VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected compressed files if the password is 'infected' or 'virus'.


File information
Safety rating:
Behavior list
Basic information
MD5: 614880e2da9661e4587173f707c79ba5
File type:
Production company:
Version:
Shell or compiler information:
Key behavior
Behavior description: Directly calls a critical system API
details:Index = 0x000000E0, Name: NtSetInformationFile, Instruction Address = 0x00539F9D
Behavior description: Directly reads the CPU clock
details:EAX = 0x03531a87, EDX = 0x000000bf
Behavior description: Reads the TickCount value
details:TickCount = 255093, SleepMilliseconds = 250.
Process behavior
Behavior description: Creates local threads
details:TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2804, ThreadID = 2840, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2804, ThreadID = 2976, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2804, ThreadID = 2980, StartAddress = 7C930230, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2804, ThreadID = 2984, StartAddress = 7C949B6F, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2804, ThreadID = 2988, StartAddress = 4AEA7456, Parameter = 00000000
File behavior
Behavior description: Creates files
details:C:\Documents and Settings\All Users\Application Data\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963}\LC.INI
C:\Documents and Settings\Administrator\Local Settings\Application Data\NPE\NPETraceInProgress.etl
C:\Documents and Settings\Administrator\Local Settings\Application Data\NPE\ErrMgmt\SQCLIENT.dat
C:\Documents and Settings\Administrator\Local Settings\Application Data\NPE\ErrMgmt\SQCLIENT.dat.log
Behavior description: Renames a file
details:C:\Documents and Settings\Administrator\Local Settings\Application Data\NPE\NPETraceInProgress.etl ---> C:\Documents and Settings\Administrator\Local Settings\Application Data\NPE\NPETraceSession.etl
Behavior description: Overwrites an existing file
details:C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
Behavior description: Deletes a file
details:C:\Documents and Settings\Administrator\Local Settings\Application Data\NPE\ErrMgmt\SQCLIENT.dat.log
Behavior description: Modifies file contents
details:C:\Documents and Settings\All Users\Application Data\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963}\LC.INI ---> Offset = 0
C:\Documents and Settings\All Users\Application Data\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963}\LC.INI ---> Offset = 7
C:\Documents and Settings\All Users\Application Data\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963}\LC.INI ---> Offset = 53
C:\Documents and Settings\All Users\Application Data\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963}\LC.INI ---> Offset = 74
C:\Documents and Settings\All Users\Application Data\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963}\LC.INI ---> Offset = 92
C:\Documents and Settings\Administrator\Local Settings\Application Data\NPE\NPETraceInProgress.etl ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Application Data\NPE\NPETraceInProgress.etl ---> Offset = 140
C:\Documents and Settings\Administrator\Local Settings\Application Data\NPE\ErrMgmt\SQCLIENT.dat ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Application Data\NPE\ErrMgmt\SQCLIENT.dat.log ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Application Data\NPE\ErrMgmt\SQCLIENT.dat ---> Offset = 512
C:\Documents and Settings\Administrator\Local Settings\Application Data\NPE\ErrMgmt\SQCLIENT.dat.log ---> Offset = 32
C:\Documents and Settings\Administrator\Local Settings\Application Data\NPE\NPETraceInProgress.etl ---> Offset = 120
C:\Documents and Settings\Administrator\Local Settings\Application Data\NPE\NPETraceInProgress.etl ---> Offset = 372
Registry behavior
Behavior description: Modifies the registry
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\WMI\GlobalLogger\Start
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\WMI\GlobalLogger\FileName
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\WMI\GlobalLogger\BufferSize
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\WMI\GlobalLogger\C38AF496-FDAD-460A-9ED0-FEBDD490FF89\Flags
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\WMI\GlobalLogger\C38AF496-FDAD-460A-9ED0-FEBDD490FF89\Level
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\WMI\GlobalLogger\BE4171F1-8285-41B8-A4AB-7D6E73BD8712\Flags
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\WMI\GlobalLogger\BE4171F1-8285-41B8-A4AB-7D6E73BD8712\Level
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\WMI\GlobalLogger\86EE033A-2259-4E4E-82BC-79C7FB353D27\Flags
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\WMI\GlobalLogger\86EE033A-2259-4E4E-82BC-79C7FB353D27\Level
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\WMI\GlobalLogger\9F4BAE25-E546-4307-AC98-DB55897FE597\Flags
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\WMI\GlobalLogger\9F4BAE25-E546-4307-AC98-DB55897FE597\Level
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\WMI\GlobalLogger\D149D149-D149-D149-D149-D149D149D149\Flags
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\WMI\GlobalLogger\D149D149-D149-D149-D149-D149D149D149\Level
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\WMI\GlobalLogger\ED78D096-EBF4-11DC-B20B-0017F209DE16\Flags
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\WMI\GlobalLogger\ED78D096-EBF4-11DC-B20B-0017F209DE16\Level
Behavior description: Deletes registry keys
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\WMI\GlobalLogger\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\WMI\GlobalLogger\ED78D096-EBF4-11DC-B20B-0017F209DE16\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\WMI\GlobalLogger\D149D149-D149-D149-D149-D149D149D149\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\WMI\GlobalLogger\C38AF496-FDAD-460A-9ED0-FEBDD490FF89\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\WMI\GlobalLogger\BE4171F1-8285-41B8-A4AB-7D6E73BD8712\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\WMI\GlobalLogger\B513074F-BF61-4B2B-9FA6-03BD7AC14130\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\WMI\GlobalLogger\9F4BAE25-E546-4307-AC98-DB55897FE597\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\WMI\GlobalLogger\86EE033A-2259-4E4E-82BC-79C7FB353D27\
Other behavior
Behavior description: Directly calls a critical system API
details:Index = 0x000000E0, Name: NtSetInformationFile, Instruction Address = 0x00539F9D
Behavior description: Checks whether it is being debugged
details:IsDebuggerPresent
Behavior description: Creates mutexes
details:oleacc-msaa-loaded
Global\Symantec_CLCGlobal_File
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
MSCTF.Shared.MUTEX.IPK
Behavior description: Creates event objects
details:EventName = Global\crypt32LogoffEvent
EventName = Global\userenv: User Profile setup event
EventName = DINPUTWINMM
EventName = MSCTF.SendReceive.Event.IPK.IC
EventName = MSCTF.SendReceiveConection.Event.IPK.IC
Behavior description: Opens a mutex
details:ShimCacheMutex
Behavior description: Searches for a specified window
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Window information
details:Pid = 2804, Hwnd=0x10346, Text = Norton Power Eraser, ClassName = NortonPowerEraserWnd.
Behavior description: Reads the TickCount value
details:TickCount = 255093, SleepMilliseconds = 250.
Behavior description: Adjusts process token privileges
details:SE_SECURITY_PRIVILEGE
Behavior description: Opens events
details:Global\crypt32LogoffEvent
HookSwitchHookEnabledEvent
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Behavior description: Calls the Sleep function
details:[1]: MilliSeconds = 250.
Behavior description: Directly reads the CPU clock
details:EAX = 0x03531a87, EDX = 0x000000bf