VirSCAN

File information
Security score: 84
Basic information
MD5: 6d119ca6103a2ba49e54a1abc6b76a3a
File type: EXE
Publisher: 数游租号
Version: 1.2.1.3---1.2.1.3
Packer/compiler information: (none reported)
Sub-file information (filename / MD5 / type):
ShuyouClient.exe / b3d9749050853154f982beeb936169d4 / EXE
ShuyouEngine.exe / 9da0a4d5ddaf3f58cf1b17f6b73c3896 / EXE
CFLoginHelp.wav / 5310a9f2365e78d1ee88ed7d35d4c766 / Unknown
ZhwInput64.exe / 4322f3814ed9b5bff07c6b5d2838d617 / EXE
WebGame.exe / 17125093c14cb94a5dbd3abfdea476b4 / EXE
Getkey.dll / d2754cc49f17be41b098ec6bb815e59c / DLL
ShuyouGame.exe / 94a333a61dac4385d7b4163442af458f / EXE
ZhwInput32.exe / d3f5621a3474a11ecf0dfd3b1b8dc6ea / EXE
ZhwInput64.sys / 6f57406a0e928be1edf47a4f6dec0d05 / SYS
ProtectS.sys / de6fb06956fb607e5c4e12d83b1e3d8d / SYS
msvcr110.dll / 4ba25d2cbe1587a841dcfb8c8c4a6ea6 / DLL
TimeOut.wav / ebf167f50f31dcdfa667b7b97e54cec9 / Unknown
ProtectS.sys / 7225883d6340c41ef05f0f8e4509fc49 / SYS
msvcp110.dll / 3e29914113ec4b968ba5eb1f6d194a0a / DLL
NoMove.wav / 9a6a09e9b01019cff2db04bd404db301 / Unknown
processwork.dll / 0a4fa7a9ba969a805eb0603c7cfe3378 / DLL
modern-wizard.bmp / 1055d96346a57c81879f43ad50f68a48 / Unknown
InstallOptions.dll / 0dc0cc7a6d9db685bf05a7e5f3ea4781 / DLL
[NSIS].nsi / 4ce6c526cb7665ef81e2c0e8249554f2 / Unknown
Key behaviors
Behavior description: Get TickCount value
Details: TickCount = 5447578, SleepMilliseconds = 2000.
TickCount = 5447640, SleepMilliseconds = 2000.
TickCount = 5447671, SleepMilliseconds = 2000.
TickCount = 5447687, SleepMilliseconds = 2000.
TickCount = 5447718, SleepMilliseconds = 2000.
TickCount = 5447734, SleepMilliseconds = 2000.
TickCount = 5447750, SleepMilliseconds = 2000.
TickCount = 5447765, SleepMilliseconds = 2000.
TickCount = 5447781, SleepMilliseconds = 2000.
TickCount = 5448187, SleepMilliseconds = 2000.
TickCount = 5448203, SleepMilliseconds = 2000.
TickCount = 5449609, SleepMilliseconds = 2000.
TickCount = 5449687, SleepMilliseconds = 2000.
Process behaviors
Behavior description: Enumerate processes
Details: N/A
File behaviors
Behavior description: Create file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\nsx51.tmp
C:\Program Files\数游租号\uninst.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsq52.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsq52.tmp\processwork.dll
C:\WINDOWS\wininit.ini
Behavior description: Delete file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\nsx51.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsq52.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsq52.tmp\processwork.dll
Behavior description: Create executable file
Details: C:\Program Files\数游租号\uninst.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsq52.tmp\processwork.dll
Behavior description: Modify file contents
Details: C:\Program Files\数游租号\uninst.exe ---> Offset = 0
C:\Program Files\数游租号\uninst.exe ---> Offset = 101376
C:\Documents and Settings\Administrator\Local Settings\Temp\nsq52.tmp\processwork.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nsq52.tmp\processwork.dll ---> Offset = 30217
C:\Documents and Settings\Administrator\Local Settings\Temp\nsq52.tmp\processwork.dll ---> Offset = 62985
C:\Documents and Settings\Administrator\Local Settings\Temp\nsq52.tmp\processwork.dll ---> Offset = 64725
C:\Documents and Settings\Administrator\Local Settings\Temp\nsq52.tmp\processwork.dll ---> Offset = 97493
C:\WINDOWS\wininit.ini ---> Offset = 0
Behavior description: Search for file
Details: FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsq52.tmp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsq52.tmp\*.*
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsq52.tmp\processwork.dll.AmBackup2
Registry behaviors
Behavior description: Modify registry (pending file rename entry)
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Session Manager\PendingFileRenameOperations
Other behaviors
Behavior description: Create mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
Behavior description: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behavior description: Window information
Details: Pid = 3420, Hwnd=0x1b02b6, Text = 确定, ClassName = Button.
Pid = 3420, Hwnd=0x60380, Text = 请退出360安全卫士后重试。, ClassName = Static.
Pid = 3420, Hwnd=0x150342, Text = 数游租号 1.2.1.3 安装, ClassName = #32770.
Behavior description: Adjust process token privileges
Details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Open event
Details: HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000052
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000052
MSCTF.SendReceiveConection.Event.ELH.IC
MSCTF.SendReceive.Event.ELH.IC
Behavior description: Executable signature information
Details: C:\Program Files\数游租号\uninst.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsq52.tmp\processwork.dll (signature verification: failed)
Behavior description: Call Sleep function
Details: [1]: MilliSeconds = 2000.
Behavior description: Executable MD5
Details: C:\Program Files\数游租号\uninst.exe ---> eecf5ed8e52d6f862dc0d323f89f6760
C:\Documents and Settings\Administrator\Local Settings\Temp\nsq52.tmp\processwork.dll ---> 0a4fa7a9ba969a805eb0603c7cfe3378
Behavior description: Open mutex
Details: ShimCacheMutex
Behavior description: Load newly dropped file
Details: Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsq52.tmp\processwork.dll.