VirSCAN


File information
Safety rating: 70
Behavior list
Basic Information
MD5: 0f771651965136731fd75b60d9384f97
File type: zip
Production company:
Version:
Shell or compiler information: COMPILER: Microsoft Visual Studio .NET 2005 -- 2008 -> Microsoft Corporation [RAR SFX] *
Subfile information: Thunder9_BY_LUOCHENZHIMUdumpFile / d41d8cd98f00b204e9800998ecf8427e / Unknown
readme.pdf / ec2a0df6fa2add2b955f85d48b10281a / Unknown
Thunder9_BY_LUOCHENZHIMU.exe / 6203f41a12166c84a555865527546684 / EXE
Key behavior
Behavior description: Cross-process data write
details: TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050000, Size = 0x000005dc TargetPID = 0x00000ac4
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x7ffdb1e8, Size = 0x00000004 TargetPID = 0x00000ac4
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00060000, Size = 0x00000020 TargetPID = 0x00000ac4
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00060020, Size = 0x00000034 TargetPID = 0x00000ac4
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x7ffdb238, Size = 0x00000004 TargetPID = 0x00000ac4
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000b3c
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000b3c
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x7ffde238, Size = 0x00000004 TargetPID = 0x00000b3c
TargetProcess = C:\Windows\System32\reg.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000b08
TargetProcess = C:\Windows\System32\reg.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000b08
TargetProcess = C:\Windows\System32\reg.exe, WriteAddress = 0x7ffdd238, Size = 0x00000004 TargetPID = 0x00000b08
Behavior description: Directly reads the CPU clock counter
details: EAX = 0x18393dbd, EDX = 0x0000003b
EAX = 0x22da0ad6, EDX = 0x0000003b
EAX = 0x2561da5f, EDX = 0x0000003b
EAX = 0xc35f7e0d, EDX = 0x0000003b
EAX = 0xc5e74d96, EDX = 0x0000003b
EAX = 0xc5e74de2, EDX = 0x0000003b
EAX = 0xc5e74e2e, EDX = 0x0000003b
EAX = 0xc5e74e7a, EDX = 0x0000003b
EAX = 0xc5e74ec6, EDX = 0x0000003b
EAX = 0xc5e74f12, EDX = 0x0000003b
Process behavior
Behavior description: Create process
details: [0x00000ac4]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = cmd /c ""C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Install_Thunder_BY_LUOCHENZHIMU.cmd" "
[0x00000b3c]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = C:\Windows\system32\cmd.exe /c reg query "HKEY_CURRENT_USER\Software\Thunder Network\BHOEnum" /v Thunder7
[0x00000b08]ImagePath = C:\Windows\System32\reg.exe, CmdLine = reg query "HKEY_CURRENT_USER\Software\Thunder Network\BHOEnum" /v Thunder7
Behavior description: Cross-process data write
details: TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050000, Size = 0x000005dc TargetPID = 0x00000ac4
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x7ffdb1e8, Size = 0x00000004 TargetPID = 0x00000ac4
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00060000, Size = 0x00000020 TargetPID = 0x00000ac4
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00060020, Size = 0x00000034 TargetPID = 0x00000ac4
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x7ffdb238, Size = 0x00000004 TargetPID = 0x00000ac4
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000b3c
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000b3c
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x7ffde238, Size = 0x00000004 TargetPID = 0x00000b3c
TargetProcess = C:\Windows\System32\reg.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000b08
TargetProcess = C:\Windows\System32\reg.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000b08
TargetProcess = C:\Windows\System32\reg.exe, WriteAddress = 0x7ffdd238, Size = 0x00000004 TargetPID = 0x00000b08
File behavior
Behavior description: Create file
details: C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\__tmp_rar_sfx_access_check_71437
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\hosts_Run_as_Admin.cmd
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Install_Thunder_BY_LUOCHENZHIMU.cmd
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Spare.cmd
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\up\XLLiveUD.exe
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\4\XLLiveUD.exe
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\vip\XLUserS.dll
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\vip\BaseCommunity.xar
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\1\BrowserSupport.xar
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\4\BrowserSupport.xar
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\4\GroupAccelerate.xar
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\1\ThunderCore.xar
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\2\ThunderCore.xar
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\3\ThunderCore.xar
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\4\ThunderCore.xar
Behavior description: Modify file contents
details: C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\hosts_Run_as_Admin.cmd ---> Offset = 0
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Install_Thunder_BY_LUOCHENZHIMU.cmd ---> Offset = 0
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Spare.cmd ---> Offset = 0
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\up\XLLiveUD.exe ---> Offset = 0
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\up\XLLiveUD.exe ---> Offset = 65536
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\up\XLLiveUD.exe ---> Offset = 131072
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\up\XLLiveUD.exe ---> Offset = 196608
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\up\XLLiveUD.exe ---> Offset = 262144
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\4\XLLiveUD.exe ---> Offset = 0
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\4\XLLiveUD.exe ---> Offset = 65536
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\4\XLLiveUD.exe ---> Offset = 131072
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\4\XLLiveUD.exe ---> Offset = 196608
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\4\XLLiveUD.exe ---> Offset = 262144
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\vip\XLUserS.dll ---> Offset = 0
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\vip\XLUserS.dll ---> Offset = 65536
Behavior description: Create executable file
details: C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\up\XLLiveUD.exe
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\4\XLLiveUD.exe
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\vip\XLUserS.dll
Behavior description: Delete file
details: C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\__tmp_rar_sfx_access_check_71437
Behavior description: Search for file
details: FileName = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Thunder9_BY_LUOCHENZHIMU.exe
FileName = C:\Users
FileName = C:\Users\Administrator\AppData
FileName = C:\Users\Administrator\AppData\Local
FileName = C:\Users\Administrator\AppData\Local\Temp
FileName = C:\Users\Administrator\AppData\Local\%temp%
FileName = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\*.*
FileName = C:\Users\Administrator
FileName = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump
FileName = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU
FileName = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Install_Thunder_BY_LUOCHENZHIMU.cmd
FileName = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\reg.*
FileName = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\reg
FileName = C:\Windows\system32\reg.*
FileName = C:\Windows\system32\reg.COM
Registry behavior
Behavior description: Delete registry value
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
Other behavior
Behavior description: Checks whether it is being debugged
details: IsDebuggerPresent
Behavior description: Create mutex
details: Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Behavior description: Hide specified window
details: [Window,Class] = [,ComboLBox]
[Window,Class] = [浏览(&W)...,Button]
[Window,Class] = [C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU,ComboBox]
Behavior description: Open mutex
details: DefaultTabtip-MainUI
Local\MSCTF.Asm.MutexDefault1
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [EDIT,]
Behavior description: Start system service
details: [服务启动成功]: LocalSystem, Program Compatibility Assistant Service, C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
[服务启动失败]: LocalSystem, Program Compatibility Assistant Service, C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
Behavior description: Open event
details: HookSwitchHookEnabledEvent
\KernelObjects\MaximumCommitCondition
Local\MSCTF.CtfActivated.Default1
Local\MSCTF.AsmCacheReady.Default1
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SC_AutoStartComplete
Global\SvcctrlStartEvent_A3752DX
Behavior description: Executable file signature information
details: C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\up\XLLiveUD.exe(签名验证: 未通过)
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\4\XLLiveUD.exe(签名验证: 通过)
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\vip\XLUserS.dll(签名验证: 未通过)
Behavior description: Executable file MD5
details: C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\up\XLLiveUD.exe ---> d771d9b66b0d0fdea8f04f646786e829
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\4\XLLiveUD.exe ---> e66b4a547c9d5ee4323f7a96ef668d94
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Thunder9_BY_LUOCHENZHIMU\Resources\vip\XLUserS.dll ---> b1a92d3eaf35ab368be6997014e1fc48
Behavior description: Directly reads the CPU clock counter
details: EAX = 0x18393dbd, EDX = 0x0000003b
EAX = 0x22da0ad6, EDX = 0x0000003b
EAX = 0x2561da5f, EDX = 0x0000003b
EAX = 0xc35f7e0d, EDX = 0x0000003b
EAX = 0xc5e74d96, EDX = 0x0000003b
EAX = 0xc5e74de2, EDX = 0x0000003b
EAX = 0xc5e74e2e, EDX = 0x0000003b
EAX = 0xc5e74e7a, EDX = 0x0000003b
EAX = 0xc5e74ec6, EDX = 0x0000003b
EAX = 0xc5e74f12, EDX = 0x0000003b