VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected compressed files if the password is 'infected' or 'virus'.

File information
Safety rating: 81
Behavior list
Basic Information
MD5: b3e4b598572b88f19d26c595574be8c8
File type: EXE
Production company:
Version: 1.2.3.1---1.2.3.1
Shell or compiler information: COMPILER:
Key behavior
Behavior description: Get TickCount value
Details: TickCount = 5352322, SleepMilliseconds = 10.
TickCount = 5352353, SleepMilliseconds = 10.
TickCount = 5352510, SleepMilliseconds = 10.
TickCount = 5352541, SleepMilliseconds = 10.
TickCount = 5352556, SleepMilliseconds = 10.
TickCount = 5352572, SleepMilliseconds = 10.
TickCount = 5352588, SleepMilliseconds = 10.
TickCount = 5352603, SleepMilliseconds = 10.
TickCount = 5352619, SleepMilliseconds = 10.
TickCount = 5352635, SleepMilliseconds = 10.
TickCount = 5352650, SleepMilliseconds = 10.
TickCount = 5352666, SleepMilliseconds = 10.
TickCount = 5352681, SleepMilliseconds = 10.
TickCount = 5352697, SleepMilliseconds = 10.
TickCount = 5352713, SleepMilliseconds = 10.
Process behavior
Behavior description: Create local thread
Details: TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 968, ThreadID = 896, StartAddress = 10001050, Parameter = 00400000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 968, ThreadID = 1808, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 968, ThreadID = 1048, StartAddress = 010D1018, Parameter = 001CF4A8
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 968, ThreadID = 328, StartAddress = 010D1018, Parameter = 001CF4A8
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 968, ThreadID = 2244, StartAddress = 010D1018, Parameter = 001CF4A8
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 968, ThreadID = 2368, StartAddress = 010D1018, Parameter = 001CF4A8
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 968, ThreadID = 2440, StartAddress = 010D1018, Parameter = 001CF4A8
Behavior description: Enumerate processes
Details: N/A
File behavior
Behavior description: Create file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\nsr52.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsc53.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp\PopWnd.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp\riliUI.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp\System.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp\socket2.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp\nso59.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp\NSISdl.dll
Behavior description: Create executable file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp\PopWnd.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp\riliUI.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp\System.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp\socket2.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp\NSISdl.dll
Behavior description: Overwrite existing file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\nsc53.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp\nso59.tmp
Behavior description: Search for file
Details: FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss54.tmp
FileName = C:\WINDOWS\易游网娱平台\uninstall.exe
Behavior description: Delete file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\nsr52.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsc53.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp\nso59.tmp
Behavior description: Modify file content
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\nsc53.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nsc53.tmp ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\Temp\nsc53.tmp ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\nsc53.tmp ---> Offset = 98304
C:\Documents and Settings\Administrator\Local Settings\Temp\nsc53.tmp ---> Offset = 129184
C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp\PopWnd.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp\riliUI.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp\System.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp\socket2.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp\socket2.dll ---> Offset = 16384
C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp\socket2.dll ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp\NSISdl.dll ---> Offset = 0
Network behavior
Behavior description: Establish a connection to a specified socket
Details: URL: co****om, IP: **.133.40.**:80, SOCKET = 0x00000678
URL: co****om, IP: **.133.40.**:80, SOCKET = 0x0000067c
URL: co****om, IP: **.133.40.**:80, SOCKET = 0x00000688
URL: co****om, IP: **.133.40.**:80, SOCKET = 0x0000068c
URL: co****om, IP: **.133.40.**:80, SOCKET = 0x00000690
Behavior description: Send HTTP packet
Details: GET /cfg.php?qid=0996&rand=8796755332563&flag=1029 HTTP/1.0 Host: co****om User-Agent: NSISDL/1.2 (Mozilla) Accept: */*
Behavior description: Get host address by name
Details: gethostbyname: co****om
Other behavior
Behavior description: Create mutex
Details: oleacc-msaa-loaded
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Behavior description: Create event object
Details: EventName = Global\userenv: User Profile setup event
EventName = InitializeDialogEvent
Behavior description: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behavior description: Window information
Details: Pid = 968, Hwnd=0xf035e, Text = 安装程序正在加载中,请稍等..., ClassName = Static.
Behavior description: Adjust process token privileges
Details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Open event
Details: HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
Behavior description: Executable file signature information
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp\PopWnd.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp\riliUI.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp\System.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp\socket2.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp\NSISdl.dll (signature verification: failed)
Behavior description: Executable file MD5
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp\PopWnd.dll ---> c7467c73f340484044f9b80002d7cac7
C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp\riliUI.dll ---> 0ccc0b4b0b610d5fd681390b055d06c8
C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp\System.dll ---> 960a5c48e25cf2bca332e74e11d825c9
C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp\socket2.dll ---> d75cedafa11c61f80c5caba24198a0d9
C:\Documents and Settings\Administrator\Local Settings\Temp\nss54.tmp\NSISdl.dll ---> a5a4cee2eb89d2687c05ef74299f0dba
Behavior description: Open mutex
Details: ShimCacheMutex
Behavior description: Load newly dropped file
Details: Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss54.tmp\PopWnd.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss54.tmp\riliUI.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss54.tmp\System.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss54.tmp\socket2.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss54.tmp\NSISdl.dll.
Run screenshot