VirSCAN



File information
Security rating: 77
Behavior list
Basic information
MD5: a14d07e683d3e1987b10f5167040c14a
File type: EXE
Vendor: Microsoft Corporation
Version: 11.0.9600.16428---11.00.9600.16428 (winblue_gdr.131013-1700)
Packer or compiler information: COMPILER:FASM v1.5x *
Sub-file information: CDS.exe / 424bf196deaeb4ddcafb78e137fa560a / EXE
cdd.zip / 1d5698b4e2dd3435d103865e881aa2dd / zip
lua5.1.dll / c3256800dce47c14acc83ccca4c3e2ac / DLL
c.dat / 0001ba5ad634c66a4a73aa0c266514a8 / Unknown
CDS.cdd / 3e7ecaeb51c2812d13b07ec852d74aaf / zip
lua51.dll / 7fa818f532effd80cf7c1c54676e5a0d / DLL
ap1.dat / 93270c4fa492e4e4edee872a2b961dde / Unknown
ap2.dat / fc2a595f574b1ead82a6dcf06492c985 / Unknown
ap3.dat / 967fdfe0a01c083804673b4976ad6730 / zip
630_10.png / 340b294efc691d1b20c64175d565ebc7 / Unknown
fs.settings / 68934a3e9455fa72420237eb05902327 / Unknown
Key behavior
Behavior description: Get TickCount value
Details: TickCount = 284500, SleepMilliseconds = 60000.
TickCount = 284515, SleepMilliseconds = 60000.
TickCount = 284562, SleepMilliseconds = 60000.
TickCount = 284718, SleepMilliseconds = 60000.
TickCount = 284765, SleepMilliseconds = 60000.
TickCount = 284796, SleepMilliseconds = 60000.
Behavior description: Read CPU clock directly
Details: EAX = 0x8e596a86, EDX = 0x000000ba
EAX = 0x8e596ad2, EDX = 0x000000ba
EAX = 0x8e596b1e, EDX = 0x000000ba
EAX = 0x8e596b6a, EDX = 0x000000ba
EAX = 0x90e13af3, EDX = 0x000000ba
EAX = 0x90e13b3f, EDX = 0x000000ba
EAX = 0x7c699751, EDX = 0x000000bb
EAX = 0x7c69979d, EDX = 0x000000bb
Behavior description: Modify registry (startup entry)
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
Process behavior
Behavior description: Create process from newly created file
Details: [0x00000c04]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\CDS.exe, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\CDS.exe
[0x00000c48]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\crypted.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\crypted.exe"
Behavior description: Enumerate processes
Details: N/A
Behavior description: Create local thread
Details: TargetProcess: crypted.exe, InheritedFromPID = 3076, ProcessID = 3144, ThreadID = 3168, StartAddress = 792A741C, Parameter = 00000000
TargetProcess: crypted.exe, InheritedFromPID = 3076, ProcessID = 3144, ThreadID = 3172, StartAddress = 791F59C0, Parameter = 001AFEC8
TargetProcess: crypted.exe, InheritedFromPID = 3076, ProcessID = 3144, ThreadID = 3204, StartAddress = 791F59C0, Parameter = 001D6C78
TargetProcess: crypted.exe, InheritedFromPID = 3076, ProcessID = 3144, ThreadID = 3208, StartAddress = 77E56C7D, Parameter = 001E1500
TargetProcess: crypted.exe, InheritedFromPID = 3076, ProcessID = 3144, ThreadID = 3212, StartAddress = 769AE43B, Parameter = 001CE9A8
TargetProcess: crypted.exe, InheritedFromPID = 3076, ProcessID = 3144, ThreadID = 3216, StartAddress = 77DC845A, Parameter = 00000000
File behavior
Behavior description: Create file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\TMP4351$.TMP
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\CDS.cdd
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\CDS.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua5.1.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua51.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\630_10.png
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\ap1.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\ap2.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\ap3.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\fs.settings
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\c.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\cdd.zip
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\crypted.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Behavior description: Delete file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\TMP4351$.TMP
C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\cdd.zip
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\c.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\fs.settings
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\ap3.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\ap2.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\ap1.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\630_10.png
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua51.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua5.1.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\CDS.cdd
Behavior description: Create executable file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\CDS.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua5.1.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua51.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\crypted.exe
Behavior description: Modify file contents
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\CDS.cdd ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\CDS.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\CDS.exe ---> Offset = 18972
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\CDS.exe ---> Offset = 51740
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\CDS.exe ---> Offset = 84508
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\CDS.exe ---> Offset = 117276
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua5.1.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua5.1.dll ---> Offset = 13852
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua5.1.dll ---> Offset = 46620
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua5.1.dll ---> Offset = 79388
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua5.1.dll ---> Offset = 112156
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua51.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\630_10.png ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\630_10.png ---> Offset = 316
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\ap1.dat ---> Offset = 0
Behavior description: Search for file
Details: FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\CDS.exe
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\CDS.cdd
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\All Users
FileName = C:\Documents and Settings\All Users\桌面
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\My Documents
FileName = C:\Documents and Settings\All Users\Documents
FileName = C:\Documents and Settings\Administrator\桌面
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\crypted.exe
Network behavior
Behavior description: Establish connection to a specified socket
Details: URL: do****fo, IP: **.133.40.**:80, SOCKET = 0x000002d4
Behavior description: Send HTTP packet
Details: GET /WUDFhost.exe HTTP/1.1 Host: do****fo Connection: Keep-Alive
Behavior description: Get host address by name
Details: gethostbyname: do****fo
Registry behavior
Behavior description: Modify registry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\crypted.exe
Behavior description: Delete registry key value
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
Other behavior
Behavior description: Check whether the process is being debugged
Details: IsDebuggerPresent
Behavior description: Create mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
DirectSound DllMain mutex (0x00000C04)
DirectSound Administrator shared thread array (lock)
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
MSCTF.Shared.MUTEX.IOH
RasPbFile
MSCTF.Shared.MUTEX.IAM
Behavior description: Create event object
Details: EventName = Global\userenv: User Profile setup event
EventName = Global\crypt32LogoffEvent
EventName = DINPUTWINMM
EventName = Global\CPFATE_3144_v4.0.30319
EventName = MSCTF.SendReceive.Event.IAM.IC
EventName = MSCTF.SendReceiveConection.Event.IAM.IC
Behavior description: Open mutex
Details: ShimCacheMutex
Local\!IETld!Mutex
RasPbFile
Behavior description: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [MS_WINHELP,]
Behavior description: Window information
Details: Pid = 3076, Hwnd=0x10340, Text = CDSA, ClassName = Afx:00400000:3:00000000:00000006:000703AB.
Behavior description: Adjust process token privileges
Details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Open event
Details: HookSwitchHookEnabledEvent
Global\crypt32LogoffEvent
Global\SvcctrlStartEvent_A3752DX
_fCanRegisterWithShellService
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Global\CLR_PerfMon_StartEnumEvent
\KernelObjects\LowMemoryCondition
MSFT.VSA.COM.DISABLE.3144
MSFT.VSA.IEC.STATUS.6c736db0
Behavior description: Executable file signature information
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\CDS.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua5.1.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua51.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\crypted.exe (signature verification: failed)
Behavior description: Call Sleep function
Details: [1]: MilliSeconds = 60000.
Behavior description: Hide specified window
Details: [Window,Class] = [Debug,#32770]
[Window,Class] = [CDSA,Afx:00400000:3:00000000:00000006:000703AB]
Behavior description: Executable file MD5
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\CDS.exe ---> file too large!
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua5.1.dll ---> c3256800dce47c14acc83ccca4c3e2ac
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\lua51.dll ---> 7fa818f532effd80cf7c1c54676e5a0d
C:\Documents and Settings\Administrator\Local Settings\Temp\IXP000.TMP\crypted.exe ---> 47f47d769db8f10873828993f033e73c
Behavior description: Load newly dropped file
Details: Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\lua5.1.dll.