VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives whose password is 'infected' or 'virus'.
4. If your browser cannot upload files, please download the VirSCAN uploader to upload.

File information

Virscan.org multi-engine scan report
Behavior analysis report: Habo file analysis

Basic Information

MD5: d24953353212f350145bff42c02f1fab
File size: 5.58 MB
Upload time: 2014-09-22 10:36:30 (CST)
Package names:
Minimum operating environment:
Copyright:

Key behavior

Behavior description: Opens file mappings with write access
details: CiceroSharedMemDefaultS-*
MSCTF.MarshalInterface.FileMap.EKI..JBLHH
MSCTF.MarshalInterface.FileMap.EKI.B.JBLHH
MSCTF.MarshalInterface.FileMap.EKI.C.JBLHH
MSCTF.MarshalInterface.FileMap.EKI.D.JBLHH
MSCTF.MarshalInterface.FileMap.EKI.E.JBLHH
MSCTF.MarshalInterface.FileMap.EKI.F.JBLHH
MSCTF.MarshalInterface.FileMap.EKI.G.JCLHH
MSCTF.Shared.SFM.EKI
Behavior description: Detects whether Virtual PC is present
details: N/A
Behavior description: Sets special file attributes
details: C:\Documents and Settings\Administrator\Application Data\patch.exe
Behavior description: Searches for a specific kernel module (each loaded driver name is compared against ntice.sys)
details: lstrcmpiA: ntice.sys <------> ntkrnlpa.exe (ntice.sys)
lstrcmpiA: ntice.sys <------> hal.dll (ntice.sys)
lstrcmpiA: ntice.sys <------> KDCOM.DLL (ntice.sys)
lstrcmpiA: ntice.sys <------> BOOTVID.dll (ntice.sys)
lstrcmpiA: ntice.sys <------> ACPI.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> WMILIB.SYS (ntice.sys)
lstrcmpiA: ntice.sys <------> pci.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> isapnp.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> compbatt.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> BATTC.SYS (ntice.sys)
lstrcmpiA: ntice.sys <------> intelide.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> PCIIDEX.SYS (ntice.sys)
lstrcmpiA: ntice.sys <------> MountMgr.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> ftdisk.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> dmload.sys (ntice.sys)
Behavior description: Searches for windows of common anti-virus/analysis tools
details: NtUserFindWindowEx: [Class,Window] = [OLLYDBG,]
NtUserFindWindowEx: [Class,Window] = [GBDYLLO,]
NtUserFindWindowEx: [Class,Window] = [pediy06,]
NtUserFindWindowEx: [Class,Window] = [FilemonClass,]
NtUserFindWindowEx: [Class,Window] = [,File Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]
NtUserFindWindowEx: [Class,Window] = [,Process Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [RegmonClass,]
NtUserFindWindowEx: [Class,Window] = [,Registry Monitor - Sysinternals: www.sysinternals.com]

Process behavior

Behavior description: Creates a process from a newly written file
details: ImagePath = C:\Documents and Settings\Administrator\Application Data\patch.exe, CmdLine = "C:\Documents and Settings\Administrator\Application Data\\patch.exe"
Behavior description: Enumerates processes
details: N/A

File behavior

Behavior description: Opens file mappings with write access
details: CiceroSharedMemDefaultS-*
MSCTF.MarshalInterface.FileMap.EKI..JBLHH
MSCTF.MarshalInterface.FileMap.EKI.B.JBLHH
MSCTF.MarshalInterface.FileMap.EKI.C.JBLHH
MSCTF.MarshalInterface.FileMap.EKI.D.JBLHH
MSCTF.MarshalInterface.FileMap.EKI.E.JBLHH
MSCTF.MarshalInterface.FileMap.EKI.F.JBLHH
MSCTF.MarshalInterface.FileMap.EKI.G.JCLHH
MSCTF.Shared.SFM.EKI
Behavior description: Renames file
details: C:\Documents and Settings\Administrator\Application Data\patch.exe ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\490437\...\TemporaryFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\490437\... ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\490437\TemporaryFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\490687\... ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\490687\TemporaryFile
Behavior description: Sets special file attributes
details: C:\Documents and Settings\Administrator\Application Data\patch.exe
Behavior description: Creates executable file
details: C:\Documents and Settings\Administrator\Application Data\patch.exe
Behavior description: Searches for files
details: FileName = C:\Documents and Settings\Administrator\Application Data\patch.exe
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\490437\*.*
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\490437\TemporaryFile\*.*
FileName = C:\Documents and Settings\Administrator\Application Data\\patch.exe
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\490687\*.*
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\490687\TemporaryFile\*.*

Registry behavior

Behavior description: Modifies registry
details: \REGISTRY\MACHINE\SYSTEM\灰太狼工作室\CD-KEY
\REGISTRY\MACHINE\SYSTEM\灰太狼工作室\用户名
(Key names left as written: 灰太狼工作室 is a studio name, 用户名 means "username".)

Other behavior

Behavior description: Detects whether Virtual PC is present
details: N/A
Behavior description: Creates mutexes
details: RasPbFile
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.EKI
Behavior description: Inline hooks
details: C:\WINDOWS\system32\ntdll.dll--->LdrFindResource_U Offset = 0x0
C:\WINDOWS\system32\ntdll.dll--->LdrAccessResource Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->LoadStringA Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->LoadStringW Offset = 0x0
Behavior description: Searches for a specific window
details: NtUserFindWindowEx: [Class,Window] = [18467-41,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Enumerates windows
details: N/A
Behavior description: Attempts to open debugger or monitoring-software driver device objects
details: \??\SICE
\??\SIWVID
\??\NTICE
Behavior description: Window information
details: Pid = 2208, Hwnd=0x202ca, Text = 682dd06c78b1566:|:0:|:返回信息为A:|:返回信息为 B:|:1:|:15:|:0:|:http://:|:0:|:31536000:|:七夜:|:1:|:0.02:|:0:|::|:02- 28:|::|:1:|, ClassName = Edit. (Edit-control text left as logged; the Chinese fields read "return message is A", "return message is B" and the name 七夜.)
Pid = 2208, Hwnd=0x202c8, Text = 补码 ("complement code"), ClassName = Button.
Pid = 2208, Hwnd=0x202c4, Text = 截取 ("capture"), ClassName = Button.
Pid = 2208, Hwnd=0x302dc, Text = 窗口类名: ("Window class name:"), ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2208, Hwnd=0x202d4, Text = 窗口标题: ("Window title:"), ClassName = Afx:400000:b:10011:1900015:0.
Behavior description: Searches for a specific kernel module (each loaded driver name is compared against ntice.sys)
details: lstrcmpiA: ntice.sys <------> ntkrnlpa.exe (ntice.sys)
lstrcmpiA: ntice.sys <------> hal.dll (ntice.sys)
lstrcmpiA: ntice.sys <------> KDCOM.DLL (ntice.sys)
lstrcmpiA: ntice.sys <------> BOOTVID.dll (ntice.sys)
lstrcmpiA: ntice.sys <------> ACPI.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> WMILIB.SYS (ntice.sys)
lstrcmpiA: ntice.sys <------> pci.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> isapnp.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> compbatt.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> BATTC.SYS (ntice.sys)
lstrcmpiA: ntice.sys <------> intelide.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> PCIIDEX.SYS (ntice.sys)
lstrcmpiA: ntice.sys <------> MountMgr.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> ftdisk.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> dmload.sys (ntice.sys)
Behavior description: Searches for windows of common anti-virus/analysis tools
details: NtUserFindWindowEx: [Class,Window] = [OLLYDBG,]
NtUserFindWindowEx: [Class,Window] = [GBDYLLO,]
NtUserFindWindowEx: [Class,Window] = [pediy06,]
NtUserFindWindowEx: [Class,Window] = [FilemonClass,]
NtUserFindWindowEx: [Class,Window] = [,File Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]
NtUserFindWindowEx: [Class,Window] = [,Process Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [RegmonClass,]
NtUserFindWindowEx: [Class,Window] = [,Registry Monitor - Sysinternals: www.sysinternals.com]
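The report above records each check as a "Behavior description" line followed by one or more "details" lines. The Python below is an added example, not VirSCAN's or Habo's code: it parses that layout, flags the anti-analysis probes the sample performs (debugger and Sysinternals window classes, \??\ device objects for SoftICE, the loaded-driver comparison against ntice.sys, the Virtual PC probe) and extracts host IOCs (dropped files, registry keys, mutexes). The embedded excerpt is constructed from this report using the English labels on this page; the regexes, category names and function names are the example's own assumptions.

```python
# Added example (not VirSCAN/Habo code): parse a Habo-style behaviour report,
# flag the anti-analysis probes it records and pull out host IOCs.
# Labels are this page's English translations; regexes and names are assumptions.
import re
from collections import defaultdict

# Constructed excerpt of the report above, same "Behavior description / details" layout.
SAMPLE_REPORT = r"""Behavior description: Searches for windows of common anti-virus/analysis tools
details: NtUserFindWindowEx: [Class,Window] = [OLLYDBG,]
NtUserFindWindowEx: [Class,Window] = [,Process Monitor - Sysinternals: www.sysinternals.com]
Behavior description: Attempts to open debugger or monitoring-software driver device objects
details: \??\SICE
\??\NTICE
Behavior description: Searches for a specific kernel module
details: lstrcmpiA: ntice.sys <------> ntkrnlpa.exe (ntice.sys)
Behavior description: Detects whether Virtual PC is present
details: N/A
Behavior description: Creates a process from a newly written file
details: ImagePath = C:\Documents and Settings\Administrator\Application Data\patch.exe, CmdLine = "C:\Documents and Settings\Administrator\Application Data\\patch.exe"
Behavior description: Renames file
details: C:\Documents and Settings\Administrator\Application Data\patch.exe ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\490437\...\TemporaryFile
Behavior description: Modifies registry
details: \REGISTRY\MACHINE\SYSTEM\灰太狼工作室\CD-KEY
Behavior description: Creates mutexes
details: RasPbFile
"""

DESC_RE = re.compile(r"^Behavior description:\s*(.*)$")
DETAIL_RE = re.compile(r"^details:\s*(.*)$")
# Window classes probed in the report (debuggers and Sysinternals monitors).
ANALYSIS_WINDOW_CLASSES = {"OLLYDBG", "GBDYLLO", "pediy06", "FilemonClass",
                           "PROCMON_WINDOW_CLASS", "RegmonClass"}
# SoftICE device names the sample tries to open as \??\<name>.
SOFTICE_DEVICES = {"SICE", "SIWVID", "NTICE"}
WINDOW_RE = re.compile(r"\[Class,Window\] = \[([^,\]]*),([^\]]*)\]")
DEVICE_RE = re.compile(r"^\\\?\?\\(\w+)$")
MODULE_RE = re.compile(r"^lstrcmpiA:\s*(\S+)\s*<-+>\s*(\S+)")
# A drive-letter path, ending before ' ---> ', a comma, a quote or end of line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^,"]+?(?=\s*(?:--->|,|"|$))')


def parse_report(text):
    """Group the report into [{'behavior': str, 'details': [str, ...]}, ...]."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DESC_RE.match(line)
        if m:
            current = {"behavior": m.group(1), "details": []}
            entries.append(current)
            continue
        if current is None:
            continue  # text before the first behaviour header
        m = DETAIL_RE.match(line)
        value = m.group(1) if m else line  # continuation lines have no 'details:' prefix
        if value and value != "N/A":
            current["details"].append(value)
    return entries


def anti_analysis_indicators(entries):
    """Return sorted (technique, evidence) pairs for the anti-analysis checks seen."""
    hits = set()
    for e in entries:
        if "Virtual PC" in e["behavior"]:
            hits.add(("vm_probe", "Virtual PC"))
        for d in e["details"]:
            m = WINDOW_RE.search(d)
            if m:
                cls, title = m.group(1).strip(), m.group(2).strip()
                if cls in ANALYSIS_WINDOW_CLASSES or "Sysinternals" in title:
                    hits.add(("analysis_window", cls or title))
            m = DEVICE_RE.match(d)
            if m and m.group(1).upper() in SOFTICE_DEVICES:
                hits.add(("softice_device", m.group(1)))
            m = MODULE_RE.match(d)
            if m and m.group(1).lower() == "ntice.sys":
                hits.add(("kernel_module_probe", m.group(1)))
    return sorted(hits)


def extract_iocs(entries):
    """Collect registry keys, file paths and mutex names as sorted lists."""
    iocs = defaultdict(set)
    for e in entries:
        for d in e["details"]:
            if d.startswith("\\REGISTRY\\"):
                iocs["registry"].add(d)
                continue
            paths = PATH_RE.findall(d)
            if paths:
                for p in paths:  # collapse the doubled '\\' seen in the CmdLine form
                    iocs["file"].add(re.sub(r"\\{2,}", r"\\", p))
            elif "mutex" in e["behavior"].lower():
                iocs["mutex"].add(d)
    return {k: sorted(v) for k, v in iocs.items()}


def triage(text):
    """One-shot summary: anti-analysis techniques plus IOCs for a report text."""
    entries = parse_report(text)
    return {"anti_analysis": anti_analysis_indicators(entries),
            "iocs": extract_iocs(entries)}
```

Call `triage(SAMPLE_REPORT)` to get the anti-analysis findings and IOCs for the excerpt; to triage another Habo report, paste its translated text in place of SAMPLE_REPORT. The window-class list is taken from this report only, so extend it before reusing the script on other samples, and treat the MSCTF/CTF mutex and file-mapping names in the report as Windows text-services noise rather than sample-specific IOCs.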