VirSCAN


File information
Safety rating: 71
Behaviour list
Basic information
MD5: d55d581211fa46e258fc881a089234b5
File type: EXE
Company: (none)
Version: (none)
Packer / compiler information: PACKER:UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
Sub-file information (unpacked dump): upx_c_27124eebdumpFile / 583856a2e8f8558afac7ef0c70518be4 / EXE
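The packer field above says UPX, and the sub-file entry is the dump the sandbox produced after unpacking. A practitioner normally confirms such a verdict statically before trusting it. The script below is an added example, not VirSCAN's code and not taken from the sample: it walks a PE section table and applies the two UPX tell-tales, the UPX0/UPX1 section names and an empty first section (the unpack target) next to a high-entropy second one. It assembles a constructed minimal PE32 in memory so it runs offline; the section layout, sizes and pseudo-random payload are assumptions made for the demonstration, not bytes from the file with the MD5 above.

```python
"""Static packer check for a PE file (added example; not VirSCAN's code).

pe_sections() walks the section table of a PE image and scores each
section's raw bytes by Shannon entropy; packer_verdict() applies the UPX
tell-tales: UPX0/UPX1 names, a first section with no raw data but a large
virtual size (the unpack target) and a compressed section with entropy
near 8 bits/byte.  build_pe() assembles a constructed minimal PE32 image
so the check runs offline; its layout and payload are invented for the
demonstration and only the fields pe_sections() reads are populated.
"""
import hashlib
import math
import struct
from collections import namedtuple

Section = namedtuple("Section", "name virtual_size rva raw_size entropy")

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_FMT = "<HHIIIHH"           # IMAGE_FILE_HEADER, 20 bytes


def shannon_entropy(blob):
    """Bits of entropy per byte: 0 for empty or constant data, 8 for uniform."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data):
    """Parse the section table of a PE image into Section tuples."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = struct.unpack_from("<I", data, 60)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, pe + 4)
    off = pe + 4 + 20 + opt_size                          # first section header
    sections = []
    for _ in range(nsec):
        name, vsize, rva, raw_size, raw_ptr = struct.unpack_from(SECTION_FMT, data, off)[:5]
        blob = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vsize, rva, raw_size, shannon_entropy(blob)))
        off += 40
    return sections


def packer_verdict(sections):
    """(packed?, reasons) using the UPX layout tell-tales."""
    reasons = []
    names = [s.name for s in sections]
    if "UPX0" in names and "UPX1" in names:
        reasons.append("section names UPX0/UPX1")
    for s in sections:
        if s.raw_size == 0 and s.virtual_size >= 0x1000:
            reasons.append(f"{s.name}: no raw data but {s.virtual_size:#x} bytes reserved (unpack target)")
        if s.raw_size and s.entropy > 7.0:
            reasons.append(f"{s.name}: entropy {s.entropy:.2f} bits/byte (compressed or encrypted)")
    return bool(reasons), reasons


def build_pe(sections):
    """Constructed minimal PE32: DOS header, PE signature, COFF header, zeroed
    224-byte optional header and one header per (name, raw_bytes, virtual_size)."""
    opt_size = 224
    raw_off = 64 + 4 + 20 + opt_size + 40 * len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack(COFF_FMT, 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table, raws, rva = b"", b"", 0x1000
    for name, raw, vsize in sections:
        ptr = raw_off + len(raws) if raw else 0
        table += struct.pack(SECTION_FMT, name, vsize, rva, len(raw), ptr, 0, 0, 0, 0, 0xE0000060)
        raws += raw
        rva += max(vsize, 0x1000)
    return dos + coff + optional + table + raws


def pseudo_random(n, seed=b"upx-demo"):
    """Deterministic high-entropy filler standing in for compressed code."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


# Constructed images: a UPX-style layout and a plain one for comparison.
PACKED = build_pe([(b"UPX0", b"", 0x20000),
                   (b"UPX1", pseudo_random(4096), 0x2000),
                   (b".rsrc", b"\0" * 512, 0x200)])
CLEAN = build_pe([(b".text", b"ABCD" * 256, 0x400),
                  (b".data", b"\0" * 256, 0x100)])

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("clean", CLEAN)):
        verdict, why = packer_verdict(pe_sections(image))
        print(label, verdict, why)
```

The name check is the strong signal for stock UPX, but packers are routinely edited to rename their sections; the empty-section-plus-high-entropy heuristic still fires in that case, which is why the verdict carries both reasons rather than relying on the names alone.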
Key behaviour
Behaviour description: Open registry key (virtual machine detection)
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions
Process behaviour
Behaviour description: Create process
Details: [0x00000b3c]ImagePath = C:\Program Files\Microsoft Office 2007\Office12\POWERPNT.EXE, CmdLine = "C:\Program Files\Microsoft Office 2007\Office12\POWERPNT.EXE" "C:\Documents and Settings\Administrator\Local Settings\%temp%国庆节PPT作品.ppt"
[0x00000b7c]ImagePath = C:\Program Files\Microsoft Office 2007\Office12\POWERPNT.EXE, CmdLine = "C:\Program Files\Microsoft Office 2007\Office12\POWERPNT.EXE" "C:\Documents and Settings\Administrator\Local Settings\%temp%国庆节PPT作品.ppt"
[0x00000c44]ImagePath = C:\Program Files\Microsoft Office 2007\Office12\POWERPNT.EXE, CmdLine = "C:\Program Files\Microsoft Office 2007\Office12\POWERPNT.EXE" "C:\Documents and Settings\Administrator\Local Settings\%temp%国庆节PPT作品.ppt"
[0x00000c84]ImagePath = C:\Program Files\Microsoft Office 2007\Office12\POWERPNT.EXE, CmdLine = "C:\Program Files\Microsoft Office 2007\Office12\POWERPNT.EXE" "C:\Documents and Settings\Administrator\Local Settings\%temp%国庆节PPT作品.ppt"
[0x00000cb4]ImagePath = C:\Program Files\Microsoft Office 2007\Office12\POWERPNT.EXE, CmdLine = "C:\Program Files\Microsoft Office 2007\Office12\POWERPNT.EXE" "C:\Documents and Settings\Administrator\Local Settings\%temp%国庆节PPT作品.ppt"
[0x00000d04]ImagePath = C:\Program Files\Microsoft Office 2007\Office12\POWERPNT.EXE, CmdLine = "C:\Program Files\Microsoft Office 2007\Office12\POWERPNT.EXE" "C:\Documents and Settings\Administrator\Local Settings\%temp%国庆节PPT作品.ppt"
Behaviour description: Create local thread
Details: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2600, ThreadID = 2612, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2600, ThreadID = 2616, StartAddress = 004011E1, Parameter = 00000000
TargetProcess: POWERPNT.EXE, InheritedFromPID = 2600, ProcessID = 2876, ThreadID = 2888, StartAddress = 77E56C7D, Parameter = 001B6B40
TargetProcess: POWERPNT.EXE, InheritedFromPID = 2600, ProcessID = 2876, ThreadID = 2892, StartAddress = 769AE43B, Parameter = 001B9D48
TargetProcess: POWERPNT.EXE, InheritedFromPID = 2600, ProcessID = 2876, ThreadID = 2896, StartAddress = 77E56C7D, Parameter = 001BAE00
TargetProcess: POWERPNT.EXE, InheritedFromPID = 2600, ProcessID = 2940, ThreadID = 3044, StartAddress = 77E56C7D, Parameter = 001B6B40
TargetProcess: POWERPNT.EXE, InheritedFromPID = 2600, ProcessID = 2940, ThreadID = 3048, StartAddress = 769AE43B, Parameter = 001B9D48
TargetProcess: POWERPNT.EXE, InheritedFromPID = 2600, ProcessID = 2940, ThreadID = 3052, StartAddress = 77E56C7D, Parameter = 001BB720
TargetProcess: POWERPNT.EXE, InheritedFromPID = 2600, ProcessID = 3140, ThreadID = 3176, StartAddress = 77E56C7D, Parameter = 001B6B40
TargetProcess: POWERPNT.EXE, InheritedFromPID = 2600, ProcessID = 3140, ThreadID = 3180, StartAddress = 769AE43B, Parameter = 001B9D48
TargetProcess: POWERPNT.EXE, InheritedFromPID = 2600, ProcessID = 3140, ThreadID = 3184, StartAddress = 77E56C7D, Parameter = 001BA2D0
TargetProcess: POWERPNT.EXE, InheritedFromPID = 2600, ProcessID = 3204, ThreadID = 3220, StartAddress = 77E56C7D, Parameter = 001B6B40
TargetProcess: POWERPNT.EXE, InheritedFromPID = 2600, ProcessID = 3204, ThreadID = 3224, StartAddress = 769AE43B, Parameter = 001B9D48
TargetProcess: POWERPNT.EXE, InheritedFromPID = 2600, ProcessID = 3204, ThreadID = 3232, StartAddress = 77E56C7D, Parameter = 001BABD0
TargetProcess: POWERPNT.EXE, InheritedFromPID = 2600, ProcessID = 2876, ThreadID = 3236, StartAddress = 3010CF15, Parameter = 00000000
File behaviour
Behaviour description: Create file
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%国庆节PPT作品.ppt
Behaviour description: Overwrite existing file
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%国庆节PPT作品.ppt
Behaviour description: Modify file contents
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%国庆节PPT作品.ppt ---> Offset = 0
Behaviour description: Search for files
Details: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\My Documents
FileName = C:\Documents and Settings\All Users
FileName = C:\Documents and Settings\All Users\Documents
FileName = C:\Documents and Settings\Administrator\桌面
FileName = C:\Documents and Settings\All Users\桌面
FileName = C:\Program Files\Microsoft Office 2007\Office12
FileName = C:\Program Files\Microsoft Office 2007\Office12\POWERPNT.EXE
FileName = C:\Program Files
FileName = C:\Program Files\Microsoft Office 2007
FileName = C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
FileName = C:\WINDOWS\Microsoft.NET\Framework\\*
FileName = C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Office\PowerPoint.qat
Behaviour description: Copy file
Details: C:\Program Files\Microsoft Office 2007\Office12\OPA12.BAK ---> C:\Program Files\Microsoft Office 2007\Office12\opa12.dat
Registry behaviour
Behaviour description: Modify registry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\PowerPoint\Resiliency\StartupItems\(4.
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00002109030000000000000000F01FEC\Usage\ProductFiles
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Common\LanguageResources\EnabledLanguages\2052
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Common\LanguageResources\EnabledLanguages\1033
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\PowerPoint\MTTT
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\PowerPoint\Resiliency\StartupItems\u~.
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00002109030000000000000000F01FEC\Usage\PPTFiles
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\PowerPoint\Resiliency\StartupItems\pb.
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\PowerPoint\Resiliency\StartupItems\`w/
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\PowerPoint\Resiliency\StartupItems\`)0
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\PowerPoint\Resiliency\StartupItems\n|.
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\PowerPoint\Resiliency\StartupItems\w}.
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\PowerPoint\Resiliency\StartupItems\p~.
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\PowerPoint\Resiliency\StartupItems\ .
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\PowerPoint\Resiliency\StartupItems\$a.
Behaviour description: Delete registry key
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\
Behaviour description: Open registry key (virtual machine detection)
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions
Behaviour description: Delete registry value
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\DWFileTreeRoot
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\PowerPoint\Resiliency\StartupItems\u~.
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\PowerPoint\Resiliency\StartupItems\`w/
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\PowerPoint\Resiliency\StartupItems\`)0
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\PowerPoint\Resiliency\StartupItems\pb.
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\PowerPoint\Resiliency\StartupItems\n|.
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\PowerPoint\Resiliency\StartupItems\w}.
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\PowerPoint\Resiliency\StartupItems\p~.
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\PowerPoint\Resiliency\StartupItems\ .
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\PowerPoint\Resiliency\StartupItems\$a.
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\PowerPoint\Resiliency\StartupItems\e{0
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\PowerPoint\Resiliency\StartupItems\$80
Other behaviour
Behaviour description: Create mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
MSCTF.Shared.MUTEX.MCK
MSCTF.Shared.MUTEX.AEL
Behaviour description: Create event object
Details: EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceiveConection.Event.MCK.IC
EventName = MSCTF.SendReceive.Event.MCK.IC
EventName = Local\PP12Running_S-*
EventName = Global\WatsonDataAccess
EventName = MSCTF.SendReceive.Event.AEL.IC
EventName = MSCTF.SendReceiveConection.Event.AEL.IC
Behaviour description: Window information (original window text kept, English gloss in parentheses)
Details: Pid = 2600, Hwnd=0x10358, Text = 时间: ("Time:"), ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2600, Hwnd=0x10356, Text = 2018年11月14日19时44分2秒 ("2018-11-14 19:44:02"), ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2600, Hwnd=0x1034a, Text = 1553306192, ClassName = _EL_HyperLinker.
Pid = 2600, Hwnd=0x10348, Text = 作者联系QQ: ("Author contact QQ:"), ClassName = _EL_Label.
Pid = 2600, Hwnd=0x10346, Text = 本学习软件制作作者:简俊辉 ("This study software was made by: 简俊辉"), ClassName = _EL_Label.
Pid = 2600, Hwnd=0x10352, Text = 建议最好联网使用本软件! ("It is recommended to use this software while connected to the Internet!"), ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2600, Hwnd=0x10350, Text = 正在检测………… ("Checking..."), ClassName = Edit.
Pid = 2600, Hwnd=0x1034e, Text = 联网状态: ("Network status:"), ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2600, Hwnd=0x1034c, Text = 打开制作作品:《国庆节PPT作品》 ("Open created work: 《国庆节PPT作品》", i.e. the National Day PPT work), ClassName = Button.
Pid = 2600, Hwnd=0x10344, Text = 欢迎使用俊辉学习软件! ("Welcome to Junhui study software!"), ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2600, Hwnd=0x10340, Text = 俊辉软件 ("Junhui Software"), ClassName = WTWindow.
Pid = 2600, Hwnd=0x1036a, Text = 确定 ("OK"), ClassName = Button.
Pid = 2600, Hwnd=0x1036c, Text = 载入学习资料成功! 注意:本作品是简俊辉自己努力制作的,请勿窃取作者的劳动成果! ("Study material loaded successfully! Note: this work was made through 简俊辉's own effort, please do not steal the author's work!"), ClassName = Static.
Pid = 2600, Hwnd=0x10368, Text = 软件提示: ("Software notice:"), ClassName = #32770.
Pid = 2600, Hwnd=0x10356, Text = 2018年11月14日19时44分5秒 ("2018-11-14 19:44:05"), ClassName = Afx:400000:b:10011:1900015:0.
Behaviour description: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [PP12FrameClass,]
NtUserFindWindowEx: [Class,Window] = [OleMainThreadWndClass,]
NtUserFindWindowEx: [Class,Window] = [MSOBALLOON,]
NtUserFindWindowEx: [Class,Window] = [MsoHelp11,]
NtUserFindWindowEx: [Class,Window] = [AgentAnim,]
Behaviour description: Open event
Details: HookSwitchHookEnabledEvent
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
_fCanRegisterWithShellService
MSFT.VSA.COM.DISABLE.2876
MSFT.VSA.IEC.STATUS.6c736db0
Local\PP12Running_S-*
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
MSFT.VSA.COM.DISABLE.2940
MSFT.VSA.COM.DISABLE.3140
MSFT.VSA.COM.DISABLE.3204
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000011
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000011
Behaviour description: Adjust process token privileges
Details: SE_LOAD_DRIVER_PRIVILEGE
Behaviour description: Enumerate windows
Details: N/A
Behaviour description: Hide specified window
Details: [Window,Class] = [建议最好联网使用本软件!,Afx:400000:b:10011:1900015:0] (window text: "It is recommended to use this software while connected to the Internet!")
[Window,Class] = [,_EL_Timer]
[Window,Class] = [,ThunderRT6Main]
Behaviour description: Open mutex
Details: ShimCacheMutex
CtfmonInstMutexDefaultS-*
Local\MU_ACBPIDS09_S-1-5-5-0-52227
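The list above is raw sandbox output, not a verdict, and the facts that decide triage are scattered across several sections: a registry probe for the VirtualBox Guest Additions uninstall key (a standard VM check), a .ppt written to %temp% and handed to POWERPNT.EXE six times from the launcher PID 2600, every PowerPoint process being a child of that PID, and a request for SE_LOAD_DRIVER_PRIVILEGE that a "study software" launcher has no obvious reason to make. The script below is an added example, not VirSCAN output and not the sample's code: it parses a report in this shape and pulls those facts out. Its REPORT constant is a constructed excerpt with English labels and a shortened decoy file name, and the VM_MARKERS list is an assumption about which strings identify a hypervisor artefact.

```python
"""Triage a VirSCAN-style behaviour list (added example; not VirSCAN code).

parse_report() turns 'Behaviour description:' / 'Details:' pairs into a
dict of label -> detail lines.  The helpers then derive the observations
that matter for the sample above: registry probes naming a hypervisor,
files the sample wrote and then passed to another program (decoys), the
process tree under the launcher PID, and the privileges it asked for.
REPORT is a constructed excerpt in the report's own shape.
"""
import ntpath
import re
from collections import defaultdict

REPORT = r"""
Behaviour description: Open registry key (virtual machine detection)
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions
Behaviour description: Create process
Details: [0x00000b3c]ImagePath = C:\Program Files\Microsoft Office 2007\Office12\POWERPNT.EXE, CmdLine = "C:\Program Files\Microsoft Office 2007\Office12\POWERPNT.EXE" "C:\Documents and Settings\Administrator\Local Settings\%temp%decoy.ppt"
Behaviour description: Create local thread
Details: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2600, ThreadID = 2612, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: POWERPNT.EXE, InheritedFromPID = 2600, ProcessID = 2876, ThreadID = 2888, StartAddress = 77E56C7D, Parameter = 001B6B40
TargetProcess: POWERPNT.EXE, InheritedFromPID = 2600, ProcessID = 2940, ThreadID = 3044, StartAddress = 77E56C7D, Parameter = 001B6B40
Behaviour description: Create file
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%decoy.ppt
Behaviour description: Adjust process token privileges
Details: SE_LOAD_DRIVER_PRIVILEGE
"""

# Assumed substrings that mark a hypervisor artefact in a registry path.
VM_MARKERS = ("VirtualBox", "VBox", "VMware", "QEMU", "Xen", "Hyper-V")

PROC_RE = re.compile(r"\[0x[0-9a-fA-F]+\]ImagePath = (.*?), CmdLine = (.*)")
THREAD_RE = re.compile(r"TargetProcess: (.*?), InheritedFromPID = (\d+), ProcessID = (\d+)")


def parse_report(text):
    """Map each behaviour label to its detail lines, one entry per line."""
    behaviours = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Behaviour description:"):
            current = line.split(":", 1)[1].strip()
        elif current is not None:
            if line.startswith("Details:"):
                line = line.split(":", 1)[1].strip()
            behaviours[current].append(line)
    return dict(behaviours)


def vm_artifacts(behaviours):
    """Registry paths from any registry behaviour that name a hypervisor."""
    hits = []
    for label, lines in behaviours.items():
        if "registry" not in label.lower():
            continue
        for path in lines:
            if any(m.lower() in path.lower() for m in VM_MARKERS) and path not in hits:
                hits.append(path)
    return hits


def created_processes(behaviours):
    """(image path, [quoted command-line tokens]) per 'Create process' line."""
    procs = []
    for line in behaviours.get("Create process", []):
        m = PROC_RE.match(line)
        if m:
            procs.append((m.group(1), re.findall(r'"([^"]*)"', m.group(2))))
    return procs


def dropped_and_opened(behaviours):
    """Files the sample created and then passed as an argument: decoy documents."""
    created = set(behaviours.get("Create file", []))
    pairs = []
    for image, argv in created_processes(behaviours):
        for arg in argv[1:]:                      # argv[0] is the image itself
            if arg in created:
                pairs.append((arg, ntpath.basename(image)))
    return pairs


def process_tree(behaviours):
    """pid -> (parent pid, image name) from the 'Create local thread' lines."""
    tree = {}
    for line in behaviours.get("Create local thread", []):
        m = THREAD_RE.match(line)
        if m:
            tree[int(m.group(3))] = (int(m.group(2)), m.group(1))
    return tree


def children_of(tree, pid):
    return sorted(child for child, (parent, _) in tree.items() if parent == pid)


def requested_privileges(behaviours):
    return behaviours.get("Adjust process token privileges", [])


if __name__ == "__main__":
    b = parse_report(REPORT)
    print("VM artefact probes:", vm_artifacts(b))
    print("decoys opened:", dropped_and_opened(b))
    print("children of 2600:", children_of(process_tree(b), 2600))
    print("privileges requested:", requested_privileges(b))
```

Run against a full report the same way: any line that is a dropped file and also appears on a command line is the decoy the user is meant to see, and a child list under the launcher PID that consists only of the document viewer, with nothing else spawned, is consistent with the "open the PPT while something else runs" pattern this behaviour list shows.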