VirSCAN

1. You can upload any file, but there is a 20Mb limit per file.
2. VirSCAN supports Rar/Zip decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected compressed files whose password is 'infected' or 'virus'.


File information
Safety rating: 70
Behavior list
Basic Information
MD5: 763c9845c4a09132b30e727f65e1aed1
File type: EXE
Production company:
Version:
Shell or compiler information: PACKER:UPolyX v0.5
Key behavior
Behavior description: Checks whether it is being debugged
details:N/A
Process behavior
Behavior description: Enumerates processes
details:N/A
File behavior
Behavior description: Creates files
details:C:\Documents and Settings\Administrator\Local Settings\Temp\img.zip
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\0.8.1.2.bmp
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\0.8.1.3.bmp
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\0.8.1.bmp
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\0.8.7.bmp
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\0.8.9.bmp
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\0.9.26.bmp
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\0.9.261.bmp
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\0.9.8.bmp
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\12jjt.bmp
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\12jjt1.bmp
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\12jjt2.bmp
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\12jjt3.bmp
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\12jjt4.bmp
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\13jjt.bmp
Behavior description: Creates executable files
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\img\dm.dll
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\DmReg.dll
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\ys.dll
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\yszso.dll
Behavior description: Modifies file contents
details:C:\Documents and Settings\Administrator\Local Settings\Temp\img.zip ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\0.8.1.2.bmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\0.8.1.3.bmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\0.8.1.bmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\0.8.7.bmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\0.8.9.bmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\0.9.26.bmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\0.9.261.bmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\0.9.8.bmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\12jjt.bmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\12jjt1.bmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\12jjt2.bmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\12jjt3.bmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\12jjt4.bmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\13jjt.bmp ---> Offset = 0
Network behavior
Behavior description: Connects to a specified site
details:WinHttpConnect: ServerName = sh****om, PORT = 80, UserName = , Password = , hSession = 0x048e5000, hConnect = 0x048e5100, Flags = 0x00000000
WinHttpConnect: ServerName = sh****om, PORT = 80, UserName = , Password = , hSession = 0x048e5000, hConnect = 0x048e5200, Flags = 0x00000000
Behavior description: Establishes a connection to a specified socket
details:URL: sh****om, IP: **.133.40.**:80, SOCKET = 0x00000664
URL: sh****om, IP: **.133.40.**:80, SOCKET = 0x0000065c
URL: sh****om, IP: **.133.40.**:80, SOCKET = 0x00000658
Behavior description: Sends HTTP packets
details:POST /web/user.asp HTTP/1.1 User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept: text/html, application/xhtml+xml, */* Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Host: sh****om Content-Length: 113 Connection: Keep-Alive code=2D50D4F11C6A58371067434AA01F58B62576AF655D1EE9E2856547279A96DB22C1363044A57244CF37811E0ED961BBF4D51586B43476
Behavior description: Opens an HTTP request
details:WinHttpOpenRequest: sh****om:80/web/user.asp, hConnect = 0x048e5100, hRequest = 0x04790000, Verb: POST, Referer: , Flags = 0x00000000
WinHttpOpenRequest: sh****om:80/web/user.asp, hConnect = 0x048e5200, hRequest = 0x04790000, Verb: POST, Referer: , Flags = 0x00000000
Behavior description: Resolves a host address by name
details:GetAddrInfoW: sh****om
Registry behavior
Behavior description: Modifies the registry
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name
\REGISTRY\MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\ID
\REGISTRY\USER\S-*\Software\Microsoft\Direct3D\MostRecentApplication\Name
Other behavior
Behavior description: Checks whether it is being debugged
details:N/A
Behavior description: Creates mutexes
details:RasPbFile
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
DDrawWindowListMutex
DDrawDriverObjectListMutex
__DDrawExclMode__
__DDrawCheckExclMode__
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.IHJ
Behavior description: Creates event objects
details:EventName = DINPUTWINMM
EventName = MSCTF.SendReceive.Event.IHJ.IC
EventName = MSCTF.SendReceiveConection.Event.IHJ.IC
Behavior description: Finds a specified window
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Adjusts process token privileges
details:SE_DEBUG_PRIVILEGE
Behavior description: Window information
details:Pid = 2420, Hwnd=0x4036c, Text = 防下断, ClassName = Button.
Pid = 2420, Hwnd=0xa030a, Text = 信息, ClassName = msctls_statusbar32.
Pid = 2420, Hwnd=0x90350, Text = 帐号: 原密码: 新密码: 确认密码:, ClassName = _EL_Label.
Pid = 2420, Hwnd=0xc030c, Text = 激活帐户: 激活码:, ClassName = _EL_Label.
Pid = 2420, Hwnd=0x7033a, Text = 注册帐户: 注册密码: 确认密码:, ClassName = _EL_Label.
Pid = 2420, Hwnd=0x7033c, Text = 登陆帐户: 登陆密码:, ClassName = _EL_Label.
Pid = 2420, Hwnd=0xe02fe, Text = 修改密码, ClassName = Button.
Pid = 2420, Hwnd=0xb02f2, Text = 充入, ClassName = Button.
Pid = 2420, Hwnd=0xb02b0, Text = 会员注册, ClassName = Button.
Pid = 2420, Hwnd=0x90354, Text = 软件版本:1.35, ClassName = _EL_Label.
Pid = 2420, Hwnd=0x6034a, Text = 登 陆, ClassName = Button.
Pid = 2420, Hwnd=0x4036a, Text = 保存配置, ClassName = Button(CheckBox).
Pid = 2420, Hwnd=0x40368, Text = 试用登陆, ClassName = Button(RadioButton).
Pid = 2420, Hwnd=0x6035e, Text = 正常登陆, ClassName = Button(RadioButton).
Pid = 2420, Hwnd=0xe031e, Text = COC辅助—意思版, ClassName = WTWindow.
Behavior description: Executable file signature information
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\img\dm.dll(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\DmReg.dll(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\ys.dll(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\yszso.dll(签名验证: 未通过)
Behavior description: Hides specified windows
details:[Window,Class] = [,_EL_Timer]
[Window,Class] = [,Edit]
[Window,Class] = [会员注册,Button]
[Window,Class] = [充入,Button]
[Window,Class] = [修改密码,Button]
[Window,Class] = [,Afx:400000:8]
[Window,Class] = [注册帐户: 注册密码: 确认密码:,_EL_Label]
[Window,Class] = [激活帐户: 激活码:,_EL_Label]
[Window,Class] = [ 帐号: 原密码: 新密码: 确认密码:,_EL_Label]
Behavior description: Executable file MD5
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\img\dm.dll ---> 5f62cac44830ed5ae052c112c09b9eda
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\DmReg.dll ---> a3e89f9c6cd3b4a938a98a336de30e8c
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\ys.dll ---> e025cd92bb47f50703b5a602d97c36cb
C:\Documents and Settings\Administrator\Local Settings\%temp%\img\yszso.dll ---> c578b6820bda5689940560147c6e5ffc
Run screenshot (image not included in this extract)