VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives whose password is 'infected' or 'virus'.

File information
Safety rating:60
Behavior list
Basic Information
MD5:78b976784143472e08e0af6ec8d66b80
file type:EXE
Production company:
version:
Shell or compiler information:COMPILER:Microsoft Visual Studio .NET 2005 -- 2008 -> Microsoft Corporation [RAR SFX] *
Key behavior
Behavior description:Shutdown or reboot
details:N/A
Behavior description:Set special folder attributes
details:C:\$WinBunk1604HSection$
Behavior description:Get TickCount value
details:TickCount = 1162375, SleepMilliseconds = 80000.
TickCount = 1162843, SleepMilliseconds = 80000.
TickCount = 1162875, SleepMilliseconds = 80000.
TickCount = 1162890, SleepMilliseconds = 80000.
TickCount = 1089812, SleepMilliseconds = 5000.
TickCount = 1089828, SleepMilliseconds = 5000.
TickCount = 1089843, SleepMilliseconds = 5000.
TickCount = 1089859, SleepMilliseconds = 5000.
TickCount = 1090093, SleepMilliseconds = 5000.
TickCount = 1090156, SleepMilliseconds = 5000.
TickCount = 1090187, SleepMilliseconds = 5000.
TickCount = 1087500, SleepMilliseconds = 500.
TickCount = 1089046, SleepMilliseconds = 500.
TickCount = 1089078, SleepMilliseconds = 500.
TickCount = 1089187, SleepMilliseconds = 500.
Process behavior
Behavior description:Create process with hidden window
details:ImagePath = C:\$WinBunk1604HSection$\Library\Ra.exe, CmdLine = "C:\$WinBunk1604HSection$\Library\Ra.exe" x -o+ -pp骻飠龘ψ曱戁巭▓§忈嘂奣 C:\$WinBunk1604HSection$\Branding\profiles.dll C:\$WinBunk1604HSection$\Branding\
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = "C:\WINDOWS\system32\cmd.exe" /C C:\$WinBunk1604HSection$\Branding\tc.bat
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = "C:\WINDOWS\system32\cmd.exe" /C C:\$WinBunk1604HSection$\Branding\updata.bat
ImagePath = C:\WINDOWS\system32\shutdown.exe, CmdLine = "C:\WINDOWS\system32\shutdown.exe" -r -f -t 0
Behavior description:Create process
details:ImagePath = C:\WINDOWS\regedit.exe, CmdLine = "C:\WINDOWS\regedit.exe" /s C:\$WinBunk1604HSection$\Branding\tc.lnk
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = "C:\WINDOWS\system32\cmd.exe" /C C:\$WinBunk1604HSection$\Branding\tc.bat
ImagePath = C:\WINDOWS\system32\msg.exe, CmdLine = msg Administrator /time:5 "Windows正在进行重要更新;请不要关闭计算机电源,Windos将自动备份当前未保存的文件。"
(lure text in English: "Windows is performing an important update; please do not power off the computer, Windos [sic] will automatically back up currently unsaved files.")
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = "C:\WINDOWS\system32\cmd.exe" /C C:\$WinBunk1604HSection$\Branding\updata.bat
ImagePath = C:\WINDOWS\system32\msg.exe, CmdLine = msg Administrator /time:20 "Windows已完成以下安全更新,要使更新立即生效,您必须重新启动计算机。1.Microsoft Windows office的安全更新(KB295075786890adjkl)2.Microsoft Windows Microsoft.NET的安全更新(KB29500075785)3.Microsoft Windows Microsoft Works的安全更新(KB2950757853)Windows将在1分钟后自动重新启动您的计算机,请保存好当前未保存的
(lure text in English: "Windows has completed the following security updates; for the updates to take effect immediately you must restart your computer. 1. Security update for Microsoft Windows Office (KB295075786890adjkl) 2. Security update for Microsoft Windows Microsoft .NET (KB29500075785) 3. Security update for Microsoft Windows Microsoft Works (KB2950757853). Windows will automatically restart your computer in 1 minute; please save any currently unsaved"; the text is cut off in the report. The "KB" numbers are malformed (letters, too many digits), which gives the fake notice away.)
ImagePath = C:\WINDOWS\system32\shutdown.exe, CmdLine = "C:\WINDOWS\system32\shutdown.exe" -r -f -t 0
Behavior description:Create process from newly created file
details:ImagePath = C:\$WinBunk1604HSection$\Library\Qlnbfvxtyuingh.com, CmdLine = "C:\$WinBunk1604HSection$\Library\Qlnbfvxtyuingh.com"
ImagePath = C:\$WinBunk1604HSection$\Library\Ra.exe, CmdLine = "C:\$WinBunk1604HSection$\Library\Ra.exe" x -o+ -pp骻飠龘ψ曱戁巭▓§忈嘂奣 C:\$WinBunk1604HSection$\Branding\profiles.dll C:\$WinBunk1604HSection$\Branding\
File behavior
Behavior description:Create file
details:C:\__tmp_rar_sfx_access_check_1073875
C:\$WinBunk1604HSection$\Library\cmd.exe
C:\$WinBunk1604HSection$\Library\Ra.exe
C:\$WinBunk1604HSection$\Branding\basebrd.dll
C:\$WinBunk1604HSection$\Branding\profiles.dll
C:\$WinBunk1604HSection$\Library\Qlnbfvxtyuingh.com
C:\1604.dat
C:\OA\QQ图片20160602173631.png
C:\$WinBunk1604HSection$\Branding\1604.dat
C:\$WinBunk1604HSection$\Branding\updata.bat
C:\$WinBunk1604HSection$\Branding\UP\031997yuinghjklhtHNBZGTYUOMKLFRAOMHSGYABFtemp.inf
C:\$WinBunk1604HSection$\Branding\db.bat
C:\$WinBunk1604HSection$\Branding\db1.lnk
C:\$WinBunk1604HSection$\Branding\db2.lnk
C:\$WinBunk1604HSection$\Branding\lacal.rar
Behavior description:Create executable file
details:C:\$WinBunk1604HSection$\Library\cmd.exe
C:\$WinBunk1604HSection$\Library\Ra.exe
C:\$WinBunk1604HSection$\Library\Qlnbfvxtyuingh.com
Behavior description:Copy file
details:C:\1604.dat ---> C:\$WinBunk1604HSection$\Branding\1604.dat
Behavior description:Delete file
details:C:\__tmp_rar_sfx_access_check_1073875
C:\1604.dat
C:\$WinBunk1604HSection$\Branding\tc.bat
C:\$WinBunk1604HSection$\Branding\tc.lnk
C:\$WinBunk1604HSection$\Branding\updata.bat
Behavior description:Modify BAT script file
details:C:\$WinBunk1604HSection$\Branding\updata.bat ---> Offset = 0
C:\$WinBunk1604HSection$\Branding\db.bat ---> Offset = 0
C:\$WinBunk1604HSection$\Branding\tc.bat ---> Offset = 0
Behavior description:Rename file
details:C:\$WinBunk1604HSection$\Branding\lacal.rar ---> C:\$WinBunk1604HSection$\Branding\userstart.vbe
Behavior description:Set special folder attributes
details:C:\$WinBunk1604HSection$
Behavior description:Modify file content
details:C:\$WinBunk1604HSection$\Library\cmd.exe ---> Offset = 0
C:\$WinBunk1604HSection$\Library\cmd.exe ---> Offset = 65536
C:\$WinBunk1604HSection$\Library\cmd.exe ---> Offset = 131072
C:\$WinBunk1604HSection$\Library\cmd.exe ---> Offset = 307200
C:\$WinBunk1604HSection$\Library\cmd.exe ---> Offset = 308992
C:\$WinBunk1604HSection$\Library\Ra.exe ---> Offset = 0
C:\$WinBunk1604HSection$\Library\Ra.exe ---> Offset = 65536
C:\$WinBunk1604HSection$\Library\Ra.exe ---> Offset = 131072
C:\$WinBunk1604HSection$\Library\Ra.exe ---> Offset = 196608
C:\$WinBunk1604HSection$\Library\Ra.exe ---> Offset = 262144
C:\$WinBunk1604HSection$\Branding\basebrd.dll ---> Offset = 0
C:\$WinBunk1604HSection$\Branding\profiles.dll ---> Offset = 0
C:\$WinBunk1604HSection$\Library\Qlnbfvxtyuingh.com ---> Offset = 0
C:\$WinBunk1604HSection$\Library\Qlnbfvxtyuingh.com ---> Offset = 65536
C:\$WinBunk1604HSection$\Library\Qlnbfvxtyuingh.com ---> Offset = 131072
Registry behavior
Behavior description:Modify registry
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\$WinBunk1604HSection$\Library\Qlnbfvxtyuingh.com
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\$WinBunk1604HSection$\Library\Ra.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\PromptOnSecureDesktop
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorAdmin
(PromptOnSecureDesktop, EnableLUA and ConsentPromptBehaviorAdmin are the UAC policy values. The report records only that they were written, not the data written; the file imported with "regedit /s" above, tc.lnk, is where the actual settings would be found.)
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\shutdown.exe
Behavior description:Delete registry key
details:\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}\
Other behavior
Behavior description:Create mutex
details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
_SHuassist.mtx
(The CTF.*/MSCTF.* mutexes belong to the Windows Text Services Framework and the Local\Zones* mutexes to urlmon's zone cache; they are created in almost any interactive process and are not sample-specific indicators.)
Behavior description:Hide specified window
details:[Window,Class] = [,ComboLBox]
[Window,Class] = [,Auto-Suggest Dropdown]
[Window,Class] = [浏览(&W)...,Button]  (the "Browse(&W)..." button of the SFX destination-folder dialog)
[Window,Class] = [C:\,ComboBox]
Behavior description:Find specified window
details:NtUserFindWindowEx: [Class,Window] = [EDIT,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [RegEdit_RegEdit,]
Behavior description:Get TickCount value
details:(identical TickCount/SleepMilliseconds sequence to the one listed under Key behavior above)
Behavior description:Adjust process token privileges
details:SE_LOAD_DRIVER_PRIVILEGE
SE_SHUTDOWN_PRIVILEGE
SE_REMOTE_SHUTDOWN_PRIVILEGE
Behavior description:Window information
details:Pid = 588, Hwnd=0x203d8, Text = 确定 (OK), ClassName = Button.
Pid = 588, Hwnd=0x103da, Text = Windows正在进行重要更新;请不要关闭计算机电源,Windos将自动备份当前未保存的文件。 (the first msg.exe lure text above), ClassName = Static.
Pid = 588, Hwnd=0x203d4, Text = 来自 Administrator 的消息 2016-6-2 18:01 (Message from Administrator 2016-6-2 18:01), ClassName = #32770.
Pid = 588, Hwnd=0x20460, Text = 确定 (OK), ClassName = Button.
Pid = 588, Hwnd=0x20466, Text = Windows已完成以下安全更新,要使更新立即生效,您必须重新启动计算机。1.Microsoft Windows office的安全更新(KB295075786890adjkl)2.Mi (the second msg.exe lure text above, truncated), ClassName = Static.
Pid = 588, Hwnd=0x40462, Text = 来自 Administrator 的消息 2016-6-2 18:01 (Message from Administrator 2016-6-2 18:01), ClassName = #32770.
Behavior description:Executable file signature information
details:C:\$WinBunk1604HSection$\Library\cmd.exe (signature verification: failed)
C:\$WinBunk1604HSection$\Library\Ra.exe (signature verification: passed)
C:\$WinBunk1604HSection$\Library\Qlnbfvxtyuingh.com (signature verification: failed)
(Ra.exe is driven with the RAR command-line switches x, -o+ and -p<password> above, so a passing signature here only means the dropper bundles a signed archiver; it says nothing about the payload it extracts. The dropped cmd.exe in the Library folder, MD5 6960d29abe74341fab8300db3e6f883d, should be compared against the system copy rather than trusted by name.)
Behavior description:Call Sleep function
details:[1]: MilliSeconds = 80000.
[2]: MilliSeconds = 5000.
[3]: MilliSeconds = 5000.
[4]: MilliSeconds = 500.
[5]: MilliSeconds = 500.
[6]: MilliSeconds = 500.
[7]: MilliSeconds = 500.
Behavior description:Create event object
details:EventName = Global\crypt32LogoffEvent
Behavior description:Shutdown or reboot
details:N/A
Behavior description:Executable file MD5
details:C:\$WinBunk1604HSection$\Library\cmd.exe ---> 6960d29abe74341fab8300db3e6f883d
C:\$WinBunk1604HSection$\Library\Ra.exe ---> 1e23843d7faa3792ba9fa95bc3066065
C:\$WinBunk1604HSection$\Library\Qlnbfvxtyuingh.com ---> File too large! (not hashed by the sandbox)
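Read as a whole, the report above describes a RAR SFX dropper: it stages files in a $...$ folder under C:\, uses a bundled RAR binary to extract a password-protected inner archive (the password is visible on the captured command line), writes the three UAC policy values, shows a fake "Windows update" notice with msg.exe, and forces an immediate reboot. The following Python is an added triage helper, not VirSCAN's code: it parses the "Behavior description:" / "details:" layout as it appears on this page (an assumption about the page layout, not a documented VirSCAN export format) and scores those indicators. SAMPLE_REPORT is a constructed excerpt of the report above with the labels translated to English; the indicator names, weights and threshold are arbitrary choices for illustration.

```python
"""Triage a VirSCAN-style behaviour report for the SFX-dropper pattern above.

Added example, not VirSCAN's code. Assumes the 'Behavior description:' /
'details:' line layout seen on this page. SAMPLE_REPORT is a constructed
excerpt of the report with translated labels and the same data.
"""
import re
from collections import defaultdict

SAMPLE_REPORT = "\n".join([  # constructed from the report above
    r"Behavior description:Create process with hidden window",
    r'details:ImagePath = C:\$WinBunk1604HSection$\Library\Ra.exe, CmdLine = "C:\$WinBunk1604HSection$\Library\Ra.exe" x -o+ -pp骻飠龘ψ曱戁巭▓§忈嘂奣 C:\$WinBunk1604HSection$\Branding\profiles.dll C:\$WinBunk1604HSection$\Branding' + "\\",
    r'ImagePath = C:\WINDOWS\system32\shutdown.exe, CmdLine = "C:\WINDOWS\system32\shutdown.exe" -r -f -t 0',
    r"Behavior description:Create process",
    r'details:ImagePath = C:\WINDOWS\regedit.exe, CmdLine = "C:\WINDOWS\regedit.exe" /s C:\$WinBunk1604HSection$\Branding\tc.lnk',
    r'ImagePath = C:\WINDOWS\system32\msg.exe, CmdLine = msg Administrator /time:5 "Windows is performing an important update; do not power off."',
    r'ImagePath = C:\WINDOWS\system32\shutdown.exe, CmdLine = "C:\WINDOWS\system32\shutdown.exe" -r -f -t 0',
    r"Behavior description:Modify registry",
    r"details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\$WinBunk1604HSection$\Library\Ra.exe",
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\PromptOnSecureDesktop",
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA",
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorAdmin",
    r"Behavior description:Adjust process token privileges",
    r"details:SE_LOAD_DRIVER_PRIVILEGE",
    r"SE_SHUTDOWN_PRIVILEGE",
    r"Behavior description:Executable signature information",
    r"details:C:\$WinBunk1604HSection$\Library\cmd.exe(signature verification: failed)",
    r"C:\$WinBunk1604HSection$\Library\Ra.exe(signature verification: passed)",
])

PROC_RE = re.compile(r"ImagePath = (?P<image>[^,]+), CmdLine = (?P<cmd>.*)")
RAR_PW_RE = re.compile(r"(?:^|\s)-p(\S+)")                    # rar -p<password> switch
STAGING_DIR_RE = re.compile(r"^[A-Z]:\\\$[^\\]+\$\\", re.I)  # C:\$...$\ lookalike of $NtUninstall...$ dirs
UAC_POLICY_KEY = r"\currentversion\policies\system"
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}
SHUTDOWN_PRIVS = {"SE_SHUTDOWN_PRIVILEGE", "SE_REMOTE_SHUTDOWN_PRIVILEGE", "SE_LOAD_DRIVER_PRIVILEGE"}
WEIGHTS = {"uac_policy_write": 4, "forced_reboot": 3, "user_lure_msg": 2, "silent_reg_import": 2,
           "staged_from_hidden_dir": 2, "archive_password": 1, "sensitive_privilege": 1,
           "unsigned_dropped_exe": 1}  # arbitrary illustration weights


def parse_report(text):
    """Group detail lines under their 'Behavior description:' label."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Behavior description:"):
            current = line.split(":", 1)[1].strip()
            continue
        if line.startswith("details:"):
            line = line[len("details:"):].strip()
        if current is not None and line:
            sections[current].append(line)
    return dict(sections)


def process_launches(sections):
    """Yield (image, cmdline) from every section whose label mentions a process."""
    for label, lines in sections.items():
        if "process" not in label.lower():
            continue
        for line in lines:
            m = PROC_RE.match(line)  # non-matching lines (e.g. privilege names) are skipped
            if m:
                yield m.group("image").strip(), m.group("cmd").strip()


def _add(hits, key, value):
    if value not in hits[key]:  # the same shutdown line appears in two sections
        hits[key].append(value)


def triage(text):
    """Return {indicator: [evidence]} for the dropper behaviours this report documents."""
    sections = parse_report(text)
    hits = defaultdict(list)
    for image, cmd in process_launches(sections):
        exe = image.rsplit("\\", 1)[-1].lower()
        args = cmd.split()
        if exe == "shutdown.exe" and "-f" in args:      # forced, immediate reboot
            _add(hits, "forced_reboot", cmd)
        elif exe == "msg.exe":                          # fake "Windows update" prompt
            _add(hits, "user_lure_msg", cmd)
        elif exe == "regedit.exe" and "/s" in args:     # silent .reg import
            _add(hits, "silent_reg_import", cmd)
        m = RAR_PW_RE.search(cmd)
        if m:                                           # password recoverable from the log
            _add(hits, "archive_password", m.group(1))
        if STAGING_DIR_RE.match(image):
            _add(hits, "staged_from_hidden_dir", image)
    for path in sections.get("Modify registry", []):
        key, _, value = path.rpartition("\\")
        if key.lower().endswith(UAC_POLICY_KEY) and value in UAC_VALUES:
            _add(hits, "uac_policy_write", value)
    for priv in sections.get("Adjust process token privileges", []):
        if priv in SHUTDOWN_PRIVS:
            _add(hits, "sensitive_privilege", priv)
    suffix = "(signature verification: failed)"
    for line in sections.get("Executable signature information", []):
        if line.endswith(suffix):
            _add(hits, "unsigned_dropped_exe", line[:-len(suffix)])
    return dict(hits)


def score(hits):
    """Weighted sum of fired indicators; 6 or more is a confident dropper call here."""
    return sum(WEIGHTS.get(k, 0) for k, v in hits.items() if v)


if __name__ == "__main__":
    found = triage(SAMPLE_REPORT)
    for k, v in found.items():
        print(f"{k}: {v}")
    print("score:", score(found))
```

The parser is deliberately tolerant of the report's quirks: detail lines carry the "details:" prefix only on the first line of each section, and the same shutdown.exe launch is listed under two different behaviour labels, so evidence is deduplicated per indicator. The extracted archive password is what lets an analyst unpack profiles.dll from the dropped files without the sample.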