VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but an archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives if the password is 'infected' or 'virus'.


File information
Safety rating:81
Behavior list
Basic Information
MD5:1c367fe3cf97da1f8b245cb8a790016f
File type:EXE
Vendor:Bitsum LLC
Version:8.9.8.52---8.9.8.52
Packer or compiler information:COMPILER:NSIS
Subfile information:LangDLL.dll / d41d8cd98f00b204e9800998ecf8427e / Unknown
Note: d41d8cd98f00b204e9800998ecf8427e is the MD5 of zero-length input, so the static extractor produced an empty LangDLL.dll and this hash says nothing about the embedded DLL. The copy actually dropped at run time hashes to a1cd3f159ef78d9ace162f067b544fd9 (see "Executable MD5" in the behavior list).
Process behavior
Behavior description:Creates a new process from a file
details:[0x00000a6c]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~nsu.tmp\Au_.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~nsu.tmp\Au_.exe" _?=C:\Documents and Settings\Administrator\Local Settings\%temp%\
Note: this is the standard NSIS uninstaller launch. The uninstaller copies itself to %TEMP%\~nsu.tmp\Au_.exe and runs the copy with _?= set to the directory the original was run from (which NSIS treats as the install directory), so the original can be removed while the copy is running. Here that directory is the sandbox's own Temp folder, i.e. the sample was executed from Temp rather than from an installed location.
File behavior
Behavior description:Creates files
details:C:\Documents and Settings\Administrator\Local Settings\Temp\nsr3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsg4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~nsu.tmp\Au_.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nss5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsi6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsy7.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsy7.tmp\LangDLL.dll
C:\WINDOWS\wininit.ini
Behavior description:Creates executable files
details:C:\Documents and Settings\Administrator\Local Settings\Temp\~nsu.tmp\Au_.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsy7.tmp\LangDLL.dll
Behavior description:Overwrites existing files
details:C:\Documents and Settings\Administrator\Local Settings\Temp\nsg4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsi6.tmp
Behavior description:Copies files
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~nsu.tmp\Au_.exe
Behavior description:Deletes files
details:C:\Documents and Settings\Administrator\Local Settings\Temp\nsr3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsg4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nss5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsi6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsy7.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsy7.tmp\LangDLL.dll
Behavior description:Searches for files
details:FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~nsu.tmp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~nsu.tmp\Au_.exe
FileName = C:\Documents and Settings\ADMINI~1
FileName = C:\Documents and Settings\Administrator\LOCALS~1
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\~nsu.tmp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator
Behavior description:Modifies file contents
details:C:\Documents and Settings\Administrator\Local Settings\Temp\nsg4.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nsg4.tmp ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\Temp\nsg4.tmp ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\~nsu.tmp\Au_.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~nsu.tmp\Au_.exe ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\~nsu.tmp\Au_.exe ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\~nsu.tmp\Au_.exe ---> Offset = 4096
C:\Documents and Settings\Administrator\Local Settings\Temp\nsi6.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nsi6.tmp ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\Temp\nsi6.tmp ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\nsy7.tmp\LangDLL.dll ---> Offset = 0
C:\WINDOWS\wininit.ini ---> Offset = 0
Registry behavior
Behavior description:Modifies registry: pending file rename entry
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Session Manager\PendingFileRenameOperations
Note: together with the C:\WINDOWS\wininit.ini write listed under file behavior, this is how NSIS schedules deletion of the Temp\~nsu.tmp\Au_.exe copy on the next reboot (PendingFileRenameOperations on NT-family Windows, wininit.ini on Windows 9x). Both locations are also classic tamper and persistence spots, so the entries written are worth checking against the expected Au_.exe path.
Other behavior
Behavior description:Creates mutexes
details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
MSCTF.Shared.MUTEX.AHK
Behavior description:Hides specified windows
details:[Window,Class] = [,ComboLBox]
[Window,Class] = [,Button]
Behavior description:Searches for specified windows
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [#32770,]
Behavior description:Opens events
details:HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Behavior description:Adjusts process token privileges
details:SE_LOAD_DRIVER_PRIVILEGE
Behavior description:Window information
details:Pid = 2668, Hwnd=0x10348, Text = Simplified Chinese, ClassName = ComboBox.
Pid = 2668, Hwnd=0x1034c, Text = OK, ClassName = Button.
Pid = 2668, Hwnd=0x1034e, Text = Cancel, ClassName = Button.
Pid = 2668, Hwnd=0x10350, Text = Please select a language., ClassName = Static.
Pid = 2668, Hwnd=0x10344, Text = Installer Language, ClassName = #32770.
Pid = 2668, Hwnd=0x2034e, Text = Uninstall(&U), ClassName = Button.
Pid = 2668, Hwnd=0x2034c, Text = Cancel(&C), ClassName = Button.
Pid = 2668, Hwnd=0x40342, Text = Process Lasso - 8.9.8.52 - Built on 10/20/2016 at 9:43:13 AM - (c)2016 Bitsum LLC, ClassName = Static.
Pid = 2668, Hwnd=0x10358, Text = Process Lasso - 8.9.8.52 - Built on 10/20/2016 at 9:43:13 AM - (c)2016 Bitsum LLC, ClassName = Static.
Pid = 2668, Hwnd=0x1035c, Text = Uninstall Process Lasso Server Edition [x64], ClassName = Static.
Pid = 2668, Hwnd=0x1035e, Text = Uninstall "Process Lasso Server Edition [x64]" from your computer, ClassName = Static.
Pid = 2668, Hwnd=0x10368, Text = Uninstall directory: , ClassName = Static.
Pid = 2668, Hwnd=0x1036a, Text = C:\Documents and Settings\Administrator\Local Settings\%temp%\, ClassName = Edit.
Pid = 2668, Hwnd=0x1036c, Text = This wizard will uninstall Process Lasso Server Edition [x64] from your computer. Click [Uninstall(U)] to start the uninstall process., ClassName = Static.
Pid = 2668, Hwnd=0x20344, Text = Process Lasso Server Edition [x64] Uninstall, ClassName = #32770.
Behavior description:Executable signature information
details:C:\Documents and Settings\Administrator\Local Settings\Temp\~nsu.tmp\Au_.exe(signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsy7.tmp\LangDLL.dll(signature verification: failed)
Behavior description:Creates event objects
details:EventName = MSCTF.SendReceive.Event.AHK.IC
EventName = MSCTF.SendReceiveConection.Event.AHK.IC
Behavior description:Executable MD5
details:C:\Documents and Settings\Administrator\Local Settings\Temp\~nsu.tmp\Au_.exe ---> 1c367fe3cf97da1f8b245cb8a790016f
C:\Documents and Settings\Administrator\Local Settings\Temp\nsy7.tmp\LangDLL.dll ---> a1cd3f159ef78d9ace162f067b544fd9
Note: the Au_.exe hash is identical to the MD5 of the submitted sample in Basic Information, so the Temp copy is a byte-for-byte self-copy and its failed signature check above reflects the sample's own signature status, not something introduced by the copy. The LangDLL.dll hash here is the one to use; the static subfile entry recorded the hash of an empty file.
Behavior description:Opens mutexes
details:ShimCacheMutex
Behavior description:Loads newly dropped files
details:Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsy7.tmp\LangDLL.dll.
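The checks a reviewer would run over a behavior list like the one above, written out as an added example (not VirSCAN's or Bitsum's code). The script parses "Behavior description:" / "details:" blocks in the layout this page uses and reports: static subfile hashes equal to the MD5 of empty input, dropped executables byte-identical to the sample, dropped executables that failed signature verification, and whether the NSIS uninstaller self-delete sequence (copy run from Temp\~nsu.tmp\Au_.exe with a _?= argument, plus a PendingFileRenameOperations write) is present. The embedded report text is a constructed excerpt that mirrors this page, using the English labels as translated here; the label strings and the trailing-backslash trimming on the _?= argument are assumptions of the example.

```python
"""Triage checks over a VirSCAN-style behaviour list (added example, not VirSCAN code)."""
import hashlib
import re
from collections import defaultdict

# MD5 of zero bytes; a subfile carrying this hash was extracted as an empty file.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # d41d8cd98f00b204e9800998ecf8427e

# Constructed excerpt in the layout of the report above (labels as translated on
# this page; the trailing backslash of the _?= argument is dropped here).
SAMPLE_REPORT = r"""MD5:1c367fe3cf97da1f8b245cb8a790016f
Subfile information:LangDLL.dll / d41d8cd98f00b204e9800998ecf8427e / Unknown
Behavior description:Creates a new process from a file
details:[0x00000a6c]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~nsu.tmp\Au_.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~nsu.tmp\Au_.exe" _?=C:\Documents and Settings\Administrator\Local Settings\%temp%
Behavior description:Creates executable files
details:C:\Documents and Settings\Administrator\Local Settings\Temp\~nsu.tmp\Au_.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsy7.tmp\LangDLL.dll
Behavior description:Modifies registry: pending file rename entry
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Session Manager\PendingFileRenameOperations
Behavior description:Executable signature information
details:C:\Documents and Settings\Administrator\Local Settings\Temp\~nsu.tmp\Au_.exe(signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsy7.tmp\LangDLL.dll(signature verification: failed)
Behavior description:Executable MD5
details:C:\Documents and Settings\Administrator\Local Settings\Temp\~nsu.tmp\Au_.exe ---> 1c367fe3cf97da1f8b245cb8a790016f
C:\Documents and Settings\Administrator\Local Settings\Temp\nsy7.tmp\LangDLL.dll ---> a1cd3f159ef78d9ace162f067b544fd9
"""


def parse_report(text):
    """Return {'md5': sample hash, 'subfiles': [(name, md5)], 'behaviors': {label: [detail]}}."""
    report = {"md5": None, "subfiles": [], "behaviors": defaultdict(list)}
    label = None
    for line in text.splitlines():
        if line.startswith("MD5:"):
            report["md5"] = line[4:].strip().lower()
        elif line.startswith("Subfile information:"):
            fields = [f.strip() for f in line.split(":", 1)[1].split(" / ")]
            if len(fields) >= 2:
                report["subfiles"].append((fields[0], fields[1].lower()))
        elif line.startswith("Behavior description:"):
            label = line.split(":", 1)[1].strip()
        elif line.startswith("details:") and label:
            report["behaviors"][label].append(line[8:].strip())
        elif label and line.strip():  # continuation line of the current details block
            report["behaviors"][label].append(line.strip())
    return report


def dropped_hashes(report):
    """Map dropped-executable path -> MD5 from the 'Executable MD5' block."""
    hashes = {}
    for detail in report["behaviors"].get("Executable MD5", []):
        path, sep, md5 = detail.partition(" ---> ")
        if sep:
            hashes[path.strip()] = md5.strip().lower()
    return hashes


def empty_subfiles(report):
    """Subfiles whose static hash is EMPTY_MD5: the extractor wrote nothing, so the
    hash says nothing about the embedded file; use the run-time hash instead."""
    return [name for name, md5 in report["subfiles"] if md5 == EMPTY_MD5]


def self_copies(report):
    """Dropped executables byte-identical to the submitted sample (self-copy)."""
    return sorted(p for p, h in dropped_hashes(report).items() if h == report["md5"])


def unsigned_dropped(report):
    """Dropped executables whose signature check the sandbox reported as failed."""
    sigs = report["behaviors"].get("Executable signature information", [])
    return sorted(d.rpartition("(")[0].strip() for d in sigs if "failed" in d)


NSIS_UNINST = re.compile(r"\\Temp\\~nsu\.tmp\\Au_\.exe", re.IGNORECASE)


def nsis_self_delete(report):
    r"""True when the NSIS uninstaller self-delete sequence is present: a copy started
    from Temp\~nsu.tmp\Au_.exe with the _?= argument, plus a PendingFileRenameOperations
    write that removes the copy on the next boot."""
    spawned = any(NSIS_UNINST.search(d) and "_?=" in d
                  for d in report["behaviors"].get("Creates a new process from a file", []))
    pending = any("PendingFileRenameOperations" in d
                  for d in report["behaviors"].get("Modifies registry: pending file rename entry", []))
    return spawned and pending


def triage(text):
    """Run every check and return the findings as one dict."""
    report = parse_report(text)
    return {
        "sample_md5": report["md5"],
        "empty_subfiles": empty_subfiles(report),
        "self_copies": self_copies(report),
        "unsigned_dropped": unsigned_dropped(report),
        "nsis_self_delete": nsis_self_delete(report),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

On this page's data the checks flag LangDLL.dll as an empty static extraction, Au_.exe as a self-copy of the sample, both dropped files as failing signature verification, and the self-delete sequence as present; for an NSIS uninstaller that combination is expected behavior, and the hash match is what lets you attribute the signature result to the submitted file rather than to the Temp copy.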
Run screenshot: (image not reproduced in this extract)

Translated by Keith Miller, United States