VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives whose password is 'infected' or 'virus'.


File information
Safety rating:50
Behavior list
Basic Information
MD5:8c276088c2108cc81348efb483cd021b
file type:EXE
Production company:
version:
Shell or compiler information:PACKER:UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]
Subfile information:upx_c_c61807dcdumpFile / 4b8e690b37fe2ffabe2134d92fbe0458 / EXE
Key behavior
Behavior description:Kill process
details:TASKKILL = taskkill /f /im Ksafetray.exe
C:\WINDOWS\system32\ksafetray.exe
Behavior description:Get TickCount value
details:TickCount = 825828, SleepMilliseconds = 600000.
TickCount = 830796, SleepMilliseconds = 600000.
TickCount = 830812, SleepMilliseconds = 600000.
TickCount = 837500, SleepMilliseconds = 600000.
TickCount = 237796, SleepMilliseconds = 250.
TickCount = 238312, SleepMilliseconds = 500.
TickCount = 238359, SleepMilliseconds = 500.
TickCount = 238375, SleepMilliseconds = 500.
TickCount = 238390, SleepMilliseconds = 500.
TickCount = 844484, SleepMilliseconds = 600000.
TickCount = 244492, SleepMilliseconds = 8.
TickCount = 244508, SleepMilliseconds = 8.
TickCount = 247633, SleepMilliseconds = 8.
TickCount = 250758, SleepMilliseconds = 8.
TickCount = 253883, SleepMilliseconds = 8.
Behavior description:Capture window screenshot information
details:Foreground window Info: HWND = 0x0003033c, DC = 0x0c0101e7.
Foreground window Info: HWND = 0x0003033c, DC = 0x0a010375.
Foreground window Info: HWND = 0x0003033c, DC = 0x01010055.
Foreground window Info: HWND = 0x0003033c, DC = 0x01010057.
Behavior description:Create system service
details:[Service created successfully]: Net CLR, C:\Documents and Settings\Administrator\Local Settings\Temp\\spowqc
Behavior description:Process privilege escalation information
details:NT AUTHORITY\SYSTEM
Process behavior
Behavior description:Create process with hidden window
details:ImagePath = , CmdLine = taskkill /f /im Ksafetray.exe
ImagePath = , CmdLine = kwwq.bat
Behavior description:Create process
details:[0x00000c14]ImagePath = C:\WINDOWS\system32\taskkill.exe, CmdLine = taskkill /f /im Ksafetray.exe
[0x00000da0]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c kwwq.bat
Behavior description:Create process from newly created file
details:[0x00000b28]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temp\Vatione极速版端口爆破神器.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temp\Vatione极速版端口爆破神器.exe"
[0x00000b40]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temp\svchost.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temp\svchost.exe"
[0x00000d14]ImagePath = C:\Documents and Settings\Administrator\Local Settings\Temp\spowqc, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\Temp\\spowqc"
[0x00000dac]ImagePath = C:\Documents and Settings\Administrator\Local Settings\Temp\spowqc, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\Temp\spowqc"
Behavior description:Enumerate processes
details:N/A
Behavior description:Kill process
details:TASKKILL = taskkill /f /im Ksafetray.exe
C:\WINDOWS\system32\ksafetray.exe
Behavior description:Create local thread
details:TargetProcess: svchost.exe, InheritedFromPID = 2776, ProcessID = 2880, ThreadID = 3016, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: svchost.exe, InheritedFromPID = 2776, ProcessID = 2880, ThreadID = 3100, StartAddress = 77C0A341, Parameter = 00914CD8
TargetProcess: taskkill.exe, InheritedFromPID = 2880, ProcessID = 3092, ThreadID = 3112, StartAddress = 77E56C7D, Parameter = 000EAC30
TargetProcess: taskkill.exe, InheritedFromPID = 2880, ProcessID = 3092, ThreadID = 3116, StartAddress = 769AE43B, Parameter = 000ED5D0
TargetProcess: taskkill.exe, InheritedFromPID = 2880, ProcessID = 3092, ThreadID = 3120, StartAddress = 77E56C7D, Parameter = 000EDD58
TargetProcess: spowqc, InheritedFromPID = 652, ProcessID = 3348, ThreadID = 3476, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: spowqc, InheritedFromPID = 652, ProcessID = 3348, ThreadID = 3480, StartAddress = 77C0A341, Parameter = 00914910
TargetProcess: spowqc, InheritedFromPID = 652, ProcessID = 3348, ThreadID = 3484, StartAddress = 77DC3519, Parameter = 0019BC58
TargetProcess: spowqc, InheritedFromPID = 3348, ProcessID = 3500, ThreadID = 3576, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: spowqc, InheritedFromPID = 3348, ProcessID = 3500, ThreadID = 3592, StartAddress = 77C0A341, Parameter = 00914A10
TargetProcess: spowqc, InheritedFromPID = 3348, ProcessID = 3500, ThreadID = 3596, StartAddress = 77C0A341, Parameter = 00914A10
TargetProcess: spowqc, InheritedFromPID = 3348, ProcessID = 3500, ThreadID = 3600, StartAddress = 77C0A341, Parameter = 00914A10
TargetProcess: spowqc, InheritedFromPID = 3348, ProcessID = 3500, ThreadID = 3632, StartAddress = 77C0A341, Parameter = 00914A10
TargetProcess: spowqc, InheritedFromPID = 3348, ProcessID = 3500, ThreadID = 3664, StartAddress = 77C0A341, Parameter = 00914A10
TargetProcess: spowqc, InheritedFromPID = 3348, ProcessID = 3500, ThreadID = 3720, StartAddress = 77C0A341, Parameter = 00914CD0
Behavior description:Process privilege escalation information
details:NT AUTHORITY\SYSTEM
File behavior
Behavior description:Create file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\Temp\Vatione极速版端口爆破神器.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Temp\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\perfectwhistler2.ini
C:\Documents and Settings\Administrator\Local Settings\Temp\spowqc
C:\Documents and Settings\Administrator\Local Settings\%temp%\kwwq.bat
Behavior description:Create executable file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\Temp\Vatione极速版端口爆破神器.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Temp\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\spowqc
Behavior description:Modify script file
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\kwwq.bat ---> Offset = 0
Behavior description:Copy file
details:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temp\svchost.exe ---> C:\Documents and Settings\Administrator\Local Settings\Temp\\spowqc
Behavior description:Delete file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\perfectwhistler2.ini
C:\Documents and Settings\Administrator\Local Settings\%temp%\kwwq.bat
Behavior description:Search for file
details:FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\My Documents
FileName = C:\Documents and Settings\All Users
FileName = C:\Documents and Settings\All Users\Documents
FileName = C:\Documents and Settings\Administrator\桌面
FileName = C:\Documents and Settings\All Users\桌面
FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temp\svchost.exe
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
Behavior description:Modify file contents
details:C:\Documents and Settings\Administrator\Local Settings\Temp\Temp\Vatione极速版端口爆破神器.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\Temp\svchost.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\perfectwhistler2.ini ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\spowqc ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\spowqc ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\spowqc ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\spowqc ---> Offset = 4096
C:\Documents and Settings\Administrator\Local Settings\Temp\spowqc ---> Offset = 135168
C:\Documents and Settings\Administrator\Local Settings\Temp\spowqc ---> Offset = 136192
C:\Documents and Settings\Administrator\Local Settings\Temp\spowqc ---> Offset = 137216
C:\Documents and Settings\Administrator\Local Settings\Temp\spowqc ---> Offset = 138240
C:\Documents and Settings\Administrator\Local Settings\Temp\spowqc ---> Offset = 139264
Behavior description:Modify newly generated executable
details:C:\Documents and Settings\Administrator\Local Settings\Temp\spowqc
Network behavior
Behavior description:Establish connection to a specified socket
details:URL: ha****et, IP: **.133.40.**:8888, SOCKET = 0x00000114
Behavior description:Resolve host address by name
details:gethostbyname: ha****et
Registry behavior
Behavior description:Modify registry
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temp\Vatione极速版端口爆破神器.exe
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temp\svchost.exe
\REGISTRY\MACHINE\SOFTWARE\death\Net CLR\MarkTime
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Net CLR\Description
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec
Other behavior
Behavior description:Create mutex
details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
MSCTF.Shared.MUTEX.IOH
(unprintable mutex name: binary data, not recoverable from the report)
MSCTF.Shared.MUTEX.MCL
Behavior description:Create event object
details:EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceive.Event.MCL.IC
EventName = MSCTF.SendReceiveConection.Event.MCL.IC
Behavior description:Open event
details:HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
CTF.ThreadMIConnectionEvent.000007E8.00000000.0000000F
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.0000000F
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
MSFT.VSA.COM.DISABLE.3092
MSFT.VSA.IEC.STATUS.6c736db0
Global\SvcctrlStartEvent_A3752DX
\INSTALLATION_SECURITY_HOLD
Behavior description:Find specified window
details:NtUserFindWindowEx: [Class,Window] = [msctls_updown32,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [MS_WINHELP,]
Behavior description:Start system service
details:[Service started successfully]: LocalSystem, Microsoft Net Framework COM+ Support, C:\Documents and Settings\Administrator\Local Settings\Temp\\spowqc
Behavior description:Enumerate windows
details:N/A
Behavior description:Get TickCount value
details:TickCount = 825828, SleepMilliseconds = 600000.
TickCount = 830796, SleepMilliseconds = 600000.
TickCount = 830812, SleepMilliseconds = 600000.
TickCount = 837500, SleepMilliseconds = 600000.
TickCount = 237796, SleepMilliseconds = 250.
TickCount = 238312, SleepMilliseconds = 500.
TickCount = 238359, SleepMilliseconds = 500.
TickCount = 238375, SleepMilliseconds = 500.
TickCount = 238390, SleepMilliseconds = 500.
TickCount = 844484, SleepMilliseconds = 600000.
TickCount = 244492, SleepMilliseconds = 8.
TickCount = 244508, SleepMilliseconds = 8.
TickCount = 247633, SleepMilliseconds = 8.
TickCount = 250758, SleepMilliseconds = 8.
TickCount = 253883, SleepMilliseconds = 8.
Behavior description:Create system service
details:[Service created successfully]: Net CLR, C:\Documents and Settings\Administrator\Local Settings\Temp\\spowqc
Behavior description:Adjust process token privileges
details:SE_LOAD_DRIVER_PRIVILEGE
SE_DEBUG_PRIVILEGE
SE_ASSIGNPRIMARYTOKEN_PRIVILEGE
Behavior description:Window information
details:Pid = 2856, Hwnd=0x10348, Text = Settings, ClassName = TTabSheet.
Pid = 2856, Hwnd=0x10382, Text = Import scanned IPs:, ClassName = TGroupBox.
Pid = 2856, Hwnd=0x10388, Text = Clear, ClassName = TButton.
Pid = 2856, Hwnd=0x10386, Text = Import, ClassName = TButton.
Pid = 2856, Hwnd=0x10380, Text = 8080, ClassName = TEdit.
Pid = 2856, Hwnd=0x1037e, Text = 1000, ClassName = TEdit.
Pid = 2856, Hwnd=0x1037c, Text = 10, ClassName = TEdit.
Pid = 2856, Hwnd=0x2034c, Text = Username:, ClassName = TGroupBox.
Pid = 2856, Hwnd=0x1037a, Text = Import, ClassName = TButton.
Pid = 2856, Hwnd=0x10378, Text = admin , ClassName = TMemo.
Pid = 2856, Hwnd=0x1034a, Text = Password:, ClassName = TGroupBox.
Pid = 2856, Hwnd=0x10376, Text = Import, ClassName = TButton.
Pid = 2856, Hwnd=0x10374, Text = admin 147258369 369258147 258147 147258 258369 369258 159357 12 123 1234 12345 123456 1234567 12345678 123456789 1, ClassName = TMemo.
Pid = 2856, Hwnd=0x1035e, Text = Info, ClassName = TTabSheet.
Pid = 2856, Hwnd=0x1036c, Text = Address range:, ClassName = TGroupBox.
Behavior description:Signature information of modified executable
details:C:\Documents and Settings\Administrator\Local Settings\Temp\spowqc (signature verification: failed)
Behavior description:Capture window screenshot information
details:Foreground window Info: HWND = 0x0003033c, DC = 0x0c0101e7.
Foreground window Info: HWND = 0x0003033c, DC = 0x0a010375.
Foreground window Info: HWND = 0x0003033c, DC = 0x01010055.
Foreground window Info: HWND = 0x0003033c, DC = 0x01010057.
Behavior description:Executable signature information
details:C:\Documents and Settings\Administrator\Local Settings\Temp\Temp\Vatione极速版端口爆破神器.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\Temp\svchost.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\spowqc (signature verification: failed)
Behavior description:Call Sleep function
details:[1]: MilliSeconds = 600000.
[2]: MilliSeconds = 600000.
[3]: MilliSeconds = 600000.
[2]: MilliSeconds = 500.
[4]: MilliSeconds = 250.
[2]: MilliSeconds = 8.
[3]: MilliSeconds = 8.
[4]: MilliSeconds = 1000.
[5]: MilliSeconds = 8.
[6]: MilliSeconds = 8.
[7]: MilliSeconds = 8.
[8]: MilliSeconds = 8.
[9]: MilliSeconds = 8.
[10]: MilliSeconds = 8.
Behavior description:Hide specified window
details:[Window,Class] = [Vatione端口爆破神器 QQ53579978 官网www.vatione.org,TForm1]
Behavior description:Executable MD5
details:C:\Documents and Settings\Administrator\Local Settings\Temp\Temp\Vatione极速版端口爆破神器.exe ---> 01764a3d9f4f939b91e81cfafe16bc14
C:\Documents and Settings\Administrator\Local Settings\Temp\Temp\svchost.exe ---> fc9203376b941207b6e0157e346dba67
C:\Documents and Settings\Administrator\Local Settings\Temp\spowqc ---> fc9203376b941207b6e0157e346dba67
Behavior description:Open mutex
details:Local\!IETld!Mutex
ShimCacheMutex
Behavior description:MD5 of modified executable
details:C:\Documents and Settings\Administrator\Local Settings\Temp\spowqc ---> File too large!
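The behavior list above is raw sandbox output; what a responder wants from it is the handful of indicators that matter: the `taskkill` against a security product's tray process, a service whose binary lives in a user Temp directory, an `svchost.exe` dropped outside `%SystemRoot%`, ten-minute `Sleep` calls that outlast a sandbox timeout, and the hashes and hostname to block. The following triage script is an added example, not part of the VirSCAN report or the VirSCAN service; it parses a constructed excerpt written in the report's own line format and flags those patterns. The list of security-product process names, the 300-second sleep threshold and the Temp-path pattern are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed excerpt in the report's line format (not the full page above).
SAMPLE_REPORT = r"""Process behavior
Behavior description:Create process
details:[0x00000c14]ImagePath = C:\WINDOWS\system32\taskkill.exe, CmdLine = taskkill /f /im Ksafetray.exe
[0x00000da0]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c kwwq.bat
Behavior description:Create executable file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\Temp\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\spowqc
Other behavior
Behavior description:Create system service
details:[Service created successfully]: Net CLR, C:\Documents and Settings\Administrator\Local Settings\Temp\\spowqc
Behavior description:Call Sleep function
details:[1]: MilliSeconds = 600000.
[2]: MilliSeconds = 500.
Behavior description:Executable MD5
details:C:\Documents and Settings\Administrator\Local Settings\Temp\spowqc ---> fc9203376b941207b6e0157e346dba67
Behavior description:Resolve host address by name
details:gethostbyname: ha****et
"""

SECTION_HEADERS = {"Key behavior", "Process behavior", "File behavior",
                   "Network behavior", "Registry behavior", "Other behavior"}
# Assumption: illustrative list of AV tray processes; extend for your estate.
SECURITY_PRODUCT_IMAGES = {"ksafetray.exe", "360tray.exe"}
# Assumption: binaries that should only ever run from %SystemRoot%.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe"}
# Assumption: a single Sleep of 5 minutes or more is treated as timeout evasion.
LONG_SLEEP_MS = 300_000
USER_TEMP_RE = re.compile(r"\\(Local Settings|AppData\\Local)\\Temp\\", re.IGNORECASE)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)


def parse_report(text):
    """Group detail lines under their 'Behavior description:' heading."""
    behaviors = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in SECTION_HEADERS:
            continue
        if line.startswith("Behavior description:"):
            current = line.split(":", 1)[1].strip()
            continue
        if line.startswith("details:"):
            line = line[len("details:"):].strip()
        if current is not None:
            behaviors[current].append(line)
    return dict(behaviors)


def analyse(behaviors):
    """Return (finding_type, evidence) tuples for the suspicious patterns."""
    findings = []
    # taskkill /f /im <image> aimed at a security product
    for line in behaviors.get("Create process", []):
        m = re.search(r"taskkill\s+/f\s+/im\s+(\S+)", line, re.IGNORECASE)
        if m and m.group(1).lower() in SECURITY_PRODUCT_IMAGES:
            findings.append(("av_kill", m.group(1)))
    # service registered with a binary under a user-writable Temp directory
    for line in behaviors.get("Create system service", []):
        m = re.search(r"\]:\s*(.+?),\s*(.+)$", line)
        if m and USER_TEMP_RE.search(m.group(2)):
            findings.append(("service_in_temp", m.group(1)))
    # dropped file named like a system binary but outside the Windows directory
    for path in behaviors.get("Create executable file", []):
        name = path.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_BINARY_NAMES and "\\windows\\" not in path.lower():
            findings.append(("masquerade", path))
    # long Sleep calls that outlast a typical sandbox run
    for line in behaviors.get("Call Sleep function", []):
        m = re.search(r"MilliSeconds\s*=\s*(\d+)", line)
        if m and int(m.group(1)) >= LONG_SLEEP_MS:
            findings.append(("long_sleep", int(m.group(1))))
    return findings


def extract_iocs(behaviors):
    """Collect hashes and resolved hostnames for blocking or hunting."""
    md5s, hosts = set(), set()
    for line in behaviors.get("Executable MD5", []):
        md5s.update(h.lower() for h in MD5_RE.findall(line))
    for line in behaviors.get("Resolve host address by name", []):
        if ":" in line:
            hosts.add(line.split(":", 1)[1].strip())
    return {"md5": sorted(md5s), "hosts": sorted(hosts)}


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for kind, evidence in analyse(parsed):
        print(f"{kind:16} {evidence}")
    print(extract_iocs(parsed))
```

The hostname in the report is masked by VirSCAN (`ha****et`), so it is carried through as-is rather than guessed; the MD5 `fc9203376b941207b6e0157e346dba67` is shared by the dropped `svchost.exe` and the service binary `spowqc`, which confirms the copy step in the file-behavior section.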