VirSCAN

1, You can UPLOAD any files, but there is a 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.
4, If your browser cannot upload files, please download the VirSCAN uploader to upload.


File information

Virscan.org multi-engine scan report
Behavior analysis report: Habo file analysis

Basic Information

MD5:b8c42d2e1c63502e5fe4b0215b33bb0d
File size: 5.58MB
Upload time: 2014-09-22 10:36:30 (CST)
Package names:
Minimum operating environment:
copyright:

Key behavior

Behavior description: Cross-process data write
details: TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x00c4fffc, Size = 0x00000004
Behavior description: Detect whether Virtual PC is present
details: N/A
Behavior description: Create remote thread
details: TargetProcess: xf-autocad-kg_x64.exe, InheritedFromPID = 2768, ProcessID = 2816, ThreadID = 2848, StartAddress = 00000000, Parameter = 00000001
Behavior description: Attempt to open the driver device objects of debuggers or monitoring software
details: \??\SICE
\??\NTICE
\??\SIWVID
Behavior description: Get TickCount value
details: TickCount = 5416609, SleepMilliseconds = 60000.
TickCount = 5416671, SleepMilliseconds = 60000.
TickCount = 5416687, SleepMilliseconds = 60000.
TickCount = 5416703, SleepMilliseconds = 60000.
TickCount = 5416718, SleepMilliseconds = 60000.
TickCount = 5416796, SleepMilliseconds = 60000.
TickCount = 5416921, SleepMilliseconds = 60000.
TickCount = 5416906, SleepMilliseconds = 60000.
TickCount = 5416937, SleepMilliseconds = 60000.
TickCount = 5417046, SleepMilliseconds = 60000.
TickCount = 5417062, SleepMilliseconds = 60000.
TickCount = 5417078, SleepMilliseconds = 60000.
TickCount = 5417093, SleepMilliseconds = 60000.
TickCount = 5417250, SleepMilliseconds = 60000.
TickCount = 5417609, SleepMilliseconds = 60000.
Behavior description: Check whether it is being debugged
details: N/A
Behavior description: Cross-process write to code segment
details: TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x00598000, Size = 0x00000002
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x00470000, Size = 0x00001000
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x00476000, Size = 0x00001000
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x00401000, Size = 0x00001000
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x00475000, Size = 0x00001000
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x00474000, Size = 0x00001000
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x00403000, Size = 0x00001000
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x00473000, Size = 0x00001000
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x0047d000, Size = 0x00001000
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x0046f000, Size = 0x00001000
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x00477000, Size = 0x00001000
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x0045a000, Size = 0x00001000
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x00478000, Size = 0x00001000
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x00402000, Size = 0x00001000
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x00472000, Size = 0x00001000
Behavior description: Query registry (virtual machine detection related)
details: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Behavior description: Search for windows of common anti-virus tools
details: NtUserFindWindowEx: [Class,Window] = [FileMonClass,]
NtUserFindWindowEx: [Class,Window] = [RegMonClass,]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]

Process behavior

Behavior description: Create process
details: ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe"
Behavior description: Create local thread
details: TargetProcess: xf-autocad-kg_x64.exe, InheritedFromPID = 1944, ProcessID = 2768, ThreadID = 2852, StartAddress = 004F02B0, Parameter = 000007A8
TargetProcess: xf-autocad-kg_x64.exe, InheritedFromPID = 2768, ProcessID = 2816, ThreadID = 2864, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: xf-autocad-kg_x64.exe, InheritedFromPID = 2768, ProcessID = 2816, ThreadID = 2868, StartAddress = 00E2BDC0, Parameter = 00000000
TargetProcess: xf-autocad-kg_x64.exe, InheritedFromPID = 2768, ProcessID = 2816, ThreadID = 2872, StartAddress = 77E56C7D, Parameter = 0019C450
TargetProcess: xf-autocad-kg_x64.exe, InheritedFromPID = 2768, ProcessID = 2816, ThreadID = 2876, StartAddress = 769AE43B, Parameter = 0019EE38
TargetProcess: xf-autocad-kg_x64.exe, InheritedFromPID = 2768, ProcessID = 2816, ThreadID = 2940, StartAddress = 00E4B440, Parameter = 00000000
TargetProcess: xf-autocad-kg_x64.exe, InheritedFromPID = 2768, ProcessID = 2816, ThreadID = 2992, StartAddress = 00E4B440, Parameter = 00000000
TargetProcess: xf-autocad-kg_x64.exe, InheritedFromPID = 2768, ProcessID = 2816, ThreadID = 2996, StartAddress = 00E59300, Parameter = 00000000
TargetProcess: xf-autocad-kg_x64.exe, InheritedFromPID = 2768, ProcessID = 2816, ThreadID = 3000, StartAddress = 0046E620, Parameter = 00000000
TargetProcess: xf-autocad-kg_x64.exe, InheritedFromPID = 2768, ProcessID = 2816, ThreadID = 3016, StartAddress = 00E587A0, Parameter = 00000000
Behavior description: Create remote thread
details: TargetProcess: xf-autocad-kg_x64.exe, InheritedFromPID = 2768, ProcessID = 2816, ThreadID = 2848, StartAddress = 00000000, Parameter = 00000001
Behavior description: Cross-process data write
details: TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x00c4fffc, Size = 0x00000004
Behavior description: Cross-process write to code segment
details: TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x00598000, Size = 0x00000002
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x00470000, Size = 0x00001000
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x00476000, Size = 0x00001000
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x00401000, Size = 0x00001000
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x00475000, Size = 0x00001000
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x00474000, Size = 0x00001000
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x00403000, Size = 0x00001000
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x00473000, Size = 0x00001000
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x0047d000, Size = 0x00001000
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x0046f000, Size = 0x00001000
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x00477000, Size = 0x00001000
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x0045a000, Size = 0x00001000
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x00478000, Size = 0x00001000
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x00402000, Size = 0x00001000
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe, WriteAddress = 0x00472000, Size = 0x00001000

File behavior

Behavior description: Search for files
details: FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\xf-autocad-kg_x64.exe
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\WINDOWS\*
FileName = C:\*
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\AutoCAD 2013【注册机】\*
FileName = C:\WINDOWS\system32\*
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\*

Registry behavior

Behavior description: Modify registry
details: \REGISTRY\MACHINE\SOFTWARE\Licenses\{R7C0DB872A3F777C0}
\REGISTRY\MACHINE\SOFTWARE\Licenses\{K7C0DB872A3F777C0}
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE3F761C-CD5A-B59D-74EA-605FD5296B5E}\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE3F761C-CD5A-B59D-74EA-605FD5296B5E}\InprocServer32\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE3F761C-CD5A-B59D-74EA-605FD5296B5E}\InprocServer32\ThreadingModel
\REGISTRY\MACHINE\SOFTWARE\Licenses\{IE83EB676AA8C8BD4}
\REGISTRY\MACHINE\SOFTWARE\Licenses\{0E83EB676AA8C8BD4}
Behavior description: Delete registry value
details: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE3F761C-CD5A-B59D-74EA-605FD5296B5E}\0
Behavior description: Query registry (virtual machine detection related)
details: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

Other behavior

Behavior description: Detect whether Virtual PC is present
details: N/A
Behavior description: Create mutex
details: B00::DAE59F96BF
DILLOCREATE
DILLOOEP
RAL9191B20A
9191B20A::WK
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.EAL
Behavior description: Create event object
details: EventName = DINPUTWINMM
EventName = MSCTF.SendReceive.Event.EAL.IC
EventName = MSCTF.SendReceiveConection.Event.EAL.IC
Behavior description: Check whether it is being debugged
details: N/A
Behavior description: Search for specified window
details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Attempt to open the driver device objects of debuggers or monitoring software
details: \??\SICE
\??\NTICE
\??\SIWVID
Behavior description: Search for kernel32.dll base address
details: Instruction Address = 0x00598c7d
Behavior description: Open event
details: HookSwitchHookEnabledEvent
MSFT.VSA.COM.DISABLE.2816
MSFT.VSA.IEC.STATUS.6c736db0
Global\SvcctrlStartEvent_A3752DX
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000041
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000041
MSCTF.SendReceiveConection.Event.ELH.IC
MSCTF.SendReceive.Event.ELH.IC
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000042
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000042
Behavior description: Enumerate windows
details: N/A
Behavior description: Adjust process token privileges
details: SE_INC_BASE_PRIORITY_PRIVILEGE
Behavior description: Direct access to physical device
details: \??\PHYSICALDRIVE0
Behavior description: Call Sleep function
details: [1]: MilliSeconds = 100.
[2]: MilliSeconds = 100.
[3]: MilliSeconds = 100.
[1]: MilliSeconds = 60000.
[2]: MilliSeconds = 60000.
[3]: MilliSeconds = 60000.
[4]: MilliSeconds = 60000.
[5]: MilliSeconds = 100.
[6]: MilliSeconds = 60000.
[7]: MilliSeconds = 60000.
[8]: MilliSeconds = 60000.
[9]: MilliSeconds = 60000.
[10]: MilliSeconds = 200.
[4]: MilliSeconds = 250.
[5]: MilliSeconds = 500.
Behavior description: Get TickCount value
details: TickCount = 5416609, SleepMilliseconds = 60000.
TickCount = 5416671, SleepMilliseconds = 60000.
TickCount = 5416687, SleepMilliseconds = 60000.
TickCount = 5416703, SleepMilliseconds = 60000.
TickCount = 5416718, SleepMilliseconds = 60000.
TickCount = 5416796, SleepMilliseconds = 60000.
TickCount = 5416921, SleepMilliseconds = 60000.
TickCount = 5416906, SleepMilliseconds = 60000.
TickCount = 5416937, SleepMilliseconds = 60000.
TickCount = 5417046, SleepMilliseconds = 60000.
TickCount = 5417062, SleepMilliseconds = 60000.
TickCount = 5417078, SleepMilliseconds = 60000.
TickCount = 5417093, SleepMilliseconds = 60000.
TickCount = 5417250, SleepMilliseconds = 60000.
TickCount = 5417609, SleepMilliseconds = 60000.
Behavior description: Open mutex
details: AD0::DAE59F96BF
ShimCacheMutex
B00::DAE59F96BF
DBWinMutex
9191B20A:SIMULATEEXPIRED
B00:DAF
Behavior description: Search for windows of common anti-virus tools
details: NtUserFindWindowEx: [Class,Window] = [FileMonClass,]
NtUserFindWindowEx: [Class,Window] = [RegMonClass,]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]