VirSCAN

1, You can upload any file, but there is a 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but the archive must contain fewer than 20 files.
3, VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.

File information
Safety rating:70
Behavior list
Basic Information
MD5:2d3505e8713bfe829f08fc4e61948690
file type:EXE
Production company:
version:1.0.0.0---1.0.0.0
Shell or compiler information:COMPILER:Elan
Key behavior
Behavior description:Set special file attributes
details:C:\Documents and Settings\Administrator\Application Data\Microsoft\svchcst.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\VBS3.vbs
Behavior description:Get TickCount value
details:TickCount = 219485, SleepMilliseconds = 1.
TickCount = 219719, SleepMilliseconds = 1.
TickCount = 220219, SleepMilliseconds = 1.
TickCount = 220719, SleepMilliseconds = 1.
TickCount = 221219, SleepMilliseconds = 1.
TickCount = 221735, SleepMilliseconds = 1.
TickCount = 222251, SleepMilliseconds = 1.
TickCount = 222797, SleepMilliseconds = 1.
TickCount = 223282, SleepMilliseconds = 1.
TickCount = 223797, SleepMilliseconds = 1.
TickCount = 224297, SleepMilliseconds = 1.
TickCount = 224797, SleepMilliseconds = 1.
TickCount = 225297, SleepMilliseconds = 1.
TickCount = 225797, SleepMilliseconds = 1.
TickCount = 226297, SleepMilliseconds = 1.
Process behavior
Behavior description:Create process
details:[0x00000ae0]ImagePath = C:\WINDOWS\system32\wscript.exe, CmdLine = "C:\WINDOWS\System32\WScript.exe" "C:\Documents and Settings\Administrator\Application Data\Microsoft\VBS3.vbs"
Behavior description:Create local thread
details:TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2636, ThreadID = 2648, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2636, ThreadID = 2652, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2636, ThreadID = 2792, StartAddress = 004283AF, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2636, ThreadID = 2796, StartAddress = 0042872B, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2636, ThreadID = 2800, StartAddress = 00428A38, Parameter = 00000000
TargetProcess: wscript.exe, InheritedFromPID = 2636, ProcessID = 2784, ThreadID = 2876, StartAddress = 01002FD4, Parameter = 008E4488
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2636, ThreadID = 2908, StartAddress = 004283AF, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2636, ThreadID = 2912, StartAddress = 0042872B, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2636, ThreadID = 2916, StartAddress = 00428A38, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2636, ThreadID = 2944, StartAddress = 00496190, Parameter = 00E372E0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2636, ThreadID = 2948, StartAddress = 00496200, Parameter = 00E372E0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2636, ThreadID = 2952, StartAddress = 00496270, Parameter = 00E372E0
TargetProcess: wscript.exe, InheritedFromPID = 2636, ProcessID = 2784, ThreadID = 2968, StartAddress = 765E964D, Parameter = 001BD1D0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2636, ThreadID = 2972, StartAddress = 004283AF, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2636, ThreadID = 2976, StartAddress = 0042872B, Parameter = 00000000
Behavior description:Enumerate processes
details:N/A
File behavior
Behavior description:Create file
details:C:\Documents and Settings\Administrator\Application Data\Microsoft\svchcst.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\VBS3.vbs
C:\Documents and Settings\Administrator\Application Data\Microsoft\Config.ini
Behavior description:Create executable file
details:C:\Documents and Settings\Administrator\Application Data\Microsoft\svchcst.exe
Behavior description:Modify script file
details:C:\Documents and Settings\Administrator\Application Data\Microsoft\VBS3.vbs ---> Offset = 0
Behavior description:Find file
details:FileName = C:\Documents and Settings\Administrator\Application Data\svchcst.exe
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\VBS3.vbs
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\My Documents
FileName = C:\Documents and Settings\All Users
FileName = C:\Documents and Settings\All Users\Documents
FileName = C:\Documents and Settings\Administrator\桌面
FileName = C:\Documents and Settings\All Users\桌面
FileName = C:\WINDOWS
FileName = C:\WINDOWS\System32
FileName = C:\WINDOWS\System32\WScript.exe
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\wscript.exe
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\svchcst.exe
Behavior description:Set special file attributes
details:C:\Documents and Settings\Administrator\Application Data\Microsoft\svchcst.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\VBS3.vbs
Behavior description:Rename file
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe ---> C:\Documents and Settings\Administrator\Application Data\svchcst.exe
Behavior description:Modify file contents
details:C:\Documents and Settings\Administrator\Application Data\Microsoft\svchcst.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Microsoft\Config.ini ---> Offset = 0
Network behavior
Behavior description:Establish a connection to a specified socket
details:IP: **.51.203.**:9988, SOCKET = 0x00000204
Registry behavior
Behavior description:Modify registry
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\System32\WScript.exe
Other behavior
Behavior description:Create mutex
details:RasPbFile
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
XXNBbin
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Behavior description:Create event object
details:EventName = DINPUTWINMM
EventName = Global\crypt32LogoffEvent
Behavior description:Find specified window
details:NtUserFindWindowEx: [Class,Window] = [#32770,视频源]
Behavior description:Adjust process token privileges
details:SE_LOAD_DRIVER_PRIVILEGE
Behavior description:Open event
details:HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
MSFT.VSA.COM.DISABLE.2784
MSFT.VSA.IEC.STATUS.6c736db0
Global\crypt32LogoffEvent
Behavior description:Executable file signature information
details:C:\Documents and Settings\Administrator\Application Data\Microsoft\svchcst.exe(signature verification: failed)
Behavior description:Call Sleep function
details:[1]: MilliSeconds = 1.
[2]: MilliSeconds = 1.
[3]: MilliSeconds = 1.
[4]: MilliSeconds = 1.
[5]: MilliSeconds = 1.
[6]: MilliSeconds = 1.
[7]: MilliSeconds = 1.
[8]: MilliSeconds = 1.
[10]: MilliSeconds = 1.
[9]: MilliSeconds = 1.
Behavior description:Hide specified window
details:[Window,Class] = [,_EL_Timer]
[Window,Class] = [,Afx:400000:8]
Behavior description:Executable file MD5
details:C:\Documents and Settings\Administrator\Application Data\Microsoft\svchcst.exe ---> 751bcd209d6bd029a3f414a9c55fe892
Behavior description:Open mutex
details:RasPbFile
ShimCacheMutex
XXNBbin
Local\!IETld!Mutex
Run screenshot