1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, Aplikace VirSCAN může skenovat komprimované soubory s heslem 'infected'nebo'virus'.
4, If your browser cannot upload files, please download VirSCAN uploader to upload.
| Virscan.org multi-engine scan report |
| Behavior analysis report: Habo file analysis |
| MD5:0fe93c280ed61da962da5df4b0009a3c |
| 文件大小:5.58MB |
| 上传时间: 2014-09-22 10:36:30 (CST) |
| Package names: |
| Minimum operating environment: |
| copyright: |
| Behavior description: | 直接调用系统关键API |
| details: | Index = 0x00000025, Name: NtCreateFile, Instruction Address = 0x007219DB |
| Index = 0x000000B7, Name: NtReadFile, Instruction Address = 0x00721684 | |
| Index = 0x000000E0, Name: NtSetInformationFile, Instruction Address = 0x00724EEC | |
| Behavior description: | 直接获取CPU时钟 |
| details: | EAX = 0x65e34cc9, EDX = 0x000000b8 |
| EAX = 0x65e34d15, EDX = 0x000000b8 | |
| EAX = 0x859a83d5, EDX = 0x000000b8 | |
| EAX = 0xc1143b0c, EDX = 0x000000bc | |
| EAX = 0xc1143b58, EDX = 0x000000bc | |
| EAX = 0xc3c73ad4, EDX = 0x000000bc | |
| EAX = 0xc3c73b20, EDX = 0x000000bc | |
| EAX = 0xc3c73b6c, EDX = 0x000000bc | |
| EAX = 0xc3c73bb8, EDX = 0x000000bc | |
| EAX = 0x37ace921, EDX = 0x000000bd | |
| Behavior description: | 获取TickCount值 |
| details: | TickCount = 220906, SleepMilliseconds = 1000. |
| TickCount = 220953, SleepMilliseconds = 1000. | |
| TickCount = 221125, SleepMilliseconds = 1000. | |
| TickCount = 221171, SleepMilliseconds = 1000. | |
| TickCount = 221187, SleepMilliseconds = 1000. | |
| TickCount = 221218, SleepMilliseconds = 1000. | |
| TickCount = 221531, SleepMilliseconds = 1000. | |
| TickCount = 221578, SleepMilliseconds = 1000. | |
| TickCount = 221609, SleepMilliseconds = 1000. | |
| TickCount = 221796, SleepMilliseconds = 1000. | |
| TickCount = 222328, SleepMilliseconds = 1000. | |
| TickCount = 222484, SleepMilliseconds = 1000. | |
| TickCount = 222687, SleepMilliseconds = 1000. | |
| TickCount = 222734, SleepMilliseconds = 1000. | |
| TickCount = 222765, SleepMilliseconds = 1000. |
| Behavior description: | 创建本地线程 |
| details: | TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2688, StartAddress = 006435DC, Parameter = 00000000 |
| TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2704, StartAddress = 00566428, Parameter = 0123AFF4 | |
| TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2720, StartAddress = 792A741C, Parameter = 00000000 | |
| TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2724, StartAddress = 791F59C0, Parameter = 001B9E90 | |
| TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2880, StartAddress = 792C4BE2, Parameter = 0012D728 | |
| TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2956, StartAddress = 791F59C0, Parameter = 001CF0A8 | |
| TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2960, StartAddress = 77DC845A, Parameter = 00000000 | |
| Behavior description: | 枚举进程 |
| details: | N/A |
| Behavior description: | 查找文件 |
| details: | FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ |
| FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\ | |
| FileName = C:\DOCUME~1\ADMINI~1\ | |
| FileName = C:\DOCUME~1\ | |
| FileName = C:\DOCUME~1 | |
| FileName = C:\Documents and Settings\ADMINI~1 | |
| FileName = C:\Documents and Settings\Administrator\LOCALS~1 | |
| FileName = C:\Documents and Settings\Administrator\Local Settings\Temp | |
| FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\ | |
| FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe | |
| FileName = C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll | |
| FileName = C:\WINDOWS\Microsoft.NET\Framework\\* | |
| FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.INI | |
| FileName = C:\Documents and Settings\Administrator\Local Settings\%temp% | |
| FileName = C:\Documents and Settings |
| Behavior description: | 直接调用系统关键API |
| details: | Index = 0x00000025, Name: NtCreateFile, Instruction Address = 0x007219DB |
| Index = 0x000000B7, Name: NtReadFile, Instruction Address = 0x00721684 | |
| Index = 0x000000E0, Name: NtSetInformationFile, Instruction Address = 0x00724EEC | |
| Behavior description: | 检测自身是否被调试 |
| details: | IsDebuggerPresent |
| Behavior description: | 创建互斥体 |
| details: | CTF.LBES.MutexDefaultS-* |
| CTF.Compart.MutexDefaultS-* | |
| CTF.Asm.MutexDefaultS-* | |
| CTF.Layouts.MutexDefaultS-* | |
| CTF.TMD.MutexDefaultS-* | |
| CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-* | |
| MSCTF.Shared.MUTEX.IOH | |
| Behavior description: | 创建事件对象 |
| details: | EventName = Global\CPFATE_2676_v4.0.30319 |
| Behavior description: | 打开互斥体 |
| details: | ShimCacheMutex |
| DBWinMutex | |
| Behavior description: | 查找指定窗口 |
| details: | NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,] |
| Behavior description: | 打开事件 |
| details: | HookSwitchHookEnabledEvent |
| \SECURITY\LSA_AUTHENTICATION_INITIALIZED | |
| Global\CLR_PerfMon_StartEnumEvent | |
| \KernelObjects\LowMemoryCondition | |
| CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010 | |
| CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010 | |
| MSCTF.SendReceiveConection.Event.IOH.IC | |
| MSCTF.SendReceive.Event.IOH.IC | |
| Behavior description: | 获取TickCount值 |
| details: | TickCount = 220906, SleepMilliseconds = 1000. |
| TickCount = 220953, SleepMilliseconds = 1000. | |
| TickCount = 221125, SleepMilliseconds = 1000. | |
| TickCount = 221171, SleepMilliseconds = 1000. | |
| TickCount = 221187, SleepMilliseconds = 1000. | |
| TickCount = 221218, SleepMilliseconds = 1000. | |
| TickCount = 221531, SleepMilliseconds = 1000. | |
| TickCount = 221578, SleepMilliseconds = 1000. | |
| TickCount = 221609, SleepMilliseconds = 1000. | |
| TickCount = 221796, SleepMilliseconds = 1000. | |
| TickCount = 222328, SleepMilliseconds = 1000. | |
| TickCount = 222484, SleepMilliseconds = 1000. | |
| TickCount = 222687, SleepMilliseconds = 1000. | |
| TickCount = 222734, SleepMilliseconds = 1000. | |
| TickCount = 222765, SleepMilliseconds = 1000. | |
| Behavior description: | 调整进程token权限 |
| details: | SE_DEBUG_PRIVILEGE |
| Behavior description: | 窗口信息 |
| details: | Pid = 2676, Hwnd=0x10348, Text = 确定, ClassName = Button. |
| Pid = 2676, Hwnd=0x1034c, Text = Fiddler has encountered an unexpected problem. If you believe this is a bug in Fiddler, please copy this message by hitting CTRL+C, and submit a bug report at http://www.telerik.com/forums/fiddler. Could not load type "System.Runtime.CompilerServices.Extensi, ClassName = Static. | |
| Pid = 2676, Hwnd=0x10344, Text = Awww, Fiddlesticks!, ClassName = #32770. | |
| Behavior description: | 调用Sleep函数 |
| details: | [1]: MilliSeconds = 0. |
| [2]: MilliSeconds = 0. | |
| [3]: MilliSeconds = 0. | |
| [4]: MilliSeconds = 0. | |
| [5]: MilliSeconds = 0. | |
| [6]: MilliSeconds = 0. | |
| [7]: MilliSeconds = 0. | |
| [8]: MilliSeconds = 0. | |
| [9]: MilliSeconds = 0. | |
| [10]: MilliSeconds = 0. | |
| Behavior description: | 直接获取CPU时钟 |
| details: | EAX = 0x65e34cc9, EDX = 0x000000b8 |
| EAX = 0x65e34d15, EDX = 0x000000b8 | |
| EAX = 0x859a83d5, EDX = 0x000000b8 | |
| EAX = 0xc1143b0c, EDX = 0x000000bc | |
| EAX = 0xc1143b58, EDX = 0x000000bc | |
| EAX = 0xc3c73ad4, EDX = 0x000000bc | |
| EAX = 0xc3c73b20, EDX = 0x000000bc | |
| EAX = 0xc3c73b6c, EDX = 0x000000bc | |
| EAX = 0xc3c73bb8, EDX = 0x000000bc | |
| EAX = 0x37ace921, EDX = 0x000000bd |
HOME
