VirSCAN

File information
Safety rating:55
Behavior list
Basic Information
MD5:d505371a4136faec19f488a7c58b3fb2
file type:EXE
Production company:
version:2.1.0.901---2.1.0.901
Shell or compiler information:COMPILER:Microsoft Visual Studio .NET 2005 -- 2008 -> Microsoft Corporation [Overlay] *
Key behavior
Behavior description:Directly calls critical system APIs
details:Index = 0x000000EA, Name: NtQueryInformationProcess, Instruction Address = 0x00B2FB45
Behavior description:Gets the TickCount value
details:TickCount = 143740, SleepMilliseconds = 100.
TickCount = 143756, SleepMilliseconds = 100.
TickCount = 143818, SleepMilliseconds = 100.
TickCount = 143928, SleepMilliseconds = 100.
TickCount = 144037, SleepMilliseconds = 100.
TickCount = 144146, SleepMilliseconds = 100.
TickCount = 144256, SleepMilliseconds = 100.
TickCount = 144365, SleepMilliseconds = 100.
TickCount = 144475, SleepMilliseconds = 100.
TickCount = 144584, SleepMilliseconds = 100.
TickCount = 144693, SleepMilliseconds = 100.
Behavior description:Reads the CPU clock directly
details:EAX = 0xcb440c4c, EDX = 0x00000077
EAX = 0xd07edb05, EDX = 0x00000077
EAX = 0x0fc21846, EDX = 0x00000078
EAX = 0x0fc21892, EDX = 0x00000078
EAX = 0x1f9db418, EDX = 0x00000078
Behavior description:Detects a virtual machine via VMware-specific instructions
details:N/A
Process behavior
Behavior description:Enumerates processes
details:N/A
File behavior
Behavior description:Creates a file
details:C:\Users\Administrator\AppData\Roaming\GlobalMgr.db
Behavior description:Modifies file contents
details:C:\Users\Administrator\AppData\Roaming\GlobalMgr.db ---> Offset = 0
Network behavior
Behavior description:Connects to a specified site
details:WinHttpConnect: ServerName = ap****cc, PORT = 80, UserName = , Password = , hSession = 0x00250bf8, hConnect = 0x0021c370, Flags = 0x00000000
WinHttpConnect: ServerName = ap****cc, PORT = 80, UserName = , Password = , hSession = 0x00250bf8, hConnect = 0x002305b8, Flags = 0x00000000
WinHttpConnect: ServerName = ap****cc, PORT = 80, UserName = , Password = , hSession = 0x00250bf8, hConnect = 0x0025c488, Flags = 0x00000000
Behavior description:Opens an HTTP connection
details:WinHttpOpen: UserAgent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW32; Trident/5.0), hSession = 0x00250bf8
Behavior description:Opens an HTTP request
details:WinHttpOpenRequest: ap****cc:80/api/getlist, hConnect = 0x0021c370, hRequest = 0x0021c458, Verb: POST, Referer: , Flags = 0x00000000
WinHttpOpenRequest: ap****cc:80/api/getlist, hConnect = 0x002305b8, hRequest = 0x0023ba00, Verb: POST, Referer: , Flags = 0x00000000
WinHttpOpenRequest: ap****cc:80/api/getlist, hConnect = 0x0025c488, hRequest = 0x0021c3c0, Verb: POST, Referer: , Flags = 0x00000000
WinHttpOpenRequest: ap****cc:80/api/getlist, hConnect = 0x0025c488, hRequest = 0x0023ba00, Verb: POST, Referer: , Flags = 0x00000000
WinHttpOpenRequest: ap****cc:80/api/getlist, hConnect = 0x0025c488, hRequest = 0x0021c288, Verb: POST, Referer: , Flags = 0x00000000
WinHttpOpenRequest: ap****cc:80/api/getlist, hConnect = 0x0025c488, hRequest = 0x0021c2c0, Verb: POST, Referer: , Flags = 0x00000000
Behavior description:Resolves a host address by name
details:GetAddrInfoW: ap****cc
Registry behavior
Behavior description:Modifies the registry
details:\REGISTRY\USER\S-*\Software\Microsoft\Direct3D\MostRecentApplication\Name
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\FileTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\ConsoleTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\MaxFileSize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\FileDirectory
Other behavior
Behavior description:Checks whether it is being debugged
details:IsDebuggerPresent
Behavior description:Creates a mutex
details:RasPbFile
ATL:MemData03EAA-PC
Local\__DDrawExclMode__
Local\__DDrawCheckExclMode__
Behavior description:Hides a specified window
details:[Window,Class] = [,ATL:DLGFrame032E]
Behavior description:Window information
details:Pid = 3104, Hwnd=0x3024a, Text = 确定, ClassName = Button.
Pid = 3104, Hwnd=0x501d4, Text = 网络链接错误, ClassName = Static.
Pid = 3104, Hwnd=0x401b6, Text = 错误, ClassName = #32770.
Behavior description:Opens an event
details:HookSwitchHookEnabledEvent
Global\SvcctrlStartEvent_A3752DX
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
\KernelObjects\MaximumCommitCondition
Behavior description:Directly accesses a physical device
details:\??\PhysicalDrive0
Behavior description:Calls the Sleep function
details:[1]: MilliSeconds = 100.
[2]: MilliSeconds = 100.
[3]: MilliSeconds = 100.
[4]: MilliSeconds = 100.
[5]: MilliSeconds = 100.
[6]: MilliSeconds = 100.
[7]: MilliSeconds = 100.
[8]: MilliSeconds = 100.
[9]: MilliSeconds = 100.
[10]: MilliSeconds = 100.