VirSCAN
File information
Safety rating:35
Behavior list
Basic Information
MD5:253f8fc8cf78bb834dd1c0a4dab32119
file type:EXE
Production company:
version:
Shell or compiler information:
Key behavior
Behavior description: Writes data across processes
details:C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\alg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tencent\QQ\Bin\QQ.exe
C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\PersonalBankPortal.exe
C:\%temp%\1446458322.158621.exe
C:\%temp%\1446458322.162142.exe
C:\%temp%\1446458322.165636.exe
Behavior description: Creates remote thread
details:C:\WINDOWS\system32\winlogon.exe
Behavior description: Gets TickCount value
details:TickCount = 484947, SleepMilliseconds = 10.
TickCount = 484963, SleepMilliseconds = 10.
TickCount = 485025, SleepMilliseconds = 10.
TickCount = 495338, SleepMilliseconds = 10.
TickCount = 495353, SleepMilliseconds = 10.
TickCount = 503041, SleepMilliseconds = 10.
Behavior description: Blocks window close message
details:hWnd = 0x000202a2, Text = PEiD v0.94, ClassName = #32770.
Behavior description: Disables system file protection
details:N/A
Behavior description: Modifies registry (system firewall trusted process list)
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINDOWS\system32\winlogon.exe
Behavior description: Modifies memory across processes via memory mapping
details:TargetProcess = [System Process]
Process behavior
Behavior description: Writes data across processes
details:C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\alg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tencent\QQ\Bin\QQ.exe
C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\PersonalBankPortal.exe
C:\%temp%\1446458322.158621.exe
C:\%temp%\1446458322.162142.exe
C:\%temp%\1446458322.165636.exe
Behavior description: Creates local thread
details:N/A
Behavior description: Creates remote thread
details:C:\WINDOWS\system32\winlogon.exe
Behavior description: Enumerates processes
details:N/A
Behavior description: Process exits
details:N/A
Behavior description: Modifies memory across processes via memory mapping
details:TargetProcess = [System Process]
File behavior
Behavior description: Searches for files
details:FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\plugins\*.dll
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\plugins\*.*
Network behavior
Behavior description: Establishes a connection to a specified socket
details:219.133.40.1:80
Behavior description: Resolves host address by name
details:ilo.brenz.pl
ant.trenz.pl
Registry behavior
Behavior description: Modifies registry
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-*\RefCount
Behavior description: Modifies registry (system firewall trusted process list)
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINDOWS\system32\winlogon.exe
Other behavior
Behavior description: Creates mutex
details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.MFF
Behavior description: Creates event object
details:EventName = MSCTF.SendReceive.Event.MFF.IC
EventName = MSCTF.SendReceiveConection.Event.MFF.IC
Behavior description: Finds specified window
details:NtUserFindWindowEx: [Class,Window] = [,PEiD v0.94]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Window information
details:Pid = 416, Hwnd=0x202a6, Text = ..., ClassName = Button.
Pid = 416, Hwnd=0x202a8, Text = &Multi Scan, ClassName = Button.
Pid = 416, Hwnd=0x202cc, Text = &Task Viewer, ClassName = Button.
Pid = 416, Hwnd=0x202b4, Text = &Options, ClassName = Button.
Pid = 416, Hwnd=0x202b2, Text = &About, ClassName = Button.
Pid = 416, Hwnd=0x302ba, Text = E&xit, ClassName = Button.
Pid = 416, Hwnd=0x202d4, Text = ->, ClassName = Button.
Pid = 416, Hwnd=0x302dc, Text = File:, ClassName = Static.
Pid = 416, Hwnd=0x202c2, Text = &Stay on top, ClassName = Button(CheckBox).
Pid = 416, Hwnd=0x202b0, Text = Entrypoint:, ClassName = Static.
Pid = 416, Hwnd=0x202ae, Text = File Offset:, ClassName = Static.
Pid = 416, Hwnd=0x202aa, Text = Linker Info:, ClassName = Static.
Pid = 416, Hwnd=0x202ac, Text = EP Section:, ClassName = Static.
Pid = 416, Hwnd=0x402be, Text = First Bytes:, ClassName = Static.
Pid = 416, Hwnd=0x702c0, Text = Subsystem:, ClassName = Static.
Behavior description: Acquires system privileges
details:SE_DEBUG_PRIVILEGE
SE_TAKE_OWNERSHIP_PRIVILEGE
SE_RESTORE_PRIVILEGE
SE_BACKUP_PRIVILEGE
SE_CHANGE_NOTIFY_PRIVILEGE
Behavior description: Gets TickCount value
details:TickCount = 484947, SleepMilliseconds = 10.
TickCount = 484963, SleepMilliseconds = 10.
TickCount = 485025, SleepMilliseconds = 10.
TickCount = 495338, SleepMilliseconds = 10.
TickCount = 495353, SleepMilliseconds = 10.
TickCount = 503041, SleepMilliseconds = 10.
Behavior description: Blocks window close message
details:hWnd = 0x000202a2, Text = PEiD v0.94, ClassName = #32770.
Behavior description: Disables system file protection
details:N/A
Behavior description: Program exception/crash information
details:EAX=0x00000000, EBX=0x7FFD4000, ECX=0x0012FFB0, EDX=0x7C92E4F4, ESI=0x536CD652, EDI=0x001310C4, EBP=0x0012FFF0, ESP=0x0012FFBC, EIP=0x00401016, ExceptionCode=0xC0000005(ACCESS_VIOLATION), ExceptionModule=C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1446458321.796866.exe
Disassembly:
0x00401016: mov dword ptr [eax], ecx
0x00401018: push eax
0x00401019: inc ebp
0x0040101A: inc ebx
0x0040101B: xor al, byte ptr [eax]
0x0040101D: mov cl, C3h
0x0040101F: push ebp
0x00401020: cld
0x00401021: ror edi, 1
0x00401023: pop ds
0x00401024: pushfd
0x00401025: xchg eax, ebx
0x00401026: mov esi, ebp
0x00401028: into
0x00401029: and byte ptr [esi-17167DC2h], ch
0x0040102F: je 0040107Ch
0x00401031: jnl 00401007h
0x00401033: bound eax, dword ptr [eax+764D62D8h]
0x00401039: cdq
0x0040103A: xor ch, ch
0x0040103C: or byte ptr [ebp+ecx-35h], ADh
0x00401041: pushad
0x00401042: lds esp, fword ptr [ecx+esi*8-51B92B90h]