VirSCAN

1. You can upload any type of file, but the limit is 20 MB per file.
2. VirSCAN supports Rar/Zip decompression, but the archive must not contain more than 20 files.
3. VirSCAN can scan archives protected with the password 'infected' or 'virus'.


File information
Safety score: 50
Behavior list
Behavior analysis report: Threatbook file behavior analysis report
Basic information
MD5: b27cf34b59a0f10815dcb820f1e3e51a
File type: EXE
Vendor: 单位名称 (literally "organization name")
Version: 0.0.0.131---0.0.0.131
Shell or compiler information: COMPILER:Microsoft Visual C++ 6.0 DLL
Key behavior
Behavior description: Set special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Get window screenshot information
Details: Foreground window Info: HWND = 0x0001035a, DC = 0x01010055.
Foreground window Info: HWND = 0x0001035c, DC = 0x01010057.
Foreground window Info: HWND = 0x00010342, DC = 0x0c0101e7.
Foreground window Info: HWND = 0x0001034c, DC = 0x0c0101e7.
Foreground window Info: HWND = 0x0001034e, DC = 0x0c0101e7.
Foreground window Info: HWND = 0x00010350, DC = 0x0c0101e7.
Foreground window Info: HWND = 0x00010352, DC = 0x0a010375.
Foreground window Info: HWND = 0x00010354, DC = 0x0a010375.
Foreground window Info: HWND = 0x00010356, DC = 0x0a010375.
Foreground window Info: HWND = 0x00010358, DC = 0x0a010375.
Foreground window Info: HWND = 0x00010354, DC = 0x01010055.
Behavior description: Get TickCount value
Details: TickCount = 279921, SleepMilliseconds = 60000.
TickCount = 279953, SleepMilliseconds = 60000.
TickCount = 220084, SleepMilliseconds = 100.
TickCount = 220100, SleepMilliseconds = 100.
TickCount = 220146, SleepMilliseconds = 100.
TickCount = 220178, SleepMilliseconds = 100.
TickCount = 220193, SleepMilliseconds = 100.
TickCount = 220209, SleepMilliseconds = 100.
TickCount = 220240, SleepMilliseconds = 100.
TickCount = 220256, SleepMilliseconds = 100.
TickCount = 220271, SleepMilliseconds = 100.
TickCount = 220318, SleepMilliseconds = 100.
TickCount = 280265, SleepMilliseconds = 60000.
TickCount = 280281, SleepMilliseconds = 60000.
TickCount = 280296, SleepMilliseconds = 60000.
Process behavior
Behavior description: Create local thread
Details: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2452, ThreadID = 2468, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2452, ThreadID = 2472, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2452, ThreadID = 2568, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2452, ThreadID = 2572, StartAddress = 7C930230, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2452, ThreadID = 2660, StartAddress = 77E56C7D, Parameter = 001FEC10
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2452, ThreadID = 2664, StartAddress = 769AE43B, Parameter = 001FCAE8
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2452, ThreadID = 2668, StartAddress = 02AD507F, Parameter = 0012711C
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2452, ThreadID = 2672, StartAddress = 0046D670, Parameter = 00FD1748
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2452, ThreadID = 2676, StartAddress = 6359727B, Parameter = 0028D1C8
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2452, ThreadID = 2684, StartAddress = 6359727B, Parameter = 03C911A0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2452, ThreadID = 2688, StartAddress = 6359727B, Parameter = 03C91240
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2452, ThreadID = 2700, StartAddress = 7C949B6F, Parameter = 00000000
File behavior
Behavior description: Create file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\~DF85B0.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\wangbatiqian[1].html
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\navcancl[2]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\errorPageStrings[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\httpErrorPagesScripts[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\background_gradient[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\info_48[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\bullet[1]
Behavior description: Overwrite existing file
Details: C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\navcancl[2]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\errorPageStrings[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\httpErrorPagesScripts[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\background_gradient[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\info_48[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\bullet[1]
Behavior description: Search for file
Details: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Application Data
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS\system32\Ras\*.pbk
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\urlmon.dll
FileName = C:\WINDOWS\system32\ieframe.dll
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates\*
Behavior description: Delete file
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\wangbatiqian[1].html
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\navcancl[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\ErrorPageTemplate[2]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\errorPageStrings[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\httpErrorPagesScripts[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\background_gradient[3]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\info_48[2]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\bullet[2]
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF85B0.tmp
Behavior description: Set special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Modify file content
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\navcancl[2] ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[1] ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\errorPageStrings[1] ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\httpErrorPagesScripts[1] ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\background_gradient[1] ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\info_48[1] ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\bullet[1] ---> Offset = 0
Network behavior
Behavior description: Connect to specified site
Details: InternetConnectA: ServerName = dn****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
InternetConnectA: ServerName = gd****om, PORT = 9088, UserName = , Password = , hSession = 0x00cc0008, hConnect = 0x00cc0010, Flags = 0x00000000
InternetConnectA: ServerName = dn****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc000c, Flags = 0x00000000
Behavior description: Open HTTP connection
Details: InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489), hSession = 0x00cc0004
InternetOpenA: UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36, hSession = 0x00cc0008
Behavior description: Establish connection to a specified socket
Details: URL: dn****om, IP: **.133.40.**:80, SOCKET = 0x000003a4
URL: dn****om, IP: **.133.40.**:80, SOCKET = 0x000004c0
URL: gd****om, IP: **.133.40.**:9088, SOCKET = 0x000004f8
Behavior description: Read network file
Details: hFile = 0x00cc000c, BytesToRead =4096, BytesRead = 4096.
hFile = 0x00cc0018, BytesToRead =2048, BytesRead = 2048.
Behavior description: Send HTTP packet
Details:
GET /service/wangbatiqian.html?ADTAG=media.outerenter.yungengxin.icon_monitor HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489)
Host: dn****om
Connection: Keep-Alive
Behavior description: Open HTTP request
Details: HttpOpenRequestA: dn****om:80/service/wangbatiqian.html?adtag=media.outerenter.yungengxin.icon_monitor, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400200
HttpOpenRequestA: dn****om:80/service/wangbatiqian.html?adtag=media.outerenter.yungengxin.icon_monitor, hConnect = 0x00cc000c, hRequest = 0x00cc0018, Verb: GET, Referer: , Flags = 0x00400010
HttpOpenRequestA: gd****om:9088/lau, hConnect = 0x00cc0010, hRequest = 0x00cc0014, Verb: POST, Referer: , Flags = 0x00800000
Behavior description: Get host address by name
Details: GetAddrInfoW: dn****om
GetAddrInfoW: gd****om
Registry behavior
Behavior description: Modify registry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Behavior description: Delete registry key value
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Other behavior
Behavior description: Get cursor position
Details: CursorPos = (80,18468), SleepMilliseconds = 60000.
CursorPos = (6373,26501), SleepMilliseconds = 60000.
CursorPos = (19208,15725), SleepMilliseconds = 60000.
CursorPos = (11517,29359), SleepMilliseconds = 1000.
CursorPos = (27001,24465), SleepMilliseconds = 1000.
CursorPos = (5744,28146), SleepMilliseconds = 1000.
CursorPos = (23320,16828), SleepMilliseconds = 1000.
Behavior description: Create mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
RasPbFile
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
CritOpMutex
Local\!PrivacIE!SharedMemory!Mutex
MSIMGSIZECacheMutex
MSCTF.Shared.MUTEX.IOH
Behavior description: Create event object
Details: EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = Global\crypt32LogoffEvent
EventName = MSCTF.SendReceive.Event.MGK.IC
EventName = MSCTF.SendReceiveConection.Event.MGK.IC
EventName = MSCTF.SendReceive.Event.IJJ.IC
EventName = MSCTF.SendReceiveConection.Event.IJJ.IC
Behavior description: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [shell embedding,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Window information
Details: Pid = 2452, Hwnd=0x10380, Text = 下载完毕 (Download complete), ClassName = Static.
Pid = 2452, Hwnd=0x10382, Text = 获取文件信息: (Getting file information:), ClassName = Static.
Pid = 2452, Hwnd=0x10384, Text = update.exe (来自 dnf.qq.com) (update.exe (from dnf.qq.com)), ClassName = Static.
Pid = 2452, Hwnd=0x10388, Text = 文件大小未知 (File size unknown), ClassName = Static.
Pid = 2452, Hwnd=0x1038a, Text = 估计剩余时间: (Estimated time remaining:), ClassName = Static.
Pid = 2452, Hwnd=0x1038c, Text = 已下载: (Downloaded:), ClassName = Static.
Pid = 2452, Hwnd=0x1038e, Text = 下载到: (Download to:), ClassName = Static.
Pid = 2452, Hwnd=0x10390, Text = 传输速度: (Transfer rate:), ClassName = Static.
Pid = 2452, Hwnd=0x10398, Text = 下载完成后关闭此对话框(&C) (Close this dialog box when download completes(&C)), ClassName = Button(CheckBox).
Pid = 2452, Hwnd=0x1039a, Text = 打开(&O) (Open(&O)), ClassName = Button.
Pid = 2452, Hwnd=0x1039c, Text = 打开文件夹(&F) (Open folder(&F)), ClassName = Button.
Pid = 2452, Hwnd=0x1039e, Text = 取消 (Cancel), ClassName = Button.
Pid = 2452, Hwnd=0x1036c, Text = 已完成安装 0% - wangbatiqian.html (来自 dnf.qq.com) (Installation 0% complete - wangbatiqian.html (from dnf.qq.com)), ClassName = #32770.
Pid = 2452, Hwnd=0x10340, Text = 地下城与勇士启动器 (Dungeon & Fighter launcher), ClassName = AAU_FORM[TID:2456].
Pid = 2452, Hwnd=0x203c4, Text = 您想运行或保存此文件吗? (Do you want to run or save this file?), ClassName = Static.
Behavior description: Get TickCount value
Details: TickCount = 279921, SleepMilliseconds = 60000.
TickCount = 279953, SleepMilliseconds = 60000.
TickCount = 220084, SleepMilliseconds = 100.
TickCount = 220100, SleepMilliseconds = 100.
TickCount = 220146, SleepMilliseconds = 100.
TickCount = 220178, SleepMilliseconds = 100.
TickCount = 220193, SleepMilliseconds = 100.
TickCount = 220209, SleepMilliseconds = 100.
TickCount = 220240, SleepMilliseconds = 100.
TickCount = 220256, SleepMilliseconds = 100.
TickCount = 220271, SleepMilliseconds = 100.
TickCount = 220318, SleepMilliseconds = 100.
TickCount = 280265, SleepMilliseconds = 60000.
TickCount = 280281, SleepMilliseconds = 60000.
TickCount = 280296, SleepMilliseconds = 60000.
Behavior description: Adjust process token privileges
Details: SE_DEBUG_PRIVILEGE
SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Open event
Details: HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
\INSTALLATION_SECURITY_HOLD
MSFT.VSA.COM.DISABLE.2452
MSFT.VSA.IEC.STATUS.6c736db0
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Global\crypt32LogoffEvent
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000011
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000011
Behavior description: Get window screenshot information
Details: Foreground window Info: HWND = 0x0001035a, DC = 0x01010055.
Foreground window Info: HWND = 0x0001035c, DC = 0x01010057.
Foreground window Info: HWND = 0x00010342, DC = 0x0c0101e7.
Foreground window Info: HWND = 0x0001034c, DC = 0x0c0101e7.
Foreground window Info: HWND = 0x0001034e, DC = 0x0c0101e7.
Foreground window Info: HWND = 0x00010350, DC = 0x0c0101e7.
Foreground window Info: HWND = 0x00010352, DC = 0x0a010375.
Foreground window Info: HWND = 0x00010354, DC = 0x0a010375.
Foreground window Info: HWND = 0x00010356, DC = 0x0a010375.
Foreground window Info: HWND = 0x00010358, DC = 0x0a010375.
Foreground window Info: HWND = 0x00010354, DC = 0x01010055.
Behavior description: Call Sleep function
Details: [1]: MilliSeconds = 60000.
[2]: MilliSeconds = 100.
[3]: MilliSeconds = 60000.
[4]: MilliSeconds = 0.
[5]: MilliSeconds = 0.
[6]: MilliSeconds = 1000.
Behavior description: Hide specified window
Details: [Window,Class] = [,AAPicturePlus2]
[Window,Class] = [,SysLink]
[Window,Class] = [,Static]
[Window,Class] = [文件大小未知 (File size unknown),Static]
[Window,Class] = [打开此类文件前总是询问(&W) (Always ask before opening this type of file(&W)),Button]
[Window,Class] = [发行者: (Publisher:),Static]
[Window,Class] = [,Shell Embedding]
[Window,Class] = [,Internet Explorer_Server]
Behavior description: Open mutex
Details: ShimCacheMutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
Local\!IETld!Mutex
CtfmonInstMutexDefaultS-*
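Reading a behavior list like the one above by hand is slow, and much of it is noise: the window texts show an Internet Explorer download dialog for wangbatiqian.html from dnf.qq.com, and the Content.IE5 error-page templates, wininet mutexes and ZonesCounter mutexes are IE/wininet housekeeping rather than the sample's own logic. What a practitioner wants pulled out are the items that are visible in the report and worth triage: 60 s sleeps paired with GetTickCount and GetCursorPos reads, deletion of the user's ProxyServer, ProxyOverride and AutoConfigURL values, a POST to gd****om on port 9088 that uses a different User-Agent than the GET requests, and SE_DEBUG_PRIVILEGE/SE_LOAD_DRIVER_PRIVILEGE being adjusted. The following Python is an added example written for this page, not code from VirSCAN or Threatbook; it parses the report's "Behavior description:/Details:" layout into entries and applies a few triage rules. The sample text is constructed to mirror the report (masked values left masked), and the 60 s threshold, the 80/443 "normal port" set and the finding labels are the author's choices, not anything the report defines.

```python
"""Parse a Threatbook-style behavior list and flag entries worth triage.

Added example for this page; not part of the VirSCAN/Threatbook report.
The sample below is constructed to mirror the report's layout.
"""
import re
from collections import defaultdict

SECTION_HEADERS = {
    "Key behavior", "Process behavior", "File behavior",
    "Network behavior", "Registry behavior", "Other behavior",
}

# Constructed sample in the report's format (masked hosts kept masked).
SAMPLE_REPORT = r"""
Network behavior
Behavior description: Open HTTP request
Details: HttpOpenRequestA: dn****om:80/service/wangbatiqian.html, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400200
HttpOpenRequestA: gd****om:9088/lau, hConnect = 0x00cc0010, hRequest = 0x00cc0014, Verb: POST, Referer: , Flags = 0x00800000
Registry behavior
Behavior description: Delete registry key value
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Other behavior
Behavior description: Get cursor position
Details: CursorPos = (80,18468), SleepMilliseconds = 60000.
CursorPos = (6373,26501), SleepMilliseconds = 60000.
Behavior description: Adjust process token privileges
Details: SE_DEBUG_PRIVILEGE
SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Call Sleep function
Details: [1]: MilliSeconds = 60000.
[2]: MilliSeconds = 100.
"""

# Triage thresholds and labels: author's choices, not defined by the report.
LONG_SLEEP_MS = 60_000
WEB_PORTS = {80, 443}
PROXY_VALUES = ("ProxyServer", "ProxyOverride", "AutoConfigURL")
SENSITIVE_PRIVS = ("SE_DEBUG_PRIVILEGE", "SE_LOAD_DRIVER_PRIVILEGE")

_SLEEP_RE = re.compile(r"(?:Sleep)?MilliSeconds\s*=\s*(\d+)", re.I)
_REQ_RE = re.compile(r"HttpOpenRequestA:\s*(\S+?):(\d+)(/\S*)?.*Verb:\s*(\w+)")


def parse_report(text):
    """Return a list of {section, behavior, details} dicts.

    A section header line starts a new section; "Behavior description:"
    starts an entry; "Details:" and every following non-header line
    belong to the current entry.
    """
    entries, section, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section, current = line, None
        elif line.startswith("Behavior description:"):
            current = {"section": section,
                       "behavior": line.split(":", 1)[1].strip(),
                       "details": []}
            entries.append(current)
        elif current is not None:
            if line.startswith("Details:"):
                line = line.split(":", 1)[1].strip()
            current["details"].append(line)
    return entries


def triage(entries):
    """Map each finding label to the detail lines that triggered it."""
    findings = defaultdict(list)
    for entry in entries:
        for detail in entry["details"]:
            m = _SLEEP_RE.search(detail)
            if m and int(m.group(1)) >= LONG_SLEEP_MS:
                findings["long sleep (sandbox timeout evasion?)"].append(detail)
            if entry["behavior"] == "Get cursor position":
                findings["cursor polling (user-activity check?)"].append(detail)
            m = _REQ_RE.search(detail)
            if m and m.group(4).upper() == "POST" and int(m.group(2)) not in WEB_PORTS:
                findings["POST to non-standard port"].append(detail)
            if entry["behavior"] == "Delete registry key value" and detail.endswith(PROXY_VALUES):
                findings["proxy settings removed"].append(detail)
            if detail in SENSITIVE_PRIVS:
                findings["sensitive privilege enabled"].append(detail)
    return dict(findings)


if __name__ == "__main__":
    for label, lines in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{label}: {len(lines)}")
        for line in lines:
            print("   ", line)
```

To run it over the full report, paste the translated behavior list (from "Key behavior" down to the last mutex) into `SAMPLE_REPORT` or read it from a file; the parser only relies on the section headers and the two label prefixes. Note that the "Key behavior" section repeats entries that also appear in their category sections, so counts from a full run include those duplicates unless you drop that section first.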