File information
Security score: 78
Basic information
MD5: eb9e3765a559c32b5791b6b81f6d67c0
File type: EXE
Publisher: TODO: <公司名>
Version: 1.0.0.1---1.0.0.1
Packer/compiler info: COMPILER:UPolyX v0.5
Key behaviors
Behavior: Cross-process memory write
Details: TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000c08
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000c08
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x7ffd7238, Size = 0x00000004 TargetPID = 0x00000c08
TargetProcess = C:\Windows\System32\reg.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000c04
TargetProcess = C:\Windows\System32\reg.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000c04
TargetProcess = C:\Windows\System32\reg.exe, WriteAddress = 0x7ffdf238, Size = 0x00000004 TargetPID = 0x00000c04
Behavior: Set special file attributes
Details: C:\updata.exe
Behavior: Modify registry (autostart entry)
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\updata
Process behaviors
Behavior: Create process
Details: [0x00000c08]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = C:\Windows\system32\cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v updata /t REG_SZ /d C:\updata.exe /f
[0x00000c04]ImagePath = C:\Windows\System32\reg.exe, CmdLine = reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v updata /t REG_SZ /d C:\updata.exe /f
Behavior: Cross-process memory write
Details: TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000c08
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000c08
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x7ffd7238, Size = 0x00000004 TargetPID = 0x00000c08
TargetProcess = C:\Windows\System32\reg.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000c04
TargetProcess = C:\Windows\System32\reg.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000c04
TargetProcess = C:\Windows\System32\reg.exe, WriteAddress = 0x7ffdf238, Size = 0x00000004 TargetPID = 0x00000c04
File behaviors
Behavior: Rename file
Details: C:\Users\Administrator\AppData\Local\%temp%\b70c.exe ---> C:\updata.exe
Behavior: Set special file attributes
Details: C:\updata.exe
Behavior: Search for file
Details: FileName = C:\Users
FileName = C:\Users\Administrator
FileName = C:\Users\Administrator\AppData
FileName = C:\Users\Administrator\AppData\Local
FileName = C:\Users\Administrator\AppData\Local\Temp
FileName = C:\Users\Administrator\AppData\Local\%temp%
FileName = C:\Users\Administrator\AppData\Local\%temp%\reg.*
FileName = C:\Users\Administrator\AppData\Local\%temp%\reg
FileName = C:\Python\Python27\reg.*
FileName = C:\Python\Python27\reg
FileName = C:\Python\Python27\Scripts\reg.*
FileName = C:\Python\Python27\Scripts\reg
FileName = C:\Python\Python36\Scripts\reg.*
FileName = C:\Python\Python36\Scripts\reg
FileName = C:\Python\Python36\reg.*
Network behaviors
Behavior: Establish a socket connection to a specified address
Details: URL: ?檾儦!PF鶭哪墶?碝Dh ge=!, IP: **.133.40.**:0, SOCKET = 0x000000e4
Behavior: Resolve host address by name
Details: gethostbyname: ?檾儦!PF鶭哪墶?碝Dh ge=!
Registry behaviors
Behavior: Modify registry (autostart entry)
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\updata
Other behaviors
Behavior: Call Sleep function
Details: [1]: MilliSeconds = 0.
[2]: MilliSeconds = 0.
[3]: MilliSeconds = 0.
[4]: MilliSeconds = 0.
[5]: MilliSeconds = 0.
[6]: MilliSeconds = 0.
[7]: MilliSeconds = 0.
[8]: MilliSeconds = 0.
[9]: MilliSeconds = 0.
[10]: MilliSeconds = 0.
Behavior: Create event object
Details: EventName = ConsoleEvent-0x00000A74
Behavior: Open event
Details: HookSwitchHookEnabledEvent
\KernelObjects\SystemErrorPortReady
Behavior: Hide specified window
Details: [Window,Class] = [C:\Windows\System32\%temp%\****.exe,ConsoleWindowClass]
Behavior: Check whether it is being debugged
Details: IsDebuggerPresent
Runtime screenshot