VirSCAN

File information
Safety rating: 55
Behavior list
Basic Information
MD5: 43eb495943799c54662029d6cdaf3421
File type: EXE
Production company: 2019888
Version: 1.1.1.1---1.1.1.1
Shell or compiler information: COMPILER: Microsoft Visual C++ 6.0
Key behavior
Behavior description: Directly reads the CPU clock
details:EAX = 0x23ced6c4, EDX = 0x000000b7
EAX = 0x23ced710, EDX = 0x000000b7
EAX = 0x23ced75c, EDX = 0x000000b7
EAX = 0x23ced7a8, EDX = 0x000000b7
EAX = 0x23ced7f4, EDX = 0x000000b7
EAX = 0x23ced840, EDX = 0x000000b7
EAX = 0x23ced88c, EDX = 0x000000b7
EAX = 0x23ced8d8, EDX = 0x000000b7
EAX = 0x23ced924, EDX = 0x000000b7
EAX = 0x23ced970, EDX = 0x000000b7
Behavior description: Gets window screenshot information
details:Foreground window Info: HWND = 0x0001044c, DC = 0x0a010375.
Foreground window Info: HWND = 0x00010410, DC = 0x0a010375.
Foreground window Info: HWND = 0x00010410, DC = 0x01010055.
Foreground window Info: HWND = 0x00010410, DC = 0x35010260.
Foreground window Info: HWND = 0x00010428, DC = 0x35010260.
Foreground window Info: HWND = 0x0002044e, DC = 0x01010055.
Foreground window Info: HWND = 0x00010428, DC = 0x01010055.
Foreground window Info: HWND = 0x00010428, DC = 0x0a010375.
Foreground window Info: HWND = 0x0003044c, DC = 0x35010260.
Behavior description: Detects a virtual machine via VMware-specific instructions
details:N/A
Process behavior
Behavior description: Creates a local thread
details:TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2508, ThreadID = 3056, StartAddress = 5FE01259, Parameter = 00000000
Behavior description: Enumerates processes
details:N/A
File behavior
Behavior description: Creates files
details:C:\Documents and Settings\Administrator\Local Settings\Temp\SoftXLic.dll
C:\SoftXLic.ini
Behavior description: Creates an executable file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\SoftXLic.dll
Behavior description: Modifies file contents
details:C:\Documents and Settings\Administrator\Local Settings\Temp\SoftXLic.dll ---> Offset = 0
C:\SoftXLic.ini ---> Offset = 0
C:\SoftXLic.ini ---> Offset = 266
C:\SoftXLic.ini ---> Offset = 1489
C:\SoftXLic.ini ---> Offset = 272
C:\SoftXLic.ini ---> Offset = 2442
Behavior description: Searches for files
details:FileName = c:/mydebug.log
FileName = C:\Windows\System32\drivers\etc\hosts
Network behavior
Behavior description: Connects to a specified site
details:WinHttpConnect: ServerName = ww****om, PORT = 80, UserName = , Password = , hSession = 0x02064000, hConnect = 0x02064100, Flags = 0x00000000
WinHttpConnect: ServerName = ww****om, PORT = 80, UserName = , Password = , hSession = 0x02064000, hConnect = 0x02064200, Flags = 0x00000000
Behavior description: Opens an HTTP connection
details:WinHttpOpen: UserAgent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; 494237783), hSession = 0x02064000
WinHttpOpen: UserAgent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; 933754458), hSession = 0x02064000
WinHttpOpen: UserAgent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; 133202278), hSession = 0x02064000
WinHttpOpen: UserAgent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; 629486771), hSession = 0x02064000
WinHttpOpen: UserAgent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; 411890808), hSession = 0x02064000
WinHttpOpen: UserAgent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; 731076939), hSession = 0x02064000
Behavior description: Establishes a socket connection to a specified host
details:URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x00000118
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x0000012c
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x00000130
Behavior description: Sends HTTP packets
details:POST /kss_io/io.php?v=10&b=1&s=10000002&e=get&kstoken=97384473297 HTTP/1.1 Cookie: kstoken=97384473297 Accept: */* Accept-Language: zh-cn Cache-Control: no-cache Referer: http://www.test2019888.com/ Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; 494237783) Host: ww****om Content-Length: 111 Connection: Keep-Alive o=dxf20196626B8YOnGCXtAhcMLWg4KcOWHFgmpwVr|FXkwIHTn6E15DGdfPGeS7H|JNYsNuYlo46wr4uix3wSAfH6awfGwVSS2wNr7RXeWgYkG
POST /kss_io/io.php?v=10&b=1&s=10000002&e=get&kstoken=34553948734 HTTP/1.1 Cookie: kstoken=34553948734 Accept: */* Accept-Language: zh-cn Cache-Control: no-cache Referer: http://www.test2019888.com/ Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; 933754458) Host: ww****om Content-Length: 111 Connection: Keep-Alive o=dxf20196626B8YOnGCXtAhcMLWg4KcOWHFgmpwVr|FXkwIHTn6E15DGdfPGeS7H|JNYsNuYlo46wr4uix3wSAfH6awfGwVSS2wNr7RXeWgYkG
POST /kss_io/io.php?v=10&b=1&s=10000002&kstoken=32073128232 HTTP/1.1 Cookie: kstoken=32073128232 Accept: */* Accept-Language: zh-cn Cache-Control: no-cache Referer: http://www.test2019888.com/ Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; 133202278) Host: ww****om Content-Length: 619 Connection: Keep-Alive o=dxf201966225A2xSwOJi8X1bn32sH1x3RC2lo4gDACJbDA6Mr3Zn4RS8Cc3lL9ZUl|2sCRg0ZsQ46C6muQtUtRu8B_z3ePJcBX7brdQcXcuU|Q5wxAf3IhOWXTQAGI85RR2r9jw5q2znzI3LQO54fTQs2UwQL3Tkick5kcZ5VySwGeqmr_k3zOwmNXgS8D1GODv832Rc9Ag53eRi9D21f|yc_C6wE94imp2UqAODY2k1H|ke76IL5TReaPv7ZhxGNs456Xq91ydcpUT0T|rn673S8h4GwUyvgsRiT|8bwRRnKXw9IOOkZo89_723wSSrOh45nDJ5NhcygITmuQQWV43GdqSAwR6ck7ywl|tIlLQ4z|uA6cunsYHlK6ktN1QwhoIxyPR3uoTG49JnhCa1GhJWbo80n7Tdk0RrMdzSLd53CL_eT18Q2puG6dz9388WtT8Gl266DoEhdyxbk9SAZ_Ue60zwdoRDdIt9jjTH32qrg7RDyDPkuZp5|6MeY2unz2UOsIQb9yQ3FARrhyHGu34LS9u1IpUx6ry4P4Q4cTziRhGiV|zUmRZ1ELuk2aOS6cRUxdSk6dbYXCqlJDTcD2ILGKgTiy31|eTWBCPOX
POST /kss_io/io.php?v=10&b=1&s=10000002&kstoken=26879661427 HTTP/1.1 Cookie: kstoken=26879661427 Accept: */* Accept-Language: zh-cn Cache-Control: no-cache Referer: http://www.test2019888.com/ Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; 629486771) Host: ww****om Content-Length: 619 Connection: Keep-Alive o=dxf201966225A2xSwOJi8X1bn32sH1x3RC2lo4gDACJbDA6Mr3Zn4RS8Cc3lL9ZUl|2sCRg0ZsQ46C6muQtUtRu8B_z3ePJcBX7brdQcXcuU|Q5wxAf3IhOWXTQAGI85RR2r9jw5q2znzI3LQO54fTQs2UwQL3Tkick5kcZ5VySwGeqmr_k3zOwmNXgS8D1GODv832Rc9Ag53eRi9D21f|yc_C6wE94imp2UqAODY2k1H|ke76IL5TReaPv7ZhxGNs456Xq91ydcpUT0T|rn673S8h4GwUyvgsRiT|8bwRRnKXw9IOOkZo89_723wSSrOh45nDJ5NhcygITmuQQWV43GdqSAwR6ck7ywl|tIlLQ4z|uA6cunsYHlK6ktN1QwhoIxyPR3uoTG49JnhCa1GhJWbo80n7Tdk0RrMdzSLd53CL_eT18Q2puG6dz9388WtT8Gl266DoEhdyxbk9SAZ_Ue60zwdoRDdIt9jjTH32qrg7RDyDPkuZp5|6MeY2unz2UOsIQb9yQ3FARrhyHGu34LS9u1IpUx6ry4P4Q4cTziRhGiV|zUmRZ1ELuk2aOS6cRUxdSk6dbYXCqlJDTcD2ILGKgTiy31|eTWBCPOX
POST /kss_io/io.php?v=10&b=1&s=10000002&kstoken=10901408818 HTTP/1.1 Cookie: kstoken=10901408818 Accept: */* Accept-Language: zh-cn Cache-Control: no-cache Referer: http://www.test2019888.com/ Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; 411890808) Host: ww****om Content-Length: 619 Connection: Keep-Alive o=dxf2019662110bKQhqyO4fac6mKJUaNmMZKgSXv5wZyc5wBi9m76XMQ4Jxmg0z7tgGKJZMv27JYXBZBVIYCtCMI4HWpmu_yxHfes9kYxfxItGYFhNwTmbEq1flYwPb4FMMK9z8hF|Kp6pKQ0YqFXTlYJKthY0mlsOxsFsx7FdLQhPu|V9WsmpqhV1fvQ45aPq5r4mKMxzwvFmuMOz5KaTGLxWZBh3zXOVnK5|wq5RKsaUGsueBb0FlMuj_re7ENPAJXFBf|zaLkxnai2lG96BemQ4EXPhtLrvJMOlG4chMM6Dfhzbqqs7S4zweKmhQQ9qEXF65yFAExLvblVIYY1dXmPk|QwhMBxseLPgGCbg0YXpGIwBxI6JRUgDBsCAaYhESbNL_MmISlPXwq6EZjaPEy1yzmJNXiks2M9ikpQ0kFmZ0Wula4YKnIP_kpzm441Cl4X7YagnS3EkLNcszQw7WtuB2phkSM5kbCB88lUmK|9v_7iEZNcI7nFGBiuRKI6pKtqJbYczLYmozT9ELUPImX0oSqVzE4NB9LX_XYXxlpOMEPOdGptVM7ac0IsKjqQBxM96t4w_kcRfZ|gy5lx5Kb0PDvlOLmaGul4HZ_qf
POST /kss_io/io.php?v=10&b=1&s=10000002&kstoken=36731769039 HTTP/1.1 Cookie: kstoken=36731769039 Accept: */* Accept-Language: zh-cn Cache-Control: no-cache Referer: http://www.test2019888.com/ Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; 731076939) Host: ww****om Content-Length: 619 Connection: Keep-Alive o=dxf2019662110bKQhqyO4fac6mKJUaNmMZKgSXv5wZyc5wBi9m76XMQ4Jxmg0z7tgGKJZMv27JYXBZBVIYCtCMI4HWpmu_yxHfes9kYxfxItGYFhNwTmbEq1flYwPb4FMMK9z8hF|Kp6pKQ0YqFXTlYJKthY0mlsOxsFsx7FdLQhPu|V9WsmpqhV1fvQ45aPq5r4mKMxzwvFmuMOz5KaTGLxWZBh3zXOVnK5|wq5RKsaUGsueBb0FlMuj_re7ENPAJXFBf|zaLkxnai2lG96BemQ4EXPhtLrvJMOlG4chMM6Dfhzbqqs7S4zweKmhQQ9qEXF65yFAExLvblVIYY1dXmPk|QwhMBxseLPgGCbg0YXpGIwBxI6JRUgDBsCAaYhESbNL_MmISlPXwq6EZjaPEy1yzmJNXiks2M9ikpQ0kFmZ0Wula4YKnIP_kpzm441Cl4X7YagnS3EkLNcszQw7WtuB2phkSM5kbCB88lUmK|9v_7iEZNcI7nFGBiuRKI6pKtqJbYczLYmozT9ELUPImX0oSqVzE4NB9LX_XYXxlpOMEPOdGptVM7ac0IsKjqQBxM96t4w_kcRfZ|gy5lx5Kb0PDvlOLmaGul4HZ_qf
Behavior description: Opens an HTTP request
details:WinHttpOpenRequest: ww****om:80/kss_io/io.php?v=10&b=1&s=10000002&e=get&kstoken=97384473297, hConnect = 0x02064100, hRequest = 0x023f0000, Verb: POST, Referer: , Flags = 0x00000000
WinHttpOpenRequest: ww****om:80/kss_io/io.php?v=10&b=1&s=10000002&e=get&kstoken=34553948734, hConnect = 0x02064200, hRequest = 0x023f0000, Verb: POST, Referer: , Flags = 0x00000000
WinHttpOpenRequest: ww****om:80/kss_io/io.php?v=10&b=1&s=10000002&kstoken=32073128232, hConnect = 0x02064100, hRequest = 0x023f0000, Verb: POST, Referer: , Flags = 0x00000000
WinHttpOpenRequest: ww****om:80/kss_io/io.php?v=10&b=1&s=10000002&kstoken=26879661427, hConnect = 0x02064200, hRequest = 0x023f0000, Verb: POST, Referer: , Flags = 0x00000000
WinHttpOpenRequest: ww****om:80/kss_io/io.php?v=10&b=1&s=10000002&kstoken=10901408818, hConnect = 0x02064100, hRequest = 0x023f0000, Verb: POST, Referer: , Flags = 0x00000000
WinHttpOpenRequest: ww****om:80/kss_io/io.php?v=10&b=1&s=10000002&kstoken=36731769039, hConnect = 0x02064200, hRequest = 0x023f0000, Verb: POST, Referer: , Flags = 0x00000000
Behavior description: Resolves a host address by name
details:GetAddrInfoW: ww****om
Registry behavior
Behavior description: Modifies the registry
details:\REGISTRY\USER\S-*\Software\Microsoft\Multimedia\DrawDib\vga.drv 1920x973x32(BGR 0)
Other behavior
Behavior description: Checks whether it is being debugged
details:IsDebuggerPresent
Behavior description: Creates mutexes
details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
MSCTF.Shared.MUTEX.ANJ
Lock-826b110ebbc69a36
Behavior description: Creates event objects
details:EventName = DINPUTWINMM
EventName = EXE::init_dxxxxxb
EventName = MSCTF.SendReceive.Event.ANJ.IC
EventName = MSCTF.SendReceiveConection.Event.ANJ.IC
Behavior description: Opens a mutex
details:ShimCacheMutex
Behavior description: Searches for a specified window
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Window information
details:Pid = 2508, Hwnd=0x1044c, Text = 确定, ClassName = Button.
Pid = 2508, Hwnd=0x1044e, Text = WinHttpQueryHeaders_len,取接收的数据头失败!GetLastError:12019, ClassName = Static.
Pid = 2508, Hwnd=0x2044a, Text = 信息:, ClassName = #32770.
Pid = 2508, Hwnd=0x10444, Text = 充 值, ClassName = Button(GroupBox).
Pid = 2508, Hwnd=0x10442, Text = 已有帐号, ClassName = Edit.
Pid = 2508, Hwnd=0x10440, Text = 充 值 , ClassName = Button.
Pid = 2508, Hwnd=0x1043e, Text = 卡号1, ClassName = Edit.
Pid = 2508, Hwnd=0x1043c, Text = 卡号2, ClassName = Edit.
Pid = 2508, Hwnd=0x1043a, Text = 卡号3, ClassName = Edit.
Pid = 2508, Hwnd=0x10438, Text = 查 询, ClassName = Button(GroupBox).
Pid = 2508, Hwnd=0x10436, Text = 改 密 , ClassName = Button.
Pid = 2508, Hwnd=0x10434, Text = 查 询 , ClassName = Button.
Pid = 2508, Hwnd=0x10432, Text = 新的密码, ClassName = Edit.
Pid = 2508, Hwnd=0x10430, Text = 安全密码, ClassName = Edit.
Pid = 2508, Hwnd=0x1042e, Text = 请输入账号, ClassName = Edit.
Behavior description: Opens events
details:HookSwitchHookEnabledEvent
EXE::init_dxxxxxb
CTF.ThreadMIConnectionEvent.000007E8.00000000.0000000F
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.0000000F
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Behavior description: Gets window screenshot information
details:Foreground window Info: HWND = 0x0001044c, DC = 0x0a010375.
Foreground window Info: HWND = 0x00010410, DC = 0x0a010375.
Foreground window Info: HWND = 0x00010410, DC = 0x01010055.
Foreground window Info: HWND = 0x00010410, DC = 0x35010260.
Foreground window Info: HWND = 0x00010428, DC = 0x35010260.
Foreground window Info: HWND = 0x0002044e, DC = 0x01010055.
Foreground window Info: HWND = 0x00010428, DC = 0x01010055.
Foreground window Info: HWND = 0x00010428, DC = 0x0a010375.
Foreground window Info: HWND = 0x0003044c, DC = 0x35010260.
Behavior description: Executable file signature information
details:C:\Documents and Settings\Administrator\Local Settings\Temp\SoftXLic.dll (signature verification: failed)
Behavior description: Calls the Sleep function
details:[1]: MilliSeconds = 0.
[2]: MilliSeconds = 0.
Behavior description: Hides specified windows
details:[Window,Class] = [,Button]
[Window,Class] = [注 册,Button]
[Window,Class] = [查 询,Button]
[Window,Class] = [充 值,Button]
Behavior description: Executable file MD5
details:C:\Documents and Settings\Administrator\Local Settings\Temp\SoftXLic.dll ---> 241b5d6679069042b5456e691a3a8e32
Behavior description: Directly reads the CPU clock
details:EAX = 0x23ced6c4, EDX = 0x000000b7
EAX = 0x23ced710, EDX = 0x000000b7
EAX = 0x23ced75c, EDX = 0x000000b7
EAX = 0x23ced7a8, EDX = 0x000000b7
EAX = 0x23ced7f4, EDX = 0x000000b7
EAX = 0x23ced840, EDX = 0x000000b7
EAX = 0x23ced88c, EDX = 0x000000b7
EAX = 0x23ced8d8, EDX = 0x000000b7
EAX = 0x23ced924, EDX = 0x000000b7
EAX = 0x23ced970, EDX = 0x000000b7
Behavior description: Loads a newly dropped file
details:Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SoftXLic.dll.
Behavior description: Detects a virtual machine via VMware-specific instructions
details:N/A