VirSCAN


File information
Security score: 88
Basic information
MD5:475ef4a5489e03b272030d18b903e91f
File type: EXE
Publisher:
Version: 0.0.0.19
Packer/compiler info: COMPILER:Wise Installer stub [Overlay]
Key behaviors
Behavior: Creates a file on the desktop
Details: C:\Documents and Settings\Administrator\桌面\训练预约系统.lnk
Process behavior
Behavior: Creates a local thread
Details: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 3140, StartAddress = 00C71CB0, Parameter = 00C740B0
Behavior: Creates a process from a newly created file
Details: [0x00000d94]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\GLJ4.tmp, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\GLJ4.tmp" C:\Program Files\普洱市考试中心训练预约系统\gregn50.dll
[0x00000e00]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\GLJ4.tmp, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\GLJ4.tmp" C:\Program Files\普洱市考试中心训练预约系统\libcurl.dll
[0x00000e0c]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\GLJ4.tmp, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\GLJ4.tmp" C:\Program Files\普洱市考试中心训练预约系统\libpq.dll
[0x00000e14]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\GLJ4.tmp, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\GLJ4.tmp" C:\Program Files\普洱市考试中心训练预约系统\Report.dll
File behavior
Behavior: Creates files
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\GLC3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\GLJ4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\GLK5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\GLB6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\GLG7.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\GLF8.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~GLH0000.TMP
C:\WINDOWS\system32\GLBSINST.%$D
C:\Program Files\普洱市考试中心训练预约系统\~GLH0001.TMP
C:\Program Files\普洱市考试中心训练预约系统\~GLH0002.TMP
C:\Program Files\普洱市考试中心训练预约系统\~GLH0003.TMP
C:\Program Files\普洱市考试中心训练预约系统\temp.000
C:\WINDOWS\system32\~GLH0005.TMP
C:\WINDOWS\system32\temp.000
C:\WINDOWS\system32\~GLH0007.TMP
Behavior: Drops links or shortcuts in sensitive system locations (e.g. the Start menu)
Details: C:\Documents and Settings\Administrator\「开始」菜单\程序\普洱市考试中心训练预约系统\训练预约系统.lnk
C:\Documents and Settings\Administrator\「开始」菜单\程序\普洱市考试中心训练预约系统\卸载普洱市考试中心训练预约系统.lnk
Behavior: Creates executable files
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\GLC3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\GLJ4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\GLK5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~GLH0000.TMP
C:\Program Files\普洱市考试中心训练预约系统\~GLH0001.TMP
C:\Program Files\普洱市考试中心训练预约系统\~GLH0003.TMP
C:\Program Files\普洱市考试中心训练预约系统\temp.000
C:\WINDOWS\system32\~GLH0005.TMP
C:\WINDOWS\system32\temp.000
C:\WINDOWS\system32\~GLH0007.TMP
C:\WINDOWS\system32\~GLH0009.TMP
C:\Program Files\普洱市考试中心训练预约系统\BACKUP\MFC71.dll
C:\WINDOWS\system32\~GLH000a.TMP
C:\Program Files\普洱市考试中心训练预约系统\BACKUP\msvcp71.dll
C:\WINDOWS\system32\~GLH000b.TMP
Behavior: Overwrites existing files
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\GLC3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\GLJ4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\GLK5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\GLG7.tmp
Behavior: Searches for files
Details: FileName = C:\DOCUME~1
FileName = C:\Documents and Settings\ADMINI~1
FileName = C:\Documents and Settings\Administrator\LOCALS~1
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\GLF8.tmp
FileName = C:\Program Files
FileName = C:\Program Files\普洱市考试中心训练预约系统
FileName = C:\Program Files\普洱市考试中心训练预约系统\UNWISE.EXE
FileName = C:\PROGRA~1\普洱市考试中心训练预约系统
FileName = C:\PROGRA~1\普洱市~1\UNWISE.EXE
FileName = C:\PROGRA~1\普洱市~1\INSTALL.LOG
FileName = C:\Program Files\普洱市考试中心训练预约系统\AutoUpdate.exe.manifest
FileName = C:\PROGRA~1\普洱市~1\AutoUpdate.exe.manifest
FileName = C:\PROGRA~1
FileName = C:\Program Files\普洱市~1
Behavior: Copies files
Details: C:\Documents and Settings\Administrator\「开始」菜单\程序\普洱市考试中心训练预约系统\训练预约系统.lnk ---> C:\Program Files\普洱市考试中心训练预约系统\BACKUP\训练预约系统.lnk
C:\Documents and Settings\Administrator\桌面\训练预约系统.lnk ---> C:\Program Files\普洱市考试中心训练预约系统\BACKUP\训练预约系统.lnk
C:\Documents and Settings\Administrator\「开始」菜单\程序\普洱市考试中心训练预约系统\卸载普洱市考试中心训练预约系统.lnk ---> C:\Program Files\普洱市考试中心训练预约系统\BACKUP\卸载普洱市考试中心训练预约系统.lnk
Behavior: Deletes files
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\GLB6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\GLF8.tmp
C:\WINDOWS\system32\GLBSINST.%$D
C:\Program Files\普洱市考试中心训练预约系统\~GLH0003.TMP
C:\WINDOWS\system32\~GLH0005.TMP
C:\WINDOWS\system32\~GLH0007.TMP
C:\WINDOWS\system32\mfc71.dll
C:\WINDOWS\system32\~GLH0009.TMP
C:\WINDOWS\system32\msvcp71.dll
C:\WINDOWS\system32\~GLH000a.TMP
C:\WINDOWS\system32\msvcr71.dll
C:\WINDOWS\system32\~GLH000b.TMP
C:\Program Files\普洱市考试中心训练预约系统\~GLH000d.TMP
C:\Program Files\普洱市考试中心训练预约系统\~GLH000f.TMP
C:\Program Files\普洱市考试中心训练预约系统\~GLH0011.TMP
Behavior: Creates a file on the desktop
Details: C:\Documents and Settings\Administrator\桌面\训练预约系统.lnk
Behavior: Renames files
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\~GLH0000.TMP ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\GLF8.tmp
C:\Program Files\普洱市考试中心训练预约系统\~GLH0001.TMP ---> C:\Program Files\普洱市考试中心训练预约系统\UNWISE.EXE
C:\Program Files\普洱市考试中心训练预约系统\~GLH0002.TMP ---> C:\Program Files\普洱市考试中心训练预约系统\AutoUpdate.exe.manifest
C:\Program Files\普洱市考试中心训练预约系统\temp.000 ---> C:\PROGRA~1\普洱市~1\~GLH0004.TMP
C:\Program Files\普洱市考试中心训练预约系统\~GLH0004.TMP ---> C:\PROGRA~1\普洱市~1\AutoUpdate.exe
C:\WINDOWS\system32\temp.000 ---> C:\WINDOWS\system32\~GLH0006.TMP
C:\WINDOWS\system32\~GLH0006.TMP ---> C:\WINDOWS\system32\BCGCBPRO221071.dll
C:\WINDOWS\system32\temp.000 ---> C:\WINDOWS\system32\~GLH0008.TMP
C:\WINDOWS\system32\~GLH0008.TMP ---> C:\WINDOWS\system32\BCGPStyle2010White2210.dll
C:\WINDOWS\system32\temp.000 ---> C:\WINDOWS\system32\mfc71.dll
C:\WINDOWS\system32\temp.000 ---> C:\WINDOWS\system32\msvcp71.dll
C:\WINDOWS\system32\temp.000 ---> C:\WINDOWS\system32\msvcr71.dll
C:\Program Files\普洱市考试中心训练预约系统\~GLH000c.TMP ---> C:\Program Files\普洱市考试中心训练预约系统\Config.xml
C:\Program Files\普洱市考试中心训练预约系统\temp.000 ---> C:\PROGRA~1\普洱市~1\~GLH000e.TMP
C:\Program Files\普洱市考试中心训练预约系统\~GLH000e.TMP ---> C:\PROGRA~1\普洱市~1\gregn50.dll
Behavior: Modifies file contents
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\GLC3.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\GLC3.tmp ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\Temp\GLC3.tmp ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\GLC3.tmp ---> Offset = 98304
C:\Documents and Settings\Administrator\Local Settings\Temp\GLC3.tmp ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\GLJ4.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\GLK5.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\GLK5.tmp ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\Temp\GLG7.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~GLH0000.TMP ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\GLG7.tmp ---> Offset = 208
C:\Program Files\普洱市考试中心训练预约系统\~GLH0001.TMP ---> Offset = 0
C:\Program Files\普洱市考试中心训练预约系统\~GLH0001.TMP ---> Offset = 32768
C:\Program Files\普洱市考试中心训练预约系统\~GLH0001.TMP ---> Offset = 65536
C:\Program Files\普洱市考试中心训练预约系统\~GLH0001.TMP ---> Offset = 98304
Registry behavior
Behavior: Modifies the registry
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\普洱市考试中心训练预约系统\DisplayName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\普洱市考试中心训练预约系统\UninstallString
\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{715CBE0F-4F50-46EF-B009-CACED3A5C868}\
\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\gregn50.DLL\AppID
\REGISTRY\MACHINE\SOFTWARE\Classes\grpro.GRDisplayViewer.5\
\REGISTRY\MACHINE\SOFTWARE\Classes\grpro.GRDisplayViewer.5\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\grpro.GRDisplayViewer\
\REGISTRY\MACHINE\SOFTWARE\Classes\grpro.GRDisplayViewer\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\grpro.GRDisplayViewer\CurVer\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{613F3AE0-D4EB-4F9F-B750-576C09700351}\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{613F3AE0-D4EB-4F9F-B750-576C09700351}\ProgID\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{613F3AE0-D4EB-4F9F-B750-576C09700351}\VersionIndependentProgID\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{613F3AE0-D4EB-4F9F-B750-576C09700351}\InprocServer32\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{613F3AE0-D4EB-4F9F-B750-576C09700351}\InprocServer32\ThreadingModel
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{613F3AE0-D4EB-4F9F-B750-576C09700351}\AppID
Other behavior
Behavior: Creates mutexes
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
MSCTF.Shared.MUTEX.MFK
Behavior: Creates event objects
Details: EventName = DINPUTWINMM
EventName = MSCTF.SendReceive.Event.MFK.IC
EventName = MSCTF.SendReceiveConection.Event.MFK.IC
EventName = Global\userenv: User Profile setup event
Behavior: Searches for specified windows
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior: Opens events
Details: HookSwitchHookEnabledEvent
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
_fCanRegisterWithShellService
Global\SvcctrlStartEvent_A3752DX
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000011
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000011
Behavior: Adjusts process token privileges
Details: SE_LOAD_DRIVER_PRIVILEGE
Behavior: Window information
Details: Pid = 2648, Hwnd=0x10344, Text = 普洱市考试中心训练预约系统 安装, ClassName = GLBSInstall.
Pid = 2648, Hwnd=0x3034a, Text = 下一步(&N) >, ClassName = Button.
Pid = 2648, Hwnd=0x1038c, Text = 取消, ClassName = Button.
Pid = 2648, Hwnd=0x10390, Text = 欢迎使用“普洱市考试中心训练预约系统”安装程序。本程序将安装“普洱市考试中心训练预约系统”到您的计算机中。, ClassName = Static.
Pid = 2648, Hwnd=0x10392, Text = 强烈建议您在运行本安装程序前退出其他所有正在运行的程序。 单击“取消”按钮可以退出安装程序以关闭其他正在运行的程序,或者单击“下一步”按钮继续安装程序。 警告:本计算机程序受版权法和国际条约保护。 未经授权复制或散播本计算机程序或其中的一部分,将受到严厉的民事或刑事处罚,并将在法律许可的范围内受到最大可能的起诉。, ClassName = Static.
Pid = 2648, Hwnd=0x3038a, Text = 普洱市考试中心训练预约系统, ClassName = GLBSWizard.
Pid = 2648, Hwnd=0x10340, Text = 普洱市考试中心训练预约系统 安装, ClassName = GLBSInstall.
Pid = 2648, Hwnd=0x20394, Text = 下一步(&N) >, ClassName = Button.
Pid = 2648, Hwnd=0x20392, Text = < 上一步(&B), ClassName = Button.
Pid = 2648, Hwnd=0x20390, Text = 取消, ClassName = Button.
Pid = 2648, Hwnd=0x2038c, Text = 本安装程序将安装“普洱市考试中心训练预约系统”到下边的目录中。 若想安装到不同的目录,请单击“浏览”按钮,并选择另外的目录。 您可以选择“取消”按钮退出安装程序从而不安装“普洱市考试中心训练预约系统”。, ClassName = Static.
Pid = 2648, Hwnd=0x4034a, Text = 目标目录, ClassName = Button(GroupBox).
Pid = 2648, Hwnd=0x20396, Text = 浏览(&R)..., ClassName = Button.
Pid = 2648, Hwnd=0x10398, Text = C:\Program Files\普洱市考试中心训练预约系统, ClassName = Static.
Pid = 2648, Hwnd=0x1039a, Text = 请选择目标目录, ClassName = Static.
Behavior: Executable file signature information
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\GLC3.tmp (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\GLJ4.tmp (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\GLK5.tmp (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\~GLH0000.TMP (signature verification: failed)
C:\Program Files\普洱市考试中心训练预约系统\~GLH0001.TMP (signature verification: failed)
C:\Program Files\普洱市考试中心训练预约系统\~GLH0003.TMP (signature verification: failed)
C:\Program Files\普洱市考试中心训练预约系统\temp.000 (signature verification: failed)
C:\WINDOWS\system32\~GLH0005.TMP (signature verification: failed)
C:\WINDOWS\system32\temp.000 (signature verification: failed)
C:\WINDOWS\system32\~GLH0007.TMP (signature verification: failed)
C:\WINDOWS\system32\~GLH0009.TMP (signature verification: failed)
C:\Program Files\普洱市考试中心训练预约系统\BACKUP\MFC71.dll (signature verification: failed)
C:\WINDOWS\system32\~GLH000a.TMP (signature verification: failed)
C:\Program Files\普洱市考试中心训练预约系统\BACKUP\msvcp71.dll (signature verification: failed)
C:\WINDOWS\system32\~GLH000b.TMP (signature verification: failed)
Behavior: Hides specified windows
Details: [Window,Class] = [ ,GLBSInstall]
[Window,Class] = [,Static]
[Window,Class] = [普洱市考试中心训练预约系统,#32770]
Behavior: Executable file MD5 hashes
Behavior: Opens mutexes
Details: ShimCacheMutex
Behavior: Loads newly dropped files
Details: Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\GLC3.tmp.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\GLK5.tmp.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\GLF8.tmp.
Image: C:\Program Files\普洱市考试中心训练预约系统\gregn50.dll.
Image: C:\Program Files\普洱市考试中心训练预约系统\libcurl.dll.
Image: C:\WINDOWS\system32\msvcr71.dll.
Image: C:\Program Files\普洱市考试中心训练预约系统\libpq.dll.
Image: C:\Program Files\普洱市考试中心训练预约系统\Report.dll.
Image: C:\WINDOWS\system32\mfc71.dll.