VirSCAN

File information
Safety rating: 55
Behavior list
Basic Information
MD5: e6607ea4de0c1acf58831aea5d50cf09
File type: EXE
Production company:
Version:
Shell or compiler information: COMPILER:Microsoft Visual C++ 6.0 [Overlay]
Key behavior
Behavior description: Virtual machine detection via file attribute query
details: GetFileAttributesEx: FileName = C:\WINDOWS\system32\VBoxDisp.dll
Behavior description: Install message hook
details: C:\WINDOWS\system32\dinput8.dll
Behavior description: Virtual machine detection via file search
details:FindFirstFileEx: FileName = C:\WINDOWS\system32\VBoxDisp.dll
FindFirstFileEx: FileName = C:\WINDOWS\system32\drivers\VBoxVideo.sys
FindFirstFileEx: FileName = C:\WINDOWS\system32\DRIVERS\vmmouse.sys
FindFirstFileEx: FileName = C:\WINDOWS\system32\DRIVERS\VBoxVideo.sys
FindFirstFileEx: FileName = C:\WINDOWS\system32\DRIVERS\VBoxGuest.sys
FindFirstFileEx: FileName = C:\WINDOWS\system32\VBoxTray.exe
FindFirstFileEx: FileName = C:\WINDOWS\system32\VBoxControl.exe
Process behavior
Behavior description: Create process
details:[0x00000b0c]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c C:\WINDOWS\system32\systeminfo.exe > C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\systeminfo.log
[0x00000b34]ImagePath = C:\WINDOWS\system32\systeminfo.exe, CmdLine = C:\WINDOWS\system32\systeminfo.exe
[0x00000be4]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c C:\WINDOWS\system32\dxdiag.exe /t C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dxdiag.log
[0x00000bec]ImagePath = C:\WINDOWS\system32\dxdiag.exe, CmdLine = C:\WINDOWS\system32\dxdiag.exe /t C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dxdiag.log
Behavior description: Create process from newly created file
details:[0x00000ae8]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7ZipSfx.000\LogGoblin.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7ZipSfx.000\LogGoblin.exe"
[0x00000de8]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7ZipSfx.000\1904.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7ZipSfx.000\1904.exe"
Behavior description: Enumerate processes
details: N/A
Behavior description: Create local thread
details:TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2660, StartAddress = 004014AF, Parameter = 00917930
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2700, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: LogGoblin.exe, InheritedFromPID = 2648, ProcessID = 2792, ThreadID = 2808, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: systeminfo.exe, InheritedFromPID = 2828, ProcessID = 2868, ThreadID = 2896, StartAddress = 77E56C7D, Parameter = 000EAA48
TargetProcess: systeminfo.exe, InheritedFromPID = 2828, ProcessID = 2868, ThreadID = 2900, StartAddress = 769AE43B, Parameter = 000ED2B8
TargetProcess: systeminfo.exe, InheritedFromPID = 2828, ProcessID = 2868, ThreadID = 2904, StartAddress = 77E56C7D, Parameter = 000ED980
TargetProcess: systeminfo.exe, InheritedFromPID = 2828, ProcessID = 2868, ThreadID = 2976, StartAddress = 77E56C7D, Parameter = 000F2D50
TargetProcess: dxdiag.exe, InheritedFromPID = 3044, ProcessID = 3052, ThreadID = 3060, StartAddress = 77E56C7D, Parameter = 000FAF30
TargetProcess: dxdiag.exe, InheritedFromPID = 3044, ProcessID = 3052, ThreadID = 3064, StartAddress = 769AE43B, Parameter = 000FD8B0
TargetProcess: dxdiag.exe, InheritedFromPID = 3044, ProcessID = 3052, ThreadID = 3068, StartAddress = 77E56C7D, Parameter = 000FE038
TargetProcess: dxdiag.exe, InheritedFromPID = 3044, ProcessID = 3052, ThreadID = 3232, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: dxdiag.exe, InheritedFromPID = 3044, ProcessID = 3052, ThreadID = 3236, StartAddress = 7C930230, Parameter = 00000000
TargetProcess: dxdiag.exe, InheritedFromPID = 3044, ProcessID = 3052, ThreadID = 3240, StartAddress = 7C949B6F, Parameter = 00000000
TargetProcess: dxdiag.exe, InheritedFromPID = 3044, ProcessID = 3052, ThreadID = 3392, StartAddress = 765E964D, Parameter = 00138D78
TargetProcess: dxdiag.exe, InheritedFromPID = 3044, ProcessID = 3052, ThreadID = 3396, StartAddress = 759D8761, Parameter = 00000000
File behavior
Behavior description: Create file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\1904.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\LogGoblin.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\System.TEMP
C:\Documents and Settings\Administrator\Local Settings\Temp\systeminfo.log
C:\WINDOWS\system32\d3d9caps.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\dxdiag.log
Behavior description: Virtual machine detection via file attribute query
details:GetFileAttributesEx: FileName = C:\WINDOWS\system32\VBoxDisp.dll
Behavior description: Create executable file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\1904.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\LogGoblin.exe
Behavior description: Find file
details:FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7ZipSfx.000
FileName = C:\Documents and Settings\ADMINI~1
FileName = C:\Documents and Settings\Administrator\LOCALS~1
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\LogGoblin.exe
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\cmd.exe
FileName = C:\WINDOWS\system32\systeminfo.exe
FileName = C:\WINDOWS\system32\dxdiag.exe
Behavior description: Delete file
details: C:\WINDOWS\system32\d3d9caps.dat
Behavior description: Rename file
details: C:\WINDOWS\system32\d3d9caps.tmp ---> C:\WINDOWS\system32\d3d9caps.dat
Behavior description: Modify file contents
details:C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\1904.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\1904.exe ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\1904.exe ---> Offset = 262144
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\1904.exe ---> Offset = 393216
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\1904.exe ---> Offset = 524288
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\LogGoblin.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\LogGoblin.exe ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\LogGoblin.exe ---> Offset = 262144
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\LogGoblin.exe ---> Offset = 393216
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\LogGoblin.exe ---> Offset = 524288
C:\Documents and Settings\Administrator\Local Settings\Temp\systeminfo.log ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\systeminfo.log ---> Offset = 2
C:\Documents and Settings\Administrator\Local Settings\Temp\systeminfo.log ---> Offset = 20
C:\Documents and Settings\Administrator\Local Settings\Temp\systeminfo.log ---> Offset = 28
C:\Documents and Settings\Administrator\Local Settings\Temp\systeminfo.log ---> Offset = 30
Registry behavior
Behavior description: Modify registry
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7ZipSfx.000\LogGoblin.exe
\REGISTRY\USER\S-*\Software\Microsoft\DirectX Diagnostic Tool\DxDiag In SystemInfo
\REGISTRY\USER\S-*\Software\Microsoft\DirectX Diagnostic Tool\DxDiag In DirectDraw
\REGISTRY\USER\S-*\Software\Microsoft\DirectX Diagnostic Tool\DxDiag In DirectSound
\REGISTRY\USER\S-*\Software\Microsoft\DirectX Diagnostic Tool\DxDiag In DirectMusic
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Direct3D\Drivers\SoftwareOnly
\REGISTRY\USER\S-*\Software\Microsoft\Direct3D\MostRecentApplication\Name
\REGISTRY\MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name
\REGISTRY\MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\ID
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name
\REGISTRY\USER\S-*\Software\Microsoft\DirectX Diagnostic Tool\DxDiag In DirectInput
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\MediaProperties\PrivateProperties\DirectInput\VID_80EE&PID_0021\Calibration\0\GUID
\REGISTRY\USER\S-*\Software\Microsoft\DirectInput\DXDIAG.EXE480251FF0013D000\Name
\REGISTRY\USER\S-*\Software\Microsoft\DirectInput\DXDIAG.EXE480251FF0013D000\UsesMapper
\REGISTRY\USER\S-*\Software\Microsoft\DirectInput\MostRecentApplication\Name
Behavior description: Delete registry value
details:\REGISTRY\USER\S-*\Software\Microsoft\DirectX Diagnostic Tool\DxDiag In SystemInfo
\REGISTRY\USER\S-*\Software\Microsoft\DirectX Diagnostic Tool\DxDiag In DirectDraw
\REGISTRY\USER\S-*\Software\Microsoft\DirectX Diagnostic Tool\DxDiag In DirectSound
\REGISTRY\USER\S-*\Software\Microsoft\DirectX Diagnostic Tool\DxDiag In DirectMusic
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Direct3D\Drivers\SoftwareOnly
\REGISTRY\USER\S-*\Software\Microsoft\DirectX Diagnostic Tool\DxDiag In DirectInput
\REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\dxdiag\DEBUG\Trace Level
\REGISTRY\USER\S-*\Software\Microsoft\DirectX Diagnostic Tool\DxDiag In DirectPlay
\REGISTRY\USER\S-*\Software\Microsoft\DirectX Diagnostic Tool\DxDiag In DirectShow
Other behavior
Behavior description: Create mutex
details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
DirectSound DllMain mutex (0x00000BEC)
DDrawWindowListMutex
__DDrawExclMode__
__DDrawCheckExclMode__
DDrawDriverObjectListMutex
Behavior description: Create event object
details:EventName = Global\userenv: User Profile setup event
EventName = Global\crypt32LogoffEvent
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [MPWClass,]
Behavior description: Open event
details:HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
_fCanRegisterWithShellService
Global\crypt32LogoffEvent
MSFT.VSA.COM.DISABLE.2868
MSFT.VSA.IEC.STATUS.6c736db0
MSFT.VSA.COM.DISABLE.3052
Global\SvcctrlStartEvent_A3752DX
Global\userenv: Machine Group Policy has been applied
userenv: User Group Policy has been applied
\INSTALLATION_SECURITY_HOLD
Behavior description: Adjust process token privileges
details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Window information
details: Pid = 2792, Hwnd=0x4033e, Text = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7ZipSfx.000\LogGoblin.exe, ClassName = ConsoleWindowClass.
Behavior description: Direct physical device access
details: \??\PhysicalDrive0
Behavior description: Executable signature information
details: C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\1904.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\LogGoblin.exe (signature verification: failed)
Behavior description: Executable file MD5
details:C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\1904.exe ---> b0c76693be21843b9686cc2ae5bc6631
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\LogGoblin.exe ---> 953dd6baa83b342177287bcf9ea29e0d
Behavior description: Open mutex
details:ShimCacheMutex
Local\!IETld!Mutex
RasPbFile
Behavior description: Import key
details:[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x001A3958, DataLen: 276, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x001A2DD8, DataLen: 276, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x01F1C9B8, DataLen: 276, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x01F1CAC8, DataLen: 276, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x01F1CD10, DataLen: 276, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x01F14978, DataLen: 276, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x01F14A88, DataLen: 276, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x01E6DA80, DataLen: 276, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x01E6CF20, DataLen: 276, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x01E6CB10, DataLen: 276, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x01E6D0D8, DataLen: 276, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x01E8DF90, DataLen: 276, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x01E8D320, DataLen: 276, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x01E8D010, DataLen: 276, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x01E8D5D0, DataLen: 276, Flags: 0x00000000
Behavior description: Virtual machine detection via file search
details:FindFirstFileEx: FileName = C:\WINDOWS\system32\VBoxDisp.dll
FindFirstFileEx: FileName = C:\WINDOWS\system32\drivers\VBoxVideo.sys
FindFirstFileEx: FileName = C:\WINDOWS\system32\DRIVERS\vmmouse.sys
FindFirstFileEx: FileName = C:\WINDOWS\system32\DRIVERS\VBoxVideo.sys
FindFirstFileEx: FileName = C:\WINDOWS\system32\DRIVERS\VBoxGuest.sys
FindFirstFileEx: FileName = C:\WINDOWS\system32\VBoxTray.exe
FindFirstFileEx: FileName = C:\WINDOWS\system32\VBoxControl.exe