VirSCAN
File information
Safety rating:20
Behavior list
Basic Information
MD5:3954b169ae535c49d40a81f139ec992f
File type:EXE
Vendor:
Version:
Packer/compiler information:COMPILER:NSIS
Subfile information:1000_1000_packed_packed_packed.exe / 03fe95d95e61fbf138c24144f9bc2b42 / EXE
[NSIS].nsi / 3d25886ac28fb57ff38f989a9c613267 / Unknown
盔夯.exe / 6bdec8b1dfb9d856fefe9154cac0c5fc / EXE
Key behavior
Behavior description:Cross-process memory write
details:TargetProcess = C:\WINDOWS\system32\winlogon.exe, WriteAddress = 0x7c92d090, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\winlogon.exe, WriteAddress = 0x7c92d580, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\winlogon.exe, WriteAddress = 0x7c92d130, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\winlogon.exe, WriteAddress = 0x7c92d140, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\winlogon.exe, WriteAddress = 0x7c92d7e0, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\services.exe, WriteAddress = 0x7c92d090, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\services.exe, WriteAddress = 0x7c92d580, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\services.exe, WriteAddress = 0x7c92d130, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\services.exe, WriteAddress = 0x7c92d140, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\services.exe, WriteAddress = 0x7c92d7e0, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\lsass.exe, WriteAddress = 0x7c92d090, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\lsass.exe, WriteAddress = 0x7c92d580, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\lsass.exe, WriteAddress = 0x7c92d130, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\lsass.exe, WriteAddress = 0x7c92d140, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\lsass.exe, WriteAddress = 0x7c92d7e0, Size = 0x00000005
Behavior description:Set special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description:Create remote thread
details:TargetProcess: winlogon.exe, InheritedFromPID = 532, ProcessID = 612, ThreadID = 2592, StartAddress = 7FF91CDE, Parameter = 00000004
Behavior description:Disable system file protection
details:N/A
Behavior description:Create system service
details:[Service created successfully]: Nationalmkk, C:\WINDOWS\system32\xardwe.exe
Behavior description:Modify HOSTS file
details:C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 0
Behavior description:Get foreground window screenshot info
details:Foreground window Info: HWND = 0x00000000, DC = 0x2a01069a.
Foreground window Info: HWND = 0x00000000, DC = 0x04010263.
Foreground window Info: HWND = 0x00000000, DC = 0x05010262.
Foreground window Info: HWND = 0x00000000, DC = 0x06010303.
Behavior description:Modify registry: system firewall trusted process list
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINDOWS\system32\winlogon.exe
Behavior description:Get TickCount value
details:TickCount = 5430056, SleepMilliseconds = 10.
TickCount = 5430072, SleepMilliseconds = 10.
TickCount = 5430088, SleepMilliseconds = 10.
TickCount = 5430119, SleepMilliseconds = 10.
TickCount = 5430135, SleepMilliseconds = 10.
TickCount = 5430197, SleepMilliseconds = 10.
TickCount = 5430875, SleepMilliseconds = 250.
TickCount = 5430666, SleepMilliseconds = 10.
TickCount = 5431666, SleepMilliseconds = 10.
Behavior description:Read CPU clock directly
details:EAX = 0x3a502ebe, EDX = 0x00001193
EAX = 0x3cd7fe47, EDX = 0x00001193
EAX = 0xc783f4d5, EDX = 0x00001193
EAX = 0xca36f451, EDX = 0x00001193
EAX = 0x0dc9f247, EDX = 0x00001195
EAX = 0x0dc9f293, EDX = 0x00001195
Behavior description:Modify another process's memory via memory mapping
details:TargetProcess = [System Process]
TargetProcess = 盔夯.exe
TargetProcess = xardwe.exe
Process behavior
Behavior description:Cross-process memory write
details:TargetProcess = C:\WINDOWS\system32\winlogon.exe, WriteAddress = 0x7c92d090, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\winlogon.exe, WriteAddress = 0x7c92d580, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\winlogon.exe, WriteAddress = 0x7c92d130, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\winlogon.exe, WriteAddress = 0x7c92d140, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\winlogon.exe, WriteAddress = 0x7c92d7e0, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\services.exe, WriteAddress = 0x7c92d090, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\services.exe, WriteAddress = 0x7c92d580, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\services.exe, WriteAddress = 0x7c92d130, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\services.exe, WriteAddress = 0x7c92d140, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\services.exe, WriteAddress = 0x7c92d7e0, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\lsass.exe, WriteAddress = 0x7c92d090, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\lsass.exe, WriteAddress = 0x7c92d580, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\lsass.exe, WriteAddress = 0x7c92d130, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\lsass.exe, WriteAddress = 0x7c92d140, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\lsass.exe, WriteAddress = 0x7c92d7e0, Size = 0x00000005
Behavior description:Create process from newly written file
details:ImagePath = C:\1000_1000_packed_packed_packed.exe, CmdLine = "C:\1000_1000_packed_packed_packed.exe"
ImagePath = C:\盔夯.exe, CmdLine = "C:\盔夯.exe"
ImagePath = C:\WINDOWS\system32\xardwe.exe, CmdLine = C:\WINDOWS\system32\xardwe.exe
Behavior description:Create remote thread
details:TargetProcess: winlogon.exe, InheritedFromPID = 532, ProcessID = 612, ThreadID = 2592, StartAddress = 7FF91CDE, Parameter = 00000004
Behavior description:Enumerate processes
details:N/A
Behavior description:Create local thread
details:TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2520, ThreadID = 2568, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: winlogon.exe, InheritedFromPID = 532, ProcessID = 612, ThreadID = 2612, StartAddress = 7FF91867, Parameter = 01CF8000
TargetProcess: winlogon.exe, InheritedFromPID = 532, ProcessID = 612, ThreadID = 2632, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: winlogon.exe, InheritedFromPID = 532, ProcessID = 612, ThreadID = 2636, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: svchost.exe, InheritedFromPID = 656, ProcessID = 984, ThreadID = 2640, StartAddress = 75D0F0A3, Parameter = 027A49C0
TargetProcess: xardwe.exe, InheritedFromPID = 656, ProcessID = 2668, ThreadID = 2692, StartAddress = 77DC3519, Parameter = 001856F8
TargetProcess: xardwe.exe, InheritedFromPID = 656, ProcessID = 2668, ThreadID = 2696, StartAddress = 00401BE0, Parameter = 00000000
Behavior description:Modify another process's memory via memory mapping
details:TargetProcess = [System Process]
TargetProcess = 盔夯.exe
TargetProcess = xardwe.exe
File behavior
Behavior description:Create file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\nsd51.tmp
C:\1000_1000_packed_packed_packed.exe
C:\盔夯.exe
C:\WINDOWS\system32\xardwe.exe
Behavior description:Create executable file
details:C:\1000_1000_packed_packed_packed.exe
C:\盔夯.exe
C:\WINDOWS\system32\xardwe.exe
Behavior description:Copy file
details:C:\1000_1000_packed_packed_packed.exe ---> C:\WINDOWS\system32\xardwe.exe
Behavior description:Modify HOSTS file
details:C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 0
Behavior description:Delete file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\nsd51.tmp
Behavior description:Search for file
details:FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = \盔夯.exe
FileName = C:\1000_1000_packed_packed_packed.exe
FileName = C:\盔夯.exe
FileName = C:\Documents and Settings\Administrator\Application Data\Tencent
FileName = C:\Documents and Settings\Administrator\Application Data\Tencent\QQ
FileName = C:\Documents and Settings\Administrator\Application Data\Tencent\QQ\STemp
FileName = C:\WINDOWS\system32\config\systemprofile
FileName = C:\WINDOWS\system32\config\systemprofile\Local Settings
FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS\system32\Ras\*.pbk
Behavior description:Set special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description:Modify file content
details:C:\1000_1000_packed_packed_packed.exe ---> Offset = 0
C:\1000_1000_packed_packed_packed.exe ---> Offset = 32173
C:\1000_1000_packed_packed_packed.exe ---> Offset = 64941
C:\1000_1000_packed_packed_packed.exe ---> Offset = 86525
C:\1000_1000_packed_packed_packed.exe ---> Offset = 111696
C:\盔夯.exe ---> Offset = 0
C:\盔夯.exe ---> Offset = 31593
C:\盔夯.exe ---> Offset = 64361
C:\盔夯.exe ---> Offset = 97129
C:\盔夯.exe ---> Offset = 125586
C:\WINDOWS\system32\xardwe.exe ---> Offset = 0
C:\WINDOWS\system32\xardwe.exe ---> Offset = 65536
C:\WINDOWS\system32\xardwe.exe ---> Offset = 131072
C:\WINDOWS\system32\xardwe.exe ---> Offset = 4096
C:\WINDOWS\system32\wbem\Logs\wbemess.log ---> Offset = 6126
Network behavior
Behavior description:Connect to a specified socket
details:URL: ma****om, IP: **.133.40.**:8080, SOCKET = 0x000000a0
Behavior description:Resolve host address by name
details:gethostbyname: ma****om
Registry behavior
Behavior description:Modify registry
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\1000_1000_packed_packed_packed.exe
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Epoch\Epoch
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\盔夯.exe
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Nationalmkk\Type
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Nationalmkk\ErrorControl
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Nationalmkk\DisplayName
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Nationalmkk\Security\Security
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Nationalmkk\ObjectName
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\ServiceCurrent\
\REGISTRY\MACHINE\SAM\SAM\Domains\Account\Users\000001F4\F
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-*\RefCount
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NATIONALMKK\0000\Control\ActiveService
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Nationalmkk\Description
Behavior description:Modify registry: service entry
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Nationalmkk\Start
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Nationalmkk\ImagePath
Behavior description:Modify registry: system firewall trusted process list
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINDOWS\system32\winlogon.exe
Other behavior
Behavior description:Create mutex
details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
qrgm
RasPbFile
Nationalmkk
Behavior description:Open mutex
details:ShimCacheMutex
Local\!IETld!Mutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetProxyRegistryMutex
RasPbFile
Behavior description:Find specified window
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behavior description:Start system service
details:[Service started successfully]: LocalSystem, Nationalxgk Instruments Domain Service, C:\WINDOWS\system32\xardwe.exe
Behavior description:Open event
details:HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
Behavior description:Get TickCount value
details:TickCount = 5430056, SleepMilliseconds = 10.
TickCount = 5430072, SleepMilliseconds = 10.
TickCount = 5430088, SleepMilliseconds = 10.
TickCount = 5430119, SleepMilliseconds = 10.
TickCount = 5430135, SleepMilliseconds = 10.
TickCount = 5430197, SleepMilliseconds = 10.
TickCount = 5430875, SleepMilliseconds = 250.
TickCount = 5430666, SleepMilliseconds = 10.
TickCount = 5431666, SleepMilliseconds = 10.
Behavior description:Adjust process token privileges
details:SE_LOAD_DRIVER_PRIVILEGE
SE_DEBUG_PRIVILEGE
SE_TCB_PRIVILEGE
SE_AUDIT_PRIVILEGE
Behavior description:Disable system file protection
details:N/A
Behavior description:Enumerate windows
details:N/A
Behavior description:Get foreground window screenshot info
details:Foreground window Info: HWND = 0x00000000, DC = 0x2a01069a.
Foreground window Info: HWND = 0x00000000, DC = 0x04010263.
Foreground window Info: HWND = 0x00000000, DC = 0x05010262.
Foreground window Info: HWND = 0x00000000, DC = 0x06010303.
Behavior description:Executable signature information
details:C:\1000_1000_packed_packed_packed.exe (signature verification: failed)
C:\盔夯.exe (signature verification: failed)
C:\WINDOWS\system32\xardwe.exe (signature verification: failed)
Behavior description:Call Sleep function
details:[1]: MilliSeconds = 10.
[1]: MilliSeconds = 250.
[1]: MilliSeconds = 500.
Behavior description:Executable MD5
details:C:\1000_1000_packed_packed_packed.exe ---> 03fe95d95e61fbf138c24144f9bc2b42
C:\盔夯.exe ---> 6bdec8b1dfb9d856fefe9154cac0c5fc
C:\WINDOWS\system32\xardwe.exe ---> 03fe95d95e61fbf138c24144f9bc2b42
Behavior description:Read CPU clock directly
details:EAX = 0x3a502ebe, EDX = 0x00001193
EAX = 0x3cd7fe47, EDX = 0x00001193
EAX = 0xc783f4d5, EDX = 0x00001193
EAX = 0xca36f451, EDX = 0x00001193
EAX = 0x0dc9f247, EDX = 0x00001195
EAX = 0x0dc9f293, EDX = 0x00001195
Behavior description:Create system service
details:[Service created successfully]: Nationalmkk, C:\WINDOWS\system32\xardwe.exe
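Read together, the behaviors above form one chain: the NSIS installer drops 1000_1000_packed_packed_packed.exe and 盔夯.exe, copies the former to C:\WINDOWS\system32\xardwe.exe (same MD5, 03fe95d95e61fbf138c24144f9bc2b42), registers that copy as the Nationalmkk service, writes identical 5-byte blocks at the same five addresses into winlogon.exe, services.exe and lsass.exe, and adds winlogon.exe, not the dropper, to the Windows Firewall AuthorizedApplications list. The Python script below is an added example and is not part of the VirSCAN report or VirSCAN's tooling. It parses the report's own "Behavior description:" / "details:" layout (REPORT holds lines copied from this page) and applies three triage heuristics that are this example's assumptions, not facts the report states: a 5-byte write is the size of an x86 jmp rel32 and is the usual inline-hook patch; one address written in several processes points at code in a DLL mapped at the same base in all of them (on 32-bit Windows XP the 0x7C90xxxx range is where ntdll.dll normally sits); and whitelisting a process the sample has just patched lets the injected code's traffic through the firewall. The PROTECTED process set is also the example's choice.

```python
"""Triage a VirSCAN-style sandbox behavior log for three patterns seen above.

Added example (not VirSCAN code). REPORT holds lines copied from the report;
PROTECTED and the heuristics in the docstrings are this example's assumptions.
"""
import re
from collections import defaultdict

# Constructed input: lines copied from the report above (English labels).
REPORT = r"""
Behavior description:Cross-process memory write
details:TargetProcess = C:\WINDOWS\system32\winlogon.exe, WriteAddress = 0x7c92d090, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\winlogon.exe, WriteAddress = 0x7c92d580, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\services.exe, WriteAddress = 0x7c92d090, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\services.exe, WriteAddress = 0x7c92d580, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\lsass.exe, WriteAddress = 0x7c92d090, Size = 0x00000005
TargetProcess = C:\WINDOWS\system32\lsass.exe, WriteAddress = 0x7c92d580, Size = 0x00000005
Behavior description:Copy file
details:C:\1000_1000_packed_packed_packed.exe ---> C:\WINDOWS\system32\xardwe.exe
Behavior description:Create system service
details:[Service created successfully]: Nationalmkk, C:\WINDOWS\system32\xardwe.exe
Behavior description:Modify registry: system firewall trusted process list
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINDOWS\system32\winlogon.exe
Behavior description:Executable MD5
details:C:\1000_1000_packed_packed_packed.exe ---> 03fe95d95e61fbf138c24144f9bc2b42
C:\盔夯.exe ---> 6bdec8b1dfb9d856fefe9154cac0c5fc
C:\WINDOWS\system32\xardwe.exe ---> 03fe95d95e61fbf138c24144f9bc2b42
"""

# Assumption: core processes whose patching implies a system-wide hook.
PROTECTED = {"winlogon.exe", "services.exe", "lsass.exe"}
X86_JMP_REL32_LEN = 5  # E9 xx xx xx xx

WRITE_RE = re.compile(
    r"TargetProcess = (?P<proc>.+?), WriteAddress = (?P<addr>0x[0-9a-f]+), "
    r"Size = (?P<size>0x[0-9a-f]+)", re.I)
SERVICE_RE = re.compile(r"\]: (?P<name>[^,]+), (?P<image>.+)$")


def basename(path):
    return path.strip().rsplit("\\", 1)[-1]


def parse_report(text):
    """Map each 'Behavior description' to its list of detail lines."""
    sections, current = defaultdict(list), None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith("Behavior description:"):
            current = line.split(":", 1)[1].strip()
        elif current is not None:
            sections[current].append(line.removeprefix("details:"))
    return dict(sections)


def hook_candidates(sections):
    """Addresses patched with a jmp-sized write in two or more protected processes.

    Heuristic: the same address written in several processes is code in a DLL
    loaded at the same base everywhere (a shared system DLL), and a 5-byte
    write is the classic inline-hook trampoline. Not proof of a hook.
    """
    by_addr = defaultdict(set)
    for line in sections.get("Cross-process memory write", []):
        m = WRITE_RE.search(line)
        if m and int(m["size"], 16) == X86_JMP_REL32_LEN:
            proc = basename(m["proc"]).lower()
            if proc in PROTECTED:
                by_addr[int(m["addr"], 16)].add(proc)
    return {a: sorted(p) for a, p in by_addr.items() if len(p) >= 2}


def persistence_chain(sections):
    """Link each created service to the file copy and hash that produced its image."""
    copies = {dst: src for src, dst in
              (l.split(" ---> ", 1) for l in sections.get("Copy file", []))}
    hashes = dict(l.split(" ---> ", 1) for l in sections.get("Executable MD5", []))
    chain = []
    for line in sections.get("Create system service", []):
        m = SERVICE_RE.search(line)
        if not m:
            continue
        image = m["image"].strip()
        src = copies.get(image)
        chain.append({"service": m["name"].strip(), "image": image,
                      "copied_from": src, "md5": hashes.get(image),
                      "same_hash_as_source": src is not None
                      and hashes.get(image) == hashes.get(src)})
    return chain


def firewall_whitelisted(sections):
    """Process images added to the Windows Firewall AuthorizedApplications list."""
    key = "Modify registry: system firewall trusted process list"
    return sorted(basename(l).lower() for l in sections.get(key, [])
                  if "AuthorizedApplications\\List" in l)


def triage(text):
    s = parse_report(text)
    hooks, chain, fw = hook_candidates(s), persistence_chain(s), firewall_whitelisted(s)
    # A whitelisted process that was also patched lets injected code's traffic out.
    patched = {p for procs in hooks.values() for p in procs}
    return {"hook_candidates": hooks, "persistence": chain,
            "firewall_whitelisted": fw,
            "whitelisted_and_patched": sorted(set(fw) & patched)}


if __name__ == "__main__":
    for k, v in triage(REPORT).items():
        print(f"{k}: {v}")
```

On this report the script links the Nationalmkk service image to the dropper through the copy and the shared MD5, reports 0x7c92d090 and 0x7c92d580 as patched identically in all three protected processes, and flags winlogon.exe as both patched and firewall-whitelisted. Confirming what sits at those addresses still needs the sandbox's ntdll.dll (or a memory dump) and is outside what the log alone can prove.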