VirSCAN VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, Aplikace VirSCAN může skenovat komprimované soubory s heslem 'infected'nebo'virus'.
4, If your browser cannot upload files, please download VirSCAN uploader to upload.

Language
Server load
Server Load
VirSCAN
VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, Aplikace VirSCAN může skenovat komprimované soubory s heslem 'infected'nebo'virus'.

Basic Information

file name: 00锦衣夜行
file size: 174605
file type: application/x-dosexec
MD5: 962c1438170e83444480efdaeee7aafd
sha1: b4ecd19ae9bf9af5a9f3ee4b1a2fc53d8916a342

 CreateProcess

ApplicationName:
CmdLine:
childid: 2428
childname: 1619141412554_962c1438170e83444480efdaeee7aafd.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1619141412554_962c1438170e83444480efdaeee7aafd.exe
drop_type:
name:
noNeedLine:
path:
pid: 2904

 Summary

buffer: "C:\Users\Administrator\AppData\Roaming\Microsoft\snszim.exe"
processid: 2428
szSubkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
type: REG_SZ
valuename: grigvoupwil
buffer: 0
processid: 2428
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\1619141412554_962c1438170e83444480efdaeee7aafd_RASAPI32
type: REG_DWORD
valuename: EnableFileTracing
buffer: 0
processid: 2428
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\1619141412554_962c1438170e83444480efdaeee7aafd_RASAPI32
type: REG_DWORD
valuename: EnableConsoleTracing
buffer: 4294901760
processid: 2428
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\1619141412554_962c1438170e83444480efdaeee7aafd_RASAPI32
type: REG_DWORD
valuename: FileTracingMask
buffer: 4294901760
processid: 2428
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\1619141412554_962c1438170e83444480efdaeee7aafd_RASAPI32
type: REG_DWORD
valuename: ConsoleTracingMask
buffer: 1048576
processid: 2428
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\1619141412554_962c1438170e83444480efdaeee7aafd_RASAPI32
type: REG_DWORD
valuename: MaxFileSize
buffer: %windir%\tracing\x00
processid: 2428
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\1619141412554_962c1438170e83444480efdaeee7aafd_RASAPI32
type: REG_EXPAND_SZ
valuename: FileDirectory
buffer: 0
processid: 2428
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\1619141412554_962c1438170e83444480efdaeee7aafd_RASMANCS
type: REG_DWORD
valuename: EnableFileTracing
buffer: 0
processid: 2428
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\1619141412554_962c1438170e83444480efdaeee7aafd_RASMANCS
type: REG_DWORD
valuename: EnableConsoleTracing
buffer: 4294901760
processid: 2428
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\1619141412554_962c1438170e83444480efdaeee7aafd_RASMANCS
type: REG_DWORD
valuename: FileTracingMask
buffer: 4294901760
processid: 2428
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\1619141412554_962c1438170e83444480efdaeee7aafd_RASMANCS
type: REG_DWORD
valuename: ConsoleTracingMask
buffer: 1048576
processid: 2428
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\1619141412554_962c1438170e83444480efdaeee7aafd_RASMANCS
type: REG_DWORD
valuename: MaxFileSize
buffer: %windir%\tracing\x00
processid: 2428
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\1619141412554_962c1438170e83444480efdaeee7aafd_RASMANCS
type: REG_EXPAND_SZ
valuename: FileDirectory

 Dropped Unsave

analysis_result: Trojan-Ransom.Win32.GandCrypt.jfg
create: 0
how: write
md5: c19b2382d37003c76caf7104d68f23f4
name: snszim.exe
new_size: 170KB (174605bytes)
operation: 修改文件
path: C:\Users\Administrator\AppData\Roaming\Microsoft\snszim.exe
processid: 2428
processname: 1619141412554_962c1438170e83444480efdaeee7aafd.exe
sha1: d33cb064bcb63419cf05d412e61e85f085440913
sha256: abe15e000b30de49377ec613204db9a869fd0288ac62542e28650c866ccc9eb3
size: 174605
this_path: /data/cuckoo/storage/analyses/6000035/files/1000/snszim.exe
type: PE32 executable (GUI) Intel 80386, for MS Windows

 Malicious

attck_tactics: 其他恶意行为
level: 1
matchedinfo: 恶意软件通过修改内存属性,以达到在内存中解密&执行恶意代码
num: 9553
process_id: 2428
process_name: 1619141412554_962c1438170e83444480efdaeee7aafd.exe
rulename: 修改内存地址为可读可写可执行
attck_tactics: 基础信息获取
level: 1
matchedinfo: 恶意程序会通过收集电脑配置信息来进行信息的统计
num: 9559
process_id: 2428
process_name: 1619141412554_962c1438170e83444480efdaeee7aafd.exe
rulename: 系统配置信息收集
attck_tactics: 基础信息获取
level: 1
matchedinfo: 恶意程序通过获取用户磁盘信息的方式,以达到获取敏感信息的目的
num: 9732
process_id: 2428
process_name: 1619141412554_962c1438170e83444480efdaeee7aafd.exe
rulename: 收集磁盘信息
attck_tactics: 其他恶意行为
level: 1
matchedinfo: 一般被用于文件的加密、数据的加密传输或可能被用于勒索者病毒中
num: 12348
process_id: 2428
process_name: 1619141412554_962c1438170e83444480efdaeee7aafd.exe
rulename: 调用加密算法库
attck_tactics: 持久化
level: 2
matchedinfo: 恶意程序通过修改注册表的方式实现随系统自启动,以达到长期控制或驻留系统的目的
num: 14512
process_id: 2428
process_name: 1619141412554_962c1438170e83444480efdaeee7aafd.exe
rulename: 写入自启动注册表,增加自启动2
attck_tactics: 基础信息获取
level: 1
matchedinfo: 通过遍历系统中进程,可以用于特定杀软逃逸、虚拟机逃逸等
num: 14515
process_id: 2428
process_name: 1619141412554_962c1438170e83444480efdaeee7aafd.exe
rulename: 遍历系统中的进程
attck_tactics: 基础信息获取
level: 1
matchedinfo: 恶意程序通过调用关键api的获取系统的用户名,以达到收集用户信息的目的
num: 14610
process_id: 2428
process_name: 1619141412554_962c1438170e83444480efdaeee7aafd.exe
rulename: 获取当前用户名
attck_tactics: 其他恶意行为
level: 1
matchedinfo: 恶意程序通过创建网络连接的方式,以达到通过网络连接进行通信的目的
num: 14739
process_id: 2428
process_name: 1619141412554_962c1438170e83444480efdaeee7aafd.exe
rulename: 创建网络套接字连接