VirSCAN
File information
Safety rating: 80
Behavior list
Basic Information
MD5: 10b0f3bf903256eb7fcdc9597a7347f5
File type: Nsis
Production company: 火绒博锐(北京)科技有限公司
Version: 3.0.0.9---3.0.0.9
Shell or compiler information:
Subfile information: main.ui / d7973f7575d5838df78123462fb729bf / zip
HipsTray.exe / 5823d708a2465f27aa9cc3fe473ff804 / EXE
HipsMain.exe / 70ecc547257fe0c94849938769561d2a / EXE
uninst.exe / a4ad0f339158da285736580c08bd54f3 / Nsis
libvxf.vds / 8f0445c9e92a5153dd2e268c1114eb55 / Unknown
libcodecs.dll / 3560576430e60af62c9ebd99417c99e8 / DLL
hwl.db / 3f0ee60615482d030117a3e354fd7d66 / Unknown
HipsDB.dll / 061765fdd06f4b2b643127836bbe00b2 / DLL
configui.dll / eeefdde76c7d909c3dc14fe68f9f243f / DLL
libdb_sqlite.dll / 88c9c261915605c60705f6babdb72ca4 / DLL
libxscore.bundle / 4ee94bf5be7e06120afde34aeac3203b / Unknown
libxsse.dll / d53fb373507e4e35f7ebab441adbc597 / DLL
DuiLib.dll / 0b6f9a1c36c6772eeb2bf034f2692bcb / DLL
prop.db / b457807275dac5f5008263a2854e204d / Unknown
libcurl.dll / c1b89c57113fa77ae70af6fff5ddc6e7 / DLL
usysdiag.dll / 3f4efa4cb228bb87749c7e3052fca8f6 / DLL
pset.db / a4408ed604dc90baecaf6cde9d1b42a4 / Unknown
troj.db / 4d79617a4157c34c21f3f7700cb00337 / Unknown
popup.ui / 77d4858af35e7367a7b79a73282be7a5 / zip
Key behavior
Behavior description: Hide specified window
Details: [Window,Class] = [,Button]
Behavior description: Load driver (normal method)
Details: system32\DRIVERS\sysdiag.sys
Behavior description: Create desktop shortcut
Details: C:\Documents and Settings\All Users\桌面\火绒安全软件.lnk
Behavior description: Stop system service
Details: ServiceName = Huorong Network Security Daemon
Behavior description: Open file mapping with write access
Details: CiceroSharedMemDefaultS-*
MSCTF.MarshalInterface.FileMap.ECP..NOEIH
MSCTF.MarshalInterface.FileMap.ECP.B.NOEIH
MSCTF.MarshalInterface.FileMap.ECP.C.NOEIH
MSCTF.MarshalInterface.FileMap.ECP.D.NOEIH
MSCTF.MarshalInterface.FileMap.ECP.E.NOEIH
MSCTF.MarshalInterface.FileMap.ECP.F.NOEIH
MSCTF.MarshalInterface.FileMap.ECP.G.NOEIH
MSCTF.Shared.SFM.ECP
MSCTF.MarshalInterface.FileMap.ECP.H.BJKMH
MSCTF.MarshalInterface.FileMap.ECP.I.BJKMH
MSCTF.MarshalInterface.FileMap.ECP.J.BJKMH
MSCTF.MarshalInterface.FileMap.ECP.K.BJKMH
MSCTF.MarshalInterface.FileMap.ECP.L.BJKMH
MSCTF.MarshalInterface.FileMap.ECP.M.BJKMH
Behavior description: Resolve host address by name
Details: update.huorong.cn
Behavior description: Create system service
Details: [服务创建成功]: HipsDaemon, "C:\Program Files\Huorong\Sysdiag\bin\HipsDaemon.exe" -sHipsDaemon
Behavior description: Modify registry: startup items
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sysdiag
Process behavior
Behavior description: Create process with hidden window
Details: ImagePath = , CmdLine = "c:\docume~1\admini~1\locals~1\temp\nsc6.tmp\ns8.tmp" regsvr32 /s "c:\program files\huorong\sysdiag\bin\hrshell.dll"
ImagePath = , CmdLine = "c:\docume~1\admini~1\locals~1\temp\nsc6.tmp\ns9.tmp" sc create hipsdaemon binpath= "\"c:\program files\huorong\sysdiag\bin\hipsdaemon.exe\" -shipsdaemon"
ImagePath = , CmdLine = "c:\docume~1\admini~1\locals~1\temp\nsc6.tmp\nsa.tmp" sc config hipsdaemon binpath= "\"c:\program files\huorong\sysdiag\bin\hipsdaemon.exe\" -shipsdaemon" type= own type= interact start= auto group= base displayname= "huorong network se
ImagePath = , CmdLine = "c:\docume~1\admini~1\locals~1\temp\nsc6.tmp\nsb.tmp" sc description hipsdaemon "huorong network security daemon"
ImagePath = , CmdLine = "c:\docume~1\admini~1\locals~1\temp\nsc6.tmp\nsc.tmp" net start hipsdaemon
Behavior description: Create process
Details: ImagePath = C:\WINDOWS\system32\regsvr32.exe, CmdLine = regsvr32 /s "C:\Program Files\Huorong\Sysdiag\bin\HRShell.dll"
ImagePath = C:\WINDOWS\system32\sc.exe, CmdLine = sc create HipsDaemon binpath= "\"C:\Program Files\Huorong\Sysdiag\bin\HipsDaemon.exe\" -sHipsDaemon"
ImagePath = C:\WINDOWS\system32\sc.exe, CmdLine = sc config HipsDaemon binpath= "\"C:\Program Files\Huorong\Sysdiag\bin\HipsDaemon.exe\" -sHipsDaemon" type= own type= interact start= auto group= Base DisplayName= "Huorong Network Security Daemon"
ImagePath = C:\WINDOWS\system32\sc.exe, CmdLine = sc description HipsDaemon "Huorong Network Security Daemon"
ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net start HipsDaemon
ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 start HipsDaemon
Behavior description: Create process from newly created file
Details: ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsc6.tmp\ns8.tmp, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsc6.tmp\ns8.tmp" regsvr32 /s "C:\Program Files\Huorong\Sysdiag\bin\HRShell.dll"
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsc6.tmp\ns9.tmp, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsc6.tmp\ns9.tmp" sc create HipsDaemon binpath= "\"C:\Program Files\Huorong\Sysdiag\bin\HipsDaemon.exe\" -sHipsDaemon"
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsc6.tmp\nsA.tmp, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsc6.tmp\nsA.tmp" sc config HipsDaemon binpath= "\"C:\Program Files\Huorong\Sysdiag\bin\HipsDaemon.exe\" -sHipsDaemon" type= own type= interact start
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsc6.tmp\nsB.tmp, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsc6.tmp\nsB.tmp" sc description HipsDaemon "Huorong Network Security Daemon"
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsc6.tmp\nsC.tmp, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsc6.tmp\nsC.tmp" net start HipsDaemon
ImagePath = C:\Program Files\Huorong\Sysdiag\bin\HipsDaemon.exe, CmdLine = "C:\Program Files\Huorong\Sysdiag\bin\HipsDaemon.exe" -sHipsDaemon
ImagePath = C:\Program Files\Huorong\Sysdiag\bin\HipsTray.exe, CmdLine = "C:\Program Files\Huorong\Sysdiag\bin\HipsTray.exe"
ImagePath = C:\Program Files\Huorong\Sysdiag\bin\HRUpdate.exe, CmdLine = "C:\Program Files\Huorong\Sysdiag\bin\HRUpdate.exe" /inst
Behavior description: Enumerate processes
Details: N/A
File behavior
Behavior description: Drop links or shortcuts in sensitive system locations (such as the Start menu)
Details: C:\Documents and Settings\All Users\「开始」菜单\程序\火绒安全实验室\Sysdiag\火绒安全软件.lnk
C:\Documents and Settings\All Users\「开始」菜单\程序\火绒安全实验室\Sysdiag\火绒日志.lnk
C:\Documents and Settings\All Users\「开始」菜单\程序\火绒安全实验室\Sysdiag\卸载火绒.lnk
Behavior description: Create executable file
Details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsc6.tmp\DuiLib.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsc6.tmp\installer-helper.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsc6.tmp\AccessControl.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsc6.tmp\System.dll
C:\Program Files\Huorong\Sysdiag\bin\uactmon.dll
C:\Program Files\Huorong\Sysdiag\bin\usysdiag.dll
C:\Program Files\Huorong\Sysdiag\bin\daemon.dll
C:\Program Files\Huorong\Sysdiag\bin\behavior.dll
C:\Program Files\Huorong\Sysdiag\bin\usysdiag.exe
C:\WINDOWS\system32\drivers\sysdiag.sys
C:\WINDOWS\system32\drivers\hrfwdrv.sys
C:\WINDOWS\system32\drivers\hrwfpdrv.sys
C:\WINDOWS\system32\dtrampo.dll
C:\Program Files\Huorong\Sysdiag\bin\HipsDaemon.exe
C:\Program Files\Huorong\Sysdiag\bin\HipsDB.dll
Behavior description: Search for files
Details: FileName = C:\DOCUME~1
FileName = C:\Documents and Settings\ADMINI~1
FileName = C:\Documents and Settings\Administrator\LOCALS~1
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsc6.tmp
FileName = \uninst.exe
FileName = C:\WINDOWS\system32\drivers\sysdiag.sys
FileName = C:\WINDOWS\system32\drivers\hrfwdrv.sys
FileName = C:\WINDOWS\system32\drivers\hrwfpdrv.sys
FileName = C:\WINDOWS\System32\dtrampo.dll
FileName = C:\Program Files\Huorong\Sysdiag\bin\HRShell.dll
FileName = C:\Program Files\Huorong\Sysdiag\bin\HRShell-x64.dll
FileName = C:\Program Files\Huorong\Sysdiag\bin\upgrade.dll
FileName = C:\Program Files\Huorong\Sysdiag\bin\libcurl.dll
Behavior description: Create desktop shortcut
Details: C:\Documents and Settings\All Users\桌面\火绒安全软件.lnk
Behavior description: Open file mapping with write access
Details: CiceroSharedMemDefaultS-*
MSCTF.MarshalInterface.FileMap.ECP..NOEIH
MSCTF.MarshalInterface.FileMap.ECP.B.NOEIH
MSCTF.MarshalInterface.FileMap.ECP.C.NOEIH
MSCTF.MarshalInterface.FileMap.ECP.D.NOEIH
MSCTF.MarshalInterface.FileMap.ECP.E.NOEIH
MSCTF.MarshalInterface.FileMap.ECP.F.NOEIH
MSCTF.MarshalInterface.FileMap.ECP.G.NOEIH
MSCTF.Shared.SFM.ECP
MSCTF.MarshalInterface.FileMap.ECP.H.BJKMH
MSCTF.MarshalInterface.FileMap.ECP.I.BJKMH
MSCTF.MarshalInterface.FileMap.ECP.J.BJKMH
MSCTF.MarshalInterface.FileMap.ECP.K.BJKMH
MSCTF.MarshalInterface.FileMap.ECP.L.BJKMH
MSCTF.MarshalInterface.FileMap.ECP.M.BJKMH
Behavior description: Modify file contents
Details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsc6.tmp\inst.ui---> Offset = 49152
C:\Program Files\Huorong\Sysdiag\VERSION---> Offset = 0
C:\Program Files\Huorong\Sysdiag\bin\main.ui---> Offset = 49152
C:\Program Files\Huorong\Sysdiag\bin\log.ui---> Offset = 16384
C:\Program Files\Huorong\Sysdiag\bin\popup.ui---> Offset = 49152
C:\Program Files\Huorong\Sysdiag\bin\update.ui---> Offset = 16384
C:\Program Files\Huorong\Sysdiag\bin\libxscore.bundle---> Offset = 49152
C:\Program Files\Huorong\Sysdiag\bin\libvxf.vdl---> Offset = 49152
C:\Program Files\Huorong\Sysdiag\bin\libvxf.vds---> Offset = 49152
C:\Program Files\Huorong\Sysdiag\bin\libvxf.dat---> Offset = 0
C:\Program Files\Huorong\Sysdiag\bin\libvxf.tdl---> Offset = 49152
C:\Program Files\Huorong\Sysdiag\LICENSE.3rd---> Offset = 0
C:\Program Files\Huorong\Sysdiag\LICENSE.libcodecs---> Offset = 0
C:\Program Files\Huorong\Sysdiag\LICENSE.libdt---> Offset = 0
C:\Documents and Settings\All Users\Application Data\Huorong\Sysdiag\db\hips.db---> Offset = 0
Network behavior
Behavior description: Establish connection to a specified socket
Details: 110.110.110.110:80
Behavior description: Resolve host address by name
Details: update.huorong.cn
Registry behavior
Behavior description: Modify registry
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\sysdiag\DebugLevel
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\sysdiag\DependOnService
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\sysdiag\ErrorControl
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\sysdiag\Type
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\sysdiag\Tag
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\sysdiag\Group
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\sysdiag\DisplayName
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\sysdiag\Description
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\sysdiag\Instances\DefaultInstance
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\sysdiag\Instances\sysdiag\Altitude
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\sysdiag\Instances\sysdiag\Flags
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\hrfwdrv\ErrorControl
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\hrfwdrv\Type
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\hrfwdrv\Tag
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\hrfwdrv\Group
Behavior description: Delete registry value
Details: \REGISTRY\USER\S-*\Software\Huorong\Sysdiag\cid
Behavior description: Modify registry: service entries
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\sysdiag\Start
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\sysdiag\ImagePath
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\hrfwdrv\Start
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\hrfwdrv\ImagePath
Behavior description: Modify registry: system context menu
Details: \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\HRShell\
\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\HRShell\
Behavior description: Modify registry: startup items
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sysdiag
Other behavior
Behavior description: Set object security information
Details: MACHINE\Software\Huorong\Sysdiag\app
MACHINE\Software\Huorong\Sysdiag\app\ActionBlock
MACHINE\Software\Huorong\Sysdiag\app\AdFilter
MACHINE\Software\Huorong\Sysdiag\app\AntiArp
MACHINE\Software\Huorong\Sysdiag\app\AppControl
MACHINE\Software\Huorong\Sysdiag\app\AppNet
MACHINE\Software\Huorong\Sysdiag\app\AutoStart
MACHINE\Software\Huorong\Sysdiag\app\Behavior
MACHINE\Software\Huorong\Sysdiag\app\IpFilter
MACHINE\Software\Huorong\Sysdiag\app\UserFile
MACHINE\Software\Huorong\Sysdiag\app\UserReg
MACHINE\Software\Huorong\Sysdiag\app\Monitor
MACHINE\Software\Huorong\Sysdiag\app\Scan
MACHINE\Software\Huorong\Sysdiag\app\Safe
MACHINE\Software\Huorong\Sysdiag\app\Maintain
Behavior description: Create mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.ECP
SHIMLIB_LOG_MUTEX
Global\Huorong::HipsMonServer
hr_update
hr_tray
Behavior description: Hide specified window
Details: [Window,Class] = [,Button]
Behavior description: Load driver (normal method)
Details: system32\DRIVERS\sysdiag.sys
Behavior description: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [#32770,]
NtUserFindWindowEx: [Class,Window] = [SysListView32,]
Behavior description: Start system service
Details: [服务启动成功]: LocalSystem, Huorong Network Security Daemon, "C:\Program Files\Huorong\Sysdiag\bin\HipsDaemon.exe" -sHipsDaemon
Behavior description: Acquire system privileges
Details: SE_LOAD_DRIVER_PRIVILEGE
SE_DEBUG_PRIVILEGE
Behavior description: Get TickCount value
Details: TickCount = 516912, SleepMilliseconds = 100.
TickCount = 517240, SleepMilliseconds = 100.
TickCount = 517412, SleepMilliseconds = 100.
TickCount = 517740, SleepMilliseconds = 100.
TickCount = 517787, SleepMilliseconds = 100.
TickCount = 518115, SleepMilliseconds = 100.
TickCount = 518131, SleepMilliseconds = 100.
TickCount = 518146, SleepMilliseconds = 100.
TickCount = 518240, SleepMilliseconds = 100.
TickCount = 518256, SleepMilliseconds = 100.
TickCount = 518271, SleepMilliseconds = 100.
TickCount = 518412, SleepMilliseconds = 100.
TickCount = 518428, SleepMilliseconds = 100.
TickCount = 518693, SleepMilliseconds = 100.
TickCount = 518709, SleepMilliseconds = 100.
Behavior description: Window information
Details: Pid = 3588, Hwnd=0x302ba, Text = 火绒安全软件安装, ClassName = ATL:00E31720.
Behavior description: Stop system service
Details: ServiceName = Huorong Network Security Daemon
Behavior description: Create system service
Details: [服务创建成功]: HipsDaemon, "C:\Program Files\Huorong\Sysdiag\bin\HipsDaemon.exe" -sHipsDaemon