VirSCAN

File information
Safety rating: 50
Behavior list
Basic Information
MD5: 47c7bd13942893277a25073983db2303
File type: EXE
Production company:
Version:
Shell or compiler information: COMPILER:Microsoft Visual C++ 7.0
Subfile information: 7dumpFile / c328aab203b6a8415979d3959a76e7a3 / EXE
imdisk.cpl / 7c7bc8c14f48edda91b9939c5ac5ec05 / DLL
imdisk.cpl / 71a9cae07c74be20fc608cb3114deae7 / DLL
ImdiskMenuExt.dll / cdb8a6725624c5d9ca4dea8d1f72a886 / DLL
imdisk.exe / 8b96af927bf26a67e6ca3241f2ffb99c / EXE
imdisk.exe / f18c1155eb5a186a6589d199532a32c1 / EXE
imdisk.sys / 3c9f84b37b3053fb54bb80bdac1072d3 / SYS
imdisk.sys / 56772bad4536925fd18544b8b499949a / SYS
awealloc.sys / 1d3e3f6907a25e9e5fb465c9b3510ea2 / SYS
awealloc.sys / acdfd244fcb01db63649fa8b5eed8513 / SYS
imdsksvc.exe / aed76961cea0f20d261763d8d413c73e / EXE
imdsksvc.exe / f4b1f9622efd7d12958168f4bf164e35 / EXE
uninstall_imdisk.cmd / 9bec56cd576695afd869a3f23c565010 / Unknown
ImdiskMenuExt.bmp / dc6d1b58bb0d313eb22e49a1e2c8513a / Unknown
CheckImdiskMenuExt.cmd / 56caabd71cb888e8b47e51d5b51fbb72 / Unknown
Key behavior
Behavior description: Cross-process memory write
details:TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x7ffdd008, Size = 0x00000004 TargetPID = 0x00000f94
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x00400000, Size = 0x000c5000 TargetPID = 0x00000f94
Behavior description: Set thread context
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
Behavior description: Get TickCount value
details:TickCount = 223047, SleepMilliseconds = 1.
TickCount = 223063, SleepMilliseconds = 1.
TickCount = 223079, SleepMilliseconds = 1.
TickCount = 223094, SleepMilliseconds = 1.
Behavior description: Look up PE resource information
details:(FindResourceW) hModule = 0x00400000, ResName: #7, ResType: EXEDATA
Behavior description: Set special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587
Behavior description: Direct call to critical system API
details:Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x00403FAB
Process behavior
Behavior description: Create process with hidden window
details:ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, CmdLine = 7z x "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~4388133980922809587.txt" -aoa -y -o"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~4388133980922809587" -p"zzz"
ImagePath = , CmdLine = cmd.exe /c rd "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~4388133980922809587" /s /q
ImagePath = , CmdLine = cmd /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~PECMD~1.BAT C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~43881~1
Behavior description: Create process
details:[0x00000f94]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, CmdLine = 7z x "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~4388133980922809587.txt" -aoa -y -o"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~4388133980922809587" -p"zzz"
[0x0000080c]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /c rd "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~4388133980922809587" /s /q
[0x00000820]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~PECMD~1.BAT C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~43881~1
Behavior description: Create local thread
details:TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3896, ThreadID = 3908, StartAddress = 00402FF2, Parameter = 004ACC04
TargetProcess: %temp%\****.exe, InheritedFromPID = 3896, ProcessID = 3988, ThreadID = 1940, StartAddress = 77C0A341, Parameter = 0102E028
TargetProcess: %temp%\****.exe, InheritedFromPID = 3896, ProcessID = 3988, ThreadID = 112, StartAddress = 77C0A341, Parameter = 0102E028
TargetProcess: %temp%\****.exe, InheritedFromPID = 3896, ProcessID = 3988, ThreadID = 1608, StartAddress = 77C0A341, Parameter = 01028C00
TargetProcess: %temp%\****.exe, InheritedFromPID = 3896, ProcessID = 3988, ThreadID = 1336, StartAddress = 77C0A341, Parameter = 0102E0D8
Behavior description: Cross-process memory write
details:TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x7ffdd008, Size = 0x00000004 TargetPID = 0x00000f94
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, WriteAddress = 0x00400000, Size = 0x000c5000 TargetPID = 0x00000f94
Behavior description: Set thread context
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
Behavior description: Enumerate processes
details:N/A
File behavior
Behavior description: Create file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\changes.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm00.png
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm01.png
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm02.png
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm03.png
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm04.png
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm05.png
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm06.png
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm09.png
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm10.png
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm11.png
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm12.png
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm14.png
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\desktop.ini
Behavior description: Create executable file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\7zx64.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\FVIE.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\ResourceHacker.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\UPX.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\x64单文件模板.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\x86单文件模板.exe
Behavior description: Modify script file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\~pecmd_mktmp.3896.0~.bat ---> Offset = 0
Behavior description: Search for file
details:FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe.autoapp.wcs
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~4388133980922809587.txt
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~4388133980922809587\changes.txt
FileName = \\?\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~4388133980922809587\changes.txt
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~4388133980922809587\Help\bm00.png
FileName = \\?\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~4388133980922809587\Help\bm00.png
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~4388133980922809587\Help\bm01.png
FileName = \\?\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~4388133980922809587\Help\bm01.png
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~4388133980922809587\Help\bm02.png
FileName = \\?\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~4388133980922809587\Help\bm02.png
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~4388133980922809587\Help\bm03.png
FileName = \\?\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~4388133980922809587\Help\bm03.png
Behavior description: Delete file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\7zx64.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\changes.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\FVIE.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm00.png
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm01.png
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm02.png
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm03.png
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm04.png
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm05.png
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm06.png
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm09.png
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm10.png
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm11.png
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm12.png
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm14.png
Behavior description: Set special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587
Behavior description: Modify file content
details:C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587.txt ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587.txt ---> Offset = 1944446
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\changes.txt ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm00.png ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm01.png ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm02.png ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm03.png ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm04.png ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm05.png ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm06.png ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm09.png ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm10.png ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm11.png ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm12.png ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\Help\bm14.png ---> Offset = 0
Other behavior
Behavior description: Create mutex
details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
MSCTF.Shared.MUTEX.MDP
Behavior description: Hide specified window
details:[Window,Class] = [,ComboLBox]
[Window,Class] = [取消,Button]
[Window,Class] = [执行,Button]
[Window,Class] = [解压密码,Static]
[Window,Class] = [执行命令,Static]
[Window,Class] = [释放路径,Static]
[Window,Class] = [图标资源,Static]
[Window,Class] = [压缩资源,Static]
[Window,Class] = [123456,Edit]
[Window,Class] = [EXEC =%&Extract_Path%\PE.EXE %*,ComboBox]
[Window,Class] = [%Curdir%,ComboBox]
[Window,Class] = [请拖入文件(*.ico;*.exe;*.dll)...,Edit]
[Window,Class] = [请拖入文件(*.7z;*.rar)...,Edit]
[Window,Class] = [,Button]
Behavior description: Direct call to critical system API
details:Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x00403FAB
Behavior description: Find specified window
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Window information
details:Pid = 3896, Hwnd=0x10348, Text = 请拖入文件(*.7z;*.rar)..., ClassName = Edit.
Pid = 3896, Hwnd=0x1034a, Text = 请拖入文件(*.ico;*.exe;*.dll)..., ClassName = Edit.
Pid = 3896, Hwnd=0x1034c, Text = %Temp%, ClassName = ComboBox.
Pid = 3896, Hwnd=0x10350, Text = %Temp%, ClassName = Edit.
Pid = 3896, Hwnd=0x10352, Text = EXEC =%&Extract_Path%\PE.EXE %*, ClassName = ComboBox.
Pid = 3896, Hwnd=0x10356, Text = EXEC =%&Extract_Path%\PE.EXE %*, ClassName = Edit.
Pid = 3896, Hwnd=0x1035a, Text = 压缩资源, ClassName = Static.
Pid = 3896, Hwnd=0x1035c, Text = 图标资源, ClassName = Static.
Pid = 3896, Hwnd=0x1035e, Text = 释放路径, ClassName = Static.
Pid = 3896, Hwnd=0x10360, Text = 执行命令, ClassName = Static.
Pid = 3896, Hwnd=0x10362, Text = 解压密码, ClassName = Static.
Pid = 3896, Hwnd=0x10364, Text = 执行, ClassName = Button.
Pid = 3896, Hwnd=0x10366, Text = 取消, ClassName = Button.
Pid = 3896, Hwnd=0x3033e, Text = 单文件制作工具, ClassName = #32770.
Pid = 3896, Hwnd=0x1034c, Text = %Curdir%, ClassName = ComboBox.
Behavior description: Get TickCount value
details:TickCount = 223047, SleepMilliseconds = 1.
TickCount = 223063, SleepMilliseconds = 1.
TickCount = 223079, SleepMilliseconds = 1.
TickCount = 223094, SleepMilliseconds = 1.
Behavior description: Adjust process token privileges
details:SE_BACKUP_PRIVILEGE
SE_RESTORE_PRIVILEGE
SE_INC_BASE_PRIORITY_PRIVILEGE
SE_SECURITY_PRIVILEGE
SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Open event
details:HookSwitchHookEnabledEvent
CTF.ThreadMIConnectionEvent.000007E8.00000000.0000000F
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.0000000F
MSCTF.SendReceive.Event.IOH.IC
MSCTF.SendReceiveConection.Event.IOH.IC
_fCanRegisterWithShellService
Behavior description: Look up PE resource information
details:(FindResourceW) hModule = 0x00400000, ResName: #7, ResType: EXEDATA
Behavior description: Executable signature information
details:C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\7zx64.exe(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\FVIE.exe(签名验证: 通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\ResourceHacker.exe(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\UPX.exe(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\x64单文件模板.exe(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\x86单文件模板.exe(签名验证: 未通过)
Behavior description: Call Sleep function
details:[1]: MilliSeconds = 1.
[2]: MilliSeconds = 1.
[3]: MilliSeconds = 1.
[4]: MilliSeconds = 1.
[5]: MilliSeconds = 1.
[6]: MilliSeconds = 1.
[7]: MilliSeconds = 1.
[8]: MilliSeconds = 1.
[9]: MilliSeconds = 1.
[10]: MilliSeconds = 1.
Behavior description: Create event object
details:EventName = MSCTF.SendReceive.Event.MDP.IC
EventName = MSCTF.SendReceiveConection.Event.MDP.IC
EventName = ShellCopyEngineRunning
EventName = ShellCopyEngineFinished
Behavior description: Executable MD5
details:C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\7zx64.exe ---> cc412934e569ffd7fc721ab7955dcd9a
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\FVIE.exe ---> a48b5406ba08349014ebfbcd8d82b89d
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\ResourceHacker.exe ---> fb8b0825d1a5d6c248cb8f5811b21d18
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\UPX.exe ---> 0a493c3b30c4f095b68171621ca94fde
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\x64单文件模板.exe ---> da5011c66fdea836510c44fb6d763fed
C:\Documents and Settings\Administrator\Local Settings\Temp\~4388133980922809587\x86单文件模板.exe ---> f1d6ca8c63e65b5981456615f2668c99
Behavior description: Open mutex
details:ShimCacheMutex