VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives whose password is 'infected' or 'virus'.
4. If your browser cannot upload files, please download the VirSCAN uploader and use it to upload.

Basic Information

file name: 00同一屋檐下
file size: 781112 bytes
file type: application/x-dosexec (a Windows PE executable, although the submitted file name carries no .exe extension)
MD5: 4992e8494f868275938031a31f694161
sha1: fa1447beb579fcbb289486202d14076537f403bf

CreateProcess

Three process-creation records were captured. In each record "pid", "name" and "path" describe the parent and "childid", "childname" and "childpath" the child, so the chain is: pid 1852 launched the submitted sample as pid 2352, which launched the dropped internal1617805825567_4992e8494f868275938031a31f694161.exe as pid 1076 from a freshly created nsm60BA.tmp directory under %TEMP% (the ns<hex>.tmp name is the pattern NSIS-built installers use for their temporary extraction directory). The third record, explorer.exe (pid 1304) created by pid 1256, is the desktop shell and not part of the sample's chain.

ApplicationName:
CmdLine: C:\Users\ADMINI~1\AppData\Local\Temp\nsm60BA.tmp\internal1617805825567_4992e8494f868275938031a31f694161.exe C:/Users/ADMINI~1/AppData/Local/Temp/nsm60BA.tmp /baseInstaller='C:/Users/Administrator/AppData/Local/Temp/1617805825567_4992e8494f868275938031a31f694161.exe' /fallbackfolder='C:/Users/ADMINI~1/AppData/Local/Temp/nsm60BA.tmp/fallbackfiles/'
childid: 1076
childname: internal1617805825567_4992e8494f868275938031a31f694161.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\nsm60BA.tmp\internal1617805825567_4992e8494f868275938031a31f694161.exe
drop_type:
name: 1617805825567_4992e8494f868275938031a31f694161.exe
noNeedLine: 1
path: C:\Users\Administrator\AppData\Local\Temp\1617805825567_4992e8494f868275938031a31f694161.exe
pid: 2352

ApplicationName:
CmdLine:
childid: 2352
childname: 1617805825567_4992e8494f868275938031a31f694161.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1617805825567_4992e8494f868275938031a31f694161.exe
drop_type:
name:
noNeedLine:
path:
pid: 1852

ApplicationName:
CmdLine:
childid: 1304
childname: explorer.exe
childpath: C:\Windows\explorer.exe
drop_type:
name:
noNeedLine:
path:
pid: 1256

Summary

Registry values written during the run; every write comes from the dropped child (processid 1076). The Tracing\*_RASMANCS values are created by the Windows RAS tracing subsystem whenever a process loads the RAS APIs, and the Wpad\* values are written by WinHTTP proxy auto-detection, so both groups show that the process used networking APIs rather than that it set up persistence. The values under HKEY_LOCAL_MACHINE\Software\PTECH\44 (userid) and HKEY_LOCAL_MACHINE\SOFTWARE\tempo_2258 are specific to this sample and are the ones worth checking for on other hosts.

buffer: 3791EE3B6D6848309714DB9D2CF76EB1
processid: 1076
szSubkey: HKEY_LOCAL_MACHINE\Software\PTECH\44
type: REG_SZ
valuename: userid

buffer: 0
processid: 1076
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\internal1617805825567_4992e8494f868275938031a31f694161_RASMANCS
type: REG_DWORD
valuename: EnableFileTracing

buffer: 0
processid: 1076
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\internal1617805825567_4992e8494f868275938031a31f694161_RASMANCS
type: REG_DWORD
valuename: EnableConsoleTracing

buffer: 4294901760
processid: 1076
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\internal1617805825567_4992e8494f868275938031a31f694161_RASMANCS
type: REG_DWORD
valuename: FileTracingMask

buffer: 4294901760
processid: 1076
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\internal1617805825567_4992e8494f868275938031a31f694161_RASMANCS
type: REG_DWORD
valuename: ConsoleTracingMask

buffer: 1048576
processid: 1076
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\internal1617805825567_4992e8494f868275938031a31f694161_RASMANCS
type: REG_DWORD
valuename: MaxFileSize

buffer: %windir%\tracing\x00
processid: 1076
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\internal1617805825567_4992e8494f868275938031a31f694161_RASMANCS
type: REG_EXPAND_SZ
valuename: FileDirectory

buffer: tempo_2258
processid: 1076
szSubkey: HKEY_LOCAL_MACHINE\SOFTWARE\tempo_2258
type: REG_SZ
valuename: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\tempo_2258\(Default)

buffer: 1
processid: 1076
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_DWORD
valuename: WpadDecisionReason

buffer: @2UE\x0c,\xd7\x01
processid: 1076
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_BINARY
valuename: WpadDecisionTime

buffer: 3
processid: 1076
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_DWORD
valuename: WpadDecision

buffer: 网络 2
processid: 1076
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_SZ
valuename: WpadNetworkName

buffer: 1
processid: 1076
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
type: REG_DWORD
valuename: WpadDecisionReason

buffer: @2UE\x0c,\xd7\x01
processid: 1076
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
type: REG_BINARY
valuename: WpadDecisionTime

buffer: 3
processid: 1076
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
type: REG_DWORD
valuename: WpadDecision

buffer: F\x00\x00\x00\x0e\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00@2UE\x0c,\xd7\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\xc0\xa88\xca\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x11\x00\x00\x00\x10\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x00\x00 \x00\x00\x00\x10\x00\x00\x01\x00\x00\x00\xea\x03\x00\x00 \x06\x02\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\xa0\x1a\x0f\xe7\x8b\xab\xcf\x11\x8c\xa3\x00\x80_H\xa1\x92\x17\x00\x00\x00\x00\x00\x00\x00\xfe\x80\x00\x00\x00\x00\x00\x00\\xfb\xf7!\xcf\xcc\xddK\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
processid: 1076
szSubkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
type: REG_BINARY
valuename: DefaultConnectionSettings

buffer: {42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
processid: 1076
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
type: REG_SZ
valuename: WpadLastNetwork
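As an added example (not VirSCAN's own code), the following Python rebuilds the process chain from the CreateProcess records above and splits the registry writes in this Summary into sample-specific keys and OS side-effect keys. The two excerpts embedded in it are constructed from the values on this page; the record-boundary rule (a repeated key starts a new record), the OS_SIDE_EFFECT pattern and the function names are assumptions about the report format, not documented VirSCAN behaviour.

```python
"""Pull structured indicators out of a VirSCAN-style sandbox report.

Added example, not VirSCAN code. Records are runs of "key: value" lines with
no separator, so a record boundary is assumed wherever a key repeats.
"""
import re

# Constructed excerpt of the CreateProcess section (pid = parent, childid = child).
CREATEPROCESS = r"""
CmdLine: C:\Users\ADMINI~1\AppData\Local\Temp\nsm60BA.tmp\internal1617805825567_4992e8494f868275938031a31f694161.exe C:/Users/ADMINI~1/AppData/Local/Temp/nsm60BA.tmp /baseInstaller='C:/Users/Administrator/AppData/Local/Temp/1617805825567_4992e8494f868275938031a31f694161.exe' /fallbackfolder='C:/Users/ADMINI~1/AppData/Local/Temp/nsm60BA.tmp/fallbackfiles/'
childid: 1076
childname: internal1617805825567_4992e8494f868275938031a31f694161.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\nsm60BA.tmp\internal1617805825567_4992e8494f868275938031a31f694161.exe
name: 1617805825567_4992e8494f868275938031a31f694161.exe
path: C:\Users\Administrator\AppData\Local\Temp\1617805825567_4992e8494f868275938031a31f694161.exe
pid: 2352
CmdLine:
childid: 2352
childname: 1617805825567_4992e8494f868275938031a31f694161.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1617805825567_4992e8494f868275938031a31f694161.exe
name:
path:
pid: 1852
"""

# Constructed excerpt of the registry-write Summary (four of the page's records).
REGISTRY = r"""
buffer: 3791EE3B6D6848309714DB9D2CF76EB1
processid: 1076
szSubkey: HKEY_LOCAL_MACHINE\Software\PTECH\44
type: REG_SZ
valuename: userid
buffer: 0
processid: 1076
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\internal1617805825567_4992e8494f868275938031a31f694161_RASMANCS
type: REG_DWORD
valuename: EnableFileTracing
buffer: tempo_2258
processid: 1076
szSubkey: HKEY_LOCAL_MACHINE\SOFTWARE\tempo_2258
type: REG_SZ
valuename: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\tempo_2258\(Default)
buffer: 3
processid: 1076
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad\{42E7C687-3C56-48E6-A2A2-AB48DD2D7BC7}
type: REG_DWORD
valuename: WpadDecision
"""


def parse_records(text):
    """Split a run of 'key: value' lines into dicts; a repeated key starts a new record."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")   # split on the first colon only
        key, value = key.strip(), value.strip()
        if key in current:
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records


def lineage(records, pid):
    """Ancestor chain ending at pid, rebuilt from the pid -> childid pairs."""
    parent_of = {int(r["childid"]): int(r["pid"]) for r in records if "childid" in r}
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain[::-1]


# Assumption: these keys are written by Windows itself when a process loads the
# RAS APIs or runs WinHTTP proxy auto-detection; they show network-API use, not persistence.
OS_SIDE_EFFECT = re.compile(r"\\Microsoft\\Tracing\\|\\Internet Settings\\Wpad", re.I)


def classify_registry(records):
    """Split registry writes into (sample-specific, OS side-effect) tuples."""
    sample_specific, side_effects = [], []
    for r in records:
        if "szSubkey" not in r:
            continue
        entry = (r["szSubkey"], r["valuename"], r["type"], r["buffer"])
        if OS_SIDE_EFFECT.search(r["szSubkey"]):
            side_effects.append(entry)
        else:
            sample_specific.append(entry)
    return sample_specific, side_effects


if __name__ == "__main__":
    print("lineage of 1076:", " -> ".join(map(str, lineage(parse_records(CREATEPROCESS), 1076))))
    own, noise = classify_registry(parse_records(REGISTRY))
    for subkey, valuename, _, buffer in own:
        print(f"sample-specific: {subkey}\\{valuename} = {buffer}")
    print(f"{len(noise)} OS side-effect value(s) set aside")
```

The side-effect filter is deliberately narrow: it only drops the two key families whose origin is known, so anything unfamiliar stays in the sample-specific list for a human to look at rather than being silently discarded.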

Behavior_analysis

message: Attempts to evade sandbox detection by sleeping for a long time
name: Long sleep
szSubkey:
score: 2

Malicious

Behaviour rules matched during the run, each with its ATT&CK tactic, severity level and the process that triggered it.

attck_tactics: Defense Evasion
level: 2
matchedinfo: Modifies the "show hidden files" setting in order to hide files
num: 168
process_id: 2352
process_name: 1617805825567_4992e8494f868275938031a31f694161.exe
rulename: Read hidden-file display setting

attck_tactics: Defense Evasion
level: 2
matchedinfo: Malware drops a file from its resource section and runs it, in order to conceal malicious code
num: 3906
process_id: 2352
process_name: 1617805825567_4992e8494f868275938031a31f694161.exe
rulename: Drop file from resource section and execute it

attck_tactics: Discovery
level: 1
matchedinfo: Enumerates files to locate specific target files
num: 3913
process_id: 2352
process_name: 1617805825567_4992e8494f868275938031a31f694161.exe
rulename: Enumerate files

attck_tactics: Discovery
level: 1
matchedinfo: Enumerates files to locate specific target files
num: 309
process_id: 1076
process_name: internal1617805825567_4992e8494f868275938031a31f694161.exe
rulename: Enumerate files

attck_tactics: Discovery
level: 1
matchedinfo: Malware collects computer configuration information for profiling
num: 859
process_id: 1076
process_name: internal1617805825567_4992e8494f868275938031a31f694161.exe
rulename: Collect system configuration information

attck_tactics: Persistence
level: 1
matchedinfo: Malware opens the Service Control Manager in order to control services
num: 920
process_id: 1076
process_name: internal1617805825567_4992e8494f868275938031a31f694161.exe
rulename: Open Service Control Manager

attck_tactics: Execution
level: 2
matchedinfo: Malware opens a thread handle in order to manipulate other threads
num: 933
process_id: 1076
process_name: internal1617805825567_4992e8494f868275938031a31f694161.exe
rulename: Open another thread

attck_tactics: Defense Evasion
level: 2
matchedinfo: Modifies the "show hidden files" setting in order to hide files
num: 1188
process_id: 1076
process_name: internal1617805825567_4992e8494f868275938031a31f694161.exe
rulename: Read hidden-file display setting

attck_tactics: Other malicious behavior
level: 1
matchedinfo: Typically used for file encryption or encrypted data transfer; may also be used by ransomware
num: 1728
process_id: 1076
process_name: internal1617805825567_4992e8494f868275938031a31f694161.exe
rulename: Call cryptographic library

attck_tactics: Other malicious behavior
level: 2
matchedinfo: Malware loads a resource from its resource section into memory and decrypts it there
num: 5683
process_id: 1076
process_name: internal1617805825567_4992e8494f868275938031a31f694161.exe
rulename: Load resource into memory

attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware changes memory protection in order to decrypt and execute malicious code in memory
num: 5743
process_id: 1076
process_name: internal1617805825567_4992e8494f868275938031a31f694161.exe
rulename: Set memory region to read/write/execute

attck_tactics: Discovery
level: 1
matchedinfo: Enumerates running processes; can be used to evade specific antivirus products, virtual machines, etc.
num: 5833
process_id: 1076
process_name: internal1617805825567_4992e8494f868275938031a31f694161.exe
rulename: Enumerate system processes

attck_tactics: Other malicious behavior
level: 1
matchedinfo: Malware creates a network connection in order to communicate over the network
num: 9873
process_id: 1076
process_name: internal1617805825567_4992e8494f868275938031a31f694161.exe
rulename: Create network socket connection

attck_tactics: Discovery
level: 1
matchedinfo: Malware retrieves the user's network adapter information in order to obtain sensitive information
num: 11455
process_id: 1076
process_name: internal1617805825567_4992e8494f868275938031a31f694161.exe
rulename: Collect network adapter information

attck_tactics: Defense Evasion
level: 2
matchedinfo: Monitors whether the mouse moves while the program runs; commonly used by malware for sandbox evasion
num: 28
process_id: 1304
process_name: explorer.exe
rulename: Get current cursor position

The last hit is attributed to explorer.exe (pid 1304), the desktop shell, not to the sample or its dropped child. The shell polls the cursor position as part of normal operation, so this rule should not be counted against the sample unless the calls can be traced back to the sample's own code.
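To make the rule descriptions above concrete, here is an added example (not VirSCAN's rule engine) that scores a constructed API-call trace against a handful of the listed behaviours, in the same rulename/tactic/level shape the report uses. The trace format, the SLEEP_THRESHOLD_MS value, the API names chosen to stand in for each rule, and the decision to record but not score GetCursorPos when it comes from the shell are all assumptions for illustration.

```python
"""Score a sandbox API trace against a few of the behaviours in the report.

Added example, not VirSCAN code. The trace format ("pid name api(args)") and
the thresholds are assumptions; the levels mirror the report's rule levels.
"""
import re

PAGE_EXECUTE_READWRITE = 0x40       # Windows memory-protection constant
SLEEP_THRESHOLD_MS = 60_000         # assumption: a one-minute sleep counts as "long"
SHELL_PROCESSES = {"explorer.exe"}  # the desktop shell polls the cursor legitimately

# Constructed trace, one call per line; pids match the report's process chain.
TRACE = r"""
1076 internal.exe Sleep(300000)
1076 internal.exe LoadResource(hModule=0x400000, hResInfo=0x4a0)
1076 internal.exe VirtualProtect(addr=0x2a0000, size=0x1000, newProtect=0x40)
1076 internal.exe VirtualProtect(addr=0x2b0000, size=0x1000, newProtect=0x04)
1076 internal.exe OpenSCManagerW(lpMachineName=NULL, dwDesiredAccess=0xf003f)
1076 internal.exe GetAdaptersInfo()
1304 explorer.exe GetCursorPos()
1304 explorer.exe GetCursorPos()
2352 sample.exe FindFirstFileW(lpFileName=C:\Users\Administrator\*)
"""

LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\w+)\((.*)\)$")

# api -> (rulename, tactic, level); the names and levels follow the report's rules.
SIMPLE_RULES = {
    "LoadResource":    ("Load resource into memory", "Other malicious behavior", 2),
    "OpenSCManagerW":  ("Open Service Control Manager", "Persistence", 1),
    "GetAdaptersInfo": ("Collect network adapter information", "Discovery", 1),
    "FindFirstFileW":  ("Enumerate files", "Discovery", 1),
    "GetCursorPos":    ("Get current cursor position", "Defense Evasion", 2),
}


def match_rule(api, args):
    """Return (rulename, tactic, level) for one call, or None if no rule applies."""
    if api == "Sleep":
        return ("Long sleep", "Defense Evasion", 2) if int(args) >= SLEEP_THRESHOLD_MS else None
    if api == "VirtualProtect":
        m = re.search(r"newProtect=(0x[0-9a-fA-F]+)", args)
        if m and int(m.group(1), 16) == PAGE_EXECUTE_READWRITE:
            return ("Set memory region to read/write/execute", "Other malicious behavior", 1)
        return None
    return SIMPLE_RULES.get(api)


def analyze(trace):
    """Per-pid hits: {rulename: {tactic, level, num}} plus a score per process.

    A rule's level is charged once per process however many calls matched;
    num counts the matching calls, like the report's "num" field.
    """
    procs = {}
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        pid, name, api, args = int(m.group(1)), m.group(2), m.group(3), m.group(4)
        p = procs.setdefault(pid, {"name": name, "hits": {}, "suppressed": {}, "score": 0})
        rule = match_rule(api, args)
        if rule is None:
            continue
        rulename, tactic, level = rule
        # A GetCursorPos hit attributed to the desktop shell is ordinary desktop
        # activity (the report's explorer.exe hit): keep it visible, do not score it.
        shell_noise = api == "GetCursorPos" and name in SHELL_PROCESSES
        bucket = p["suppressed"] if shell_noise else p["hits"]
        if rulename not in bucket:
            bucket[rulename] = {"tactic": tactic, "level": level, "num": 0}
            if not shell_noise:
                p["score"] += level
        bucket[rulename]["num"] += 1
    return procs


if __name__ == "__main__":
    for pid, p in analyze(TRACE).items():
        print(f"{pid} {p['name']}: score {p['score']}, rules {sorted(p['hits'])}, "
              f"suppressed {sorted(p['suppressed'])}")
```

The second VirtualProtect call in the trace (newProtect=0x04, read/write only) is there on purpose: only the transition to PAGE_EXECUTE_READWRITE should fire the in-memory decrypt-and-execute rule, which is the check the report's "Set memory region to read/write/execute" description is really about.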