VirSCAN

1. You can upload any file, but the file size may not exceed 20 MB.
2. We support automatic decompression of RAR or ZIP archives, but an archive may not contain more than 20 files.
3. We can recognise and scan archives whose password is 'infected' or 'virus'.


File information
Security score: 75
Behavior list
Basic information
MD5: 1a3d6c1c2d598150e8d3c056a4bf7651
File type: EXE
Vendor: 深圳市迪元素科技有限公司
Version: 2.1.4.4---2.1.4.4
Packer/compiler: PACKER:RPolyCryptor V1.4.2 -> Vaska [Overlay] *
Key behaviors
Behavior: Set special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior: Get TickCount value
Details: TickCount = 282750, SleepMilliseconds = 60000.
TickCount = 282765, SleepMilliseconds = 60000.
TickCount = 282843, SleepMilliseconds = 60000.
TickCount = 282890, SleepMilliseconds = 60000.
TickCount = 282937, SleepMilliseconds = 60000.
TickCount = 283031, SleepMilliseconds = 60000.
TickCount = 283109, SleepMilliseconds = 60000.
TickCount = 223110, SleepMilliseconds = 1.
TickCount = 223157, SleepMilliseconds = 1.
TickCount = 223219, SleepMilliseconds = 1.
Process behaviors
Behavior: Create local thread
Details: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2720, ThreadID = 2760, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2720, ThreadID = 2880, StartAddress = 77E56C7D, Parameter = 001D2BE0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2720, ThreadID = 2884, StartAddress = 769AE43B, Parameter = 001D54C8
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2720, ThreadID = 2888, StartAddress = 0040978C, Parameter = 014418D0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2720, ThreadID = 2892, StartAddress = 0040978C, Parameter = 014417C0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2720, ThreadID = 2896, StartAddress = 0040978C, Parameter = 014417C0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2720, ThreadID = 2900, StartAddress = 0040978C, Parameter = 014418D0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2720, ThreadID = 2904, StartAddress = 0040978C, Parameter = 014417C0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2720, ThreadID = 2908, StartAddress = 0040978C, Parameter = 014418D0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2720, ThreadID = 2912, StartAddress = 0040978C, Parameter = 01441750
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2720, ThreadID = 2916, StartAddress = 0040978C, Parameter = 014418D0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2720, ThreadID = 2920, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2720, ThreadID = 2924, StartAddress = 7C930230, Parameter = 00000000
File behaviors
Behavior: Create file
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\d_safe_up_info[1].txt
Behavior: Set special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior: Delete file
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\d_safe_up_info[1].txt
Behavior: Search for file
Details: FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\996E.zh-CN
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\996E.zh-Hans
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\996E.zh
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\996E.CHS
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\996E.CH
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS\system32\Ras\*.pbk
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Network behaviors
Behavior: Open URL over the network
Details: InternetOpenUrlA: http://up****et/d_safe_up/d_safe_up_info.txt?soft_ver=v2.1.4.4&ws_lib_ver=18, hInternet = 0x00cc0004, Flags = 0x80000000
Behavior: Connect to specified site
Details: InternetConnectA: ServerName = up****et, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x80000000
Behavior: Open HTTP connection
Details: InternetOpenA: UserAgent: Internet Explorer 6.0, hSession = 0x00cc0004
Behavior: Establish socket connection to specified host
Details: URL: up****et, IP: **.133.40.**:80, SOCKET = 0x000003e4
URL: up****et, IP: **.133.40.**:80, SOCKET = 0x000003e8
Behavior: Read network file
Details: hFile = 0x00cc000c, BytesToRead =19, BytesRead = 19.
Behavior: Send HTTP packet
Details: GET /d_safe_up/d_safe_up_info.txt?soft_ver=v2.1.4.4&ws_lib_ver=18 HTTP/1.1
User-Agent: Internet Explorer 6.0
Host: up****et
Cache-Control: no-cache
Behavior: Open HTTP request
Details: HttpOpenRequestA: up****et:80/d_safe_up/d_safe_up_info.txt?soft_ver=v2.1.4.4&ws_lib_ver=18, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x80000000
Behavior: Resolve host address by name
Details: gethostbyname: computer
GetAddrInfoW: up****et
Registry behaviors
Behavior: Modify registry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Behavior: Delete registry value
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Other behaviors
Behavior: Create mutex
Details: oleacc-msaa-loaded
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
D_SAFE
MSCTF.Shared.MUTEX.IOH
RasPbFile
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
MSCTF.Shared.MUTEX.EKK
Behavior: Create event object
Details: EventName = DINPUTWINMM
EventName = Global\d_a_m_sock_5C42D5D1B6249DEBFC30FCDD_c_state_event
EventName = Global\d_s_set_up_event_1
EventName = Global\d_web_set__up_event_1
EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceive.Event.EKK.IC
EventName = MSCTF.SendReceiveConection.Event.EKK.IC
Behavior: Window information
Details: Pid = 2720, Hwnd=0x10478, Text = ToolBar_Main, ClassName = TToolBar.
Pid = 2720, Hwnd=0x1034a, Text = 主页, ClassName = TTabSheet.
Pid = 2720, Hwnd=0x104f0, Text = 扫描全部网站, ClassName = TButton.
Pid = 2720, Hwnd=0x104e0, Text = :::: 公告 ::::, ClassName = TPanel.
Pid = 2720, Hwnd=0x3034e, Text = 查杀 , ClassName = TTabSheet.
Pid = 2720, Hwnd=0x104d8, Text = ToolBar4, ClassName = TToolBar.
Pid = 2720, Hwnd=0x30350, Text = 后门查杀, ClassName = TTabSheet.
Pid = 2720, Hwnd=0x104d4, Text = 启用[白名单], ClassName = TCheckBox.
Pid = 2720, Hwnd=0x104d2, Text = 开始扫描, ClassName = TButton.
Pid = 2720, Hwnd=0x104d0, Text = 选择目录..., ClassName = TButton.
Pid = 2720, Hwnd=0x104ce, Text = 显示Zend加密, ClassName = TCheckBox.
Pid = 2720, Hwnd=0x104cc, Text = 不显示1级脚本, ClassName = TCheckBox.
Pid = 2720, Hwnd=0x104ca, Text = 列出隐藏脚本, ClassName = TCheckBox.
Pid = 2720, Hwnd=0x1035c, Text = [全部站点], ClassName = TComboBox.
Pid = 2720, Hwnd=0x10360, Text = [全部站点], ClassName = Edit.
Behavior: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [msctls_updown32,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior: Enumerate windows
Details: N/A
Behavior: Get TickCount value
Details: TickCount = 282750, SleepMilliseconds = 60000.
TickCount = 282765, SleepMilliseconds = 60000.
TickCount = 282843, SleepMilliseconds = 60000.
TickCount = 282890, SleepMilliseconds = 60000.
TickCount = 282937, SleepMilliseconds = 60000.
TickCount = 283031, SleepMilliseconds = 60000.
TickCount = 283109, SleepMilliseconds = 60000.
TickCount = 223110, SleepMilliseconds = 1.
TickCount = 223157, SleepMilliseconds = 1.
TickCount = 223219, SleepMilliseconds = 1.
Behavior: Get cursor position
Details: CursorPos = (80,18468), SleepMilliseconds = 2.
CursorPos = (6373,26501), SleepMilliseconds = 2.
CursorPos = (19208,15725), SleepMilliseconds = 2.
CursorPos = (11517,29359), SleepMilliseconds = 2.
CursorPos = (27001,24465), SleepMilliseconds = 2.
CursorPos = (5744,28146), SleepMilliseconds = 2.
CursorPos = (23320,16828), SleepMilliseconds = 2.
CursorPos = (10000,492), SleepMilliseconds = 2.
CursorPos = (3034,11943), SleepMilliseconds = 2.
CursorPos = (4866,5437), SleepMilliseconds = 2.
CursorPos = (32430,14605), SleepMilliseconds = 2.
CursorPos = (3941,154), SleepMilliseconds = 2.
CursorPos = (331,12383), SleepMilliseconds = 2.
CursorPos = (17460,18717), SleepMilliseconds = 2.
CursorPos = (19757,19896), SleepMilliseconds = 2.
Behavior: Open event
Details: HookSwitchHookEnabledEvent
MSFT.VSA.COM.DISABLE.2720
MSFT.VSA.IEC.STATUS.6c736db0
Global\SvcctrlStartEvent_A3752DX
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
CTF.ThreadMIConnectionEvent.000007E8.00000000.0000000F
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.0000000F
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
\INSTALLATION_SECURITY_HOLD
Behavior: Call Sleep function
Details: [1]: MilliSeconds = 60000.
[2]: MilliSeconds = 1.
[3]: MilliSeconds = 2.
[4]: MilliSeconds = 1000.
[5]: MilliSeconds = 1000.
[6]: MilliSeconds = 10.
[7]: MilliSeconds = 100.
[8]: MilliSeconds = 10.
[9]: MilliSeconds = 50.
[10]: MilliSeconds = 0.
Behavior: Hide specified window
Details: [Window,Class] = [,ComboLBox]
[Window,Class] = [,TScrollingStyleHook.TScrollWindow]
[Window,Class] = [D盾 v2.1.4.4 [测试版],TMain_Form]
Behavior: Open mutex
Details: ShimCacheMutex
Global\d_a_m_sock_5C42D5D1B6249DEBFC30FCDD_s_New_data_mutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
Local\!IETld!Mutex
Runtime screenshot
Computer Network and Information Security Technology Research Center