VirSCAN

1, You can UPLOAD any file, but there is a limit of 20 MB per file.
2, VirSCAN supports Rar/Zip decompression, but the archive must contain fewer than 20 files.
3, VirSCAN can scan an archive that is password-protected with the password 'infected' or 'virus'.


File information
Security rating: 75
Behavior list
Basic information
MD5:af4ba8756011aa057b93476583c0e31a
File type: zip
Vendor:
Version:
Packer or compiler information:
Sub-file information: MusicTools.exe / bd5782286d5a6678124a0cd45af7bec3 / EXE
Key behavior
Behavior description: Directly calls critical system APIs
Details: Index = 0x000000F8, Name: NtQueryObject, Instruction Address = 0x009C2BE1
Index = 0x000000EA, Name: NtQueryInformationProcess, Instruction Address = 0x009C23F4
Index = 0x0000006B, Name: NtDeviceIoControlFile, Instruction Address = 0x009C23A9
Index = 0x000000F8, Name: NtQueryObject, Instruction Address = 0x009C2BD4
Index = 0x000000C2, Name: NtOpenSection, Instruction Address = 0x009C2C66
Index = 0x000000D9, Name: NtQueryAttributesFile, Instruction Address = 0x009C3065
Index = 0x000000B3, Name: NtOpenFile, Instruction Address = 0x009C3035
Index = 0x00000032, Name: NtClose, Instruction Address = 0x009C2EDC
Behavior description: Writes data into another process (cross-process memory write)
Details: TargetProcess = C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x00040000, Size = 0x00000020 TargetPID = 0x000009d0
TargetProcess = C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x00040020, Size = 0x00000034 TargetPID = 0x000009d0
TargetProcess = C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x7ffd9238, Size = 0x00000004 TargetPID = 0x000009d0
Behavior description: Sets special folder attributes
Details: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache
Behavior description: Reads the CPU clock directly (RDTSC)
Details: EAX = 0xbfa78b69, EDX = 0x0000039e
EAX = 0x11796314, EDX = 0x0000039f
EAX = 0x1401329d, EDX = 0x0000039f
EAX = 0x140132e9, EDX = 0x0000039f
EAX = 0x16b43265, EDX = 0x0000039f
EAX = 0x3ba63792, EDX = 0x0000039f
EAX = 0x5b5d6e52, EDX = 0x0000039f
EAX = 0x3c44fd97, EDX = 0x000003a0
EAX = 0x3c44fde3, EDX = 0x000003a0
EAX = 0x3c44fe2f, EDX = 0x000003a0
Behavior description: Gets the TickCount value
Details: TickCount = 1174218, SleepMilliseconds = 60000.
TickCount = 1174234, SleepMilliseconds = 60000.
TickCount = 1174421, SleepMilliseconds = 60000.
TickCount = 1174718, SleepMilliseconds = 60000.
TickCount = 1174765, SleepMilliseconds = 60000.
TickCount = 1178078, SleepMilliseconds = 60000.
TickCount = 1178203, SleepMilliseconds = 60000.
TickCount = 1178468, SleepMilliseconds = 60000.
TickCount = 1178562, SleepMilliseconds = 60000.
TickCount = 1178625, SleepMilliseconds = 60000.
TickCount = 1178640, SleepMilliseconds = 60000.
TickCount = 1178656, SleepMilliseconds = 60000.
TickCount = 1178671, SleepMilliseconds = 60000.
TickCount = 1178687, SleepMilliseconds = 60000.
TickCount = 1178781, SleepMilliseconds = 60000.
Process behavior
Behavior description: Writes data into another process (cross-process memory write)
Details: TargetProcess = C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x00040000, Size = 0x00000020 TargetPID = 0x000009d0
TargetProcess = C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x00040020, Size = 0x00000034 TargetPID = 0x000009d0
TargetProcess = C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x7ffd9238, Size = 0x00000004 TargetPID = 0x000009d0
Behavior description: Enumerates processes
Details: N/A
Behavior description: Creates a process
Details: [0x000009d0]ImagePath = C:\Program Files\Internet Explorer\iexplore.exe, CmdLine = "C:\Program Files\Internet Explorer\iexplore.exe"
File behavior
Behavior description: Creates files
Details: C:\Users\Administrator\AppData\Local\Temp\evbE215.tmp
C:\Users\Administrator\AppData\Local\Temp\evbE61D.tmp
C:\Users\Administrator\AppData\Local\Temp\evbE64D.tmp
C:\Users\Administrator\AppData\Local\Temp\evb129.tmp
C:\Users\Administrator\AppData\Local\Temp\evb12A.tmp
C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Users\Administrator\AppData\Local\Temp\evb1426.tmp
C:\Users\Administrator\AppData\Local\Temp\evb1437.tmp
C:\Users\Administrator\AppData\Local\Temp\evb1467.tmp
C:\Users\Administrator\AppData\Local\Temp\evb1477.tmp
C:\Users\Administrator\AppData\Local\Temp\evb14B7.tmp
C:\Users\Administrator\AppData\Local\Temp\evb14C7.tmp
C:\Users\Administrator\AppData\Local\Temp\evb1536.tmp
C:\Users\Administrator\AppData\Local\Temp\evb16DD.tmp
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Log\2019_05_19.log
Behavior description: Creates executable files
Details: C:\Users\Administrator\AppData\Local\Temp\evbE61D.tmp
C:\Users\Administrator\AppData\Local\Temp\evbE64D.tmp
C:\Users\Administrator\AppData\Local\Temp\evb129.tmp
C:\Users\Administrator\AppData\Local\Temp\evb12A.tmp
C:\Users\Administrator\AppData\Local\Temp\evb1426.tmp
C:\Users\Administrator\AppData\Local\Temp\evb1437.tmp
C:\Users\Administrator\AppData\Local\Temp\evb1467.tmp
C:\Users\Administrator\AppData\Local\Temp\evb1477.tmp
C:\Users\Administrator\AppData\Local\Temp\evb14B7.tmp
C:\Users\Administrator\AppData\Local\Temp\evb14C7.tmp
C:\Users\Administrator\AppData\Local\Temp\evb1536.tmp
C:\Users\Administrator\AppData\Local\Temp\evb16DD.tmp
Behavior description: Overwrites existing files
Details: C:\Users\Administrator\AppData\Local\Temp\evbE215.tmp
C:\Users\Administrator\AppData\Local\Temp\evbE61D.tmp
C:\Users\Administrator\AppData\Local\Temp\evbE64D.tmp
C:\Users\Administrator\AppData\Local\Temp\evb129.tmp
C:\Users\Administrator\AppData\Local\Temp\evb12A.tmp
C:\Users\Administrator\AppData\Local\Temp\evb1426.tmp
C:\Users\Administrator\AppData\Local\Temp\evb1437.tmp
C:\Users\Administrator\AppData\Local\Temp\evb1467.tmp
C:\Users\Administrator\AppData\Local\Temp\evb1477.tmp
C:\Users\Administrator\AppData\Local\Temp\evb14B7.tmp
C:\Users\Administrator\AppData\Local\Temp\evb14C7.tmp
C:\Users\Administrator\AppData\Local\Temp\evb1536.tmp
C:\Users\Administrator\AppData\Local\Temp\evb16DD.tmp
Behavior description: Searches for files
Details: FileName = c:\users
FileName = c:\Users\administrator
FileName = c:\Users\Administrator\appdata
FileName = c:\Users\Administrator\AppData\local
FileName = c:\Users\Administrator\AppData\Local\temp
FileName = c:\Users\Administrator\AppData\Local\%temp%
FileName = c:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump
FileName = c:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\musictools.exe
FileName = c:\Users\ADMINI~1\appdata
FileName = c:\Users\ADMINI~1\AppData\local
FileName = c:\Users\ADMINI~1\AppData\Local\temp
FileName = c:\Users\ADMINI~1\AppData\Local\%temp%
FileName = c:\Users\ADMINI~1\AppData\Local\%temp%\b70c.exe_7zdump
FileName = c:\Users\ADMINI~1\AppData\Local\%temp%\B70C~1.EXE\musictools.exe
FileName = c:\windows
Behavior description: Deletes files
Details: C:\Users\Administrator\AppData\Local\Temp\evbE61D.tmp
C:\Users\Administrator\AppData\Local\Temp\evbE64D.tmp
C:\Users\Administrator\AppData\Local\Temp\evb129.tmp
C:\Users\Administrator\AppData\Local\Temp\evb12A.tmp
C:\Users\Administrator\AppData\Local\Temp\evb1426.tmp
C:\Users\Administrator\AppData\Local\Temp\evb1437.tmp
C:\Users\Administrator\AppData\Local\Temp\evb1467.tmp
C:\Users\Administrator\AppData\Local\Temp\evb1477.tmp
C:\Users\Administrator\AppData\Local\Temp\evb14B7.tmp
C:\Users\Administrator\AppData\Local\Temp\evb14C7.tmp
C:\Users\Administrator\AppData\Local\Temp\evb1536.tmp
C:\Users\Administrator\AppData\Local\Temp\evb16DD.tmp
Behavior description: Sets special folder attributes
Details: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache
Behavior description: Modifies file contents
Details: C:\Users\Administrator\AppData\Local\Temp\evbE61D.tmp ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\evbE64D.tmp ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\evb129.tmp ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\evb12A.tmp ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\evb1426.tmp ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\evb1437.tmp ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\evb1467.tmp ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\evb1477.tmp ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\evb14B7.tmp ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\evb14C7.tmp ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\evb1536.tmp ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\evb16DD.tmp ---> Offset = 0
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\Log\2019_05_19.log ---> Offset = 0
Network behavior
Behavior description: Establishes a connection to a specified socket
Details: URL: to****om, IP: **.133.40.**:80, SOCKET = 0x0000058c
Behavior description: Sends an HTTP packet
Details: GET /MusicTools.json HTTP/1.1 User-Agent: User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705 Accept: */* Accept-Language: zh-cn,en-us;q=0.5 Host: to****om Connection: Keep-Alive
Behavior description: Resolves a host address by name
Details: GetAddrInfoW: to****om
Registry behavior
Behavior description: Modifies the registry
Details: \REGISTRY\USER\S-*\Software\Microsoft\GDIPlus\FontCachePath
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\MusicTools_RASAPI32\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\MusicTools_RASAPI32\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\MusicTools_RASAPI32\FileTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\MusicTools_RASAPI32\ConsoleTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\MusicTools_RASAPI32\MaxFileSize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\MusicTools_RASAPI32\FileDirectory
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\MusicTools_RASMANCS\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\MusicTools_RASMANCS\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\MusicTools_RASMANCS\FileTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\MusicTools_RASMANCS\ConsoleTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\MusicTools_RASMANCS\MaxFileSize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\MusicTools_RASMANCS\FileDirectory
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time
Behavior description: Deletes registry values
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
Other behavior
Behavior description: Directly calls critical system APIs
Details: Index = 0x000000F8, Name: NtQueryObject, Instruction Address = 0x009C2BE1
Index = 0x000000EA, Name: NtQueryInformationProcess, Instruction Address = 0x009C23F4
Index = 0x0000006B, Name: NtDeviceIoControlFile, Instruction Address = 0x009C23A9
Index = 0x000000F8, Name: NtQueryObject, Instruction Address = 0x009C2BD4
Index = 0x000000C2, Name: NtOpenSection, Instruction Address = 0x009C2C66
Index = 0x000000D9, Name: NtQueryAttributesFile, Instruction Address = 0x009C3065
Index = 0x000000B3, Name: NtOpenFile, Instruction Address = 0x009C3035
Index = 0x00000032, Name: NtClose, Instruction Address = 0x009C2EDC
Behavior description: Checks whether it is being debugged
Details: IsDebuggerPresent
Behavior description: Creates mutexes
Details: RasPbFile
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Local\!PrivacIE!SharedMemory!Mutex
SmartScreen_UrsCacheMutex_2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2High_S-*
SmartScreen_ClientId_Mutex
Behavior description: Creates event objects
Details: EventName = EVB_33F127743FB61949_00000DA8
EventName = Global\CPFATE_3496_v4.0.30319
Behavior description: Opens mutexes
Details: RasPbFile
Local\MSCTF.Asm.MutexDefault1
Local\_!MSFTHISTORY!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
Local\c:!users!administrator!appdata!local!microsoft!feeds cache!
Local\!BrowserEmulation!SharedMemory!Mutex
Behavior description: Searches for specified windows
Details: NtUserFindWindowEx: [Class,Window] = [msctls_updown32,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
Behavior description: Encrypts data
Details: [CryptEncrypt] Data: 0x05B39E18, PlainTextLen: 16, CipherTextLen: 16, Flags: 0x00000000
[CryptEncrypt] Data: 0x05B39E90, PlainTextLen: 16, CipherTextLen: 16, Flags: 0x00000000
[CryptEncrypt] Data: 0x05B39EA8, PlainTextLen: 16, CipherTextLen: 16, Flags: 0x00000000
[CryptEncrypt] Data: 0x05B3A118, PlainTextLen: 16, CipherTextLen: 16, Flags: 0x00000000
[CryptEncrypt] Data: 0x05B3A190, PlainTextLen: 16, CipherTextLen: 16, Flags: 0x00000000
[CryptEncrypt] Data: 0x05B3A1C0, PlainTextLen: 16, CipherTextLen: 16, Flags: 0x00000000
[CryptEncrypt] Data: 0x05B3A418, PlainTextLen: 16, CipherTextLen: 16, Flags: 0x00000000
[CryptEncrypt] Data: 0x05B3A4A8, PlainTextLen: 16, CipherTextLen: 16, Flags: 0x00000000
[CryptEncrypt] Data: 0x05B3A4C0, PlainTextLen: 16, CipherTextLen: 16, Flags: 0x00000000
[CryptEncrypt] Data: 0x05B3A508, PlainTextLen: 16, CipherTextLen: 16, Flags: 0x00000000
[CryptEncrypt] Data: 0x054E6D78, PlainTextLen: 16, CipherTextLen: 16, Flags: 0x00000000
Behavior description: Window information
Details: Pid = 3496, Hwnd=0x10019e, Text = 确定, ClassName = Button.
Pid = 3496, Hwnd=0x130186, Text = 连接服务器失败! 请检查本机网络或防火墙设置是否存在问题!, ClassName = Static.
Pid = 3496, Hwnd=0xa013a, Text = 网络请求出错, ClassName = #32770.
Behavior description: Gets the TickCount value
Details: TickCount = 1174218, SleepMilliseconds = 60000.
TickCount = 1174234, SleepMilliseconds = 60000.
TickCount = 1174421, SleepMilliseconds = 60000.
TickCount = 1174718, SleepMilliseconds = 60000.
TickCount = 1174765, SleepMilliseconds = 60000.
TickCount = 1178078, SleepMilliseconds = 60000.
TickCount = 1178203, SleepMilliseconds = 60000.
TickCount = 1178468, SleepMilliseconds = 60000.
TickCount = 1178562, SleepMilliseconds = 60000.
TickCount = 1178625, SleepMilliseconds = 60000.
TickCount = 1178640, SleepMilliseconds = 60000.
TickCount = 1178656, SleepMilliseconds = 60000.
TickCount = 1178671, SleepMilliseconds = 60000.
TickCount = 1178687, SleepMilliseconds = 60000.
TickCount = 1178781, SleepMilliseconds = 60000.
Behavior description: Adjusts process token privileges
Details: SE_DEBUG_PRIVILEGE
Behavior description: Opens events
Details: HookSwitchHookEnabledEvent
Global\CLR_PerfMon_StartEnumEvent
\KernelObjects\LowMemoryCondition
MSFT.VSA.COM.DISABLE.3496
MSFT.VSA.IEC.STATUS.6c736db0
\KernelObjects\MaximumCommitCondition
Global\SvcctrlStartEvent_A3752DX
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Local\MSCTF.CtfActivated.Default1
Local\MSCTF.AsmCacheReady.Default1
Isolation Signal Registry Event (F08430BB-79DF-11E9-828E-080027488980, 0)
IE_EarlyTabStart_0x93c
MSFT.VSA.COM.DISABLE.2052
Isolation Signal Registry Event (F08430B7-79DF-11E9-828E-080027488980, 0)
Global\TabletHardwarePresent
Behavior description: Imports keys
Details: [CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x08FDFC09, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x08826BDC, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x08826E7C, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x0918004D, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x08826D2C, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x08827074, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_DES (0x00006601), Data: 0x08880278, DataLen: 20, Flags: 0x00000001
[CryptImportKey] Algorithm: CALG_DES (0x00006601), Data: 0x054356F8, DataLen: 20, Flags: 0x00000001
[CryptImportKey] Algorithm: CALG_DES (0x00006601), Data: 0x05435698, DataLen: 20, Flags: 0x00000001
[CryptImportKey] Algorithm: CALG_DES (0x00006601), Data: 0x087E5D60, DataLen: 20, Flags: 0x00000001
[CryptImportKey] Algorithm: CALG_DES (0x00006601), Data: 0x087E5E60, DataLen: 20, Flags: 0x00000001
[CryptImportKey] Algorithm: CALG_DES (0x00006601), Data: 0x087E5F00, DataLen: 20, Flags: 0x00000001
[CryptImportKey] Algorithm: CALG_DES (0x00006601), Data: 0x087E5EA0, DataLen: 20, Flags: 0x00000001
[CryptImportKey] Algorithm: CALG_DES (0x00006601), Data: 0x087E5DE0, DataLen: 20, Flags: 0x00000001
[CryptImportKey] Algorithm: CALG_DES (0x00006601), Data: 0x087E5D40, DataLen: 20, Flags: 0x00000001
Behavior description: Executable file signature information
Details: C:\Users\Administrator\AppData\Local\Temp\evbE61D.tmp (signature verification: failed)
C:\Users\Administrator\AppData\Local\Temp\evbE64D.tmp (signature verification: failed)
C:\Users\Administrator\AppData\Local\Temp\evb129.tmp (signature verification: failed)
C:\Users\Administrator\AppData\Local\Temp\evb12A.tmp (signature verification: failed)
C:\Users\Administrator\AppData\Local\Temp\evb1426.tmp (signature verification: failed)
C:\Users\Administrator\AppData\Local\Temp\evb1437.tmp (signature verification: failed)
C:\Users\Administrator\AppData\Local\Temp\evb1467.tmp (signature verification: failed)
C:\Users\Administrator\AppData\Local\Temp\evb1477.tmp (signature verification: failed)
C:\Users\Administrator\AppData\Local\Temp\evb14B7.tmp (signature verification: failed)
C:\Users\Administrator\AppData\Local\Temp\evb14C7.tmp (signature verification: failed)
C:\Users\Administrator\AppData\Local\Temp\evb1536.tmp (signature verification: failed)
C:\Users\Administrator\AppData\Local\Temp\evb16DD.tmp (signature verification: failed)
Behavior description: Calls the Sleep function
Details: [1]: MilliSeconds = 60000.
[2]: MilliSeconds = 800.
[3]: MilliSeconds = 50.
[4]: MilliSeconds = 50.
[5]: MilliSeconds = 50.
[6]: MilliSeconds = 50.
[7]: MilliSeconds = 50.
[8]: MilliSeconds = 50.
[9]: MilliSeconds = 50.
[10]: MilliSeconds = 50.
Behavior description: Hides specified windows
Details: [Window,Class] = [,msctls_updown32]
[Window,Class] = [,Static]
[Window,Class] = [缩放级别,ToolbarWindow32]
[Window,Class] = [,msctls_progress32]
Behavior description: Gets the cursor position
Details: CursorPos = (388,18506), SleepMilliseconds = 60000.
CursorPos = (6681,26539), SleepMilliseconds = 800.
CursorPos = (19516,15763), SleepMilliseconds = 800.
CursorPos = (11825,29397), SleepMilliseconds = 800.
CursorPos = (27309,24503), SleepMilliseconds = 800.
CursorPos = (6052,28184), SleepMilliseconds = 800.
CursorPos = (23628,16866), SleepMilliseconds = 800.
CursorPos = (10308,530), SleepMilliseconds = 800.
CursorPos = (3342,11981), SleepMilliseconds = 800.
CursorPos = (5174,5475), SleepMilliseconds = 800.
CursorPos = (32738,14643), SleepMilliseconds = 800.
CursorPos = (4249,192), SleepMilliseconds = 800.
CursorPos = (639,12421), SleepMilliseconds = 50.
CursorPos = (17768,18755), SleepMilliseconds = 50.
CursorPos = (20065,19934), SleepMilliseconds = 50.
Behavior description: Executable file MD5
Details: C:\Users\Administrator\AppData\Local\Temp\evbE61D.tmp ---> ba2ea17a8d36ce6c512af573f53e4249
C:\Users\Administrator\AppData\Local\Temp\evbE64D.tmp ---> ba2ea17a8d36ce6c512af573f53e4249
C:\Users\Administrator\AppData\Local\Temp\evb129.tmp ---> cbeab8faa6ec0809fe49d9e3ed7167f7
C:\Users\Administrator\AppData\Local\Temp\evb12A.tmp ---> cbeab8faa6ec0809fe49d9e3ed7167f7
C:\Users\Administrator\AppData\Local\Temp\evb1426.tmp ---> 40ccbe044beffc5402548a44f92901ef
C:\Users\Administrator\AppData\Local\Temp\evb1437.tmp ---> 40ccbe044beffc5402548a44f92901ef
C:\Users\Administrator\AppData\Local\Temp\evb1467.tmp ---> 40ccbe044beffc5402548a44f92901ef
C:\Users\Administrator\AppData\Local\Temp\evb1477.tmp ---> 40ccbe044beffc5402548a44f92901ef
C:\Users\Administrator\AppData\Local\Temp\evb14B7.tmp ---> d28cf4b8d93c86a420cec10206112b4c
C:\Users\Administrator\AppData\Local\Temp\evb14C7.tmp ---> d28cf4b8d93c86a420cec10206112b4c
C:\Users\Administrator\AppData\Local\Temp\evb1536.tmp ---> 91cf732313578318b799f550a5d13d3b
C:\Users\Administrator\AppData\Local\Temp\evb16DD.tmp ---> c55e2ff93285f9933fc8021a29b14d9a
Behavior description: Reads the CPU clock directly (RDTSC)
Details: EAX = 0xbfa78b69, EDX = 0x0000039e
EAX = 0x11796314, EDX = 0x0000039f
EAX = 0x1401329d, EDX = 0x0000039f
EAX = 0x140132e9, EDX = 0x0000039f
EAX = 0x16b43265, EDX = 0x0000039f
EAX = 0x3ba63792, EDX = 0x0000039f
EAX = 0x5b5d6e52, EDX = 0x0000039f
EAX = 0x3c44fd97, EDX = 0x000003a0
EAX = 0x3c44fde3, EDX = 0x000003a0
EAX = 0x3c44fe2f, EDX = 0x000003a0
Behavior description: Decrypts data
Details: [CryptDecrypt] Data: 0x0548A070, CipherTextLen: 8, PlainTextLen: 8, Flags: 0x00000000
[CryptDecrypt] Data: 0x00C468C8, CipherTextLen: 8, PlainTextLen: 8, Flags: 0x00000000
[CryptDecrypt] Data: 0x00C46B08, CipherTextLen: 8, PlainTextLen: 8, Flags: 0x00000000
[CryptDecrypt] Data: 0x054FE800, CipherTextLen: 8, PlainTextLen: 8, Flags: 0x00000000
[CryptDecrypt] Data: 0x054FE840, CipherTextLen: 8, PlainTextLen: 8, Flags: 0x00000000
[CryptDecrypt] Data: 0x087E8DE0, CipherTextLen: 32, PlainTextLen: 32, Flags: 0x00000000
[CryptDecrypt] Data: 0x054FE870, CipherTextLen: 8, PlainTextLen: 8, Flags: 0x00000000
[CryptDecrypt] Data: 0x087E8E30, CipherTextLen: 32, PlainTextLen: 32, Flags: 0x00000000
[CryptDecrypt] Data: 0x087E8EA8, CipherTextLen: 32, PlainTextLen: 32, Flags: 0x00000000
[CryptDecrypt] Data: 0x054FE8A0, CipherTextLen: 8, PlainTextLen: 8, Flags: 0x00000000
[CryptDecrypt] Data: 0x054FE8C0, CipherTextLen: 8, PlainTextLen: 8, Flags: 0x00000000
[CryptDecrypt] Data: 0x054E6D78, CipherTextLen: 16, PlainTextLen: 16, Flags: 0x00000000
[CryptDecrypt] Data: 0x054FE8E0, CipherTextLen: 8, PlainTextLen: 8, Flags: 0x00000000
Behavior description: Loads newly dropped files
Details: Image: C:\Users\ADMINI~1\AppData\Local\Temp\evbE61D.tmp.
Image: C:\Users\ADMINI~1\AppData\Local\Temp\evbE64D.tmp.
Image: C:\Users\ADMINI~1\AppData\Local\Temp\evb129.tmp.
Image: C:\Users\ADMINI~1\AppData\Local\Temp\evb12A.tmp.
Image: C:\Users\ADMINI~1\AppData\Local\Temp\evb1426.tmp.
Image: C:\Users\ADMINI~1\AppData\Local\Temp\evb1437.tmp.
Image: C:\Users\ADMINI~1\AppData\Local\Temp\evb1467.tmp.
Image: C:\Users\ADMINI~1\AppData\Local\Temp\evb1477.tmp.
Image: C:\Users\ADMINI~1\AppData\Local\Temp\evb14B7.tmp.
Image: C:\Users\ADMINI~1\AppData\Local\Temp\evb14C7.tmp.
Image: C:\Users\ADMINI~1\AppData\Local\Temp\evb1536.tmp.
Image: C:\Users\ADMINI~1\AppData\Local\Temp\evb16DD.tmp.