MD5: 55f6945302a5baa49f32ef25425b793c
File size: 5.58MB
Upload time: 2014-09-22 10:36:30 (CST)
Package names:
Minimum operating environment:
Copyright:
Behavior description: Set special folder attributes
Details:
    C:\Documents and Settings\Administrator\Application Data\Fomesaod
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
    C:\Documents and Settings\Administrator\Local Settings\History
    C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
    C:\Documents and Settings\Administrator\Cookies
    C:\Documents and Settings\All Users\Application Data\Fomesaod
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5
    C:\Documents and Settings\LocalService\Local Settings\History
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5
    C:\Documents and Settings\LocalService\Cookies

Behavior description: Create system service
Details:
    [Service created successfully]: GiseXuvo, C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe

Behavior description: Set message hook
Details:
    C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe

Behavior description: Create process from newly created file
Details:
    ImagePath = C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe, CmdLine = "C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe"
    ImagePath = C:\Documents and Settings\All Users\Application Data\Fomesaod\qege.exe, CmdLine = "C:\Documents and Settings\All Users\Application Data\Fomesaod\qege.exe"
    ImagePath = C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe, CmdLine = "C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe" /START "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.yixun.com/

Behavior description: Create executable file
Details:
    C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe
    C:\Documents and Settings\All Users\Application Data\Fomesaod\qege.exe
    C:\WINDOWS\regedit.exe
    C:\WINDOWS\RCX3.tmp
    C:\WINDOWS\RCX4.tmp
    C:\WINDOWS\RCX5.tmp
    C:\WINDOWS\RCX6.tmp
    C:\WINDOWS\RCX7.tmp
    C:\WINDOWS\winhelp.exe
    C:\WINDOWS\winhlp32.exe
    C:\WINDOWS\RCX8.tmp
    C:\WINDOWS\RCX9.tmp
    C:\WINDOWS\RCXA.tmp
    C:\WINDOWS\RCXB.tmp
    C:\WINDOWS\$NtUninstallKB2412687$\spuninst\spuninst.exe
Behavior description: Create file mapping with write access
Details:
    Local\b7b7bc2512ee1fedcd76bdc68926d4f7b
    Global\c1128acc29a2f4c564400859e81d4b5b3
    VIDEOMEMORY
    AMResourceMapping2-0x0000-0x0000051e

Behavior description: Rename file
Details:
    C:\WINDOWS\RCX3.tmp ---> C:\WINDOWS\regedit.exe
    C:\WINDOWS\RCX4.tmp ---> C:\WINDOWS\regedit.exe
    C:\WINDOWS\RCX5.tmp ---> C:\WINDOWS\regedit.exe
    C:\WINDOWS\RCX6.tmp ---> C:\WINDOWS\regedit.exe
    C:\WINDOWS\RCX7.tmp ---> C:\WINDOWS\regedit.exe
    C:\WINDOWS\RCX8.tmp ---> C:\WINDOWS\winhlp32.exe
    C:\WINDOWS\RCX9.tmp ---> C:\WINDOWS\winhlp32.exe
    C:\WINDOWS\RCXA.tmp ---> C:\WINDOWS\winhlp32.exe
    C:\WINDOWS\RCXB.tmp ---> C:\WINDOWS\winhlp32.exe
    C:\WINDOWS\$NtUninstallKB2412687$\spuninst\RCXC.tmp ---> C:\WINDOWS\$NtUninstallKB2412687$\spuninst\spuninst.exe
    C:\WINDOWS\$NtUninstallKB2412687$\spuninst\RCXD.tmp ---> C:\WINDOWS\$NtUninstallKB2412687$\spuninst\spuninst.exe
    C:\WINDOWS\$NtUninstallKB2412687$\spuninst\RCXE.tmp ---> C:\WINDOWS\$NtUninstallKB2412687$\spuninst\spuninst.exe
    C:\WINDOWS\$NtUninstallKB2412687$\spuninst\RCXF.tmp ---> C:\WINDOWS\$NtUninstallKB2412687$\spuninst\spuninst.exe
    C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\19b50dd470540911fc5cc65331a769e4\RCX10.tmp ---> C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\19b50dd470540911fc5cc65331a769e4\ComSvcConfig.ni.exe
    C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\MSBuild\87c84ffaaad81d8d106a9aa9d68b5926\RCX11.tmp ---> C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\MSBuild\87c84ffaaad81d8d106a9aa9d68b5926\MSBuild.ni.exe

Behavior description: Set special folder attributes
Details:
    C:\Documents and Settings\Administrator\Application Data\Fomesaod
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
    C:\Documents and Settings\Administrator\Local Settings\History
    C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
    C:\Documents and Settings\Administrator\Cookies
    C:\Documents and Settings\All Users\Application Data\Fomesaod
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5
    C:\Documents and Settings\LocalService\Local Settings\History
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5
    C:\Documents and Settings\LocalService\Cookies
Behavior description: Modify file contents
Details:
    C:\Documents and Settings\Administrator\Application Data\Fomesaod\febamero.cat ---> Offset = 4118
    C:\Documents and Settings\Administrator\Application Data\Fomesaod\saisohon\uqboumxuuc.ocx ---> Offset = 0
    C:\Documents and Settings\Administrator\Application Data\Fomesaod\saisohon\uhfogeend.cat ---> Offset = 0
    C:\Documents and Settings\Administrator\Application Data\Fomesaod\saisohon\hesehaq.ocx ---> Offset = 4108
    C:\Documents and Settings\Administrator\Application Data\Fomesaod\saisohon\icxobanet.bin ---> Offset = 4108
    C:\Documents and Settings\Administrator\Application Data\Fomesaod\omehug\epfegohab.mui ---> Offset = 4108
    C:\Documents and Settings\Administrator\Application Data\Fomesaod\omehug\adigapog.drv ---> Offset = 4112
    C:\Documents and Settings\Administrator\Application Data\Fomesaod\omehug\abqaqebi.mui ---> Offset = 0
    C:\Documents and Settings\Administrator\Application Data\Fomesaod\omehug\iqkeusohlu.bin ---> Offset = 0
    C:\Documents and Settings\Administrator\Application Data\Fomesaod\omicxahemu\raerebw.cat ---> Offset = 4114
    C:\Documents and Settings\Administrator\Application Data\Fomesaod\omicxahemu\kasoi.bin ---> Offset = 0
    C:\Documents and Settings\Administrator\Application Data\Fomesaod\omicxahemu\buatosud.drv ---> Offset = 0
    C:\Documents and Settings\All Users\Application Data\Fomesaod\tuuxosoc.bin ---> Offset = 0
    C:\Documents and Settings\All Users\Application Data\Fomesaod\giarigw.ocx ---> Offset = 8221
    C:\Documents and Settings\All Users\Application Data\Fomesaod\koe\edb.dmp ---> Offset = 4113

Behavior description: Modify newly generated executable file
Details:
    C:\WINDOWS\regedit.exe ---> Offset = 293888
    C:\WINDOWS\winhelp.exe ---> Offset = 290816
    C:\WINDOWS\winhlp32.exe ---> Offset = 293376
    C:\WINDOWS\$NtUninstallKB2412687$\spuninst\spuninst.exe ---> Offset = 293376
    C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\19b50dd470540911fc5cc65331a769e4\ComSvcConfig.ni.exe ---> Offset = 292352
    C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\MSBuild\87c84ffaaad81d8d106a9aa9d68b5926\MSBuild.ni.exe ---> Offset = 292352
    C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\6781b87c8d3b55e6120b1e86bea6e040\ServiceModelReg.ni.exe ---> Offset = 292352
    C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\SMSvcHost\b9c1a29e684bc02e49226ff1e9eec253\SMSvcHost.ni.exe ---> Offset = 292352
    C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\WsatConfig\7d2a3adbdcb675f872eb2dbf21f73596\WsatConfig.ni.exe ---> Offset = 292352
    C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\2b3bb967d405eb9e0c95b184f7ae8979\ComSvcConfig.ni.exe ---> Offset = 292352
    C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\MSBuild\e2799fc6d0e3b74e8fa3c2ce0225a940\MSBuild.ni.exe ---> Offset = 292352
    C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\SMSvcHost\048beed5824506fe8ac3453e5d71edb2\SMSvcHost.ni.exe ---> Offset = 292352
    C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\WsatConfig\d44ea63953312a5b92800127d1f48932\WsatConfig.ni.exe ---> Offset = 292352
    C:\WINDOWS\ie8\spuninst\spuninst.exe ---> Offset = 293376
    C:\WINDOWS\inf\unregmp2.exe ---> Offset = 292864
Behavior description: Connect to specified site
Details:
    InternetConnectA: ServerName = icanhazip.com, PORT = 80
    InternetConnectA: ServerName = example.com, PORT = 80
    InternetConnectA: ServerName = z3mm6cupmtw5b2xx.onion, PORT = 80
    InternetConnectA: ServerName = urasahrenaheen.ddns.net, PORT = 80
    InternetConnectA: ServerName = xoegfeima.ddns.net, PORT = 80
    InternetConnectA: ServerName = niubsacaosuce.ddns.net, PORT = 80
    InternetConnectA: ServerName = egaggioxipme.ddns.net, PORT = 80
    InternetConnectA: ServerName = miqookleugoc.ddns.net, PORT = 80
    InternetConnectA: ServerName = ivowqiutulqa.ddns.net, PORT = 80
    InternetConnectA: ServerName = paegekreaho.ddns.net, PORT = 80
    InternetConnectA: ServerName = sulauhovmi.ddns.net, PORT = 80
    InternetConnectA: ServerName = nigiqohe.ddns.net, PORT = 80
    InternetConnectA: ServerName = ogvehobiqute.ddns.net, PORT = 80
    InternetConnectA: ServerName = ifoxtameavrih.ddns.net, PORT = 80
    InternetConnectA: ServerName = ixqiguiwfe.ddns.net, PORT = 80

Behavior description: Read network file
Details:
    hFile = 0x000002dc, BytesToRead = 1023, BytesRead = 1023.
    hFile = 0x000001a8, BytesToRead = 1023, BytesRead = 1023.
    hFile = 0x000001b8, BytesToRead = 1023, BytesRead = 1023.
    hFile = 0x0000024c, BytesToRead = 1023, BytesRead = 1023.
    hFile = 0x00000230, BytesToRead = 1023, BytesRead = 1023.
    hFile = 0x00000224, BytesToRead = 1023, BytesRead = 1023.
    hFile = 0x00000278, BytesToRead = 1023, BytesRead = 1023.
    hFile = 0x000001f0, BytesToRead = 1023, BytesRead = 1023.

Behavior description: Open HTTP request
Details:
    HttpOpenRequestA: z3mm6cupmtw5b2xx.onion:80/si.php?xd={"f6226":""}, hConnect = 0x000002d0
    HttpOpenRequestA: urasahrenaheen.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x000002d0
    HttpOpenRequestA: xoegfeima.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x000002dc
    HttpOpenRequestA: niubsacaosuce.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x000002dc
    HttpOpenRequestA: egaggioxipme.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x000002dc
    HttpOpenRequestA: miqookleugoc.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x000002dc
    HttpOpenRequestA: ivowqiutulqa.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x000002dc
    HttpOpenRequestA: paegekreaho.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x000002dc
    HttpOpenRequestA: sulauhovmi.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x000002dc
    HttpOpenRequestA: nigiqohe.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x000002dc
    HttpOpenRequestA: ogvehobiqute.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x000002dc
    HttpOpenRequestA: ifoxtameavrih.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x000002dc
    HttpOpenRequestA: ixqiguiwfe.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x000002dc
    HttpOpenRequestA: veugihivirhiaqi.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x000002dc
    HttpOpenRequestA: hedaitoms.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x000002dc
Behavior description: Modify registry
Details:
    \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\EnopIqecebeh\
    \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\EnopIqecebeh\DefaultIcon\
    \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\UwxuOwcauq\
    \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\UwxuOwcauq\IsShortcut
    \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\EnopIqecebeh\shell\open\command\
    \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\UwxuOwcauq\NeverShowExt
    \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\UwxuOwcauq\shell\open\command\
    \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\EnopIqecebeh\shell\open\command\IsolatedCommand
    \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\UwxuOwcauq\shell\open\command\IsolatedCommand
    \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\EnopIqecebeh\shell\runas\command\
    \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\UwxuOwcauq\shell\runas\command\
    \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\UwxuOwcauq\shell\runas\command\IsolatedCommand
    \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\EnopIqecebeh\shell\runas\command\IsolatedCommand
    \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\UwxuOwcauq\shellex\IconHandler\
    \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\.exe\

Behavior description: Modify registry (Group Policy)
Details:
    \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat\DisablePCA
    \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\AppCompat\DisablePCA

Behavior description: Create driver file image
Details:
    C:\WINDOWS\system32\drivers\fastfat.sys

Behavior description: Create mutex
Details:
    AMResourceMutex2
    VideoRenderer
    eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-21-1482476501-1645522239-1417001333-500

Behavior description: Set message hook
Details:
    C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe

Behavior description: Start system service
Details:
    [Service started successfully]: LocalSystem, GiseXuvo, C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe

Behavior description: Acquire system privileges
Details:
    SE_INC_BASE_PRIORITY_PRIVILEGE
    SE_LOAD_DRIVER_PRIVILEGE
    SE_ASSIGNPRIMARYTOKEN_PRIVILEGE

Behavior description: Enumerate windows
Details:
    N/A

Behavior description: Create system service
Details:
    [Service created successfully]: GiseXuvo, C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe