VirSCAN

File information
Safety rating: 89
Behavior list
Basic Information
MD5: 143b595ff00c5d7c8dcfd1431a2867e5
File type: EXE
Production company:
Version: 0.0.0.0
Shell or compiler information:
Key behavior
Behavior description: Maps file with write access
Details: CiceroSharedMemDefaultS-*
MSCTF.MarshalInterface.FileMap.AEF..ILIHH
MSCTF.MarshalInterface.FileMap.AEF.B.HMIHH
MSCTF.MarshalInterface.FileMap.AEF.C.HMIHH
MSCTF.MarshalInterface.FileMap.AEF.D.HMIHH
MSCTF.MarshalInterface.FileMap.AEF.E.HMIHH
MSCTF.MarshalInterface.FileMap.AEF.F.HMIHH
MSCTF.MarshalInterface.FileMap.AEF.G.HMIHH
MSCTF.Shared.SFM.AEF
Behavior description: Checks whether it is being debugged
Details: N/A
Behavior description: Stops system service
Details: ServiceName = Windows Time
Behavior description: Hides specified window
Details: [Window,Class] = [AutoIt v3,AutoIt v3]
[Window,Class] = [系统信息,Button]
[Window,Class] = [,Static]
[Window,Class] = [,Button]
[Window,Class] = [软改模块,Button]
[Window,Class] = [模块1,Button]
[Window,Class] = [模块2,Button]
[Window,Class] = [模块3,Button]
[Window,Class] = [KMS,Button]
[Window,Class] = [自动续期,Button]
[Window,Class] = [激活,Button]
[Window,Class] = [查看,Button]
[Window,Class] = [卸载,Button]
[Window,Class] = [软件简介:本程序基于Vista Loader和vlmcsd KMS内核,原理是 利用GRLDR模拟品牌机SLIC,实现Vista/2008/7的OEM软改激活, 以及10/8.1/8/Office2016/2013/2010的KMS离线激活。免刷BIOS, 简单安全,傻瓜
Behavior description: Blocks window close message
Details: hWnd = 0x000502cc, Text = Windows一键激活 1.6.9.23, ClassName = AutoIt v3 GUI.
Process behavior
Behavior description: Creates process with hidden window
Details: ImagePath = , CmdLine = sc config w32time start= auto
ImagePath = , CmdLine = sc stop w32time
ImagePath = , CmdLine = sc start w32time
ImagePath = , CmdLine = c:\windows\system32\cmd.exe /c del /f /s /q "%appdata%\microsoft\templates\*.dot*"
ImagePath = , CmdLine = c:\windows\system32\cmd.exe /c del /f /s /q "%appdata%\microsoft\word\startup\*.dot*"
Behavior description: Creates process
Details: ImagePath = C:\WINDOWS\system32\sc.exe, CmdLine = sc config W32Time start= auto
ImagePath = C:\WINDOWS\system32\sc.exe, CmdLine = sc stop w32time
ImagePath = C:\WINDOWS\system32\sc.exe, CmdLine = sc start w32time
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c del /f /s /q "%appdata%\microsoft\Templates\*.dot*"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c del /f /s /q "%appdata%\microsoft\Word\Startup\*.dot*"
Behavior description: Enumerates processes
Details: N/A
File behavior
Behavior description: Maps file with write access
Details: CiceroSharedMemDefaultS-*
MSCTF.MarshalInterface.FileMap.AEF..ILIHH
MSCTF.MarshalInterface.FileMap.AEF.B.HMIHH
MSCTF.MarshalInterface.FileMap.AEF.C.HMIHH
MSCTF.MarshalInterface.FileMap.AEF.D.HMIHH
MSCTF.MarshalInterface.FileMap.AEF.E.HMIHH
MSCTF.MarshalInterface.FileMap.AEF.F.HMIHH
MSCTF.MarshalInterface.FileMap.AEF.G.HMIHH
MSCTF.Shared.SFM.AEF
Behavior description: Modifies file contents
Details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aut3.tmp---> Offset = 0
C:\WINDOWS\system32\Readme.txt---> Offset = 0
Behavior description: Searches for file
Details: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\1443082326.866828.exe
FileName = C:\WINDOWS\autokms\autokms.exe
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\sc.exe
FileName = C:\WINDOWS\system32\cmd.exe
FileName = C:\WINDOWS\system32\Readme.txt
FileName = C:\Documents and Settings\Administrator\Application Data\microsoft\Templates\*.dot*
FileName = C:\Documents and Settings\Administrator\Application Data\microsoft\Word\Startup\*.dot*
FileName = C:\Documents and Settings\Administrator\Application Data\microsoft\Word\Startup\*
FileName = C:\Documents and Settings\Administrator\Application Data\microsoft\Templates\*
FileName = C:\Documents and Settings\Administrator\Application Data\microsoft\Templates\Document Themes\*.dot*
FileName = C:\Documents and Settings\Administrator\Application Data\microsoft\Templates\Document Themes\*
Registry behavior
Behavior description: Modifies registry
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\W32Time\Config\MaxNegPhaseCorrection
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\W32Time\Config\MaxPosPhaseCorrection
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval
Behavior description: Deletes registry key
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{BDEADF00-C265-11d0-BCED-00A0C90AB50F}
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace
Other behavior
Behavior description: Checks whether it is being debugged
Details: N/A
Behavior description: Creates mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
SHIMLIB_LOG_MUTEX
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.AEF
Behavior description: Hides specified window
Details: [Window,Class] = [AutoIt v3,AutoIt v3]
[Window,Class] = [系统信息,Button]
[Window,Class] = [,Static]
[Window,Class] = [,Button]
[Window,Class] = [软改模块,Button]
[Window,Class] = [模块1,Button]
[Window,Class] = [模块2,Button]
[Window,Class] = [模块3,Button]
[Window,Class] = [KMS,Button]
[Window,Class] = [自动续期,Button]
[Window,Class] = [激活,Button]
[Window,Class] = [查看,Button]
[Window,Class] = [卸载,Button]
[Window,Class] = [软件简介:本程序基于Vista Loader和vlmcsd KMS内核,原理是 利用GRLDR模拟品牌机SLIC,实现Vista/2008/7的OEM软改激活, 以及10/8.1/8/Office2016/2013/2010的KMS离线激活。免刷BIOS, 简单安全,傻瓜
Behavior description: Searches for specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Starts system service
Details: [服务启动成功]: LocalSystem, Windows Time, C:\WINDOWS\System32\svchost.exe -k netsvcs
Behavior description: Window information
Details: Pid = 1476, Hwnd=0x202b4, Text = =:=, ClassName = Static.
Pid = 1476, Hwnd=0x302bc, Text = 系统信息, ClassName = Button(GroupBox).
Pid = 1476, Hwnd=0x202d4, Text = 系统名称:Microsoft Windows XP, ClassName = Static.
Pid = 1476, Hwnd=0x302dc, Text = 系统标识:5.1.2600, ClassName = Static.
Pid = 1476, Hwnd=0x202c2, Text = 软改模块, ClassName = Button(GroupBox).
Pid = 1476, Hwnd=0x202c4, Text = 模块1, ClassName = Button(RadioButton).
Pid = 1476, Hwnd=0x202c8, Text = 模块2, ClassName = Button(RadioButton).
Pid = 1476, Hwnd=0x202ca, Text = 模块3, ClassName = Button(RadioButton).
Pid = 1476, Hwnd=0x202c6, Text = KMS, ClassName = Button(RadioButton).
Pid = 1476, Hwnd=0x302b8, Text = 自动续期, ClassName = Button(CheckBox).
Pid = 1476, Hwnd=0x202aa, Text = 激活, ClassName = Button.
Pid = 1476, Hwnd=0x402be, Text = 查看, ClassName = Button.
Pid = 1476, Hwnd=0x502ce, Text = 卸载, ClassName = Button.
Pid = 1476, Hwnd=0x302b6, Text = 软件简介:本程序基于Vista Loader和vlmcsd KMS内核,原理是 利用GRLDR模拟品牌机SLIC,实现Vista/2008/7的OEM软改激活, 以及10/8.1/8/O, ClassName = Edit.
Pid = 1476, Hwnd=0x502cc, Text = Windows一键激活 1.6.9.23, ClassName = AutoIt v3 GUI.
Behavior description: Gets TickCount value
Details: TickCount = 506431, SleepMilliseconds = 10.
Behavior description: Gets cursor position
Details: CursorPos = (106,18467), SleepMilliseconds = 10.
CursorPos = (6399,26500), SleepMilliseconds = 10.
CursorPos = (19234,15724), SleepMilliseconds = 10.
CursorPos = (11543,29358), SleepMilliseconds = 10.
CursorPos = (27027,24464), SleepMilliseconds = 10.
CursorPos = (5770,28145), SleepMilliseconds = 10.
CursorPos = (23346,16827), SleepMilliseconds = 10.
CursorPos = (10026,491), SleepMilliseconds = 10.
CursorPos = (3060,11942), SleepMilliseconds = 10.
CursorPos = (4892,5436), SleepMilliseconds = 10.
CursorPos = (32456,14604), SleepMilliseconds = 10.
CursorPos = (3967,153), SleepMilliseconds = 10.
CursorPos = (357,12382), SleepMilliseconds = 10.
CursorPos = (17486,18716), SleepMilliseconds = 10.
CursorPos = (19783,19895), SleepMilliseconds = 10.
Behavior description: Blocks window close message
Details: hWnd = 0x000502cc, Text = Windows一键激活 1.6.9.23, ClassName = AutoIt v3 GUI.
Behavior description: Enumerates windows
Details: N/A
Behavior description: Stops system service
Details: ServiceName = Windows Time
Run screenshot