VirSCAN

File information
Safety rating: 11
Behavior list
Basic Information
MD5: 01781b1a5b3ee97535e60539f9268480
File type: EXE
Vendor:
Version:
Packer or compiler:
Key behavior
Behavior description:Modifies existing EXE files on the system
details:C:\222c25ed\IE8-Setup-Full\installservices.exe---> Offset = 262144
C:\Documents and Settings\Administrator\Application Data\SogouPY\SogouExplorer.exe---> Offset = 262144
C:\Documents and Settings\Administrator\Application Data\Tencent\QQ\commonf_inst\TXSSOSetup.exe---> Offset = 262144
Behavior description:Hides specified window
details:[Window,Class] = [,Shell_TrayWnd]
[Window,Class] = [Start menu,DV2ControlHost]
Behavior description:Modifies registry (startup entries)
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\HsAkIMow.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TMUsgwMU.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Behavior description:Modifies registry (critical UAC setting)
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
Behavior description:Kills process
details:C:\WINDOWS\system32\taskmgr.exe
Behavior description:Blocks window close message
details:hWnd = 0x000202a2, Text = CkYMwUoM, ClassName = rYUUUYgQ.
Behavior description:Sets special file attributes
details:C:\Documents and Settings\Administrator\UIsgYAcw\HsAkIMow.exe
C:\Documents and Settings\All Users\cwogYQwE\TMUsgwMU.exe
C:\Documents and Settings\All Users\dKIMIokk\dCwIMYoY.exe
Behavior description:Creates file mapping with write access
details:\Documents and Settings\Administrator\UIsgYAcw\HsAkIMow
\Documents and Settings\All Users\cwogYQwE\TMUsgwMU
CiceroSharedMemDefaultS-*
DfSharedHeap3D5570
DFMap0-4019594
DfRoot0003D5570
MSCTF.MarshalInterface.FileMap.AJK..IFOGH
MSCTF.MarshalInterface.FileMap.AJK.B.IFOGH
MSCTF.MarshalInterface.FileMap.AJK.C.IFOGH
MSCTF.MarshalInterface.FileMap.AJK.D.IFOGH
MSCTF.MarshalInterface.FileMap.AJK.E.IFOGH
MSCTF.MarshalInterface.FileMap.AJK.F.IFOGH
MSCTF.MarshalInterface.FileMap.AJK.G.IFOGH
\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\bMoI.exe
MSCTF.Shared.SFM.AJK
Behavior description:Sets special folder attributes
details:C:\Documents and Settings\Administrator\UIsgYAcw
C:\Documents and Settings\All Users\cwogYQwE
C:\Documents and Settings\All Users\dKIMIokk
C:\Documents and Settings\LocalService\UIsgYAcw
Behavior description:Creates system service
details:[Service created successfully]: pEEAoAZu, C:\Documents and Settings\All Users\dKIMIokk\dCwIMYoY.exe
Behavior description:Resolves host address by name
details:google.com
Process behavior
Behavior description:Creates process with hidden window
details:ImagePath = c:\docume~1\admini~1\locals~1\temp\wcimammm.bat, CmdLine = c:\docume~1\admini~1\locals~1\temp\acrobatupdater.exe
Behavior description:Creates process
details:ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AcrobatUpdater.exe
ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Behavior description:Creates process from newly created file
details:ImagePath = C:\Documents and Settings\Administrator\UIsgYAcw\HsAkIMow.exe, CmdLine = "C:\Documents and Settings\Administrator\UIsgYAcw\HsAkIMow.exe"
ImagePath = C:\Documents and Settings\All Users\cwogYQwE\TMUsgwMU.exe, CmdLine = "C:\Documents and Settings\All Users\cwogYQwE\TMUsgwMU.exe"
ImagePath = C:\Documents and Settings\All Users\dKIMIokk\dCwIMYoY.exe, CmdLine = "C:\Documents and Settings\All Users\dKIMIokk\dCwIMYoY.exe"
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AcrobatUpdater.exe, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AcrobatUpdater.exe
Behavior description:Enumerates processes
details:N/A
Behavior description:Kills process
details:C:\WINDOWS\system32\taskmgr.exe
File behavior
Behavior description:Modifies existing EXE files on the system
details:C:\222c25ed\IE8-Setup-Full\installservices.exe---> Offset = 262144
C:\Documents and Settings\Administrator\Application Data\SogouPY\SogouExplorer.exe---> Offset = 262144
C:\Documents and Settings\Administrator\Application Data\Tencent\QQ\commonf_inst\TXSSOSetup.exe---> Offset = 262144
Behavior description:Creates executable file
details:C:\Documents and Settings\Administrator\UIsgYAcw\HsAkIMow.exe
C:\Documents and Settings\All Users\cwogYQwE\TMUsgwMU.exe
C:\Documents and Settings\All Users\dKIMIokk\dCwIMYoY.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AcrobatUpdater.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\bMoI.exe
C:\RCX40.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\LIUM.exe
C:\RCX41.tmp
C:\222c25ed\installer.zip.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\EYga.exe
C:\RCX42.tmp
C:\AnalyzeControl.rar.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\AgYI.exe
C:\RCX43.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\poIU.exe
Behavior description:Searches for file
details:FileName = C:\Documents and Settings\Administrator\UIsgYAcw
FileName = C:\Documents and Settings\Administrator\UIsgYAcw\HsAkIMow.exe
FileName = C:\Documents and Settings\All Users\cwogYQwE
FileName = C:\Documents and Settings\All Users\cwogYQwE\TMUsgwMU.exe
FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wCIMAMMM.bat
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\reg.exe
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AcrobatUpdater.exe
FileName = C:\Program Files
Behavior description:Sets special file attributes
details:C:\Documents and Settings\Administrator\UIsgYAcw\HsAkIMow.exe
C:\Documents and Settings\All Users\cwogYQwE\TMUsgwMU.exe
C:\Documents and Settings\All Users\dKIMIokk\dCwIMYoY.exe
Behavior description:Creates file mapping with write access
details:\Documents and Settings\Administrator\UIsgYAcw\HsAkIMow
\Documents and Settings\All Users\cwogYQwE\TMUsgwMU
CiceroSharedMemDefaultS-*
DfSharedHeap3D5570
DFMap0-4019594
DfRoot0003D5570
MSCTF.MarshalInterface.FileMap.AJK..IFOGH
MSCTF.MarshalInterface.FileMap.AJK.B.IFOGH
MSCTF.MarshalInterface.FileMap.AJK.C.IFOGH
MSCTF.MarshalInterface.FileMap.AJK.D.IFOGH
MSCTF.MarshalInterface.FileMap.AJK.E.IFOGH
MSCTF.MarshalInterface.FileMap.AJK.F.IFOGH
MSCTF.MarshalInterface.FileMap.AJK.G.IFOGH
\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\bMoI.exe
MSCTF.Shared.SFM.AJK
Behavior description:Renames file
details:C:\RCX40.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\bMoI.exe
C:\RCX41.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\LIUM.exe
C:\RCX42.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\EYga.exe
C:\RCX43.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\AgYI.exe
C:\RCX44.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\poIU.exe
C:\RCX45.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\GQsC.exe
C:\RCX46.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\QQIm.exe
C:\RCX47.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\yskK.exe
C:\RCX48.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\OwYK.exe
C:\RCX49.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\GkUa.exe
C:\RCX4A.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\WwQS.exe
C:\RCX4B.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\Dkos.exe
C:\RCX4C.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\MMIU.exe
C:\RCX4D.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\MMwK.exe
C:\RCX4E.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\ZQYS.exe
Behavior description:Sets special folder attributes
details:C:\Documents and Settings\Administrator\UIsgYAcw
C:\Documents and Settings\All Users\cwogYQwE
C:\Documents and Settings\All Users\dKIMIokk
C:\Documents and Settings\LocalService\UIsgYAcw
Behavior description:Modifies file contents
details:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AdobeARM.log---> Offset = 89
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\VckM.ico---> Offset = 22
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\akAc.ico---> Offset = 22
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\uKgU.ico---> Offset = 22
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\WUIk.ico---> Offset = 22
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\NcYk.ico---> Offset = 22
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\xAsA.ico---> Offset = 22
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\tokI.ico---> Offset = 22
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\muIs.ico---> Offset = 22
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\TGws.ico---> Offset = 22
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\Osog.ico---> Offset = 22
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\JAcw.ico---> Offset = 22
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\xSwU.ico---> Offset = 22
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\yAQU.ico---> Offset = 22
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\digc.ico---> Offset = 22
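The File behavior section above records three unrelated installers (IE8, Sogou, QQ) each modified at the same offset, 262144 (0x40000). On a suspected host the practical check is a hash comparison against a known-good copy (vendor download, backup image), and, when a file does differ, locating the changed byte ranges so the offset can be compared with the report. The script below is an added example and is not part of the VirSCAN report; its "clean" and "modified" buffers are constructed stand-ins, not the real installers.

```python
"""Locate where a suspected infected executable differs from a known-good copy.
Added example, not part of the VirSCAN report. The report records three unrelated
installers modified at the same offset, 262144 (0x40000); given a clean copy of each
this shows the exact changed byte ranges. The buffers below are constructed stand-ins."""
import hashlib

INFECTION_OFFSET = 262144   # 0x40000, the offset recorded in the report


def diff_regions(clean, modified, block=4096):
    """Return [(start, end), ...] half-open byte ranges where the two buffers differ.
    Equal blocks are skipped wholesale; only mismatching blocks are scanned byte by byte.
    Extra trailing bytes on either side are reported as a final region."""
    regions, start = [], None
    common = min(len(clean), len(modified))
    for b in range(0, common, block):
        hi = min(b + block, common)
        if clean[b:hi] == modified[b:hi]:
            if start is not None:           # a run of differences ended at this block
                regions.append((start, b))
                start = None
            continue
        for i in range(b, hi):
            if clean[i] != modified[i]:
                if start is None:
                    start = i
            elif start is not None:
                regions.append((start, i))
                start = None
    if start is not None:
        regions.append((start, common))
    if len(clean) != len(modified):         # appended or truncated data
        end = max(len(clean), len(modified))
        if regions and regions[-1][1] == common:
            regions[-1] = (regions[-1][0], end)
        else:
            regions.append((common, end))
    return regions


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_baseline(files):
    """files: {path: bytes} of known-good executables -> {path: sha256 hex digest}."""
    return {path: sha256_hex(data) for path, data in files.items()}


def verify_baseline(baseline, files):
    """Paths whose current hash is missing from, or differs from, the baseline."""
    return sorted(path for path, data in files.items()
                  if baseline.get(path) != sha256_hex(data))


def make_samples():
    """Constructed stand-ins: a 300 KiB 'clean' file, a copy with 512 bytes overwritten
    at INFECTION_OFFSET, and a copy with 64 bytes appended. Not the report's real files."""
    clean = bytes(range(256)) * 1200                    # 307200 bytes, larger than 0x40000
    body = clean[INFECTION_OFFSET:INFECTION_OFFSET + 512]
    payload = bytes(b ^ 0xFF for b in body)             # every byte differs from the original
    overwritten = clean[:INFECTION_OFFSET] + payload + clean[INFECTION_OFFSET + 512:]
    appended = clean + b"\x90" * 64
    return clean, overwritten, appended


if __name__ == "__main__":
    clean, overwritten, appended = make_samples()
    baseline = build_baseline({"installservices.exe": clean})
    print("changed:", verify_baseline(baseline, {"installservices.exe": overwritten}))
    for name, sample in (("overwritten", overwritten), ("appended", appended)):
        for start, end in diff_regions(clean, sample):
            print("%s: bytes %d-%d (0x%X-0x%X, %d bytes)" % (name, start, end, start, end, end - start))
```

A baseline only catches what it covers: the three paths in the report are user-installed software, so the comparison set should include installers and portable executables under user profiles, not just the Windows directory. The report does not say what was written at offset 0x40000, so the diff tells you where, not what; the changed bytes still need to be examined separately.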
Network behavior
Behavior description:Sends data on a connected socket
details:SOCKET = 0x00000144, TotalSize = 36, Offset = 0, ReadSize = 36.
SOCKET = 0x00000140, TotalSize = 36, Offset = 0, ReadSize = 36.
Behavior description:Connects to a specified socket address
details:219.133.40.1:80
Behavior description:Resolves host address by name
details:google.com
Registry behavior
Behavior description:Modifies registry
details:\REGISTRY\MACHINE\SOFTWARE\Adobe\Adobe ARM\1.0\ARM\iCanExit
Behavior description:Deletes registry value
details:\REGISTRY\MACHINE\SOFTWARE\Adobe\Adobe ARM\1.0\ARM\iCanExit
Behavior description:Modifies registry (Explorer file display settings)
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
Behavior description:Modifies registry (critical UAC setting)
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
Behavior description:Modifies registry (startup entries)
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\HsAkIMow.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TMUsgwMU.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Other behavior
Behavior description:Creates mutex
details:fmgcEgQU
SUcAwckk
?@
1@
qkYoEsYs0
SeMQAIEA0
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
SHIMLIB_LOG_MUTEX
oleacc-msaa-loaded
Behavior description:Hides specified window
details:[Window,Class] = [,Shell_TrayWnd]
[Window,Class] = [Start menu,DV2ControlHost]
Behavior description:Searches for specified window
details:NtUserFindWindowEx: [Class,Window] = [,CkYMwUoM]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [,Open File]
NtUserFindWindowEx: [Class,Window] = [,Windows Internet Explorer]
NtUserFindWindowEx: [Class,Window] = [RegEdit_RegEdit,]
NtUserFindWindowEx: [Class,Window] = [ConsoleWindowClass,]
NtUserFindWindowEx: [Class,Window] = [,TMUsgwMU.exe]
NtUserFindWindowEx: [Class,Window] = [,Microsoft Windows]
NtUserFindWindowEx: [Class,Window] = [,HsAkIMow.exe]
NtUserFindWindowEx: [Class,Window] = [,Run]
NtUserFindWindowEx: [Class,Window] = [,Open]
NtUserFindWindowEx: [Class,Window] = [BUTTON,START]
NtUserFindWindowEx: [Class,Window] = [DV2ControlHost,]
NtUserFindWindowEx: [Class,Window] = [WorkerW,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description:Starts system service
details:[Service started successfully]: LocalSystem, pEEAoAZu, C:\Documents and Settings\All Users\dKIMIokk\dCwIMYoY.exe
Behavior description:Creates system service
details:[Service created successfully]: pEEAoAZu, C:\Documents and Settings\All Users\dKIMIokk\dCwIMYoY.exe
Behavior description:Acquires system privilege
details:SE_LOAD_DRIVER_PRIVILEGE
Behavior description:Reads TickCount value
details:TickCount = 485357, SleepMilliseconds = 170.
TickCount = 486560, SleepMilliseconds = 170.
TickCount = 486982, SleepMilliseconds = 170.
TickCount = 487503, SleepMilliseconds = 50.
TickCount = 487550, SleepMilliseconds = 50.
TickCount = 487565, SleepMilliseconds = 50.
TickCount = 487612, SleepMilliseconds = 50.
TickCount = 487675, SleepMilliseconds = 50.
TickCount = 487721, SleepMilliseconds = 50.
TickCount = 487800, SleepMilliseconds = 50.
TickCount = 487815, SleepMilliseconds = 50.
TickCount = 487831, SleepMilliseconds = 50.
TickCount = 487846, SleepMilliseconds = 50.
TickCount = 487893, SleepMilliseconds = 50.
TickCount = 487909, SleepMilliseconds = 50.
Behavior description:Blocks window close message
details:hWnd = 0x000202a2, Text = CkYMwUoM, ClassName = rYUUUYgQ.
Behavior description:Window information
details:Pid = 2168, Hwnd=0x202a2, Text = CkYMwUoM, ClassName = rYUUUYgQ.
Behavior description:Opens image file
details:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\res\bg_rextop.jpg
\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.translator\0.0.0.4\images\title_option_google.jpg
\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.translator\0.0.0.4\images\title_option_youdao.jpg
\Documents and Settings\Administrator\Application Data\Tencent\QQ\Skins\system\1.45_1\main.jpg
\Documents and Settings\Administrator\Application Data\Tencent\QQ\Skins\system\1.45_10\main.jpg