VirSCAN

1, You can upload any file, but there is a 20 MB limit per file.
2, VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3, VirSCAN can scan password-protected archives if the password is 'infected' or 'virus'.

File information
Safety rating: 17
Behavior list
Basic Information
MD5: c94aecf0f26de0be739ec282df46acd6
File type: EXE
Production company: 360.cn
Version: 8.1.1.246---8.1.1.246
Shell or compiler information: COMPILER: Microsoft Visual C++
Subfile information: (list of embedded XML/PNG resource files with their MD5 hashes omitted)
Key behavior
Behavior description: Self-deletion
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
Behavior description: Get TickCount value
details: TickCount = 5431593, SleepMilliseconds = 500.
TickCount = 5431350, SleepMilliseconds = 100.
TickCount = 5431365, SleepMilliseconds = 100.
TickCount = 5611515, SleepMilliseconds = 180000.
TickCount = 5611531, SleepMilliseconds = 180000.
TickCount = 5431887, SleepMilliseconds = 200.
TickCount = 5437012, SleepMilliseconds = 200.
TickCount = 5437206, SleepMilliseconds = 300.
TickCount = 5442606, SleepMilliseconds = 200.
TickCount = 5442909, SleepMilliseconds = 300.
TickCount = 5448278, SleepMilliseconds = 200.
TickCount = 5448825, SleepMilliseconds = 200.
TickCount = 5454246, SleepMilliseconds = 200.
TickCount = 5454465, SleepMilliseconds = 200.
TickCount = 5459918, SleepMilliseconds = 200.
Behavior description: Create system service
details: [Service created successfully]: Stuvwx Abcdefgh Jkl, C:\WINDOWS\wqikik.exe
Behavior description: Process privilege elevation information
details: NT AUTHORITY\SYSTEM
Process behavior
Behavior description: Create process with hidden window
details: ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = "C:\WINDOWS\system32\cmd.exe" /c del C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\****.exe > nul
ImagePath = , CmdLine = at \\**.133.40.** 0:59 admin$\
ImagePath = , CmdLine = at \\**.133.40.** 0:60 admin$\
Behavior description: Create process
details: ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = "C:\WINDOWS\system32\cmd.exe" /c del C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\****.exe > nul
ImagePath = C:\WINDOWS\system32\at.exe, CmdLine = at \\**.133.40.** 0:59 admin$\
ImagePath = C:\WINDOWS\system32\at.exe, CmdLine = at \\**.133.40.** 0:60 admin$\
Behavior description: Create process from newly created file
details: ImagePath = C:\WINDOWS\wqikik.exe, CmdLine = C:\WINDOWS\wqikik.exe
Behavior description: Create local thread
details: TargetProcess: wqikik.exe, InheritedFromPID = 656, ProcessID = 3220, ThreadID = 3240, StartAddress = 77DC3519, Parameter = 00198488
TargetProcess: wqikik.exe, InheritedFromPID = 656, ProcessID = 3220, ThreadID = 3244, StartAddress = 00402DD5, Parameter = 00000000
TargetProcess: wqikik.exe, InheritedFromPID = 656, ProcessID = 3220, ThreadID = 3248, StartAddress = 004051E0, Parameter = 00000000
TargetProcess: wqikik.exe, InheritedFromPID = 656, ProcessID = 3220, ThreadID = 3252, StartAddress = 00405241, Parameter = 00000000
TargetProcess: wqikik.exe, InheritedFromPID = 656, ProcessID = 3220, ThreadID = 3256, StartAddress = 0040387C, Parameter = 00000000
TargetProcess: wqikik.exe, InheritedFromPID = 656, ProcessID = 3220, ThreadID = 3264, StartAddress = 00405128, Parameter = 00000000
TargetProcess: wqikik.exe, InheritedFromPID = 656, ProcessID = 3220, ThreadID = 3268, StartAddress = 00405184, Parameter = 00000000
TargetProcess: wqikik.exe, InheritedFromPID = 656, ProcessID = 3220, ThreadID = 3272, StartAddress = 004040DA, Parameter = 00000000
TargetProcess: wqikik.exe, InheritedFromPID = 656, ProcessID = 3220, ThreadID = 3276, StartAddress = 00404908, Parameter = 00000000
TargetProcess: wqikik.exe, InheritedFromPID = 656, ProcessID = 3220, ThreadID = 3352, StartAddress = 004040DA, Parameter = 00000000
TargetProcess: wqikik.exe, InheritedFromPID = 656, ProcessID = 3220, ThreadID = 3356, StartAddress = 00404908, Parameter = 00000000
TargetProcess: wqikik.exe, InheritedFromPID = 656, ProcessID = 3220, ThreadID = 3536, StartAddress = 004040DA, Parameter = 00000000
TargetProcess: wqikik.exe, InheritedFromPID = 656, ProcessID = 3220, ThreadID = 3544, StartAddress = 00404908, Parameter = 00000000
TargetProcess: wqikik.exe, InheritedFromPID = 656, ProcessID = 3220, ThreadID = 3608, StartAddress = 004040DA, Parameter = 00000000
TargetProcess: wqikik.exe, InheritedFromPID = 656, ProcessID = 3220, ThreadID = 3612, StartAddress = 00404908, Parameter = 00000000
File behavior
Behavior description: Create file
details: C:\WINDOWS\wqikik.exe
C:\WINDOWS\system32\wqikik.exe
Behavior description: Create executable file
details: C:\WINDOWS\wqikik.exe
C:\WINDOWS\system32\wqikik.exe
Behavior description: Overwrite existing file
details: C:\WINDOWS\system32\wqikik.exe
Behavior description: Copy file
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe ---> C:\WINDOWS\wqikik.exe
C:\WINDOWS\wqikik.exe ---> \\**.133.40.**\admin$\g1fd.exe
Behavior description: Search for file
details: FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\My Documents
FileName = C:\Documents and Settings\All Users
FileName = C:\Documents and Settings\All Users\Documents
FileName = C:\Documents and Settings\Administrator\桌面
FileName = C:\Documents and Settings\All Users\桌面
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\cmd.exe
FileName = C:\WINDOWS\system32\at.exe
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\****.exe
Behavior description: Modify file contents
details: C:\WINDOWS\wqikik.exe ---> Offset = 0
C:\WINDOWS\wqikik.exe ---> Offset = 65536
C:\WINDOWS\wqikik.exe ---> Offset = 131072
C:\WINDOWS\wqikik.exe ---> Offset = 196608
C:\WINDOWS\wqikik.exe ---> Offset = 262144
C:\WINDOWS\system32\wqikik.exe ---> Offset = 0
C:\WINDOWS\system32\wqikik.exe ---> Offset = 65536
C:\WINDOWS\system32\wqikik.exe ---> Offset = 131072
C:\WINDOWS\system32\wqikik.exe ---> Offset = 196608
C:\WINDOWS\system32\wqikik.exe ---> Offset = 262144
Network behavior
Behavior description: Establish connection to a specified socket
details: URL: , IP: **.114.97.**:41197, SOCKET = 0x000000ec
URL: ql****et, IP: **.133.40.**:9898, SOCKET = 0x00000140
URL: ww****om, IP: **.133.40.**:9999, SOCKET = 0x00000168
URL: ql****et, IP: **.133.40.**:9898, SOCKET = 0x00000164
URL: ww****om, IP: **.133.40.**:9999, SOCKET = 0x00000108
URL: ql****et, IP: **.133.40.**:9898, SOCKET = 0x0000010c
URL: ww****om, IP: **.133.40.**:9999, SOCKET = 0x00000150
URL: ww****om, IP: **.133.40.**:9999, SOCKET = 0x00000180
URL: ql****et, IP: **.133.40.**:9898, SOCKET = 0x0000015c
URL: ww****om, IP: **.133.40.**:9999, SOCKET = 0x0000010c
Behavior description: Resolve host address by name
details: gethostbyname: computer
DnsQuery_W: 1.110.110.110.in-addr.arpa.
gethostbyname: ql****et
gethostbyname: ww****om
DnsQuery_W: 2.110.110.110.in-addr.arpa.
DnsQuery_W: 3.110.110.110.in-addr.arpa.
DnsQuery_W: 4.110.110.110.in-addr.arpa.
Other behavior
Behavior description: Create mutex
details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Stuvwx Abcdefgh Jkl
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Behavior description: Start system service
details: [Service started successfully]: LocalSystem, Stuvwx Abcdefgh Jklmnopq Stuv, C:\WINDOWS\wqikik.exe
Behavior description: Adjust process token privileges
details: SE_LOAD_DRIVER_PRIVILEGE
SE_INC_BASE_PRIORITY_PRIVILEGE
Behavior description: Open event
details: Global\SvcctrlStartEvent_A3752DX
HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Behavior description: Executable file signature information
details: C:\WINDOWS\wqikik.exe (signature verification: failed)
C:\WINDOWS\system32\wqikik.exe (signature verification: failed)
Behavior description: Call Sleep function
details: [1]: MilliSeconds = 500.
[2]: MilliSeconds = 500.
[3]: MilliSeconds = 100.
[4]: MilliSeconds = 100.
[5]: MilliSeconds = 100.
[6]: MilliSeconds = 100.
[7]: MilliSeconds = 200.
[8]: MilliSeconds = 180000.
[9]: MilliSeconds = 180000.
[10]: MilliSeconds = 200.
Behavior description: Executable file MD5
details: C:\WINDOWS\wqikik.exe ---> c94aecf0f26de0be739ec282df46acd6
C:\WINDOWS\system32\wqikik.exe ---> c94aecf0f26de0be739ec282df46acd6
Behavior description: Open mutex
details: Local\!IETld!Mutex
ShimCacheMutex
Run screenshot: (screenshot image not preserved)