VirSCAN

File information
Safety rating:39
Behavior list
Basic Information
MD5:4e13950c53e6943858305264bdd4ec82
file type:EXE
Production company:Samsung Electronics.
version:1.0.0.1---4, 4, 0, 0
Shell or compiler information:COMPILER:Microsoft Visual Studio .NET 2005 -- 2008 -> Microsoft Corporation *
Key behavior
Behavior description:Writes data into another process (cross-process write)
details:TargetProcess = C:\Windows\system\lsacs.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000cf8
TargetProcess = C:\Windows\system\lsacs.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000cf8
TargetProcess = C:\Windows\system\lsacs.exe, WriteAddress = 0x7ffd3238, Size = 0x00000004 TargetPID = 0x00000cf8
TargetProcess = C:\Windows\system\lsacs.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000de4
TargetProcess = C:\Windows\system\lsacs.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000de4
TargetProcess = C:\Windows\system\lsacs.exe, WriteAddress = 0x7ffd9238, Size = 0x00000004 TargetPID = 0x00000de4
Behavior description:Sets special folder attributes
details:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5
Behavior description:Creates system service
details:[Service created successfully]: jgumfoxl update, C:\Windows\system\lsacs.exe
Behavior description:Reads TickCount value
Behavior description:Process privilege escalation information
details:NT AUTHORITY\SYSTEM
Behavior description:Kills process
details:C:\Windows\system\lsacs.exe
Behavior description:Reads CPU clock counter directly
Behavior description:Self-deletion
details:C:\Users\Administrator\AppData\Local\%temp%\b70c.exe
Process behavior
Behavior description:Process privilege escalation information
details:NT AUTHORITY\SYSTEM
Behavior description:Writes data into another process (cross-process write)
details:TargetProcess = C:\Windows\system\lsacs.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000cf8
TargetProcess = C:\Windows\system\lsacs.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000cf8
TargetProcess = C:\Windows\system\lsacs.exe, WriteAddress = 0x7ffd3238, Size = 0x00000004 TargetPID = 0x00000cf8
TargetProcess = C:\Windows\system\lsacs.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000de4
TargetProcess = C:\Windows\system\lsacs.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000de4
TargetProcess = C:\Windows\system\lsacs.exe, WriteAddress = 0x7ffd9238, Size = 0x00000004 TargetPID = 0x00000de4
Behavior description:Creates process from newly created file
details:[0x00000cf8]ImagePath = C:\Windows\system\lsacs.exe, CmdLine = "C:\Windows\system\lsacs.exe"
[0x00000d6c]ImagePath = C:\Windows\system\lsacs.exe, CmdLine = C:\Windows\system\lsacs.exe
[0x00000de4]ImagePath = C:\Windows\system\lsacs.exe, CmdLine = C:\Windows\system\lsacs.exe
Behavior description:Enumerates processes
details:N/A
Behavior description:Kills process
details:C:\Windows\system\lsacs.exe
File behavior
Behavior description:Creates files
details:C:\Windows\system\lsacs.exe
C:\Windows\Temp\WER305D.tmp
C:\Windows\Temp\WER305D.tmp.appcompat.txt
C:\Windows\Temp\WER3204.tmp
C:\Windows\Temp\WER3204.tmp.WERInternalMetadata.xml
C:\Windows\Temp\WER3224.tmp
C:\Windows\Temp\WER3224.tmp.hdmp
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4YA3Y3T\wpad[1].dat
C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb
C:\Windows\Temp\WER3532.tmp
C:\Windows\Temp\WER3532.tmp.mdmp
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_lsacs.exe_11b6d11849d4182753e0446b86eb44c2202a5d_cab_0e9635fa\WER305D.tmp.appcompat.txt
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_lsacs.exe_11b6d11849d4182753e0446b86eb44c2202a5d_cab_0e9635fa\WER3204.tmp.WERInternalMetadata.xml
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_lsacs.exe_11b6d11849d4182753e0446b86eb44c2202a5d_cab_0e9635fa\WER3224.tmp.hdmp
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_lsacs.exe_11b6d11849d4182753e0446b86eb44c2202a5d_cab_0e9635fa\WER3532.tmp.mdmp
Behavior description:Creates executable file
details:C:\Windows\system\lsacs.exe
Behavior description:Overwrites existing file
details:C:\Windows\Temp\WER3204.tmp.WERInternalMetadata.xml
Behavior description:Copies files
details:C:\Users\Administrator\AppData\Local\%temp%\b70c.exe ---> C:\Windows\system\lsacs.exe
C:\Windows\Temp\WER305D.tmp.appcompat.txt ---> C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_lsacs.exe_11b6d11849d4182753e0446b86eb44c2202a5d_cab_0e9635fa\WER305D.tmp.appcompat.txt
C:\Windows\Temp\WER3204.tmp.WERInternalMetadata.xml ---> C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_lsacs.exe_11b6d11849d4182753e0446b86eb44c2202a5d_cab_0e9635fa\WER3204.tmp.WERInternalMetadata.xml
C:\Windows\Temp\WER3224.tmp.hdmp ---> C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_lsacs.exe_11b6d11849d4182753e0446b86eb44c2202a5d_cab_0e9635fa\WER3224.tmp.hdmp
C:\Windows\Temp\WER3532.tmp.mdmp ---> C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_lsacs.exe_11b6d11849d4182753e0446b86eb44c2202a5d_cab_0e9635fa\WER3532.tmp.mdmp
Behavior description:Deletes files
details:C:\Windows\Temp\WER305D.tmp
C:\Windows\Temp\WER305D.tmp.appcompat.txt
C:\Windows\Temp\WER3204.tmp
C:\Windows\Temp\WER3224.tmp
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4YA3Y3T\wpad[1].dat
C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb
C:\Windows\Temp\WER3532.tmp
C:\Windows\Temp\WER3204.tmp.WERInternalMetadata.xml
C:\Windows\Temp\WER3224.tmp.hdmp
C:\Windows\Temp\WER3532.tmp.mdmp
C:\Windows\SoftwareDistribution\Download\49cea37ed490e5126ec9450fc2dd5116\cbshandler\state
C:\Windows\SoftwareDistribution\Download\49cea37ed490e5126ec9450fc2dd5116\Windows6.1-KB2999226-x86.cab
Behavior description:Searches for files
details:FileName = C:\Windows
FileName = C:\Windows\system
FileName = C:\Windows\system\lsacs.exe
FileName = C:\Windows\system\*.*
FileName = C:\Windows\TEMP
FileName = C:\Windows\Temp
FileName = C:\Windows\system\*
FileName = C:\Windows\system32\kernel32.dll
FileName = C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_*_11b6d11849d4182753e0446b86eb44c2202a5d_cab_*
FileName = C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_*_11b6d11849d4182753e0446b86eb44c2202a5d_cab_*
FileName = C:\Windows\system32\drivers\*.mrk
FileName = C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
FileName = C:\ProgramData\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\Windows\system32\Ras\*.pbk
FileName = C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
Behavior description:Sets special folder attributes
details:C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5
Behavior description:Modifies file contents
details:C:\Windows\system\lsacs.exe ---> Offset = 0
C:\Windows\system\lsacs.exe ---> Offset = 65536
C:\Windows\system\lsacs.exe ---> Offset = 131072
C:\Windows\system\lsacs.exe ---> Offset = 196608
C:\Windows\system\lsacs.exe ---> Offset = 262144
C:\Windows\WindowsUpdate.log ---> Offset = 90112
C:\Windows\WindowsUpdate.log ---> Offset = 90206
C:\Windows\WindowsUpdate.log ---> Offset = 90326
C:\Windows\WindowsUpdate.log ---> Offset = 90410
C:\Windows\WindowsUpdate.log ---> Offset = 90493
C:\Windows\WindowsUpdate.log ---> Offset = 90549
C:\Windows\AppCompat\Programs\RecentFileCache.bcf ---> Offset = 19018
C:\Windows\AppCompat\Programs\RecentFileCache.bcf ---> Offset = 19022
C:\Windows\AppCompat\Programs\RecentFileCache.bcf ---> Offset = 16
C:\Windows\Temp\WER305D.tmp.appcompat.txt ---> Offset = 0
Behavior description:Self-deletion
details:C:\Users\Administrator\AppData\Local\%temp%\b70c.exe
Network behavior
Behavior description:Opens URL over the network
details:InternetOpenUrlA: http://r.****om/fcg-bin/cgi_get_portrait.fcg?uins=3441476838, hInternet = 0x00cc0004, Flags = 0x04000000
InternetOpenUrlA: http://**.133.40.**:128/wpad.dat, hInternet = 0x00cc0008, Flags = 0x00000010
InternetOpenUrlA: http://r.****om/fcg-bin/cgi_get_portrait.fcg?uins=3441476838, hInternet = 0x00cc0008, Flags = 0x04000000
InternetOpenUrlA: http://r.****om/fcg-bin/cgi_get_portrait.fcg?uins=3441476838, hInternet = 0x00cc000c, Flags = 0x04000000
Behavior description:Opens HTTP connection
details:InternetOpenA: UserAgent: , hSession = 0x00cc0004
InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0), hSession = 0x00cc0008
InternetOpenA: UserAgent: , hSession = 0x00cc0008
InternetOpenA: UserAgent: , hSession = 0x00cc000c
Behavior description:Establishes connection to a specified socket
details:URL: wpad, IP: **.133.40.**:128, SOCKET = 0x000003ac
URL: r.****om, IP: **.133.40.**:80, SOCKET = 0x00000218
URL: r.****om, IP: **.133.40.**:80, SOCKET = 0x000003b4
URL: r.****om, IP: **.133.40.**:80, SOCKET = 0x0000025c
Behavior description:Reads file from the network
details:hFile = 0x00cc0010, BytesToRead =4010, BytesRead = 4010.
hFile = 0x00cc000c, BytesToRead =512000, BytesRead = 364544.
Behavior description:Sends HTTP request
details:GET /wpad.dat HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0) Host: **.133.40.**:128
GET /fcg-bin/cgi_get_portrait.fcg?uins=3441476838 HTTP/1.1 Host: r.****om
Behavior description:Resolves host address by name
details:GetAddrInfoW: a-PC
GetAddrInfoW: wpad
GetAddrInfoW: r.****om
Registry behavior
Behavior description:Modifies registry
details:\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\jgumfoxl update\DeleteFiles
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-*\RefCount
\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\jgumfoxl update\ConnectGroup
\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\jgumfoxl update\Description
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\ExceptionRecord
\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\jgumfoxl update\MarkTime
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lsacs_RASAPI32\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lsacs_RASAPI32\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lsacs_RASAPI32\FileTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lsacs_RASAPI32\ConsoleTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lsacs_RASAPI32\MaxFileSize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lsacs_RASAPI32\FileDirectory
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lsacs_RASMANCS\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lsacs_RASMANCS\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lsacs_RASMANCS\FileTracingMask
Behavior description:Deletes registry values
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\jgumfoxl update\DeleteFiles
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\AccountDomainSid
Other behavior
Behavior description:Checks whether it is being debugged
details:IsDebuggerPresent
Behavior description:Creates mutex
details:Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Global\WindowsUpdateTracingMutex
Global\Instance0: ESENT Performance Data Schema Version 85
Local\WERReportingForProcess3436
Global\5e513f2d-8d23-11e7-828e-080027488980
Local\_!MSFTHISTORY!_
Local\c:!windows!system32!config!systemprofile!appdata!local!microsoft!windows!temporary internet files!content.ie5!
Local\c:!windows!system32!config!systemprofile!appdata!roaming!microsoft!windows!cookies!
Local\c:!windows!system32!config!systemprofile!appdata!local!microsoft!windows!history!history.ie5!
Local\WininetStartupMutex
Local\WininetProxyRegistryMutex
RasPbFile
Behavior description:Creates event object
details:EventName = MXIANG*
EventName = DbgEngEvent_00000E94
Behavior description:Opens mutex
details:Local\_!MSFTHISTORY!_
Local\c:!windows!system32!config!systemprofile!appdata!local!microsoft!windows!temporary internet files!content.ie5!
Local\c:!windows!system32!config!systemprofile!appdata!roaming!microsoft!windows!cookies!
Local\c:!windows!system32!config!systemprofile!appdata!local!microsoft!windows!history!history.ie5!
Local\WininetStartupMutex
Local\WininetProxyRegistryMutex
Local\!IETld!Mutex
Behavior description:Starts system service
details:[Service started successfully]: LocalSystem, update Image Acquisition (WDA), C:\Windows\system\lsacs.exe
Behavior description:Reads TickCount value
Behavior description:Adjusts process token privileges
details:SE_DEBUG_PRIVILEGE
SE_ASSIGNPRIMARYTOKEN_PRIVILEGE
SE_MANAGE_VOLUME_PRIVILEGE
SE_SHUTDOWN_PRIVILEGE
SE_AUDIT_PRIVILEGE
Behavior description:Opens event
details:HookSwitchHookEnabledEvent
\KernelObjects\MaximumCommitCondition
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
Global\TermSrvReadyEvent
\KernelObjects\SystemErrorPortReady
3436-AppRecorderEnabled
\KernelObjects\MemoryErrors
MSFT.VSA.COM.DISABLE.3556
MSFT.VSA.IEC.STATUS.6c736db0
N/A
Behavior description:Executable signature information
details:C:\Windows\system\lsacs.exe (signature verification: failed)
Behavior description:Calls Sleep function
details:[1]: MilliSeconds = 500.
[2]: MilliSeconds = 1.
[3]: MilliSeconds = 60000.
[4]: MilliSeconds = 200.
[5]: MilliSeconds = 60000.
[6]: MilliSeconds = 200.
[7]: MilliSeconds = 200.
[8]: MilliSeconds = 60000.
[9]: MilliSeconds = 200.
[10]: MilliSeconds = 60000.
Behavior description:Executable MD5
details:C:\Windows\system\lsacs.exe ---> 4e13950c53e6943858305264bdd4ec82
Behavior description:Reads CPU clock counter directly
Behavior description:Creates system service
details:[Service created successfully]: jgumfoxl update, C:\Windows\system\lsacs.exe
Behavior description:Loads newly dropped file
details:Image: C:\Windows\system\lsacs.exe.