1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, Aplikace VirSCAN může skenovat komprimované soubory s heslem 'infected'nebo'virus'.
| Safety rating:79 |
| Behavior list |
| Behavior analysis report: Hybrid file analysis Threatbook file behavior analysis report |
| Basic Information | |
|---|---|
| MD5: | 357dd53df03baa40564ad7a99632972a |
| file type: | Rar |
| Production company: | |
| version: | 1.0.0.0 |
| Shell or compiler information: | |
| Subfile information: | w7ldr / f8d487926c8f0925e704b7ceee6a6a92 / Unknown |
| bootinst.exedumpFile / a841800dbc71eb00bf7b841738c48b92 / EXE | |
| w7ldrdumpFile / f8d487926c8f0925e704b7ceee6a6a92 / Unknown | |
| bootrest.exedumpFile / e1921dea226b244f83ac5f59681d48a2 / EXE | |
| bootinst.exe / a841800dbc71eb00bf7b841738c48b92 / EXE | |
| bootrest.exe / e1921dea226b244f83ac5f59681d48a2 / EXE | |
| showdrive.exedumpFile / 23bee4b5b4d117c63d8650080c690d2e / EXE | |
| showdrive.exe / 23bee4b5b4d117c63d8650080c690d2e / EXE | |
| Win7.cmddumpFile / 15748c7d01af21a2e18cc32436f19aec / Unknown | |
| Win7.cmd / 15748c7d01af21a2e18cc32436f19aec / Unknown | |
| Certificate.xrm-msdumpFile / 4baa251d0af2e67eb5d7e231175e9e94 / Unknown | |
| Certificate.xrm-ms / 4baa251d0af2e67eb5d7e231175e9e94 / Unknown | |
| msg.vbsdumpFile / 545ae6a469af091b1035032e9072794d / Unknown | |
| msg.vbs / 545ae6a469af091b1035032e9072794d / Unknown | |
| filesdumpFile / d41d8cd98f00b204e9800998ecf8427e / Unknown | |
| Key behavior | |
|---|---|
| Behavior description: | 隐藏指定窗口 |
| details: | [Window,Class] = [,ComboLBox] |
| Process behavior | |
|---|---|
| Behavior description: | 创建进程 |
| details: | ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c ""C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\Win7.cmd" " |
| Behavior description: | 创建新文件进程 |
| details: | ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\files\showdrive.exe, CmdLine = files\showdrive.exe |
| File behavior | |
|---|---|
| Behavior description: | 写权限映射文件 |
| details: | Local\UrlZonesSM_Administrator |
| Behavior description: | 创建可执行文件 |
| details: | C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\files\bootinst.exe |
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\files\bootrest.exe | |
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\files\showdrive.exe | |
| Behavior description: | 修改文件内容 |
| details: | C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\msg.vbs---> Offset = 0 |
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\Win7.cmd---> Offset = 0 | |
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\files\w7ldr---> Offset = 131072 | |
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\files\Certificate.xrm-ms---> Offset = 0 | |
| Registry behavior | |
|---|---|
| Behavior description: | 修改注册表 |
| details: | \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\X\BaseClass |
| \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\Win7.cmd | |
| Other behavior | |
|---|---|
| Behavior description: | 创建互斥体 |
| details: | Local\ZonesCounterMutex |
| Local\ZoneAttributeCacheCounterMutex | |
| Local\ZonesCacheCounterMutex | |
| Local\ZonesLockedCacheCounterMutex | |
| Behavior description: | 隐藏指定窗口 |
| details: | [Window,Class] = [,ComboLBox] |
| Behavior description: | 查找指定窗口 |
| details: | NtUserFindWindowEx: [Class,Window] = [EDIT,] |
| Behavior description: | 获取系统权限 |
| details: | SE_LOAD_DRIVER_PRIVILEGE |
| Behavior description: | 窗口信息 |
| details: | Pid = 560, Hwnd=0xd01e8, Text = 阿非修改的Windows 7激活程序 v1.0, ClassName = ConsoleWindowClass. |
| Behavior description: | 直接操作物理设备 |
| details: | \??\PhysicalDrive0 |
| Run screenshot |
|---|
 |
HOME
