VirSCAN


File information
Safety rating: 55
Behavior list
Basic Information
MD5:4afaac3ffacd185fb38be13eabea52b4
file type:EXE
Production company:TeraByte Unlimited
version:2.7.5.0---2.75
Shell or compiler information:PACKER:Armadillo 3.78 - 4.xx -> Silicon Realms Toolworks
Key behavior
Behavior description: Cross-process data write
details:TargetProcess = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe, WriteAddress = 0x00150000, Size = 0x00000020
TargetProcess = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe, WriteAddress = 0x00150020, Size = 0x00000034
TargetProcess = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe, WriteAddress = 0x7ffdf238, Size = 0x00000004
Behavior description: Probes for the presence of Virtual PC
details:N/A
Behavior description: Queries registry (virtual machine detection related)
details:\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Behavior description: Sets thread context
details:C:\Users\Administrator\AppData\Local\%temp%\b70c.exe
Behavior description: Attempts to open driver device objects of debuggers or monitoring software
details:\??\SICE
\??\NTICE
\??\SIWVID
Behavior description: Cross-process write to code section
details:TargetProcess = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe, WriteAddress = 0x00607000, Size = 0x00000002
Behavior description: Obtains window screenshot information
details:Foreground window Info: HWND = 0x00000000, DC = 0x89010971.
Foreground window Info: HWND = 0x00000000, DC = 0x1101020f.
Foreground window Info: HWND = 0x00000000, DC = 0x1001097d.
Foreground window Info: HWND = 0x00000000, DC = 0xbb010880.
Foreground window Info: HWND = 0x00000000, DC = 0xc2010880.
Foreground window Info: HWND = 0x00000000, DC = 0xc3010880.
Foreground window Info: HWND = 0x00000000, DC = 0xc4010880.
Foreground window Info: HWND = 0x00000000, DC = 0x360109c1.
Foreground window Info: HWND = 0x00000000, DC = 0xc5010880.
Foreground window Info: HWND = 0x00000000, DC = 0xc6010880.
Foreground window Info: HWND = 0x00000000, DC = 0xc7010880.
Behavior description: Gets TickCount value
details:TickCount = 765735, SleepMilliseconds = 1.
TickCount = 765751, SleepMilliseconds = 1.
TickCount = 765844, SleepMilliseconds = 1.
TickCount = 765860, SleepMilliseconds = 1.
TickCount = 765876, SleepMilliseconds = 1.
TickCount = 765891, SleepMilliseconds = 1.
TickCount = 765907, SleepMilliseconds = 1.
TickCount = 765922, SleepMilliseconds = 1.
TickCount = 765938, SleepMilliseconds = 1.
TickCount = 765954, SleepMilliseconds = 1.
TickCount = 765969, SleepMilliseconds = 1.
TickCount = 765985, SleepMilliseconds = 1.
TickCount = 766001, SleepMilliseconds = 1.
TickCount = 766016, SleepMilliseconds = 1.
TickCount = 766032, SleepMilliseconds = 1.
Behavior description: Reads CPU clock directly
details:EAX = 0xd04b0687, EDX = 0x00000279
EAX = 0xd04b06d3, EDX = 0x00000279
EAX = 0xfe63bfa9, EDX = 0x00000279
EAX = 0xfe63bff5, EDX = 0x00000279
Behavior description: Searches for windows of common anti-virus/analysis tools
details:NtUserFindWindowEx: [Class,Window] = [FileMonClass,]
NtUserFindWindowEx: [Class,Window] = [RegMonClass,]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]
Behavior description: Detects virtual machine via VMware special instruction
details:N/A
Process behavior
Behavior description: Creates process
details:ImagePath = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe, CmdLine = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe
Behavior description: Cross-process write to code section
details:TargetProcess = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe, WriteAddress = 0x00607000, Size = 0x00000002
Behavior description: Sets thread context
details:C:\Users\Administrator\AppData\Local\%temp%\b70c.exe
Behavior description: Cross-process data write
details:TargetProcess = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe, WriteAddress = 0x00150000, Size = 0x00000020
TargetProcess = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe, WriteAddress = 0x00150020, Size = 0x00000034
TargetProcess = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe, WriteAddress = 0x7ffdf238, Size = 0x00000004
File behavior
Behavior description: Searches for files
details:FileName = C:\Users\Administrator
FileName = C:\Windows\*
FileName = C:\*
FileName = C:\Users\Administrator\AppData\Local\%temp%\*
FileName = C:\Windows\system32\*
FileName = C:\Users\ADMINI~1\AppData\Local\Temp\*
FileName = C:\Users\Administrator\AppData\Local\%temp%\IFW.INI
Registry behavior
Behavior description: Modifies registry
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs
\REGISTRY\MACHINE\SOFTWARE\Licenses\{R7C0DB872A3F777C0}
\REGISTRY\MACHINE\SOFTWARE\Licenses\{K7C0DB872A3F777C0}
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{650BF64C-9BE4-1282-BBFB-9DF44C3462B0}\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{650BF64C-9BE4-1282-BBFB-9DF44C3462B0}\InprocServer32\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{650BF64C-9BE4-1282-BBFB-9DF44C3462B0}\InprocServer32\ThreadingModel
\REGISTRY\MACHINE\SOFTWARE\Licenses\{I8472C9DDA17A372D}
\REGISTRY\MACHINE\SOFTWARE\Licenses\{08472C9DDA17A372D}
Behavior description: Deletes registry value
details:\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{650BF64C-9BE4-1282-BBFB-9DF44C3462B0}\0
Behavior description: Queries registry (virtual machine detection related)
details:\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Other behavior
Behavior description: Probes for the presence of Virtual PC
details:N/A
Behavior description: Creates mutex
details:160::DA0A5853A9
DILLOCREATE
DILLOOEP
DBWinMutex
RAL6882DB0F
6882DB0F::WK
Behavior description: Window information
details:Pid = 352, Hwnd=0xa02ca, Text = Image for Windows is in trial-mode and can only be used for evaluation purposes. Click the "Buy Now" button to purchase a license or click the "Enter Key" button to enter the product key you obtained in your purchase receipt., ClassName = Edit.
Pid = 352, Hwnd=0x1c01c0, Text = OK button will be enabled in 20 seconds..., ClassName = Static.
Pid = 352, Hwnd=0x2401de, Text = OK, ClassName = Button.
Pid = 352, Hwnd=0x1b01dc, Text = Enter &Key, ClassName = Button.
Pid = 352, Hwnd=0x260168, Text = &Buy Now!, ClassName = Button.
Pid = 352, Hwnd=0x1f0124, Text = Reminder, ClassName = SRTSmartDlg{D0A13D5E-B459-41B8-952C-60520249AB34}.
Pid = 352, Hwnd=0x1c01c0, Text = OK button will be enabled in 17 seconds..., ClassName = Static.
Pid = 352, Hwnd=0x1c01c0, Text = OK button will be enabled in 14 seconds..., ClassName = Static.
Pid = 352, Hwnd=0x1c01c0, Text = OK button will be enabled in 11 seconds..., ClassName = Static.
Pid = 352, Hwnd=0x1c01c0, Text = OK button will be enabled in 8 seconds..., ClassName = Static.
Pid = 352, Hwnd=0x1c01c0, Text = OK button will be enabled in 5 seconds..., ClassName = Static.
Pid = 352, Hwnd=0x1c01c0, Text = OK button will be enabled in 2 seconds..., ClassName = Static.
Pid = 352, Hwnd=0x2501de, Text = 帮助(&H), ClassName = Button.
Pid = 352, Hwnd=0x1d01c0, Text = <<上一步(&P), ClassName = Button.
Pid = 352, Hwnd=0xb02ca, Text = 下一步(&N)>>, ClassName = Button.
Behavior description: Hides specified window
details:[Window,Class] = [Reminder,SRTSmartDlg{D0A13D5E-B459-41B8-952C-60520249AB34}]
[Window,Class] = [正在获取网络资源列表... 如果等待时间太长,请禁用“显示整个网络”设置。,Static]
[Window,Class] = [,ComboLBox]
[Window,Class] = [压缩(&M),Button]
[Window,Class] = [几何参数(&G) ,Button]
[Window,Class] = [创建扩展分区(&E),Button]
[Window,Class] = [更改磁盘(&C),Button]
[Window,Class] = [添加虚拟驱动器(&V),Button]
[Window,Class] = [,#32770]
Behavior description: Checks whether it is being debugged
details:N/A
Behavior description: Opens mutex
details:CB8::DA0A5853A9
160::DA0A5853A9
6882DB0F:SIMULATEEXPIRED
160:DAF
Local\MSCTF.Asm.MutexDefault1
Behavior description: Searches for specified window
details:NtUserFindWindowEx: [Class,Window] = [ThunderRT6FormDC,Shareware Cheater v 3.0]
NtUserFindWindowEx: [Class,Window] = [ThunderRT6FormDC,]
NtUserFindWindowEx: [Class,Window] = [IFW2,]
Behavior description: Attempts to open driver device objects of debuggers or monitoring software
details:\??\SICE
\??\NTICE
\??\SIWVID
Behavior description: Searches for kernel32.dll base address
details:Instruction Address = 0x00607c7d
Behavior description: Opens event
details:HookSwitchHookEnabledEvent
Local\MSCTF.CtfActivated.Default1
Local\MSCTF.AsmCacheReady.Default1
\KernelObjects\MaximumCommitCondition
Global\SvcctrlStartEvent_A3752DX
Behavior description: Enumerates windows
details:N/A
Behavior description: Obtains window screenshot information
details:Foreground window Info: HWND = 0x00000000, DC = 0x89010971.
Foreground window Info: HWND = 0x00000000, DC = 0x1101020f.
Foreground window Info: HWND = 0x00000000, DC = 0x1001097d.
Foreground window Info: HWND = 0x00000000, DC = 0xbb010880.
Foreground window Info: HWND = 0x00000000, DC = 0xc2010880.
Foreground window Info: HWND = 0x00000000, DC = 0xc3010880.
Foreground window Info: HWND = 0x00000000, DC = 0xc4010880.
Foreground window Info: HWND = 0x00000000, DC = 0x360109c1.
Foreground window Info: HWND = 0x00000000, DC = 0xc5010880.
Foreground window Info: HWND = 0x00000000, DC = 0xc6010880.
Foreground window Info: HWND = 0x00000000, DC = 0xc7010880.
Behavior description: Directly accesses physical device
details:\??\PHYSICALDRIVE0
\??\PhysicalDrive0
Behavior description: Calls Sleep function
details:[1]: MilliSeconds = 100.
[1]: MilliSeconds = 1.
[2]: MilliSeconds = 1.
[3]: MilliSeconds = 1.
[4]: MilliSeconds = 1.
[5]: MilliSeconds = 1.
[6]: MilliSeconds = 1.
[7]: MilliSeconds = 1.
[8]: MilliSeconds = 1.
[9]: MilliSeconds = 100.
[10]: MilliSeconds = 1.
[2]: MilliSeconds = 250.
[3]: MilliSeconds = 500.
Behavior description: Adjusts process token privileges
details:SE_INC_WORKING_SET_PRIVILEGE
SE_SHUTDOWN_PRIVILEGE
Behavior description: Gets TickCount value
details:TickCount = 765735, SleepMilliseconds = 1.
TickCount = 765751, SleepMilliseconds = 1.
TickCount = 765844, SleepMilliseconds = 1.
TickCount = 765860, SleepMilliseconds = 1.
TickCount = 765876, SleepMilliseconds = 1.
TickCount = 765891, SleepMilliseconds = 1.
TickCount = 765907, SleepMilliseconds = 1.
TickCount = 765922, SleepMilliseconds = 1.
TickCount = 765938, SleepMilliseconds = 1.
TickCount = 765954, SleepMilliseconds = 1.
TickCount = 765969, SleepMilliseconds = 1.
TickCount = 765985, SleepMilliseconds = 1.
TickCount = 766001, SleepMilliseconds = 1.
TickCount = 766016, SleepMilliseconds = 1.
TickCount = 766032, SleepMilliseconds = 1.
Behavior description: Reads CPU clock directly
details:EAX = 0xd04b0687, EDX = 0x00000279
EAX = 0xd04b06d3, EDX = 0x00000279
EAX = 0xfe63bfa9, EDX = 0x00000279
EAX = 0xfe63bff5, EDX = 0x00000279
Behavior description: Searches for windows of common anti-virus/analysis tools
details:NtUserFindWindowEx: [Class,Window] = [FileMonClass,]
NtUserFindWindowEx: [Class,Window] = [RegMonClass,]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]
Behavior description: Detects virtual machine via VMware special instruction
details:N/A
Run screenshot