VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports Rar / Zip decompression, but the archive must contain fewer than 20 files.
3. VirSCAN will scan compressed files protected with the password 'infected' or 'virus'.


File information
Security rating: 60
Behavior list
Basic information
MD5: e06ce17511efa73c1169cff23c94806f
File type: EXE
Vendor:
Version: 15.11.11.19493---5.9.7.10890
Packer or compiler information: COMPILER:Microsoft Visual Studio .NET 2005 -- 2008 -> Microsoft Corporation [Overlay] *
Sub-file information: 办公网_20170505.reg / 2f33088774a423b4210a3dc889fd4a93 / Unknown
账户初始化配置工具.exe / 0c148bf234ce05fd0f7af20fbc405978 / EXE
生产网_20170106.reg / 51b482237ae497e66216a1f013c9fdb3 / Unknown
7zip关联.reg / e3cbd7f6c400cecb63475f2fec9ed112 / Unknown
输入法.reg / 558d144814e009336659fff679b202dd / Unknown
Key behaviors
Behavior description: Modify registry - install input-method entry
Details: \REGISTRY\USER\S-*\Keyboard Layout\Preload\2
\REGISTRY\USER\S-*\Keyboard Layout\Preload\3
Behavior description: Cross-process data write
Details: TargetProcess = C:\Users\Public\账户初始化配置工具.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000d18
TargetProcess = C:\Users\Public\账户初始化配置工具.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000d18
TargetProcess = C:\Users\Public\账户初始化配置工具.exe, WriteAddress = 0x7ffdb238, Size = 0x00000004 TargetPID = 0x00000d18
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000914
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000914
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x7ffdb238, Size = 0x00000004 TargetPID = 0x00000914
TargetProcess = C:\Windows\regedit.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000a84
TargetProcess = C:\Windows\regedit.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000a84
TargetProcess = C:\Windows\regedit.exe, WriteAddress = 0x7ffd5238, Size = 0x00000004 TargetPID = 0x00000a84
TargetProcess = C:\Windows\regedit.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x0000099c
TargetProcess = C:\Windows\regedit.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x0000099c
TargetProcess = C:\Windows\regedit.exe, WriteAddress = 0x7ffdf238, Size = 0x00000004 TargetPID = 0x0000099c
Behavior description: Read the CPU clock directly
Details: EAX = 0x8d2870a1, EDX = 0x0000039e
EAX = 0x8fdb701d, EDX = 0x0000039e
EAX = 0xbcbb42e7, EDX = 0x0000039e
EAX = 0xbf431270, EDX = 0x0000039e
EAX = 0xbf4312bc, EDX = 0x0000039e
EAX = 0xc1f61238, EDX = 0x0000039e
EAX = 0xc1f61284, EDX = 0x0000039e
EAX = 0xc1f612d0, EDX = 0x0000039e
EAX = 0xc1f6131c, EDX = 0x0000039e
EAX = 0xc1f61368, EDX = 0x0000039e
EAX = 0x00a622cf, EDX = 0x0000039f
EAX = 0x032df258, EDX = 0x0000039f
EAX = 0x2ad2f6b5, EDX = 0x0000039f
EAX = 0x3a836248, EDX = 0x0000039f
EAX = 0x3a836294, EDX = 0x0000039f
Behavior description: Self-deletion
Details: C:\Users\Administrator\AppData\Local\%temp%\b70c.exe
Behavior description: Get TickCount value
Details: TickCount = 1172082, SleepMilliseconds = 20.
TickCount = 1172098, SleepMilliseconds = 20.
TickCount = 1172098, SleepMilliseconds = 60000.
TickCount = 1232078, SleepMilliseconds = 60000.
Process behavior
Behavior description: Create process with hidden window
Details: ImagePath = C:\Windows\system32\cmd.exe, CmdLine = "C:\Windows\system32\cmd.exe" /c "C:\Users\Administrator\AppData\Local\Temp\HZ~E215.tmp.bat"
Behavior description: Cross-process data write
Details: TargetProcess = C:\Users\Public\账户初始化配置工具.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000d18
TargetProcess = C:\Users\Public\账户初始化配置工具.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000d18
TargetProcess = C:\Users\Public\账户初始化配置工具.exe, WriteAddress = 0x7ffdb238, Size = 0x00000004 TargetPID = 0x00000d18
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000914
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000914
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x7ffdb238, Size = 0x00000004 TargetPID = 0x00000914
TargetProcess = C:\Windows\regedit.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000a84
TargetProcess = C:\Windows\regedit.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000a84
TargetProcess = C:\Windows\regedit.exe, WriteAddress = 0x7ffd5238, Size = 0x00000004 TargetPID = 0x00000a84
TargetProcess = C:\Windows\regedit.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x0000099c
TargetProcess = C:\Windows\regedit.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x0000099c
TargetProcess = C:\Windows\regedit.exe, WriteAddress = 0x7ffdf238, Size = 0x00000004 TargetPID = 0x0000099c
Behavior description: Create process from newly created file
Details: [0x00000d18]ImagePath = C:\Users\Public\账户初始化配置工具.exe, CmdLine = "C:\Users\Public\账户初始化配置工具.exe"
Behavior description: Create process
Details: [0x00000914]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = "C:\Windows\system32\cmd.exe" /c "C:\Users\Administrator\AppData\Local\Temp\HZ~E215.tmp.bat"
[0x00000a84]ImagePath = C:\Windows\regedit.exe, CmdLine = "C:\Windows\regedit.exe" /s 7zip关联.reg
[0x0000099c]ImagePath = C:\Windows\regedit.exe, CmdLine = "C:\Windows\regedit.exe" /s 输入法.reg
File behavior
Behavior description: Create file
Details: C:\Users\Public\7zip关联.reg
C:\Users\Public\办公网_20170505.reg
C:\Users\Public\生产网_20170106.reg
C:\Users\Public\输入法.reg
C:\Users\Public\账户初始化配置工具.exe
C:\Users\Administrator\AppData\Local\Temp\HZ~E215.tmp
C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Users\Administrator\init.conf
Behavior description: Create executable file
Details: C:\Users\Public\账户初始化配置工具.exe
Behavior description: Modify script file
Details: C:\Users\Administrator\AppData\Local\Temp\HZ~E215.tmp.bat ---> Offset = 0
Behavior description: Search for file
Details: FileName = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe
FileName = C:\Users
FileName = C:\Users\Public
FileName = C:\Users\Public\*.*
FileName = C:\Users\ADMINI~1
FileName = C:\Users\ADMINI~1\AppData
FileName = C:\Users\ADMINI~1\AppData\Local
FileName = C:\Users\ADMINI~1\AppData\Local\Temp
FileName = C:\Windows
FileName = C:\Windows\system32
FileName = C:\Windows\system32\cmd.exe
FileName = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
FileName = C:\Windows\Microsoft.NET\Framework\\*
FileName = C:\Windows\WinSxS
FileName = C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
Behavior description: Delete file
Details: C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017110320171104\index.dat
Behavior description: Rename file
Details: C:\Users\Administrator\AppData\Local\Temp\HZ~E215.tmp ---> C:\Users\Administrator\AppData\Local\Temp\HZ~E215.tmp.bat
Behavior description: Modify file contents
Details: C:\Users\Public\7zip关联.reg ---> Offset = 0
C:\Users\Public\办公网_20170505.reg ---> Offset = 0
C:\Users\Public\生产网_20170106.reg ---> Offset = 0
C:\Users\Public\输入法.reg ---> Offset = 0
C:\Users\Public\账户初始化配置工具.exe ---> Offset = 0
C:\Users\Public\账户初始化配置工具.exe ---> Offset = 33276
Behavior description: Self-deletion
Details: C:\Users\Administrator\AppData\Local\%temp%\b70c.exe
Network behavior
Behavior description: Resolve host address by name
Details: GetAddrInfoW: a-PC
Registry behavior
Behavior description: Modify registry - install input-method entry
Details: \REGISTRY\USER\S-*\Keyboard Layout\Preload\2
\REGISTRY\USER\S-*\Keyboard Layout\Preload\3
Behavior description: Delete registry value
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
Behavior description: Modify registry
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-*\RefCount
\REGISTRY\USER\S-*\Software\Microsoft\GDIPlus\FontCachePath
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3A\AAF68885\LanguageList
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3A\AAF68885\@C:\Windows\regedit.exe,-309
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\Choyvp\账户初始化配置工具.rkr
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\zbavgbe\DD.rkr
\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\
\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\
\REGISTRY\MACHINE\SOFTWARE\Classes\.7z\
\REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.zip\
\REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.zip\DefaultIcon\
\REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.zip\shell\
\REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.zip\shell\open\
\REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.zip\shell\open\command\
\REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.rar\
Other behavior
Behavior description: Check whether the process is being debugged
Details: IsDebuggerPresent
Behavior description: Create mutex
Details: Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Global\.net clr networking
CDBurnNotify
Global\CDBurnExclusive
Behavior description: Hide specified window
Details: [Window,Class] = [,ComboLBox]
[Window,Class] = [好压自解压安装程序,#32770]
[Window,Class] = [C:\Windows\System32\%temp%\****.exe,ConsoleWindowClass]
Behavior description: Open mutex
Details: Local\MSCTF.Asm.MutexDefault1
Global\CLR_CASOFF_MUTEX
Global\.net clr networking
CDBurnNotify
Global\CDBurnExclusive
Behavior description: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [RegEdit_RegEdit,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Window information
Details: Pid = 3352, Hwnd=0x220158, Text = 外网, ClassName = WindowsForms10.STATIC.app.0.378734a.
Pid = 3352, Hwnd=0x17017a, Text = **.133.40.** , ClassName = WindowsForms10.STATIC.app.0.378734a.
Pid = 3352, Hwnd=0xb0216, Text = Administrator, ClassName = WindowsForms10.STATIC.app.0.378734a.
Pid = 3352, Hwnd=0x150138, Text = 开始初始化环境! 没有找到安装包C:\bak\Google Chrome\chrome45.exe 开始配置 7ZIP配置客户端软件 7ZIP配置软件配置完成! 开始配置 输入法配置客户端软件 输入法配置软件配置完成! 配置完成 , ClassName = WindowsForms10.EDIT.app.0.378734a.
Pid = 3352, Hwnd=0xf02dc, Text = 0天 0小时 18分钟 31秒 , ClassName = WindowsForms10.STATIC.app.0.378734a.
Pid = 3352, Hwnd=0xd0240, Text = 当前开机时间:, ClassName = WindowsForms10.STATIC.app.0.378734a.
Pid = 3352, Hwnd=0xb016a, Text = 搜狗五笔输入法, ClassName = WindowsForms10.BUTTON.app.0.378734a.
Pid = 3352, Hwnd=0xe0204, Text = 搜狗拼音输入法, ClassName = WindowsForms10.BUTTON.app.0.378734a.
Pid = 3352, Hwnd=0xc021c, Text = 中信银行账户初始化配置工具, ClassName = WindowsForms10.Window.8.app.0.378734a.
Pid = 3352, Hwnd=0xf02dc, Text = 0天 0小时 18分钟 34秒 , ClassName = WindowsForms10.STATIC.app.0.378734a.
Pid = 3352, Hwnd=0xf02dc, Text = 0天 0小时 18分钟 37秒 , ClassName = WindowsForms10.STATIC.app.0.378734a.
Pid = 3352, Hwnd=0xf02dc, Text = 0天 0小时 18分钟 40秒 , ClassName = WindowsForms10.STATIC.app.0.378734a.
Pid = 3352, Hwnd=0xf02dc, Text = 0天 0小时 18分钟 43秒 , ClassName = WindowsForms10.STATIC.app.0.378734a.
Pid = 3352, Hwnd=0xf02dc, Text = 0天 0小时 18分钟 46秒 , ClassName = WindowsForms10.STATIC.app.0.378734a.
Pid = 3352, Hwnd=0xf02dc, Text = 0天 0小时 18分钟 49秒 , ClassName = WindowsForms10.STATIC.app.0.378734a.
Behavior description: Get TickCount value
Details: TickCount = 1172082, SleepMilliseconds = 20.
TickCount = 1172098, SleepMilliseconds = 20.
TickCount = 1172098, SleepMilliseconds = 60000.
TickCount = 1232078, SleepMilliseconds = 60000.
Behavior description: Adjust process token privileges
Details: SE_INC_BASE_PRIORITY_PRIVILEGE
SE_SHUTDOWN_PRIVILEGE
Behavior description: Open event
Details: HookSwitchHookEnabledEvent
Local\MSCTF.CtfActivated.Default1
Local\MSCTF.AsmCacheReady.Default1
\KernelObjects\MaximumCommitCondition
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\CLR_PerfMon_StartEnumEvent
\KernelObjects\LowMemoryCondition
MSFT.VSA.COM.DISABLE.3352
MSFT.VSA.IEC.STATUS.6c736db0
Behavior description: Executable signature information
Details: C:\Users\Public\账户初始化配置工具.exe (signature verification: failed)
Behavior description: Call Sleep function
Details: [1]: MilliSeconds = -1.
[2]: MilliSeconds = 20.
[3]: MilliSeconds = 20.
Behavior description: Create event object
Details: EventName = Global\CorDBIPCSetupSyncEvent_3352
EventName = ConsoleEvent-0x00000218
Behavior description: Executable file MD5
Details: C:\Users\Public\账户初始化配置工具.exe ---> 0c148bf234ce05fd0f7af20fbc405978
Behavior description: Read the CPU clock directly
Details: EAX = 0x8d2870a1, EDX = 0x0000039e
EAX = 0x8fdb701d, EDX = 0x0000039e
EAX = 0xbcbb42e7, EDX = 0x0000039e
EAX = 0xbf431270, EDX = 0x0000039e
EAX = 0xbf4312bc, EDX = 0x0000039e
EAX = 0xc1f61238, EDX = 0x0000039e
EAX = 0xc1f61284, EDX = 0x0000039e
EAX = 0xc1f612d0, EDX = 0x0000039e
EAX = 0xc1f6131c, EDX = 0x0000039e
EAX = 0xc1f61368, EDX = 0x0000039e
EAX = 0x00a622cf, EDX = 0x0000039f
EAX = 0x032df258, EDX = 0x0000039f
EAX = 0x2ad2f6b5, EDX = 0x0000039f
EAX = 0x3a836248, EDX = 0x0000039f
EAX = 0x3a836294, EDX = 0x0000039f
Behavior description: Load newly dropped file
Details: Image: C:\Users\Public\账户初始化配置工具.exe.