VirSCAN VirSCAN

1, E' possibile CARICARE qualsiasi file, ma c'è un limite di 20 MB per file.
2, VirSCAN supporta la decompressione Rar/Zip, ma deve essere minore di 20 file.
3, VirSCAN può eseguire la scansione dei file compressi con password 'infected' o 'virus'.
4, Se il tuo browser non può caricare file, per favore scarica uploader VirSCAN per caricare.

Lingua
Carico del server
Server Load

VirSCAN
VirSCAN

1, E' possibile CARICARE qualsiasi file, ma c'è un limite di 20 MB per file.
2, VirSCAN supporta la decompressione Rar/Zip, ma deve essere minore di 20 file.
3, VirSCAN può eseguire la scansione dei file compressi con password 'infected' o 'virus'.

   Informazioni sui file

Rapporto di scansione multi-motore Virscan.org
Rapporto di analisi del comportamento:         Analisi dei file Habo

Informazioni di base

MD5:241c30a079887fca07d97b5f8ad06b8b
文件大小:5.58MB
上传时间: 2014-09-22 10:36:30 (CST)
Nome del pacchetto:
Ambiente operativo minimo:
diritto d'autore:

Comportamento chiave

Descrizione del comportamento: 常规加载驱动
Per ulteriori informazioni: \??\C:\WINDOWS\system32\drivers\uWall.sys
Descrizione del comportamento: 设置特殊文件夹属性
Per ulteriori informazioni: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012019032820190329
Descrizione del comportamento: 创建系统服务
Per ulteriori informazioni: [服务创建成功]: uWall, C:\WINDOWS\system32\drivers\uWall.sys
Descrizione del comportamento: 获取TickCount值
Per ulteriori informazioni: TickCount = 278765, SleepMilliseconds = 60000.
TickCount = 278781, SleepMilliseconds = 60000.
TickCount = 278796, SleepMilliseconds = 60000.
TickCount = 278843, SleepMilliseconds = 60000.
TickCount = 278859, SleepMilliseconds = 60000.
TickCount = 278968, SleepMilliseconds = 60000.
TickCount = 279000, SleepMilliseconds = 60000.
TickCount = 279062, SleepMilliseconds = 60000.
TickCount = 279109, SleepMilliseconds = 60000.
TickCount = 279140, SleepMilliseconds = 60000.
TickCount = 281453, SleepMilliseconds = 60000.
TickCount = 281468, SleepMilliseconds = 60000.
TickCount = 281515, SleepMilliseconds = 60000.
TickCount = 281593, SleepMilliseconds = 60000.
TickCount = 281609, SleepMilliseconds = 60000.

Comportamento del processo

Descrizione del comportamento: 创建本地线程
Per ulteriori informazioni: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2952, ThreadID = 2976, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2952, ThreadID = 3016, StartAddress = 77E56C7D, Parameter = 001A2860
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2952, ThreadID = 3020, StartAddress = 769AE43B, Parameter = 001A5030
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2952, ThreadID = 3036, StartAddress = 77F56ED3, Parameter = 0012F994
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2952, ThreadID = 3080, StartAddress = 6359727B, Parameter = 00250A98
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2952, ThreadID = 3088, StartAddress = 769AE43B, Parameter = 001E0BC0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2952, ThreadID = 3092, StartAddress = 77E56C7D, Parameter = 0026E9A8
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2952, ThreadID = 3100, StartAddress = 35C51A30, Parameter = 0287028C
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2952, ThreadID = 3104, StartAddress = 35C51A30, Parameter = 0287028C
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2952, ThreadID = 3108, StartAddress = 35C51A30, Parameter = 0287028C
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2952, ThreadID = 3112, StartAddress = 35C51A30, Parameter = 0287028C
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2952, ThreadID = 3128, StartAddress = 6359727B, Parameter = 00284CD8
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2952, ThreadID = 3144, StartAddress = 4A426B97, Parameter = 00C7E000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2952, ThreadID = 3148, StartAddress = 4A426D10, Parameter = 4A410000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2952, ThreadID = 3152, StartAddress = 4A426D10, Parameter = 4A410000

Comportamento del file

Descrizione del comportamento: 创建文件
Per ulteriori informazioni: C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\plugins\uWallEB.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\css\bootstrap.min.css
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\css\main.css
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\img\glyphicons-halflings-white.png
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\img\glyphicons-halflings.png
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\img\slash.png
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\img\Thumbs.db
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\index.html
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\js\bootstrap.min.js
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\js\handlebars.js
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\js\jquery.min.js
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\js\jquery.slimscroll.min.js
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\js\main.js
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\lang\en-us
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\lang\zh-cn
Descrizione del comportamento: 创建可执行文件
Per ulteriori informazioni: C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\plugins\uWallEB.dll
Descrizione del comportamento: 查找文件
Per ulteriori informazioni: FileName = plugins\*.dll
FileName = C:\DOCUME~1
FileName = C:\Documents and Settings\ADMINI~1
FileName = C:\Documents and Settings\Administrator\LOCALS~1
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\index.html
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\css\bootstrap.min.css
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\css\main.css
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\js\jquery.min.js
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\js\bootstrap.min.js
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\js\handlebars.js
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\js\jquery.slimscroll.min.js
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\js\main.js
Descrizione del comportamento: 删除文件
Per ulteriori informazioni: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012016091220160913\index.dat
C:\WINDOWS\system32\drivers\uWall.sys
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\index.html
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\lang\en-us
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\lang\zh-cn
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\js\bootstrap.min.js
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\js\handlebars.js
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\js\jquery.min.js
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\js\jquery.slimscroll.min.js
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\js\main.js
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\img\glyphicons-halflings-white.png
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\img\glyphicons-halflings.png
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\img\slash.png
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\img\Thumbs.db
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\css\bootstrap.min.css
Descrizione del comportamento: 设置特殊文件夹属性
Per ulteriori informazioni: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012019032820190329
Descrizione del comportamento: 修改文件内容
Per ulteriori informazioni: C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\plugins\uWallEB.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\plugins\uWallEB.dll ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\plugins\uWallEB.dll ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\plugins\uWallEB.dll ---> Offset = 98304
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\plugins\uWallEB.dll ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\css\bootstrap.min.css ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\css\bootstrap.min.css ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\css\bootstrap.min.css ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\css\bootstrap.min.css ---> Offset = 98304
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\css\main.css ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\img\glyphicons-halflings-white.png ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\img\glyphicons-halflings.png ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\img\slash.png ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\img\Thumbs.db ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\resource\index.html ---> Offset = 0

Comportamento di rete

Descrizione del comportamento: 连接指定站点
Per ulteriori informazioni: WinHttpConnect: ServerName = ss****om, PORT = 443, UserName = , Password = , hSession = 0x00c74000, hConnect = 0x00c74100, Flags = 0x00000000
WinHttpConnect: ServerName = ss****om, PORT = 443, UserName = , Password = , hSession = 0x00c74300, hConnect = 0x00c74400, Flags = 0x00000000
Descrizione del comportamento: 打开HTTP连接
Per ulteriori informazioni: WinHttpOpen: UserAgent: Raptor Analytics/0.1 (Windows NT 5.1, WOW64), hSession = 0x00c74000
WinHttpOpen: UserAgent: Raptor Analytics/0.1 (Windows NT 5.1, WOW64), hSession = 0x00c74300
Descrizione del comportamento: 建立到一个指定的套接字连接
Per ulteriori informazioni: IP: **.0.0.**:1031, SOCKET = 0x00000698
IP: **.0.0.**:1032, SOCKET = 0x00000698
IP: **.0.0.**:1033, SOCKET = 0x00000698
IP: **.0.0.**:1034, SOCKET = 0x00000698
IP: **.0.0.**:1035, SOCKET = 0x00000698
IP: **.0.0.**:1036, SOCKET = 0x00000698
IP: **.0.0.**:1037, SOCKET = 0x00000698
IP: **.0.0.**:1038, SOCKET = 0x00000698
IP: **.0.0.**:1039, SOCKET = 0x00000698
IP: **.0.0.**:1040, SOCKET = 0x00000698
IP: **.0.0.**:1041, SOCKET = 0x00000698
IP: **.0.0.**:1042, SOCKET = 0x00000698
IP: **.0.0.**:1043, SOCKET = 0x00000698
IP: **.0.0.**:1044, SOCKET = 0x00000698
IP: **.0.0.**:1045, SOCKET = 0x00000698
Descrizione del comportamento: 打开HTTP请求
Per ulteriori informazioni: WinHttpOpenRequest: ss****om:443/collect, hConnect = 0x00c74100, hRequest = 0x040d0000, Verb: POST, Referer: , Flags = 0x00800000
WinHttpOpenRequest: ss****om:443/collect, hConnect = 0x00c74400, hRequest = 0x040d0400, Verb: POST, Referer: , Flags = 0x00800000
Descrizione del comportamento: 按名称获取主机地址
Per ulteriori informazioni: GetAddrInfoW: ss****om

Comportamento del registro

Descrizione del comportamento: 修改注册表
Per ulteriori informazioni: \REGISTRY\MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name
\REGISTRY\MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\ID
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019032820190329\CachePath
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019032820190329\CachePrefix
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019032820190329\CacheLimit
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019032820190329\CacheOptions
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019032820190329\CacheRepair
Descrizione del comportamento: 删除注册表键
Per ulteriori informazioni: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016091220160913\

Altro comportamento

Descrizione del comportamento: 获取光标位置
Per ulteriori informazioni: CursorPos = (80,18468), SleepMilliseconds = 60000.
CursorPos = (6373,26501), SleepMilliseconds = 60000.
CursorPos = (19208,15725), SleepMilliseconds = 60000.
CursorPos = (11517,29359), SleepMilliseconds = 60000.
CursorPos = (27001,24465), SleepMilliseconds = 60000.
CursorPos = (5744,28146), SleepMilliseconds = 60000.
CursorPos = (23320,16828), SleepMilliseconds = 60000.
CursorPos = (10000,492), SleepMilliseconds = 60000.
CursorPos = (3034,11943), SleepMilliseconds = 60000.
CursorPos = (4866,5437), SleepMilliseconds = 60000.
CursorPos = (32430,14605), SleepMilliseconds = 60000.
CursorPos = (3941,154), SleepMilliseconds = 60000.
CursorPos = (331,12383), SleepMilliseconds = 60000.
CursorPos = (17460,18717), SleepMilliseconds = 60000.
CursorPos = (19757,19896), SleepMilliseconds = 60000.
Descrizione del comportamento: 创建互斥体
Per ulteriori informazioni: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Local\!PrivacIE!SharedMemory!Mutex
uWall_Main_WndMutex
DDrawWindowListMutex
DDrawDriverObjectListMutex
__DDrawExclMode__
Descrizione del comportamento: 创建事件对象
Per ulteriori informazioni: EventName = Global\crypt32LogoffEvent
EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceiveConection.Event.MIL.IC
EventName = MSCTF.SendReceive.Event.MIL.IC
EventName = ShellCopyEngineRunning
EventName = ShellCopyEngineFinished
Descrizione del comportamento: 删除服务
Per ulteriori informazioni: [DeleteService] ServiceStartName: , DisplayName: uWall, BinaryPathName: \??\C:\WINDOWS\system32\drivers\uWall.sys
Descrizione del comportamento: 常规加载驱动
Per ulteriori informazioni: \??\C:\WINDOWS\system32\drivers\uWall.sys
Descrizione del comportamento: 查找指定窗口
Per ulteriori informazioni: NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Descrizione del comportamento: 启动系统服务
Per ulteriori informazioni: [服务启动成功]: , uWall, \??\C:\WINDOWS\system32\drivers\uWall.sys
Descrizione del comportamento: 窗口信息
Per ulteriori informazioni: Pid = 2952, Hwnd=0x10352, Text = 确定, ClassName = Button.
Pid = 2952, Hwnd=0x10356, Text = 驱动未就绪!, ClassName = Static.
Descrizione del comportamento: 获取TickCount值
Per ulteriori informazioni: TickCount = 278765, SleepMilliseconds = 60000.
TickCount = 278781, SleepMilliseconds = 60000.
TickCount = 278796, SleepMilliseconds = 60000.
TickCount = 278843, SleepMilliseconds = 60000.
TickCount = 278859, SleepMilliseconds = 60000.
TickCount = 278968, SleepMilliseconds = 60000.
TickCount = 279000, SleepMilliseconds = 60000.
TickCount = 279062, SleepMilliseconds = 60000.
TickCount = 279109, SleepMilliseconds = 60000.
TickCount = 279140, SleepMilliseconds = 60000.
TickCount = 281453, SleepMilliseconds = 60000.
TickCount = 281468, SleepMilliseconds = 60000.
TickCount = 281515, SleepMilliseconds = 60000.
TickCount = 281593, SleepMilliseconds = 60000.
TickCount = 281609, SleepMilliseconds = 60000.
Descrizione del comportamento: 调整进程token权限
Per ulteriori informazioni: SE_LOAD_DRIVER_PRIVILEGE
Descrizione del comportamento: 打开事件
Per ulteriori informazioni: HookSwitchHookEnabledEvent
MSFT.VSA.COM.DISABLE.2952
MSFT.VSA.IEC.STATUS.6c736db0
_fCanRegisterWithShellService
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\crypt32LogoffEvent
Global\SvcctrlStartEvent_A3752DX
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Descrizione del comportamento: 可执行文件签名信息
Per ulteriori informazioni: C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\plugins\uWallEB.dll(签名验证: 未通过)
Descrizione del comportamento: 调用Sleep函数
Per ulteriori informazioni: [1]: MilliSeconds = 60000.
[2]: MilliSeconds = 0.
[3]: MilliSeconds = 60000.
[4]: MilliSeconds = 0.
[5]: MilliSeconds = 60000.
[6]: MilliSeconds = 60000.
[7]: MilliSeconds = 60000.
[8]: MilliSeconds = 0.
[9]: MilliSeconds = 0.
[10]: MilliSeconds = 0.
Descrizione del comportamento: 隐藏指定窗口
Per ulteriori informazioni: [Window,Class] = [,Shell Embedding]
[Window,Class] = [,Internet Explorer_Server]
Descrizione del comportamento: 可执行文件MD5
Per ulteriori informazioni: C:\Documents and Settings\Administrator\Local Settings\Temp\EB000355E1\plugins\uWallEB.dll ---> 4e88183d0f32aa807b3432fd5b138931
Descrizione del comportamento: 打开互斥体
Per ulteriori informazioni: ShimCacheMutex
Local\WininetStartupMutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
Local\!IETld!Mutex
CtfmonInstMutexDefaultS-*
_!SHMSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!history!history.ie5!mshist012019032820190329!
Descrizione del comportamento: 创建系统服务
Per ulteriori informazioni: [服务创建成功]: uWall, C:\WINDOWS\system32\drivers\uWall.sys
Descrizione del comportamento: 加载新释放的文件
Per ulteriori informazioni: Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\EB000355E1\plugins\uWallEB.dll.