VirSCAN

1, You can UPLOAD any files, but there is a 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but the archive must contain fewer than 20 files.
3, VirSCAN can scan password-protected compressed files if the password is 'infected' or 'virus'.

File information
Safety rating: 50
Behavior list
Behavior analysis report: Threatbook file behavior analysis report
Basic Information
MD5: 95b3a97d822b6f45e7b8f6aaaa27f514
File type: EXE
Production company: Byte Technologies
Version: 3.6.1.1---3.6.1.1
Shell or compiler information: COMPILER:Microsoft Visual C# / Basic .NET [Overlay]
Key behavior
Behavior description: Open registry key (virtual machine detection related)
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions
Behavior description: Get TickCount value
Details: TickCount = 220203, SleepMilliseconds = 250.
TickCount = 220218, SleepMilliseconds = 250.
TickCount = 220020, SleepMilliseconds = 20.
TickCount = 220035, SleepMilliseconds = 20.
TickCount = 220051, SleepMilliseconds = 20.
Process behavior
Behavior description: Create process
Details: [0x00000a64]ImagePath = C:\WINDOWS\system32\ntvdm.exe, CmdLine = "C:\WINDOWS\system32\ntvdm.exe" -f -i1 -o
[0x00000a74]ImagePath = C:\Program Files\Microsoft Office 2007\Office12\WINWORD.EXE, CmdLine = "C:\Program Files\Microsoft Office 2007\Office12\WINWORD.EXE" /n "C:\Documents and Settings\Administrator\Local Settings\Temp\New Microsoft Word Belgesi.docx"
Behavior description: Create local thread
Details: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2528, ThreadID = 2572, StartAddress = 792A741C, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2528, ThreadID = 2580, StartAddress = 791F59C0, Parameter = 001B01D0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2528, ThreadID = 2628, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2528, ThreadID = 2632, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: ntvdm.exe, InheritedFromPID = 2528, ProcessID = 2660, ThreadID = 2668, StartAddress = 0F03BEA4, Parameter = 00000000
TargetProcess: ntvdm.exe, InheritedFromPID = 2528, ProcessID = 2660, ThreadID = 2672, StartAddress = 0F0121A5, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2528, ThreadID = 2684, StartAddress = 792F7F68, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2528, ThreadID = 2688, StartAddress = 77E56C7D, Parameter = 00203B70
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2528, ThreadID = 2692, StartAddress = 769AE43B, Parameter = 001C7CF8
TargetProcess: WINWORD.EXE, InheritedFromPID = 2528, ProcessID = 2676, ThreadID = 2720, StartAddress = 77E56C7D, Parameter = 001A6218
TargetProcess: WINWORD.EXE, InheritedFromPID = 2528, ProcessID = 2676, ThreadID = 2724, StartAddress = 769AE43B, Parameter = 001A9410
TargetProcess: WINWORD.EXE, InheritedFromPID = 2528, ProcessID = 2676, ThreadID = 2728, StartAddress = 77E56C7D, Parameter = 001AAE78
TargetProcess: WINWORD.EXE, InheritedFromPID = 2528, ProcessID = 2676, ThreadID = 2760, StartAddress = 326138F8, Parameter = 02C53420
TargetProcess: WINWORD.EXE, InheritedFromPID = 2528, ProcessID = 2676, ThreadID = 2896, StartAddress = 3264B7DB, Parameter = 00000000
TargetProcess: WINWORD.EXE, InheritedFromPID = 2528, ProcessID = 2676, ThreadID = 2988, StartAddress = 314AB3EA, Parameter = 320FDEB0
File behavior
Behavior description: Create file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\Cryptered.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\New Microsoft Word Belgesi.docx
C:\WINDOWS\Temp\scs3.tmp
C:\WINDOWS\Temp\scs4.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\~$Normal.dotm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRS{07C81286-3274-48BB-A452-16E77601764A}.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~$w Microsoft Word Belgesi.docx
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRS{EB513505-05DA-4AF9-A648-85E40A17300E}.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\New Microsoft Word Belgesi.docx.LNK
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\Temp.LNK
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRF{0EA85754-5D92-478F-ABDD-D20B92ED7C11}.tmp
Behavior description: Overwrite existing file
Details: C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
Behavior description: Find file
Details: FileName = C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
FileName = C:\WINDOWS\Microsoft.NET\Framework\\*
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.INI
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\996E.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.INI
Behavior description: Delete file
Details: C:\WINDOWS\Temp\scs3.tmp
C:\WINDOWS\Temp\scs4.tmp
Behavior description: Copy file
Details: C:\Program Files\Microsoft Office 2007\Office12\OPA12.BAK ---> C:\Program Files\Microsoft Office 2007\Office12\opa12.dat
Behavior description: Modify file contents
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\Cryptered.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\Cryptered.exe ---> Offset = 4096
C:\Documents and Settings\Administrator\Local Settings\Temp\Cryptered.exe ---> Offset = 8192
C:\Documents and Settings\Administrator\Local Settings\Temp\Cryptered.exe ---> Offset = 12288
C:\Documents and Settings\Administrator\Local Settings\Temp\Cryptered.exe ---> Offset = 16384
C:\WINDOWS\Temp\scs3.tmp ---> Offset = 0
C:\WINDOWS\Temp\scs3.tmp ---> Offset = 31
C:\WINDOWS\Temp\scs3.tmp ---> Offset = 33
C:\WINDOWS\Temp\scs3.tmp ---> Offset = 36
C:\WINDOWS\Temp\scs3.tmp ---> Offset = 38
C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT ---> Offset = 0
C:\WINDOWS\Temp\scs4.tmp ---> Offset = 0
C:\WINDOWS\Temp\scs4.tmp ---> Offset = 9
C:\WINDOWS\Temp\scs4.tmp ---> Offset = 11
C:\WINDOWS\Temp\scs4.tmp ---> Offset = 77
Registry behavior
Behavior description: Modify registry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Administrator\Local Settings\Temp\Cryptered.exe
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\zv-
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00002109030000000000000000F01FEC\Usage\ProductFiles
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Common\LanguageResources\EnabledLanguages\2052
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Common\LanguageResources\EnabledLanguages\1033
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00002109030000000000000000F01FEC\Usage\WORDFiles
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\MTTT
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\5-
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\#b-
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\zc-
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\8d-
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\qe-
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\?e-
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\-f-
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Common\ReviewCycle\ReviewToken
Behavior description: Delete registry key
Details: \REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\
Behavior description: Open registry key (virtual machine detection related)
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions
Behavior description: Delete registry value
Details: \REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\5-
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\#b-
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\zc-
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\8d-
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\qe-
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\?e-
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\File MRU\Max Display
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\File MRU\Item 1
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\File MRU\Item 2
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\File MRU\Item 3
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\File MRU\Item 4
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\File MRU\Item 5
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\File MRU\Item 6
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\File MRU\Item 7
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\File MRU\Item 8
Other behavior
Behavior description: Check whether it is being debugged
Details: IsDebuggerPresent
Behavior description: Create mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
MSCTF.GCompartListMUTEX.DefaultS-*
Global\MTX_MSO_Formal1_S-*
Global\MTX_MSO_AdHoc1_S-*
MSCTF.Shared.MUTEX.IOH
Behavior description: Create event object
Details: EventName = Global\CPFATE_2528_v4.0.30319
EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = Local\PrimaryWord12Mutex_S-*
Behavior description: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [ConsoleWindowClass,ntvdm-a64.a68.410003]
NtUserFindWindowEx: [Class,Window] = [mspim_wnd32,]
NtUserFindWindowEx: [Class,Window] = [MSOBALLOON,]
NtUserFindWindowEx: [Class,Window] = [MsoHelp10,]
NtUserFindWindowEx: [Class,Window] = [AgentAnim,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behavior description: Get TickCount value
Details: TickCount = 220203, SleepMilliseconds = 250.
TickCount = 220218, SleepMilliseconds = 250.
TickCount = 220020, SleepMilliseconds = 20.
TickCount = 220035, SleepMilliseconds = 20.
TickCount = 220051, SleepMilliseconds = 20.
Behavior description: Adjust process token privileges
Details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Open event
Details: Global\CLR_PerfMon_StartEnumEvent
\KernelObjects\LowMemoryCondition
HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
MSFT.VSA.COM.DISABLE.2528
MSFT.VSA.IEC.STATUS.6c736db0
MSFT.VSA.COM.DISABLE.2676
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000011
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000011
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Behavior description: Call Sleep function
Details: [1]: MilliSeconds = 250.
[2]: MilliSeconds = -1.
[3]: MilliSeconds = 20.
[4]: MilliSeconds = 20.
Behavior description: Hide specified window
Details: [Window,Class] = [,ThunderRT6Main]
[Window,Class] = [,_WwB]
Behavior description: Open mutex
Details: ShimCacheMutex
Local\!IETld!Mutex
Local\MU_ACBPIDS09_S-1-5-5-0-52227
CtfmonInstMutexDefaultS-*
Global\MTX_MSO_Formal1_S-*
Global\MTX_MSO_AdHoc1_S-*