VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives whose password is 'infected' or 'virus'.


File information
Safety rating: 19
Behavior list
Behavior analysis report: Threatbook file behavior analysis report
Basic Information
MD5: 512301c535c88255c9a252fdf70b7a03
File type: EXE
Production company:
Version:
Packer or compiler information: PACKER: FSG 2.0 -> bart/xt
Key behavior
Behavior description:Kill process
details:RavMon.exe
C:\WINDOWS\system32\taskmgr.exe
Behavior description:Forcibly kill process repeatedly
details:C:\WINDOWS\system32\taskmgr.exe
Behavior description:Set special file attributes
details:C:\WINDOWS\setup.exe
C:\setup.exe
Behavior description:Stop system service
details:ServiceName = Task Scheduler
ServiceName = Windows Firewall/Internet Connection Sharing (ICS)
ServiceName = Security Center
Behavior description:Create autorun file in root directory
details:C:\autorun.inf
Behavior description:Set special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description:Modify registry: startup item
details:\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Run\svcshare
Process behavior
Behavior description:Forcibly kill process repeatedly
details:C:\WINDOWS\system32\taskmgr.exe
Behavior description:Create process from newly created file
details:ImagePath = C:\WINDOWS\system32\drivers\spo0lsv.exe, CmdLine = C:\WINDOWS\system32\drivers\spo0lsv.exe
Behavior description:Create process
details:ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /c net share X$ /del /y
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /c net share D$ /del /y
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /c net share C$ /del /y
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /c net share A$ /del /y
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /c net share admin$ /del /y
ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net share X$ /del /y
ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net share D$ /del /y
ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net share C$ /del /y
ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net share A$ /del /y
ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net share admin$ /del /y
ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 share X$ /del /y
ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 share D$ /del /y
ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 share C$ /del /y
ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 share A$ /del /y
ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 share admin$ /del /y
Behavior description:Enumerate processes
details:N/A
Behavior description:Kill process
details:RavMon.exe
C:\WINDOWS\system32\taskmgr.exe
File behavior
Behavior description:Create executable file
details:C:\WINDOWS\system32\drivers\spo0lsv.exe
C:\WINDOWS\$NtUninstallKB2412687$\spuninst\spuninst.exe
C:\WINDOWS\setup.exe
C:\setup.exe
C:\WINDOWS\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe
Behavior description:Set special file attributes
details:C:\WINDOWS\setup.exe
C:\setup.exe
Behavior description:Create autorun file in root directory
details:C:\autorun.inf
Behavior description:Set special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description:Modify file contents
details:C:\WINDOWS\$NtUninstallKB2412687$\Desktop_.ini---> Offset = 0
C:\WINDOWS\$NtUninstallKB2412687$\spuninst\Desktop_.ini---> Offset = 0
C:\WINDOWS\addins\Desktop_.ini---> Offset = 0
C:\WINDOWS\AppPatch\Desktop_.ini---> Offset = 0
C:\WINDOWS\assembly\Desktop_.ini---> Offset = 0
C:\WINDOWS\assembly\GAC_32\Desktop_.ini---> Offset = 0
C:\WINDOWS\assembly\GAC_32\CustomMarshalers\Desktop_.ini---> Offset = 0
C:\WINDOWS\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\Desktop_.ini---> Offset = 0
C:\WINDOWS\assembly\GAC_32\ISymWrapper\Desktop_.ini---> Offset = 0
C:\WINDOWS\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\Desktop_.ini---> Offset = 0
C:\WINDOWS\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\Desktop_.ini---> Offset = 0
C:\WINDOWS\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\Desktop_.ini---> Offset = 0
C:\WINDOWS\assembly\GAC_32\mscorlib\Desktop_.ini---> Offset = 0
C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\Desktop_.ini---> Offset = 0
C:\WINDOWS\assembly\GAC_32\PresentationCore\Desktop_.ini---> Offset = 0
Behavior description:Modify newly created executable file
details:C:\WINDOWS\$NtUninstallKB2412687$\spuninst\spuninst.exe---> Offset = 30257
C:\WINDOWS\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe---> Offset = 30513
Network behavior
Behavior description:Open URL over network
details:InternetOpenUrlA: http://www.tom.com hInternet = 0x00000214
InternetOpenUrlA: http://www.163.com hInternet = 0x00000210
InternetOpenUrlA: http://www.sohu.com hInternet = 0x00000218
InternetOpenUrlA: http://www.yahoo.com hInternet = 0x0000021c
InternetOpenUrlA: http://www.google.com hInternet = 0x00000220
InternetOpenUrlA: http://www.ac86.cn/66/up.txt hInternet = 0x00000240
InternetOpenUrlA: http://www.tom.com hInternet = 0x000002c8
InternetOpenUrlA: http://www.163.com hInternet = 0x000002b0
InternetOpenUrlA: http://www.sohu.com hInternet = 0x000002bc
InternetOpenUrlA: http://www.yahoo.com hInternet = 0x000002c0
InternetOpenUrlA: http://www.google.com hInternet = 0x00000284
InternetOpenUrlA: http://www.tom.com hInternet = 0x00000354
InternetOpenUrlA: http://www.163.com hInternet = 0x00000334
InternetOpenUrlA: http://www.sohu.com hInternet = 0x00000358
InternetOpenUrlA: http://www.yahoo.com hInternet = 0x0000035c
Behavior description:Download file
details:URLDownloadToFileW: (the logged argument is raw binary data beginning with 'MZ' rather than a readable URL; the download target cannot be recovered from this report)
Behavior description:Read network file
details:hFile = 0x00000214, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000210, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000218, BytesToRead =1024, BytesRead = 1024.
hFile = 0x0000021c, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000220, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000240, BytesToRead =1024, BytesRead = 1024.
hFile = 0x000002c8, BytesToRead =1024, BytesRead = 1024.
hFile = 0x000002b0, BytesToRead =1024, BytesRead = 1024.
hFile = 0x000002bc, BytesToRead =1024, BytesRead = 1024.
hFile = 0x000002c0, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000284, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000354, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000334, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000358, BytesToRead =1024, BytesRead = 1024.
hFile = 0x0000035c, BytesToRead =1024, BytesRead = 1024.
Registry behavior
Behavior description:Delete registry value: remove startup item
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavTask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KvMonXP
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YLive.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yassistse
Behavior description:Delete registry key
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW
Behavior description:Modify registry: folder view setting
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
Behavior description:Delete registry value
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\DWFileTreeRoot
Behavior description:Modify registry: startup item
details:\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Run\svcshare
Other behavior
Behavior description:Find specified window
details:NtUserFindWindowEx: [Class,Window] = [,]
NtUserFindWindowEx: [Class,Window] = [msctls_statusbar32,]
Behavior description:Stop system service
details:ServiceName = Task Scheduler
ServiceName = Windows Firewall/Internet Connection Sharing (ICS)
ServiceName = Security Center
Behavior description:Create mutex
details:SHIMLIB_LOG_MUTEX
Behavior description:Acquire system privilege
details:SE_DEBUG_PRIVILEGE
Abnormal crash
Behavior description:Find specified window
details:NtUserFindWindowEx: [Class,Window] = [,]
NtUserFindWindowEx: [Class,Window] = [msctls_statusbar32,]
Behavior description:Stop system service
details:ServiceName = Task Scheduler
ServiceName = Windows Firewall/Internet Connection Sharing (ICS)
ServiceName = Security Center
Behavior description:Create mutex
details:SHIMLIB_LOG_MUTEX
Behavior description:Acquire system privilege
details:SE_DEBUG_PRIVILEGE
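The report above is a flat list of "Behavior description:" / "details:" lines, and the behaviors that make this sample worth acting on are scattered across its process, file, registry and service sections: administrative shares removed with `net share <X>$ /del /y`, an autorun.inf dropped in the drive root, Explorer's SHOWALL hidden-files setting tampered with, a Run-key autostart added while the Run keys of installed security products are deleted, the Security Center and firewall services stopped, Task Manager and RavMon.exe killed, and a process named spo0lsv.exe (zero, not the letter o) mimicking the legitimate spooler. The following Python script is an added example, not part of the VirSCAN page or the Threatbook report: it parses report lines in this format, tags those indicators, and extracts IOCs. The tag names, the rule regexes and the sample report text are constructed here (the sample is a subset of the report above, using the behavior labels as translated on this page); nothing in it is Threatbook's own detection logic.

```python
import re

# Constructed sample in the shape of the report above (a subset). Raw string,
# because the paths contain backslashes.
SAMPLE_REPORT = r"""
Process behavior
Behavior description:Create process from newly created file
details:ImagePath = C:\WINDOWS\system32\drivers\spo0lsv.exe, CmdLine = C:\WINDOWS\system32\drivers\spo0lsv.exe
Behavior description:Create process
details:ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /c net share C$ /del /y
ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 share admin$ /del /y
Behavior description:Kill process
details:RavMon.exe
C:\WINDOWS\system32\taskmgr.exe
File behavior
Behavior description:Create autorun file in root directory
details:C:\autorun.inf
Registry behavior
Behavior description:Delete registry value: remove startup item
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavTask
Behavior description:Modify registry: folder view setting
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
Behavior description:Modify registry: startup item
details:\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Run\svcshare
Other behavior
Behavior description:Stop system service
details:ServiceName = Security Center
ServiceName = Windows Firewall/Internet Connection Sharing (ICS)
"""

SECTION_RE = re.compile(r"^[A-Z][A-Za-z ]*behavior$")
BEHAVIOR_RE = re.compile(r"^Behavior description:(.*)$")
DETAIL_RE = re.compile(r"^details:(.*)$")


def parse_report(text):
    """Return (section, behavior, detail) triples.

    A 'details:' line opens the detail list of the current behavior; bare
    lines that follow are continuation details for the same behavior.
    """
    records = []
    section = behavior = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SECTION_RE.match(line):
            section, behavior = line, None
            continue
        m = BEHAVIOR_RE.match(line)
        if m:
            behavior = m.group(1).strip()
            continue
        m = DETAIL_RE.match(line)
        detail = (m.group(1) if m else line).strip()
        if behavior is not None and detail:
            records.append((section, behavior, detail))
    return records


# Hypothetical tag names; each regex is matched against "behavior | detail".
RULES = {
    # "net share <X>$ /del /y" removes the default administrative shares
    "admin-share-removal": r"\bnet1?\s+share\s+\S+\$\s+/del\b",
    # autorun.inf dropped in a drive root (removable-media spread)
    "autorun-in-drive-root": r"\| [a-z]:\\autorun\.inf$",
    # Explorer's "show hidden files" setting, tampered so hidden drops stay hidden
    "hidden-files-view-tamper": r"\\Explorer\\Advanced\\Folder\\Hidden\\SHOWALL\\CheckedValue$",
    # a new Run-key autostart written by the sample
    "run-key-persistence": r"^Modify registry.*\\CurrentVersion\\Run\\[^\\]+$",
    # an existing Run-key autostart deleted (security products disabled)
    "av-autostart-removal": r"^Delete registry value.*\\CurrentVersion\\Run\\[^\\]+$",
    # protective services stopped
    "security-service-stop": r"ServiceName = (Security Center|Windows Firewall|Task Scheduler)",
    # Task Manager or an AV process killed
    "security-tool-kill": r"^(Forcibly )?kill process.*\| .*(taskmgr|RavMon)\.exe$",
    # "spo0lsv.exe" with a zero: a look-alike of the legitimate spoolsv.exe
    "spoolsv-lookalike": r"spo0lsv\.exe",
}
COMPILED_RULES = {tag: re.compile(pat, re.IGNORECASE) for tag, pat in RULES.items()}
FILE_RE = re.compile(r"^[A-Za-z]:\\.*\.(exe|inf|ini|dll)$", re.IGNORECASE)


def analyze(text):
    """Tag each record against RULES and collect IOCs from the detail fields."""
    records = parse_report(text)
    findings = []
    for section, behavior, detail in records:
        subject = f"{behavior} | {detail}"
        for tag, rx in COMPILED_RULES.items():
            if rx.search(subject):
                findings.append((tag, section, detail))
    details = [d for _, _, d in records]
    iocs = {
        "files": sorted({d for d in details if FILE_RE.match(d)}),
        "registry": sorted({d for d in details if d.startswith("\\REGISTRY\\")}),
        "services": sorted({d.split("=", 1)[1].strip() for d in details if d.startswith("ServiceName =")}),
        "command_lines": sorted({d.split("CmdLine = ", 1)[1] for d in details if "CmdLine = " in d}),
    }
    tags = sorted({tag for tag, _, _ in findings})
    # score = number of distinct indicator classes hit, not a vendor verdict
    return {"tags": tags, "score": len(tags), "findings": findings, "iocs": iocs}


if __name__ == "__main__":
    result = analyze(SAMPLE_REPORT)
    print(f"score {result['score']}: {', '.join(result['tags'])}")
    for kind, values in result["iocs"].items():
        for value in values:
            print(f"  {kind}: {value}")
```

Run against the full report above, the same rules would also fire on the `net share X$`, `D$` and `A$` lines and on the other AV Run keys it deletes (KvMonXP, kav, KAVPersonal50, McAfeeUpdaterUI, ShStatEXE); the extracted registry paths, service names and command lines are the items to turn into host and EDR hunt queries, and the `spo0lsv.exe` and `svcshare` names are the quickest on-disk and Run-key checks on a suspected host.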