VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, VirSCAN can scan password-protected archives whose password is 'infected' or 'virus'.
4, If your browser cannot upload files, please download VirSCAN uploader to upload.

Basic Information

file name: Settings32.exe
file size: 1002496
file type: application/x-dosexec
MD5: 20409097f54824845cc578008ad9147f
sha1: 230eb9649e1f88e322511644982cf992bd48ba00

CreateProcess

ApplicationName:
CmdLine: "C:\Users\ADMINI~1\AppData\Local\Temp\temp.cmd"
childid: 4012
childname: cmd.exe
childpath: C:\Windows\SysWOW64\cmd.exe
drop_type:
name: 1620612012768_20409097f54824845cc578008ad9147f.exe
noNeedLine: 1
path: C:\Users\Administrator\AppData\Local\Temp\1620612012768_20409097f54824845cc578008ad9147f.exe
pid: 3912
ApplicationName: C:\Windows\System32\taskkill.exe
CmdLine: TASKKILL /F /IM "1620612012768_20409097f54824845cc578008ad9147f.exe"
childid: 3044
childname: taskkill.exe
childpath: C:\Windows\SysWOW64\taskkill.exe
drop_type:
name: cmd.exe
noNeedLine: 1
path: C:\Windows\SysWOW64\cmd.exe
pid: 4012
ApplicationName: C:\Windows\System32\timeout.exe
CmdLine: TIMEOUT 1
childid: 1740
childname: timeout.exe
childpath: C:\Windows\SysWOW64\timeout.exe
drop_type:
name: cmd.exe
noNeedLine:
path: C:\Windows\SysWOW64\cmd.exe
pid: 4012
ApplicationName: C:\Windows\System32\timeout.exe
CmdLine: TIMEOUT 1
childid: 3108
childname: timeout.exe
childpath: C:\Windows\SysWOW64\timeout.exe
drop_type:
name: cmd.exe
noNeedLine:
path: C:\Windows\SysWOW64\cmd.exe
pid: 4012
ApplicationName: C:\Users\Administrator\AppData\Local\Temp\Settings32.exe
CmdLine: "C:\Users\Administrator\AppData\Local\Temp\Settings32.exe"
childid: 1092
childname: Settings32.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\Settings32.exe
drop_type: 2
name: cmd.exe
noNeedLine:
path: C:\Windows\SysWOW64\cmd.exe
pid: 4012
ApplicationName:
CmdLine:
childid: 3912
childname: 1620612012768_20409097f54824845cc578008ad9147f.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1620612012768_20409097f54824845cc578008ad9147f.exe
drop_type:
name:
noNeedLine:
path:
pid: 3256

Summary

buffer: 0
processid: 3912
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
type: REG_DWORD
valuename: UNCAsIntranet
buffer: 1
processid: 3912
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
type: REG_DWORD
valuename: AutoDetect
buffer: 0
processid: 3912
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
type: REG_DWORD
valuename: UNCAsIntranet
buffer: 1
processid: 3912
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
type: REG_DWORD
valuename: AutoDetect

Behavior_analysis

message: Attempts to evade sandbox detection by sleeping for a long time
name: Long sleep
szSubkey:
score: 2

Dropped_Save

analysis_result: Safe
create: 0
how: del
md5: 9e1ae315e43aff9e620a9bfabafd62d9
name: temp.cmd
new_size: 341bytes
operation: File dropped, then deleted
path: C:\Users\Administrator\AppData\Local\Temp\temp.cmd
processid: 4012
processname: cmd.exe
sha1: a26d95e126c0dd51aa53188d866a1a74d9fb40fa
sha256: bc81c919ff0f3290797d55e528cda00c962d032269a7494b3cb066e07ec86b07
size: 341
this_path: /data/cuckoo/storage/analyses/2000514/files/2359264533/temp.cmd
type: ASCII text, with CRLF line terminators
analysis_result: Safe
create: 0
how: move
md5: 20409097f54824845cc578008ad9147f
name: Settings32.exe
new_size: 979KB (1002496bytes)
operation: Copy and overwrite file
path: C:\Users\Administrator\AppData\Local\Temp\Settings32.exe
processid: 4012
processname: cmd.exe
sha1: 230eb9649e1f88e322511644982cf992bd48ba00
sha256: e98abba3a049d4f9482c5c59c112af25969da5f118eb0bff6b13b95046798a0b
size: 1002496
this_path: /data/cuckoo/storage/analyses/2000514/files/1000/Settings32.exe
type: PE32 executable (GUI) Intel 80386, for MS Windows

Malicious

attck_tactics: Defense Evasion
level: 2
matchedinfo: The malware drops a file from its resource section and runs it, in order to hide malicious code
num: 130
process_id: 3912
process_name: 1620612012768_20409097f54824845cc578008ad9147f.exe
rulename: Drop file from resource section and run it
attck_tactics: Basic information gathering
level: 1
matchedinfo: Searches for a specified target file by enumerating files
num: 147
process_id: 3912
process_name: 1620612012768_20409097f54824845cc578008ad9147f.exe
rulename: Enumerate files
attck_tactics: Defense Evasion
level: 2
matchedinfo: Modifies the show-hidden-files setting in order to hide files
num: 686
process_id: 3912
process_name: 1620612012768_20409097f54824845cc578008ad9147f.exe
rulename: Get hidden-file settings
attck_tactics: Persistence
level: 1
matchedinfo: The malware writes to the registry in order to modify the user's proxy settings
num: 1100
process_id: 3912
process_name: 1620612012768_20409097f54824845cc578008ad9147f.exe
rulename: Modify browser proxy
attck_tactics: Basic information gathering
level: 1
matchedinfo: The malware calls key APIs to obtain the system user name, in order to collect user information
num: 1140
process_id: 3912
process_name: 1620612012768_20409097f54824845cc578008ad9147f.exe
rulename: Get current user name
attck_tactics: Execution
level: 2
matchedinfo: The malware opens a thread in order to manipulate other threads
num: 2
process_id: 4012
process_name: cmd.exe
rulename: Open other threads
attck_tactics: Basic information gathering
level: 1
matchedinfo: Searches for a specified target file by enumerating files
num: 27
process_id: 4012
process_name: cmd.exe
rulename: Enumerate files
attck_tactics: Adverse impact
level: 2
matchedinfo: Terminates a process via a system command, in order to disrupt that process's normal operation
num: 225
process_id: 4012
process_name: cmd.exe
rulename: Call taskkill to terminate other processes
attck_tactics: Defense Evasion
level: 1
matchedinfo: The malware terminates other running programs, which can serve to evade monitoring or detection and removal, or to cause damage
num: 204
process_id: 3044
process_name: taskkill.exe
rulename: Terminate other processes
attck_tactics: Defense Evasion
level: 2
matchedinfo: Checks whether the mouse moves while the program runs; commonly used by malware for sandbox evasion
num: 204
process_id: 3044
process_name: taskkill.exe
rulename: Get current mouse position
attck_tactics: Basic information gathering
level: 1
matchedinfo: Searches for a specified target file by enumerating files
num: 146
process_id: 1092
process_name: Settings32.exe
rulename: Enumerate files
attck_tactics: Basic information gathering
level: 2
matchedinfo: Uses WMI to obtain system information such as process and disk details; this behaviour is common in script files
num: 560
process_id: 1092
process_name: Settings32.exe
rulename: Use WMI to obtain system information
attck_tactics: Other malicious behaviour
level: 1
matchedinfo: Typically used for file encryption or encrypted data transfer, and may be used in ransomware
num: 790
process_id: 1092
process_name: Settings32.exe
rulename: Call cryptographic algorithm library