VirSCAN


File information
Safety rating: 75
Behavior list
Basic Information
MD5: 3fa474270a036a73d82b8112a5272c05
File type: EXE
Production company:
Version:
Shell or compiler information: COMPILER: PeStubOEP v1.x *
Key behavior
Behavior description: Direct call to a critical system API
details: Index = 0x0000010F, Name: NtWaitForSingleObject, Instruction Address = 0x004440C2
Behavior description: Cross-process memory write
details: TargetProcess = C:\WINDOWS\system32\%temp%\****.exe, WriteAddress = 0x00010000, Size = 0x00000868 TargetPID = 0x00000aa8
TargetProcess = C:\WINDOWS\system32\%temp%\****.exe, WriteAddress = 0x00020000, Size = 0x000008f0 TargetPID = 0x00000aa8
TargetProcess = C:\WINDOWS\system32\%temp%\****.exe, WriteAddress = 0x7ffdd010, Size = 0x00000004 TargetPID = 0x00000aa8
TargetProcess = C:\WINDOWS\system32\%temp%\****.exe, WriteAddress = 0x00030000, Size = 0x00000184 TargetPID = 0x00000aa8
TargetProcess = C:\WINDOWS\system32\%temp%\****.exe, WriteAddress = 0x7ffdd1e8, Size = 0x00000004 TargetPID = 0x00000aa8
Behavior description: Direct read of the CPU timestamp counter (EDX:EAX)
details: EAX = 0x34af5d66, EDX = 0x000000b5
EAX = 0x34af5db2, EDX = 0x000000b5
EAX = 0x34af5dfe, EDX = 0x000000b5
EAX = 0x34af5e4a, EDX = 0x000000b5
Process behavior
Behavior description: Create process
details: [0x00000a70]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = c:\windows\system32\cmd.exe /c mkdir %APPDATA%\Windows
[0x00000a78]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = c:\windows\system32\cmd.exe /c copy C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe %APPDATA%\Windows\windll.exe
[0x00000a80]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = c:\windows\system32\cmd.exe /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V WinDll /t REG_SZ /F /D %APPDATA%\Windows\windll.exe
[0x00000aa0]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V WinDll /t REG_SZ /F /D C:\Documents and Settings\Administrator\Application Data\Windows\windll.exe
[0x00000ab8]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = c:\windows\system32\cmd.exe /c mkdir %APPDATA%\Windows
[0x00000ac8]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = c:\windows\system32\cmd.exe /c copy C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe %APPDATA%\Windows\windll.exe
[0x00000ae8]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = c:\windows\system32\cmd.exe /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V WinDll /t REG_SZ /F /D %APPDATA%\Windows\windll.exe
[0x00000b08]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = c:\windows\system32\cmd.exe /c mkdir %APPDATA%\Windows
[0x00000b10]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V WinDll /t REG_SZ /F /D C:\Documents and Settings\Administrator\Application Data\Windows\windll.exe
[0x00000b18]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = c:\windows\system32\cmd.exe /c copy C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe %APPDATA%\Windows\windll.exe
[0x00000b30]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = c:\windows\system32\cmd.exe /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V WinDll /t REG_SZ /F /D %APPDATA%\Windows\windll.exe
[0x00000b40]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = c:\windows\system32\cmd.exe /c mkdir %APPDATA%\Windows
[0x00000b48]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V WinDll /t REG_SZ /F /D C:\Documents and Settings\Administrator\Application Data\Windows\windll.exe
[0x00000b50]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = c:\windows\system32\cmd.exe /c copy C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe %APPDATA%\Windows\windll.exe
[0x00000b5c]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = c:\windows\system32\cmd.exe /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V WinDll /t REG_SZ /F /D %APPDATA%\Windows\windll.exe
Behavior description: Create local thread
details: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2660, StartAddress = 00443FE0, Parameter = 4CB3A000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2664, StartAddress = 00443FE0, Parameter = 4CB3A280
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2668, StartAddress = 00443FE0, Parameter = 4CB3A500
Behavior description: Cross-process memory write
details: TargetProcess = C:\WINDOWS\system32\%temp%\****.exe, WriteAddress = 0x00010000, Size = 0x00000868 TargetPID = 0x00000aa8
TargetProcess = C:\WINDOWS\system32\%temp%\****.exe, WriteAddress = 0x00020000, Size = 0x000008f0 TargetPID = 0x00000aa8
TargetProcess = C:\WINDOWS\system32\%temp%\****.exe, WriteAddress = 0x7ffdd010, Size = 0x00000004 TargetPID = 0x00000aa8
TargetProcess = C:\WINDOWS\system32\%temp%\****.exe, WriteAddress = 0x00030000, Size = 0x00000184 TargetPID = 0x00000aa8
TargetProcess = C:\WINDOWS\system32\%temp%\****.exe, WriteAddress = 0x7ffdd1e8, Size = 0x00000004 TargetPID = 0x00000aa8
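The "Create process" entries above are the persistence chain in plain sight: a `cmd.exe /c` wrapper creates `%APPDATA%\Windows`, copies the sample out of `%TEMP%` to `windll.exe`, and sets an HKCU Run value named `WinDll` pointing at the copy, and the whole chain is repeated several times. The script below is an added example written for this report (it is not VirSCAN code and not part of the sample); it parses exactly these log lines, unwraps the `cmd.exe /c` shell, and flags both the Run-key write (whether issued through the wrapper or by `reg.exe` directly) and the `%TEMP%` to `%APPDATA%` staging copy. The regexes, helper names and the "application data" / "appdata\roaming" path spellings it accepts are my own assumptions about how such lines look; the input is copied verbatim from the report, including its own `****` and `%temp%` masking.

```python
"""Flag Run-key persistence staged from %TEMP% in sandbox process-creation lines.

Added example for the VirSCAN report; not VirSCAN's code. REPORT_LINES is copied
from the report's own 'Create process' entries (its ****/%temp% masking is kept).
"""
import re
from collections import Counter

REPORT_LINES = r"""
[0x00000a70]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = c:\windows\system32\cmd.exe /c mkdir %APPDATA%\Windows
[0x00000a78]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = c:\windows\system32\cmd.exe /c copy C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe %APPDATA%\Windows\windll.exe
[0x00000a80]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = c:\windows\system32\cmd.exe /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V WinDll /t REG_SZ /F /D %APPDATA%\Windows\windll.exe
[0x00000aa0]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V WinDll /t REG_SZ /F /D C:\Documents and Settings\Administrator\Application Data\Windows\windll.exe
[0x00000ab8]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = c:\windows\system32\cmd.exe /c mkdir %APPDATA%\Windows
[0x00000ac8]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = c:\windows\system32\cmd.exe /c copy C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe %APPDATA%\Windows\windll.exe
[0x00000ae8]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = c:\windows\system32\cmd.exe /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V WinDll /t REG_SZ /F /D %APPDATA%\Windows\windll.exe
[0x00000b08]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = c:\windows\system32\cmd.exe /c mkdir %APPDATA%\Windows
[0x00000b10]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V WinDll /t REG_SZ /F /D C:\Documents and Settings\Administrator\Application Data\Windows\windll.exe
[0x00000b18]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = c:\windows\system32\cmd.exe /c copy C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe %APPDATA%\Windows\windll.exe
[0x00000b30]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = c:\windows\system32\cmd.exe /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V WinDll /t REG_SZ /F /D %APPDATA%\Windows\windll.exe
[0x00000b40]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = c:\windows\system32\cmd.exe /c mkdir %APPDATA%\Windows
[0x00000b48]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V WinDll /t REG_SZ /F /D C:\Documents and Settings\Administrator\Application Data\Windows\windll.exe
[0x00000b50]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = c:\windows\system32\cmd.exe /c copy C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe %APPDATA%\Windows\windll.exe
[0x00000b5c]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = c:\windows\system32\cmd.exe /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V WinDll /t REG_SZ /F /D %APPDATA%\Windows\windll.exe
"""

# One sandbox line: "[pid]ImagePath = <image>, CmdLine = <command line>"
LINE_RE = re.compile(r'^\[(0x[0-9a-fA-F]+)\]ImagePath = (.*?), CmdLine = (.*)$')
# 'cmd.exe /c <payload>': the payload is the command we actually want to inspect.
CMD_WRAPPER_RE = re.compile(r'^\S*cmd(?:\.exe)?\s+/c\s+(.*)$', re.I)
# 'reg add' to a Run/RunOnce key (bare 'REG' or 'reg.exe'); captures key, /V name, /D data.
RUN_KEY_RE = re.compile(
    r'^reg(?:\.exe)?\s+add\s+"?(HK(?:CU|LM|EY_CURRENT_USER|EY_LOCAL_MACHINE)\\'
    r'software\\microsoft\\windows\\currentversion\\run(?:once)?)"?'
    r'.*?/v\s+(\S+).*?/d\s+(.+?)\s*$', re.I)
# 'copy <src.exe> <dst.exe>'; both paths may contain spaces (assumed shape).
COPY_RE = re.compile(r'^copy\s+(\S.*?\.exe)\s+(\S.*?\.exe)\s*$', re.I)


def parse_processes(text):
    """Return [{'pid', 'image', 'cmdline'}, ...] for every parseable line."""
    procs = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            procs.append({"pid": int(m.group(1), 16), "image": m.group(2), "cmdline": m.group(3)})
    return procs


def inner_command(cmdline):
    """Strip a 'cmd.exe /c' wrapper so the wrapped command is matched directly."""
    m = CMD_WRAPPER_RE.match(cmdline.strip())
    return m.group(1).strip() if m else cmdline.strip()


def is_temp_path(path):
    p = path.lower()
    return "%temp%" in p or "\\local settings\\temp\\" in p or "\\appdata\\local\\temp\\" in p


def is_appdata_path(path):
    p = path.lower()
    return "%appdata%" in p or "\\application data\\" in p or "\\appdata\\roaming\\" in p


def detect_persistence(procs):
    """Count Run-key writes and %TEMP%->%APPDATA% copies; keep per-PID evidence."""
    findings = {"run_values": Counter(), "staging_copies": Counter(), "events": []}
    for proc in procs:
        cmd = inner_command(proc["cmdline"])
        m = RUN_KEY_RE.match(cmd)
        if m:
            key, value, data = m.groups()
            findings["run_values"][(value, data)] += 1
            findings["events"].append((proc["pid"], "run_key_persistence", f"{key}\\{value} = {data}"))
            continue
        m = COPY_RE.match(cmd)
        if m and is_temp_path(m.group(1)) and is_appdata_path(m.group(2)):
            findings["staging_copies"][(m.group(1), m.group(2))] += 1
            findings["events"].append((proc["pid"], "temp_to_appdata_staging", f"{m.group(1)} -> {m.group(2)}"))
    return findings


if __name__ == "__main__":
    result = detect_persistence(parse_processes(REPORT_LINES))
    for pid, kind, evidence in result["events"]:
        print(f"pid 0x{pid:x}: {kind}: {evidence}")
    for (value, data), n in result["run_values"].items():
        print(f"Run value {value!r} -> {data} (set {n} times)")
```

Matching on the unwrapped command text is what makes the `cmd.exe /c REG ADD ...` wrappers and the `reg.exe` children both count; on the report's 15 lines that yields seven Run-key writes (all to the value `WinDll`, pointing at `windll.exe` under `%APPDATA%\Windows` in either its variable or expanded form) and four staging copies. The Run value is the cheap host-side check: on an affected user profile `reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v WinDll` would show the path, and `%APPDATA%\Windows\windll.exe` should hash to the MD5 listed at the top of this report if it is an unmodified copy.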
File behavior
Behavior description: Search for file
details: FileName = c:\windows
FileName = c:\windows\system32
FileName = c:\windows\system32\cmd.exe
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\cmd.exe
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\REG.*
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\REG
FileName = C:\Python27\REG.*
FileName = C:\Python27\REG
Network behavior
Behavior description: Connect to a specified socket
details: IP: **.168.10.**:4000, SOCKET = 0x000000d0
IP: **.168.10.**:4000, SOCKET = 0x000000d8
IP: **.168.10.**:4000, SOCKET = 0x000000f0
IP: **.168.10.**:4000, SOCKET = 0x0000010c
IP: **.168.10.**:4000, SOCKET = 0x00000128
IP: **.168.10.**:4000, SOCKET = 0x00000144
IP: **.168.10.**:4000, SOCKET = 0x00000160
IP: **.168.10.**:4000, SOCKET = 0x0000017c
IP: **.168.10.**:4000, SOCKET = 0x00000198
IP: **.168.10.**:4000, SOCKET = 0x000001b4
IP: **.168.10.**:4000, SOCKET = 0x000001d0
IP: **.168.10.**:4000, SOCKET = 0x000001ec
IP: **.168.10.**:4000, SOCKET = 0x00000208
IP: **.168.10.**:4000, SOCKET = 0x00000224
IP: **.168.10.**:4000, SOCKET = 0x00000240
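Fifteen connection attempts to one address and port, each on a new socket handle, in a single sandbox run is the shape of a hard-coded callback address with a retry loop; the report does not say whether any connect succeeded. The snippet below is an added example for this report (not VirSCAN code): it parses the socket lines above, groups them by endpoint and flags a suspected retry loop, and it treats the `**`-masked octets as the report's own redaction, so the endpoint is kept as a pattern and not emitted as a usable IOC. The threshold of five attempts and the field names are my assumptions.

```python
"""Group sandbox socket-connection lines by endpoint and flag a reconnect loop.

Added example for the VirSCAN report; not VirSCAN's code. SOCKET_LINES is copied
from the report's 'Connect to a specified socket' entries (masking is the report's).
"""
import re
from collections import defaultdict

SOCKET_LINES = """
IP: **.168.10.**:4000, SOCKET = 0x000000d0
IP: **.168.10.**:4000, SOCKET = 0x000000d8
IP: **.168.10.**:4000, SOCKET = 0x000000f0
IP: **.168.10.**:4000, SOCKET = 0x0000010c
IP: **.168.10.**:4000, SOCKET = 0x00000128
IP: **.168.10.**:4000, SOCKET = 0x00000144
IP: **.168.10.**:4000, SOCKET = 0x00000160
IP: **.168.10.**:4000, SOCKET = 0x0000017c
IP: **.168.10.**:4000, SOCKET = 0x00000198
IP: **.168.10.**:4000, SOCKET = 0x000001b4
IP: **.168.10.**:4000, SOCKET = 0x000001d0
IP: **.168.10.**:4000, SOCKET = 0x000001ec
IP: **.168.10.**:4000, SOCKET = 0x00000208
IP: **.168.10.**:4000, SOCKET = 0x00000224
IP: **.168.10.**:4000, SOCKET = 0x00000240
"""

# Octets may be digits or the report's '*' masking; port is decimal; handle is hex.
SOCK_RE = re.compile(
    r'IP:\s*([0-9*]{1,3}(?:\.[0-9*]{1,3}){3}):(\d{1,5}),\s*SOCKET\s*=\s*(0x[0-9a-fA-F]+)')


def parse_connections(text):
    """Return [(ip_pattern, port, socket_handle), ...] for every matching line."""
    found = (SOCK_RE.search(line) for line in text.splitlines())
    return [(m.group(1), int(m.group(2)), int(m.group(3), 16)) for m in found if m]


def summarize_endpoints(conns, retry_threshold=5):
    """One record per ip:port; a retry loop is many attempts, each on a distinct socket."""
    by_endpoint = defaultdict(list)
    for ip, port, sock in conns:
        by_endpoint[(ip, port)].append(sock)
    summary = []
    for (ip, port), socks in sorted(by_endpoint.items()):
        distinct = len(set(socks)) == len(socks)
        summary.append({
            "endpoint": f"{ip}:{port}",
            "attempts": len(socks),
            "distinct_sockets": distinct,
            "masked_ioc": "*" in ip,            # redacted by the report; not a usable indicator
            "suspected_retry_loop": distinct and len(socks) >= retry_threshold,
        })
    return summary


if __name__ == "__main__":
    for rec in summarize_endpoints(parse_connections(SOCKET_LINES)):
        print(rec)
```

With the masked address the only actionable detail is the destination port: in a network log, repeated outbound TCP connections to port 4000 from a host whose `%APPDATA%\Windows\windll.exe` Run value is set is the correlation to look for, and the real address would come from a packet capture or an unredacted sandbox run, not from this page.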
Other behavior
Behavior description: Direct call to a critical system API
details: Index = 0x0000010F, Name: NtWaitForSingleObject, Instruction Address = 0x004440C2
Behavior description: Direct read of the CPU timestamp counter (EDX:EAX)
details: EAX = 0x34af5d66, EDX = 0x000000b5
EAX = 0x34af5db2, EDX = 0x000000b5
EAX = 0x34af5dfe, EDX = 0x000000b5
EAX = 0x34af5e4a, EDX = 0x000000b5
Behavior description: Create event object
details: EventName = DINPUTWINMM
Behavior description: Open mutex
details: ShimCacheMutex
Run screenshot