VirSCAN
File information
Security rating: 79
Behaviour list
Basic information
MD5: 371077c3034409a40d45a45140b4994b
File type: EXE
Vendor:
Version: 1.3.0.0---1.3.0.0
Packer or compiler information: COMPILER:PE+(64)
Key behaviour
Behaviour description: Get TickCount value
Details: TickCount = 1702703, SleepMilliseconds = 5000.
TickCount = 1702781, SleepMilliseconds = 5000.
TickCount = 1703109, SleepMilliseconds = 5000.
TickCount = 1703421, SleepMilliseconds = 5000.
TickCount = 1703734, SleepMilliseconds = 5000.
TickCount = 1704046, SleepMilliseconds = 5000.
TickCount = 1704359, SleepMilliseconds = 5000.
TickCount = 1704671, SleepMilliseconds = 5000.
TickCount = 1705000, SleepMilliseconds = 5000.
TickCount = 1705328, SleepMilliseconds = 5000.
TickCount = 1705640, SleepMilliseconds = 5000.
TickCount = 1705953, SleepMilliseconds = 5000.
TickCount = 1706000, SleepMilliseconds = 5000.
TickCount = 1701437, SleepMilliseconds = 172.
TickCount = 1706578, SleepMilliseconds = 5000.
Process behaviour
Behaviour description: Create local thread
Details: ProcessId = 2268, ThreadId = 3384.
ProcessId = 2268, ThreadId = 3944.
ProcessId = 2268, ThreadId = 3380.
ProcessId = 2268, ThreadId = 2936.
ProcessId = 2268, ThreadId = 1532.
ProcessId = 2268, ThreadId = 2536.
ProcessId = 2268, ThreadId = 3284.
ProcessId = 2268, ThreadId = 3084.
ProcessId = 2268, ThreadId = 324.
ProcessId = 2268, ThreadId = 3724.
File behaviour
Behaviour description: Search for file
Details: FileName = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
FileName = C:\Windows\Microsoft.NET\Framework64\\*
FileName = C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\*
FileName = C:\Users
FileName = C:\Users\Administrator\AppData
FileName = C:\Users\Administrator\AppData\Local
FileName = C:\Users\Administrator\AppData\Local\Temp
FileName = C:\Users\Administrator\AppData\Local\%temp%
FileName = C:\Users\Administrator\AppData\Local\%temp%\****.exe
FileName = C:\Users\Administrator
FileName = C:\Windows\assembly\NativeImages_v4.0.30319_64\Client.all\*
FileName = C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\*
FileName = C:\Windows\assembly\NativeImages_v4.0.30319_64\System\*
FileName = C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\*
FileName = C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\*
Network behaviour
Behaviour description: Establish a connection to a specified socket
Details: URL: ip****om, IP: **.133.40.**:80, SOCKET = 0x00000538
URL: fr****et, IP: **.133.40.**:80, SOCKET = 0x00000510
URL: ap****rg, IP: **.133.40.**:80, SOCKET = 0x00000510
IP: **.0.0.**:4782, SOCKET = 0x000005a0
IP: **.0.0.**:4782, SOCKET = 0x0000061c
IP: **.0.0.**:4782, SOCKET = 0x00000338
IP: **.0.0.**:4782, SOCKET = 0x000005b4
Behaviour description: Send HTTP packet
Details: GET /json/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 Host: ip****om Connection: Keep-Alive
GET /xml/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 Host: fr****et Connection: Keep-Alive
GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 Host: ap****rg Connection: Keep-Alive
Behaviour description: Get host address by name
Details: GetAddrInfoW: ip****om
GetAddrInfoW: fr****et
GetAddrInfoW: ap****rg
Registry behaviour
Behaviour description: Modify registry
Details: \REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500_CLASSES\Local Settings\MuiCache\da\AAF68885\@%SystemRoot%\System32\fveui.dll,-843
\REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500_CLASSES\Local Settings\MuiCache\da\AAF68885\@%SystemRoot%\System32\fveui.dll,-844
\REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500_CLASSES\Local Settings\MuiCache\da\AAF68885\@%SystemRoot%\System32\wuaueng.dll,-400
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\996E_RASAPI32\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\996E_RASAPI32\EnableAutoFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\996E_RASAPI32\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\996E_RASAPI32\FileTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\996E_RASAPI32\ConsoleTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\996E_RASAPI32\MaxFileSize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\996E_RASAPI32\FileDirectory
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\996E_RASMANCS\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\996E_RASMANCS\EnableAutoFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\996E_RASMANCS\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\996E_RASMANCS\FileTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\996E_RASMANCS\ConsoleTracingMask
Other behaviour
Behaviour description: Check whether it is being debugged
Details: IsDebuggerPresent
Behaviour description: Create mutex
Details: QSR_MUTEX_V4f78SJObm47XTb3Sg
Global\RasPbFile
Behaviour description: Create event object
Details: EventName = Global\CPFATE_2268_v4.0.30319
Behaviour description: Adjust process token privileges
Details: SE_DEBUG_PRIVILEGE
Behaviour description: Open event
Details: Global\CLR_PerfMon_StartEnumEvent
\KernelObjects\LowMemoryCondition
\KernelObjects\MaximumCommitCondition
MSFT.VSA.COM.DISABLE.2268
MSFT.VSA.IEC.STATUS.6c736db0
Global\SvcctrlStartEvent_A3752DX
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Behaviour description: Call Sleep function
Details: [1]: MilliSeconds = 5000.
[2]: MilliSeconds = 5000.
[3]: MilliSeconds = 5000.
[4]: MilliSeconds = 5000.
[5]: MilliSeconds = 5000.
[6]: MilliSeconds = 5000.
[7]: MilliSeconds = 5000.
[8]: MilliSeconds = 5000.
[9]: MilliSeconds = 5000.
[10]: MilliSeconds = 5000.
Behaviour description: Decrypt data
Details: [CryptDecrypt] Data: 0x000000000266D710, CipherTextLen: 16, PlainTextLen: 16, Flags: 0x00000000
[CryptDecrypt] Data: 0x000000000266D850, CipherTextLen: 0, PlainTextLen: 0, Flags: 0x00000000
[CryptDecrypt] Data: 0x000000000266F340, CipherTextLen: 16, PlainTextLen: 16, Flags: 0x00000000
[CryptDecrypt] Data: 0x000000000266F388, CipherTextLen: 0, PlainTextLen: 0, Flags: 0x00000000
[CryptDecrypt] Data: 0x000000000266FFE8, CipherTextLen: 16, PlainTextLen: 16, Flags: 0x00000000
[CryptDecrypt] Data: 0x0000000002670038, CipherTextLen: 0, PlainTextLen: 0, Flags: 0x00000000
[CryptDecrypt] Data: 0x0000000002670CB0, CipherTextLen: 16, PlainTextLen: 16, Flags: 0x00000000
[CryptDecrypt] Data: 0x0000000002670CF8, CipherTextLen: 0, PlainTextLen: 0, Flags: 0x00000000
[CryptDecrypt] Data: 0x0000000002671958, CipherTextLen: 16, PlainTextLen: 16, Flags: 0x00000000
[CryptDecrypt] Data: 0x00000000026719A8, CipherTextLen: 0, PlainTextLen: 0, Flags: 0x00000000
[CryptDecrypt] Data: 0x0000000002672630, CipherTextLen: 16, PlainTextLen: 16, Flags: 0x00000000
[CryptDecrypt] Data: 0x0000000002672690, CipherTextLen: 16, PlainTextLen: 16, Flags: 0x00000000
[CryptDecrypt] Data: 0x00000000026726E0, CipherTextLen: 0, PlainTextLen: 0, Flags: 0x00000000
[CryptDecrypt] Data: 0x00000000026733A0, CipherTextLen: 16, PlainTextLen: 16, Flags: 0x00000000
[CryptDecrypt] Data: 0x0000000002673400, CipherTextLen: 16, PlainTextLen: 16, Flags: 0x00000000
Behaviour description: Import key
Details: [CryptImportKey] Algorithm: CALG_AES_256 (0x00006610), Data: 0x000000000266C928, DataLen: 44, Flags: 0x00000001
[CryptImportKey] Algorithm: CALG_AES_256 (0x00006610), Data: 0x000000000266E8E8, DataLen: 44, Flags: 0x00000001
[CryptImportKey] Algorithm: CALG_AES_256 (0x00006610), Data: 0x000000000266F590, DataLen: 44, Flags: 0x00000001
[CryptImportKey] Algorithm: CALG_AES_256 (0x00006610), Data: 0x0000000002670258, DataLen: 44, Flags: 0x00000001
[CryptImportKey] Algorithm: CALG_AES_256 (0x00006610), Data: 0x0000000002670F00, DataLen: 44, Flags: 0x00000001
[CryptImportKey] Algorithm: CALG_AES_256 (0x00006610), Data: 0x0000000002671BD0, DataLen: 44, Flags: 0x00000001
[CryptImportKey] Algorithm: CALG_AES_256 (0x00006610), Data: 0x0000000002672940, DataLen: 44, Flags: 0x00000001
[CryptImportKey] Algorithm: CALG_AES_256 (0x00006610), Data: 0x0000000002673680, DataLen: 44, Flags: 0x00000001
[CryptImportKey] Algorithm: CALG_AES_256 (0x00006610), Data: 0x00000000026745C8, DataLen: 44, Flags: 0x00000001
[CryptImportKey] Algorithm: CALG_AES_256 (0x00006610), Data: 0x0000000002676E78, DataLen: 44, Flags: 0x00000001
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x00000000004E4290, DataLen: 532, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x000000001B1FD58B, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x000000001ACE801C, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x000000001ACE7D5C, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x000000001ACE80CC, DataLen: 148, Flags: 0x00000000