VirSCAN VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, Aplikace VirSCAN může skenovat komprimované soubory s heslem 'infected'nebo'virus'.
4, If your browser cannot upload files, please download VirSCAN uploader to upload.

Language
Server load
Server Load
VirSCAN
VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, Aplikace VirSCAN může skenovat komprimované soubory s heslem 'infected'nebo'virus'.

Basic Information

file name: 00我的大叔
file size: 512000
file type: application/x-dosexec
MD5: 8386e9bd0683466efb377db827b6728e
sha1: b949a40e7fba61c497317cf15ec8d510d3218f6a

 CreateProcess

ApplicationName: C:\Windows\System32\reg.exe
CmdLine: "C:\Windows\System32\reg.exe" import C:\Windows\regedit.reg
childid: 728
childname: reg.exe
childpath: C:\Windows\SysWOW64\reg.exe
drop_type:
name: 1621094431022_8386e9bd0683466efb377db827b6728e.exe
noNeedLine: 1
path: C:\Users\Administrator\AppData\Local\Temp\1621094431022_8386e9bd0683466efb377db827b6728e.exe
pid: 2824
ApplicationName: C:\Windows\System32\reg.exe
CmdLine: "C:\Windows\System32\reg.exe" export HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srservice C:\Windows\regedit.reg
childid: 1776
childname: reg.exe
childpath: C:\Windows\SysWOW64\reg.exe
drop_type:
name: 1621094431022_8386e9bd0683466efb377db827b6728e.exe
noNeedLine: 1
path: C:\Users\Administrator\AppData\Local\Temp\1621094431022_8386e9bd0683466efb377db827b6728e.exe
pid: 2824
ApplicationName: C:\Users\Public\Pictures\svchost.eXe
CmdLine: "C:\Users\Public\Pictures\svchost.eXe"
childid: 2600
childname: svchost.eXe
childpath: C:\Users\Public\Pictures\svchost.eXe
drop_type:
name: 1621094431022_8386e9bd0683466efb377db827b6728e.exe
noNeedLine: 1
path: C:\Users\Administrator\AppData\Local\Temp\1621094431022_8386e9bd0683466efb377db827b6728e.exe
pid: 2824
ApplicationName: C:\Users\Public\Music\svchost.eXe
CmdLine: "C:\Users\Public\Music\svchost.eXe"
childid: 2220
childname: svchost.eXe
childpath: C:\Users\Public\Music\svchost.eXe
drop_type:
name: 1621094431022_8386e9bd0683466efb377db827b6728e.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1621094431022_8386e9bd0683466efb377db827b6728e.exe
pid: 2824
ApplicationName: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\msmsgs.eXe
CmdLine: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\msmsgs.eXe"
childid: 1852
childname: msmsgs.eXe
childpath: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\msmsgs.eXe
drop_type:
name: 1621094431022_8386e9bd0683466efb377db827b6728e.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1621094431022_8386e9bd0683466efb377db827b6728e.exe
pid: 2824
ApplicationName: C:\Windows\System32\reg.exe
CmdLine: "C:\Windows\System32\reg.exe" import C:\Windows\regedit.reg
childid: 1056
childname: reg.exe
childpath: C:\Windows\SysWOW64\reg.exe
drop_type:
name: svchost.eXe
noNeedLine: 1
path: C:\Users\Public\Pictures\svchost.eXe
pid: 2600
ApplicationName: C:\Windows\System32\reg.exe
CmdLine: "C:\Windows\System32\reg.exe" export HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srservice C:\Windows\regedit.reg
childid: 1752
childname: reg.exe
childpath: C:\Windows\SysWOW64\reg.exe
drop_type:
name: svchost.eXe
noNeedLine: 1
path: C:\Users\Public\Pictures\svchost.eXe
pid: 2600
ApplicationName: C:\Windows\System32\reg.exe
CmdLine: "C:\Windows\System32\reg.exe" import C:\Windows\regedit.reg
childid: 2888
childname: reg.exe
childpath: C:\Windows\SysWOW64\reg.exe
drop_type:
name: svchost.eXe
noNeedLine:
path: C:\Users\Public\Pictures\svchost.eXe
pid: 2600
ApplicationName: C:\Windows\System32\reg.exe
CmdLine: "C:\Windows\System32\reg.exe" import C:\Windows\regedit.reg
childid: 1640
childname: reg.exe
childpath: C:\Windows\SysWOW64\reg.exe
drop_type:
name: svchost.eXe
noNeedLine:
path: C:\Users\Public\Pictures\svchost.eXe
pid: 2600
ApplicationName: C:\Windows\System32\reg.exe
CmdLine: "C:\Windows\System32\reg.exe" import C:\Windows\regedit.reg
childid: 1908
childname: reg.exe
childpath: C:\Windows\SysWOW64\reg.exe
drop_type:
name: svchost.eXe
noNeedLine:
path: C:\Users\Public\Pictures\svchost.eXe
pid: 2600
ApplicationName: C:\Windows\System32\reg.exe
CmdLine: "C:\Windows\System32\reg.exe" import C:\Windows\regedit.reg
childid: 984
childname: reg.exe
childpath: C:\Windows\System32\reg.exe
drop_type:
name: svchost.eXe
noNeedLine: 1
path: C:\Users\Public\Music\svchost.eXe
pid: 2220
ApplicationName: C:\Windows\System32\reg.exe
CmdLine: "C:\Windows\System32\reg.exe" export HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srservice C:\Windows\regedit.reg
childid: 2036
childname: reg.exe
childpath: C:\Windows\System32\reg.exe
drop_type:
name: svchost.eXe
noNeedLine: 1
path: C:\Users\Public\Music\svchost.eXe
pid: 2220
ApplicationName: C:\Windows\System32\reg.exe
CmdLine: "C:\Windows\System32\reg.exe" import C:\Windows\regedit.reg
childid: 2628
childname: reg.exe
childpath: C:\Windows\SysWOW64\reg.exe
drop_type:
name: msmsgs.eXe
noNeedLine: 1
path: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\msmsgs.eXe
pid: 1852
ApplicationName: C:\Windows\System32\reg.exe
CmdLine: "C:\Windows\System32\reg.exe" export HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srservice C:\Windows\regedit.reg
childid: 3068
childname: reg.exe
childpath: C:\Windows\SysWOW64\reg.exe
drop_type:
name: msmsgs.eXe
noNeedLine: 1
path: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\msmsgs.eXe
pid: 1852
ApplicationName: C:\Windows\System32\reg.exe
CmdLine: "C:\Windows\System32\reg.exe" import C:\Windows\regedit.reg
childid: 2816
childname: reg.exe
childpath: C:\Windows\SysWOW64\reg.exe
drop_type:
name: msmsgs.eXe
noNeedLine:
path: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\msmsgs.eXe
pid: 1852
ApplicationName:
CmdLine:
childid: 2824
childname: 1621094431022_8386e9bd0683466efb377db827b6728e.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1621094431022_8386e9bd0683466efb377db827b6728e.exe
drop_type:
name:
noNeedLine:
path:
pid: 2952

 Summary

buffer: 2
processid: 2824
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
type: REG_DWORD
valuename: Hidden
buffer: 1
processid: 2824
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
type: REG_DWORD
valuename: HideFileExt
buffer: 1
processid: 2824
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
type: REG_DWORD
valuename: NoSetFolders
buffer: 2
processid: 2600
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
type: REG_DWORD
valuename: Hidden
buffer: 1
processid: 2600
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
type: REG_DWORD
valuename: HideFileExt
buffer: 1
processid: 2600
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
type: REG_DWORD
valuename: NoSetFolders
buffer: 2
processid: 2600
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
type: REG_DWORD
valuename: DisableRegistryTools
buffer: 2
processid: 2600
szSubkey: HKEY_CURRENT_USER\Qmdvucpg^Rmnkakgq^Okapmqmdv^Uklfmuq^Q{qvgo
type: REG_DWORD
valuename: Fkqc`ngAOF
buffer: 2
processid: 2600
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
type: REG_DWORD
valuename: Hidden
buffer: 1
processid: 2600
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
type: REG_DWORD
valuename: HideFileExt
buffer: 1
processid: 2600
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
type: REG_DWORD
valuename: NoSetFolders
buffer: 2
processid: 2600
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
type: REG_DWORD
valuename: DisableRegistryTools
buffer: 2
processid: 2600
szSubkey: HKEY_CURRENT_USER\Qmdvucpg^Rmnkakgq^Okapmqmdv^Uklfmuq^Q{qvgo
type: REG_DWORD
valuename: Fkqc`ngAOF
buffer: 2
processid: 2600
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
type: REG_DWORD
valuename: Hidden
buffer: 1
processid: 2600
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
type: REG_DWORD
valuename: HideFileExt
buffer: 1
processid: 2600
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
type: REG_DWORD
valuename: NoSetFolders
buffer: 2
processid: 2600
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
type: REG_DWORD
valuename: DisableRegistryTools
buffer: 2
processid: 2600
szSubkey: HKEY_CURRENT_USER\Qmdvucpg^Rmnkakgq^Okapmqmdv^Uklfmuq^Q{qvgo
type: REG_DWORD
valuename: Fkqc`ngAOF
buffer: 2
processid: 2600
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
type: REG_DWORD
valuename: Hidden
buffer: 1
processid: 2600
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
type: REG_DWORD
valuename: HideFileExt
buffer: 1
processid: 2600
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
type: REG_DWORD
valuename: NoSetFolders
buffer: 2
processid: 2600
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
type: REG_DWORD
valuename: DisableRegistryTools
buffer: 2
processid: 2600
szSubkey: HKEY_CURRENT_USER\Qmdvucpg^Rmnkakgq^Okapmqmdv^Uklfmuq^Q{qvgo
type: REG_DWORD
valuename: Fkqc`ngAOF
buffer: 2
processid: 2220
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
type: REG_DWORD
valuename: Hidden
buffer: 1
processid: 2220
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
type: REG_DWORD
valuename: HideFileExt
buffer: 1
processid: 2220
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
type: REG_DWORD
valuename: NoSetFolders
buffer: 2
processid: 2220
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
type: REG_DWORD
valuename: DisableRegistryTools
buffer: 2
processid: 2220
szSubkey: HKEY_CURRENT_USER\Qmdvucpg^Rmnkakgq^Okapmqmdv^Uklfmuq^Q{qvgo
type: REG_DWORD
valuename: Fkqc`ngAOF
buffer: 2
processid: 1852
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
type: REG_DWORD
valuename: Hidden
buffer: 1
processid: 1852
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
type: REG_DWORD
valuename: HideFileExt
buffer: 1
processid: 1852
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
type: REG_DWORD
valuename: NoSetFolders
buffer: 2
processid: 1852
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
type: REG_DWORD
valuename: DisableRegistryTools
buffer: 2
processid: 1852
szSubkey: HKEY_CURRENT_USER\Qmdvucpg^Rmnkakgq^Okapmqmdv^Uklfmuq^Q{qvgo
type: REG_DWORD
valuename: Fkqc`ngAOF

 Behavior_analysis

message: 企图通过长时间休眠躲避沙箱检测
name: 长时间休眠
szSubkey:
score: 2

 Malicious

attck_tactics: 防御逃逸
level: 2
matchedinfo: 检查程序运行时监视鼠标是否移动。一般被恶意软件用于沙盒逃逸
num: 1
process_id: 2824
process_name: 1621094431022_8386e9bd0683466efb377db827b6728e.exe
rulename: 获取当前鼠标位置
attck_tactics: 防御逃逸
level: 2
matchedinfo: 恶意程序通过从资源段释放文件并运行的方式,以达到隐藏恶意代码的目的
num: 37
process_id: 2824
process_name: 1621094431022_8386e9bd0683466efb377db827b6728e.exe
rulename: 从资源段释放文件并运行
attck_tactics: 防御逃逸
level: 2
matchedinfo: 恶意程序通过拷贝文件到系统目录的方式,以达到隐藏恶意文件的目的
num: 124
process_id: 2824
process_name: 1621094431022_8386e9bd0683466efb377db827b6728e.exe
rulename: 拷贝文件到系统目录
attck_tactics: 持久化
level: 3
matchedinfo: 恶意程序通过写文件到自启动目录,以达到开机自启动的目的
num: 4749
process_id: 2824
process_name: 1621094431022_8386e9bd0683466efb377db827b6728e.exe
rulename: 新增自动运行功能 (通过写文件到自启动目录)
attck_tactics: 防御逃逸
level: 2
matchedinfo: 通过修改查看隐藏文件设置,达到隐藏文件的目的
num: 4801
process_id: 2824
process_name: 1621094431022_8386e9bd0683466efb377db827b6728e.exe
rulename: 获取隐藏文件设置
attck_tactics: 防御逃逸
level: 4
matchedinfo: 通过创建特殊进程名字的进程假装成正常程序,以达到混淆视听欺骗用户的目的
num: 4818
process_id: 2824
process_name: 1621094431022_8386e9bd0683466efb377db827b6728e.exe
rulename: 创建伪装进程
attck_tactics: 基础信息获取
level: 1
matchedinfo: 通过文件遍历查找指定目标文件
num: 8513
process_id: 2824
process_name: 1621094431022_8386e9bd0683466efb377db827b6728e.exe
rulename: 遍历文件
attck_tactics: 防御逃逸
level: 2
matchedinfo: 检查程序运行时监视鼠标是否移动。一般被恶意软件用于沙盒逃逸
num: 0
process_id: 2600
process_name: svchost.eXe
rulename: 获取当前鼠标位置
attck_tactics: 防御逃逸
level: 2
matchedinfo: 恶意程序通过从资源段释放文件并运行的方式,以达到隐藏恶意代码的目的
num: 36
process_id: 2600
process_name: svchost.eXe
rulename: 从资源段释放文件并运行
attck_tactics: 防御逃逸
level: 2
matchedinfo: 恶意程序通过拷贝文件到系统目录的方式,以达到隐藏恶意文件的目的
num: 98
process_id: 2600
process_name: svchost.eXe
rulename: 拷贝文件到系统目录
attck_tactics: 持久化
level: 3
matchedinfo: 恶意程序通过写文件到自启动目录,以达到开机自启动的目的
num: 3031
process_id: 2600
process_name: svchost.eXe
rulename: 新增自动运行功能 (通过写文件到自启动目录)
attck_tactics: 防御逃逸
level: 2
matchedinfo: 通过修改查看隐藏文件设置,达到隐藏文件的目的
num: 3100
process_id: 2600
process_name: svchost.eXe
rulename: 获取隐藏文件设置
attck_tactics: 防御逃逸
level: 4
matchedinfo: 通过创建特殊进程名字的进程假装成正常程序,以达到混淆视听欺骗用户的目的
num: 3117
process_id: 2600
process_name: svchost.eXe
rulename: 创建伪装进程
attck_tactics: 基础信息获取
level: 1
matchedinfo: 通过文件遍历查找指定目标文件
num: 3274
process_id: 2600
process_name: svchost.eXe
rulename: 遍历文件
attck_tactics: 防御逃逸
level: 2
matchedinfo: 检查程序运行时监视鼠标是否移动。一般被恶意软件用于沙盒逃逸
num: 0
process_id: 2220
process_name: svchost.eXe
rulename: 获取当前鼠标位置
attck_tactics: 防御逃逸
level: 2
matchedinfo: 恶意程序通过从资源段释放文件并运行的方式,以达到隐藏恶意代码的目的
num: 36
process_id: 2220
process_name: svchost.eXe
rulename: 从资源段释放文件并运行
attck_tactics: 防御逃逸
level: 2
matchedinfo: 恶意程序通过拷贝文件到系统目录的方式,以达到隐藏恶意文件的目的
num: 98
process_id: 2220
process_name: svchost.eXe
rulename: 拷贝文件到系统目录
attck_tactics: 持久化
level: 3
matchedinfo: 恶意程序通过写文件到自启动目录,以达到开机自启动的目的
num: 2201
process_id: 2220
process_name: svchost.eXe
rulename: 新增自动运行功能 (通过写文件到自启动目录)
attck_tactics: 防御逃逸
level: 2
matchedinfo: 通过修改查看隐藏文件设置,达到隐藏文件的目的
num: 2251
process_id: 2220
process_name: svchost.eXe
rulename: 获取隐藏文件设置
attck_tactics: 防御逃逸
level: 4
matchedinfo: 通过创建特殊进程名字的进程假装成正常程序,以达到混淆视听欺骗用户的目的
num: 2268
process_id: 2220
process_name: svchost.eXe
rulename: 创建伪装进程
attck_tactics: 数据窃取
level: 4
matchedinfo: 通过构造加密数据包后使用ICMP协议进行隐秘数据传输
num: 2502
process_id: 2220
process_name: svchost.eXe
rulename: 使用ICMP协议进行隐秘数据传输
attck_tactics: 防御逃逸
level: 2
matchedinfo: 检查程序运行时监视鼠标是否移动。一般被恶意软件用于沙盒逃逸
num: 0
process_id: 1852
process_name: msmsgs.eXe
rulename: 获取当前鼠标位置
attck_tactics: 防御逃逸
level: 2
matchedinfo: 恶意程序通过从资源段释放文件并运行的方式,以达到隐藏恶意代码的目的
num: 36
process_id: 1852
process_name: msmsgs.eXe
rulename: 从资源段释放文件并运行
attck_tactics: 防御逃逸
level: 2
matchedinfo: 恶意程序通过拷贝文件到系统目录的方式,以达到隐藏恶意文件的目的
num: 120
process_id: 1852
process_name: msmsgs.eXe
rulename: 拷贝文件到系统目录
attck_tactics: 持久化
level: 3
matchedinfo: 恶意程序通过写文件到自启动目录,以达到开机自启动的目的
num: 1410
process_id: 1852
process_name: msmsgs.eXe
rulename: 新增自动运行功能 (通过写文件到自启动目录)
attck_tactics: 防御逃逸
level: 2
matchedinfo: 通过修改查看隐藏文件设置,达到隐藏文件的目的
num: 1479
process_id: 1852
process_name: msmsgs.eXe
rulename: 获取隐藏文件设置
attck_tactics: 防御逃逸
level: 4
matchedinfo: 通过创建特殊进程名字的进程假装成正常程序,以达到混淆视听欺骗用户的目的
num: 1496
process_id: 1852
process_name: msmsgs.eXe
rulename: 创建伪装进程
attck_tactics: 基础信息获取
level: 1
matchedinfo: 通过遍历系统中进程,可以用于特定杀软逃逸、虚拟机逃逸等
num: 1670
process_id: 1852
process_name: msmsgs.eXe
rulename: 遍历系统中的进程