VirSCAN VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, Aplikace VirSCAN může skenovat komprimované soubory s heslem 'infected'nebo'virus'.
4, If your browser cannot upload files, please download VirSCAN uploader to upload.

Language
Server load
Server Load
VirSCAN
VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, Aplikace VirSCAN může skenovat komprimované soubory s heslem 'infected'nebo'virus'.

Basic Information

file name: 00道君
file size: 1122315
file type: application/x-dosexec
MD5: 782377cb6acd93187551710226e8d65f
sha1: 4f6ea274a5c70a50873bae6de1709167a680a3a4

 CreateProcess

ApplicationName:
CmdLine: C:\Users\ADMINI~1\AppData\Local\Temp\.1618605017083_782377cb6acd93187551710226e8d65f.exe
childid: 2860
childname: .1618605017083_782377cb6acd93187551710226e8d65f.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\.1618605017083_782377cb6acd93187551710226e8d65f.exe
drop_type:
name: 1618605017083_782377cb6acd93187551710226e8d65f.exe
noNeedLine: 1
path: C:\Users\Administrator\AppData\Local\Temp\1618605017083_782377cb6acd93187551710226e8d65f.exe
pid: 2232
ApplicationName:
CmdLine: explorer.exe "tencent://groupwpa/?subcmd=all¶m=7b2267726f757055696e223a3235393537303731392c2274696d655374616d70223a313538333636373633372c22617574684b6579223a22397a704b666673384d746f6a534d313249344b4a51346f77514e4a74733965537443666e6138666f5a4f55695330394e3756764b62673d3d227d"
childid: 2584
childname: explorer.exe
childpath: C:\Windows\SysWOW64\explorer.exe
drop_type:
name: 1618605017083_782377cb6acd93187551710226e8d65f.exe
noNeedLine:
path: C:\Users\Administrator\AppData\Local\Temp\1618605017083_782377cb6acd93187551710226e8d65f.exe
pid: 2232
ApplicationName:
CmdLine:
childid: 2232
childname: 1618605017083_782377cb6acd93187551710226e8d65f.exe
childpath: C:\Users\Administrator\AppData\Local\Temp\1618605017083_782377cb6acd93187551710226e8d65f.exe
drop_type:
name:
noNeedLine:
path:
pid: 3048
ApplicationName:
CmdLine:
childid: 592
childname: svchost.exe
childpath: C:\Windows\System32\svchost.exe
drop_type:
name:
noNeedLine:
path:
pid: 456
ApplicationName:
CmdLine:
childid: 2408
childname: explorer.exe
childpath: C:\Windows\explorer.exe
drop_type:
name: svchost.exe
noNeedLine:
path: C:\Windows\System32\svchost.exe
pid: 592

 Behavior_analysis

message: 企图通过长时间休眠躲避沙箱检测
name: 长时间休眠
szSubkey:
score: 2

 Malicious

attck_tactics: 防御逃逸
level: 2
matchedinfo: 检查程序运行时监视鼠标是否移动。一般被恶意软件用于沙盒逃逸
num: 1
process_id: 2232
process_name: 1618605017083_782377cb6acd93187551710226e8d65f.exe
rulename: 获取当前鼠标位置
attck_tactics: 防御逃逸
level: 2
matchedinfo: 恶意程序通过从资源段释放文件并运行的方式,以达到隐藏恶意代码的目的
num: 27
process_id: 2232
process_name: 1618605017083_782377cb6acd93187551710226e8d65f.exe
rulename: 从资源段释放文件并运行
attck_tactics: 基础信息获取
level: 1
matchedinfo: 通过文件遍历查找指定目标文件
num: 315
process_id: 2232
process_name: 1618605017083_782377cb6acd93187551710226e8d65f.exe
rulename: 遍历文件
attck_tactics: 防御逃逸
level: 2
matchedinfo: 检查程序运行时监视鼠标是否移动。一般被恶意软件用于沙盒逃逸
num: 15
process_id: 2860
process_name: .1618605017083_782377cb6acd93187551710226e8d65f.exe
rulename: 获取当前鼠标位置
attck_tactics: 其他恶意行为
level: 2
matchedinfo: 恶意程序通过从资源段释放资源到内存中,进行解密操作
num: 53
process_id: 2860
process_name: .1618605017083_782377cb6acd93187551710226e8d65f.exe
rulename: 加载资源到内存
attck_tactics: 基础信息获取
level: 1
matchedinfo: 通过文件遍历查找指定目标文件
num: 297
process_id: 2860
process_name: .1618605017083_782377cb6acd93187551710226e8d65f.exe
rulename: 遍历文件
attck_tactics: 其他恶意行为
level: 1
matchedinfo: 恶意软件通过修改内存属性,以达到在内存中解密&执行恶意代码
num: 307
process_id: 2860
process_name: .1618605017083_782377cb6acd93187551710226e8d65f.exe
rulename: 修改内存地址为可读可写可执行
attck_tactics: 其他恶意行为
level: 1
matchedinfo: 一般被用于文件的加密、数据的加密传输或可能被用于勒索者病毒中
num: 398
process_id: 2408
process_name: explorer.exe
rulename: 调用加密算法库
attck_tactics: 其他恶意行为
level: 2
matchedinfo: 恶意程序通过从资源段释放资源到内存中,进行解密操作
num: 914
process_id: 2408
process_name: explorer.exe
rulename: 加载资源到内存
attck_tactics: 其他恶意行为
level: 1
matchedinfo: 恶意软件通过修改内存属性,以达到在内存中解密&执行恶意代码
num: 1006
process_id: 2408
process_name: explorer.exe
rulename: 修改内存地址为可读可写可执行