VirSCAN

File information
Safety rating: 50
Behavior list
Basic Information
MD5: 5388ceb10c6a3a39ff5910204c213316
File type: EXE
Production company:
Version: 11.7.9924.9266 (11, 7, 9924, 9266)
Shell or compiler information: PACKER: ASProtect v1.23 RC1 *
Key behavior
Behavior description: Cross-process data write
Details: TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x7c98149b, Size = 0x00000004 TargetPID = 0x000007d0
TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x00e40000, Size = 0x00000318 TargetPID = 0x000007d0
TargetProcess = C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x7c98149b, Size = 0x00000004 TargetPID = 0x00000b50
TargetProcess = C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x04cc0000, Size = 0x00000318 TargetPID = 0x00000b50
TargetProcess = C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x7c98149b, Size = 0x00000004 TargetPID = 0x00000b78
TargetProcess = C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x04600000, Size = 0x00000318 TargetPID = 0x00000b78
Behavior description: Create remote thread
Details: TargetProcess: explorer.exe, InheritedFromPID = 1932, ProcessID = 2000, ThreadID = 3252, StartAddress = 7C98149B, Parameter = 00000000
TargetProcess: iexplore.exe, InheritedFromPID = 2364, ProcessID = 2896, ThreadID = 3304, StartAddress = 7C98149B, Parameter = 00000000
TargetProcess: iexplore.exe, InheritedFromPID = 2896, ProcessID = 2936, ThreadID = 3312, StartAddress = 7C98149B, Parameter = 00000000
Behavior description: Modify another process's memory through a memory mapping
Details: TargetProcess = explorer.exe
TargetProcess = iexplore.exe
Behavior description: Set thread context
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
Behavior description: Get TickCount value
Details: TickCount = 243975, SleepMilliseconds = 100.
TickCount = 246865, SleepMilliseconds = 100.
Process behavior
Behavior description: Cross-process data write
Details: TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x7c98149b, Size = 0x00000004 TargetPID = 0x000007d0
TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x00e40000, Size = 0x00000318 TargetPID = 0x000007d0
TargetProcess = C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x7c98149b, Size = 0x00000004 TargetPID = 0x00000b50
TargetProcess = C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x04cc0000, Size = 0x00000318 TargetPID = 0x00000b50
TargetProcess = C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x7c98149b, Size = 0x00000004 TargetPID = 0x00000b78
TargetProcess = C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x04600000, Size = 0x00000318 TargetPID = 0x00000b78
Behavior description: Create local thread
Details: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2656, ThreadID = 3180, StartAddress = 00401034, Parameter = 0012FDC0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2656, ThreadID = 3184, StartAddress = 004010FB, Parameter = 0012FDC0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2656, ThreadID = 3248, StartAddress = 01E9105B, Parameter = 01E97570
Behavior description: Create remote thread
Details: TargetProcess: explorer.exe, InheritedFromPID = 1932, ProcessID = 2000, ThreadID = 3252, StartAddress = 7C98149B, Parameter = 00000000
TargetProcess: iexplore.exe, InheritedFromPID = 2364, ProcessID = 2896, ThreadID = 3304, StartAddress = 7C98149B, Parameter = 00000000
TargetProcess: iexplore.exe, InheritedFromPID = 2896, ProcessID = 2936, ThreadID = 3312, StartAddress = 7C98149B, Parameter = 00000000
Behavior description: Set thread context
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
Behavior description: Enumerate processes
Details: N/A
Behavior description: Modify another process's memory through a memory mapping
Details: TargetProcess = explorer.exe
TargetProcess = iexplore.exe
File behavior
Behavior description: Create file
Details: C:\Documents and Settings\Administrator\Application Data\Microsoft\Appm9_25\aaclm700.exe
Behavior description: Modify file contents
Details: C:\Documents and Settings\Administrator\Application Data\Microsoft\Appm9_25\aaclm700.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Microsoft\Appm9_25\aaclm700.exe ---> Offset = 4096
Behavior description: Search for file
Details: FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\aspr_keys.ini
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aspr_keys.ini
FileName = C:\WINDOWS\system32\*.dll
Registry behavior
Behavior description: Modify registry: delayed file rename entry
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Session Manager\PendingFileRenameOperations
Other behavior
Behavior description: Check whether it is being debugged
Details: IsDebuggerPresent
Behavior description: Create mutex
Details: oleacc-msaa-loaded
{E03EB370-BF64-122B-4914-63668D8847FA}
{606C98C9-3FB4-9234-C994-E3E60D08C77A}
{685E90CD-A72E-DADB-711C-CBAE35102FC2}
Behavior description: Create event object
Details: EventName = Local\{A19253DD-8C8B-7BD1-9E65-80DFB269B483}
Behavior description: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [ProgMan,]
Behavior description: Open event
Details: HookSwitchHookEnabledEvent
Behavior description: Search for kernel32.dll base address
Details: Instruction Address = 0x0052973c
Behavior description: Get cursor position
Details: CursorPos = (80,18468), SleepMilliseconds = 100.
CursorPos = (6373,26501), SleepMilliseconds = 100.
CursorPos = (19208,15725), SleepMilliseconds = 100.
CursorPos = (11517,29359), SleepMilliseconds = 100.
CursorPos = (27001,24465), SleepMilliseconds = 100.
CursorPos = (5744,28146), SleepMilliseconds = 100.
Behavior description: Enumerate windows
Details: N/A
Behavior description: Call Sleep function
Details: [1]: MilliSeconds = 100.
[2]: MilliSeconds = 100.
[3]: MilliSeconds = 100.
[4]: MilliSeconds = 100.
[5]: MilliSeconds = 100.
[6]: MilliSeconds = 100.
[7]: MilliSeconds = 100.
[8]: MilliSeconds = 100.
[9]: MilliSeconds = 100.
[10]: MilliSeconds = 100.
Behavior description: Get TickCount value
Details: TickCount = 243975, SleepMilliseconds = 100.
TickCount = 246865, SleepMilliseconds = 100.
Run screenshot