VirSCAN VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, Aplikace VirSCAN může skenovat komprimované soubory s heslem 'infected'nebo'virus'.
4, If your browser cannot upload files, please download VirSCAN uploader to upload.

Language
Server load
Server Load
VirSCAN
VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, Aplikace VirSCAN může skenovat komprimované soubory s heslem 'infected'nebo'virus'.

Basic Information

file name: 00锦绣未央
file size: 18933111
file type: application/x-dosexec
MD5: bae4a20ab703b5417d394ccb815a3d61
sha1: 0b03f28c0d40275eacfba227cdd4f40f1296d698

 CreateProcess

ApplicationName: C:\Windows\svchost.exe
CmdLine: "C:\Windows\svchost.exe"
childid: 160
childname: svchost.exe
childpath: C:\Windows\svchost.exe
drop_type:
name: 1618819251074_bae4a20ab703b5417d394ccb815a3d61.exe
noNeedLine: 1
path: C:\Users\Administrator\AppData\Local\Temp\1618819251074_bae4a20ab703b5417d394ccb815a3d61.exe
pid: 960
ApplicationName:
CmdLine:
childid: 960
childname: 1618819251074_bae4a20ab703b5417d394ccb815a3d61.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1618819251074_bae4a20ab703b5417d394ccb815a3d61.exe
drop_type:
name:
noNeedLine:
path:
pid: 252

 Summary

buffer: 0
processid: 960
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system
type: REG_DWORD
valuename: EnableLUA
buffer: C:\Users\Administrator\AppData\Local\Temp\1618819251074_bae4a20ab703b5417d394ccb815a3d61.exe
processid: 960
szSubkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
type: REG_SZ
valuename: svchost
buffer: C:\Users\Administrator\AppData\Local\Temp\1618819251074_bae4a20ab703b5417d394ccb815a3d61.exe
processid: 960
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
type: REG_SZ
valuename: Run
buffer: C:\Users\Administrator\AppData\Local\Temp\1618819251074_bae4a20ab703b5417d394ccb815a3d61.exe
processid: 960
szSubkey: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
type: REG_SZ
valuename: Load
buffer: C:\Users\Administrator\AppData\Local\Temp\1618819251074_bae4a20ab703b5417d394ccb815a3d61.exe
processid: 960
szSubkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe
type: REG_SZ
valuename: Debugger
buffer: C:\Users\Administrator\AppData\Local\Temp\1618819251074_bae4a20ab703b5417d394ccb815a3d61.exe
processid: 960
szSubkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe
type: REG_SZ
valuename: Debugger
buffer: C:\Users\Administrator\AppData\Local\Temp\1618819251074_bae4a20ab703b5417d394ccb815a3d61.exe
processid: 960
szSubkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCTray.exe
type: REG_SZ
valuename: Debugger
buffer: C:\Users\Administrator\AppData\Local\Temp\1618819251074_bae4a20ab703b5417d394ccb815a3d61.exe
processid: 960
szSubkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
type: REG_SZ
valuename: Debugger
buffer: C:\Users\Administrator\AppData\Local\Temp\1618819251074_bae4a20ab703b5417d394ccb815a3d61.exe
processid: 960
szSubkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Tray.exe
type: REG_SZ
valuename: Debugger
buffer: C:\Users\Administrator\AppData\Local\Temp\1618819251074_bae4a20ab703b5417d394ccb815a3d61.exe
processid: 960
szSubkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
type: REG_SZ
valuename: Debugger

 Malicious

attck_tactics: 防御逃逸
level: 2
matchedinfo: 检查程序运行时监视鼠标是否移动。一般被恶意软件用于沙盒逃逸
num: 16
process_id: 960
process_name: 1618819251074_bae4a20ab703b5417d394ccb815a3d61.exe
rulename: 获取当前鼠标位置
attck_tactics: 基础信息获取
level: 1
matchedinfo: 通过文件遍历查找指定目标文件
num: 43
process_id: 960
process_name: 1618819251074_bae4a20ab703b5417d394ccb815a3d61.exe
rulename: 遍历文件
attck_tactics: 持久化
level: 2
matchedinfo: 恶意程序通过修改注册表的方式实现随系统自启动,以达到长期控制或驻留系统的目的
num: 50
process_id: 960
process_name: 1618819251074_bae4a20ab703b5417d394ccb815a3d61.exe
rulename: 写入自启动注册表,增加自启动2
attck_tactics: 持久化
level: 3
matchedinfo: 恶意程序通过修改注册表的方式实现随系统自启动,以达到长期控制或驻留系统的目的
num: 53
process_id: 960
process_name: 1618819251074_bae4a20ab703b5417d394ccb815a3d61.exe
rulename: 写入自启动注册表,增加自启动1
attck_tactics: 防御逃逸
level: 2
matchedinfo: 恶意程序通过拷贝文件到系统目录的方式,以达到隐藏恶意文件的目的
num: 85
process_id: 960
process_name: 1618819251074_bae4a20ab703b5417d394ccb815a3d61.exe
rulename: 拷贝文件到系统目录
attck_tactics: 防御逃逸
level: 4
matchedinfo: 通过创建特殊进程名字的进程假装成正常程序,以达到混淆视听欺骗用户的目的
num: 436
process_id: 960
process_name: 1618819251074_bae4a20ab703b5417d394ccb815a3d61.exe
rulename: 创建伪装进程
attck_tactics: 基础信息获取
level: 1
matchedinfo: 恶意程序通过获取用户磁盘信息的方式,以达到获取敏感信息的目的
num: 439
process_id: 960
process_name: 1618819251074_bae4a20ab703b5417d394ccb815a3d61.exe
rulename: 收集磁盘信息