VirSCAN
File information
Safety rating:20
Behavior list
Basic Information
MD5:54988abc00108cb2a349645c483bf5a9
file type:Rar
Production company:
version:
Shell or compiler information:COMPILER:Elan
Subfile information:QQ加好友助手.exe / f71f65f9d1a647baab5408acf70ccd0d / EXE
Key behavior
Behavior description:Connect to QQ login server
details:WinHttpConnect: ServerName = xui.ptlogin2.qq.com, PORT = 443, UserName = , Password = , hSession = 0x010a3100, hConnect = 0x010a3200, Flags = 0x00000000
Behavior description:Get TickCount value
details:TickCount = 276812, SleepMilliseconds = 60000.
TickCount = 276828, SleepMilliseconds = 60000.
TickCount = 276906, SleepMilliseconds = 60000.
TickCount = 276937, SleepMilliseconds = 60000.
TickCount = 276953, SleepMilliseconds = 60000.
TickCount = 277125, SleepMilliseconds = 60000.
TickCount = 277234, SleepMilliseconds = 60000.
TickCount = 277437, SleepMilliseconds = 60000.
TickCount = 277750, SleepMilliseconds = 60000.
TickCount = 278062, SleepMilliseconds = 60000.
TickCount = 278375, SleepMilliseconds = 60000.
TickCount = 278687, SleepMilliseconds = 60000.
TickCount = 279000, SleepMilliseconds = 60000.
TickCount = 279125, SleepMilliseconds = 60000.
TickCount = 279312, SleepMilliseconds = 60000.
Process behavior
Behavior description:Create local thread
details:TargetProcess: QQ加好友助手.exe, InheritedFromPID = 2000, ProcessID = 2624, ThreadID = 2636, StartAddress = 00404E84, Parameter = 00000000
TargetProcess: QQ加好友助手.exe, InheritedFromPID = 2000, ProcessID = 2624, ThreadID = 2644, StartAddress = 77C0A341, Parameter = 00A07488
TargetProcess: QQ加好友助手.exe, InheritedFromPID = 2000, ProcessID = 2624, ThreadID = 2648, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: QQ加好友助手.exe, InheritedFromPID = 2000, ProcessID = 2624, ThreadID = 2652, StartAddress = 77E56C7D, Parameter = 001B89C0
TargetProcess: QQ加好友助手.exe, InheritedFromPID = 2000, ProcessID = 2624, ThreadID = 2656, StartAddress = 769AE43B, Parameter = 001BAA08
File behavior
Behavior description:Create file
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Config.ini
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\已经加过的QQ.txt
Behavior description:Overwrite existing file
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\已经加过的QQ.txt
Network behavior
Behavior description:Connect to specified site
details:WinHttpConnect: ServerName = ss****om, PORT = 443, UserName = , Password = , hSession = 0x01093100, hConnect = 0x01093200, Flags = 0x00000000
Behavior description:Open HTTP connection
details:WinHttpOpen: UserAgent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), hSession = 0x010a3100
WinHttpOpen: UserAgent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), hSession = 0x01093100
Behavior description:Establish a connection to a specified socket
details:URL: xu****om, IP: **.133.40.**:443, SOCKET = 0x00000194
URL: ss****om, IP: **.133.40.**:443, SOCKET = 0x000000a4
URL: ss****om, IP: **.133.40.**:443, SOCKET = 0x00000240
Behavior description:Open HTTP request
details:WinHttpOpenRequest: xu****om:443/cgi-bin/xlogin?proxy_url=https%3a//qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=https%3a%2f%2fqzs.qzone.qq.co, hConnect = 0x010a3200, hRequest = 0x010d2000, Verb: GET, Referer: , Flags = 0x00800080
WinHttpOpenRequest: ss****om:443/ptqrshow?appid=549000912&e=2&l=m&s=3&d=72&v=4&t=0.6372461656378562&daid=5, hConnect = 0x01093200, hRequest = 0x010d0000, Verb: GET, Referer: , Flags = 0x00800080
WinHttpOpenRequest: ss****om:443/ptqrlogin?u1=https%3a%2f%2fqzs.qzone.qq.com%2fqzone%2fv5%2floginsucc.html%3fpara%3dizone%26from%3diqq&ptqrtoken=0&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1500185102216&js_ver=10222&js_type=1&login_sig=&pt_uistyle=40&a, hConnect = 0x01093200, hRequest = 0x010d0000, Verb: GET, Referer: , Flags = 0x00800080
Behavior description:Get host address by name
details:GetAddrInfoW: xu****om
GetAddrInfoW: ss****om
Registry behavior
Behavior description:Delete registry key
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\
Behavior description:Delete registry value
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\DWFileTreeRoot
Other behavior
Behavior description:Create mutex
details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
Behavior description:Create event object
details:EventName = DINPUTWINMM
EventName = Global\crypt32LogoffEvent
EventName = Global\userenv: User Profile setup event
Behavior description:Find specified window
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behavior description:Window information
details:Pid = 2624, Hwnd=0x10350, Text = 确定, ClassName = Button.
Pid = 2624, Hwnd=0x10352, Text = 登录失败, ClassName = Static.
Pid = 2624, Hwnd=0x2034c, Text = 信息:, ClassName = #32770.
Pid = 2624, Hwnd=0x10342, Text = 程序异常, ClassName = WTWindow.
Pid = 2624, Hwnd=0x1039a, Text = 确定, ClassName = Button.
Pid = 2624, Hwnd=0x1039e, Text = 运行时出错! 错误信息:指定窗口或窗口组件不存在或尚未载入 , ClassName = Static.
Pid = 2624, Hwnd=0x10398, Text = 错误, ClassName = #32770.
Pid = 2624, Hwnd=0x1038a, Text = 状态, ClassName = msctls_statusbar32.
Pid = 2624, Hwnd=0x1037a, Text = 控制面板, ClassName = Button(GroupBox).
Pid = 2624, Hwnd=0x10394, Text = 你好,很高兴认识你, ClassName = Edit.
Pid = 2624, Hwnd=0x10392, Text = 附加信息, ClassName = _EL_Label.
Pid = 2624, Hwnd=0x1038e, Text = 5, ClassName = Edit.
Pid = 2624, Hwnd=0x1038c, Text = 添加等待/秒, ClassName = _EL_Label.
Pid = 2624, Hwnd=0x10388, Text = 0, ClassName = Edit.
Pid = 2624, Hwnd=0x10386, Text = 分组ID, ClassName = _EL_Label.
Behavior description:Call Sleep function
details:[1]: MilliSeconds = 60000.
[2]: MilliSeconds = 60000.
[3]: MilliSeconds = 60000.
[4]: MilliSeconds = 60000.
[5]: MilliSeconds = 60000.
[6]: MilliSeconds = 60000.
[7]: MilliSeconds = 60000.
[8]: MilliSeconds = 60000.
[9]: MilliSeconds = 60000.
[10]: MilliSeconds = 60000.
Behavior description:Open event
details:HookSwitchHookEnabledEvent
CTF.ThreadMIConnectionEvent.000007E8.00000000.0000000F
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.0000000F
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Global\crypt32LogoffEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
MSFT.VSA.COM.DISABLE.2624
MSFT.VSA.IEC.STATUS.6c736db0
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
Behavior description:Hide specified window
details:[Window,Class] = [,Edit]
[Window,Class] = [程序异常,WTWindow]
[Window,Class] = [,_EL_CommonDlg]
Behavior description:Open mutex
details:ShimCacheMutex