VirSCAN VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, VirSCAN can scan compressed files with password 'infected' or 'virus'.

Language
Server load
Server Load

File information
Safety rating:75
Behavior list
Basic Information
MD5:e344b0f6cfa66d28927829fc7f38b54a
file type:EXE
Production company:
version:1.0.0.0---1.0.0.0
Shell or compiler information:COMPILER:Microsoft Visual C# / Basic .NET [Overlay]
Key behavior
Behavior description:直接获取CPU时钟
details:EAX = 0x114ebe37, EDX = 0x000000b4
EAX = 0x114ebe83, EDX = 0x000000b4
EAX = 0x114ebecf, EDX = 0x000000b4
EAX = 0x114ebf1b, EDX = 0x000000b4
EAX = 0x2b9ff77b, EDX = 0x000000b4
EAX = 0x3e2e9231, EDX = 0x000000b4
EAX = 0x40b661ba, EDX = 0x000000b4
EAX = 0x45f13073, EDX = 0x000000b4
EAX = 0x951008ee, EDX = 0x000000b4
EAX = 0x9510093a, EDX = 0x000000b4
Behavior description:获取TickCount值
details:TickCount = 218473, SleepMilliseconds = 20.
TickCount = 219963, SleepMilliseconds = 10.
TickCount = 220010, SleepMilliseconds = 10.
TickCount = 220025, SleepMilliseconds = 10.
TickCount = 220041, SleepMilliseconds = 10.
TickCount = 220135, SleepMilliseconds = 10.
TickCount = 220181, SleepMilliseconds = 10.
TickCount = 220213, SleepMilliseconds = 10.
TickCount = 220228, SleepMilliseconds = 10.
TickCount = 220260, SleepMilliseconds = 10.
TickCount = 220275, SleepMilliseconds = 10.
TickCount = 280312, SleepMilliseconds = 60000.
TickCount = 280343, SleepMilliseconds = 60000.
TickCount = 280375, SleepMilliseconds = 60000.
TickCount = 280406, SleepMilliseconds = 60000.
Process behavior
Behavior description:隐藏窗口创建进程
details:ImagePath = , CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mpv.exe /stext C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mpvp.txt
ImagePath = , CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WBP.exe /stext C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WBVP.txt
ImagePath = , CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mespv.exe /stext C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mespvp.txt
Behavior description:创建本地线程
details:TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2656, ThreadID = 2680, StartAddress = 79F0237F, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2656, ThreadID = 2696, StartAddress = 79F91FCF, Parameter = 001A5780
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2656, ThreadID = 2800, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: WBP.exe, InheritedFromPID = 2656, ProcessID = 2832, ThreadID = 2840, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2656, ThreadID = 2900, StartAddress = 77E56C7D, Parameter = 001ED618
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2656, ThreadID = 2904, StartAddress = 769AE43B, Parameter = 001EDC38
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2656, ThreadID = 2908, StartAddress = 79F91FCF, Parameter = 001F1540
Behavior description:创建新文件进程
details:[0x00000b00]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mpv.exe, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mpv.exe /stext C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mpvp.txt
[0x00000b10]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WBP.exe, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WBP.exe /stext C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WBVP.txt
[0x00000b3c]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mespv.exe, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mespv.exe /stext C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mespvp.txt
[0x00000b4c]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pv.exe, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pv.exe /stext C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pvp.txt
File behavior
Behavior description:创建文件
details:C:\Documents and Settings\Administrator\Local Settings\Temp\mpv.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\mpvp.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\WBP.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\WBVP.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\mespv.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\mespvp.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\pv.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\pvp.txt
Behavior description:创建可执行文件
details:C:\Documents and Settings\Administrator\Local Settings\Temp\mpv.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\WBP.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\mespv.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\pv.exe
Behavior description:覆盖已有文件
details:C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
Behavior description:查找文件
details:FileName = C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
FileName = C:\WINDOWS\Microsoft.NET\Framework\\*
FileName = C:\WINDOWS
FileName = C:\WINDOWS\WinSxS
FileName = C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
FileName = C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\996E.INI
FileName = C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI
FileName = C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.INI
Behavior description:删除文件
details:C:\Documents and Settings\Administrator\Local Settings\Temp\mpvp.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\WBVP.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\mespvp.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\pvp.txt
Behavior description:修改文件内容
details:C:\Documents and Settings\Administrator\Local Settings\Temp\mpv.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\WBP.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\WBVP.txt ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\mespv.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\pv.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\pvp.txt ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\pvp.txt ---> Offset = 50
C:\Documents and Settings\Administrator\Local Settings\Temp\pvp.txt ---> Offset = 52
C:\Documents and Settings\Administrator\Local Settings\Temp\pvp.txt ---> Offset = 91
C:\Documents and Settings\Administrator\Local Settings\Temp\pvp.txt ---> Offset = 136
Network behavior
Behavior description:建立到一个指定的套接字连接
details:URL: fi****om, IP: **.133.40.**:21, SOCKET = 0x00000324
Behavior description:按名称获取主机地址
details:gethostbyname: fi****om
Other behavior
Behavior description:检测自身是否被调试
details:IsDebuggerPresent
Behavior description:创建互斥体
details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
RasPbFile
Global\.net clr networking
Behavior description:创建事件对象
details:EventName = Global\CorDBIPCSetupSyncEvent_2656
EventName = Global\crypt32LogoffEvent
EventName = DINPUTWINMM
Behavior description:打开互斥体
details:ShimCacheMutex
Global\CLR_CASOFF_MUTEX
RasPbFile
Global\.net clr networking
Behavior description:获取TickCount值
details:TickCount = 218473, SleepMilliseconds = 20.
TickCount = 219963, SleepMilliseconds = 10.
TickCount = 220010, SleepMilliseconds = 10.
TickCount = 220025, SleepMilliseconds = 10.
TickCount = 220041, SleepMilliseconds = 10.
TickCount = 220135, SleepMilliseconds = 10.
TickCount = 220181, SleepMilliseconds = 10.
TickCount = 220213, SleepMilliseconds = 10.
TickCount = 220228, SleepMilliseconds = 10.
TickCount = 220260, SleepMilliseconds = 10.
TickCount = 220275, SleepMilliseconds = 10.
TickCount = 280312, SleepMilliseconds = 60000.
TickCount = 280343, SleepMilliseconds = 60000.
TickCount = 280375, SleepMilliseconds = 60000.
TickCount = 280406, SleepMilliseconds = 60000.
Behavior description:调整进程token权限
details:SE_DEBUG_PRIVILEGE
Behavior description:打开事件
details:Global\CLR_PerfMon_StartEnumEvent
\KernelObjects\LowMemoryCondition
HookSwitchHookEnabledEvent
Global\SvcctrlStartEvent_A3752DX
Global\PS_SERVICE_STARTED
Global\crypt32LogoffEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
MSFT.VSA.COM.DISABLE.2656
MSFT.VSA.IEC.STATUS.6c736db0
Behavior description:可执行文件签名信息
details:C:\Documents and Settings\Administrator\Local Settings\Temp\mpv.exe(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\WBP.exe(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\mespv.exe(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\pv.exe(签名验证: 未通过)
Behavior description:调用Sleep函数
details:[1]: MilliSeconds = 20.
[2]: MilliSeconds = 20.
[3]: MilliSeconds = 20.
[4]: MilliSeconds = 20.
[5]: MilliSeconds = 20.
[6]: MilliSeconds = 20.
[7]: MilliSeconds = 20.
[8]: MilliSeconds = 10.
[9]: MilliSeconds = 60000.
Behavior description:隐藏指定窗口
details:[Window,Class] = [,WindowsForms10.Window.8.app.0.33c0d9d]
Behavior description:可执行文件MD5
details:C:\Documents and Settings\Administrator\Local Settings\Temp\mpv.exe ---> a138fca70622323e45d6018125322051
C:\Documents and Settings\Administrator\Local Settings\Temp\WBP.exe ---> 6d95f03eaf83b31686f263260202ee36
C:\Documents and Settings\Administrator\Local Settings\Temp\mespv.exe ---> ffc52f2b4435fcddaca6e15489a88b75
C:\Documents and Settings\Administrator\Local Settings\Temp\pv.exe ---> afe3aeeffaa1e1772a926ca45923f33f
Behavior description:直接获取CPU时钟
details:EAX = 0x114ebe37, EDX = 0x000000b4
EAX = 0x114ebe83, EDX = 0x000000b4
EAX = 0x114ebecf, EDX = 0x000000b4
EAX = 0x114ebf1b, EDX = 0x000000b4
EAX = 0x2b9ff77b, EDX = 0x000000b4
EAX = 0x3e2e9231, EDX = 0x000000b4
EAX = 0x40b661ba, EDX = 0x000000b4
EAX = 0x45f13073, EDX = 0x000000b4
EAX = 0x951008ee, EDX = 0x000000b4
EAX = 0x9510093a, EDX = 0x000000b4
Run screenshot
VirSCAN

About VirSCAN | Privacy Policy | Contact us | Links | Help VirSCAN
Translated by Keith Miller, United States
Powered By CentOSpol

京ICP备11007605号-12

pol

京公网安备 11010802020746号