VirSCAN

File information
Safety rating: 20
Behavior list
Basic Information
MD5: 7ccd47a72b017e83954d20c4971a510b
File type: EXE
Production company:
Version:
Shell or compiler information: PACKER:NsPacK V3.7 -> LiuXingPing [Overlay] *
Subfile information: nspack_fc1874b3dumpFile / 0278bcdd7cb27149c2cae25a7ad4b88f / EXE
Key behavior
Behavior description: Get TickCount value
details: TickCount = 226984, SleepMilliseconds = 2000.
TickCount = 227078, SleepMilliseconds = 2000.
TickCount = 227093, SleepMilliseconds = 2000.
TickCount = 227109, SleepMilliseconds = 2000.
TickCount = 227125, SleepMilliseconds = 2000.
TickCount = 227484, SleepMilliseconds = 2000.
TickCount = 234359, SleepMilliseconds = 2000.
TickCount = 251656, SleepMilliseconds = 1000.
TickCount = 251671, SleepMilliseconds = 1000.
Process behavior
Behavior description: Create local thread
details: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2736, ThreadID = 2752, StartAddress = 004049C8, Parameter = 018F6BA4
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2736, ThreadID = 2804, StartAddress = 004049C8, Parameter = 019172C8
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2736, ThreadID = 2832, StartAddress = 004049C8, Parameter = 018F38E0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2736, ThreadID = 2836, StartAddress = 004049C8, Parameter = 01918B7C
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2736, ThreadID = 2944, StartAddress = 004049C8, Parameter = 01918B7C
File behavior
Behavior description: Create file
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\Operate.ini
Behavior description: Modify file content
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\Operate.ini ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\Operate.ini ---> Offset = 33
C:\Documents and Settings\Administrator\Local Settings\%temp%\Operate.ini ---> Offset = 44
C:\Documents and Settings\Administrator\Local Settings\%temp%\Operate.ini ---> Offset = 55
C:\Documents and Settings\Administrator\Local Settings\%temp%\Operate.ini ---> Offset = 146
C:\Documents and Settings\Administrator\Local Settings\%temp%\Operate.ini ---> Offset = 239
C:\Documents and Settings\Administrator\Local Settings\%temp%\Operate.ini ---> Offset = 332
C:\Documents and Settings\Administrator\Local Settings\%temp%\Operate.ini ---> Offset = 424
C:\Documents and Settings\Administrator\Local Settings\%temp%\Operate.ini ---> Offset = 518
C:\Documents and Settings\Administrator\Local Settings\%temp%\Operate.ini ---> Offset = 534
C:\Documents and Settings\Administrator\Local Settings\%temp%\Operate.ini ---> Offset = 546
C:\Documents and Settings\Administrator\Local Settings\%temp%\Operate.ini ---> Offset = 562
C:\Documents and Settings\Administrator\Local Settings\%temp%\Operate.ini ---> Offset = 580
C:\Documents and Settings\Administrator\Local Settings\%temp%\Operate.ini ---> Offset = 596
C:\Documents and Settings\Administrator\Local Settings\%temp%\Operate.ini ---> Offset = 626
Behavior description: Find file
details: FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\Operate.ini
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\dat\QQWry.dat
FileName = C:\WINDOWS\system32\Drivers\Etc\Hosts
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\00036CA5.MPHT
Network behavior
Behavior description: Establish connection to a specified socket
details: URL: ne****et, IP: **.133.40.**:80, SOCKET = 0x00000134
Behavior description: Get host address by name
details: gethostbyname: computer
gethostbyname: ne****et
Other behavior
Behavior description: Create mutex
details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
MSCTF.Shared.MUTEX.ELK
Behavior description: Create event object
details: EventName = DINPUTWINMM
EventName = MSCTF.SendReceive.Event.ELK.IC
EventName = MSCTF.SendReceiveConection.Event.ELK.IC
Behavior description: Window information
details: Pid = 2736, Hwnd=0x1056a, Text = 保存, ClassName = TspSkinButton.
Pid = 2736, Hwnd=0x10566, Text = 搜索, ClassName = TspSkinButton.
Pid = 2736, Hwnd=0x103ea, Text = 显示搜索结果, ClassName = TspSkinComboBox.
Pid = 2736, Hwnd=0x203e4, Text = 自动上线主机, ClassName = TspSkinComboBox.
Pid = 2736, Hwnd=0x203dc, Text = Panel130, ClassName = TspSkinPanel.
Pid = 2736, Hwnd=0x103de, Text = 自动上线:0台, ClassName = TspSkinLabel.
Pid = 2736, Hwnd=0x103e0, Text = 我的电脑, ClassName = TspSkinLabel.
Pid = 2736, Hwnd=0x20396, Text = 命令广播, ClassName = TspSkinTabSheet.
Pid = 2736, Hwnd=0x203d8, Text = 批量修改备注, ClassName = TspSkinTabSheet.
Pid = 2736, Hwnd=0x103d6, Text = 筛选符合条件主机, ClassName = TspSkinTabSheet.
Pid = 2736, Hwnd=0x303c8, Text = 消息广播, ClassName = TspSkinTabSheet.
Pid = 2736, Hwnd=0x103d0, Text = 确定, ClassName = TspSkinComboBox.
Pid = 2736, Hwnd=0x303ca, Text = 普通, ClassName = TspSkinComboBox.
Pid = 2736, Hwnd=0x103c4, Text = 常用命令广播, ClassName = TspSkinTabSheet.
Pid = 2736, Hwnd=0x103c6, Text = spSkinPanel3, ClassName = TspSkinPanel.
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [msctls_updown32,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [MS_WINHELP,]
Behavior description: Open event
details: HookSwitchHookEnabledEvent
Global\SvcctrlStartEvent_A3752DX
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000011
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000011
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Behavior description: Get cursor position
details: CursorPos = (80,18468), SleepMilliseconds = 1000.
CursorPos = (6373,26501), SleepMilliseconds = 1000.
CursorPos = (19208,15725), SleepMilliseconds = 1000.
CursorPos = (11517,29359), SleepMilliseconds = 1000.
CursorPos = (27001,24465), SleepMilliseconds = 2000.
CursorPos = (5744,28146), SleepMilliseconds = 2000.
CursorPos = (23320,16828), SleepMilliseconds = 2000.
CursorPos = (10000,492), SleepMilliseconds = 2000.
CursorPos = (3034,11943), SleepMilliseconds = 2000.
CursorPos = (4866,5437), SleepMilliseconds = 2000.
CursorPos = (32430,14605), SleepMilliseconds = 2000.
CursorPos = (3941,154), SleepMilliseconds = 2000.
CursorPos = (331,12383), SleepMilliseconds = 2000.
CursorPos = (17460,18717), SleepMilliseconds = 2000.
CursorPos = (19757,19896), SleepMilliseconds = 2000.
Behavior description: Enumerate windows
details: N/A
Behavior description: Call Sleep function
details: [1]: MilliSeconds = 500.
[2]: MilliSeconds = 1000.
[3]: MilliSeconds = 125.
[4]: MilliSeconds = 0.
[5]: MilliSeconds = 2000.
[6]: MilliSeconds = 1000.
[7]: MilliSeconds = 2000.
[8]: MilliSeconds = 1000.
[9]: MilliSeconds = 2000.
[10]: MilliSeconds = 1000.
Behavior description: Hide specified window
details: [Window,Class] = [996e,TApplication]
[Window,Class] = [,TSplashForm]
[Window,Class] = [灰鸽子远程控制 [黑防专版] **.133.40.**,TGrayPigeonMainForm]
Behavior description: Open mutex
details: ShimCacheMutex