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_BINARY
valuename: WpadDecisionTime
buffer: 0
processid: 13984
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_DWORD
valuename: WpadDecision
buffer: 网络 2
processid: 13984
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_SZ
valuename: WpadNetworkName
buffer: 1
processid: 13984
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
type: REG_DWORD
valuename: WpadDecisionReason
buffer: \x90\xac,\x06EE\xd7\x01
processid: 13984
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
type: REG_BINARY
valuename: WpadDecisionTime
buffer: 0
processid: 13984
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
type: REG_DWORD
valuename: WpadDecision

 Behavior_analysis

message: Attempts to evade sandbox detection by sleeping for a long time
name: Long sleep
szSubkey:
score: 2

 Dropped Unsafe

analysis_result: Trojan-Ransom.Win32.GandCrypt.jfg
create: 0
how: write
md5: 3514f01c0f42a7a1696a54454ffb5d8e
name: fkdpvd.exe
new_size: 170KB (174605bytes)
operation: modify file
path: C:\Users\Administrator\AppData\Roaming\Microsoft\fkdpvd.exe
processid: 13984
processname: 1620581409218_e7e895122dc1842534b3d8fb71516bec.exe
sha1: 35cf0143785ee986f645d71b323852557134a248
sha256: 531af28522bc8ced27a3768d3a60d05e7f050223e161a71ebab329caf048a9be
size: 174605
this_path: /data/cuckoo/storage/analyses/2000468/files/1000/fkdpvd.exe
type: PE32 executable (GUI) Intel 80386, for MS Windows

 Malicious

attck_tactics: Other malicious behavior
level: 1
matchedinfo: The malware changes memory protection so that it can decrypt and execute malicious code in memory
num: 9553
process_id: 13984
process_name: 1620581409218_e7e895122dc1842534b3d8fb71516bec.exe
rulename: Set memory region to readable, writable and executable (RWX)
attck_tactics: Basic information gathering
level: 1
matchedinfo: The malware collects computer configuration information for profiling
num: 9559
process_id: 13984
process_name: 1620581409218_e7e895122dc1842534b3d8fb71516bec.exe
rulename: System configuration information collection
attck_tactics: Basic information gathering
level: 1
matchedinfo: The malware obtains the user's disk information in order to gather sensitive information
num: 9732
process_id: 13984
process_name: 1620581409218_e7e895122dc1842534b3d8fb71516bec.exe
rulename: Collect disk information
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Generally used for file encryption or encrypted data transfer; may be used by ransomware
num: 11844
process_id: 13984
process_name: 1620581409218_e7e895122dc1842534b3d8fb71516bec.exe
rulename: Call cryptographic algorithm library
attck_tactics: Persistence
level: 2
matchedinfo: The malware modifies the registry so that it starts automatically with the system, in order to keep long-term control of, or residence on, the system
num: 16962
process_id: 13984
process_name: 1620581409218_e7e895122dc1842534b3d8fb71516bec.exe
rulename: Write autostart registry key, add autostart entry 2
attck_tactics: Basic information gathering
level: 1
matchedinfo: Enumerating the processes on the system can be used to evade specific antivirus products, virtual machines and the like
num: 16965
process_id: 13984
process_name: 1620581409218_e7e895122dc1842534b3d8fb71516bec.exe
rulename: Enumerate processes on the system
attck_tactics: Basic information gathering
level: 1
matchedinfo: The malware calls key APIs to obtain the system user name, in order to collect user information
num: 17056
process_id: 13984
process_name: 1620581409218_e7e895122dc1842534b3d8fb71516bec.exe
rulename: Get current user name
attck_tactics: Other malicious behavior
level: 1
matchedinfo: The malware creates a network connection in order to communicate over the network
num: 17185
process_id: 13984
process_name: 1620581409218_e7e895122dc1842534b3d8fb71516bec.exe
rulename: Create network socket connection
attck_tactics: Persistence
level: 1
matchedinfo: The malware opens the Service Control Manager in order to control services
num: 17342
process_id: 13984
process_name: 1620581409218_e7e895122dc1842534b3d8fb71516bec.exe
rulename: Open Service Control Manager
attck_tactics: Execution
level: 2
matchedinfo: The malware opens a thread handle in order to manipulate other threads
num: 17355
process_id: 13984
process_name: 1620581409218_e7e895122dc1842534b3d8fb71516bec.exe
rulename: Open other threads
attck_tactics: Basic information gathering
level: 1
matchedinfo: The malware obtains the user's network adapter information in order to gather sensitive information
num: 17561
process_id: 13984
process_name: 1620581409218_e7e895122dc1842534b3d8fb71516bec.exe
rulename: Collect network adapter information
attck_tactics: Basic information gathering
level: 1
matchedinfo: Searches for specific target files by enumerating the file system
num: 17624
process_id: 13984
process_name: 1620581409218_e7e895122dc1842534b3d8fb71516bec.exe
rulename: Enumerate files
attck_tactics: Command and control
level: 1
matchedinfo: The malware uses InternetReadFile to read a remote file, in order to retrieve malicious data, commands or files
num: 17676
process_id: 13984
process_name: 1620581409218_e7e895122dc1842534b3d8fb71516bec.exe
rulename: Read file from remote server
attck_tactics: Other malicious behavior
level: 1
matchedinfo: When the runtime environment does not meet its conditions (e.g. antivirus software is detected), the program exits on its own to evade detection. The malicious behavior may not have been fully triggered
num: 17721
process_id: 13984
process_name: 1620581409218_e7e895122dc1842534b3d8fb71516bec.exe
rulename: Terminate own process
attck_tactics: Defense evasion
level: 2
matchedinfo: Checks whether the mouse moves while the program runs. Commonly used by malware for sandbox evasion
num: 17721
process_id: 13984
process_name: 1620581409218_e7e895122dc1842534b3d8fb71516bec.exe
rulename: Get current mouse position
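The Summary section above is a flat stream of registry writes, and the one that matters for response is the HKCU RunOnce value pointing at the dropped fkdpvd.exe (the same file listed under Dropped Unsafe and flagged by the persistence rule). The script below is an added example, not code from VirSCAN or its sandbox: it parses that flattened "buffer / processid / szSubkey / type / valuename" record format, separates the autostart write from the Tracing\*_RASMANCS and Internet Settings\Wpad keys (which Windows networking components write as a side effect of the process using RAS/WinINet and WinHTTP autoproxy, so they are evidence of network activity rather than attacker-chosen values), and ties the persistence target back to the dropped-file hash. The sample input is a constructed subset of the records on this page; the severity heuristics and the category names are this editor's, not the sandbox's rule set.

```python
"""Triage of the flattened registry-write records ("buffer / processid /
szSubkey / type / valuename" groups) that a VirSCAN/Cuckoo-style report lists.
Added example, not VirSCAN code.  SAMPLE is a constructed subset of the
records on the page; the classification rules are the editor's heuristics."""
import re

# Constructed input: three records copied from the report's Summary section.
SAMPLE = r"""
buffer: "C:\Users\Administrator\AppData\Roaming\Microsoft\fkdpvd.exe"
processid: 13984
szSubkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
type: REG_SZ
valuename: qdztqfnekit
buffer: 0
processid: 13984
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\1620581409218_e7e895122dc1842534b3d8fb71516bec_RASMANCS
type: REG_DWORD
valuename: EnableFileTracing
buffer: 1
processid: 13984
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_DWORD
valuename: WpadDecisionReason
"""

# Dropped-file record from the report, keyed by path, so the autostart
# target can be tied back to the file the sample itself wrote.
DROPPED_FILES = {
    r"C:\Users\Administrator\AppData\Roaming\Microsoft\fkdpvd.exe":
        "3514f01c0f42a7a1696a54454ffb5d8e",
}

# Classic autostart locations (Run/RunOnce family) in either hive.
AUTORUN_KEY = re.compile(
    r"\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)$", re.I)
# Directories a non-admin user can write to; a persisted binary living here
# is a stronger signal than one under Program Files or System32.
USER_WRITABLE_DIR = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
# Keys written by Windows networking components (RAS/WinINet tracing and
# WinHTTP autoproxy/WPAD) as a side effect of the process going online.
NETWORK_SIDE_EFFECT = re.compile(
    r"\\Tracing\\[^\\]+_RASMANCS$|\\Internet Settings\\Wpad", re.I)


def parse_records(text):
    """Split the flattened 'key: value' stream into one dict per record.
    Each record starts at a 'buffer:' line, as in the report."""
    records, cur = [], {}
    for line in text.splitlines():
        m = re.match(r"(\w+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "buffer" and cur:
            records.append(cur)
            cur = {}
        cur[key] = value
    if cur:
        records.append(cur)
    return records


def classify(rec):
    """Return (category, severity) for one registry-write record."""
    subkey = rec.get("szSubkey", "")
    value = rec.get("buffer", "").strip('"')
    if AUTORUN_KEY.search(subkey):
        # HKCU\...\RunOnce needs no admin rights and fires at that user's next
        # logon; a target under AppData/Temp is the usual dropper pattern.
        return ("persistence", "high" if USER_WRITABLE_DIR.search(value) else "medium")
    if NETWORK_SIDE_EFFECT.search(subkey):
        return ("network-api-side-effect", "info")
    return ("other", "low")


def triage(text):
    """Classify every record; attach the dropped-file hash when the autostart
    target is a file the sample wrote during the run."""
    findings = []
    for rec in parse_records(text):
        category, severity = classify(rec)
        target = rec.get("buffer", "").strip('"')
        findings.append({
            "valuename": rec.get("valuename", ""),
            "subkey": rec.get("szSubkey", ""),
            "target": target,
            "category": category,
            "severity": severity,
            "dropped_md5": DROPPED_FILES.get(target),
        })
    return findings


def persistence_targets(text):
    """Paths the sample registered to run again: the host IOCs to hunt for."""
    return [fd["target"] for fd in triage(text) if fd["category"] == "persistence"]


if __name__ == "__main__":
    for fd in triage(SAMPLE):
        line = f"[{fd['severity']:6}] {fd['category']:24} {fd['subkey']}\\{fd['valuename']}"
        if fd["dropped_md5"]:
            line += f" -> {fd['target']} (md5 {fd['dropped_md5']})"
        print(line)
```

Run against the full Summary section, the script reduces thirty-odd writes to one actionable finding: the RunOnce value qdztqfnekit launching the dropped file at the next logon, which is the artifact (value name, path, MD5 3514f01c0f42a7a1696a54454ffb5d8e) to sweep other hosts for.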