VirSCAN

1. You can upload any file, but there is a limit of 20 MB per file.
2. VirSCAN supports Rar / Zip decompression, but the archive must contain fewer than 20 files.
3. VirSCAN will scan compressed files that are protected with the password 'infected' or 'virus'.


File information
Security rating: 41
Behavior list
Basic information
MD5: c4959dfc88c4588eb683dfdfe96b1588
File type: EXE
Vendor:
Version:
Packer or compiler information: COMPILER:Microsoft Visual C# / Basic .NET
Key actions
Behavior description: Get TickCount value
Details: TickCount = 218937, SleepMilliseconds = 1000.
TickCount = 218953, SleepMilliseconds = 1000.
TickCount = 219125, SleepMilliseconds = 1000.
TickCount = 219265, SleepMilliseconds = 1000.
TickCount = 219281, SleepMilliseconds = 1000.
TickCount = 219312, SleepMilliseconds = 1000.
TickCount = 219328, SleepMilliseconds = 1000.
TickCount = 219921, SleepMilliseconds = 1000.
TickCount = 218957, SleepMilliseconds = 20.
TickCount = 219004, SleepMilliseconds = 20.
TickCount = 219020, SleepMilliseconds = 20.
TickCount = 219082, SleepMilliseconds = 20.
TickCount = 225656, SleepMilliseconds = 1000.
Behavior description: Read CPU clock directly
Details: EAX = 0xf77d83a5, EDX = 0x000000ba
EAX = 0x4b971d91, EDX = 0x000000bb
Behavior description: Modify registry - system firewall trusted program list
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\server.exe
Behavior description: Modify registry - startup entry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\1ca468537a7ca5b16335edf196756670
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1ca468537a7ca5b16335edf196756670
Process behavior
Behavior description: Create process with hidden window
Details: ImagePath = , CmdLine = netsh firewall add allowedprogram "C:\WINDOWS\server.exe" "server.exe" ENABLE
Behavior description: Create process
Details: [0x00000b18]ImagePath = C:\WINDOWS\system32\netsh.exe, CmdLine = netsh firewall add allowedprogram "C:\WINDOWS\server.exe" "server.exe" ENABLE
Behavior description: Create process from newly created file
Details: [0x00000ae0]ImagePath = C:\WINDOWS\server.exe, CmdLine = "C:\WINDOWS\server.exe"
Behavior description: Create local thread
Details: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2724, StartAddress = 79F0237F, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2740, StartAddress = 79F91FCF, Parameter = 001A5780
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2792, StartAddress = 79FDA29C, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2796, StartAddress = 77E56C7D, Parameter = 001ECC90
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2800, StartAddress = 769AE43B, Parameter = 001EDF98
TargetProcess: server.exe, InheritedFromPID = 2676, ProcessID = 2784, ThreadID = 2804, StartAddress = 79F0237F, Parameter = 00000000
TargetProcess: server.exe, InheritedFromPID = 2676, ProcessID = 2784, ThreadID = 2808, StartAddress = 79F91FCF, Parameter = 001A51D0
TargetProcess: netsh.exe, InheritedFromPID = 2784, ProcessID = 2840, ThreadID = 2848, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: netsh.exe, InheritedFromPID = 2784, ProcessID = 2840, ThreadID = 2852, StartAddress = 77E56C7D, Parameter = 001B73E8
TargetProcess: netsh.exe, InheritedFromPID = 2784, ProcessID = 2840, ThreadID = 2856, StartAddress = 769AE43B, Parameter = 001B8FC8
TargetProcess: netsh.exe, InheritedFromPID = 2784, ProcessID = 2840, ThreadID = 2860, StartAddress = 77E56C7D, Parameter = 001BE398
TargetProcess: server.exe, InheritedFromPID = 2676, ProcessID = 2784, ThreadID = 2940, StartAddress = 79F91FCF, Parameter = 001C8150
TargetProcess: server.exe, InheritedFromPID = 2676, ProcessID = 2784, ThreadID = 2944, StartAddress = 79F91FCF, Parameter = 001C8150
File behavior
Behavior description: Create file
Details: C:\WINDOWS\server.exe
Behavior description: Create executable file
Details: C:\WINDOWS\server.exe
Behavior description: Modify file content
Details: C:\WINDOWS\server.exe ---> Offset = 0
Behavior description: Search for file
Details: FileName = C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
FileName = C:\WINDOWS\Microsoft.NET\Framework\\*
FileName = C:\WINDOWS
FileName = C:\WINDOWS\WinSxS
FileName = C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
FileName = C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\996E.INI
FileName = C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.INI
FileName = C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI
Registry behavior
Behavior description: Modify registry
Details: \REGISTRY\USER\S-*\di
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\server.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\FileTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\ConsoleTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\MaxFileSize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\FileDirectory
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\LogSessionName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Active
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\ControlFlags
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr\Guid
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr\BitNames
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\LogSessionName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\Active
Behavior description: Modify registry - system environment variable
Details: \REGISTRY\USER\S-*\Environment\SEE_MASK_NOZONECHECKS
Other behavior
Behavior description: Check whether it is being debugged
Details: IsDebuggerPresent
Behavior description: Create mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
1ca468537a7ca5b16335edf196756670
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Behavior description: Create event object
Details: EventName = Global\CorDBIPCSetupSyncEvent_2676
EventName = Global\CorDBIPCSetupSyncEvent_2784
EventName = Global\crypt32LogoffEvent
Behavior description: Open mutex
Details: ShimCacheMutex
Global\CLR_CASOFF_MUTEX
Local\!IETld!Mutex
Behavior description: Adjust process token privileges
Details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Open event
Details: Global\CLR_PerfMon_StartEnumEvent
\KernelObjects\LowMemoryCondition
HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
MSFT.VSA.COM.DISABLE.2676
MSFT.VSA.IEC.STATUS.6c736db0
Global\crypt32LogoffEvent
Global\SvcctrlStartEvent_A3752DX
MSFT.VSA.COM.DISABLE.2840
Behavior description: Executable signature information
Details: C:\WINDOWS\server.exe (signature verification: failed)
Behavior description: Call Sleep function
Details: [1]: MilliSeconds = 5000.
[2]: MilliSeconds = 1000.
[3]: MilliSeconds = -1.
[4]: MilliSeconds = 20.
[5]: MilliSeconds = 20.
[6]: MilliSeconds = 20.
[3]: MilliSeconds = 2000.
[4]: MilliSeconds = 1000.
[5]: MilliSeconds = 1.
[6]: MilliSeconds = 1.
[7]: MilliSeconds = 1.
[8]: MilliSeconds = 1.
[9]: MilliSeconds = 1.
[10]: MilliSeconds = 1.
Behavior description: Executable MD5
Details: C:\WINDOWS\server.exe ---> c4959dfc88c4588eb683dfdfe96b1588