VirSCAN
File information
Safety rating: 11
Behavior list
Basic Information
MD5: 1e9332818d25b084ace640944ae6c100
File type: EXE
Production company:
Version:
Shell or compiler information:
Key behavior
Behavior description: Modifies existing system EXE files
details:C:\222c25ed\IE8-Setup-Full\installservices.exe---> Offset = 262144
C:\Documents and Settings\Administrator\Application Data\SogouPY\SogouExplorer.exe---> Offset = 262144
C:\Documents and Settings\Administrator\Application Data\Tencent\QQ\commonf_inst\TXSSOSetup.exe---> Offset = 262144
Behavior description: Modifies registry: autorun (startup) entries
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\xgEgcYcg.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JucgoQAM.exe
Behavior description: Modifies registry: key UAC setting
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
Behavior description: Sets special file attributes
details:C:\Documents and Settings\Administrator\eqYgEcQI\xgEgcYcg.exe
C:\Documents and Settings\All Users\SoIUsMMw\JucgoQAM.exe
Behavior description: Maps files with write access
details:\Documents and Settings\Administrator\eqYgEcQI\xgEgcYcg
\Documents and Settings\All Users\SoIUsMMw\JucgoQAM
\WINDOWS\system32\zh-cn\cscript.exe.mui
CiceroSharedMemDefaultS-*
DfSharedHeap3D8690
\WINDOWS\system32\zh-cn\wshext.dll.mui
DfSharedHeap3D9D4C
\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\bAMM.exe
DfSharedHeap3DCD9F
\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\Asoo.exe
\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\nMwe.exe
\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\JwkQ.exe
\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\zEAi.exe
\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\wEEQ.exe
\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\jUQS.exe
Behavior description: Sets special folder attributes
details:C:\Documents and Settings\Administrator\eqYgEcQI
C:\Documents and Settings\All Users\SoIUsMMw
Behavior description: Self-deletion
details:C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1446319763.820779.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1446319763.827749.exe
Behavior description: Resolves host address by name
details:google.com
Process behavior
Behavior description: Creates process with hidden window
details:ImagePath = c:\docume~1\admini~1\locals~1\temp\bykouuqa.bat, CmdLine = "c:\docume~1\admini~1\locals~1\%temp%\996e"
ImagePath = c:\docume~1\admini~1\locals~1\temp\ysiekwae.bat, CmdLine = ""c:\docume~1\admini~1\locals~1\temp\ysiekwae.bat" "c:\docume~1\admini~1\locals~1\%temp%\1446319763.064867.exe""
ImagePath = c:\docume~1\admini~1\locals~1\temp\dqoieuqq.bat, CmdLine = "c:\docume~1\admini~1\locals~1\%temp%\996e"
ImagePath = c:\docume~1\admini~1\locals~1\temp\kasucisq.bat, CmdLine = ""c:\docume~1\admini~1\locals~1\temp\kasucisq.bat" "c:\docume~1\admini~1\locals~1\%temp%\1446319763.071914.exe""
ImagePath = c:\docume~1\admini~1\locals~1\temp\vqkciqqq.bat, CmdLine = "c:\docume~1\admini~1\locals~1\%temp%\996e"
ImagePath = c:\docume~1\admini~1\locals~1\temp\oqckmsqg.bat, CmdLine = ""c:\docume~1\admini~1\locals~1\temp\oqckmsqg.bat" "c:\docume~1\admini~1\locals~1\%temp%\1446319763.078956.exe""
Behavior description: Creates process
details:ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c "C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\996E"
ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c ""C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ysIEkwAE.bat" "C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1446319762.849487.exe""
ImagePath = C:\WINDOWS\system32\cscript.exe, CmdLine = cscript C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp/file.vbs
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c ""C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\KasUcIsQ.bat" "C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1446319762.870535.exe""
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c ""C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\oqckMsQg.bat" "C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1446319762.891589.exe""
Behavior description: Creates process from newly created file
details:ImagePath = C:\Documents and Settings\Administrator\eqYgEcQI\xgEgcYcg.exe, CmdLine = "C:\Documents and Settings\Administrator\eqYgEcQI\xgEgcYcg.exe"
ImagePath = C:\Documents and Settings\All Users\SoIUsMMw\JucgoQAM.exe, CmdLine = "C:\Documents and Settings\All Users\SoIUsMMw\JucgoQAM.exe"
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1446319761.728235.exe, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\996E
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1446319761.731743.exe, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\996E
Behavior description: Enumerates processes
details:N/A
File behavior
Behavior description: Modifies existing system EXE files
details:C:\222c25ed\IE8-Setup-Full\installservices.exe---> Offset = 262144
C:\Documents and Settings\Administrator\Application Data\SogouPY\SogouExplorer.exe---> Offset = 262144
C:\Documents and Settings\Administrator\Application Data\Tencent\QQ\commonf_inst\TXSSOSetup.exe---> Offset = 262144
Behavior description: Creates executable files
details:C:\Documents and Settings\Administrator\eqYgEcQI\xgEgcYcg.exe
C:\Documents and Settings\All Users\SoIUsMMw\JucgoQAM.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\bAMM.exe
C:\RCX3.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\Asoo.exe
C:\RCX4.tmp
C:\222c25ed\installer.zip.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\nMwe.exe
C:\RCX6.tmp
C:\AnalyzeControl.rar.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\JwkQ.exe
C:\RCX7.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\zEAi.exe
C:\RCX8.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\wEEQ.exe
Behavior description: Searches for files
details:FileName = C:\Documents and Settings\Administrator\eqYgEcQI
FileName = C:\Documents and Settings\Administrator\eqYgEcQI\xgEgcYcg.exe
FileName = C:\Documents and Settings\All Users\SoIUsMMw
FileName = C:\Documents and Settings\All Users\SoIUsMMw\JucgoQAM.exe
FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bykoUUQA.bat
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\reg.exe
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\996E.*
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\996E.COM
Behavior description: Sets special file attributes
details:C:\Documents and Settings\Administrator\eqYgEcQI\xgEgcYcg.exe
C:\Documents and Settings\All Users\SoIUsMMw\JucgoQAM.exe
Behavior description: Maps files with write access
details:\Documents and Settings\Administrator\eqYgEcQI\xgEgcYcg
\Documents and Settings\All Users\SoIUsMMw\JucgoQAM
\WINDOWS\system32\zh-cn\cscript.exe.mui
CiceroSharedMemDefaultS-*
DfSharedHeap3D8690
\WINDOWS\system32\zh-cn\wshext.dll.mui
DfSharedHeap3D9D4C
\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\bAMM.exe
DfSharedHeap3DCD9F
\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\Asoo.exe
\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\nMwe.exe
\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\JwkQ.exe
\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\zEAi.exe
\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\wEEQ.exe
\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\jUQS.exe
Behavior description: Renames files
details:C:\RCX3.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\bAMM.exe
C:\RCX4.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\Asoo.exe
C:\RCX6.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\nMwe.exe
C:\RCX7.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\JwkQ.exe
C:\RCX8.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\zEAi.exe
C:\RCX9.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\wEEQ.exe
C:\RCXA.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\jUQS.exe
C:\RCXB.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\fsoc.exe
C:\RCXC.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\LEQu.exe
C:\RCXD.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\IgYI.exe
C:\RCXE.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\zMsU.exe
C:\RCXF.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\hUgq.exe
C:\RCX10.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\FQcO.exe
C:\RCX11.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\zcIs.exe
C:\RCX12.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\tsss.exe
Behavior description: Sets special folder attributes
details:C:\Documents and Settings\Administrator\eqYgEcQI
C:\Documents and Settings\All Users\SoIUsMMw
Behavior description: Modifies file contents
details:C:\Documents and Settings\Administrator\eqYgEcQI\xgEgcYcg.inf---> Offset = 0
C:\Documents and Settings\All Users\SoIUsMMw\JucgoQAM.inf---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\file.vbs---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\hAoE.ico---> Offset = 22
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\qcwK.ico---> Offset = 22
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\HwES.ico---> Offset = 22
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\xYgS.ico---> Offset = 22
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\Vgco.ico---> Offset = 22
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\IkMq.ico---> Offset = 22
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\OkUU.ico---> Offset = 22
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\CUcO.ico---> Offset = 22
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\sIES.ico---> Offset = 22
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\aQUc.ico---> Offset = 22
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\FUwq.ico---> Offset = 22
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\hkQK.ico---> Offset = 22
Behavior description: Self-deletion
details:C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1446319763.820779.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1446319763.827749.exe
Network behavior
Behavior description: Sends data on a connected socket
details:SOCKET = 0x00000114, TotalSize = 36, Offset = 0, ReadSize = 36.
SOCKET = 0x0000010c, TotalSize = 4, Offset = 0, ReadSize = 4.
SOCKET = 0x0000010c, TotalSize = 148, Offset = 0, ReadSize = 148.
SOCKET = 0x0000010c, TotalSize = 36, Offset = 0, ReadSize = 36.
SOCKET = 0x00000100, TotalSize = 4, Offset = 0, ReadSize = 4.
SOCKET = 0x00000100, TotalSize = 148, Offset = 0, ReadSize = 148.
Behavior description: Establishes a connection to a specified socket address
details:219.133.40.1:80
200.87.164.69:9999
200.119.204.12:9999
190.186.45.170:9999
Behavior description: Enumerates network shares
details:N/A
Behavior description: Resolves host address by name
details:google.com
Registry behavior
Behavior description: Modifies registry: Explorer file display settings
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
Behavior description: Modifies registry: key UAC setting
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
Behavior description: Modifies registry: autorun (startup) entries
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\xgEgcYcg.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JucgoQAM.exe
Other behavior
Behavior description: Creates mutexes
details:fmgcEgQU
SUcAwckk
SHIMLIB_LOG_MUTEX
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Behavior description: Searches for a specified window
details:NtUserFindWindowEx: [Class,Window] = [,JucgoQAM.exe]
NtUserFindWindowEx: [Class,Window] = [,xgEgcYcg.exe]
Behavior description: Opens image files
details:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\res\bg_rextop.jpg
\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.translator\0.0.0.4\images\title_option_google.jpg
\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.translator\0.0.0.4\images\title_option_youdao.jpg
\Documents and Settings\Administrator\Application Data\Tencent\QQ\Skins\system\1.45_1\main.jpg
Behavior description: Acquires system privilege
details:SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Gets TickCount value
details:TickCount = 485696, SleepMilliseconds = 228.
TickCount = 486331, SleepMilliseconds = 50.
TickCount = 486903, SleepMilliseconds = 169.
TickCount = 487628, SleepMilliseconds = 50.
TickCount = 488743, SleepMilliseconds = 197.
TickCount = 489550, SleepMilliseconds = 50.
Run screenshot (image not reproduced)