1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, VirSCAN can scan compressed files with password 'infected' or 'virus'.
Language
Server load
1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, VirSCAN can scan compressed files with password 'infected' or 'virus'.
| Safety rating:75 |
| Behavior list |
| Basic Information | |
|---|---|
| MD5: | e344b0f6cfa66d28927829fc7f38b54a |
| file type: | EXE |
| Production company: | |
| version: | 1.0.0.0---1.0.0.0 |
| Shell or compiler information: | COMPILER:Microsoft Visual C# / Basic .NET [Overlay] |
| Key behavior | |
|---|---|
| Behavior description: | 直接获取CPU时钟 |
| details: | EAX = 0x114ebe37, EDX = 0x000000b4 |
| EAX = 0x114ebe83, EDX = 0x000000b4 | |
| EAX = 0x114ebecf, EDX = 0x000000b4 | |
| EAX = 0x114ebf1b, EDX = 0x000000b4 | |
| EAX = 0x2b9ff77b, EDX = 0x000000b4 | |
| EAX = 0x3e2e9231, EDX = 0x000000b4 | |
| EAX = 0x40b661ba, EDX = 0x000000b4 | |
| EAX = 0x45f13073, EDX = 0x000000b4 | |
| EAX = 0x951008ee, EDX = 0x000000b4 | |
| EAX = 0x9510093a, EDX = 0x000000b4 | |
| Behavior description: | 获取TickCount值 |
| details: | TickCount = 218473, SleepMilliseconds = 20. |
| TickCount = 219963, SleepMilliseconds = 10. | |
| TickCount = 220010, SleepMilliseconds = 10. | |
| TickCount = 220025, SleepMilliseconds = 10. | |
| TickCount = 220041, SleepMilliseconds = 10. | |
| TickCount = 220135, SleepMilliseconds = 10. | |
| TickCount = 220181, SleepMilliseconds = 10. | |
| TickCount = 220213, SleepMilliseconds = 10. | |
| TickCount = 220228, SleepMilliseconds = 10. | |
| TickCount = 220260, SleepMilliseconds = 10. | |
| TickCount = 220275, SleepMilliseconds = 10. | |
| TickCount = 280312, SleepMilliseconds = 60000. | |
| TickCount = 280343, SleepMilliseconds = 60000. | |
| TickCount = 280375, SleepMilliseconds = 60000. | |
| TickCount = 280406, SleepMilliseconds = 60000. | |
| Process behavior | |
|---|---|
| Behavior description: | 隐藏窗口创建进程 |
| details: | ImagePath = , CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mpv.exe /stext C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mpvp.txt |
| ImagePath = , CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WBP.exe /stext C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WBVP.txt | |
| ImagePath = , CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mespv.exe /stext C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mespvp.txt | |
| Behavior description: | 创建本地线程 |
| details: | TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2656, ThreadID = 2680, StartAddress = 79F0237F, Parameter = 00000000 |
| TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2656, ThreadID = 2696, StartAddress = 79F91FCF, Parameter = 001A5780 | |
| TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2656, ThreadID = 2800, StartAddress = 4AEA7456, Parameter = 00000000 | |
| TargetProcess: WBP.exe, InheritedFromPID = 2656, ProcessID = 2832, ThreadID = 2840, StartAddress = 77DC845A, Parameter = 00000000 | |
| TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2656, ThreadID = 2900, StartAddress = 77E56C7D, Parameter = 001ED618 | |
| TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2656, ThreadID = 2904, StartAddress = 769AE43B, Parameter = 001EDC38 | |
| TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2656, ThreadID = 2908, StartAddress = 79F91FCF, Parameter = 001F1540 | |
| Behavior description: | 创建新文件进程 |
| details: | [0x00000b00]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mpv.exe, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mpv.exe /stext C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mpvp.txt |
| [0x00000b10]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WBP.exe, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WBP.exe /stext C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WBVP.txt | |
| [0x00000b3c]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mespv.exe, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mespv.exe /stext C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mespvp.txt | |
| [0x00000b4c]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pv.exe, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pv.exe /stext C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pvp.txt | |
| File behavior | |
|---|---|
| Behavior description: | 创建文件 |
| details: | C:\Documents and Settings\Administrator\Local Settings\Temp\mpv.exe |
| C:\Documents and Settings\Administrator\Local Settings\Temp\mpvp.txt | |
| C:\Documents and Settings\Administrator\Local Settings\Temp\WBP.exe | |
| C:\Documents and Settings\Administrator\Local Settings\Temp\WBVP.txt | |
| C:\Documents and Settings\Administrator\Local Settings\Temp\mespv.exe | |
| C:\Documents and Settings\Administrator\Local Settings\Temp\mespvp.txt | |
| C:\Documents and Settings\Administrator\Local Settings\Temp\pv.exe | |
| C:\Documents and Settings\Administrator\Local Settings\Temp\pvp.txt | |
| Behavior description: | 创建可执行文件 |
| details: | C:\Documents and Settings\Administrator\Local Settings\Temp\mpv.exe |
| C:\Documents and Settings\Administrator\Local Settings\Temp\WBP.exe | |
| C:\Documents and Settings\Administrator\Local Settings\Temp\mespv.exe | |
| C:\Documents and Settings\Administrator\Local Settings\Temp\pv.exe | |
| Behavior description: | 覆盖已有文件 |
| details: | C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT |
| Behavior description: | 查找文件 |
| details: | FileName = C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll |
| FileName = C:\WINDOWS\Microsoft.NET\Framework\\* | |
| FileName = C:\WINDOWS | |
| FileName = C:\WINDOWS\WinSxS | |
| FileName = C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll | |
| FileName = C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI | |
| FileName = C:\Documents and Settings\Administrator\Local Settings\Temp | |
| FileName = C:\Documents and Settings\Administrator\Local Settings\%temp% | |
| FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe | |
| FileName = C:\Documents and Settings | |
| FileName = C:\Documents and Settings\Administrator | |
| FileName = C:\Documents and Settings\Administrator\Local Settings | |
| FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\996E.INI | |
| FileName = C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI | |
| FileName = C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.INI | |
| Behavior description: | 删除文件 |
| details: | C:\Documents and Settings\Administrator\Local Settings\Temp\mpvp.txt |
| C:\Documents and Settings\Administrator\Local Settings\Temp\WBVP.txt | |
| C:\Documents and Settings\Administrator\Local Settings\Temp\mespvp.txt | |
| C:\Documents and Settings\Administrator\Local Settings\Temp\pvp.txt | |
| Behavior description: | 修改文件内容 |
| details: | C:\Documents and Settings\Administrator\Local Settings\Temp\mpv.exe ---> Offset = 0 |
| C:\Documents and Settings\Administrator\Local Settings\Temp\WBP.exe ---> Offset = 0 | |
| C:\Documents and Settings\Administrator\Local Settings\Temp\WBVP.txt ---> Offset = 0 | |
| C:\Documents and Settings\Administrator\Local Settings\Temp\mespv.exe ---> Offset = 0 | |
| C:\Documents and Settings\Administrator\Local Settings\Temp\pv.exe ---> Offset = 0 | |
| C:\Documents and Settings\Administrator\Local Settings\Temp\pvp.txt ---> Offset = 0 | |
| C:\Documents and Settings\Administrator\Local Settings\Temp\pvp.txt ---> Offset = 50 | |
| C:\Documents and Settings\Administrator\Local Settings\Temp\pvp.txt ---> Offset = 52 | |
| C:\Documents and Settings\Administrator\Local Settings\Temp\pvp.txt ---> Offset = 91 | |
| C:\Documents and Settings\Administrator\Local Settings\Temp\pvp.txt ---> Offset = 136 | |
| Network behavior | |
|---|---|
| Behavior description: | 建立到一个指定的套接字连接 |
| details: | URL: fi****om, IP: **.133.40.**:21, SOCKET = 0x00000324 |
| Behavior description: | 按名称获取主机地址 |
| details: | gethostbyname: fi****om |
| Other behavior | |
|---|---|
| Behavior description: | 检测自身是否被调试 |
| details: | IsDebuggerPresent |
| Behavior description: | 创建互斥体 |
| details: | CTF.LBES.MutexDefaultS-* |
| CTF.Compart.MutexDefaultS-* | |
| CTF.Asm.MutexDefaultS-* | |
| CTF.Layouts.MutexDefaultS-* | |
| CTF.TMD.MutexDefaultS-* | |
| CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-* | |
| RasPbFile | |
| Global\.net clr networking | |
| Behavior description: | 创建事件对象 |
| details: | EventName = Global\CorDBIPCSetupSyncEvent_2656 |
| EventName = Global\crypt32LogoffEvent | |
| EventName = DINPUTWINMM | |
| Behavior description: | 打开互斥体 |
| details: | ShimCacheMutex |
| Global\CLR_CASOFF_MUTEX | |
| RasPbFile | |
| Global\.net clr networking | |
| Behavior description: | 获取TickCount值 |
| details: | TickCount = 218473, SleepMilliseconds = 20. |
| TickCount = 219963, SleepMilliseconds = 10. | |
| TickCount = 220010, SleepMilliseconds = 10. | |
| TickCount = 220025, SleepMilliseconds = 10. | |
| TickCount = 220041, SleepMilliseconds = 10. | |
| TickCount = 220135, SleepMilliseconds = 10. | |
| TickCount = 220181, SleepMilliseconds = 10. | |
| TickCount = 220213, SleepMilliseconds = 10. | |
| TickCount = 220228, SleepMilliseconds = 10. | |
| TickCount = 220260, SleepMilliseconds = 10. | |
| TickCount = 220275, SleepMilliseconds = 10. | |
| TickCount = 280312, SleepMilliseconds = 60000. | |
| TickCount = 280343, SleepMilliseconds = 60000. | |
| TickCount = 280375, SleepMilliseconds = 60000. | |
| TickCount = 280406, SleepMilliseconds = 60000. | |
| Behavior description: | 调整进程token权限 |
| details: | SE_DEBUG_PRIVILEGE |
| Behavior description: | 打开事件 |
| details: | Global\CLR_PerfMon_StartEnumEvent |
| \KernelObjects\LowMemoryCondition | |
| HookSwitchHookEnabledEvent | |
| Global\SvcctrlStartEvent_A3752DX | |
| Global\PS_SERVICE_STARTED | |
| Global\crypt32LogoffEvent | |
| \SECURITY\LSA_AUTHENTICATION_INITIALIZED | |
| MSFT.VSA.COM.DISABLE.2656 | |
| MSFT.VSA.IEC.STATUS.6c736db0 | |
| Behavior description: | 可执行文件签名信息 |
| details: | C:\Documents and Settings\Administrator\Local Settings\Temp\mpv.exe(签名验证: 未通过) |
| C:\Documents and Settings\Administrator\Local Settings\Temp\WBP.exe(签名验证: 未通过) | |
| C:\Documents and Settings\Administrator\Local Settings\Temp\mespv.exe(签名验证: 未通过) | |
| C:\Documents and Settings\Administrator\Local Settings\Temp\pv.exe(签名验证: 未通过) | |
| Behavior description: | 调用Sleep函数 |
| details: | [1]: MilliSeconds = 20. |
| [2]: MilliSeconds = 20. | |
| [3]: MilliSeconds = 20. | |
| [4]: MilliSeconds = 20. | |
| [5]: MilliSeconds = 20. | |
| [6]: MilliSeconds = 20. | |
| [7]: MilliSeconds = 20. | |
| [8]: MilliSeconds = 10. | |
| [9]: MilliSeconds = 60000. | |
| Behavior description: | 隐藏指定窗口 |
| details: | [Window,Class] = [,WindowsForms10.Window.8.app.0.33c0d9d] |
| Behavior description: | 可执行文件MD5 |
| details: | C:\Documents and Settings\Administrator\Local Settings\Temp\mpv.exe ---> a138fca70622323e45d6018125322051 |
| C:\Documents and Settings\Administrator\Local Settings\Temp\WBP.exe ---> 6d95f03eaf83b31686f263260202ee36 | |
| C:\Documents and Settings\Administrator\Local Settings\Temp\mespv.exe ---> ffc52f2b4435fcddaca6e15489a88b75 | |
| C:\Documents and Settings\Administrator\Local Settings\Temp\pv.exe ---> afe3aeeffaa1e1772a926ca45923f33f | |
| Behavior description: | 直接获取CPU时钟 |
| details: | EAX = 0x114ebe37, EDX = 0x000000b4 |
| EAX = 0x114ebe83, EDX = 0x000000b4 | |
| EAX = 0x114ebecf, EDX = 0x000000b4 | |
| EAX = 0x114ebf1b, EDX = 0x000000b4 | |
| EAX = 0x2b9ff77b, EDX = 0x000000b4 | |
| EAX = 0x3e2e9231, EDX = 0x000000b4 | |
| EAX = 0x40b661ba, EDX = 0x000000b4 | |
| EAX = 0x45f13073, EDX = 0x000000b4 | |
| EAX = 0x951008ee, EDX = 0x000000b4 | |
| EAX = 0x9510093a, EDX = 0x000000b4 | |
| Run screenshot |
|---|
 |
HOME
