VirSCAN

File information
Security score: 40
Basic information
MD5: 67202cc7fbf42540409c32b2f5e1d9ff
File type: EXE
Vendor:
Version:
Packer or compiler info: PACKER:UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
Sub-file information: upx_c_9bc0e9e4dumpFile / 737b3ea15ea3003649170f15caeff1df / EXE
Key behaviors
Behavior: Get TickCount value
Details: TickCount = 217687, SleepMilliseconds = 500.
TickCount = 217703, SleepMilliseconds = 500.
TickCount = 217734, SleepMilliseconds = 500.
TickCount = 2017562, SleepMilliseconds = 1800000.
TickCount = 2017593, SleepMilliseconds = 1800000.
TickCount = 222700, SleepMilliseconds = 200.
TickCount = 222715, SleepMilliseconds = 200.
TickCount = 228075, SleepMilliseconds = 200.
TickCount = 228090, SleepMilliseconds = 200.
TickCount = 228106, SleepMilliseconds = 200.
TickCount = 233450, SleepMilliseconds = 200.
TickCount = 238793, SleepMilliseconds = 200.
TickCount = 244121, SleepMilliseconds = 200.
TickCount = 244137, SleepMilliseconds = 200.
TickCount = 244153, SleepMilliseconds = 200.
Process behaviors
Behavior: Create process with hidden window
Details: ImagePath = , CmdLine = at \\**.133.40.** 3:30 admin$\
ImagePath = , CmdLine = at \\**.133.40.** 3:31 admin$\
Behavior: Create process
Details: [0x00000ad0]ImagePath = C:\WINDOWS\system32\at.exe, CmdLine = at \\**.133.40.** 3:30 admin$\
[0x00000b60]ImagePath = C:\WINDOWS\system32\at.exe, CmdLine = at \\**.133.40.** 3:31 admin$\
[0x00000c0c]ImagePath = C:\WINDOWS\system32\at.exe, CmdLine = at \\**.133.40.** 3:31 admin$\
[0x00000c98]ImagePath = C:\WINDOWS\system32\at.exe, CmdLine = at \\**.133.40.** 3:31 admin$\
[0x00000ce4]ImagePath = C:\WINDOWS\system32\at.exe, CmdLine = at \\**.133.40.** 3:31 admin$\
[0x00000d44]ImagePath = C:\WINDOWS\system32\at.exe, CmdLine = at \\**.133.40.** 3:31 admin$\
[0x00000d90]ImagePath = C:\WINDOWS\system32\at.exe, CmdLine = at \\**.133.40.** 3:31 admin$\
[0x00000dd8]ImagePath = C:\WINDOWS\system32\at.exe, CmdLine = at \\**.133.40.** 3:31 admin$\
Behavior: Create local thread
Details: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2704, ThreadID = 2716, StartAddress = 004036E5, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2704, ThreadID = 2720, StartAddress = 00405A9E, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2704, ThreadID = 2724, StartAddress = 00404A32, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2704, ThreadID = 2728, StartAddress = 0040527E, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2704, ThreadID = 2900, StartAddress = 0040527E, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2704, ThreadID = 3072, StartAddress = 0040527E, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2704, ThreadID = 3212, StartAddress = 0040527E, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2704, ThreadID = 3288, StartAddress = 0040527E, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2704, ThreadID = 3404, StartAddress = 0040527E, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2704, ThreadID = 3480, StartAddress = 0040527E, Parameter = 00000000
File behaviors
Behavior: Create file
Details: C:\WINDOWS\system32\%temp%\****.exe
Behavior: Create executable file
Details: C:\WINDOWS\system32\%temp%\****.exe
Behavior: Overwrite existing file
Details: C:\WINDOWS\system32\%temp%\****.exe
Behavior: Find file
Details: FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\at.exe
Behavior: Copy file
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe ---> \\**.133.40.**\admin$\g1fd.exe
Behavior: Modify file contents
Details: C:\WINDOWS\system32\%temp%\****.exe ---> Offset = 0
C:\WINDOWS\system32\%temp%\****.exe ---> Offset = 4096
C:\WINDOWS\system32\%temp%\****.exe ---> Offset = 8192
C:\WINDOWS\system32\%temp%\****.exe ---> Offset = 12288
Network behaviors
Behavior: Establish connection to a specified socket
Details: IP: **.0.22.**:8080, SOCKET = 0x000000e8
URL: yk****om, IP: **.133.40.**:8090, SOCKET = 0x00000108
URL: yk****om, IP: **.133.40.**:8090, SOCKET = 0x00000128
URL: yk****om, IP: **.133.40.**:8090, SOCKET = 0x0000012c
URL: yk****om, IP: **.133.40.**:8090, SOCKET = 0x00000118
URL: yk****om, IP: **.133.40.**:8090, SOCKET = 0x0000011c
Behavior: Get host address by name
Details: gethostbyname: computer
DnsQuery_W: 1.110.110.110.in-addr.arpa.
gethostbyname: yk****om
DnsQuery_W: 2.110.110.110.in-addr.arpa.
DnsQuery_W: 3.110.110.110.in-addr.arpa.
DnsQuery_W: 4.110.110.110.in-addr.arpa.
DnsQuery_W: 5.110.110.110.in-addr.arpa.
DnsQuery_W: 6.110.110.110.in-addr.arpa.
DnsQuery_W: 7.110.110.110.in-addr.arpa.
DnsQuery_W: 8.110.110.110.in-addr.arpa.
Other behaviors
Behavior: Create mutex
Details: 121212
Mnopqr Tuvwxyab Def
Behavior: Get TickCount value
Details: TickCount = 217687, SleepMilliseconds = 500.
TickCount = 217703, SleepMilliseconds = 500.
TickCount = 217734, SleepMilliseconds = 500.
TickCount = 2017562, SleepMilliseconds = 1800000.
TickCount = 2017593, SleepMilliseconds = 1800000.
TickCount = 222700, SleepMilliseconds = 200.
TickCount = 222715, SleepMilliseconds = 200.
TickCount = 228075, SleepMilliseconds = 200.
TickCount = 228090, SleepMilliseconds = 200.
TickCount = 228106, SleepMilliseconds = 200.
TickCount = 233450, SleepMilliseconds = 200.
TickCount = 238793, SleepMilliseconds = 200.
TickCount = 244121, SleepMilliseconds = 200.
TickCount = 244137, SleepMilliseconds = 200.
TickCount = 244153, SleepMilliseconds = 200.
Behavior: Open event
Details: HookSwitchHookEnabledEvent
Global\SvcctrlStartEvent_A3752DX
Behavior: Executable file signature information
Details: C:\WINDOWS\system32\%temp%\****.exe (signature verification: failed)
Behavior: Call Sleep function
Details: [1]: MilliSeconds = 500.
[2]: MilliSeconds = 500.
[3]: MilliSeconds = 200.
[4]: MilliSeconds = 200.
[5]: MilliSeconds = 1800000.
[6]: MilliSeconds = 2000.
[7]: MilliSeconds = 200.
[8]: MilliSeconds = 200.
[9]: MilliSeconds = 200.
[10]: MilliSeconds = 200.
Behavior: Executable file MD5
Details: C:\WINDOWS\system32\%temp%\****.exe ---> 67202cc7fbf42540409c32b2f5e1d9ff
Behavior: Open mutex
Details: ShimCacheMutex
Runtime screenshot