VirSCAN

File information
Safety rating: 60
Behavior list
Basic Information
MD5: 478b8849d4e708084273271650dc8b10
file type: EXE
Production company: Microsoft Corporation (copied from the PE version resource, which the author controls; the window titles recorded below, "Imminent Monitor" and "You are being monitored by:", show this is not a Microsoft binary)
version: 2.0.50727.8007 --- 2.0.50727.8007 (file version --- product version; a .NET Framework 2.0 runtime version string, again taken from the version resource rather than from the code itself)
Shell or compiler information: COMPILER: Microsoft Visual C# / Basic .NET
Key behavior
Behavior description: Cross-process data write (WriteProcessMemory into another process)
details: TargetProcess = %temp%\1446153218.765231.exe, WriteAddress = 0x00400000, Size = 512
TargetProcess = %temp%\1446153218.775124.exe, WriteAddress = 0x00402000, Size = 360448
TargetProcess = %temp%\1446153218.784818.exe, WriteAddress = 0x0045a000, Size = 1024
TargetProcess = %temp%\1446153218.795662.exe, WriteAddress = 0x0045c000, Size = 512
TargetProcess = %temp%\1446153218.806162.exe, WriteAddress = 0x7ffdc008, Size = 4
Note: 0x00400000 is the default image base of a 32-bit executable, so the 512-byte write there is a PE header, the 360448-byte write at 0x00402000 is a code section, and the two small writes at 0x0045a000 and 0x0045c000 are further sections. The 4-byte write at 0x7ffdc008 lands at offset 8 of a 32-bit PEB, the ImageBaseAddress field. Combined with the SetThreadContext call recorded below, this is the process hollowing (RunPE) sequence: a new PE image is written over a child process, the PEB image base is updated and the thread context is reset to the new entry point.
Behavior description: Hide specified window (ShowWindow with SW_HIDE on the listed windows)
details: [Window,Class] = [,Acrobat Viewer]
[Window,Class] = [,Edit]
[Window,Class] = [AVNullDocView,AVL_AVView]
[Window,Class] = [AVSplitterView,AVL_AVView]
[Window,Class] = [,ScrollBar]
[Window,Class] = [AVRulerView,AVL_AVView]
[Window,Class] = [AVTabStripView,AVL_AVView]
[Window,Class] = [AVTableContainerView,AVL_AVView]
[Window,Class] = [AVToolBarView,AVL_AVView]
[Window,Class] = [AVDockableHostView,AVL_AVView]
[Window,Class] = [,AVL_AVFloating]
[Window,Class] = [Adobe Reader,AcrobatSDIWindow]
[Window,Class] = [0,Edit]
[Window,Class] = [100%,Edit]
[Window,Class] = [123456,Edit]
Note: every window listed belongs to Adobe Reader (AVL_AVView, AcrobatSDIWindow), i.e. the viewer of the decoy PDF launched later in this report. Since the sandbox traces child processes, this entry most likely reflects Reader's own window management rather than the sample hiding its own UI.
Behavior description: Set message hook (SetWindowsHookEx)
details: idHook : d (0xd = 13 = WH_KEYBOARD_LL, a low-level keyboard hook, i.e. keystroke capture)
Behavior description: Set thread context (SetThreadContext)
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1446153218.453998.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
Behavior description: Write-access file mapping (section objects opened or created with write access)
details: Global\Cor_Private_IPCBlock_416
Global\Cor_Public_IPCBlock_416
CiceroSharedMemDefaultS-*
Global\NLS_00000804_Exception_Table_3_2
Global\Cor_Private_IPCBlock_2228
Global\Cor_Public_IPCBlock_2228
\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
\WINDOWS\system32\zh-cn\ieframe.dll.mui
Global\netfxcustomperfcounters.1.0.net clr networking
MSCTF.MarshalInterface.FileMap.IMJ..LIAHH
MSCTF.MarshalInterface.FileMap.IMJ.B.LJAHH
MSCTF.MarshalInterface.FileMap.IMJ.C.LJAHH
MSCTF.MarshalInterface.FileMap.IMJ.D.LJAHH
MSCTF.MarshalInterface.FileMap.IMJ.E.LJAHH
MSCTF.MarshalInterface.FileMap.IMJ.F.LJAHH
Note: the Cor_*_IPCBlock_<pid> sections are created by the .NET CLR for each managed process; PID 2228 is the process that owns the "Imminent Monitor" window in the window information below. The MSCTF/Cicero, NLS, GDI+ font cache and ieframe.dll.mui mappings are ordinary Windows text-services and GDI+ activity and carry no signal on their own.
Behavior description: Modify registry - startup item (per-user Run key persistence)
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\Default Key
Note: the report does not show the value's data. The only executable created during the run is C:\Documents and Settings\Administrator\Local Settings\Application Data\Default Folder\Server.exe (see File behavior), so the Run value named "Default Key" and the "Default Folder" drop location should be checked together when hunting for this sample.
Process behavior
Behavior description: Create process with hidden window
details: ImagePath = , CmdLine = "c:\program files\common files\adobe\updater6\adobe_updater.exe" -doactionappid=reader9rdr-zh_cn
Behavior description: Create process
details: ImagePath = C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe, CmdLine = "C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Documents and Settings\Administrator\Application Datalecture 6.pdf"
ImagePath = C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe, CmdLine = "C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe" -doActionAppID=reader9rdr-zh_CN
Note: the sample writes "lecture 6.pdf" to disk (see Modify file content) and opens it in Adobe Reader as a decoy. Reader in turn launches Adobe_Updater.exe. Nearly all of the Adobe registry, mutex, window and file entries in the rest of this report are side effects of that decoy being rendered, not behaviour of the sample itself.
Behavior description: Create process from newly created file
details: ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1446153218.449560.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1446153218.449560.exe"
Behavior description: Enumerate processes
details: N/A
File behavior
Behavior description: Create executable file
details: C:\Documents and Settings\Administrator\Local Settings\Application Data\Default Folder\Server.exe
Behavior description: Modify file content
details: C:\Documents and Settings\Administrator\Application Datalecture 6.pdf---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Imminent\Logs\30-10-2015---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\SharedDataEvents-journal---> Offset = 1028
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\SharedDataEvents---> Offset = 1024
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\SharedDataEvents-journal---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\UserCache.bin---> Offset = 12288
C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\AdobeUpdaterPrefs.dat---> Offset = 169
C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\aum.log---> Offset = 1519
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\SharedDataEvents---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\AdobeSysFnt09.lst---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Updater6\aumLib.log---> Offset = 770
Note: the first two entries are the sample's own: the decoy PDF written from offset 0, and a log file under %APPDATA%\Imminent\Logs named after the run date (30-10-2015), which together with the WH_KEYBOARD_LL hook above is where captured keystrokes would be expected to land. The remaining entries are Adobe Reader and Adobe Updater housekeeping.
Behavior description: Search for file
details:FileName = C:\WINDOWS
FileName = C:\WINDOWS\WinSxS
FileName = C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
FileName = C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1446153219.413791.exe
FileName = C:\Documents and Settings\ADMINI~1
FileName = C:\Documents and Settings\Administrator\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\996E.INI
FileName = C:/DOCUME~1
FileName = C:/DOCUME~1/ADMINI~1
Registry behavior
Behavior description: Modify registry (apart from the MUICache entry, all of these are Adobe Reader recent-file and view-state values written while displaying the decoy PDF)
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
\REGISTRY\USER\S-*\Software\Adobe\Acrobat Reader\9.0\AVGeneral\bLastExitNormal
\REGISTRY\USER\S-*\Software\Microsoft\ActiveMovie\devenum\Version
\REGISTRY\USER\S-*\Software\Adobe\Acrobat Reader\9.0\AVGeneral\cRecentFiles\c1\sDI
\REGISTRY\USER\S-*\Software\Adobe\Acrobat Reader\9.0\AVGeneral\cRecentFiles\c1\tDIText
\REGISTRY\USER\S-*\Software\Adobe\Acrobat Reader\9.0\AVGeneral\cRecentFiles\c1\aFS
\REGISTRY\USER\S-*\Software\Adobe\Acrobat Reader\9.0\RememberedViews\cNoCategoryFiles\c1\xID
\REGISTRY\USER\S-*\Software\Adobe\Acrobat Reader\9.0\RememberedViews\cNoCategoryFiles\c1\iTime
\REGISTRY\USER\S-*\Software\Adobe\Acrobat Reader\9.0\RememberedViews\cNoCategoryFiles\c1\cViewDef\iAVDocViewBottomSplitterPos
\REGISTRY\USER\S-*\Software\Adobe\Acrobat Reader\9.0\RememberedViews\cNoCategoryFiles\c1\cViewDef\iAVDocViewLeftSplitterPos
\REGISTRY\USER\S-*\Software\Adobe\Acrobat Reader\9.0\RememberedViews\cNoCategoryFiles\c1\cViewDef\bAVDocViewTabsShowing
\REGISTRY\USER\S-*\Software\Adobe\Acrobat Reader\9.0\RememberedViews\cNoCategoryFiles\c1\cViewDef\bAVToolBarHostView_ToolBarsShowing
\REGISTRY\USER\S-*\Software\Adobe\Acrobat Reader\9.0\RememberedViews\cNoCategoryFiles\c1\cViewDef\bShowingPageGaps
\REGISTRY\USER\S-*\Software\Adobe\Acrobat Reader\9.0\RememberedViews\cNoCategoryFiles\c1\cViewDef\cTopLeftView\bShowingPageGaps
\REGISTRY\USER\S-*\Software\Adobe\Acrobat Reader\9.0\RememberedViews\cNoCategoryFiles\c1\cViewDef\cTopLeftView\xpageViewBead
Behavior description: Delete registry value
details:\REGISTRY\USER\S-*\Software\Adobe\Acrobat Reader\9.0\AdobeViewer\MaxDoc
\REGISTRY\USER\S-*\Software\Adobe\Acrobat Reader\9.0\AdobeViewer\MaxApp
\REGISTRY\USER\S-*\Software\Adobe\Acrobat Reader\9.0\AdobeViewer\PrintToFile
Behavior description: Delete registry key
details: \REGISTRY\MACHINE\SYSTEM\Acrobatviewercpp304
\REGISTRY\MACHINE\SYSTEM\WSZXSGANXFJVAYSXYQGNXKQY
Note: the second key is a random-looking name directly under HKLM\SYSTEM; the report records only its deletion, so whether the sample created it earlier in the run cannot be determined from this page.
Other behavior
Behavior description: Set object security information
details:C:\Documents and Settings\All Users\Application Data\Adobe\Updater6
C:\Documents and Settings\All Users\Application Data\Adobe\Updater6\AdobeESDGlobalApps.xml
Behavior description: Create mutex (the CTF.*, MSCTF.*, Acrobat* and .net clr networking names are Windows text-services, Adobe Reader and CLR mutexes; only the GUID-style and hex names are candidates for sample-specific indicators, and those should be checked against a clean baseline before use)
details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
0564ae97-566a-4257-a765-6b924a5559a8
2AC1A572DB6944B0A65C38C4140AF2F482c0655310C
Acrobat Instance Mutex
Global\.net clr networking
MSCTF.Shared.MUTEX.ELH
Global\AcrobatViewerIsRunning
eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-*
MSCTF.Shared.MUTEX.ADI
MSCTF.Shared.MUTEX.IMJ
Behavior description: Find specified window (NtUserFindWindowEx)
details:NtUserFindWindowEx: [Class,Window] = [AdobeAcrobatSpeedLaunchCmdWnd,]
NtUserFindWindowEx: [Class,Window] = [AdobeReaderSpeedLaunchCmdWnd,]
NtUserFindWindowEx: [Class,Window] = [Acrobat Instance Window Class,Acrobat Instance Window]
NtUserFindWindowEx: [Class,Window] = [Acrobat Viewer,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [JFWUI2,]
NtUserFindWindowEx: [Class,Window] = [AcrobatTimerWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [UpdaterBaseDialogClass6,]
NtUserFindWindowEx: [Class,Window] = [AcrobatSDIWindow,]
Behavior description: Acquire system privileges (AdjustTokenPrivileges)
details: SE_DEBUG_PRIVILEGE (enabled before opening other processes for the cross-process writes and thread-context changes above)
SE_INC_BASE_PRIORITY_PRIVILEGE
SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Get TickCount value (GetTickCount read around each Sleep, a common check for sandboxes that fast-forward sleeps; the entries are not in chronological order, so they come from several threads or processes)
details: TickCount = 487390, SleepMilliseconds = 1000.
TickCount = 487406, SleepMilliseconds = 1000.
TickCount = 487406, SleepMilliseconds = 60000.
TickCount = 486457, SleepMilliseconds = 20.
TickCount = 486473, SleepMilliseconds = 20.
TickCount = 486520, SleepMilliseconds = 20.
TickCount = 486829, SleepMilliseconds = 1.
TickCount = 486844, SleepMilliseconds = 1.
TickCount = 486954, SleepMilliseconds = 1.
TickCount = 487534, SleepMilliseconds = 300.
TickCount = 492250, SleepMilliseconds = 5000.
TickCount = 492281, SleepMilliseconds = 5000.
TickCount = 488296, SleepMilliseconds = 1000.
TickCount = 487563, SleepMilliseconds = 1.
TickCount = 487579, SleepMilliseconds = 1.
Behavior description: Get cursor position (GetCursorPos polling, a user-activity check; coordinates this large are not real screen positions, so the sandbox is returning synthetic values)
details: CursorPos = (106,18467), SleepMilliseconds = 1.
CursorPos = (6399,26500), SleepMilliseconds = 1.
CursorPos = (19234,15724), SleepMilliseconds = 1.
CursorPos = (11543,29358), SleepMilliseconds = 1.
Behavior description: Window information (PID 2228 is the sample's own .NET form: title "Imminent Monitor", status text "Disconnected" and "You are being monitored by:"; PID 2092 is AcroRd32.exe showing the decoy)
details:Pid = 2228, Hwnd=0x202c8, Text = You are being monitored by: , ClassName = WindowsForms10.STATIC.app.0.3d893c.
Pid = 2228, Hwnd=0x202ca, Text = Disconnected, ClassName = WindowsForms10.STATIC.app.0.3d893c.
Pid = 2228, Hwnd=0x202d8, Text = Imminent Monitor, ClassName = WindowsForms10.Window.8.app.0.3d893c.
Pid = 2092, Hwnd=0x202aa, Text = AVToolBarHostView, ClassName = AVL_AVView.
Pid = 2092, Hwnd=0x10306, Text = AVTabStripView, ClassName = AVL_AVView.
Pid = 2092, Hwnd=0x102ea, Text = AVSplitterView, ClassName = AVL_AVView.
Pid = 2092, Hwnd=0x102ec, Text = AVSplitationPageView, ClassName = AVL_AVView.
Pid = 2092, Hwnd=0x102ee, Text = AVSplitterView, ClassName = AVL_AVView.
Pid = 2092, Hwnd=0x102f0, Text = AVScrolledPageView, ClassName = AVL_AVView.
Pid = 2092, Hwnd=0x102f2, Text = AVScrollView, ClassName = AVL_AVView.
Pid = 2092, Hwnd=0x102fa, Text = AVTableContainerView, ClassName = AVL_AVView.
Pid = 2092, Hwnd=0x102fc, Text = 21.587 x 27.937 cm, ClassName = Static.
Pid = 2092, Hwnd=0x102f8, Text = AVPageView, ClassName = AVL_AVView.
Pid = 2092, Hwnd=0x102e0, Text = AVNullDocView, ClassName = AVL_AVView.
Pid = 2092, Hwnd=0x202ac, Text = AVToolBarEasel, ClassName = AVL_AVView.
Behavior description: Call Sleep function (including a 60000 ms sleep early in the run, long enough to outlast a short sandbox timeout)
details:[1]: MilliSeconds = 1000.
[2]: MilliSeconds = 60000.
[3]: MilliSeconds = 1000.
[2]: MilliSeconds = 1000.
[4]: MilliSeconds = 8000.
[5]: MilliSeconds = 1000.
[6]: MilliSeconds = 5000.
[7]: MilliSeconds = 1000.
[8]: MilliSeconds = 3000.
[9]: MilliSeconds = 1000.
[10]: MilliSeconds = 8000.
[4]: MilliSeconds = 1000.
[6]: MilliSeconds = 1000.
[8]: MilliSeconds = 1000.
[10]: MilliSeconds = 1000.
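The cross-process writes, the thread-context change, the message hook, the Run key and the dropped Server.exe are the entries an analyst would pull out of this report. The script below is an added example, not VirSCAN's code: it parses a constructed excerpt of the report (labels translated to English, the sandbox's own %temp% and S-* placeholders kept) and turns those entries into findings. It assumes a 32-bit target, where PEB.ImageBaseAddress sits at offset 8 and the PEB is mapped in the 0x7ffdxxxx range, which is what the 0x7ffdc008 write above implies; the WH_* table is from winuser.h and VirSCAN prints idHook in hex.

```python
import re
from collections import defaultdict

# Constructed excerpt of the VirSCAN behavior report above, labels translated.
REPORT = r"""
Behavior description:Cross-process data write
details:TargetProcess = %temp%\1446153218.765231.exe, WriteAddress = 0x00400000, Size = 512
TargetProcess = %temp%\1446153218.775124.exe, WriteAddress = 0x00402000, Size = 360448
TargetProcess = %temp%\1446153218.784818.exe, WriteAddress = 0x0045a000, Size = 1024
TargetProcess = %temp%\1446153218.795662.exe, WriteAddress = 0x0045c000, Size = 512
TargetProcess = %temp%\1446153218.806162.exe, WriteAddress = 0x7ffdc008, Size = 4
Behavior description:Set message hook
details:idHook : d
Behavior description:Set thread context
details:C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1446153218.453998.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
Behavior description:Modify registry - startup item
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\Default Key
Behavior description:Create executable file
details:C:\Documents and Settings\Administrator\Local Settings\Application Data\Default Folder\Server.exe
Behavior description:Acquire system privileges
details:SE_DEBUG_PRIVILEGE
SE_INC_BASE_PRIORITY_PRIVILEGE
SE_LOAD_DRIVER_PRIVILEGE
"""

WRITE_RE = re.compile(
    r"TargetProcess = (?P<target>.+?), WriteAddress = 0x(?P<addr>[0-9a-fA-F]+), Size = (?P<size>\d+)")
HOOK_RE = re.compile(r"idHook\s*:\s*(?P<id>[0-9a-fA-F]+)")

# WH_* hook ids from winuser.h; VirSCAN prints idHook in hex ("d" == 13).
WINDOWS_HOOKS = {
    -1: "WH_MSGFILTER", 0: "WH_JOURNALRECORD", 1: "WH_JOURNALPLAYBACK", 2: "WH_KEYBOARD",
    3: "WH_GETMESSAGE", 4: "WH_CALLWNDPROC", 5: "WH_CBT", 6: "WH_SYSMSGFILTER",
    7: "WH_MOUSE", 8: "WH_HARDWARE", 9: "WH_DEBUG", 10: "WH_SHELL",
    11: "WH_FOREGROUNDIDLE", 12: "WH_CALLWNDPROCRET", 13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL",
}

PE_DEFAULT_IMAGE_BASE = 0x00400000      # default image base of a 32-bit EXE
PEB_IMAGEBASE_OFFSET = 0x8              # PEB.ImageBaseAddress, 32-bit Windows (assumption)
PEB_RANGE = (0x7ffd0000, 0x7fff0000)    # where 32-bit XP maps PEBs (assumption)


def parse_report(text):
    """Group the report into {behavior label: [detail lines]}."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Behavior description:"):
            current = line.split(":", 1)[1].strip()
        elif current is not None and line:
            if line.startswith("details:"):
                line = line[len("details:"):].strip()
            sections[current].append(line)
    return sections


def parse_writes(lines):
    """Return [(target, address, size)] for each cross-process write entry."""
    out = []
    for line in lines:
        m = WRITE_RE.search(line)
        if m:
            out.append((m["target"], int(m["addr"], 16), int(m["size"])))
    return out


def hollowing_indicators(writes, thread_context_lines):
    """Collect the parts of the RunPE / process-hollowing sequence present in the log."""
    found = []
    if any(addr == PE_DEFAULT_IMAGE_BASE for _, addr, _ in writes):
        found.append("PE header written at 0x00400000")
    if any(size >= 0x10000 for _, _, size in writes):
        found.append("section-sized write into target")
    if any(size == 4 and PEB_RANGE[0] <= addr < PEB_RANGE[1]
           and (addr & 0xfff) == PEB_IMAGEBASE_OFFSET for _, addr, size in writes):
        found.append("PEB.ImageBaseAddress overwritten")
    if thread_context_lines:
        found.append("SetThreadContext after the writes")
    return found


def decode_hooks(lines):
    """Translate 'idHook : <hex>' lines into WH_* names."""
    return [WINDOWS_HOOKS.get(int(m["id"], 16), "unknown")
            for m in map(HOOK_RE.search, lines) if m]


def triage(text):
    """Map the report to findings an analyst would act on."""
    s = parse_report(text)
    findings = {}
    hollow = hollowing_indicators(parse_writes(s["Cross-process data write"]),
                                  s["Set thread context"])
    if len(hollow) >= 3:
        findings["process_hollowing"] = hollow
    hooks = decode_hooks(s["Set message hook"])
    if any(h in ("WH_KEYBOARD", "WH_KEYBOARD_LL") for h in hooks):
        findings["keyboard_hook"] = hooks
    run = [l for l in s["Modify registry - startup item"] if "\\CurrentVersion\\Run\\" in l]
    if run:
        findings["run_key_persistence"] = run
    dropped = [l for l in s["Create executable file"] if l.lower().endswith(".exe")]
    if dropped:
        findings["dropped_executable"] = dropped
    if "SE_DEBUG_PRIVILEGE" in s["Acquire system privileges"]:
        findings["se_debug_privilege"] = True
    return findings


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```

The hollowing check deliberately requires at least three of the four pieces: a lone write at 0x00400000 or a lone SetThreadContext also shows up in debuggers and legitimate launchers, whereas header plus section plus PEB plus context reset is the full RunPE shape. The PEB range and offset are 32-bit assumptions; on a 64-bit target the ImageBaseAddress offset is 0x10 and the PEB lives elsewhere, so both constants would need changing.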