VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.
4, If your browser cannot upload files, please download VirSCAN uploader to upload.


Basic Information

file name: 00我是余欢水
file size: 373739
file type: application/x-dosexec
MD5: 814d871913edb177fb340b9cea09ebe1
sha1: 7fa3c78464c745c4904be4afe3a2abfc5cd6b924

 CreateProcess

ApplicationName:
CmdLine: C:\Windows\system32\wermgr.exe
childid: 2928
childname: wermgr.exe
childpath: C:\Windows\System32\wermgr.exe
drop_type:
name: 1621094451197_814d871913edb177fb340b9cea09ebe1.exe
noNeedLine: 1
path: C:\Users\Administrator\AppData\Local\Temp\1621094451197_814d871913edb177fb340b9cea09ebe1.exe
pid: 1580
ApplicationName:
CmdLine:
childid: 1580
childname: 1621094451197_814d871913edb177fb340b9cea09ebe1.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1621094451197_814d871913edb177fb340b9cea09ebe1.exe
drop_type:
name:
noNeedLine:
path:
pid: 2580

 Dropped_Save

analysis_result: Safe
create: 0
how: del
md5: b70f387f3a702ac9dd09cdedd94daf8c
name: logB74.tmp
new_size: 595bytes
operation: File dropped and then deleted
path: C:\Users\Administrator\AppData\Local\Temp\logB74.tmp
processid: 1580
processname: 1621094451197_814d871913edb177fb340b9cea09ebe1.exe
sha1: 56298395e0e537a33c74ec11dc0b62e8e4f03627
sha256: d1967e0034d240174f6694ce80e6480314e149d5ff97acb63f2b607d8acccc8e
size: 595
this_path: /data/cuckoo/storage/analyses/6000479/files/7430269171/logB74.tmp
type: Non-ISO extended-ASCII text, with CRLF line terminators
analysis_result: Safe
create: 0
how: write
md5: eca9c9d9e879269e5cd955063929aea4
name: a18ca4003deb042bbee7a40f15e1970b_ff1996c6-1c32-48f3-a89c-1ab09b8477c7
new_size: 1036bytes
operation: File modified
path: C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3531488231-4160719598-983141384-500\a18ca4003deb042bbee7a40f15e1970b_ff1996c6-1c32-48f3-a89c-1ab09b8477c7
processid: 1580
processname: 1621094451197_814d871913edb177fb340b9cea09ebe1.exe
sha1: 3c684d25e2d87b955e994c1d35134840e5b1bf23
sha256: 54afe7e8eb837d3326a4374e0e00205dfa595e280ba464f0031007805284f7d0
size: 1036
this_path: /data/cuckoo/storage/analyses/6000479/files/1000/a18ca4003deb042bbee7a40f15e1970b_ff1996c6-1c32-48f3-a89c-1ab09b8477c7
type: data

 Malicious

attck_tactics: Defense Evasion
level: 2
matchedinfo: The malware drops a file from its resource section and runs it, in order to hide the malicious code.
num: 9066
process_id: 1580
process_name: 1621094451197_814d871913edb177fb340b9cea09ebe1.exe
rulename: Drop file from resource section and run it
attck_tactics: Other malicious behavior
level: 2
matchedinfo: The malware loads a resource from its resource section into memory and decrypts it there.
num: 9066
process_id: 1580
process_name: 1621094451197_814d871913edb177fb340b9cea09ebe1.exe
rulename: Load resource into memory
attck_tactics: Other malicious behavior
level: 1
matchedinfo: The malware modifies memory protection attributes in order to decrypt and execute malicious code in memory.
num: 9068
process_id: 1580
process_name: 1621094451197_814d871913edb177fb340b9cea09ebe1.exe
rulename: Set memory region to readable, writable and executable
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Commonly used for file encryption or encrypted data transfer; may also be used by ransomware.
num: 9071
process_id: 1580
process_name: 1621094451197_814d871913edb177fb340b9cea09ebe1.exe
rulename: Call cryptographic algorithm library
attck_tactics: Basic information gathering
level: 1
matchedinfo: Enumerates the processes running on the system; can be used to evade specific antivirus products, virtual machines, etc.
num: 9176
process_id: 1580
process_name: 1621094451197_814d871913edb177fb340b9cea09ebe1.exe
rulename: Enumerate system processes
attck_tactics: Basic information gathering
level: 1
matchedinfo: The malware obtains the user's network adapter information in order to collect sensitive information.
num: 232
process_id: 2928
process_name: wermgr.exe
rulename: Collect network adapter information
attck_tactics: Other malicious behavior
level: 1
matchedinfo: Commonly used for file encryption or encrypted data transfer; may also be used by ransomware.
num: 233
process_id: 2928
process_name: wermgr.exe
rulename: Call cryptographic algorithm library
attck_tactics: Persistence
level: 1
matchedinfo: The malware opens the Service Control Manager in order to control services.
num: 255
process_id: 2928
process_name: wermgr.exe
rulename: Open Service Control Manager
attck_tactics: Execution
level: 2
matchedinfo: The malware starts a malicious service in order to execute malicious code as a service.
num: 257
process_id: 2928
process_name: wermgr.exe
rulename: Start service