VirSCAN


File information
Security score: 76
Basic information
MD5: 0b1b08f67c98ff79a97e222677be9cd0
File type: EXE
Company: pwnGwBm Inc
Version: 3.1.7.6---3.1.7.6
Packer / compiler information: COMPILER:Microsoft Visual C# / Basic .NET
Key actions
Behaviour: Cross-process memory write
Details: TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x00400000, Size = 0x00000200 TargetPID = 0x00000b48
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x004e4000, Size = 0x0005b800 TargetPID = 0x00000b48
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x00540000, Size = 0x00000200 TargetPID = 0x00000b48
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x7ffde008, Size = 0x00000004 TargetPID = 0x00000b48
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x00400000, Size = 0x00000200 TargetPID = 0x00000bd0
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x004e4000, Size = 0x0005b800 TargetPID = 0x00000bd0
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x00540000, Size = 0x00000200 TargetPID = 0x00000bd0
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x7ffd4008, Size = 0x00000004 TargetPID = 0x00000bd0
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x00400000, Size = 0x00000200 TargetPID = 0x00000c98
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x004e4000, Size = 0x0005b800 TargetPID = 0x00000c98
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x00540000, Size = 0x00000200 TargetPID = 0x00000c98
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x7ffd3008, Size = 0x00000004 TargetPID = 0x00000c98
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x00400000, Size = 0x00000200 TargetPID = 0x00000d34
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x004e4000, Size = 0x0005b800 TargetPID = 0x00000d34
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x00540000, Size = 0x00000200 TargetPID = 0x00000d34
Behaviour: Sets thread context
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
C:\minie\minie.exe
Behaviour: Cross-process write into a code section
Details: TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x00402000, Size = 0x000e0e00 TargetPID = 0x00000b48
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x00402000, Size = 0x000e0e00 TargetPID = 0x00000bd0
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x00402000, Size = 0x000e0e00 TargetPID = 0x00000c98
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x00402000, Size = 0x000e0e00 TargetPID = 0x00000d34
TargetProcess = C:\minie\minie.exe, WriteAddress = 0x00402000, Size = 0x000e0e00 TargetPID = 0x00000d58
TargetProcess = C:\minie\minie.exe, WriteAddress = 0x00402000, Size = 0x000e0e00 TargetPID = 0x00000d9c
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x00402000, Size = 0x000e0e00 TargetPID = 0x00000ddc
TargetProcess = C:\minie\minie.exe, WriteAddress = 0x00402000, Size = 0x000e0e00 TargetPID = 0x00000df0
TargetProcess = C:\minie\minie.exe, WriteAddress = 0x00402000, Size = 0x000e0e00 TargetPID = 0x00000e24
TargetProcess = C:\minie\minie.exe, WriteAddress = 0x00402000, Size = 0x000e0e00 TargetPID = 0x00000e58
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x00402000, Size = 0x000e0e00 TargetPID = 0x00000e60
TargetProcess = C:\minie\minie.exe, WriteAddress = 0x00402000, Size = 0x000e0e00 TargetPID = 0x00000e9c
TargetProcess = C:\minie\minie.exe, WriteAddress = 0x00402000, Size = 0x000e0e00 TargetPID = 0x00000ee8
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x00402000, Size = 0x000e0e00 TargetPID = 0x00000efc
TargetProcess = C:\minie\minie.exe, WriteAddress = 0x00402000, Size = 0x000e0e00 TargetPID = 0x00000f14
Behaviour: Sets special file attributes
Details: C:\minie\minie.exe
Behaviour: Reads the TickCount value
Details: TickCount = 230359, SleepMilliseconds = 10000.
TickCount = 230500, SleepMilliseconds = 10000.
TickCount = 230671, SleepMilliseconds = 10000.
TickCount = 230687, SleepMilliseconds = 10000.
TickCount = 223046, SleepMilliseconds = 2000.
TickCount = 223140, SleepMilliseconds = 2000.
TickCount = 223156, SleepMilliseconds = 2000.
TickCount = 223187, SleepMilliseconds = 2000.
TickCount = 223203, SleepMilliseconds = 2000.
TickCount = 223234, SleepMilliseconds = 2000.
TickCount = 223296, SleepMilliseconds = 2000.
TickCount = 223484, SleepMilliseconds = 2000.
TickCount = 223828, SleepMilliseconds = 2000.
TickCount = 224171, SleepMilliseconds = 2000.
TickCount = 224187, SleepMilliseconds = 2000.
Behaviour: Reads the CPU clock directly
Process behaviour
Behaviour: Creates a process with a hidden window
Details: ImagePath = C:\WINDOWS\system32\schtasks.exe, CmdLine = "C:\WINDOWS\system32\schtasks.exe" /Create /TN "Update\audio" /XML "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\z95"
ImagePath = , CmdLine = "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Documents and Settings\Administrator\Local Settings\Temp\fsuuy8md.cmdline"
ImagePath = , CmdLine = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RES4.tmp" "c:\Documents and Settings\Administrator\Local Settings\Temp\CSC3.tmp"
ImagePath = , CmdLine = "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Documents and Settings\Administrator\Local Settings\Temp\fncvd7f-.cmdline"
ImagePath = , CmdLine = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RES6.tmp" "c:\Documents and Settings\Administrator\Local Settings\Temp\CSC5.tmp"
ImagePath = , CmdLine = "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Documents and Settings\Administrator\Local Settings\Temp\dzju8sva.cmdline"
ImagePath = , CmdLine = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RES8.tmp" "c:\Documents and Settings\Administrator\Local Settings\Temp\CSC7.tmp"
ImagePath = C:\WINDOWS\system32\schtasks.exe, CmdLine = "C:\WINDOWS\system32\schtasks.exe" /Create /TN "Update\audio" /XML "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\z662"
ImagePath = , CmdLine = "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Documents and Settings\Administrator\Local Settings\Temp\i0nd1pmr.cmdline"
ImagePath = , CmdLine = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RESA.tmp" "c:\Documents and Settings\Administrator\Local Settings\Temp\CSC9.tmp"
ImagePath = , CmdLine = "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Documents and Settings\Administrator\Local Settings\Temp\l7vawmoe.cmdline"
ImagePath = , CmdLine = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RESC.tmp" "c:\Documents and Settings\Administrator\Local Settings\Temp\CSCB.tmp"
ImagePath = , CmdLine = "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Documents and Settings\Administrator\Local Settings\Temp\xlagyyiy.cmdline"
ImagePath = , CmdLine = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RESE.tmp" "c:\Documents and Settings\Administrator\Local Settings\Temp\CSCD.tmp"
ImagePath = , CmdLine = "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Documents and Settings\Administrator\Local Settings\Temp\07zr4th9.cmdline"
Behaviour: Creates local threads
Details: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2632, ThreadID = 2668, StartAddress = 79F0237F, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2632, ThreadID = 2672, StartAddress = 79F91FCF, Parameter = 00195778
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2632, ThreadID = 2772, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2632, ThreadID = 2836, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2632, ThreadID = 2876, StartAddress = 77E56C7D, Parameter = 001E9FA0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2632, ThreadID = 2880, StartAddress = 769AE43B, Parameter = 001ECDB0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2632, ThreadID = 2884, StartAddress = 79F91FCF, Parameter = 001C5750
TargetProcess: %temp%\****.exe, InheritedFromPID = 2632, ProcessID = 2888, ThreadID = 2904, StartAddress = 79F0237F, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2632, ProcessID = 2888, ThreadID = 2908, StartAddress = 79F91FCF, Parameter = 00195778
TargetProcess: %temp%\****.exe, InheritedFromPID = 2632, ProcessID = 2888, ThreadID = 2960, StartAddress = 77E56C7D, Parameter = 001CF060
TargetProcess: %temp%\****.exe, InheritedFromPID = 2632, ProcessID = 2888, ThreadID = 2964, StartAddress = 769AE43B, Parameter = 001C41E8
TargetProcess: %temp%\****.exe, InheritedFromPID = 2632, ProcessID = 2888, ThreadID = 2984, StartAddress = 79FDA29C, Parameter = 00000000
TargetProcess: minie.exe, InheritedFromPID = 2888, ProcessID = 2976, ThreadID = 3004, StartAddress = 792A741C, Parameter = 00000000
TargetProcess: minie.exe, InheritedFromPID = 2888, ProcessID = 2976, ThreadID = 3008, StartAddress = 791F59C0, Parameter = 0018F348
TargetProcess: %temp%\****.exe, InheritedFromPID = 2632, ProcessID = 3024, ThreadID = 3032, StartAddress = 79F0237F, Parameter = 00000000
Behaviour: Creates processes
Details: [0x00000b34]ImagePath = C:\WINDOWS\system32\schtasks.exe, CmdLine = "C:\WINDOWS\system32\schtasks.exe" /Create /TN "Update\audio" /XML "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\z95"
[0x00000b48]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe"
[0x00000b60]ImagePath = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe, CmdLine = "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Documents and Settings\Administrator\Local Settings\Temp\fsuuy8md.cmdline"
[0x00000b80]ImagePath = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe, CmdLine = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RES4.tmp" "c:\Documents and Settings\Administrator\Local Settings\Temp\CSC3.tmp"
[0x00000bd0]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe"
[0x00000c34]ImagePath = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe, CmdLine = "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Documents and Settings\Administrator\Local Settings\Temp\fncvd7f-.cmdline"
[0x00000c68]ImagePath = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe, CmdLine = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RES6.tmp" "c:\Documents and Settings\Administrator\Local Settings\Temp\CSC5.tmp"
[0x00000c98]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe"
[0x00000cf8]ImagePath = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe, CmdLine = "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Documents and Settings\Administrator\Local Settings\Temp\dzju8sva.cmdline"
[0x00000d00]ImagePath = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe, CmdLine = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RES8.tmp" "c:\Documents and Settings\Administrator\Local Settings\Temp\CSC7.tmp"
[0x00000d34]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe"
[0x00000d40]ImagePath = C:\WINDOWS\system32\schtasks.exe, CmdLine = "C:\WINDOWS\system32\schtasks.exe" /Create /TN "Update\audio" /XML "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\z662"
[0x00000d84]ImagePath = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe, CmdLine = "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Documents and Settings\Administrator\Local Settings\Temp\i0nd1pmr.cmdline"
[0x00000d94]ImagePath = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe, CmdLine = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RESA.tmp" "c:\Documents and Settings\Administrator\Local Settings\Temp\CSC9.tmp"
[0x00000ddc]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe"
Behaviour: Creates a process from a newly created file
Details: [0x00000ba0]ImagePath = C:\minie\minie.exe, CmdLine = "c:\minie\minie.exe"
[0x00000d58]ImagePath = C:\minie\minie.exe, CmdLine = "c:\minie\minie.exe"
[0x00000d9c]ImagePath = C:\minie\minie.exe, CmdLine = "c:\minie\minie.exe"
[0x00000df0]ImagePath = C:\minie\minie.exe, CmdLine = "c:\minie\minie.exe"
[0x00000e24]ImagePath = C:\minie\minie.exe, CmdLine = "c:\minie\minie.exe"
[0x00000e58]ImagePath = C:\minie\minie.exe, CmdLine = "c:\minie\minie.exe"
[0x00000e9c]ImagePath = C:\minie\minie.exe, CmdLine = "c:\minie\minie.exe"
[0x00000ee8]ImagePath = C:\minie\minie.exe, CmdLine = "c:\minie\minie.exe"
[0x00000f14]ImagePath = C:\minie\minie.exe, CmdLine = "c:\minie\minie.exe"
[0x00000f54]ImagePath = C:\minie\minie.exe, CmdLine = "c:\minie\minie.exe"
[0x00000fa4]ImagePath = C:\minie\minie.exe, CmdLine = "c:\minie\minie.exe"
[0x00000fc4]ImagePath = C:\minie\minie.exe, CmdLine = "c:\minie\minie.exe"
[0x00000788]ImagePath = C:\minie\minie.exe, CmdLine = "c:\minie\minie.exe"
Behaviour: Enumerates processes
Details: N/A
File behaviour
Behaviour: Creates files
Details: C:\Documents and Settings\Administrator\Application Data\host.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\z95
C:\Documents and Settings\Administrator\Local Settings\Temp\fsuuy8md.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\fsuuy8md.0.cs
C:\Documents and Settings\Administrator\Local Settings\Temp\fsuuy8md.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\fsuuy8md.cmdline
C:\Documents and Settings\Administrator\Local Settings\Temp\fsuuy8md.out
C:\Documents and Settings\Administrator\Local Settings\Temp\fsuuy8md.err
C:\Documents and Settings\Administrator\Local Settings\Temp\CSC3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\RES4.tmp
C:\minie\minie.exe
C:\minie\minie.exe.config
C:\Documents and Settings\Administrator\Local Settings\Temp\fncvd7f-.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\fncvd7f-.0.cs
C:\Documents and Settings\Administrator\Local Settings\Temp\fncvd7f-.dll
Behaviour: Creates executable files
Details: C:\Documents and Settings\Administrator\Application Data\host.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\fsuuy8md.dll
C:\minie\minie.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\fncvd7f-.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\dzju8sva.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\i0nd1pmr.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\l7vawmoe.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\xlagyyiy.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\07zr4th9.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\4y8nrila.dll
Behaviour: Overwrites existing files
Details: C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
C:\Documents and Settings\Administrator\Local Settings\Temp\CSC3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\RES4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\fsuuy8md.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\CSC5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\RES6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\fncvd7f-.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\CSC7.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\RES8.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\dzju8sva.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\CSC9.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\RESA.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\i0nd1pmr.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\CSCB.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\RESC.tmp
Behaviour: Copies a file
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe ---> c:\minie\minie.exe
Behaviour: Deletes files
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\z95
C:\Documents and Settings\Administrator\Local Settings\Temp\RES4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\CSC3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\fsuuy8md.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\fsuuy8md.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\fsuuy8md.cmdline
C:\Documents and Settings\Administrator\Local Settings\Temp\fsuuy8md.err
C:\Documents and Settings\Administrator\Local Settings\Temp\fsuuy8md.0.cs
C:\Documents and Settings\Administrator\Local Settings\Temp\fsuuy8md.out
C:\Documents and Settings\Administrator\Local Settings\Temp\RES6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\CSC5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\fncvd7f-.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\fncvd7f-.0.cs
C:\Documents and Settings\Administrator\Local Settings\Temp\fncvd7f-.out
C:\Documents and Settings\Administrator\Local Settings\Temp\fncvd7f-.cmdline
Behaviour: Searches for files
Details: FileName = C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
FileName = C:\WINDOWS\Microsoft.NET\Framework\\*
FileName = C:\WINDOWS
FileName = C:\WINDOWS\WinSxS
FileName = C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
FileName = C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\996E.INI
FileName = C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.INI
FileName = C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI
Behaviour: Modifies file contents
Details: C:\Documents and Settings\Administrator\Application Data\host.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\z95 ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\fsuuy8md.0.cs ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\fsuuy8md.0.cs ---> Offset = 4096
C:\Documents and Settings\Administrator\Local Settings\Temp\fsuuy8md.0.cs ---> Offset = 8192
C:\Documents and Settings\Administrator\Local Settings\Temp\fsuuy8md.0.cs ---> Offset = 12288
C:\Documents and Settings\Administrator\Local Settings\Temp\fsuuy8md.0.cs ---> Offset = 16384
C:\Documents and Settings\Administrator\Local Settings\Temp\fsuuy8md.cmdline ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\fsuuy8md.out ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\CSC3.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\RES4.tmp ---> Offset = 140
C:\Documents and Settings\Administrator\Local Settings\Temp\RES4.tmp ---> Offset = 364
C:\Documents and Settings\Administrator\Local Settings\Temp\RES4.tmp ---> Offset = 462
C:\Documents and Settings\Administrator\Local Settings\Temp\RES4.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\fsuuy8md.dll ---> Offset = 0
Registry behaviour
Behaviour: Modifies the registry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\schtasks.exe
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:\minie\minie.exe
Other behaviour
Behaviour: Checks whether it is being debugged
Details: IsDebuggerPresent
Behaviour: Creates mutexes
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
VlszwhOEnBtzvHGWWxEcGTujrj
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
7d79e5dea6204d388e5deaf63986fc2b
Behaviour: Creates event objects
Details: EventName = Global\CorDBIPCSetupSyncEvent_2632
EventName = Global\CorDBIPCSetupSyncEvent_2888
EventName = Global\CPFATE_2976_v4.0.30319
EventName = Global\CorDBIPCSetupSyncEvent_3024
EventName = Global\CorDBIPCSetupSyncEvent_3224
EventName = Global\CorDBIPCSetupSyncEvent_3380
EventName = Global\CPFATE_3416_v4.0.30319
EventName = Global\CPFATE_3484_v4.0.30319
EventName = Global\CorDBIPCSetupSyncEvent_3548
EventName = Global\CPFATE_3568_v4.0.30319
EventName = Global\CPFATE_3620_v4.0.30319
EventName = Global\CPFATE_3672_v4.0.30319
EventName = Global\CorDBIPCSetupSyncEvent_3680
EventName = Global\CPFATE_3740_v4.0.30319
EventName = Global\CPFATE_3816_v4.0.30319
Behaviour: Opens mutexes
Details: ShimCacheMutex
Global\CLR_CASOFF_MUTEX
Local\!IETld!Mutex
Behaviour: Searches for a specific window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behaviour: Window information
Details: Pid = 2976, Hwnd=0x10400, Text = File, ClassName = WindowsForms10.STATIC.app.0.2bf8098_r19_ad1.
Behaviour: Adjusts process token privileges
Details: SE_LOAD_DRIVER_PRIVILEGE
SE_DEBUG_PRIVILEGE
Behaviour: Opens events
Details: Global\CLR_PerfMon_StartEnumEvent
\KernelObjects\LowMemoryCondition
HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
_fCanRegisterWithShellService
MSFT.VSA.COM.DISABLE.2632
MSFT.VSA.IEC.STATUS.6c736db0
MSFT.VSA.COM.DISABLE.2888
MSFT.VSA.COM.DISABLE.3024
MSFT.VSA.COM.DISABLE.3224
MSFT.VSA.COM.DISABLE.2976
MSFT.VSA.COM.DISABLE.3380
MSFT.VSA.COM.DISABLE.3548
MSFT.VSA.COM.DISABLE.3680
MSFT.VSA.COM.DISABLE.3836
Behaviour: Executable signature information
Details: C:\Documents and Settings\Administrator\Application Data\host.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\fsuuy8md.dll (signature verification: failed)
C:\minie\minie.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\fncvd7f-.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\dzju8sva.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\i0nd1pmr.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\l7vawmoe.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\xlagyyiy.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\07zr4th9.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\4y8nrila.dll (signature verification: failed)
Behaviour: Calls the Sleep function
Details: [1]: MilliSeconds = 10000.
[2]: MilliSeconds = 2000.
[3]: MilliSeconds = 60000.
[4]: MilliSeconds = 60000.
[1]: MilliSeconds = 60000.
[2]: MilliSeconds = -1.
[3]: MilliSeconds = 20.
[5]: MilliSeconds = 2000.
[6]: MilliSeconds = 2000.
[7]: MilliSeconds = 2000.
[8]: MilliSeconds = 2000.
[9]: MilliSeconds = 2000.
[10]: MilliSeconds = 2000.
Behaviour: Hides a specific window
Details: [Window,Class] = [,ComboLBox]
Behaviour: Executable file MD5
Details: C:\Documents and Settings\Administrator\Application Data\host.exe ---> 0b1b08f67c98ff79a97e222677be9cd0
C:\Documents and Settings\Administrator\Local Settings\Temp\fsuuy8md.dll ---> ce27e931a5eaa0ae5cdf5f17fc1d5145
C:\minie\minie.exe ---> 0b1b08f67c98ff79a97e222677be9cd0
C:\Documents and Settings\Administrator\Local Settings\Temp\fncvd7f-.dll ---> e500046b99445ec5713e80910d691b08
C:\Documents and Settings\Administrator\Local Settings\Temp\dzju8sva.dll ---> 12c0ee3c2264342f044af43f8f41b2ef
C:\Documents and Settings\Administrator\Local Settings\Temp\i0nd1pmr.dll ---> c76e8c79b4dc386cb1a0953ea6c289e6
C:\Documents and Settings\Administrator\Local Settings\Temp\l7vawmoe.dll ---> 8c5b09f80b8cc41249ad1e74139155ad
C:\Documents and Settings\Administrator\Local Settings\Temp\xlagyyiy.dll ---> 67a1da7fe4d515592820153bbb9601c2
C:\Documents and Settings\Administrator\Local Settings\Temp\07zr4th9.dll ---> f6380b5af760f3112e0b3c5f6824df59
C:\Documents and Settings\Administrator\Local Settings\Temp\4y8nrila.dll ---> 3bd81545850c4db82cc0e2aa04842ef5
Behaviour: Imports a cryptographic key
Details: [CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x001AF5BC, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x001BD284, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x011D1BF0, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x001BF8BC, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x011F67C7, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x001D9F7C, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x001DB7AC, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x014CAB86, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x001D9A54, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x001DB284, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x001D9B64, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x001DB394, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x001B6B84, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x001C109C, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x03461BF0, DataLen: 148, Flags: 0x00000000