VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports Rar/Zip decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives whose password is 'infected' or 'virus'.


File information
Safety rating: 87
Behavior list
Basic Information
MD5: 88f672f8b8b7390ca571dab4a980bf8f
File type: EXE
Production company:
Version:
Shell or compiler information: COMPILER:UPolyX v0.5
Subfile information:
TrayEverything.exe / 5901126c7ad6b9afefabfefbc074e433 / EXE
updater.exe / da50e0616f625e2044ed11693c520e01 / EXE
hook.dll / 39dd417f47e795912ab7dd435bc00ff4 / DLL
eng.dll / ef9ea270f7ff1e4d87f24525be1eb994 / DLL
chi.dll / c6242763e00dd4abff30d4f7f0444577 / DLL
options.ini / 6c69d2a46c9c70a5aaf1436390a20b7c / Unknown
Key behavior
Behavior description: Set special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Read CPU clock directly
details: EAX = 0x91229c7a, EDX = 0x000000b5
EAX = 0xa4079716, EDX = 0x000000b5
EAX = 0xa4079762, EDX = 0x000000b5
EAX = 0xb717c1f1, EDX = 0x000000b5
Behavior description: Get TickCount value
details: TickCount = 218331, SleepMilliseconds = 50.
TickCount = 218456, SleepMilliseconds = 50.
TickCount = 218471, SleepMilliseconds = 50.
TickCount = 218487, SleepMilliseconds = 50.
TickCount = 218503, SleepMilliseconds = 50.
TickCount = 218518, SleepMilliseconds = 50.
TickCount = 218534, SleepMilliseconds = 50.
TickCount = 218550, SleepMilliseconds = 50.
TickCount = 218565, SleepMilliseconds = 50.
TickCount = 218596, SleepMilliseconds = 50.
TickCount = 218612, SleepMilliseconds = 50.
TickCount = 218628, SleepMilliseconds = 50.
TickCount = 218643, SleepMilliseconds = 50.
TickCount = 218659, SleepMilliseconds = 50.
TickCount = 218675, SleepMilliseconds = 50.
Process behavior
Behavior description: Create process
details: [0x00000e60]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe" -el -s2 "-d" "-p" "-sp"
Behavior description: Create local thread
details: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3028, ThreadID = 3116, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3028, ThreadID = 3120, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3028, ThreadID = 3124, StartAddress = 7C930230, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3028, ThreadID = 3128, StartAddress = 6359727B, Parameter = 001AD9E8
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3028, ThreadID = 3156, StartAddress = 77E56C7D, Parameter = 00246090
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3028, ThreadID = 3160, StartAddress = 769AE43B, Parameter = 028D90D8
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3028, ThreadID = 3164, StartAddress = 7C930230, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3028, ThreadID = 3172, StartAddress = 77E56C7D, Parameter = 00246510
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3028, ThreadID = 3632, StartAddress = 76BDD451, Parameter = 028D0600
TargetProcess: %temp%\****.exe, InheritedFromPID = 3028, ProcessID = 3680, ThreadID = 3776, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 3028, ProcessID = 3680, ThreadID = 3780, StartAddress = 7C930230, Parameter = 00000000
File behavior
Behavior description: Set special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Search for files
details: FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS\system32\Ras\*.pbk
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\Documents and Settings\Administrator\My Documents
FileName = C:\Documents and Settings\All Users
FileName = C:\Documents and Settings\All Users\Documents
FileName = C:\Documents and Settings\Administrator\桌面
FileName = C:\Documents and Settings\All Users\桌面
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates\*
Registry behavior
Behavior description: Modify registry
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\996E\DEBUG\Trace Level
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Behavior description: Delete registry value
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\996E\DEBUG\Trace Level
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Other behavior
Behavior description: Adjust process token privileges
details: SE_LOAD_DRIVER_PRIVILEGE
SE_ASSIGNPRIMARYTOKEN_PRIVILEGE
Behavior description: Create mutex
details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\!PrivacIE!SharedMemory!Mutex
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
RasPbFile
MSCTF.Shared.MUTEX.IOH
_SHuassist.mtx
Behavior description: Create event object
details: EventName = Global\crypt32LogoffEvent
EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = Global\Microsoft Smart Card Resource Manager Started
Behavior description: Open mutex
details: ShimCacheMutex
Local\!IETld!Mutex
RasPbFile
CtfmonInstMutexDefaultS-*
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [EDIT,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behavior description: Open event
details: HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\crypt32LogoffEvent
MSFT.VSA.COM.DISABLE.3028
MSFT.VSA.IEC.STATUS.6c736db0
Global\SvcctrlStartEvent_A3752DX
\INSTALLATION_SECURITY_HOLD
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000013
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000013
_fCanRegisterWithShellService
Global\Microsoft Smart Card Resource Manager Started
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000014
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000014
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Behavior description: Get TickCount value
details: TickCount = 218331, SleepMilliseconds = 50.
TickCount = 218456, SleepMilliseconds = 50.
TickCount = 218471, SleepMilliseconds = 50.
TickCount = 218487, SleepMilliseconds = 50.
TickCount = 218503, SleepMilliseconds = 50.
TickCount = 218518, SleepMilliseconds = 50.
TickCount = 218534, SleepMilliseconds = 50.
TickCount = 218550, SleepMilliseconds = 50.
TickCount = 218565, SleepMilliseconds = 50.
TickCount = 218596, SleepMilliseconds = 50.
TickCount = 218612, SleepMilliseconds = 50.
TickCount = 218628, SleepMilliseconds = 50.
TickCount = 218643, SleepMilliseconds = 50.
TickCount = 218659, SleepMilliseconds = 50.
TickCount = 218675, SleepMilliseconds = 50.
Behavior description: Get cursor position
details: CursorPos = (80,18468), SleepMilliseconds = 50.
CursorPos = (6373,26501), SleepMilliseconds = 50.
CursorPos = (19208,15725), SleepMilliseconds = 50.
CursorPos = (11517,29359), SleepMilliseconds = 50.
CursorPos = (27001,24465), SleepMilliseconds = 50.
CursorPos = (5744,28146), SleepMilliseconds = 50.
CursorPos = (23320,16828), SleepMilliseconds = 50.
CursorPos = (10000,492), SleepMilliseconds = 50.
CursorPos = (3034,11943), SleepMilliseconds = 50.
CursorPos = (4866,5437), SleepMilliseconds = 50.
CursorPos = (32430,14605), SleepMilliseconds = 50.
CursorPos = (3941,154), SleepMilliseconds = 50.
CursorPos = (331,12383), SleepMilliseconds = 60000.
CursorPos = (17460,18717), SleepMilliseconds = 60000.
CursorPos = (19757,19896), SleepMilliseconds = 60000.
Behavior description: Window information
details: Pid = 3028, Hwnd=0x10384, Text = 接受, ClassName = Button.
Pid = 3028, Hwnd=0x10386, Text = 拒绝, ClassName = Button.
Pid = 3028, Hwnd=0x10388, Text = 欢迎使用www.ouyaoxiazai.com的软件, ClassName = Static.
Pid = 3028, Hwnd=0x1037c, Text = 第1步:软件开始初始化并开始解压, ClassName = #32770.
Pid = 3028, Hwnd=0x1034a, Text = 目标文件夹(&D), ClassName = Static.
Pid = 3028, Hwnd=0x1034c, Text = C:\Documents and Settings\Administrator\Local Settings\%temp%, ClassName = ComboBox.
Pid = 3028, Hwnd=0x10350, Text = C:\Documents and Settings\Administrator\Local Settings\%temp%, ClassName = Edit.
Pid = 3028, Hwnd=0x10352, Text = 浏览(&W)..., ClassName = Button.
Pid = 3028, Hwnd=0x10356, Text = 解压进度, ClassName = Static.
Pid = 3028, Hwnd=0x1035c, Text = 解压, ClassName = Button.
Pid = 3028, Hwnd=0x1035e, Text = 取消, ClassName = Button.
Pid = 3028, Hwnd=0x10360, Text = 欢迎使用www.ouyaoxiazai.com的软件, ClassName = Static.
Pid = 3028, Hwnd=0x10344, Text = 第2步:选择目标地址输入解压密码, ClassName = #32770.
Pid = 3028, Hwnd=0x104f4, Text = 您想使用哪个用户帐户运行这个程序?, ClassName = Static.
Pid = 3028, Hwnd=0x104f6, Text = 当前用户(&C) (COMPUTER\Administrator), ClassName = Button(RadioButton).
Behavior description: Call Sleep function
details: [1]: MilliSeconds = 50.
[2]: MilliSeconds = 50.
[3]: MilliSeconds = 60000.
[4]: MilliSeconds = 60000.
[5]: MilliSeconds = 60000.
[6]: MilliSeconds = 60000.
[7]: MilliSeconds = 60000.
[8]: MilliSeconds = 60000.
[9]: MilliSeconds = 60000.
[10]: MilliSeconds = 60000.
Behavior description: Hide specified window
details: [Window,Class] = [,ComboLBox]
[Window,Class] = [,RICHEDIT]
[Window,Class] = [,Shell Embedding]
[Window,Class] = [,Auto-Suggest Dropdown]
[Window,Class] = [,Edit]
[Window,Class] = [,Internet Explorer_Server]
Behavior description: Read CPU clock directly
details: EAX = 0x91229c7a, EDX = 0x000000b5
EAX = 0xa4079716, EDX = 0x000000b5
EAX = 0xa4079762, EDX = 0x000000b5
EAX = 0xb717c1f1, EDX = 0x000000b5