VirSCAN


File information
Safety rating: 73
Behavior list
Basic Information
MD5: 5496425c3e1d6f621d30bd3b2aad7d1f
File type: zip
Production company:
Version:
Shell or compiler information: COMPILER: .NET executable -> Microsoft *
Subfile information: 12306Bypass.exe / 9b1b10e4e34f44c3d64ccdc15684d3f5 / EXE
CrackCaptchaAPI.dll / 6ee8c5d233806eb365bb4dcfd33f4113 / DLL
BypassRuntm.dll / ee94b27481462fa0997f6ed1f72b497b / DLL
打不开的请安装.exe / 53406e9988306cbd4537677c5336aba4 / EXE
12306Bypass.exe.config / d6236e9442c4bcda4424eb717a77b326 / Unknown
使用须知.txt / bdd9bb89d9dff544907ab38848492f59 / Unknown
CrackCaptcha.log / cc2154bdf7d43e6540cd019b042ecbea / Unknown
Key behavior
Behavior description: Read CPU clock directly
details: EAX = 0xb053aec6, EDX = 0x000000b6
EAX = 0xb053af12, EDX = 0x000000b6
EAX = 0xb053af5e, EDX = 0x000000b6
EAX = 0xb053afaa, EDX = 0x000000b6
EAX = 0xb2db7f33, EDX = 0x000000b6
EAX = 0xc02f4b7c, EDX = 0x000000b6
EAX = 0xcfdfb70f, EDX = 0x000000b6
EAX = 0xcfdfb75b, EDX = 0x000000b6
EAX = 0xcfdfb7a7, EDX = 0x000000b6
EAX = 0xcfdfb7f3, EDX = 0x000000b6
Behavior description: Get TickCount value
details: TickCount = 283187, SleepMilliseconds = 60000.
TickCount = 283203, SleepMilliseconds = 60000.
TickCount = 283656, SleepMilliseconds = 60000.
TickCount = 283671, SleepMilliseconds = 60000.
TickCount = 283796, SleepMilliseconds = 60000.
TickCount = 283812, SleepMilliseconds = 60000.
TickCount = 283828, SleepMilliseconds = 60000.
TickCount = 284109, SleepMilliseconds = 60000.
TickCount = 284187, SleepMilliseconds = 60000.
TickCount = 284234, SleepMilliseconds = 60000.
TickCount = 284250, SleepMilliseconds = 60000.
TickCount = 284265, SleepMilliseconds = 60000.
TickCount = 284281, SleepMilliseconds = 60000.
TickCount = 284343, SleepMilliseconds = 60000.
TickCount = 284359, SleepMilliseconds = 60000.
Process behavior
Behavior description: Create process with hidden window
details: ImagePath = , CmdLine = "cmd.exe"
Behavior description: Create process
details: [0x00000c68]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = "cmd.exe"
[0x00000c70]ImagePath = C:\WINDOWS\system32\ipconfig.exe, CmdLine = ipconfig /flushdns
Behavior description: Create local thread
details: TargetProcess: 12306Bypass.exe, InheritedFromPID = 2000, ProcessID = 2944, ThreadID = 2956, StartAddress = 792A741C, Parameter = 00000000
TargetProcess: 12306Bypass.exe, InheritedFromPID = 2000, ProcessID = 2944, ThreadID = 2960, StartAddress = 791F59C0, Parameter = 001B01B8
TargetProcess: 12306Bypass.exe, InheritedFromPID = 2000, ProcessID = 2944, ThreadID = 2964, StartAddress = 6001C90E, Parameter = 03773C28
TargetProcess: 12306Bypass.exe, InheritedFromPID = 2000, ProcessID = 2944, ThreadID = 2968, StartAddress = 6001C90E, Parameter = 03773E48
TargetProcess: 12306Bypass.exe, InheritedFromPID = 2000, ProcessID = 2944, ThreadID = 3104, StartAddress = 7C949B6F, Parameter = 00000000
TargetProcess: 12306Bypass.exe, InheritedFromPID = 2000, ProcessID = 2944, ThreadID = 3108, StartAddress = 759D8761, Parameter = 00000000
TargetProcess: 12306Bypass.exe, InheritedFromPID = 2000, ProcessID = 2944, ThreadID = 3112, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: 12306Bypass.exe, InheritedFromPID = 2000, ProcessID = 2944, ThreadID = 3116, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: 12306Bypass.exe, InheritedFromPID = 2000, ProcessID = 2944, ThreadID = 3120, StartAddress = 77E56C7D, Parameter = 0022E790
TargetProcess: 12306Bypass.exe, InheritedFromPID = 2000, ProcessID = 2944, ThreadID = 3124, StartAddress = 769AE43B, Parameter = 0026B438
TargetProcess: 12306Bypass.exe, InheritedFromPID = 2000, ProcessID = 2944, ThreadID = 3152, StartAddress = 791F59C0, Parameter = 00229CC8
TargetProcess: 12306Bypass.exe, InheritedFromPID = 2000, ProcessID = 2944, ThreadID = 3156, StartAddress = 791F59C0, Parameter = 001E8B20
TargetProcess: 12306Bypass.exe, InheritedFromPID = 2000, ProcessID = 2944, ThreadID = 3360, StartAddress = 791F59C0, Parameter = 001E8F00
TargetProcess: 12306Bypass.exe, InheritedFromPID = 2000, ProcessID = 2944, ThreadID = 3376, StartAddress = 791F59C0, Parameter = 002319D0
TargetProcess: 12306Bypass.exe, InheritedFromPID = 2000, ProcessID = 2944, ThreadID = 3380, StartAddress = 74E53861, Parameter = 0570F38C
Behavior description: Enumerate processes
details: N/A
File behavior
Behavior description: Overwrite existing file
details: C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
Behavior description: Search for file
details: FileName = C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
FileName = C:\WINDOWS\Microsoft.NET\Framework\\*
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.INI
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\12306Bypass
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\12306Bypass\12306Bypass.exe
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\12306Bypass\12306Bypass.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.INI
Network behavior
Behavior description: Establish connection to a specified socket
details: URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x000002bc
URL: ky****cn, IP: **.133.40.**:443, SOCKET = 0x000002f0
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x000002f0
URL: ky****cn, IP: **.133.40.**:443, SOCKET = 0x00000408
Behavior description: Send HTTP packet
details: POST /General.ashx HTTP/1.1 Accept: */* Accept-Language: zh-CN Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Host: ww****om Content-Length: 70 Connection: Close
GET /js/station_name.js HTTP/1.1 Accept: */* Accept-Language: zh-CN Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: ww****om Connection: Close
Behavior description: Resolve host address by name
details: gethostbyname: ww****om
GetAddrInfoW: ky****cn
Registry behavior
Behavior description: Modify registry
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AE3F2E66D48FC6BD1DF131E89D768D505DF14302\Blob
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\12306Bypass.exe
Behavior description: Delete registry value
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AE3F2E66D48FC6BD1DF131E89D768D505DF14302
Other behavior
Behavior description: Get cursor position
details: CursorPos = (80,18468), SleepMilliseconds = 60000.
CursorPos = (6373,26501), SleepMilliseconds = 60000.
CursorPos = (19208,15725), SleepMilliseconds = 60000.
CursorPos = (11517,29359), SleepMilliseconds = 60000.
CursorPos = (27001,24465), SleepMilliseconds = 60000.
CursorPos = (5744,28146), SleepMilliseconds = 60000.
CursorPos = (23320,16828), SleepMilliseconds = 60000.
CursorPos = (10000,492), SleepMilliseconds = 60000.
CursorPos = (3034,11943), SleepMilliseconds = 60000.
CursorPos = (4866,5437), SleepMilliseconds = 60000.
CursorPos = (32430,14605), SleepMilliseconds = 60000.
CursorPos = (3941,154), SleepMilliseconds = 60000.
CursorPos = (331,12383), SleepMilliseconds = 60000.
CursorPos = (17460,18717), SleepMilliseconds = 60000.
CursorPos = (19757,19896), SleepMilliseconds = 60000.
Behavior description: Create mutex
details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
RasPbFile
MSCTF.Shared.MUTEX.IOH
MSCTF.Shared.MUTEX.EIL
Behavior description: Create event object
details: EventName = Global\CPFATE_2944_v4.0.30319
EventName = Global\crypt32LogoffEvent
EventName = Global\userenv: User Profile setup event
EventName = DINPUTWINMM
EventName = MSCTF.SendReceive.Event.EIL.IC
EventName = MSCTF.SendReceiveConection.Event.EIL.IC
Behavior description: Check whether it is being debugged
details: IsDebuggerPresent
Behavior description: Open mutex
details: ShimCacheMutex
Local\!IETld!Mutex
RasPbFile
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Window information
details: Pid = 2944, Hwnd=0x10354, Text = 正在联网检测更新 >>, ClassName = WindowsForms10.STATIC.app.0.141b42a_r19_ad1.
Pid = 2944, Hwnd=0x10350, Text = 使用须知, ClassName = WindowsForms10.Window.8.app.0.141b42a_r19_ad1.
Pid = 2944, Hwnd=0x10354, Text = 正在下载站点数据 >>, ClassName = WindowsForms10.STATIC.app.0.141b42a_r19_ad1.
Pid = 2944, Hwnd=0x10354, Text = 加载完毕,正在启动 >>, ClassName = WindowsForms10.STATIC.app.0.141b42a_r19_ad1.
Pid = 2944, Hwnd=0x104da, Text = 更多功能, ClassName = WindowsForms10.STATIC.app.0.141b42a_r19_ad1.
Pid = 2944, Hwnd=0x104dc, Text = 默认分配的服务器, ClassName = WindowsForms10.COMBOBOX.app.0.141b42a_r19_ad1.
Pid = 2944, Hwnd=0x104e0, Text = 服务器:, ClassName = WindowsForms10.STATIC.app.0.141b42a_r19_ad1.
Pid = 2944, Hwnd=0x104e2, Text = 用户名, ClassName = WindowsForms10.COMBOBOX.app.0.141b42a_r19_ad1.
Pid = 2944, Hwnd=0x104e6, Text = 用户名, ClassName = Edit.
Pid = 2944, Hwnd=0x104ea, Text = 登录, ClassName = WindowsForms10.BUTTON.app.0.141b42a_r19_ad1.
Pid = 2944, Hwnd=0x104ec, Text = 密 码:, ClassName = WindowsForms10.STATIC.app.0.141b42a_r19_ad1.
Pid = 2944, Hwnd=0x104ee, Text = 用户名:, ClassName = WindowsForms10.STATIC.app.0.141b42a_r19_ad1.
Pid = 2944, Hwnd=0x104d4, Text = 12306登录, ClassName = WindowsForms10.Window.8.app.0.141b42a_r19_ad1.
Behavior description: Get TickCount value
details: TickCount = 283187, SleepMilliseconds = 60000.
TickCount = 283203, SleepMilliseconds = 60000.
TickCount = 283656, SleepMilliseconds = 60000.
TickCount = 283671, SleepMilliseconds = 60000.
TickCount = 283796, SleepMilliseconds = 60000.
TickCount = 283812, SleepMilliseconds = 60000.
TickCount = 283828, SleepMilliseconds = 60000.
TickCount = 284109, SleepMilliseconds = 60000.
TickCount = 284187, SleepMilliseconds = 60000.
TickCount = 284234, SleepMilliseconds = 60000.
TickCount = 284250, SleepMilliseconds = 60000.
TickCount = 284265, SleepMilliseconds = 60000.
TickCount = 284281, SleepMilliseconds = 60000.
TickCount = 284343, SleepMilliseconds = 60000.
TickCount = 284359, SleepMilliseconds = 60000.
Behavior description: Adjust process token privileges
details: SE_DEBUG_PRIVILEGE
SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Open event
details: Global\CLR_PerfMon_StartEnumEvent
\KernelObjects\LowMemoryCondition
HookSwitchHookEnabledEvent
Global\crypt32LogoffEvent
Global\userenv: Machine Group Policy has been applied
MSFT.VSA.COM.DISABLE.2944
MSFT.VSA.IEC.STATUS.6c736db0
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
CTF.ThreadMIConnectionEvent.000007E8.00000000.0000000F
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.0000000F
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Behavior description: Call Sleep function
details: [1]: MilliSeconds = 60000.
[2]: MilliSeconds = 0.
[3]: MilliSeconds = 0.
[4]: MilliSeconds = 0.
[5]: MilliSeconds = 60000.
[6]: MilliSeconds = 1500.
[7]: MilliSeconds = 0.
[8]: MilliSeconds = 0.
[9]: MilliSeconds = 0.
[10]: MilliSeconds = 60000.
Behavior description: Hide specified window
details: [Window,Class] = [使用须知,WindowsForms10.Window.8.app.0.141b42a_r19_ad1]
[Window,Class] = [,ComboLBox]
Behavior description: Read CPU clock directly
details: EAX = 0xb053aec6, EDX = 0x000000b6
EAX = 0xb053af12, EDX = 0x000000b6
EAX = 0xb053af5e, EDX = 0x000000b6
EAX = 0xb053afaa, EDX = 0x000000b6
EAX = 0xb2db7f33, EDX = 0x000000b6
EAX = 0xc02f4b7c, EDX = 0x000000b6
EAX = 0xcfdfb70f, EDX = 0x000000b6
EAX = 0xcfdfb75b, EDX = 0x000000b6
EAX = 0xcfdfb7a7, EDX = 0x000000b6
EAX = 0xcfdfb7f3, EDX = 0x000000b6
Behavior description: Import key
details: [CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x6865A3E6, DataLen: 148, Flags: 0x00000000
Run screenshot