VirSCAN
File information
Safety rating: 77
Behavior list
Basic Information
MD5: 09ed11aec95e3bde885e0c4ba682edd6
File type: EXE
Production company: Runtime Software, LLC
Version: 4.0.0.0---4.0.0.0
Shell or compiler information: COMPILER:Borland Delphi DLL [Overlay]
Key behavior
Behavior description: Cross-process memory write
details:TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\PROG\%Program Files (x86)%\Runtime Software\GetDataBack Simple\gdbsim.exe, WriteAddress = 0x01110000, Size = 0x00000308 TargetPID = 0x00000b5c
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\PROG\%Program Files (x86)%\Runtime Software\GetDataBack Simple\gdbsim.exe, WriteAddress = 0x00400100, Size = 0x000000f8 TargetPID = 0x00000b5c
Behavior description: Direct call to a critical system API
details:Index = 0x0000007F, Name: NtOpenSymbolicLinkObject, Instruction Address = 0x004AE119
Behavior description: Get TickCount value
details:TickCount = 227593, SleepMilliseconds = 500.
TickCount = 227400, SleepMilliseconds = 150.
Process behavior
Behavior description: Cross-process memory write
details:TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\PROG\%Program Files (x86)%\Runtime Software\GetDataBack Simple\gdbsim.exe, WriteAddress = 0x01110000, Size = 0x00000308 TargetPID = 0x00000b5c
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\PROG\%Program Files (x86)%\Runtime Software\GetDataBack Simple\gdbsim.exe, WriteAddress = 0x00400100, Size = 0x000000f8 TargetPID = 0x00000b5c
Behavior description: Create local thread
details:TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2772, ThreadID = 2784, StartAddress = 77DC845A, Parameter = 00000000
Behavior description: Create process from a newly created file
details:[0x00000b5c]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\PROG\%Program Files (x86)%\Runtime Software\GetDataBack Simple\gdbsim.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\PROG\%Program Files (x86)%\Runtime Software\GetDataBack Simple\gdbsim.exe"
Behavior description: Enumerate processes
details:N/A
File behavior
Behavior description: Create file
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\VirtApp.ini
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\AppVirtDll_fcportables.com.dll
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\EngineStamps\AppVirtDll_fcportables.com.dll.20180219-134743.449.stamp
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\AppVirtDll64_fcportables.com.dll
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\EngineStamps\AppVirtDll64_fcportables.com.dll.20180219-134743.464.stamp
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\fcportables.com.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\EngineStamps\fcportables.com.exe.20180219-134743.480.stamp
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\fcportables.com64.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\EngineStamps\fcportables.com64.exe.20180219-134743.480.stamp
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\VirtFiles.Prog.db
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\EngineStamps\VirtFiles.Prog.db.20180219-135054.277.stamp
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\SandboxCfg.db
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\EngineStamps\SandboxCfg.db.20180219-134743.480.stamp
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\VirtReg.Prog.dat
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\EngineStamps\VirtReg.Prog.dat.20180219-135054.277.stamp
Behavior description: Create executable file
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\PROG\%Program Files (x86)%\Runtime Software\GetDataBack Simple\gdbsim.exe
Behavior description: Overwrite existing file
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\VirtReg.Prog.dat
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\PROG\%Program Files (x86)%\Runtime Software\GetDataBack Simple\gdbsim.exe
Behavior description: Copy file
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\VirtFiles.Prog.db ---> C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\CHANGES\VirtFiles.db
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\VirtReg.Prog.dat ---> C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\CHANGES\VirtReg.dat
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\VirtReg.Prog.dat ---> C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\CHANGES\VirtReg.Base.dat
Behavior description: Delete file
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\CHANGES\VirtFiles.db
Behavior description: Search for file
details:FileName = C:\DOCUME~1
FileName = C:\Documents and Settings\ADMINI~1
FileName = C:\Documents and Settings\Administrator\LOCALS~1
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\*.ToDelete
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\EngineStamps\AppVirtDll_fcportables.com.dll.*.stamp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\EngineStamps\AppVirtDll64_fcportables.com.dll.*.stamp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\EngineStamps\fcportables.com.exe.*.stamp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\EngineStamps\fcportables.com64.exe.*.stamp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\EngineStamps\VirtFiles.Prog.db.*.stamp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\EngineStamps\SandboxCfg.db.*.stamp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\EngineStamps\VirtReg.Prog.dat.*.stamp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\EngineStamps\ZipCache.*.stamp
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\Data
Behavior description: Rename file
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\CHANGES\VirtFiles.db.2776.tmp ---> C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\CHANGES\VirtFiles.db
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\CHANGES\VirtFiles.db.2912.tmp ---> C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\CHANGES\VirtFiles.db
Behavior description: Modify file contents
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\VirtApp.ini ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\CHANGES\VirtFiles.db ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\VirtReg.Prog.dat ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\CHANGES\VirtReg.dat ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\CHANGES\VirtReg.Base.dat ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\CHANGES\VirtFiles.db.2776.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\CHANGES\CryptCheck.dat ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\AppVirtDll_fcportables.com.dll ---> Offset = 262144
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\AppVirtDll_fcportables.com.dll ---> Offset = 327680
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\AppVirtDll_fcportables.com.dll ---> Offset = 393216
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\AppVirtDll_fcportables.com.dll ---> Offset = 458752
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\AppVirtDll_fcportables.com.dll ---> Offset = 524288
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\PROG\%Program Files (x86)%\Runtime Software\GetDataBack Simple\gdbsim.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\PROG\%Program Files (x86)%\Runtime Software\GetDataBack Simple\gdbsim.exe ---> Offset = 4096
C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\PROG\%Program Files (x86)%\Runtime Software\GetDataBack Simple\gdbsim.exe ---> Offset = 8192
Behavior description: Modify newly created executable file
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\PROG\%Program Files (x86)%\Runtime Software\GetDataBack Simple\freeimage.dll
Registry behavior
Behavior description: Modify registry
details:\REGISTRY\USER\S-*\Software\VOS\fcportables.com\BaseDirName
\REGISTRY\USER\S-*\Software\VOS\fcportables.com\CarrierExeName
\REGISTRY\USER\S-*\Software\VOS\fcportables.com\Registry\MACHINE\SOFTWARE\Runtime Software\GetDataBackNT\Language
\REGISTRY\USER\S-*\Software\VOS\fcportables.com\Registry\MACHINE\SOFTWARE\Runtime Software\GetDataBackNT\License\Key
\REGISTRY\USER\S-*\Software\VOS\fcportables.com\Registry\MACHINE\SOFTWARE\Runtime Software\GetDataBackNT\License\Name
\REGISTRY\USER\S-*\Software\VOS\fcportables.com\Registry\MACHINE\SOFTWARE\Wow6432Node\Runtime Software\GetDataBackNT\Language
\REGISTRY\USER\S-*\Software\VOS\fcportables.com\Registry\MACHINE\SOFTWARE\Wow6432Node\Runtime Software\GetDataBackNT\License\Key
\REGISTRY\USER\S-*\Software\VOS\fcportables.com\Registry\MACHINE\SOFTWARE\Wow6432Node\Runtime Software\GetDataBackNT\License\Name
\REGISTRY\USER\S-*\Software\VOS\fcportables.com\DataIntegrity
Behavior description: Delete registry value
details:\REGISTRY\USER\S-*\Software\VOS\fcportables.com\DataIntegrity
Other behavior
Behavior description: Create mutex
details:oleacc-msaa-loaded
Cameyo.VirtAppsMutex
Cameyo.BasicDeployMutex.fcportables.com
Cameyo.MatrixDiskMutex.fcportables.com
fcportables.com_VirtFilesIpcValidator_IpcCfgValidatorMutex
C__Documents and Settings_Administrator_Local Settings_Temp_EB93A6_Data_fcportables.com_CHANGES_VirtFiles.db
Cameyo.fcportables.com.2772
mchMixCache$10012b50$ad4
Mutex, mAH, Process $00000ad4, API $7c92dc40
Mutex, mAH, Process $00000ad4, API $71ac0000
Mutex, mAH, Process $00000ad4, API $7c92d750
Mutex, mAH, Process $00000ad4, API $7c92d090
Mutex, mAH, Process $00000ad4, API $7c92d580
Mutex, mAH, Process $00000ad4, API $7c92d790
Mutex, mAH, Process $00000ad4, API $7c92d6f0
Behavior description: Create event object
details:EventName = DINPUTWINMM
Behavior description: Direct call to a critical system API
details:Index = 0x0000007F, Name: NtOpenSymbolicLinkObject, Instruction Address = 0x004AE119
Behavior description: MD5 of modified executable file
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\PROG\%Program Files (x86)%\Runtime Software\GetDataBack Simple\freeimage.dll ---> 文件过大!
Behavior description: Get TickCount value
details:TickCount = 227593, SleepMilliseconds = 500.
TickCount = 227400, SleepMilliseconds = 150.
Behavior description: Open event
details:HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Behavior description: Signature information of modified executable file
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\PROG\%Program Files (x86)%\Runtime Software\GetDataBack Simple\freeimage.dll(签名验证: 未通过)
Behavior description: Executable file signature information
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\PROG\%Program Files (x86)%\Runtime Software\GetDataBack Simple\gdbsim.exe(签名验证: 未通过)
Behavior description: Call Sleep function
details:[1]: MilliSeconds = 500.
[2]: MilliSeconds = 500.
[3]: MilliSeconds = 500.
[4]: MilliSeconds = 150.
Behavior description: Executable file MD5
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\PROG\%Program Files (x86)%\Runtime Software\GetDataBack Simple\gdbsim.exe ---> d6e8dd2402773f8f8d700745fbb8e09f
Behavior description: Open mutex
details:Cameyo.VirtAppsMutex
Cameyo.MatrixDiskMutex.fcportables.com
fcportables.com_VirtFilesIpcValidator_IpcCfgValidatorMutex
C__Documents and Settings_Administrator_Local Settings_Temp_EB93A6_Data_fcportables.com_CHANGES_VirtFiles.db
ShimCacheMutex
Behavior description: Find specified window
details:NtUserFindWindowEx: [Class,Window] = [,GFXSVR]
Behavior description: Load newly dropped file
details:Image: C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\AppVirtDll_fcportables.com.dll.
Image: C:\Documents and Settings\Administrator\Local Settings\%temp%\Data\fcportables.com\PROG\%Program Files (x86)%\Runtime Software\GetDataBack Simple\FreeImage.dll.