VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports Rar/Zip decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected compressed files whose password is 'infected' or 'virus'.


File information
Safety rating: 70
Behavior list
Basic Information
MD5: 7210faa98d2a15a81400d33ba3e870b2
File type: zip
Production company:
Version:
Shell or compiler information: PACKER:EXE Shield 0.4 -> SMoKE
Subfile information: 2.exe / 0f83d0a6b9d99804279bf8c9211eefd0 / EXE
Key behavior
Behavior description: Set special file attributes
details: C:\Program Files\Common Files\Microsoft Shared\MSInfo\JPRUaceg.exe
Behavior description: Read the CPU clock directly
details: EAX = 0xb4a0e52e, EDX = 0x000000bc
EAX = 0x3dc82c31, EDX = 0x000000bd
Behavior description: Create system service
details: [服务创建成功]: aabfijln, C:\Program Files\Common Files\Microsoft Shared\MSINFO\JPRUaceg.exe -k
Behavior description: Get TickCount value
details: TickCount = 219984, SleepMilliseconds = 1000.
TickCount = 220843, SleepMilliseconds = 1000.
TickCount = 227593, SleepMilliseconds = 500.
Process behavior
Behavior description: Create process with hidden window
details: ImagePath = , CmdLine = C:\Program Files\Common Files\Microsoft Shared\MSINFO\JPRUaceg.exe
Behavior description: Create local thread
details: TargetProcess: 2.exe, InheritedFromPID = 2000, ProcessID = 2736, ThreadID = 2784, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: JPRUaceg.exe, InheritedFromPID = 2736, ProcessID = 2868, ThreadID = 2876, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: JPRUaceg.exe, InheritedFromPID = 2736, ProcessID = 2868, ThreadID = 2960, StartAddress = 00460570, Parameter = 00F227FC
TargetProcess: JPRUaceg.exe, InheritedFromPID = 2736, ProcessID = 2868, ThreadID = 2964, StartAddress = 00460580, Parameter = 00F227FC
Behavior description: Create process from newly written file
details: [0x00000b34]ImagePath = C:\Program Files\Common Files\Microsoft Shared\MSInfo\JPRUaceg.exe, CmdLine = "C:\Program Files\Common Files\Microsoft Shared\MSINFO\JPRUaceg.exe"
File behavior
Behavior description: Create file
details: C:\Program Files\Common Files\Microsoft Shared\MSInfo\JPRUaceg.exe
Behavior description: Create executable file
details: C:\Program Files\Common Files\Microsoft Shared\MSInfo\JPRUaceg.exe
Behavior description: Search for file
details: FileName = C:\Program Files\Common Files\Microsoft Shared\MSINFO\JPRUaceg.exe
FileName = C:\Program Files\Common Files\Microsoft Shared\MSINFO
FileName = C:\Program Files\Common Files\Microsoft Shared\MSInfo
FileName = C:\Program Files\Common Files\Microsoft Shared\MSInfo\JPRUaceg.exe
Behavior description: Set special file attributes
details: C:\Program Files\Common Files\Microsoft Shared\MSInfo\JPRUaceg.exe
Behavior description: Copy file
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\2.exe ---> C:\Program Files\Common Files\Microsoft Shared\MSINFO\JPRUaceg.exe
Behavior description: Modify file contents
details: C:\Program Files\Common Files\Microsoft Shared\MSInfo\JPRUaceg.exe ---> Offset = 0
C:\Program Files\Common Files\Microsoft Shared\MSInfo\JPRUaceg.exe ---> Offset = 65536
C:\Program Files\Common Files\Microsoft Shared\MSInfo\JPRUaceg.exe ---> Offset = 131072
C:\Program Files\Common Files\Microsoft Shared\MSInfo\JPRUaceg.exe ---> Offset = 196608
C:\Program Files\Common Files\Microsoft Shared\MSInfo\JPRUaceg.exe ---> Offset = 262144
Network behavior
Behavior description: Establish connection to a specified socket
details: URL: or****et, IP: **.133.40.**:1121, SOCKET = 0x0000020c
Behavior description: Resolve host address by name
details: gethostbyname: . .
gethostbyname: or****et
gethostbyname: computer
DnsQuery_W: 3.110.110.110.in-addr.arpa.
Registry behavior
Behavior description: Delete registry key
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\
Behavior description: Delete registry value
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\DWFileTreeRoot
Other behavior
Behavior description: Get cursor position
details: CursorPos = (80,18468), SleepMilliseconds = 1000.
CursorPos = (80,18468), SleepMilliseconds = 500.
Behavior description: Create mutex
details: RasPbFile
AMResourceMutex2
VideoRenderer
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
JPRUaceg.exe
MLJXTVN@ISAGGVYTIXYX@QGNZTXZPLIW
eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0
Behavior description: Create event object
details: EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
Behavior description: Open mutex
details: RasPbFile
ShimCacheMutex
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [MS_WINHELP,]
Behavior description: Get TickCount value
details: TickCount = 219984, SleepMilliseconds = 1000.
TickCount = 220843, SleepMilliseconds = 1000.
TickCount = 227593, SleepMilliseconds = 500.
Behavior description: Search for kernel32.dll base address
details: Instruction Address = 0x004be7ca
Behavior description: Adjust process token privileges
details: SE_INC_BASE_PRIORITY_PRIVILEGE
Behavior description: Open event
details: HookSwitchHookEnabledEvent
Global\SvcctrlStartEvent_A3752DX
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Behavior description: Executable file signature information
details: C:\Program Files\Common Files\Microsoft Shared\MSInfo\JPRUaceg.exe(签名验证: 未通过)
Behavior description: Call Sleep function
details: [1]: MilliSeconds = 1000.
[1]: MilliSeconds = 10.
[2]: MilliSeconds = 500.
Behavior description: Executable file MD5
details: C:\Program Files\Common Files\Microsoft Shared\MSInfo\JPRUaceg.exe ---> 0f83d0a6b9d99804279bf8c9211eefd0
Behavior description: Read the CPU clock directly
details: EAX = 0xb4a0e52e, EDX = 0x000000bc
EAX = 0x3dc82c31, EDX = 0x000000bd
Behavior description: Create system service
details: [服务创建成功]: aabfijln, C:\Program Files\Common Files\Microsoft Shared\MSINFO\JPRUaceg.exe -k