VirSCAN

1. You can upload any file, but there is a 20Mb limit per file.
2. VirSCAN supports Rar/Zip decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.

File information

Basic Information

MD5: 0af1cc5e071bffd9e73e2cc95750ad56
file type: EXE
Production company:
version:
Shell or compiler information: COMPILER:Microsoft Visual Studio .NET 2005 -- 2008 -> Microsoft Corporation [RAR SFX] *
Subfile info: Cheаt.exe / e883740a52b500a6f633b539566c82ea / EXE

Key behavior

Behavior description: Cross-process memory write
details: TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\RarSFX1\Cheаt.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000a0c
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\RarSFX1\Cheаt.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000a0c
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\RarSFX1\Cheаt.exe, WriteAddress = 0x7ffdd238, Size = 0x00000004 TargetPID = 0x00000a0c
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\mpv.exe, WriteAddress = 0x00150000, Size = 0x00000020 TargetPID = 0x00000a80
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\mpv.exe, WriteAddress = 0x00150020, Size = 0x00000034 TargetPID = 0x00000a80
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\mpv.exe, WriteAddress = 0x7ffd9238, Size = 0x00000004 TargetPID = 0x00000a80
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\WBP.exe, WriteAddress = 0x00150000, Size = 0x00000020 TargetPID = 0x00000b14
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\WBP.exe, WriteAddress = 0x00150020, Size = 0x00000034 TargetPID = 0x00000b14
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\WBP.exe, WriteAddress = 0x7ffd8238, Size = 0x00000004 TargetPID = 0x00000b14
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\mespv.exe, WriteAddress = 0x00150000, Size = 0x00000020 TargetPID = 0x00000b54
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\mespv.exe, WriteAddress = 0x00150020, Size = 0x00000034 TargetPID = 0x00000b54
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\mespv.exe, WriteAddress = 0x7ffdf238, Size = 0x00000004 TargetPID = 0x00000b54
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\pv.exe, WriteAddress = 0x00150000, Size = 0x00000020 TargetPID = 0x00000bc4
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\pv.exe, WriteAddress = 0x00150020, Size = 0x00000034 TargetPID = 0x00000bc4
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\pv.exe, WriteAddress = 0x7ffd9238, Size = 0x00000004 TargetPID = 0x00000bc4
Behavior description: Set special folder attributes
details: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
Behavior description: Read the CPU clock directly
details: EAX = 0x5a4814a1, EDX = 0x00000038
EAX = 0x5f82e35a, EDX = 0x00000038
EAX = 0x6235e2d6, EDX = 0x00000038
EAX = 0xd8ce8f6f, EDX = 0x00000038
EAX = 0xde348e1b, EDX = 0x00000038
EAX = 0xde348e67, EDX = 0x00000038
EAX = 0xde348eb3, EDX = 0x00000038
EAX = 0xe0bc5e3c, EDX = 0x00000038
EAX = 0xe0bc5e88, EDX = 0x00000038
EAX = 0xe0bc5ed4, EDX = 0x00000038
EAX = 0x7aedcbd5, EDX = 0x00000039
EAX = 0x956a3428, EDX = 0x00000039
EAX = 0xa7cd9eeb, EDX = 0x00000039
EAX = 0xc4d1d67b, EDX = 0x00000039
EAX = 0xccbfa464, EDX = 0x00000039
Behavior description: Get TickCount value
details: TickCount = 79296, SleepMilliseconds = 5000.
TickCount = 79312, SleepMilliseconds = 5000.
TickCount = 75791, SleepMilliseconds = 10.
TickCount = 75806, SleepMilliseconds = 10.
TickCount = 75822, SleepMilliseconds = 10.
TickCount = 75838, SleepMilliseconds = 10.
TickCount = 76010, SleepMilliseconds = 10.
TickCount = 76025, SleepMilliseconds = 10.
TickCount = 76056, SleepMilliseconds = 10.
TickCount = 76103, SleepMilliseconds = 10.
TickCount = 76166, SleepMilliseconds = 10.
TickCount = 76166, SleepMilliseconds = 60000.
TickCount = 136156, SleepMilliseconds = 60000.
TickCount = 136171, SleepMilliseconds = 60000.
TickCount = 136203, SleepMilliseconds = 60000.

File behavior

Behavior description: Create file
details: C:\Users\Administrator\AppData\Local\Temp\RarSFX1\__tmp_rar_sfx_access_check_68390
C:\Users\Administrator\AppData\Local\Temp\RarSFX1\Cheаt.exe
C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Users\Administrator\AppData\Local\Temp\mpv.exe
C:\Users\Administrator\AppData\Local\Temp\mpvp.txt
C:\Users\Administrator\AppData\Local\Temp\WBP.exe
C:\Users\Administrator\AppData\Local\Temp\WBVP.txt
C:\Users\Administrator\AppData\Local\Temp\mespv.exe
C:\Users\Administrator\AppData\Local\Temp\mespvp.txt
C:\Users\Administrator\AppData\Local\Temp\pv.exe
C:\Users\Administrator\AppData\Local\Temp\pvp.txt
C:\Users\Administrator\AppData\Local\Microsoft\Windows\WER\ERC\statecache.lock
Behavior description: Create executable file
details: C:\Users\Administrator\AppData\Local\Temp\RarSFX1\Cheаt.exe
C:\Users\Administrator\AppData\Local\Temp\mpv.exe
C:\Users\Administrator\AppData\Local\Temp\WBP.exe
C:\Users\Administrator\AppData\Local\Temp\mespv.exe
C:\Users\Administrator\AppData\Local\Temp\pv.exe
Behavior description: Search for file
details: FileName = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe
FileName = C:\Users
FileName = C:\Users\ADMINI~1
FileName = C:\Users\ADMINI~1\AppData
FileName = C:\Users\ADMINI~1\AppData\Local
FileName = C:\Users\ADMINI~1\AppData\Local\Temp
FileName = C:\Users\ADMINI~1\AppData\Local\Temp\RarSFX1
FileName = C:\Users\ADMINI~1\AppData\Local\Temp\RarSFX1\Cheаt.exe
FileName = C:\Users\ADMINI~1\AppData\Local\Temp\RarSFX1\*.*
FileName = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoreei.dll
FileName = C:\Windows\Microsoft.NET\Framework\Upgrades.2.0.50727\mscoreei.dll
FileName = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
FileName = C:\Windows
FileName = C:\Windows\WinSxS
FileName = C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
Behavior description: Delete file
details: C:\Users\Administrator\AppData\Local\Temp\RarSFX1\__tmp_rar_sfx_access_check_68390
C:\Users\Administrator\AppData\Local\Temp\mpv.exe
C:\Users\Administrator\AppData\Local\Temp\mpvp.txt
C:\Users\Administrator\AppData\Local\Temp\WBP.exe
C:\Users\Administrator\AppData\Local\Temp\WBVP.txt
C:\Users\Administrator\AppData\Local\Temp\mespv.exe
C:\Users\Administrator\AppData\Local\Temp\mespvp.txt
C:\Users\Administrator\AppData\Local\Temp\pv.exe
C:\Users\Administrator\AppData\Local\Temp\pvp.txt
C:\Users\Administrator\AppData\Local\Microsoft\Windows\WER\ERC\statecache.lock
Behavior description: Set special folder attributes
details: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
Behavior description: Modify file contents
details: C:\Users\Administrator\AppData\Local\Temp\RarSFX1\Cheаt.exe ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\RarSFX1\Cheаt.exe ---> Offset = 363520
C:\Users\Administrator\AppData\Local\Temp\RarSFX1\Cheаt.exe ---> Offset = 393216
C:\Users\Administrator\AppData\Local\Temp\RarSFX1\Cheаt.exe ---> Offset = 458496
C:\Users\Administrator\AppData\Local\Temp\RarSFX1\Cheаt.exe ---> Offset = 458752
C:\Users\Administrator\AppData\Local\Temp\mpv.exe ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\WBP.exe ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\WBVP.txt ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\mespv.exe ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\pv.exe ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\pvp.txt ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\pvp.txt ---> Offset = 50
C:\Users\Administrator\AppData\Local\Temp\pvp.txt ---> Offset = 52
C:\Users\Administrator\AppData\Local\Temp\pvp.txt ---> Offset = 91
C:\Users\Administrator\AppData\Local\Temp\pvp.txt ---> Offset = 136

Network behavior

Behavior description: Establish a connection to a specified socket
details: URL: wpad, IP: **.133.40.**:128, SOCKET = 0x00000420
URL: a0****ru, IP: **.133.40.**:21, SOCKET = 0x00000440
Behavior description: Send HTTP packet
details: GET /wpad.dat HTTP/1.1 Accept: */* User-Agent: System.Net.AutoWebProxyScriptEngine/2.0.50727.5420 Host: **.133.40.**:128 Connection: Close
Behavior description: Resolve host address by name
details: GetAddrInfoW: wpad
GetAddrInfoW: a0****ru

Registry behavior

Behavior description: Modify registry
details: \REGISTRY\USER\S-*\Software\Microsoft\GDIPlus\FontCachePath
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\zbavgbe\DD.rkr
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\Nqzvavfgengbe\NccQngn\Ybpny\Grzc\EneFSK1\Purаg.rkr
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Cheаt_RASAPI32\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Cheаt_RASAPI32\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Cheаt_RASAPI32\FileTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Cheаt_RASAPI32\ConsoleTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Cheаt_RASAPI32\MaxFileSize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Cheаt_RASAPI32\FileDirectory
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Cheаt_RASMANCS\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Cheаt_RASMANCS\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Cheаt_RASMANCS\FileTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Cheаt_RASMANCS\ConsoleTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Cheаt_RASMANCS\MaxFileSize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Cheаt_RASMANCS\FileDirectory
Behavior description: Delete registry value
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName

Other behavior

Behavior description: Check whether it is being debugged
details: IsDebuggerPresent
Behavior description: Create mutex
details: Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
RasPbFile
Global\.net clr networking
Local\_!MSFTHISTORY!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!
CDBurnNotify
Global\CDBurnExclusive
Behavior description: Hide specified window
details: [Window,Class] = [,ComboLBox]
[Window,Class] = [&Обзор...,Button]
[Window,Class] = [C:\Users\ADMINI~1\AppData\Local\Temp\RarSFX1,ComboBox]
[Window,Class] = [,WindowsForms10.Window.8.app.0.33c0d9d]
Behavior description: Open mutex
details: DefaultTabtip-MainUI
Local\MSCTF.Asm.MutexDefault1
Global\CLR_CASOFF_MUTEX
Global\.net clr networking
Local\_!MSFTHISTORY!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!
CDBurnNotify
Global\CDBurnExclusive
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [EDIT,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [SystemTray_Main,]
Behavior description: Start system service
details: [service start succeeded]: LocalSystem, Program Compatibility Assistant Service, C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
[service start failed]: LocalSystem, Program Compatibility Assistant Service, C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
[service start succeeded]: LocalSystem, Protected Storage, C:\Windows\system32\lsass.exe
[service start succeeded]: LocalSystem, Credential Manager, C:\Windows\system32\lsass.exe
[服务启动成功]: LocalSystem, Credential Manager, C:\Windows\system32\lsass.exe
Behavior description: Window information
details: Pid = 2572, Hwnd=0x201f4, Text = 确定, ClassName = Button.
Pid = 2572, Hwnd=0x101f8, Text = 锣 忮瘃? 漯嚅忮疣 礤 镱滗屦骅忄弪? 溧眄 镳桦铈屙桢?, ClassName = Static.
Pid = 2572, Hwnd=0x201f2, Text = 马桁囗桢, ClassName = #32770.
Behavior description: Get TickCount value
details: TickCount = 79296, SleepMilliseconds = 5000.
TickCount = 79312, SleepMilliseconds = 5000.
TickCount = 75791, SleepMilliseconds = 10.
TickCount = 75806, SleepMilliseconds = 10.
TickCount = 75822, SleepMilliseconds = 10.
TickCount = 75838, SleepMilliseconds = 10.
TickCount = 76010, SleepMilliseconds = 10.
TickCount = 76025, SleepMilliseconds = 10.
TickCount = 76056, SleepMilliseconds = 10.
TickCount = 76103, SleepMilliseconds = 10.
TickCount = 76166, SleepMilliseconds = 10.
TickCount = 76166, SleepMilliseconds = 60000.
TickCount = 136156, SleepMilliseconds = 60000.
TickCount = 136171, SleepMilliseconds = 60000.
TickCount = 136203, SleepMilliseconds = 60000.
Behavior description: Adjust process token privileges
details: SE_SHUTDOWN_PRIVILEGE
SE_DEBUG_PRIVILEGE
Behavior description: Open event
details: HookSwitchHookEnabledEvent
\KernelObjects\MaximumCommitCondition
Local\MSCTF.CtfActivated.Default1
Local\MSCTF.AsmCacheReady.Default1
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SC_AutoStartComplete
Global\SvcctrlStartEvent_A3752DX
Global\CLR_PerfMon_StartEnumEvent
\KernelObjects\LowMemoryCondition
Global\PS_SERVICE_STARTED
MSFT.VSA.COM.DISABLE.2572
MSFT.VSA.IEC.STATUS.6c736db0
Behavior description: Executable signature information
details: C:\Users\Administrator\AppData\Local\Temp\RarSFX1\Cheаt.exe (signature verification: failed)
C:\Users\Administrator\AppData\Local\Temp\mpv.exe (signature verification: failed)
C:\Users\Administrator\AppData\Local\Temp\WBP.exe (signature verification: failed)
C:\Users\Administrator\AppData\Local\Temp\mespv.exe (signature verification: failed)
C:\Users\Administrator\AppData\Local\Temp\pv.exe (signature verification: failed)
Behavior description: Call Sleep function
details: [1]: MilliSeconds = 5000.
[1]: MilliSeconds = 20.
[2]: MilliSeconds = 20.
[1]: MilliSeconds = 500.
[3]: MilliSeconds = 20.
[4]: MilliSeconds = 20.
[5]: MilliSeconds = 20.
[6]: MilliSeconds = 20.
[7]: MilliSeconds = 20.
[8]: MilliSeconds = 10.
[9]: MilliSeconds = 60000.
Behavior description: Create event object
details: EventName = Global\CorDBIPCSetupSyncEvent_2572
Behavior description: Executable MD5
details: C:\Users\Administrator\AppData\Local\Temp\RarSFX1\Cheаt.exe ---> e883740a52b500a6f633b539566c82ea
C:\Users\Administrator\AppData\Local\Temp\mpv.exe ---> a138fca70622323e45d6018125322051
C:\Users\Administrator\AppData\Local\Temp\WBP.exe ---> 6d95f03eaf83b31686f263260202ee36
C:\Users\Administrator\AppData\Local\Temp\mespv.exe ---> ffc52f2b4435fcddaca6e15489a88b75
C:\Users\Administrator\AppData\Local\Temp\pv.exe ---> afe3aeeffaa1e1772a926ca45923f33f
Behavior description: Read the CPU clock directly
details: EAX = 0x5a4814a1, EDX = 0x00000038
EAX = 0x5f82e35a, EDX = 0x00000038
EAX = 0x6235e2d6, EDX = 0x00000038
EAX = 0xd8ce8f6f, EDX = 0x00000038
EAX = 0xde348e1b, EDX = 0x00000038
EAX = 0xde348e67, EDX = 0x00000038
EAX = 0xde348eb3, EDX = 0x00000038
EAX = 0xe0bc5e3c, EDX = 0x00000038
EAX = 0xe0bc5e88, EDX = 0x00000038
EAX = 0xe0bc5ed4, EDX = 0x00000038
EAX = 0x7aedcbd5, EDX = 0x00000039
EAX = 0x956a3428, EDX = 0x00000039
EAX = 0xa7cd9eeb, EDX = 0x00000039
EAX = 0xc4d1d67b, EDX = 0x00000039
EAX = 0xccbfa464, EDX = 0x00000039
Behavior description: Load newly dropped file
details: Image: C:\Users\ADMINI~1\AppData\Local\Temp\RarSFX1\Cheаt.exe.
Image: C:\Users\ADMINI~1\AppData\Local\Temp\mpv.exe.
Image: C:\Users\ADMINI~1\AppData\Local\Temp\WBP.exe.
Image: C:\Users\ADMINI~1\AppData\Local\Temp\mespv.exe.
Image: C:\Users\ADMINI~1\AppData\Local\Temp\pv.exe.

Run screenshot