VirSCAN

File information
Safety rating: 76
Behavior list
Basic Information
MD5: 10e3bbee13c14233822a4f3815bb4e15
File type: EXE
Production company: BY DH
Version: 3.1.0.0---3.1.0.0
Shell or compiler information: PACKER: ASPack 2.12 -> Alexey Solodovnikov
Key behavior
Behavior description: Directly calls critical system APIs
Details: Index = 0x000000A3, Name: NtQueryObject, Instruction Address = 0x00FC1005
Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x00FC0818
Index = 0x00000042, Name: NtDeviceIoControlFile, Instruction Address = 0x00FC07CD
Index = 0x000000A3, Name: NtQueryObject, Instruction Address = 0x00FC0FF8
Index = 0x00000025, Name: NtCreateFile, Instruction Address = 0x00FC1405
Behavior description: Sets special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\IETldCache
Behavior description: Reads the CPU clock directly
Details: EAX = 0x52667824, EDX = 0x000000b9
EAX = 0x52667870, EDX = 0x000000b9
EAX = 0x526678bc, EDX = 0x000000b9
EAX = 0x52667908, EDX = 0x000000b9
EAX = 0x52667954, EDX = 0x000000b9
EAX = 0x526679a0, EDX = 0x000000b9
EAX = 0x5519791c, EDX = 0x000000b9
EAX = 0x55197968, EDX = 0x000000b9
EAX = 0x551979b4, EDX = 0x000000b9
EAX = 0x55197a00, EDX = 0x000000b9
Behavior description: Captures window screenshot information
Details: Foreground window Info: HWND = 0x0001035e, DC = 0x01010057.
Foreground window Info: HWND = 0x0001038c, DC = 0x0a010375.
Foreground window Info: HWND = 0x0001038e, DC = 0x0a010375.
Foreground window Info: HWND = 0x00010392, DC = 0x01010057.
Foreground window Info: HWND = 0x0001035e, DC = 0x0a010375.
Behavior description: Gets TickCount value
Details: TickCount = 283421, SleepMilliseconds = 60000.
TickCount = 283437, SleepMilliseconds = 60000.
TickCount = 283453, SleepMilliseconds = 60000.
TickCount = 283468, SleepMilliseconds = 60000.
Process behavior
Behavior description: Creates local threads
Details: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2704, ThreadID = 2828, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2704, ThreadID = 2848, StartAddress = 77C0A341, Parameter = 022669A8
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2704, ThreadID = 2852, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2704, ThreadID = 2856, StartAddress = 77E56C7D, Parameter = 0109B1A8
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2704, ThreadID = 2860, StartAddress = 769AE43B, Parameter = 0109EFE8
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2704, ThreadID = 2948, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2704, ThreadID = 2952, StartAddress = 7C930230, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2704, ThreadID = 2980, StartAddress = 7C949B6F, Parameter = 00000000
File behavior
Behavior description: Creates files
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\evb3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\evb4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\evb5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\evb6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ip138_com[1]
Behavior description: Creates executable files
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\evb4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\evb5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\evb6.tmp
Behavior description: Overwrites existing files
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\evb3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\evb4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\evb5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\evb6.tmp
Behavior description: Searches for files
Details: FileName = c:\documents and settings
FileName = c:\Documents and Settings\administrator
FileName = c:\Documents and Settings\Administrator\local settings
FileName = c:\Documents and Settings\Administrator\Local Settings\temp
FileName = c:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = c:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
FileName = c:\windows
FileName = c:\WINDOWS\system32
FileName = c:\docume~1
FileName = c:\Documents and Settings\admini~1
FileName = c:\Documents and Settings\Administrator\locals~1
FileName = c:\Documents and Settings\Administrator\my documents
FileName = c:\Documents and Settings\all users
FileName = c:\Documents and Settings\All Users\documents
FileName = c:\program files
Behavior description: Deletes files
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\evb4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\evb5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\evb6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ip138_com[1]
Behavior description: Modifies file contents
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\evb4.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\evb5.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\evb6.tmp ---> Offset = 0
Network behavior
Behavior description: Connects to specified sites
Details: InternetConnectA: ServerName = ww****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
InternetConnectA: ServerName = i****n, PORT = 443, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
Behavior description: Opens HTTP connections
Details: WinHttpOpen: UserAgent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2), hSession = 0x01ee4000
WinHttpOpen: UserAgent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2), hSession = 0x01ee4100
InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1), hSession = 0x00cc0004
Behavior description: Establishes a socket connection to a specified host
Details: URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x000003f8
URL: i****n, IP: **.133.40.**:443, SOCKET = 0x0000041c
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x0000041c
Behavior description: Reads network files
Details: hFile = 0x00cc000c, BytesToRead = 1024, BytesRead = 1024.
Behavior description: Sends HTTP packets
Details: GET / HTTP/1.1 Accept: */* Referer: http://www.ip138.com Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: ww****om Cache-Control: no-cache
Behavior description: Opens HTTP requests
Details: HttpOpenRequestA: ww****om:80/, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x80004010
HttpOpenRequestA: i****n:443/, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x80800010
Behavior description: Resolves host addresses by name
Details: GetAddrInfoW: ww****om
GetAddrInfoW: i****n
Registry behavior
Behavior description: Modifies the registry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Multimedia\DrawDib\vga.drv 1920x973x32(BGR 0)
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Behavior description: Deletes registry values
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Other behavior
Behavior description: Creates mutexes
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
MSCTF.Shared.MUTEX.EJK
RasPbFile
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Local\c:!documents and settings!administrator!ietldcache!
Behavior description: Creates event objects
Details: EventName = EVB_2D2435BC235280B1_00000A90
EventName = DINPUTWINMM
EventName = DEsdfssso2920HUHBghyGDF4532222DFrgrRfRfGrF
EventName = MSCTF.SendReceive.Event.EJK.IC
EventName = MSCTF.SendReceiveConection.Event.EJK.IC
EventName = Global\userenv: User Profile setup event
EventName = Global\crypt32LogoffEvent
Behavior description: Opens mutexes
Details: ShimCacheMutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
Local\!IETld!Mutex
Local\c:!documents and settings!administrator!ietldcache!
Behavior description: Finds specified windows
Details: NtUserFindWindowEx: [Class,Window] = [,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Opens events
Details: HookSwitchHookEnabledEvent
MSFT.VSA.COM.DISABLE.2704
MSFT.VSA.IEC.STATUS.6c736db0
DEsdfssso2920HUHBghyGDF4532222DFrgrRfRfGrF
CTF.ThreadMIConnectionEvent.000007E8.00000000.0000000F
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.0000000F
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
\INSTALLATION_SECURITY_HOLD
Global\crypt32LogoffEvent
Behavior description: Window information
Details: Pid = 2704, Hwnd=0x10392, Text = [使用说明]或[支持作者], ClassName = Button.
Pid = 2704, Hwnd=0x1038e, Text = 关闭(28), ClassName = Button.
Pid = 2704, Hwnd=0x1038c, Text = 不再显示本窗口, ClassName = Button(CheckBox).
Pid = 2704, Hwnd=0x1038a, Text = 先看使用说明! 先看使用说明! 先看使用说明! 支持才能更新! 支持才能更新! 支持才能更新! 反馈要带链接! 反馈要带链接! 反馈要带链接! , ClassName = _EL_Label.
Pid = 2704, Hwnd=0x10388, Text = 0、本程序部分功能不支持XP系统且数据不与2.x版本通用! 1、使用本程序不需要登录百度账号,属于游客(匿名)方式解析 2、解析原理是模拟网页访问操作,出现解析失败很正常 3、经常解析失败的,可以尝试使用代理进行解析 4、本程序只能解析百度云的分享链接(解析原理限制) 5、本程序解析出来的下载地址仍然受百度服务器控制 6、若解析到的是高速链接,或者本资源热度高,下载速度就快 7、解析出的下载地址不是长期有效的,超过一定时间需重解析 8、内置Aria2c下载工具,线程, ClassName = _EL_Label.
Pid = 2704, Hwnd=0x10386, Text = 重要说明, ClassName = _EL_Label.
Pid = 2704, Hwnd=0x10384, Text = V3.x版本, ClassName = WTWindow.
Pid = 2704, Hwnd=0x1037a, Text = 正在进行初始化处理..., ClassName = _EL_Label.
Pid = 2704, Hwnd=0x10372, Text = PanD解析下载器3.1 BY DH --永久免费 [菜单]-[关于我们]-使用说明, ClassName = _EL_Label.
Pid = 2704, Hwnd=0x1036a, Text = 批量复制, ClassName = Button.
Pid = 2704, Hwnd=0x10366, Text = 批量下载, ClassName = Button.
Pid = 2704, Hwnd=0x10362, Text = 信息查看, ClassName = Button.
Pid = 2704, Hwnd=0x10360, Text = 删, ClassName = Button.
Pid = 2704, Hwnd=0x1035c, Text = 下载操作, ClassName = Button.
Pid = 2704, Hwnd=0x1035a, Text = 复制地址, ClassName = Button.
Behavior description: Executable signature information
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\evb4.tmp (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\evb5.tmp (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\evb6.tmp (signature verification: failed)
Behavior description: Calls the Sleep function
Details: [1]: MilliSeconds = 60000.
Behavior description: Hides specified windows
Details: [Window,Class] = [复制地址,Button]
[Window,Class] = [下载操作,Button]
[Window,Class] = [删,Button]
[Window,Class] = [信息查看,Button]
[Window,Class] = [,_EL_Timer]
Behavior description: Executable file MD5
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\evb4.tmp ---> f255e834356af487df1c7cc0e25236aa
C:\Documents and Settings\Administrator\Local Settings\Temp\evb5.tmp ---> fe85f5ac019d9f79135693bacf58426b
C:\Documents and Settings\Administrator\Local Settings\Temp\evb6.tmp ---> a60148e78b8b8d9ca4ffc9777ac5c209
Behavior description: Loads newly dropped files
Details: Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\evb4.tmp.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\evb5.tmp.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\evb6.tmp.
Run screenshot