1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, Aplikace VirSCAN může skenovat komprimované soubory s heslem 'infected'nebo'virus'.
| Safety rating:30 |
| Behavior list |
| Basic Information | |
|---|---|
| MD5: | 114aadd038557d25ec81db04d84277dc |
| file type: | EXE |
| Production company: | |
| version: | |
| Shell or compiler information: | |
| Key behavior | |
|---|---|
| Behavior description: | 检测自身是否被调试 |
| details: | N/A |
| Behavior description: | 跨进程写入数据 |
| details: | C:\WINDOWS\system32\winlogon.exe |
| C:\WINDOWS\system32\services.exe | |
| C:\WINDOWS\system32\lsass.exe | |
| C:\WINDOWS\system32\svchost.exe | |
| C:\WINDOWS\system32\spoolsv.exe | |
| C:\WINDOWS\system32\alg.exe | |
| C:\WINDOWS\explorer.exe | |
| C:\WINDOWS\system32\ctfmon.exe | |
| C:\Program Files\Tencent\QQ\Bin\QQ.exe | |
| C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe | |
| C:\WINDOWS\system32\conime.exe | |
| C:\WINDOWS\system32\PersonalBankPortal.exe | |
| C:\%temp%\1445811522.115179.exe | |
| C:\%temp%\1445811522.122052.exe | |
| C:\%temp%\1445811522.128922.exe | |
| Behavior description: | 创建远程线程 |
| details: | C:\WINDOWS\system32\winlogon.exe |
| C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1445811521.139332.exe | |
| Behavior description: | 关闭系统文件保护 |
| details: | N/A |
| Behavior description: | 跨进程写代码段数据 |
| details: | C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1445811521.523949.exe, WriteAddress = 0x006E0A66, EntryPoint = 0x006E0A66 |
| C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1445811521.530914.exe, WriteAddress = 0x006E0A66, EntryPoint = 0x006E0A66 | |
| Behavior description: | 修改注册表_系统防火墙可信进程列表 |
| details: | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINDOWS\system32\winlogon.exe |
| Behavior description: | 写权限映射文件 |
| details: | CiceroSharedMemDefaultS-* |
| MSCTF.MarshalInterface.FileMap.AGI..KAOGH | |
| MSCTF.MarshalInterface.FileMap.AGI.B.KBOGH | |
| MSCTF.MarshalInterface.FileMap.AGI.C.KBOGH | |
| MSCTF.MarshalInterface.FileMap.AGI.D.KBOGH | |
| MSCTF.MarshalInterface.FileMap.AGI.E.KCOGH | |
| MSCTF.MarshalInterface.FileMap.AGI.F.JDOGH | |
| MSCTF.MarshalInterface.FileMap.AGI.G.JEOGH | |
| MSCTF.Shared.SFM.AGI | |
| MSCTF.MarshalInterface.FileMap.AGI.H.KCPKH | |
| MSCTF.MarshalInterface.FileMap.AGI.I.KDPKH | |
| MSCTF.MarshalInterface.FileMap.AGI.J.KDPKH | |
| MSCTF.MarshalInterface.FileMap.AGI.K.KDPKH | |
| MSCTF.MarshalInterface.FileMap.AGI.L.KEPKH | |
| MSCTF.MarshalInterface.FileMap.AGI.M.JFPKH | |
| Behavior description: | 通过内存映射跨进程修改内存 |
| details: | TargetProcess = [System Process] |
| TargetProcess = %temp%\1445811521.311481.exe | |
| Behavior description: | 按名称获取主机地址 |
| details: | ce.kator.at |
| wo.tymis.pl | |
| Process behavior | |
|---|---|
| Behavior description: | 跨进程写入数据 |
| details: | C:\WINDOWS\system32\winlogon.exe |
| C:\WINDOWS\system32\services.exe | |
| C:\WINDOWS\system32\lsass.exe | |
| C:\WINDOWS\system32\svchost.exe | |
| C:\WINDOWS\system32\spoolsv.exe | |
| C:\WINDOWS\system32\alg.exe | |
| C:\WINDOWS\explorer.exe | |
| C:\WINDOWS\system32\ctfmon.exe | |
| C:\Program Files\Tencent\QQ\Bin\QQ.exe | |
| C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe | |
| C:\WINDOWS\system32\conime.exe | |
| C:\WINDOWS\system32\PersonalBankPortal.exe | |
| C:\%temp%\1445811522.115179.exe | |
| C:\%temp%\1445811522.122052.exe | |
| C:\%temp%\1445811522.128922.exe | |
| Behavior description: | 创建新文件进程 |
| details: | ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1445811521.115280.exe, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1445811521.115280.exe |
| Behavior description: | 创建远程线程 |
| details: | C:\WINDOWS\system32\winlogon.exe |
| C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1445811521.139332.exe | |
| Behavior description: | 枚举进程 |
| details: | N/A |
| Behavior description: | 跨进程写代码段数据 |
| details: | C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1445811521.523949.exe, WriteAddress = 0x006E0A66, EntryPoint = 0x006E0A66 |
| C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1445811521.530914.exe, WriteAddress = 0x006E0A66, EntryPoint = 0x006E0A66 | |
| Behavior description: | 通过内存映射跨进程修改内存 |
| details: | TargetProcess = [System Process] |
| TargetProcess = %temp%\1445811521.311481.exe | |
| File behavior | |
|---|---|
| Behavior description: | 写权限映射文件 |
| details: | CiceroSharedMemDefaultS-* |
| MSCTF.MarshalInterface.FileMap.AGI..KAOGH | |
| MSCTF.MarshalInterface.FileMap.AGI.B.KBOGH | |
| MSCTF.MarshalInterface.FileMap.AGI.C.KBOGH | |
| MSCTF.MarshalInterface.FileMap.AGI.D.KBOGH | |
| MSCTF.MarshalInterface.FileMap.AGI.E.KCOGH | |
| MSCTF.MarshalInterface.FileMap.AGI.F.JDOGH | |
| MSCTF.MarshalInterface.FileMap.AGI.G.JEOGH | |
| MSCTF.Shared.SFM.AGI | |
| MSCTF.MarshalInterface.FileMap.AGI.H.KCPKH | |
| MSCTF.MarshalInterface.FileMap.AGI.I.KDPKH | |
| MSCTF.MarshalInterface.FileMap.AGI.J.KDPKH | |
| MSCTF.MarshalInterface.FileMap.AGI.K.KDPKH | |
| MSCTF.MarshalInterface.FileMap.AGI.L.KEPKH | |
| MSCTF.MarshalInterface.FileMap.AGI.M.JFPKH | |
| Behavior description: | 查找文件 |
| details: | FileName = C:\DOCUME~1 |
| FileName = C:\DOCUME~1\ADMINI~1 | |
| FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1 | |
| FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp | |
| FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp% | |
| FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1445811521.513608.exe | |
| Network behavior | |
|---|---|
| Behavior description: | 发送一个已连接的套接字数据 |
| details: | SOCKET = 0x00000494, TotalSize = 20, Offset = 0, ReadSize = 20. |
| SOCKET = 0x00000494, TotalSize = 40, Offset = 0, ReadSize = 40. | |
| SOCKET = 0x00000268, TotalSize = 20, Offset = 0, ReadSize = 20. | |
| SOCKET = 0x00000268, TotalSize = 40, Offset = 0, ReadSize = 40. | |
| Behavior description: | 建立到一个指定的套接字连接 |
| details: | 219.133.40.1:80 |
| Behavior description: | 按名称获取主机地址 |
| details: | ce.kator.at |
| wo.tymis.pl | |
| Registry behavior | |
|---|---|
| Behavior description: | 修改注册表 |
| details: | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-*\RefCount |
| Behavior description: | 修改注册表_系统防火墙可信进程列表 |
| details: | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINDOWS\system32\winlogon.exe |
| Other behavior | |
|---|---|
| Behavior description: | 检测自身是否被调试 |
| details: | N/A |
| Behavior description: | 创建互斥体 |
| details: | 85C::DAFCE0CF6F |
| DILLOCREATE | |
| DILLOOEP | |
| CTF.LBES.MutexDefaultS-* | |
| CTF.Compart.MutexDefaultS-* | |
| CTF.Asm.MutexDefaultS-* | |
| CTF.Layouts.MutexDefaultS-* | |
| CTF.TMD.MutexDefaultS-* | |
| CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-* | |
| MSCTF.Shared.MUTEX.ELH | |
| MSCTF.Shared.MUTEX.AGI | |
| Behavior description: | 查找指定窗口 |
| details: | NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,] |
| NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,] | |
| Behavior description: | 获取系统权限 |
| details: | SE_DEBUG_PRIVILEGE |
| SE_TAKE_OWNERSHIP_PRIVILEGE | |
| SE_RESTORE_PRIVILEGE | |
| SE_BACKUP_PRIVILEGE | |
| SE_CHANGE_NOTIFY_PRIVILEGE | |
| Behavior description: | 获取TickCount值 |
| details: | TickCount = 485744, SleepMilliseconds = 10. |
| TickCount = 546203, SleepMilliseconds = 60000. | |
| TickCount = 546218, SleepMilliseconds = 60000. | |
| TickCount = 546234, SleepMilliseconds = 60000. | |
| TickCount = 546250, SleepMilliseconds = 60000. | |
| TickCount = 546265, SleepMilliseconds = 60000. | |
| TickCount = 546281, SleepMilliseconds = 60000. | |
| TickCount = 546296, SleepMilliseconds = 60000. | |
| TickCount = 546312, SleepMilliseconds = 60000. | |
| TickCount = 546781, SleepMilliseconds = 60000. | |
| TickCount = 486922, SleepMilliseconds = 1. | |
| TickCount = 486938, SleepMilliseconds = 1. | |
| TickCount = 486954, SleepMilliseconds = 1. | |
| TickCount = 486969, SleepMilliseconds = 1. | |
| TickCount = 486985, SleepMilliseconds = 1. | |
| Behavior description: | 关闭系统文件保护 |
| details: | N/A |
| Behavior description: | 调用Sleep函数 |
| details: | [1]: MilliSeconds = 60000. |
| Abnormal crash | |
|---|---|
| Behavior description: | 检测自身是否被调试 |
| details: | N/A |
| Behavior description: | 创建互斥体 |
| details: | 85C::DAFCE0CF6F |
| DILLOCREATE | |
| DILLOOEP | |
| CTF.LBES.MutexDefaultS-* | |
| CTF.Compart.MutexDefaultS-* | |
| CTF.Asm.MutexDefaultS-* | |
| CTF.Layouts.MutexDefaultS-* | |
| CTF.TMD.MutexDefaultS-* | |
| CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-* | |
| MSCTF.Shared.MUTEX.ELH | |
| MSCTF.Shared.MUTEX.AGI | |
| Behavior description: | 查找指定窗口 |
| details: | NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,] |
| NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,] | |
| Behavior description: | 获取系统权限 |
| details: | SE_DEBUG_PRIVILEGE |
| SE_TAKE_OWNERSHIP_PRIVILEGE | |
| SE_RESTORE_PRIVILEGE | |
| SE_BACKUP_PRIVILEGE | |
| SE_CHANGE_NOTIFY_PRIVILEGE | |
| Behavior description: | 获取TickCount值 |
| details: | TickCount = 485744, SleepMilliseconds = 10. |
| TickCount = 546203, SleepMilliseconds = 60000. | |
| TickCount = 546218, SleepMilliseconds = 60000. | |
| TickCount = 546234, SleepMilliseconds = 60000. | |
| TickCount = 546250, SleepMilliseconds = 60000. | |
| TickCount = 546265, SleepMilliseconds = 60000. | |
| TickCount = 546281, SleepMilliseconds = 60000. | |
| TickCount = 546296, SleepMilliseconds = 60000. | |
| TickCount = 546312, SleepMilliseconds = 60000. | |
| TickCount = 546781, SleepMilliseconds = 60000. | |
| TickCount = 486922, SleepMilliseconds = 1. | |
| TickCount = 486938, SleepMilliseconds = 1. | |
| TickCount = 486954, SleepMilliseconds = 1. | |
| TickCount = 486969, SleepMilliseconds = 1. | |
| TickCount = 486985, SleepMilliseconds = 1. | |
| Behavior description: | 关闭系统文件保护 |
| details: | N/A |
| Behavior description: | 调用Sleep函数 |
| details: | [1]: MilliSeconds = 60000. |
| Run screenshot |
|---|
 |
HOME
