VirSCAN

1. You can UPLOAD any file, but there is a 20 MB limit per file.
2. VirSCAN supports Rar/Zip decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives whose password is 'infected' or 'virus'.
4. If your browser cannot upload files, please download the VirSCAN uploader to upload.

File information

Virscan.org multi-engine scan report
Behavior analysis report: Habo file analysis

Basic Information

MD5: 6a7d9315b9e2ea37e42e2dc7a8e72912
File size: 5.58 MB
Upload time: 2014-09-22 10:36:30 (CST)
Package names:
Minimum operating environment:
copyright:

Key behavior

Behavior description: Shutdown or restart
details: N/A
Behavior description: Set special folder attributes
details: C:\$WinBunk1605HSection$
C:\open1
C:\open2
Behavior description: Get TickCount value
details: TickCount = 5368846, SleepMilliseconds = 300.
TickCount = 5471234, SleepMilliseconds = 100000.
TickCount = 5471312, SleepMilliseconds = 100000.
TickCount = 5471328, SleepMilliseconds = 100000.
TickCount = 5471390, SleepMilliseconds = 100000.
TickCount = 5372859, SleepMilliseconds = 1000.
TickCount = 5378578, SleepMilliseconds = 5500.
TickCount = 5378640, SleepMilliseconds = 5500.
TickCount = 5379859, SleepMilliseconds = 5500.
TickCount = 5379921, SleepMilliseconds = 5500.
TickCount = 5380281, SleepMilliseconds = 5500.

Process behavior

Behavior description: Create process with hidden window
details: ImagePath = C:\$WinBunk1605HSection$\Library\Ra.exe, CmdLine = "C:\$WinBunk1605HSection$\Library\Ra.exe" x -o+ -ppP嚳盦鞌萵ψ竁嚹§慁僰璽▓ C:\$WinBunk1605HSection$\Branding\profiles.dll C:\$WinBunk1605HSection$\Branding\
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = "C:\WINDOWS\system32\cmd.exe" /C C:\$WinBunk1605HSection$\Branding\tc.bat
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = "C:\WINDOWS\system32\cmd.exe" /C C:\$WinBunk1605HSection$\Branding\updata.bat
ImagePath = C:\WINDOWS\system32\shutdown.exe, CmdLine = "C:\WINDOWS\system32\shutdown.exe" -r -t 0
Behavior description: Create process
details: ImagePath = C:\WINDOWS\regedit.exe, CmdLine = "C:\WINDOWS\regedit.exe" /s C:\$WinBunk1605HSection$\Library\ico\1003.ico
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = "C:\WINDOWS\system32\cmd.exe" /C C:\$WinBunk1605HSection$\Branding\tc.bat
ImagePath = C:\WINDOWS\system32\msg.exe, CmdLine = msg Administrator /time:5 "Windows正在进行重要更新;请不要关闭计算机电源,Windos将自动备份当前未保存的文件。" [English: "Windows is performing an important update; please do not power off the computer. Windos will automatically back up currently unsaved files."]
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = "C:\WINDOWS\system32\cmd.exe" /C C:\$WinBunk1605HSection$\Branding\updata.bat
ImagePath = C:\WINDOWS\system32\msg.exe, CmdLine = msg Administrator /time:20 "Windows已完成以下安全更新,要使更新立即生效,您必须重新启动计算机。1.Microsoft Windows office的安全更新(KB295075786890adjkl)2.Microsoft Windows Microsoft.NET的安全更新(KB29500075785)3.Microsoft Windows Microsoft Works的安全更新(KB2950757853)Windows将在1分钟后自动重新启动您的计算机,请保存好当前未保存的 [English: "Windows has completed the following security updates; for the updates to take effect immediately you must restart the computer. 1. Security update for Microsoft Windows office (KB295075786890adjkl) 2. Security update for Microsoft Windows Microsoft.NET (KB29500075785) 3. Security update for Microsoft Windows Microsoft Works (KB2950757853). Windows will automatically restart your computer in 1 minute; please save any currently unsaved" (text truncated in the report)]
ImagePath = C:\WINDOWS\system32\shutdown.exe, CmdLine = "C:\WINDOWS\system32\shutdown.exe" -r -t 0
Behavior description: Create local thread
details: TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2112, ThreadID = 2312, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: Lmnhuiabdge.com, InheritedFromPID = 2112, ProcessID = 2304, ThreadID = 2444, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: Lmnhuiabdge.com, InheritedFromPID = 2112, ProcessID = 2304, ThreadID = 2548, StartAddress = 004045B0, Parameter = 0000012C
TargetProcess: Lmnhuiabdge.com, InheritedFromPID = 2112, ProcessID = 2304, ThreadID = 2564, StartAddress = 004045B0, Parameter = 000001F4
TargetProcess: Lmnhuiabdge.com, InheritedFromPID = 2112, ProcessID = 2304, ThreadID = 2568, StartAddress = 004045B0, Parameter = 000186A0
TargetProcess: Ra.exe, InheritedFromPID = 2304, ProcessID = 2572, ThreadID = 2604, StartAddress = 004478F0, Parameter = 009F2B50
TargetProcess: Ra.exe, InheritedFromPID = 2304, ProcessID = 2572, ThreadID = 2608, StartAddress = 004478F0, Parameter = 009F2B50
TargetProcess: Ra.exe, InheritedFromPID = 2304, ProcessID = 2572, ThreadID = 2612, StartAddress = 004478F0, Parameter = 009F2B50
TargetProcess: Ra.exe, InheritedFromPID = 2304, ProcessID = 2572, ThreadID = 2616, StartAddress = 004478F0, Parameter = 009F2B50
TargetProcess: Ra.exe, InheritedFromPID = 2304, ProcessID = 2572, ThreadID = 2620, StartAddress = 004478F0, Parameter = 009F2B50
TargetProcess: Ra.exe, InheritedFromPID = 2304, ProcessID = 2572, ThreadID = 2624, StartAddress = 004478F0, Parameter = 009F2B50
TargetProcess: Ra.exe, InheritedFromPID = 2304, ProcessID = 2572, ThreadID = 2628, StartAddress = 004478F0, Parameter = 009F2B50
TargetProcess: Ra.exe, InheritedFromPID = 2304, ProcessID = 2572, ThreadID = 2632, StartAddress = 004478F0, Parameter = 009F2B50
TargetProcess: Ra.exe, InheritedFromPID = 2304, ProcessID = 2572, ThreadID = 2636, StartAddress = 004478F0, Parameter = 009F2B50
TargetProcess: Ra.exe, InheritedFromPID = 2304, ProcessID = 2572, ThreadID = 2640, StartAddress = 004478F0, Parameter = 009F2B50
Behavior description: Create process from newly created file
details: ImagePath = C:\$WinBunk1605HSection$\Library\Lmnhuiabdge.com, CmdLine = "C:\$WinBunk1605HSection$\Library\Lmnhuiabdge.com"
ImagePath = C:\$WinBunk1605HSection$\Library\Ra.exe, CmdLine = "C:\$WinBunk1605HSection$\Library\Ra.exe" x -o+ -ppP嚳盦鞌萵ψ竁嚹§慁僰璽▓ C:\$WinBunk1605HSection$\Branding\profiles.dll C:\$WinBunk1605HSection$\Branding\

File behavior

Behavior description: Create file
details: C:\__tmp_rar_sfx_access_check_5354625
C:\$WinBunk1605HSection$\Library\cmd.exe
C:\$WinBunk1605HSection$\Library\Ra.exe
C:\$WinBunk1605HSection$\Branding\profiles.dll
C:\$WinBunk1605HSection$\Library\ico\1001.ico
C:\$WinBunk1605HSection$\Library\ico\1002.ico
C:\$WinBunk1605HSection$\Library\ico\1003.ico
C:\$WinBunk1605HSection$\Library\ico\1004.ico
C:\$WinBunk1605HSection$\Library\ico\1005.ico
C:\$WinBunk1605HSection$\Library\ico\1006.ico
C:\$WinBunk1605HSection$\Library\ico\1007.ico
C:\$WinBunk1605HSection$\Library\ico\1008.ico
C:\$WinBunk1605HSection$\Branding\userupdata.vbe
C:\$WinBunk1605HSection$\Library\Lmnhuiabdge.com
C:\1605.dat
Behavior description: Create executable file
details: C:\$WinBunk1605HSection$\Library\cmd.exe
C:\$WinBunk1605HSection$\Library\Ra.exe
C:\$WinBunk1605HSection$\Library\Lmnhuiabdge.com
Behavior description: Copy file
details: C:\1605.dat ---> C:\$WinBunk1605HSection$\Branding\1605.dat
Behavior description: Delete file
details: C:\__tmp_rar_sfx_access_check_5354625
C:\1605.dat
C:\$WinBunk1605HSection$\Branding\tc.bat
C:\$WinBunk1605HSection$\Branding\updata.bat
Behavior description: Search for file
details: FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\My Documents
FileName = C:\Documents and Settings\All Users
FileName = C:\Documents and Settings\All Users\Documents
FileName = C:\Documents and Settings\Administrator\桌面
FileName = C:\Documents and Settings\All Users\桌面
FileName = C:\$WinBunk1605HSection$\Library
FileName = C:\WINDOWS
FileName = C:\WINDOWS\regedit.exe
FileName = C:\open1.*
FileName = C:\1605.dat
FileName = C:\$WinBunk1605HSection$\Library\Ra.exe
FileName = C:\Documents and Settings\Administrator\Application Data
Behavior description: Modify BAT script file
details: C:\$WinBunk1605HSection$\Branding\tc.bat ---> Offset = 0
C:\$WinBunk1605HSection$\Branding\updata.bat ---> Offset = 0
Behavior description: Set special folder attributes
details: C:\$WinBunk1605HSection$
C:\open1
C:\open2
Behavior description: Modify file content
details: C:\$WinBunk1605HSection$\Library\cmd.exe ---> Offset = 0
C:\$WinBunk1605HSection$\Library\cmd.exe ---> Offset = 65536
C:\$WinBunk1605HSection$\Library\cmd.exe ---> Offset = 131072
C:\$WinBunk1605HSection$\Library\cmd.exe ---> Offset = 307200
C:\$WinBunk1605HSection$\Library\cmd.exe ---> Offset = 308992
C:\$WinBunk1605HSection$\Library\Ra.exe ---> Offset = 0
C:\$WinBunk1605HSection$\Library\Ra.exe ---> Offset = 65536
C:\$WinBunk1605HSection$\Library\Ra.exe ---> Offset = 131072
C:\$WinBunk1605HSection$\Library\Ra.exe ---> Offset = 196608
C:\$WinBunk1605HSection$\Library\Ra.exe ---> Offset = 262144
C:\$WinBunk1605HSection$\Branding\profiles.dll ---> Offset = 0
C:\$WinBunk1605HSection$\Library\ico\1001.ico ---> Offset = 0
C:\$WinBunk1605HSection$\Library\ico\1002.ico ---> Offset = 0
C:\$WinBunk1605HSection$\Library\ico\1003.ico ---> Offset = 0
C:\$WinBunk1605HSection$\Library\ico\1004.ico ---> Offset = 0

Registry behavior

Behavior description: Modify registry
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\$WinBunk1605HSection$\Library\Lmnhuiabdge.com
\REGISTRY\MACHINE\SOFTWARE\Classes\.z1605\
\REGISTRY\MACHINE\SOFTWARE\Classes\.z1605\ShellEx\{000214EE-0000-0000-C000-000000000046}\
\REGISTRY\MACHINE\SOFTWARE\Classes\.z1605\ShellEx\{000214F9-0000-0000-C000-000000000046}\
\REGISTRY\MACHINE\SOFTWARE\Classes\.z1605\ShellEx\{00021500-0000-0000-C000-000000000046}\
\REGISTRY\MACHINE\SOFTWARE\Classes\.z1605\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\
\REGISTRY\MACHINE\SOFTWARE\Classes\.z1605\ShellEx\{E357FCCD-A995-4576-B01F-234630154E96}\
\REGISTRY\MACHINE\SOFTWARE\Classes\.z1605\ShellNew\Handler
\REGISTRY\MACHINE\SOFTWARE\Classes\.z1605\ShellNew\IconPath
\REGISTRY\MACHINE\SOFTWARE\Classes\.z1605\ShellNew\ItemName
\REGISTRY\MACHINE\SOFTWARE\Classes\.z1605\ShellNew\MenuText
\REGISTRY\MACHINE\SOFTWARE\Classes\.z1605\ShellNew\NullFile
\REGISTRY\MACHINE\SOFTWARE\Classes\.z1605\ShellNew\Config\DontRename
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\$WinBunk1605HSection$\Library\Ra.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA

Other behavior

Behavior description: Create mutex
details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
_SHuassist.mtx
Behavior description: Hide specified window
details: [Window,Class] = [,ComboLBox]
[Window,Class] = [,Auto-Suggest Dropdown]
[Window,Class] = [浏览(&W)...,Button] (the "Browse(&W)..." button)
[Window,Class] = [C:\,ComboBox]
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [EDIT,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [RegEdit_RegEdit,]
Behavior description: Open event
details: HookSwitchHookEnabledEvent
CTF.ThreadMIConnectionEvent.000007B4.00000000.0000003F
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.0000003F
MSCTF.SendReceiveConection.Event.ELH.IC
MSCTF.SendReceive.Event.ELH.IC
_fCanRegisterWithShellService
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\crypt32LogoffEvent
MSFT.VSA.COM.DISABLE.2304
MSFT.VSA.IEC.STATUS.6c736db0
Behavior description: Get TickCount value
details: TickCount = 5368846, SleepMilliseconds = 300.
TickCount = 5471234, SleepMilliseconds = 100000.
TickCount = 5471312, SleepMilliseconds = 100000.
TickCount = 5471328, SleepMilliseconds = 100000.
TickCount = 5471390, SleepMilliseconds = 100000.
TickCount = 5372859, SleepMilliseconds = 1000.
TickCount = 5378578, SleepMilliseconds = 5500.
TickCount = 5378640, SleepMilliseconds = 5500.
TickCount = 5379859, SleepMilliseconds = 5500.
TickCount = 5379921, SleepMilliseconds = 5500.
TickCount = 5380281, SleepMilliseconds = 5500.
Behavior description: Adjust process token privileges
details: SE_LOAD_DRIVER_PRIVILEGE
SE_SHUTDOWN_PRIVILEGE
SE_REMOTE_SHUTDOWN_PRIVILEGE
Behavior description: Window information
details: Pid = 588, Hwnd=0x30430, Text = 确定 (OK), ClassName = Button.
Pid = 588, Hwnd=0x20434, Text = Windows正在进行重要更新;请不要关闭计算机电源,Windos将自动备份当前未保存的文件。 [English: "Windows is performing an important update; please do not power off the computer. Windos will automatically back up currently unsaved files."], ClassName = Static.
Pid = 588, Hwnd=0x40382, Text = 来自 Administrator 的消息 2016-7-8 3:22 [English: "Message from Administrator 2016-7-8 3:22"], ClassName = #32770.
Pid = 588, Hwnd=0x40434, Text = 确定 (OK), ClassName = Button.
Pid = 588, Hwnd=0x40430, Text = Windows已完成以下安全更新,要使更新立即生效,您必须重新启动计算机。1.Microsoft Windows office的安全更新(KB295075786890adjkl)2.Mi [English: "Windows has completed the following security updates; for the updates to take effect immediately you must restart the computer. 1. Security update for Microsoft Windows office (KB295075786890adjkl) 2. Mi" (text truncated in the report)], ClassName = Static.
Pid = 588, Hwnd=0x60382, Text = 来自 Administrator 的消息 2016-7-8 3:23 [English: "Message from Administrator 2016-7-8 3:23"], ClassName = #32770.
Behavior description: Executable signature information
details: C:\$WinBunk1605HSection$\Library\cmd.exe (signature verification: failed)
C:\$WinBunk1605HSection$\Library\Ra.exe (signature verification: passed)
C:\$WinBunk1605HSection$\Library\Lmnhuiabdge.com (signature verification: failed)
Behavior description: Call Sleep function
details: [1]: MilliSeconds = 300.
[2]: MilliSeconds = 500.
[3]: MilliSeconds = 100000.
[4]: MilliSeconds = 1000.
[5]: MilliSeconds = 5500.
Behavior description: Create event object
details: EventName = Global\crypt32LogoffEvent
Behavior description: Shutdown or restart
details: N/A
Behavior description: Executable MD5
details: C:\$WinBunk1605HSection$\Library\cmd.exe ---> 6960d29abe74341fab8300db3e6f883d
C:\$WinBunk1605HSection$\Library\Ra.exe ---> 1e23843d7faa3792ba9fa95bc3066065
C:\$WinBunk1605HSection$\Library\Lmnhuiabdge.com ---> File too large!
Behavior description: Open mutex
details: ShimCacheMutex
Local\!IETld!Mutex
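A small triage pass over the records above, added here as an example and not VirSCAN's or Habo's own code. It parses the report's `Behavior description:` / `details:` layout into a dict and then applies the checks a responder would want from the Process, Registry and token sections: `regedit.exe /s` pointed at a file that is not a `.reg` (the `.ico` files under `Library\ico` are being imported as registry scripts; regedit does not care about the extension), `shutdown.exe -r -t 0`, `msg.exe` notices, executables launched from a `$...$` directory that imitates Windows' own `$NtUninstall...$` folders, the `EnableLUA` policy value being touched, a new file extension registered under `Classes\...\ShellNew`, and `SE_SHUTDOWN_PRIVILEGE` being enabled. `REPORT` is a constructed excerpt of the records shown on this page (message text shortened to its English meaning) and the rule names are the example's own. Note that Ra.exe passes signature verification and is driven with rar.exe-style switches (`x -o+ -p<password>`), so it is most likely a renamed legitimate RAR console binary; a detection should key on its command line and parent, not its hash.

```python
"""Triage a Habo/VirSCAN behavior report: parse its records, then run
command-line, registry and privilege checks over them. Added example;
REPORT is a constructed excerpt of the page's own records."""
import re
from collections import defaultdict

# Constructed excerpt of the Process, Registry and token records above.
REPORT = r"""
Behavior description: Create process with hidden window
details: ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = "C:\WINDOWS\system32\cmd.exe" /C C:\$WinBunk1605HSection$\Branding\tc.bat
ImagePath = C:\WINDOWS\system32\shutdown.exe, CmdLine = "C:\WINDOWS\system32\shutdown.exe" -r -t 0
Behavior description: Create process
details: ImagePath = C:\WINDOWS\regedit.exe, CmdLine = "C:\WINDOWS\regedit.exe" /s C:\$WinBunk1605HSection$\Library\ico\1003.ico
ImagePath = C:\WINDOWS\system32\msg.exe, CmdLine = msg Administrator /time:5 "Windows is performing an important update"
Behavior description: Create process from newly created file
details: ImagePath = C:\$WinBunk1605HSection$\Library\Lmnhuiabdge.com, CmdLine = "C:\$WinBunk1605HSection$\Library\Lmnhuiabdge.com"
Behavior description: Modify registry
details: \REGISTRY\MACHINE\SOFTWARE\Classes\.z1605\ShellNew\NullFile
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
Behavior description: Adjust process token privileges
details: SE_LOAD_DRIVER_PRIVILEGE
SE_SHUTDOWN_PRIVILEGE
"""

PROC_RE = re.compile(r"ImagePath = (?P<image>[^,]+), CmdLine = (?P<cmd>.*)")
# A path component wrapped in $...$, e.g. C:\$WinBunk1605HSection$\Library\x.exe
DOLLAR_DIR_RE = re.compile(r"\\\$[^\\]+\$\\")


def parse_report(text):
    """Group each record's detail lines under its 'Behavior description'."""
    records = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Behavior description:"):
            current = line.split(":", 1)[1].strip()
        elif line.startswith("details:"):
            records[current].append(line.split(":", 1)[1].strip())
        elif current is not None:          # continuation line of the same record
            records[current].append(line)
    return dict(records)


def process_events(records):
    """Yield (image, command line) pairs from every process-creation record."""
    for desc, lines in records.items():
        if "process" not in desc.lower() or "thread" in desc.lower():
            continue
        for line in lines:
            m = PROC_RE.match(line)
            if m:
                yield m.group("image").strip(), m.group("cmd").strip()


def triage(records):
    """Return (rule name, evidence) findings for the behaviors seen on this page."""
    findings = []
    for image, cmd in process_events(records):
        base = image.rsplit("\\", 1)[-1].lower()
        args = cmd.lower()
        tokens = args.split()
        # regedit /s imports any file regardless of extension: .ico here is a .reg in disguise
        if base == "regedit.exe" and "/s" in tokens and not args.endswith(".reg"):
            findings.append(("regedit_silent_import_nonreg", cmd))
        if base == "shutdown.exe" and "-r" in tokens and "-t 0" in args:
            findings.append(("forced_immediate_reboot", cmd))
        if base == "msg.exe":               # fake "Windows update" notice to the user
            findings.append(("msg_exe_user_notice", cmd))
        if DOLLAR_DIR_RE.search(image):     # executing out of a $...$ decoy directory
            findings.append(("exec_from_dollar_dir", image))
    for key in records.get("Modify registry", []):
        k = key.lower()
        if "\\classes\\." in k and "\\shellnew\\" in k:
            findings.append(("shellnew_extension_registered", key))
        if k.endswith("\\policies\\system\\enablelua"):
            findings.append(("uac_policy_touched", key))
    privs = set(records.get("Adjust process token privileges", []))
    if "SE_SHUTDOWN_PRIVILEGE" in privs:
        findings.append(("shutdown_privilege_enabled", "SE_SHUTDOWN_PRIVILEGE"))
    return findings


if __name__ == "__main__":
    for name, evidence in triage(parse_report(REPORT)):
        print(f"{name:32} {evidence}")
```

Run as a script it prints one line per finding; the parser keeps the sandbox's masked paths (`%temp%\****.exe`) verbatim, so feed it the full report text and the same rules apply unchanged.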