VirSCAN

1. You can submit files of up to 20 MB for scanning.
2. VirSCAN supports Rar/Zip archives, but with no more than 20 files.
3. VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.


File information
Safety score: 50
Basic information
MD5: c02ca9b98ec01e6aae9dffce06cf5f14
File type: EXE
Vendor: P R C
Version: 1.0.0.0---1.0.0.0
Packer/compiler info: COMPILER:UPolyX v0.5
Key behaviors
Behavior: reads the CPU clock directly
Details: EAX = 0xd5fb8c30, EDX = 0x000000b6
EAX = 0xd5fb8c7c, EDX = 0x000000b6
EAX = 0xe5d72802, EDX = 0x000000b6
EAX = 0xe5d7284e, EDX = 0x000000b6
EAX = 0xf04cc574, EDX = 0x000000b6
EAX = 0xfd7561ca, EDX = 0x000000b6
EAX = 0xfd756216, EDX = 0x000000b6
EAX = 0x44a66cf4, EDX = 0x000000b7
EAX = 0x44a66d40, EDX = 0x000000b7
EAX = 0x44a66d8c, EDX = 0x000000b7
Behavior: reads the TickCount value
Details: TickCount = 220615, SleepMilliseconds = 100.
TickCount = 280515, SleepMilliseconds = 60000.
TickCount = 280687, SleepMilliseconds = 60000.
TickCount = 280968, SleepMilliseconds = 60000.
TickCount = 280984, SleepMilliseconds = 60000.
TickCount = 281015, SleepMilliseconds = 60000.
TickCount = 281062, SleepMilliseconds = 60000.
TickCount = 281078, SleepMilliseconds = 60000.
TickCount = 281140, SleepMilliseconds = 60000.
TickCount = 281187, SleepMilliseconds = 60000.
TickCount = 281234, SleepMilliseconds = 60000.
Process behaviors
Behavior: creates a local thread
Details: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2660, StartAddress = 792A741C, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2664, StartAddress = 791F59C0, Parameter = 001B01D0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2792, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2796, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2800, StartAddress = 77E56C7D, Parameter = 001DCA38
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2804, StartAddress = 769AE43B, Parameter = 001C7B18
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2808, StartAddress = 791F59C0, Parameter = 001ECCA0
File behaviors
Behavior: overwrites an existing file
Details: C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
Behavior: searches for files
Details: FileName = C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
FileName = C:\WINDOWS\Microsoft.NET\Framework\\*
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.INI
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\996E.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.INI
Network behaviors
Behavior: establishes a connection to a specified socket
Details: URL: wo****om, IP: **.133.40.**:443, SOCKET = 0x00000318
Behavior: resolves a host address by name
Details: gethostbyname: wo****om
Other behaviors
Behavior: checks whether it is being debugged
Details: IsDebuggerPresent
Behavior: creates mutexes
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
RasPbFile
MSCTF.Shared.MUTEX.IOH
MSCTF.Shared.MUTEX.MFK
Behavior: creates event objects
Details: EventName = Global\CPFATE_2648_v4.0.30319
EventName = DINPUTWINMM
EventName = Global\crypt32LogoffEvent
EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceive.Event.MFK.IC
EventName = MSCTF.SendReceiveConection.Event.MFK.IC
Behavior: opens mutexes
Details: ShimCacheMutex
RasPbFile
Behavior: searches for a specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior: window information
Details: Pid = 2648, Hwnd=0x103b2, Text = Unhandled exception has occurred in your application. If you click Continue, the application will ignore this error and attempt to continue. If you click Quit, the application will close immediately. The request was aborted: Could not create SSL/TLS secure, ClassName = WindowsForms10.STATIC.app.0.2bf8098_r19_ad1.
Pid = 2648, Hwnd=0x103ba, Text = &Details, ClassName = WindowsForms10.BUTTON.app.0.2bf8098_r19_ad1.
Pid = 2648, Hwnd=0x103bc, Text = &Continue, ClassName = WindowsForms10.BUTTON.app.0.2bf8098_r19_ad1.
Pid = 2648, Hwnd=0x103be, Text = &Quit, ClassName = WindowsForms10.BUTTON.app.0.2bf8098_r19_ad1.
Pid = 2648, Hwnd=0x103c0, Text = See the end of this message for details on invoking just-in-time (JIT) debugging instead of this dialog box. ************** Exception Text ************** System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel. at S, ClassName = WindowsForms10.EDIT.app.0.2bf8098_r19_ad1.
Pid = 2648, Hwnd=0x103b4, Text = Microsoft .NET Framework, ClassName = WindowsForms10.Window.8.app.0.2bf8098_r19_ad1.
Pid = 2648, Hwnd=0x10352, Text = statusStrip1, ClassName = WindowsForms10.Window.8.app.0.2bf8098_r19_ad1.
Pid = 2648, Hwnd=0x10354, Text = menuStrip1, ClassName = WindowsForms10.Window.8.app.0.2bf8098_r19_ad1.
Pid = 2648, Hwnd=0x10364, Text = 0.000%, ClassName = WindowsForms10.STATIC.app.0.2bf8098_r19_ad1.
Pid = 2648, Hwnd=0x10366, Text = 涨跌家数:, ClassName = WindowsForms10.STATIC.app.0.2bf8098_r19_ad1.
Pid = 2648, Hwnd=0x10368, Text = 平:0012, ClassName = WindowsForms10.STATIC.app.0.2bf8098_r19_ad1.
Pid = 2648, Hwnd=0x1036a, Text = 换手封板率:, ClassName = WindowsForms10.STATIC.app.0.2bf8098_r19_ad1.
Pid = 2648, Hwnd=0x1036c, Text = 跌:000414, ClassName = WindowsForms10.STATIC.app.0.2bf8098_r19_ad1.
Pid = 2648, Hwnd=0x1036e, Text = 涨:002128, ClassName = WindowsForms10.STATIC.app.0.2bf8098_r19_ad1.
Pid = 2648, Hwnd=0x10376, Text = 扫一扫,关注微信公众号 zhaocaimore 有惊喜!!!, ClassName = WindowsForms10.STATIC.app.0.2bf8098_r19_ad1.
Behavior: reads the cursor position
Details: CursorPos = (80,18468), SleepMilliseconds = 60000.
CursorPos = (6373,26501), SleepMilliseconds = 60000.
CursorPos = (19208,15725), SleepMilliseconds = 60000.
CursorPos = (11517,29359), SleepMilliseconds = 60000.
CursorPos = (27001,24465), SleepMilliseconds = 60000.
CursorPos = (5744,28146), SleepMilliseconds = 60000.
CursorPos = (23320,16828), SleepMilliseconds = 60000.
CursorPos = (10000,492), SleepMilliseconds = 60000.
CursorPos = (3034,11943), SleepMilliseconds = 60000.
Behavior: opens events
Details: Global\CLR_PerfMon_StartEnumEvent
\KernelObjects\LowMemoryCondition
HookSwitchHookEnabledEvent
MSFT.VSA.COM.DISABLE.2648
MSFT.VSA.IEC.STATUS.6c736db0
Global\SvcctrlStartEvent_A3752DX
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\crypt32LogoffEvent
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Behavior: calls the Sleep function
Details: [1]: MilliSeconds = 100.
[2]: MilliSeconds = 60000.
Behavior: hides a specified window
Details: [Window,Class] = [Microsoft .NET Framework,WindowsForms10.Window.8.app.0.2bf8098_r19_ad1]