VirSCAN

1, You can UPLOAD any files, but there is a 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but the archive must contain fewer than 20 files.
3, VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.
4, If your browser cannot upload files, please download the VirSCAN uploader to upload.


File information

Virscan.org multi-engine scan report
Behavior analysis report: Habo file analysis

Basic Information

MD5: 5c405ade15f71a4ca9af7e2a448d53b3
File size: 5.58MB
Upload time: 2014-09-22 10:36:30 (CST)
Package names:
Minimum operating environment:
copyright:

Key behavior

Behavior description: Create file mapping with write access
details: Global\Cor_Private_IPCBlock_v4_1372
Global\Cor_SxSPublic_IPCBlock_1372
CiceroSharedMemDefaultS-*
\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
MSCTF.MarshalInterface.FileMap.MBB..FIJGH
MSCTF.MarshalInterface.FileMap.MBB.B.FIJGH
MSCTF.MarshalInterface.FileMap.MBB.C.FIJGH
MSCTF.MarshalInterface.FileMap.MBB.D.FIJGH
MSCTF.MarshalInterface.FileMap.MBB.E.FIJGH
MSCTF.MarshalInterface.FileMap.MBB.F.FIJGH
MSCTF.MarshalInterface.FileMap.MBB.G.FJJGH
MSCTF.Shared.SFM.MBB

Process behavior

Behavior description: Enumerate processes
details: N/A

File behavior

Behavior description: Modify file contents
details: C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT---> Offset = 0
C:\Documents and Settings\Administrator\桌面\Your Desktop Files.txt---> Offset = 0
C:\Documents and Settings\Administrator\桌面\Your Document Files.txt---> Offset = 0
Behavior description: Search for files
details: FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.INI
FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1445530407.722419.exe
FileName = C:\Documents and Settings\ADMINI~1
FileName = C:\Documents and Settings\Administrator\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\996E.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.INI
FileName = C:\Documents and Settings\Administrator\My Documents\*.*
FileName = C:\Documents and Settings\Administrator\桌面\*.*

Other behavior

Behavior description: Call the Sleep function
details: [1]: MilliSeconds = -1.
[2]: MilliSeconds = 60000.
Behavior description: Find a specified window
details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Window information
details: Pid = 1372, Hwnd=0x302ba, Text = Close only after making payment otherwise files could be lost ->, ClassName = WindowsForms10.STATIC.app.0.2bf8098_r23_ad1.
Pid = 1372, Hwnd=0x302bc, Text = Close The Application, ClassName = WindowsForms10.BUTTON.app.0.2bf8098_r23_ad1.
Pid = 1372, Hwnd=0x202d4, Text = Your files will be destroyed in 48 hours if payment is not made!, ClassName = WindowsForms10.EDIT.app.0.2bf8098_r23_ad1.
Pid = 1372, Hwnd=0x202d6, Text = Your personal files are encrypted!, ClassName = WindowsForms10.EDIT.app.0.2bf8098_r23_ad1.
Pid = 1372, Hwnd=0x202d8, Text = Proceed to buy Bitcoins, ClassName = WindowsForms10.BUTTON.app.0.2bf8098_r23_ad1.
Pid = 1372, Hwnd=0x202c2, Text = Important Info, ClassName = WindowsForms10.Window.8.app.0.2bf8098_r23_ad1.
Pid = 1372, Hwnd=0x202c4, Text = 1PvNq2Ypez83AXmMBmapPDr5yi4H4AkMbP, ClassName = WindowsForms10.EDIT.app.0.2bf8098_r23_ad1.
Pid = 1372, Hwnd=0x202c8, Text = Bitcoin Address:, ClassName = WindowsForms10.EDIT.app.0.2bf8098_r23_ad1.
Pid = 1372, Hwnd=0x202ca, Text = Click proceed to payment to obtain the private key, ClassName = WindowsForms10.EDIT.app.0.2bf8098_r23_ad1.
Pid = 1372, Hwnd=0x202c6, Text = To retrieve the private key, you need to pay $300 USD in Bitcoin to the address below. , ClassName = WindowsForms10.EDIT.app.0.2bf8098_r23_ad1.
Pid = 1372, Hwnd=0x302da, Text = The single copy of the private key, which will allow you to decrypt the files, is located on a secret sercer on the internet: the, ClassName = WindowsForms10.EDIT.app.0.2bf8098_r23_ad1.
Pid = 1372, Hwnd=0x302b8, Text = Encryption was produced using a unique public key RSA-4096 generated for this computer. To decrypt files, you need to obtain a pr, ClassName = WindowsForms10.EDIT.app.0.2bf8098_r23_ad1.
Pid = 1372, Hwnd=0x202b0, Text = Any attempt to remove or damage this software will lead to immediate private key destruction by the server., ClassName = WindowsForms10.EDIT.app.0.2bf8098_r23_ad1.
Pid = 1372, Hwnd=0x202ae, Text = Your important files were encrypted on this computer: photos,videos, documents, ect., ClassName = WindowsForms10.EDIT.app.0.2bf8098_r23_ad1.
Pid = 1372, Hwnd=0x202b2, Text = CryptoLocker 3.0, ClassName = WindowsForms10.Window.8.app.0.2bf8098_r23_ad1.
Behavior description: Create mutex
details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.MBB
Behavior description: Get TickCount value
details: TickCount = 503098, SleepMilliseconds = 20.
TickCount = 503098, SleepMilliseconds = 60000.
TickCount = 563093, SleepMilliseconds = 60000.
TickCount = 563109, SleepMilliseconds = 60000.