VirSCAN



File information
Safety rating:88
Behavior list
Basic Information
MD5:864eadb46128953a15e5ed669a7e2e5a
file type:Rar
Production company:
version:
Shell or compiler information:COMPILER:PE+(32)
Subfile information:mpress_623ec34bdumpFile / c04e9c0609d921f3bfe23ae250d1aa0b / EXE
CGI.exedumpFile / 5f3221db6021545e93e8166c8f3b6ac8 / EXE
CGI.exe / 5f3221db6021545e93e8166c8f3b6ac8 / EXE
Key behavior
Behavior description:Directly calls critical system APIs
details:Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x00403FAB
Behavior description:Kills process
details:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~6868864846517124295\wimlib-imagex.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~pecmd_exedat.2484.3341860883~.tmp\~pecmd_exedat.2484.0~.tmp
Behavior description:Looks up PE resource information
details:(FindResourceW) hModule = 0x00400000, ResName: #868, ResType: EXEDATA
(FindResourceW) hModule = 0x00400000, ResName: #866, ResType: EXEDATA
(FindResourceW) hModule = 0x00400000, ResName: #867, ResType: EXEDATA
(FindResourceW) hModule = 0x00400000, ResName: #861, ResType: EXEDATA
(FindResourceW) hModule = 0x00400000, ResName: #863, ResType: EXEDATA
Behavior description:Gets TickCount value
details:TickCount = 5437579, SleepMilliseconds = 1.
TickCount = 5437594, SleepMilliseconds = 1.
TickCount = 5437610, SleepMilliseconds = 1.
TickCount = 5437626, SleepMilliseconds = 1.
TickCount = 5437641, SleepMilliseconds = 1.
TickCount = 5437657, SleepMilliseconds = 1.
TickCount = 5437672, SleepMilliseconds = 1.
TickCount = 5437688, SleepMilliseconds = 1.
TickCount = 5437704, SleepMilliseconds = 1.
TickCount = 5437719, SleepMilliseconds = 1.
TickCount = 5437735, SleepMilliseconds = 1.
TickCount = 5437751, SleepMilliseconds = 1.
TickCount = 5437766, SleepMilliseconds = 1.
TickCount = 5437782, SleepMilliseconds = 1.
TickCount = 5437797, SleepMilliseconds = 1.
Behavior description:Blocks window close message
details:hWnd = 0x000e02b4, Text = < CGI 3.3.0.0 By CloneCD > 修改:JexChan QQ:527104427, ClassName = #32770.
Process behavior
Behavior description:Creates process with hidden window
details:ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~6868864846517124295\wimlib-imagex.exe, CmdLine = Wimlib_exe --version
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~pecmd_exedat.2484.3341860883~.tmp\~pecmd_exedat.2484.0~.tmp, CmdLine = Ghost_exe -ver
ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\CGI.exe, CmdLine = PECMD**pecmd-cmd* WAIT *2736 -del "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~pecmd_exedat.2484.3341860883~.tmp"
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~pecmd_exedat.2484.1109773333~.tmp\~pecmd_exedat.2484.0~.tmp, CmdLine = USORT_EXE -mohong
ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\CGI.exe, CmdLine = PECMD**pecmd-cmd* WAIT *2772 -del "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~pecmd_exedat.2484.1109773333~.tmp"
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~pecmd_exedat.2484.612627558~.tmp\~pecmd_exedat.2484.0~.tmp, CmdLine = HDSIZEID_EXE -mohong
ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\CGI.exe, CmdLine = PECMD**pecmd-cmd* WAIT *2808 -del "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~pecmd_exedat.2484.612627558~.tmp"
ImagePath = , CmdLine = CMD.EXE /C ver
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~pecmd_exedat.2484.3775887859~.tmp\.ex\OSFMount.com, CmdLine = OSFMount_EXE -d -m Z:
Behavior description:Creates process
details:[0x00000ab8]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\CGI.exe, CmdLine = PECMD**pecmd-cmd* WAIT *2736 -del "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~pecmd_exedat.2484.3341860883~.tmp"
[0x00000af0]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\CGI.exe, CmdLine = PECMD**pecmd-cmd* WAIT *2772 -del "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~pecmd_exedat.2484.1109773333~.tmp"
[0x00000b08]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\CGI.exe, CmdLine = PECMD**pecmd-cmd* WAIT *2808 -del "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~pecmd_exedat.2484.612627558~.tmp"
[0x00000b34]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = CMD.EXE /C ver
Behavior description:Creates local thread
details:TargetProcess: CGI.exe, InheritedFromPID = 1944, ProcessID = 2484, ThreadID = 2512, StartAddress = 00402FF2, Parameter = 004ACC04
TargetProcess: CGI.exe, InheritedFromPID = 1944, ProcessID = 2484, ThreadID = 2544, StartAddress = 004607D8, Parameter = 0363F228
TargetProcess: CGI.exe, InheritedFromPID = 1944, ProcessID = 2484, ThreadID = 2548, StartAddress = 004607D8, Parameter = 0363F228
TargetProcess: CGI.exe, InheritedFromPID = 2484, ProcessID = 2744, ThreadID = 2836, StartAddress = 00402FF2, Parameter = 004ACC04
TargetProcess: CGI.exe, InheritedFromPID = 2484, ProcessID = 2800, ThreadID = 2856, StartAddress = 00402FF2, Parameter = 004ACC04
TargetProcess: CGI.exe, InheritedFromPID = 2484, ProcessID = 2824, ThreadID = 2924, StartAddress = 00402FF2, Parameter = 004ACC04
Behavior description:Creates process from newly created file
details:[0x00000a1c]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~6868864846517124295\wimlib-imagex.exe, CmdLine = Wimlib_exe --version
[0x00000ab0]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~pecmd_exedat.2484.3341860883~.tmp\~pecmd_exedat.2484.0~.tmp, CmdLine = Ghost_exe -ver
[0x00000ad4]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~pecmd_exedat.2484.1109773333~.tmp\~pecmd_exedat.2484.0~.tmp, CmdLine = USORT_EXE -mohong
[0x00000af8]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~pecmd_exedat.2484.612627558~.tmp\~pecmd_exedat.2484.0~.tmp, CmdLine = HDSIZEID_EXE -mohong
Behavior description:Kills process
details:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~6868864846517124295\wimlib-imagex.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~pecmd_exedat.2484.3341860883~.tmp\~pecmd_exedat.2484.0~.tmp
File behavior
Behavior description:Creates file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\~pecmd_devi.2484.0~.tmp.cab
C:\Documents and Settings\Administrator\Local Settings\Temp\~6868864846517124295\libwim-15.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\~6868864846517124295\wimlib-imagex.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\~pecmd_exedat.2484.3341860883~.tmp\~pecmd_exedat.2484.0~.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~pecmd_exedat.2484.1109773333~.tmp\~pecmd_exedat.2484.0~.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~pecmd_exedat.2484.612627558~.tmp\~pecmd_exedat.2484.0~.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~pecmd_exedat.2484.3775887859~.tmp\~pecmd_exedat.2484.0~.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~pecmd_exedat.2484.3775887859~.tmp\.ex\OSFMount.com
C:\Documents and Settings\Administrator\Local Settings\Temp\~pecmd_exedat.2484.3775887859~.tmp\.ex\OSFMount.sys
Behavior description:Modifies file content
details:C:\Documents and Settings\Administrator\Local Settings\Temp\~pecmd_devi.2484.0~.tmp.cab ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~6868864846517124295\libwim-15.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~6868864846517124295\libwim-15.dll ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\Temp\~6868864846517124295\libwim-15.dll ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\~6868864846517124295\libwim-15.dll ---> Offset = 98304
C:\Documents and Settings\Administrator\Local Settings\Temp\~6868864846517124295\libwim-15.dll ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\~6868864846517124295\wimlib-imagex.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~6868864846517124295\wimlib-imagex.exe ---> Offset = 12800
C:\Documents and Settings\Administrator\Local Settings\Temp\~6868864846517124295\wimlib-imagex.exe ---> Offset = 45568
C:\Documents and Settings\Administrator\Local Settings\Temp\~6868864846517124295\wimlib-imagex.exe ---> Offset = 78336
C:\Documents and Settings\Administrator\Local Settings\Temp\~6868864846517124295\wimlib-imagex.exe ---> Offset = 111104
C:\Documents and Settings\Administrator\Local Settings\Temp\~pecmd_exedat.2484.3341860883~.tmp\~pecmd_exedat.2484.0~.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~pecmd_exedat.2484.1109773333~.tmp\~pecmd_exedat.2484.0~.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~pecmd_exedat.2484.612627558~.tmp\~pecmd_exedat.2484.0~.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~pecmd_exedat.2484.3775887859~.tmp\~pecmd_exedat.2484.0~.tmp ---> Offset = 0
Behavior description:Creates executable file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\~6868864846517124295\libwim-15.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\~6868864846517124295\wimlib-imagex.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\~pecmd_exedat.2484.3341860883~.tmp\~pecmd_exedat.2484.0~.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~pecmd_exedat.2484.1109773333~.tmp\~pecmd_exedat.2484.0~.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~pecmd_exedat.2484.612627558~.tmp\~pecmd_exedat.2484.0~.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~pecmd_exedat.2484.3775887859~.tmp\.ex\OSFMount.com
C:\Documents and Settings\Administrator\Local Settings\Temp\~pecmd_exedat.2484.3775887859~.tmp\.ex\OSFMount.sys
Behavior description:Deletes file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\~pecmd_devi.2484.0~.tmp.cab
C:\Documents and Settings\Administrator\Local Settings\Temp\~6868864846517124295\libwim-15.dll
Behavior description:Searches for file
details:FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\CGI.exe#101.LOG
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\CGI.exe.cfg
FileName = C:\WINDOWS\fonts\simsun*
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~6868864846517124295
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~pecmd_devi.2484.0~.tmp.cab
FileName = C:\*.*
FileName = C:\DOCUME~1
FileName = C:\Documents and Settings\ADMINI~1
FileName = C:\Documents and Settings\Administrator\LOCALS~1
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\~pecmd_devi.2484.0~.tmp.cab
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~6868864846517124295\*.*
Other behavior
Behavior description:Creates mutex
details:Local\pecmd2012.lock.CGI_PLUS_START_EXE
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.ILJ
Behavior description:Hides specified window
details:[Window,Class] = [,ComboLBox]
[Window,Class] = [3.请选择目标分区:,Static]
[Window,Class] = [源分区:无,Static]
[Window,Class] = [目标分区:无,Static]
[Window,Class] = [P1,#32770]
[Window,Class] = [3.请选择目标硬盘:,Static]
[Window,Class] = [源硬盘:无,Static]
[Window,Class] = [目标硬盘:无,Static]
[Window,Class] = [P2,#32770]
[Window,Class] = [,Static]
[Window,Class] = [P3,#32770]
[Window,Class] = [P4,#32770]
[Window,Class] = [正在搜索镜像文件,请稍候... 已用时间: 10秒,Edit]
[Window,Class] = [卸载菜单,Button]
[Window,Class] = [清除热键,Button]
Behavior description:Directly calls critical system APIs
details:Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x00403FAB
Behavior description:Searches for specified window
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description:Opens event
details:HookSwitchHookEnabledEvent
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000052
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000052
MSCTF.SendReceiveConection.Event.ELH.IC
MSCTF.SendReceive.Event.ELH.IC
Global\crypt32LogoffEvent
_fCanRegisterWithShellService
Behavior description:Gets TickCount value
details:TickCount = 5437579, SleepMilliseconds = 1.
TickCount = 5437594, SleepMilliseconds = 1.
TickCount = 5437610, SleepMilliseconds = 1.
TickCount = 5437626, SleepMilliseconds = 1.
TickCount = 5437641, SleepMilliseconds = 1.
TickCount = 5437657, SleepMilliseconds = 1.
TickCount = 5437672, SleepMilliseconds = 1.
TickCount = 5437688, SleepMilliseconds = 1.
TickCount = 5437704, SleepMilliseconds = 1.
TickCount = 5437719, SleepMilliseconds = 1.
TickCount = 5437735, SleepMilliseconds = 1.
TickCount = 5437751, SleepMilliseconds = 1.
TickCount = 5437766, SleepMilliseconds = 1.
TickCount = 5437782, SleepMilliseconds = 1.
TickCount = 5437797, SleepMilliseconds = 1.
Behavior description:Adjusts process token privileges
details:SE_BACKUP_PRIVILEGE
SE_RESTORE_PRIVILEGE
SE_INC_BASE_PRIORITY_PRIVILEGE
SE_LOAD_DRIVER_PRIVILEGE
SE_DEBUG_PRIVILEGE
Behavior description:Blocks window close message
details:hWnd = 0x000e02b4, Text = < CGI 3.3.0.0 By CloneCD > 修改:JexChan QQ:527104427, ClassName = #32770.
Behavior description:Window information
details:Pid = 2484, Hwnd=0x16032e, Text = P1, ClassName = #32770.
Pid = 2484, Hwnd=0xf034a, Text = 1.请选择您要进行的操作:, ClassName = Static.
Pid = 2484, Hwnd=0x603c6, Text = 还原分区, ClassName = Button(RadioButton).
Pid = 2484, Hwnd=0xc038a, Text = 备份分区, ClassName = Button(RadioButton).
Pid = 2484, Hwnd=0x15030c, Text = 分区对拷, ClassName = Button(RadioButton).
Pid = 2484, Hwnd=0x6037e, Text = 2.请选择分区(用鼠标左键单击), ClassName = Static.
Pid = 2484, Hwnd=0x170340, Text = 3.请选择镜像文件:, ClassName = Static.
Pid = 2484, Hwnd=0x303d0, Text = ..., ClassName = Button.
Pid = 2484, Hwnd=0x503ae, Text = ..., ClassName = Button.
Pid = 2484, Hwnd=0xb037c, Text = 正在搜索镜像文件,请稍候... 已用时间: 2秒, ClassName = Edit.
Pid = 2484, Hwnd=0x703bc, Text = 3.请选择目标分区:, ClassName = Static.
Pid = 2484, Hwnd=0x903a2, Text = 状态:, ClassName = Static.
Pid = 2484, Hwnd=0xa03c4, Text = 所选操作:还原分区, ClassName = Static.
Pid = 2484, Hwnd=0x50374, Text = 所选分区:无, ClassName = Static.
Pid = 2484, Hwnd=0x8038c, Text = 源分区:无, ClassName = Static.
Behavior description:Looks up PE resource information
details:(FindResourceW) hModule = 0x00400000, ResName: #868, ResType: EXEDATA
(FindResourceW) hModule = 0x00400000, ResName: #866, ResType: EXEDATA
(FindResourceW) hModule = 0x00400000, ResName: #867, ResType: EXEDATA
(FindResourceW) hModule = 0x00400000, ResName: #861, ResType: EXEDATA
(FindResourceW) hModule = 0x00400000, ResName: #863, ResType: EXEDATA
Behavior description:Directly accesses physical device
details:\??\PhysicalDrive0
Behavior description:Executable file signature information
details:C:\Documents and Settings\Administrator\Local Settings\Temp\~6868864846517124295\libwim-15.dll(signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\~6868864846517124295\wimlib-imagex.exe(signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\~pecmd_exedat.2484.3341860883~.tmp\~pecmd_exedat.2484.0~.tmp(signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\~pecmd_exedat.2484.1109773333~.tmp\~pecmd_exedat.2484.0~.tmp(signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\~pecmd_exedat.2484.612627558~.tmp\~pecmd_exedat.2484.0~.tmp(signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\~pecmd_exedat.2484.3775887859~.tmp\.ex\OSFMount.com(signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\~pecmd_exedat.2484.3775887859~.tmp\.ex\OSFMount.sys(signature verification: passed)
Behavior description:Calls Sleep function
details:[1]: MilliSeconds = 1.
[2]: MilliSeconds = 1.
[3]: MilliSeconds = 1.
[4]: MilliSeconds = 1.
[5]: MilliSeconds = 1.
[6]: MilliSeconds = 1.
[7]: MilliSeconds = 1.
[8]: MilliSeconds = 1.
[9]: MilliSeconds = 1.
[10]: MilliSeconds = 1.
Behavior description:Creates event object
details:EventName = Global\crypt32LogoffEvent
EventName = ShellCopyEngineRunning
EventName = ShellCopyEngineFinished
EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceive.Event.ILJ.IC
EventName = MSCTF.SendReceiveConection.Event.ILJ.IC
Behavior description:Executable file MD5
details:C:\Documents and Settings\Administrator\Local Settings\Temp\~6868864846517124295\libwim-15.dll ---> 15f2912fd90940d2ad7fb8fefd61e97e
C:\Documents and Settings\Administrator\Local Settings\Temp\~6868864846517124295\wimlib-imagex.exe ---> f169c509ce362d13dff93d14dc742ebf
C:\Documents and Settings\Administrator\Local Settings\Temp\~pecmd_exedat.2484.3341860883~.tmp\~pecmd_exedat.2484.0~.tmp ---> 0de100d62e2942f0bc86003ccc72dd0d
C:\Documents and Settings\Administrator\Local Settings\Temp\~pecmd_exedat.2484.1109773333~.tmp\~pecmd_exedat.2484.0~.tmp ---> 0cb9c0329fefacfd49c0f76c41c12b42
C:\Documents and Settings\Administrator\Local Settings\Temp\~pecmd_exedat.2484.612627558~.tmp\~pecmd_exedat.2484.0~.tmp ---> dc2dd3b74c29fa9ec3439e6b75ce41ab
C:\Documents and Settings\Administrator\Local Settings\Temp\~pecmd_exedat.2484.3775887859~.tmp\.ex\OSFMount.com ---> 2e8e7fb0c829c20bda02dee9c4f9f966
C:\Documents and Settings\Administrator\Local Settings\Temp\~pecmd_exedat.2484.3775887859~.tmp\.ex\OSFMount.sys ---> 195c48dee1b2afe92553eb5a947b1c19
Behavior description:Opens mutex
details:ShimCacheMutex
Behavior description:Loads newly dropped file
details:Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~6868864846517124295\libwim-15.dll.
Run screenshot