VirSCAN


File information
Safety rating: 88
Behavior list
Basic Information
MD5: 349defaf796911eea3828544bf912a65
File type: EXE
Production company: 夏冰软件
Version: 0.0.0.0
Shell or compiler information: COMPILER: Inno Setup Module Heuristic Mode [Overlay]
Key behavior
Behavior description: Shut down or restart
details: N/A
Behavior description: Create desktop shortcut
details: C:\Documents and Settings\Administrator\桌面\文件夹加密超级大师.lnk
Behavior description: Hide specified window
details: [Window,Class] = [,ComboLBox]
[Window,Class] = [cwind,#32770]
[Window,Class] = [安装 - 文件夹加密超级大师,TWizardForm]
Behavior description: Create system service
details: [服务创建成功]: wxbfileb, system32\DRIVERS\wxbfileb.sys
Behavior description: Modify registry (startup item)
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv
Process behavior
Behavior description: Create process with hidden window
details: ImagePath = , CmdLine = "c:\program files\fse\cwind.exe" baohu
ImagePath = , CmdLine = "c:\program files\fse\diskpro.exe" -i
ImagePath = , CmdLine = "c:\program files\fse\fse.exe" baohu
ImagePath = , CmdLine = "c:\windows\system32\rundll32.exe" setupapi,installhinfsection defaultinstall 132 c:\windows\system32\wxbfileb.inf
Behavior description: Create process
details: ImagePath = C:\WINDOWS\system32\rundll32.exe, CmdLine = "C:\WINDOWS\system32\rundll32.exe" setupapi,InstallHinfSection DefaultInstall 132 C:\WINDOWS\system32\wxbfileb.inf
ImagePath = C:\WINDOWS\system32\runonce.exe, CmdLine = runonce -r
ImagePath = C:\WINDOWS\system32\grpconv.exe, CmdLine = "C:\WINDOWS\system32\grpconv.exe" -o
Behavior description: Create process from newly created file
details: ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-EGVFB.tmp\is-3PPQE.tmp, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-EGVFB.tmp\is-3PPQE.tmp" /SL4 $1034C "c:\%temp%\1425044843.730359.exe" 3677417 51712
ImagePath = C:\Program Files\fse\cwind.exe, CmdLine = "C:\Program Files\fse\cwind.exe" baohu
ImagePath = C:\Program Files\fse\DiskPro.exe, CmdLine = "C:\Program Files\fse\DiskPro.exe" -i
ImagePath = C:\Program Files\fse\fse.exe, CmdLine = "C:\Program Files\fse\fse.exe" baohu
File behavior
Behavior description: Drop links or shortcuts in sensitive system locations (e.g. Start menu)
details: C:\Documents and Settings\All Users\「开始」菜单\程序\文件夹加密超级大师\文件夹加密超级大师.lnk
C:\Documents and Settings\All Users\「开始」菜单\程序\文件夹加密超级大师\帮助.lnk
C:\Documents and Settings\All Users\「开始」菜单\程序\文件夹加密超级大师\夏冰软件产品介绍.lnk
C:\Documents and Settings\All Users\「开始」菜单\程序\文件夹加密超级大师\常见问题解答.lnk
C:\Documents and Settings\All Users\「开始」菜单\程序\文件夹加密超级大师\访问夏冰软件.lnk
C:\Documents and Settings\All Users\「开始」菜单\程序\文件夹加密超级大师\联系我们.lnk
C:\Documents and Settings\All Users\「开始」菜单\程序\文件夹加密超级大师\删除文件夹加密超级大师.lnk
Behavior description: Create executable file
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-EGVFB.tmp\is-3PPQE.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-6UJTH.tmp\_shfoldr.dll
C:\Program Files\fse\is-M7U61.tmp
C:\Program Files\fse\is-6KG2R.tmp
C:\Program Files\fse\is-13AE3.tmp
C:\Program Files\fse\is-00QEJ.tmp
C:\Program Files\fse\is-O5FQB.tmp
C:\Program Files\fse\is-73T3C.tmp
C:\Program Files\fse\is-LLJNP.tmp
C:\Program Files\fse\is-0TI21.tmp
C:\WINDOWS\system32\is-QUJAJ.tmp
C:\Program Files\fse\is-RLM5G.tmp
C:\Program Files\fse\is-HJJ0C.tmp
C:\Program Files\fse\is-MAO33.tmp
C:\Program Files\fse\is-MB1TV.tmp
Behavior description: Create desktop shortcut
details: C:\Documents and Settings\Administrator\桌面\文件夹加密超级大师.lnk
Behavior description: Create file mapping with write access
details: CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
MSCTF.MarshalInterface.FileMap.EIK..EHDGF
MSCTF.MarshalInterface.FileMap.EIK.B.EHDGF
MSCTF.MarshalInterface.FileMap.EIK.C.EHDGF
MSCTF.MarshalInterface.FileMap.EIK.D.EHDGF
MSCTF.MarshalInterface.FileMap.EIK.E.EHDGF
MSCTF.MarshalInterface.FileMap.EIK.F.EIDGF
MSCTF.MarshalInterface.FileMap.EIK.G.EIDGF
MSCTF.Shared.SFM.EIK
\WINDOWS\system32\zh-cn\ieframe.dll.mui
MSCTF.MarshalInterface.FileMap.IHO..BDPLF
MSCTF.MarshalInterface.FileMap.IHO.B.BDPLF
MSCTF.MarshalInterface.FileMap.IHO.C.AEPLF
MSCTF.MarshalInterface.FileMap.IHO.D.AEPLF
MSCTF.MarshalInterface.FileMap.IHO.E.AEPLF
Behavior description: Rename file
details: C:\Program Files\fse\is-M7U61.tmp ---> C:\Program Files\fse\unins000.exe
C:\Program Files\fse\is-6KG2R.tmp ---> C:\Program Files\fse\fse.exe
C:\Program Files\fse\is-13AE3.tmp ---> C:\Program Files\fse\fsetmp.exe
C:\Program Files\fse\is-00QEJ.tmp ---> C:\Program Files\fse\ED.exe
C:\Program Files\fse\is-O5FQB.tmp ---> C:\Program Files\fse\SESelf.exe
C:\Program Files\fse\is-73T3C.tmp ---> C:\Program Files\fse\hd.exe
C:\Program Files\fse\is-LLJNP.tmp ---> C:\Program Files\fse\DiskPro.exe
C:\Program Files\fse\is-0TI21.tmp ---> C:\Program Files\fse\cwind.exe
C:\WINDOWS\system32\is-QUJAJ.tmp ---> C:\WINDOWS\system32\wxbfileb.sys
C:\WINDOWS\system32\is-OVHVL.tmp ---> C:\WINDOWS\system32\xp.inf
C:\WINDOWS\system32\is-11CS9.tmp ---> C:\WINDOWS\system32\2000.inf
C:\WINDOWS\system32\xp.inf ---> C:\WINDOWS\system32\wxbfileb.inf
C:\Program Files\fse\is-BN3BK.tmp ---> C:\Program Files\fse\help.chm
C:\Program Files\fse\is-1ABPI.tmp ---> C:\Program Files\fse\FAQ.txt
C:\Program Files\fse\is-RLM5G.tmp ---> C:\Program Files\fse\CRTool.dll
Behavior description: Modify file content
details: C:\WINDOWS\system32\is-OVHVL.tmp ---> Offset = 0
C:\WINDOWS\system32\is-11CS9.tmp---> Offset = 0
C:\Program Files\fse\is-BN3BK.tmp---> Offset = 262144
C:\Program Files\fse\is-1ABPI.tmp---> Offset = 0
C:\Program Files\fse\is-JRQ2J.tmp---> Offset = 0
C:\Program Files\fse\is-OA4OM.tmp---> Offset = 0
C:\Documents and Settings\Administrator\Favorites\is-DHVUA.tmp---> Offset = 0
C:\Program Files\fse\is-3PCEO.tmp---> Offset = 0
C:\Documents and Settings\Administrator\桌面\is-BRA65.tmp---> Offset = 0
C:\Program Files\fse\is-932LH.tmp---> Offset = 0
C:\Program Files\fse\is-62O5L.tmp---> Offset = 0
C:\Documents and Settings\Administrator\桌面\is-V8J6D.tmp---> Offset = 0
C:\Documents and Settings\All Users\「开始」菜单\程序\文件夹加密超级大师\文件夹加密超级大师.lnk---> Offset = 0
C:\Documents and Settings\All Users\「开始」菜单\程序\文件夹加密超级大师\帮助.lnk---> Offset = 0
C:\Documents and Settings\All Users\「开始」菜单\程序\文件夹加密超级大师\夏冰软件产品介绍.lnk---> Offset = 0
Registry behavior
Behavior description: Delete registry value (remove startup item)
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv
Behavior description: Modify registry
details: \REGISTRY\MACHINE\SOFTWARE\Classes\fse_file\
\REGISTRY\MACHINE\SOFTWARE\Classes\ffs0_file\
\REGISTRY\MACHINE\SOFTWARE\Classes\ffs1_file\
\REGISTRY\MACHINE\SOFTWARE\Classes\ffs2_file\
\REGISTRY\MACHINE\SOFTWARE\Classes\ffs3_file\
\REGISTRY\MACHINE\SOFTWARE\Classes\ffs4_file\
\REGISTRY\MACHINE\SOFTWARE\Classes\ffs5_file\
\REGISTRY\MACHINE\SOFTWARE\Classes\ffs6_file\
\REGISTRY\MACHINE\SOFTWARE\Classes\ffs7_file\
\REGISTRY\MACHINE\SOFTWARE\Classes\ffs8_file\
\REGISTRY\MACHINE\SOFTWARE\Classes\fdse_file\
\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\fse\
\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\fse\command\
\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\fse\
\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\fse\command\
Behavior description: Modify registry (browser toolbar)
details: \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBarLayout
Behavior description: Modify registry (startup item)
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv
Other behavior
Behavior description: Create mutex
details: CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1645522239-1417001333-500MUTEX.DefaultS-1-5-21-1482476501-1645522239-1417001333-500
MSCTF.Shared.MUTEX.AEH
MSCTF.Shared.MUTEX.EIK
SHIMLIB_LOG_MUTEX
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
MSCTF.Shared.MUTEX.MCJ
Behavior description: Hide specified window
details: [Window,Class] = [,ComboLBox]
[Window,Class] = [cwind,#32770]
[Window,Class] = [安装 - 文件夹加密超级大师,TWizardForm]
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [TWizardForm,安装 - 文件夹加密超级大师]
NtUserFindWindowEx: [Class,Window] = [#32770,系统设置改变]
NtUserFindWindowEx: [Class,Window] = [#32770,错误]
NtUserFindWindowEx: [Class,Window] = [#32770,硬件安装]
NtUserFindWindowEx: [Class,Window] = [#32770,Microsoft Windows]
NtUserFindWindowEx: [Class,Window] = [OleMainThreadWndClass,]
Behavior description: Window information
details: Pid = 2688, Hwnd=0x1037a, Text = www.cksis.com(夏冰软件为您服务), ClassName = TNewStaticText.
Pid = 2688, Hwnd=0x10378, Text = 欢迎使用 文件夹加密超级大师 安装向导 , ClassName = TNewStaticText.
Pid = 2688, Hwnd=0x10376, Text = 现在将安装 文件夹加密超级大师 12.60 到您的电脑中。 推荐您在继续安装前关闭所有其它应用程序。 单击“下一步”继续,或单击“取消, ClassName = TNewStaticText.
Pid = 2688, Hwnd=0x10372, Text = 下一步(&N) >, ClassName = TButton.
Pid = 2688, Hwnd=0x10370, Text = 取消, ClassName = TButton.
Pid = 2688, Hwnd=0x2035c, Text = 安装 - 文件夹加密超级大师, ClassName = TWizardForm.
Pid = 2688, Hwnd=0x10386, Text = 许可协议, ClassName = TNewStaticText.
Pid = 2688, Hwnd=0x10384, Text = 继续安装前请阅读下列重要信息。, ClassName = TNewStaticText.
Pid = 2688, Hwnd=0x10380, Text = 请仔细阅读下列许可协议。您在继续安装前必须同意这些协议条款。, ClassName = TNewStaticText.
Pid = 2688, Hwnd=0x1037e, Text = 我同意此协议(&A), ClassName = TRadioButton.
Pid = 2688, Hwnd=0x6037c, Text = 我不同意此协议(&D), ClassName = TRadioButton.
Pid = 2688, Hwnd=0x1038a, Text = < 上一步(&B), ClassName = TButton.
Pid = 2688, Hwnd=0x10386, Text = 选择目标位置, ClassName = TNewStaticText.
Pid = 2688, Hwnd=0x10384, Text = 您想将 文件夹加密超级大师 安装在什么地方?, ClassName = TNewStaticText.
Pid = 2688, Hwnd=0x10396, Text = 安装程序将安装 文件夹加密超级大师 到下列文件夹中。, ClassName = TNewStaticText.
Behavior description: Acquire system privileges
details: SE_LOAD_DRIVER_PRIVILEGE
SE_SYSTEM_PROFILE_PRIVILEGE
SE_SHUTDOWN_PRIVILEGE
Behavior description: Attempt to open driver device objects of debuggers or monitoring software
details: \??\SICE
\??\NTICE
\??\SIWVID
Behavior description: Enumerate windows
details: N/A
Behavior description: Shut down or restart
details: N/A
Behavior description: Create system service
details: [服务创建成功]: wxbfileb, system32\DRIVERS\wxbfileb.sys