VirSCAN

File information
Security score: 77
Behavior list
Basic information
MD5:c987609da6887a3edebb056c17c7997d
File type: EXE
Publisher:
Version: 2.6.3.0---2.6.3.0
Packer or compiler info: COMPILER:Microsoft Visual C# / Basic .NET
Key behaviors
Behavior: Get TickCount value
Details: TickCount = 222975, SleepMilliseconds = 100.
TickCount = 282906, SleepMilliseconds = 60000.
TickCount = 282937, SleepMilliseconds = 60000.
TickCount = 282968, SleepMilliseconds = 60000.
TickCount = 283125, SleepMilliseconds = 60000.
TickCount = 283140, SleepMilliseconds = 60000.
TickCount = 283203, SleepMilliseconds = 60000.
TickCount = 283250, SleepMilliseconds = 60000.
TickCount = 283265, SleepMilliseconds = 60000.
Process behavior
Behavior: Create local thread
Details: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2720, ThreadID = 2772, StartAddress = 792A741C, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2720, ThreadID = 2776, StartAddress = 791F59C0, Parameter = 001B0438
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2720, ThreadID = 2880, StartAddress = 77E56C7D, Parameter = 00200738
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2720, ThreadID = 2884, StartAddress = 769AE43B, Parameter = 00201550
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2720, ThreadID = 2888, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2720, ThreadID = 2892, StartAddress = 792F7F68, Parameter = 00000000
File behavior
Behavior: Create file
Details: C:\Documents and Settings\All Users\Application Data\Microsoft Toolkit\Settings.xml
C:\Documents and Settings\Administrator\Local Settings\%temp%\AutoKMS.log
Behavior: Add scheduled task
Details: C:\WINDOWS\Tasks\AutoKMS.job
Behavior: Delete file
Details: C:\Documents and Settings\All Users\Application Data\Microsoft Toolkit\Settings.xml
Behavior: Modify file contents
Details: C:\Documents and Settings\All Users\Application Data\Microsoft Toolkit\Settings.xml ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\AutoKMS.log ---> Offset = 0
C:\WINDOWS\Tasks\AutoKMS.job ---> Offset = 0
Behavior: Search for file
Details: FileName = C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
FileName = C:\WINDOWS\Microsoft.NET\Framework\\*
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.INI
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\996E.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.INI
Other behaviors
Behavior: Check whether it is being debugged
Details: IsDebuggerPresent
Behavior: Create mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Behavior: Create event object
Details: EventName = Global\CPFATE_2720_v4.0.30319
EventName = Global\userenv: User Profile setup event
Behavior: Sample console output
Details: N/A
Behavior: Encrypt data
Details: [CryptEncrypt] Data: 0x001DFDF8, PlainTextLen: 16, CipherTextLen: 16, Flags: 0x00000000
Behavior: Adjust process token privileges
Details: SE_DEBUG_PRIVILEGE
SE_INC_BASE_PRIORITY_PRIVILEGE
Behavior: Open event
Details: Global\CLR_PerfMon_StartEnumEvent
\KernelObjects\LowMemoryCondition
HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
MSFT.VSA.COM.DISABLE.2720
MSFT.VSA.IEC.STATUS.6c736db0
Behavior: Call Sleep function
Details: [1]: MilliSeconds = 100.
[2]: MilliSeconds = 60000.
[3]: MilliSeconds = 250.
[4]: MilliSeconds = 60000.
[5]: MilliSeconds = -1.
[6]: MilliSeconds = 20.
Behavior: Open mutex
Details: ShimCacheMutex
Local\!IETld!Mutex
Behavior: Decrypt data
Details: [CryptDecrypt] Data: 0x001D5008, CipherTextLen: 44384, PlainTextLen: 44384, Flags: 0x00000000
Behavior: Import key
Details: [CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x0046A764, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x001C4384, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_DES (0x00006601), Data: 0x001D4250, DataLen: 20, Flags: 0x00000001
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x001F6364, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x001FE504, DataLen: 148, Flags: 0x00000000