VirSCAN

File information
Security score: 55
Basic information
MD5: 75809e1ada75564c40cee173d412e2b8
File type: EXE
Vendor:
Version: 1.0.1.49 --- 1, 0, 1, 49
Packer/compiler info: COMPILER:PE+(64)
Sub-file info: 0101dumpFile / abcadd2799685a284eeb3a68e8076762 / DLL
Key behaviours
Behaviour: cross-process memory write
Details: TargetProcess = 360se.exe, WriteAddress = 0x0000000001D20000, Size = 0x00000004
Behaviour: drops a sensitive file in a system directory
Details: C:\Windows\System32\zh-CN\nCXS.exe.mui
Behaviour: reads the TickCount value
Behaviour: looks up PE resource information
Details: (FindResourceExA) hModule = 0x3BC60000, ResName: , ResType: BIN
Behaviour: creates a system service
Details: [service created successfully]: ewfhlbi, C:\windows\system32\BJBcaqv.sys
[service created successfully]: dvegkac, C:\windows\system32\EoSNcof.sys
Behaviour: detects a virtual machine by file lookup
Details: FindFirstFileEx: FileName = C:\Program Files\Oracle\VirtualBox Guest Additions\*.*
Process behaviour
Behaviour: creates a process with a hidden window
Details: ImagePath = , CmdLine = C:\Windows\run.bat
ImagePath = , CmdLine = C:\Users\Administrator\AppData\Roaming\temp\PPcUjz.exe
Behaviour: cross-process memory write
Details: TargetProcess = 360se.exe, WriteAddress = 0x0000000001D20000, Size = 0x00000004
Behaviour: creates a local thread
Behaviour: creates a process from a newly created file
Details: [0x00000c20]ImagePath = C:\Users\Administrator\AppData\Roaming\temp\PPcUjz.exe, CmdLine = C:\Users\Administrator\AppData\Roaming\temp\PPcUjz.exe
Behaviour: creates a process
Details: [0x00000c68]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = C:\Windows\system32\cmd.exe /c C:\Windows\run.bat
[0x000005cc]ImagePath = C:\Windows\System32\conhost.exe, CmdLine = \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[0x00000520]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = C:\Windows\system32\cmd.exe /c dir "C:\Users\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\*.default" /B
[0x00000bdc]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = C:\Windows\system32\cmd.exe /c dir "C:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\*.default" /B
File behaviour
Behaviour: creates a file
Details: C:\Users\Administrator\AppData\Local\Temp\wxdlold.tmp
C:\Users\Administrator\AppData\Local\Temp\kdnqvm.tmp
C:\Windows\run.bat
C:\Users\Administrator\AppData\Roaming\temp\PPcUjzold.exe
C:\Users\Administrator\AppData\Roaming\temp\PPcUjz.exe
C:\Users\Administrator\AppData\Roaming\temp\SidStmold.exe
C:\Users\Administrator\AppData\Roaming\temp\SidStm.exe
C:\Users\Administrator\AppData\Roaming\temp\AkRmPNold.exe
C:\Users\Administrator\AppData\Roaming\Tncent2\QQ\wxlg.tmp
C:\Users\Administrator\AppData\Roaming\Tncent2\QQ\wxgg.tmp
C:\Users\Administrator\AppData\Roaming\Tncent2\QQ\config.ini
C:\Users\Administrator\AppData\Roaming\temp\sm7pLn.tmp
C:\Users\Administrator\AppData\Roaming\temp\tqonre.exe
C:\Windows\System32\nCXS.exe
C:\Users\Administrator\AppData\Roaming\temp\wxpp32.tmp
Behaviour: creates an executable file
Details: C:\Users\Administrator\AppData\Local\Temp\wxdlold.tmp
C:\Users\Administrator\AppData\Local\Temp\kdnqvm.tmp
C:\Users\Administrator\AppData\Roaming\temp\PPcUjzold.exe
C:\Users\Administrator\AppData\Roaming\temp\PPcUjz.exe
C:\Users\Administrator\AppData\Roaming\temp\SidStmold.exe
C:\Users\Administrator\AppData\Roaming\temp\SidStm.exe
C:\Users\Administrator\AppData\Roaming\temp\AkRmPNold.exe
C:\Users\Administrator\AppData\Roaming\Tncent2\QQ\wxlg.tmp
C:\Users\Administrator\AppData\Roaming\Tncent2\QQ\wxgg.tmp
C:\Users\Administrator\AppData\Roaming\temp\sm7pLn.tmp
C:\Users\Administrator\AppData\Roaming\temp\tqonre.exe
C:\Windows\System32\nCXS.exe
C:\Windows\System32\zh-CN\nCXS.exe.mui
C:\Users\Administrator\AppData\Roaming\temp\wxpp32.tmp
C:\Users\Administrator\AppData\Roaming\temp\unhk.tmp
Behaviour: deletes a file
Details: C:\Users\Administrator\AppData\Local\Temp\wxdlold.tmp
C:\Users\Administrator\AppData\Roaming\temp\PPcUjzold.exe
C:\Users\Administrator\AppData\Roaming\temp\SidStmold.exe
C:\Users\Administrator\AppData\Roaming\temp\sm7pLn.tmp
C:\Windows\run.bat
C:\Windows\System32\EoSNcof.sys
Behaviour: modifies a script file
Details: C:\Windows\run.bat ---> Offset = 0
C:\Windows\run.bat ---> Offset = 4096
Behaviour: searches for files
Details: FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\/*.*
FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\/*.*
FileName = C:\Users
FileName = C:\Users\Administrator
FileName = C:\Users\Administrator\AppData
FileName = C:\Users\Administrator\AppData\Local
FileName = C:\Users\Administrator\AppData\Local\Temp
FileName = C:\Users\Administrator\AppData\Local\%temp%
FileName = C:\Windows\run.bat
FileName = C:\Windows
FileName = C:\Users\Administrator\Local Settings\Temporary Internet Files\*.gif
FileName = C:\Users\Administrator\Local Settings\Temporary Internet Files\*
FileName = C:\Users\Administrator\Local Settings\Temporary Internet Files\*.png
FileName = C:\Users\Administrator\Local Settings\Temporary Internet Files\*.jpg
FileName = C:\Users\Administrator\Local Settings\Temporary Internet Files\*.html
Behaviour: drops a sensitive file in a system directory
Details: C:\Windows\System32\zh-CN\nCXS.exe.mui
Behaviour: copies a file
Details: C:\Windows\System32\cmd.exe ---> C:\Windows\System32\nCXS.exe
C:\Windows\System32\zh-CN\cmd.exe.mui ---> C:\Windows\System32\zh-CN\nCXS.exe.mui
Behaviour: renames a file
Details: C:\Users\Administrator\AppData\Roaming\temp\AkRmPNold.exe ---> C:\Users\Administrator\AppData\Roaming\temp\AkRmPN.exe
Behaviour: modifies file contents
Details: C:\Users\Administrator\AppData\Local\Temp\wxdlold.tmp ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\wxdlold.tmp ---> Offset = 11972608
C:\Users\Administrator\AppData\Local\Temp\kdnqvm.tmp ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\kdnqvm.tmp ---> Offset = 11972608
C:\Users\Administrator\AppData\Local\Temp\kdnqvm.tmp ---> Offset = 11976704
C:\Users\Administrator\AppData\Local\Temp\kdnqvm.tmp ---> Offset = 12029952
C:\Users\Administrator\AppData\Roaming\temp\PPcUjzold.exe ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\temp\PPcUjzold.exe ---> Offset = 53248
C:\Users\Administrator\AppData\Roaming\temp\PPcUjz.exe ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\temp\PPcUjz.exe ---> Offset = 53248
C:\Users\Administrator\AppData\Roaming\temp\PPcUjz.exe ---> Offset = 57344
C:\Users\Administrator\AppData\Roaming\temp\PPcUjz.exe ---> Offset = 131072
C:\Users\Administrator\AppData\Roaming\temp\SidStmold.exe ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\temp\SidStmold.exe ---> Offset = 40960
C:\Users\Administrator\AppData\Roaming\temp\SidStm.exe ---> Offset = 0
Network behaviour
Behaviour: opens a URL over the network
Details: InternetOpenUrlA: http://ap****cn/short_url/shorten.xml?source=3271760578&url_long=https://www.2345.com/?kb0987p, hInternet = 0x00cc0004, Flags = 0x80000000
InternetOpenUrlA: http://ap****cn/short_url/shorten.json?source=3271760578&url_long=https://www.2345.com/?kb0987p, hInternet = 0x00cc0004, Flags = 0x80000000
Behaviour: opens an HTTP connection
Details: InternetOpenA: UserAgent: WinInet, hSession = 0x00cc0004
Behaviour: resolves a host address by name
Details: GetAddrInfoW: ap****cn
Registry behaviour
Behaviour: modifies the registry
Details: \REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State
\REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\CertificateRevocation
\REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonBadCertRecving
\REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1609
\REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1609
\REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1609
\REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1609
\REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DontShowUI
\REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Behaviour: deletes a registry value
Details: \REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
\REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect
Behaviour: modifies the registry (Group Policy)
Details: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\DisableDeleteBrowsingHistory
Behaviour: deletes a registry key
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ewfhlbi\
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dvegkac\
Other behaviour
Behaviour: checks whether it is being debugged
Details: IsDebuggerPresent
Behaviour: creates a mutex
Details: e8699a53be2cc5b4a87fb43728403d6e
Local\SessionImmersiveColorMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
DBWinMutex
Behaviour: hides a specified window
Details: [Window,Class] = [C:\Windows\system32\cmd.exe,ConsoleWindowClass]
[Window,Class] = [C:\Windows\System32\VBoxService.exe,ConsoleWindowClass]
[Window,Class] = [,ATL:00002C49]
Behaviour: searches for a specified window
Details: FindWindowA: [Class,Window] = [,MsgDebugView]
FindWindowExA: [Class,Window] = [Progman,]
FindWindowExA: [Class,Window] = [SHELLDLL_DefView,]
FindWindowExA: [Class,Window] = [SysListView32,]
FindWindowExA: [Class,Window] = [Shell_TrayWnd,]
Behaviour: starts a system service
Details: [service start failed]: NT AUTHORITY\LocalService, Base Filtering Engine, C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
[service started successfully]: , ewfhlbi, \??\C:\windows\system32\BJBcaqv.sys
[service start failed]: , dvegkac, \??\C:\windows\system32\EoSNcof.sys
Behaviour: reads the TickCount value
Behaviour: reads the cursor position
Behaviour: opens an event
Details: \SECURITY\LSA_AUTHENTICATION_INITIALIZED
\KernelObjects\MaximumCommitCondition
Global\TermSrvReadyEvent
Global\SvcctrlStartEvent_A3752DX
Behaviour: looks up PE resource information
Details: (FindResourceExA) hModule = 0x3BC60000, ResName: , ResType: BIN
Behaviour: adjusts process token privileges
Details: SE_DEBUG_PRIVILEGE
SE_INC_WORKING_SET_PRIVILEGE
Behaviour: executable signature information
Details: C:\Users\Administrator\AppData\Local\Temp\wxdlold.tmp (signature check: failed)
C:\Users\Administrator\AppData\Local\Temp\kdnqvm.tmp (signature check: failed)
C:\Users\Administrator\AppData\Roaming\temp\PPcUjzold.exe (signature check: failed)
C:\Users\Administrator\AppData\Roaming\temp\PPcUjz.exe (signature check: failed)
C:\Users\Administrator\AppData\Roaming\temp\SidStmold.exe (signature check: failed)
C:\Users\Administrator\AppData\Roaming\temp\SidStm.exe (signature check: failed)
C:\Users\Administrator\AppData\Roaming\temp\AkRmPNold.exe (signature check: failed)
C:\Users\Administrator\AppData\Roaming\Tncent2\QQ\wxlg.tmp (signature check: failed)
C:\Users\Administrator\AppData\Roaming\Tncent2\QQ\wxgg.tmp (signature check: failed)
C:\Users\Administrator\AppData\Roaming\temp\sm7pLn.tmp (signature check: failed)
C:\Users\Administrator\AppData\Roaming\temp\tqonre.exe (signature check: failed)
C:\Windows\System32\nCXS.exe (signature check: passed)
C:\Windows\System32\zh-CN\nCXS.exe.mui (signature check: passed)
C:\Users\Administrator\AppData\Roaming\temp\wxpp32.tmp (signature check: failed)
C:\Users\Administrator\AppData\Roaming\temp\unhk.tmp (signature check: failed)
Behaviour: calls the Sleep function
Behaviour: MD5 of executable files
Behaviour: opens a mutex
Details: Local\ShimViewer
WxproRunOnlyOnce
EAC6EC00-55BE-046F-0237-BD56F8C0AADF5DB-7320-F640-EB55
Local\MSCTF.Asm.MutexDefault1S-1-5-21-1170589654-2814428265-349930785-500
CicLoadWinStaWinSta0
Local\MSCTF.CtfMonitorInstMutexDefault1
Local\MSCTF.Asm.MutexDefault0S-1-5-18
CicLoadWinStaService-0x0-3e7$
Behaviour: creates a system service
Details: [service created successfully]: ewfhlbi, C:\windows\system32\BJBcaqv.sys
[service created successfully]: dvegkac, C:\windows\system32\EoSNcof.sys
Behaviour: loads a newly dropped file
Details: Image: C:\Users\ADMINI~1\AppData\Local\Temp\kdnqvm.tmp.
Behaviour: detects a virtual machine by file lookup
Details: FindFirstFileEx: FileName = C:\Program Files\Oracle\VirtualBox Guest Additions\*.*