VirSCAN

1, You can UPLOAD any files, but there is a 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.
4, If your browser cannot upload files, please download VirSCAN uploader to upload.

Basic Information

file name: 00星球大战
file size: 32768
file type: application/x-dosexec
MD5: 664723d226784e7d51656769bb793dc9
sha1: 856239b4feb7e551519a497b2d411507d9fe9268

 CreateProcess

ApplicationName:
CmdLine: regedit.exe /s C:\Users\ADMINI~1\AppData\Local\Temp\~dfds3.reg
childid: 1656
childname: regedit.exe
childpath: C:\Windows\SysWOW64\regedit.exe
drop_type:
name: 1620820818139_664723d226784e7d51656769bb793dc9.exe
noNeedLine: 1
path: C:\Users\Administrator\AppData\Local\Temp\1620820818139_664723d226784e7d51656769bb793dc9.exe
pid: 2876
ApplicationName:
CmdLine: a.bat
childid: 1384
childname: cmd.exe
childpath: C:\Windows\SysWOW64\cmd.exe
drop_type:
name: 1620820818139_664723d226784e7d51656769bb793dc9.exe
noNeedLine: 1
path: C:\Users\Administrator\AppData\Local\Temp\1620820818139_664723d226784e7d51656769bb793dc9.exe
pid: 2876
ApplicationName:
CmdLine:
childid: 2876
childname: 1620820818139_664723d226784e7d51656769bb793dc9.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1620820818139_664723d226784e7d51656769bb793dc9.exe
drop_type:
name:
noNeedLine:
path:
pid: 2764

 Summary

buffer: C:\Users\Administrator\AppData\Local\wcncsvc.exe
processid: 1656
szSubkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
type: REG_SZ
valuename: wcncsvc

 Dropped_Save

analysis_result: Safe
create: 0
how: del
md5: d41d8cd98f00b204e9800998ecf8427e
name: ~dfds3.reg
new_size: 0 bytes
operation: File dropped, then deleted
path: C:\Users\Administrator\AppData\Local\Temp\~dfds3.reg
processid: 2876
processname: 1620820818139_664723d226784e7d51656769bb793dc9.exe
sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
size: 0
this_path: /data/cuckoo/storage/analyses/1000831/files/4564114557/~dfds3.reg
type: empty
analysis_result: Safe
create: 0
how: del
md5: ad97ab7112b81194a071c7d85a9b9876
name: a.bat
new_size: 1024 bytes
operation: File dropped, then deleted
path: C:\Users\Administrator\AppData\Local\Temp\a.bat
processid: 1384
processname: cmd.exe
sha1: aae8cd2f8c1233ef72c257ff1211950682aafbb6
sha256: 2b3014fab664665f4b0c3c24f392a50890d9136d7b8f9854a1b82464a8e6de1a
size: 1024
this_path: /data/cuckoo/storage/analyses/1000831/files/5249515586/a.bat
type: ASCII text, with CRLF line terminators

 Dropped Unsave

analysis_result: HEUR:Trojan.Win32.Miancha.gen
create: 0
how: del
md5: 664723d226784e7d51656769bb793dc9
name: wcncsvc.exe
new_size: 32KB (32768 bytes)
operation: File dropped, then deleted
path: C:\Users\Administrator\AppData\Local\wcncsvc.exe
processid: 1384
processname: cmd.exe
sha1: 856239b4feb7e551519a497b2d411507d9fe9268
sha256: e858b5d1f75b097742c7f723098fb47830f22ff752558c36e57cc97a246b37d0
size: 32768
this_path: /data/cuckoo/storage/analyses/1000831/files/1965160230/wcncsvc.exe
type: PE32 executable (GUI) Intel 80386, for MS Windows
analysis_result: HEUR:Trojan.Win32.Miancha.gen
create: 0
how: move
md5: a424ac54f455abe438f9d5cd814d52bd
name: wcncsvc.exe
new_size: 32KB (32768 bytes)
operation: File copied over an existing file (overwrite)
path: C:\Users\Administrator\AppData\Local\wcncsvc.exe
processid: 1384
processname: cmd.exe
sha1: 9d3995d408fe4cf8e344d7b75525d9ee7a8ab5c9
sha256: 44f775e23f88d0c9eeaa7ce5025a5ba4716e5f2c8a4c92cc4180c8c453d28cfb
size: 32768
this_path: /data/cuckoo/storage/analyses/1000831/files/1000/wcncsvc.exe
type: PE32 executable (GUI) Intel 80386, for MS Windows

 Malicious

attck_tactics: Other malicious behavior
level: 1
matchedinfo: The malware modifies memory protection attributes so that it can decrypt and execute malicious code in memory
num: 1
process_id: 2876
process_name: 1620820818139_664723d226784e7d51656769bb793dc9.exe
rulename: Changes a memory region to readable, writable and executable
attck_tactics: Defense evasion
level: 2
matchedinfo: The malware drops a file from its resource section and runs it, in order to hide the malicious code
num: 5
process_id: 2876
process_name: 1620820818139_664723d226784e7d51656769bb793dc9.exe
rulename: Drops a file from the resource section and runs it
attck_tactics: Persistence
level: 1
matchedinfo: The malware opens the Service Control Manager in order to control services
num: 12
process_id: 2876
process_name: 1620820818139_664723d226784e7d51656769bb793dc9.exe
rulename: Opens the Service Control Manager
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Generally used for file encryption or encrypted data transfer; may also be used by ransomware
num: 15
process_id: 2876
process_name: 1620820818139_664723d226784e7d51656769bb793dc9.exe
rulename: Calls a cryptographic library
attck_tactics: Basic information gathering
level: 1
matchedinfo: Enumerates files to locate specified target files
num: 21
process_id: 2876
process_name: 1620820818139_664723d226784e7d51656769bb793dc9.exe
rulename: Enumerates files
attck_tactics: Other malicious behavior
level: 4
matchedinfo: The malware uses a batch script to perform sensitive operations, such as deleting files or creating scheduled tasks
num: 226
process_id: 2876
process_name: 1620820818139_664723d226784e7d51656769bb793dc9.exe
rulename: Performs sensitive operations via batch script
attck_tactics: Defense evasion
level: 3
matchedinfo: The malware uses a batch script to delete legitimate files, itself, or files it dropped, in order to damage legitimate files or hide the malicious files
num: 226
process_id: 2876
process_name: 1620820818139_664723d226784e7d51656769bb793dc9.exe
rulename: Deletes files (via batch script)
attck_tactics: Basic information gathering
level: 1
matchedinfo: Enumerates files to locate specified target files
num: 8
process_id: 1656
process_name: regedit.exe
rulename: Enumerates files
attck_tactics: Persistence
level: 2
matchedinfo: The malware modifies the registry so that it starts automatically with the system, in order to maintain long-term control of or residence on the system
num: 38
process_id: 1656
process_name: regedit.exe
rulename: Writes an autostart registry entry, adding autostart 2
attck_tactics: Execution
level: 2
matchedinfo: The malware opens a thread in order to manipulate other threads
num: 2
process_id: 1384
process_name: cmd.exe
rulename: Opens another thread
attck_tactics: Basic information gathering
level: 1
matchedinfo: Enumerates files to locate specified target files
num: 26
process_id: 1384
process_name: cmd.exe
rulename: Enumerates files