File information
Safety rating: 98
Behavior list
Basic Information
MD5: c5119f132de772c55c4c1bc95c47269b
File type: EXE
Production company: Google
Version: 34.176.200.0---34.176.200
Shell or compiler information: COMPILER:PE+(64)
Subfile information: 11507dumpFile / 462dd8afaae32c7139e73cb691419273 / DLL
Key behavior
Behavior description: Queries file attributes to detect a virtual machine
Details: GetFileAttributes: FileName = C:\Program Files\Oracle\VirtualBox Guest Additions\internetenhancer.exe
GetFileAttributes: FileName = C:\Program Files\Oracle\VirtualBox Guest Additions\internetenhancerservice.exe
GetFileAttributes: FileName = C:\Program Files\Oracle\VirtualBox Guest Additions\internetenhancer.dll
GetFileAttributes: FileName = C:\Program Files\Oracle\VirtualBox Guest Additions\wajam.ico
GetFileAttributes: FileName = c:\program files\Oracle\VirtualBox Guest Additions\internetenhancer.exe
GetFileAttributes: FileName = c:\program files\Oracle\VirtualBox Guest Additions\internetenhancerservice.exe
GetFileAttributes: FileName = c:\program files\Oracle\VirtualBox Guest Additions\internetenhancer.dll
GetFileAttributes: FileName = c:\program files\Oracle\VirtualBox Guest Additions\wajam.ico
Process behavior
Behavior description: Creates a process
Details: [0x00000dac]ImagePath = C:\Users\Administrator\AppData\Local\%temp%\****.exe, CmdLine = c:\users\administrator\appdata\local\%temp%\****.exe --crash-handler "--database=c:\users\administrator\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annota
Behavior description: Creates local threads
Details: ProcessId = 3500, ThreadId = 740.
File behavior
Behavior description: Creates files
Details: C:\Users\Administrator\AppData\Local\Google\Software Reporter Tool\software_reporter_tool.log
C:\Users\Administrator\AppData\Local\Google\Software Reporter Tool\software_reporter_tool-crashpad.log
C:\Users\Administrator\AppData\Local\Google\Software Reporter Tool\settings.dat
C:\Users\Administrator\AppData\Local\Google\Software Reporter Tool\metadata
Behavior description: Modifies file contents
Details: C:\Users\Administrator\AppData\Local\Google\Software Reporter Tool\software_reporter_tool.log ---> Offset = -1
C:\Users\Administrator\AppData\Local\Google\Software Reporter Tool\software_reporter_tool-crashpad.log ---> Offset = -1
C:\Users\Administrator\AppData\Local\Google\Software Reporter Tool\settings.dat ---> Offset = 0
Behavior description: Searches for files
Details: FileName = C:\Users
FileName = C:\Users\Administrator\Desktop
FileName = C:\Users\Administrator\AppData
FileName = C:\Users\Administrator\AppData\Roaming
FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Windows
FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent
FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo
FileName = C:\Users\Administrator\Music
FileName = C:\Users\Administrator\Videos
FileName = C:\Windows
FileName = C:\Windows\Fonts
FileName = C:\ProgramData\Microsoft\Windows
FileName = C:\ProgramData\Microsoft\Windows\Start Menu\Programs
Registry behavior
Behavior description: Deletes a registry key
Details: \REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500\SOFTWARE\Google\Software Removal Tool\ScanTimes\
Behavior description: Deletes a registry value
Details: \REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500\SOFTWARE\Google\Software Removal Tool\ExitCode
Behavior description: Modifies the registry
Details: \REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500\SOFTWARE\Google\Software Removal Tool\StartTime
\REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500\SOFTWARE\Google\Software Removal Tool\ScanTimes\109
\REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500\SOFTWARE\Google\Software Removal Tool\ScanTimes\160
\REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500\SOFTWARE\Google\Software Removal Tool\ScanTimes\263
\REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500\SOFTWARE\Google\Software Removal Tool\ScanTimes\272
\REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500\SOFTWARE\Google\Software Removal Tool\ScanTimes\10044
\REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500\SOFTWARE\Google\Software Removal Tool\ScanTimes\20002
\REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500\SOFTWARE\Google\Software Removal Tool\ScanTimes\20001
\REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500\SOFTWARE\Google\Software Removal Tool\ScanTimes\10054
\REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500\SOFTWARE\Google\Software Removal Tool\ScanTimes\10053
\REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500\SOFTWARE\Google\Software Removal Tool\ScanTimes\10052
\REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500\SOFTWARE\Google\Software Removal Tool\ScanTimes\10051
\REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500\SOFTWARE\Google\Software Removal Tool\ScanTimes\10050
\REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500\SOFTWARE\Google\Software Removal Tool\ScanTimes\10049
\REGISTRY\USER\S-1-5-21-1170589654-2814428265-349930785-500\SOFTWARE\Google\Software Removal Tool\ScanTimes\10048
Other behavior
Behavior description: Adjusts process token privileges
Details: SE_INC_WORKING_SET_PRIVILEGE
Behavior description: Checks whether it is being debugged
Details: IsDebuggerPresent
Behavior description: Opens an event
Details: \KernelObjects\MaximumCommitCondition
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Run screenshot