VirSCAN

1. You can upload any file, but there is a 20Mb limit per file.
2. VirSCAN supports Rar/Zip decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected compressed files if the password is 'infected' or 'virus'.


File information
Safety rating: 21
Basic Information
MD5: cff3e706eb537250ecce83403752c729
File type: Rar
Production company:
Version:
Shell or compiler information: COMPILER: Microsoft Visual C++ 6.0
Subfile information:
upx_c_6b92d7a5 dumpFile / big file / EXE
宅男福利播放器_x11518.exe dumpFile / bb84ee2d0430070774001dfe664b590e / EXE
宅男福利播放器_x11518.exe / bb84ee2d0430070774001dfe664b590e / EXE
Behavior list
Key behavior
Behavior description: Modify registry (IE start page)
details: \REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\Start Page
Behavior description: Get TickCount value
details: TickCount = 5362744, SleepMilliseconds = 10.
TickCount = 5362760, SleepMilliseconds = 10.
TickCount = 5362775, SleepMilliseconds = 10.
TickCount = 5362791, SleepMilliseconds = 10.
TickCount = 5362806, SleepMilliseconds = 10.
TickCount = 5362822, SleepMilliseconds = 10.
TickCount = 5362838, SleepMilliseconds = 10.
TickCount = 5362853, SleepMilliseconds = 10.
TickCount = 5362869, SleepMilliseconds = 10.
TickCount = 5362885, SleepMilliseconds = 10.
TickCount = 5362900, SleepMilliseconds = 10.
TickCount = 5362916, SleepMilliseconds = 10.
TickCount = 5362931, SleepMilliseconds = 10.
TickCount = 5362947, SleepMilliseconds = 10.
TickCount = 5362963, SleepMilliseconds = 10.
Process behavior
Behavior description: Create local thread
details: TargetProcess: 宅男福利播放器_x11518.exe, InheritedFromPID = 1944, ProcessID = 2444, ThreadID = 2464, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: 宅男福利播放器_x11518.exe, InheritedFromPID = 1944, ProcessID = 2444, ThreadID = 2468, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: 宅男福利播放器_x11518.exe, InheritedFromPID = 1944, ProcessID = 2444, ThreadID = 2484, StartAddress = 00492760, Parameter = 01228BD8
TargetProcess: 宅男福利播放器_x11518.exe, InheritedFromPID = 1944, ProcessID = 2444, ThreadID = 2488, StartAddress = 77C0A341, Parameter = 01EA69A8
TargetProcess: 宅男福利播放器_x11518.exe, InheritedFromPID = 1944, ProcessID = 2444, ThreadID = 2492, StartAddress = 77E56C7D, Parameter = 01E86A18
TargetProcess: 宅男福利播放器_x11518.exe, InheritedFromPID = 1944, ProcessID = 2444, ThreadID = 2496, StartAddress = 769AE43B, Parameter = 0331A928
TargetProcess: 宅男福利播放器_x11518.exe, InheritedFromPID = 1944, ProcessID = 2444, ThreadID = 2500, StartAddress = 77E56C7D, Parameter = 01E868F8
File behavior
Behavior description: Overwrite existing file
details: C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
Behavior description: Modify file contents
details: C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT ---> Offset = 0
Network behavior
Behavior description: Connect to specified site
details: WinHttpConnect: ServerName = gx****om, PORT = 80, UserName = , Password = , hSession = 0x04653100, hConnect = 0x04653200, Flags = 0x00000000
WinHttpConnect: ServerName = gx****om, PORT = 80, UserName = , Password = , hSession = 0x04653100, hConnect = 0x04653300, Flags = 0x00000000
Behavior description: Open HTTP connection
details: WinHttpOpen: UserAgent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), hSession = 0x04653100
Behavior description: Establish connection to a specified socket
details: URL: gx****om, IP: **.133.40.**:80, SOCKET = 0x00000520
URL: gx****om, IP: **.133.40.**:80, SOCKET = 0x00000530
Behavior description: Send HTTP packet
details: GET /gengxin/?jc=fulibo&jqm=63312D074B5A98EFC6A4762F3470A083 HTTP/1.1 Referer: http://gx.lesouwuguojie.com/gengxin/?jc=fulibo&jqm=63312D074B5A98EFC6A4762F3470A083 Accept: */* Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) X-Forwarded-For: 127.0.0.1 CLIENT_IP: 127.0.0.1 VIA: 127.0.0.1 REMOTE_ADDR: 127.0.0.1 client_ip: 127.0.0.1 Host: gx****om Connection: Keep-Alive
GET /gengxin/?jc=fulibo&jqm=63312D074B5A98EFC6A4762F3470A083 HTTP/1.1 Referer: http://gx.youtu888.com/gengxin/?jc=fulibo&jqm=63312D074B5A98EFC6A4762F3470A083 Accept: */* Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) X-Forwarded-For: 127.0.0.1 CLIENT_IP: 127.0.0.1 VIA: 127.0.0.1 REMOTE_ADDR: 127.0.0.1 client_ip: 127.0.0.1 Host: gx****om Connection: Keep-Alive
GET /gengxin/?jc=fulibo&jqm=63312D074B5A98EFC6A4762F3470A083 HTTP/1.1 Referer: http://gx.youtu8888.com/gengxin/?jc=fulibo&jqm=63312D074B5A98EFC6A4762F3470A083 Accept: */* Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) X-Forwarded-For: 127.0.0.1 CLIENT_IP: 127.0.0.1 VIA: 127.0.0.1 REMOTE_ADDR: 127.0.0.1 client_ip: 127.0.0.1 Host: gx****om Connection: Keep-Alive
Behavior description: Open HTTP request
details: WinHttpOpenRequest: gx****om:80/gengxin/?jc=fulibo&jqm=63312d074b5a98efc6a4762f3470a083, hConnect = 0x04653200, hRequest = 0x046d0000, Verb: GET, Referer: , Flags = 0x00000080
WinHttpOpenRequest: gx****om:80/gengxin/?jc=fulibo&jqm=63312d074b5a98efc6a4762f3470a083, hConnect = 0x04653300, hRequest = 0x046d0000, Verb: GET, Referer: , Flags = 0x00000080
Behavior description: Get host address by name
details: GetAddrInfoW: gx****om
Registry behavior
Behavior description: Modify registry
details: \REGISTRY\USER\S-*\Software\Microsoft\Multimedia\DrawDib\vga.drv 1920x973x16(565 0)
Behavior description: Modify registry (IE start page)
details: \REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\Start Page
Other behavior
Behavior description: Create mutex
details: RasPbFile
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
Behavior description: Create event object
details: EventName = DINPUTWINMM
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behavior description: Window information
details: Pid = 2444, Hwnd=0x120340, Text = 确定, ClassName = Button.
Pid = 2444, Hwnd=0x1302b8, Text = 网络连接失败,请稍候重试!, ClassName = Static.
Pid = 2444, Hwnd=0xe03c8, Text = 信息:, ClassName = #32770.
Behavior description: Open event
details: HookSwitchHookEnabledEvent
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000040
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000040
MSCTF.SendReceiveConection.Event.ELH.IC
MSCTF.SendReceive.Event.ELH.IC
MSFT.VSA.COM.DISABLE.2444
MSFT.VSA.IEC.STATUS.6c736db0
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Behavior description: Directly access physical device
details: \??\PhysicalDrive0
Behavior description: Call Sleep function
details: [1]: MilliSeconds = 60000.
[2]: MilliSeconds = 60000.
[3]: MilliSeconds = 60000.
[4]: MilliSeconds = 60000.
[5]: MilliSeconds = 60000.
[6]: MilliSeconds = 60000.
[7]: MilliSeconds = 60000.
[8]: MilliSeconds = 60000.
[9]: MilliSeconds = 60000.
[10]: MilliSeconds = 60000.
Behavior description: Hide specified window
details: [Window,Class] = [,WindowEx]
[Window,Class] = [,LabelEx]
[Window,Class] = [,ButtonEx]
[Window,Class] = [,EditboxEx]
[Window,Class] = [,ImagebuttonEx]
[Window,Class] = [,Afx:400000:8]
[Window,Class] = [,WTWindow]
Behavior description: Open mutex
details: RasPbFile
ShimCacheMutex