VirSCAN

File information
Safety rating: 75
Behavior list
Basic Information
MD5: b9adb5883036d887b55e3629932bffef
File type: EXE
Production company: china
Version: 1.0.0.0---1.0.0.0
Shell or compiler information: COMPILER: Microsoft Visual C# / Basic .NET
Key behavior
Behavior description: Directly calls critical system APIs
details: Index = 0x000000A3, Name: NtQueryObject, Instruction Address = 0x00497045
Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x00496858
Index = 0x00000042, Name: NtDeviceIoControlFile, Instruction Address = 0x0049680D
Index = 0x000000A3, Name: NtQueryObject, Instruction Address = 0x00497038
Index = 0x0000007D, Name: NtOpenSection, Instruction Address = 0x0049712A
Index = 0x0000008B, Name: NtQueryAttributesFile, Instruction Address = 0x00497529
Index = 0x00000074, Name: NtOpenFile, Instruction Address = 0x004974F9
Index = 0x000000A7, Name: NtQuerySection, Instruction Address = 0x004972D0
Index = 0x00000019, Name: NtClose, Instruction Address = 0x004973A0
Behavior description: Reads the TickCount value
details: TickCount = 287156, SleepMilliseconds = 60000.
TickCount = 287390, SleepMilliseconds = 60000.
TickCount = 287453, SleepMilliseconds = 60000.
TickCount = 287968, SleepMilliseconds = 60000.
TickCount = 288015, SleepMilliseconds = 60000.
TickCount = 288093, SleepMilliseconds = 60000.
TickCount = 288218, SleepMilliseconds = 60000.
TickCount = 288281, SleepMilliseconds = 60000.
TickCount = 288296, SleepMilliseconds = 60000.
TickCount = 288312, SleepMilliseconds = 60000.
TickCount = 288328, SleepMilliseconds = 60000.
TickCount = 288359, SleepMilliseconds = 60000.
TickCount = 288390, SleepMilliseconds = 60000.
TickCount = 288421, SleepMilliseconds = 60000.
TickCount = 288437, SleepMilliseconds = 60000.
Process behavior
Behavior description: Creates local threads
details: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2728, ThreadID = 2836, StartAddress = 79F0237F, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2728, ThreadID = 2840, StartAddress = 79F91FCF, Parameter = 004EBCF8
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2728, ThreadID = 2868, StartAddress = 77E56C7D, Parameter = 004FF8E0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2728, ThreadID = 2872, StartAddress = 769AE43B, Parameter = 00510510
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2728, ThreadID = 2884, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2728, ThreadID = 3368, StartAddress = 79FDA29C, Parameter = 00000000
File behavior
Behavior description: Creates files
details: C:\Documents and Settings\Administrator\Local Settings\Temp\evb3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\evb4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\evb5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\evb6.tmp
Behavior description: Creates executable files
details: C:\Documents and Settings\Administrator\Local Settings\Temp\evb4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\evb5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\evb6.tmp
Behavior description: Overwrites existing files
details: C:\Documents and Settings\Administrator\Local Settings\Temp\evb3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\evb4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\evb5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\evb6.tmp
C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
Behavior description: Searches for files
details: FileName = c:\documents and settings
FileName = c:\Documents and Settings\administrator
FileName = c:\Documents and Settings\Administrator\local settings
FileName = c:\Documents and Settings\Administrator\Local Settings\temp
FileName = c:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = c:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
FileName = c:\windows
FileName = c:\WINDOWS\system32
FileName = c:\docume~1
FileName = c:\Documents and Settings\admini~1
FileName = c:\Documents and Settings\Administrator\locals~1
FileName = c:\Documents and Settings\Administrator\my documents
FileName = c:\Documents and Settings\all users
FileName = c:\Documents and Settings\All Users\documents
FileName = c:\program files
Behavior description: Deletes files
details: C:\Documents and Settings\Administrator\Local Settings\Temp\evb4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\evb5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\evb6.tmp
Behavior description: Modifies file contents
details: C:\Documents and Settings\Administrator\Local Settings\Temp\evb4.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\evb5.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\evb6.tmp ---> Offset = 0
Other behavior
Behavior description: Checks whether it is being debugged
details: IsDebuggerPresent
Behavior description: Creates mutexes
details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
MSCTF.Shared.MUTEX.MKK
Behavior description: Creates event objects
details: EventName = EVB_B4396728A7A0ABD2_00000AA8
EventName = Global\CorDBIPCSetupSyncEvent_2728
EventName = MSCTF.SendReceive.Event.MKK.IC
EventName = MSCTF.SendReceiveConection.Event.MKK.IC
Behavior description: Searches for a specified window
details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Opens events
details: HookSwitchHookEnabledEvent
Global\CLR_PerfMon_StartEnumEvent
\KernelObjects\LowMemoryCondition
MSFT.VSA.COM.DISABLE.2728
MSFT.VSA.IEC.STATUS.6c736db0
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Behavior description: Window information
details: Pid = 2728, Hwnd=0x10350, Text = 关于, ClassName = WindowsForms10.BUTTON.app.0.378734a.
Pid = 2728, Hwnd=0x10352, Text = 说明, ClassName = WindowsForms10.BUTTON.app.0.378734a.
Pid = 2728, Hwnd=0x10354, Text = 龙门吊编号, ClassName = WindowsForms10.Window.8.app.0.378734a.
Pid = 2728, Hwnd=0x10356, Text = L54-L62, ClassName = WindowsForms10.BUTTON.app.0.378734a.
Pid = 2728, Hwnd=0x10358, Text = L42-L45, ClassName = WindowsForms10.BUTTON.app.0.378734a.
Pid = 2728, Hwnd=0x1035a, Text = L37-L41, ClassName = WindowsForms10.BUTTON.app.0.378734a.
Pid = 2728, Hwnd=0x2034c, Text = L46-L53, ClassName = WindowsForms10.BUTTON.app.0.378734a.
Pid = 2728, Hwnd=0x1035c, Text = L34/L35, ClassName = WindowsForms10.BUTTON.app.0.378734a.
Pid = 2728, Hwnd=0x1035e, Text = L33/L36, ClassName = WindowsForms10.BUTTON.app.0.378734a.
Pid = 2728, Hwnd=0x10360, Text = L25-L32, ClassName = WindowsForms10.BUTTON.app.0.378734a.
Pid = 2728, Hwnd=0x10362, Text = L17-L24, ClassName = WindowsForms10.BUTTON.app.0.378734a.
Pid = 2728, Hwnd=0x10364, Text = L12-L16, ClassName = WindowsForms10.BUTTON.app.0.378734a.
Pid = 2728, Hwnd=0x10366, Text = 故障清屏, ClassName = WindowsForms10.BUTTON.app.0.378734a.
Pid = 2728, Hwnd=0x10368, Text = 设备编号, ClassName = WindowsForms10.STATIC.app.0.378734a.
Pid = 2728, Hwnd=0x1036a, Text = 代码含义, ClassName = WindowsForms10.STATIC.app.0.378734a.
Behavior description: Imports a key
details: [CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x03784805, DataLen: 148, Flags: 0x00000000
Behavior description: Executable file signature information
details: C:\Documents and Settings\Administrator\Local Settings\Temp\evb4.tmp (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\evb5.tmp (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\evb6.tmp (signature verification: failed)
Behavior description: Calls the Sleep function
details: [1]: MilliSeconds = 60000.
[2]: MilliSeconds = -1.
Behavior description: Executable file MD5
details: C:\Documents and Settings\Administrator\Local Settings\Temp\evb4.tmp ---> 4867ae1c83eb87a90c38cd464d9746d5
C:\Documents and Settings\Administrator\Local Settings\Temp\evb5.tmp ---> 4867ae1c83eb87a90c38cd464d9746d5
C:\Documents and Settings\Administrator\Local Settings\Temp\evb6.tmp ---> 4867ae1c83eb87a90c38cd464d9746d5
Behavior description: Opens mutexes
details: ShimCacheMutex
Global\CLR_CASOFF_MUTEX
Behavior description: Loads newly dropped files
details: Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\evb4.tmp.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\evb5.tmp.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\evb6.tmp.
Run screenshot