VirSCAN


File information
Safety rating: 50
Behavior list
Basic information
MD5: ef3826744cb131fbcf873bb8735b6844
File type: EXE
Vendor: kienxhfzpttvokoek
Version: 57.22.93.28---57.22.93.28
Packer or compiler information: COMPILER:Microsoft Visual C# / Basic .NET [Overlay]
Main behaviors
Behavior: Cross-process memory write
Details: TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Temp\cmd.exe, WriteAddress = 0x00400000, Size = 0x00000400 TargetPID = 0x00000c54
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Temp\cmd.exe, WriteAddress = 0x00483000, Size = 0x00015800 TargetPID = 0x00000c54
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Temp\cmd.exe, WriteAddress = 0x00499000, Size = 0x0001b400 TargetPID = 0x00000c54
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Temp\cmd.exe, WriteAddress = 0x004bc000, Size = 0x00000400 TargetPID = 0x00000c54
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Temp\cmd.exe, WriteAddress = 0x004bd000, Size = 0x00004e00 TargetPID = 0x00000c54
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Temp\cmd.exe, WriteAddress = 0x7ffdb008, Size = 0x00000004 TargetPID = 0x00000c54
Behavior: Cross-process write into a code section
Details: TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Temp\cmd.exe, WriteAddress = 0x00401000, Size = 0x00081200 TargetPID = 0x00000c54
Behavior: Reads the CPU clock directly
Details: EAX = 0x5b65a6b7, EDX = 0x000000b6
EAX = 0x5b65a703, EDX = 0x000000b6
EAX = 0x5b65a74f, EDX = 0x000000b6
EAX = 0x5b65a79b, EDX = 0x000000b6
EAX = 0x9fe3b349, EDX = 0x000000b6
EAX = 0x9fe3b395, EDX = 0x000000b6
EAX = 0xa296b311, EDX = 0x000000b6
EAX = 0xa296b35d, EDX = 0x000000b6
EAX = 0xf6f05a45, EDX = 0x000000b6
EAX = 0xf6f05a91, EDX = 0x000000b6
Behavior: Sets thread context
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
Process behavior
Behavior: Cross-process memory write
Details: TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Temp\cmd.exe, WriteAddress = 0x00400000, Size = 0x00000400 TargetPID = 0x00000c54
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Temp\cmd.exe, WriteAddress = 0x00483000, Size = 0x00015800 TargetPID = 0x00000c54
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Temp\cmd.exe, WriteAddress = 0x00499000, Size = 0x0001b400 TargetPID = 0x00000c54
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Temp\cmd.exe, WriteAddress = 0x004bc000, Size = 0x00000400 TargetPID = 0x00000c54
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Temp\cmd.exe, WriteAddress = 0x004bd000, Size = 0x00004e00 TargetPID = 0x00000c54
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Temp\cmd.exe, WriteAddress = 0x7ffdb008, Size = 0x00000004 TargetPID = 0x00000c54
Behavior: Creates local thread
Details: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2652, ThreadID = 2664, StartAddress = 792A741C, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2652, ThreadID = 2668, StartAddress = 791F59C0, Parameter = 001B0170
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2652, ThreadID = 3180, StartAddress = 4AEA7456, Parameter = 00000000
Behavior: Sets thread context
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
Behavior: Enumerates processes
Details: N/A
Behavior: Cross-process write into a code section
Details: TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Temp\cmd.exe, WriteAddress = 0x00401000, Size = 0x00081200 TargetPID = 0x00000c54
Behavior: Creates a process from a newly written file
Details: [0x00000c54]ImagePath = C:\Documents and Settings\Administrator\Local Settings\Temp\cmd.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\Temp\cmd.exe"
File behavior
Behavior: Creates file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\cmd.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\mYY
Behavior: Creates executable file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\cmd.exe
Behavior: Modifies file contents
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\cmd.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\cmd.exe ---> Offset = 4096
C:\Documents and Settings\Administrator\Local Settings\Temp\cmd.exe ---> Offset = 8192
C:\Documents and Settings\Administrator\Local Settings\Temp\cmd.exe ---> Offset = 12288
C:\Documents and Settings\Administrator\Local Settings\Temp\mYY ---> Offset = 0
Behavior: Searches for files
Details: FileName = C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
FileName = C:\WINDOWS\Microsoft.NET\Framework\\*
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.INI
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\996E.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.INI
Behavior: Copies file
Details: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe ---> C:\Documents and Settings\Administrator\Local Settings\Temp\cmd.exe
Other behavior
Behavior: Checks whether it is being debugged
Details: IsDebuggerPresent
Behavior: Creates mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Behavior: Creates event object
Details: EventName = Global\CPFATE_2652_v4.0.30319
Behavior: Opens mutex
Details: ShimCacheMutex
Behavior: Finds a specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behavior: Encrypts data
Details: [CryptEncrypt] Data: 0x001BD1F8, PlainTextLen: 16, CipherTextLen: 16, Flags: 0x00000000
[CryptEncrypt] Data: 0x001DA278, PlainTextLen: 16, CipherTextLen: 16, Flags: 0x00000000
Behavior: Window information
Details: Pid = 2652, Hwnd=0x10344, Text = WindowsApplication5, ClassName = WindowsForms10.Window.8.app.0.2bf8098_r19_ad1.
Behavior: Adjusts process token privileges
Details: SE_DEBUG_PRIVILEGE
SE_INC_BASE_PRIORITY_PRIVILEGE
Behavior: Opens event
Details: Global\CLR_PerfMon_StartEnumEvent
\KernelObjects\LowMemoryCondition
HookSwitchHookEnabledEvent
Behavior: Executable signature information
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\cmd.exe (signature verification: passed)
Behavior: Executable MD5
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\cmd.exe ---> 88e05f3b2031980a48d458eb78c67659
Behavior: Reads the CPU clock directly
Details: EAX = 0x5b65a6b7, EDX = 0x000000b6
EAX = 0x5b65a703, EDX = 0x000000b6
EAX = 0x5b65a74f, EDX = 0x000000b6
EAX = 0x5b65a79b, EDX = 0x000000b6
EAX = 0x9fe3b349, EDX = 0x000000b6
EAX = 0x9fe3b395, EDX = 0x000000b6
EAX = 0xa296b311, EDX = 0x000000b6
EAX = 0xa296b35d, EDX = 0x000000b6
EAX = 0xf6f05a45, EDX = 0x000000b6
EAX = 0xf6f05a91, EDX = 0x000000b6
Behavior: Decrypts data
Details: [CryptDecrypt] Data: 0x001D6978, CipherTextLen: 3680, PlainTextLen: 3680, Flags: 0x00000000
[CryptDecrypt] Data: 0x03410020, CipherTextLen: 750592, PlainTextLen: 750592, Flags: 0x00000000
[CryptDecrypt] Data: 0x001E5B88, CipherTextLen: 8, PlainTextLen: 8, Flags: 0x00000000
Behavior: Imports key
Details: [CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x0041E227, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x001C4284, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x001C58A4, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_DES (0x00006601), Data: 0x001CD650, DataLen: 20, Flags: 0x00000001
[CryptImportKey] Algorithm: CALG_DES (0x00006601), Data: 0x001DA490, DataLen: 20, Flags: 0x00000001