VirSCAN VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, Aplikace VirSCAN může skenovat komprimované soubory s heslem 'infected'nebo'virus'.

Language
Server load
Server Load

File information
Safety rating:30
Behavior list
Basic Information
MD5:114aadd038557d25ec81db04d84277dc
file type:EXE
Production company:
version:
Shell or compiler information:
Key behavior
Behavior description:检测自身是否被调试
details:N/A
Behavior description:跨进程写入数据
details:C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\alg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tencent\QQ\Bin\QQ.exe
C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\PersonalBankPortal.exe
C:\%temp%\1445811522.115179.exe
C:\%temp%\1445811522.122052.exe
C:\%temp%\1445811522.128922.exe
Behavior description:创建远程线程
details:C:\WINDOWS\system32\winlogon.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1445811521.139332.exe
Behavior description:关闭系统文件保护
details:N/A
Behavior description:跨进程写代码段数据
details:C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1445811521.523949.exe, WriteAddress = 0x006E0A66, EntryPoint = 0x006E0A66
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1445811521.530914.exe, WriteAddress = 0x006E0A66, EntryPoint = 0x006E0A66
Behavior description:修改注册表_系统防火墙可信进程列表
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINDOWS\system32\winlogon.exe
Behavior description:写权限映射文件
details:CiceroSharedMemDefaultS-*
MSCTF.MarshalInterface.FileMap.AGI..KAOGH
MSCTF.MarshalInterface.FileMap.AGI.B.KBOGH
MSCTF.MarshalInterface.FileMap.AGI.C.KBOGH
MSCTF.MarshalInterface.FileMap.AGI.D.KBOGH
MSCTF.MarshalInterface.FileMap.AGI.E.KCOGH
MSCTF.MarshalInterface.FileMap.AGI.F.JDOGH
MSCTF.MarshalInterface.FileMap.AGI.G.JEOGH
MSCTF.Shared.SFM.AGI
MSCTF.MarshalInterface.FileMap.AGI.H.KCPKH
MSCTF.MarshalInterface.FileMap.AGI.I.KDPKH
MSCTF.MarshalInterface.FileMap.AGI.J.KDPKH
MSCTF.MarshalInterface.FileMap.AGI.K.KDPKH
MSCTF.MarshalInterface.FileMap.AGI.L.KEPKH
MSCTF.MarshalInterface.FileMap.AGI.M.JFPKH
Behavior description:通过内存映射跨进程修改内存
details:TargetProcess = [System Process]
TargetProcess = %temp%\1445811521.311481.exe
Behavior description:按名称获取主机地址
details:ce.kator.at
wo.tymis.pl
Process behavior
Behavior description:跨进程写入数据
details:C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\alg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tencent\QQ\Bin\QQ.exe
C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\PersonalBankPortal.exe
C:\%temp%\1445811522.115179.exe
C:\%temp%\1445811522.122052.exe
C:\%temp%\1445811522.128922.exe
Behavior description:创建新文件进程
details:ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1445811521.115280.exe, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1445811521.115280.exe
Behavior description:创建远程线程
details:C:\WINDOWS\system32\winlogon.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1445811521.139332.exe
Behavior description:枚举进程
details:N/A
Behavior description:跨进程写代码段数据
details:C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1445811521.523949.exe, WriteAddress = 0x006E0A66, EntryPoint = 0x006E0A66
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1445811521.530914.exe, WriteAddress = 0x006E0A66, EntryPoint = 0x006E0A66
Behavior description:通过内存映射跨进程修改内存
details:TargetProcess = [System Process]
TargetProcess = %temp%\1445811521.311481.exe
File behavior
Behavior description:写权限映射文件
details:CiceroSharedMemDefaultS-*
MSCTF.MarshalInterface.FileMap.AGI..KAOGH
MSCTF.MarshalInterface.FileMap.AGI.B.KBOGH
MSCTF.MarshalInterface.FileMap.AGI.C.KBOGH
MSCTF.MarshalInterface.FileMap.AGI.D.KBOGH
MSCTF.MarshalInterface.FileMap.AGI.E.KCOGH
MSCTF.MarshalInterface.FileMap.AGI.F.JDOGH
MSCTF.MarshalInterface.FileMap.AGI.G.JEOGH
MSCTF.Shared.SFM.AGI
MSCTF.MarshalInterface.FileMap.AGI.H.KCPKH
MSCTF.MarshalInterface.FileMap.AGI.I.KDPKH
MSCTF.MarshalInterface.FileMap.AGI.J.KDPKH
MSCTF.MarshalInterface.FileMap.AGI.K.KDPKH
MSCTF.MarshalInterface.FileMap.AGI.L.KEPKH
MSCTF.MarshalInterface.FileMap.AGI.M.JFPKH
Behavior description:查找文件
details:FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1445811521.513608.exe
Network behavior
Behavior description:发送一个已连接的套接字数据
details:SOCKET = 0x00000494, TotalSize = 20, Offset = 0, ReadSize = 20.
SOCKET = 0x00000494, TotalSize = 40, Offset = 0, ReadSize = 40.
SOCKET = 0x00000268, TotalSize = 20, Offset = 0, ReadSize = 20.
SOCKET = 0x00000268, TotalSize = 40, Offset = 0, ReadSize = 40.
Behavior description:建立到一个指定的套接字连接
details:219.133.40.1:80
Behavior description:按名称获取主机地址
details:ce.kator.at
wo.tymis.pl
Registry behavior
Behavior description:修改注册表
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-*\RefCount
Behavior description:修改注册表_系统防火墙可信进程列表
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINDOWS\system32\winlogon.exe
Other behavior
Behavior description:检测自身是否被调试
details:N/A
Behavior description:创建互斥体
details:85C::DAFCE0CF6F
DILLOCREATE
DILLOOEP
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.AGI
Behavior description:查找指定窗口
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description:获取系统权限
details:SE_DEBUG_PRIVILEGE
SE_TAKE_OWNERSHIP_PRIVILEGE
SE_RESTORE_PRIVILEGE
SE_BACKUP_PRIVILEGE
SE_CHANGE_NOTIFY_PRIVILEGE
Behavior description:获取TickCount值
details:TickCount = 485744, SleepMilliseconds = 10.
TickCount = 546203, SleepMilliseconds = 60000.
TickCount = 546218, SleepMilliseconds = 60000.
TickCount = 546234, SleepMilliseconds = 60000.
TickCount = 546250, SleepMilliseconds = 60000.
TickCount = 546265, SleepMilliseconds = 60000.
TickCount = 546281, SleepMilliseconds = 60000.
TickCount = 546296, SleepMilliseconds = 60000.
TickCount = 546312, SleepMilliseconds = 60000.
TickCount = 546781, SleepMilliseconds = 60000.
TickCount = 486922, SleepMilliseconds = 1.
TickCount = 486938, SleepMilliseconds = 1.
TickCount = 486954, SleepMilliseconds = 1.
TickCount = 486969, SleepMilliseconds = 1.
TickCount = 486985, SleepMilliseconds = 1.
Behavior description:关闭系统文件保护
details:N/A
Behavior description:调用Sleep函数
details:[1]: MilliSeconds = 60000.
Abnormal crash
Behavior description:检测自身是否被调试
details:N/A
Behavior description:创建互斥体
details:85C::DAFCE0CF6F
DILLOCREATE
DILLOOEP
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.AGI
Behavior description:查找指定窗口
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description:获取系统权限
details:SE_DEBUG_PRIVILEGE
SE_TAKE_OWNERSHIP_PRIVILEGE
SE_RESTORE_PRIVILEGE
SE_BACKUP_PRIVILEGE
SE_CHANGE_NOTIFY_PRIVILEGE
Behavior description:获取TickCount值
details:TickCount = 485744, SleepMilliseconds = 10.
TickCount = 546203, SleepMilliseconds = 60000.
TickCount = 546218, SleepMilliseconds = 60000.
TickCount = 546234, SleepMilliseconds = 60000.
TickCount = 546250, SleepMilliseconds = 60000.
TickCount = 546265, SleepMilliseconds = 60000.
TickCount = 546281, SleepMilliseconds = 60000.
TickCount = 546296, SleepMilliseconds = 60000.
TickCount = 546312, SleepMilliseconds = 60000.
TickCount = 546781, SleepMilliseconds = 60000.
TickCount = 486922, SleepMilliseconds = 1.
TickCount = 486938, SleepMilliseconds = 1.
TickCount = 486954, SleepMilliseconds = 1.
TickCount = 486969, SleepMilliseconds = 1.
TickCount = 486985, SleepMilliseconds = 1.
Behavior description:关闭系统文件保护
details:N/A
Behavior description:调用Sleep函数
details:[1]: MilliSeconds = 60000.
Run screenshot
VirSCAN

About VirSCAN | Privacy Policy | Contact us | Links | Help VirSCAN
中国反网络病毒联盟
Powered By CentOSpol

京ICP备11007605号-12

pol

京公网安备 11010802020746号