VirSCAN

File information
Safety rating: 59
Behavior list
Behavior analysis report: Threatbook file behavior analysis report
Basic Information
MD5: a0492490b98a266a8c6c0df8e677de04
File type: NSIS
Publisher: Faronics Corporation
Version: 8.30.20.4627 --- 8.30.20.4627
Shell or compiler information:
Subfile information: DFStd.exe / big file / EXE
DFTrial.exe / eccb3c90783f73957f44c4df2ad7360f / EXE
ReplaceFile.exe / 4b2ebaaef8ddcf7e7055b6144ae62d06 / EXE
CONDLG32.dll / 632c1b2f753e35a8d123b5238178ce86 / DLL
Faronics_Data_Igloo_README.txt / d734753a8198e84079792f8837302006 / Unknown
[NSIS].nsi / 627584fe1eb42b5752f8725376930b0e / Unknown
Faronics_Data_Igloo.url / c9e3064e81572c12f188646775eb8e0f / Unknown
Data Igloo Benutzerhandbuch.url / a120fba0f516b4652bb7f57dc9ee8f39 / Unknown
Deep Freeze Standard Benutzerhandbuch.url / 44cc280f6869f8a1d28770a752437cd2 / Unknown
Data Igloo User Guide.url / 5954fe160c4533ab2113261d327f2c5f / Unknown
Deep Freeze Standard User Guide.url / 31190415f7a9d269a21678247e007f88 / Unknown
Data Igloo Guía de usuario.url / 5cbe2ad2988d24218bbd497aee44716c / Unknown
Deep Freeze Standard Guía de usuario.url / 632d44c61955f3db1680529fdbf077b4 / Unknown
Data Igloo Manuel de l'utilisateur.url / 872381dc88e9248e51ecd9b8602d3935 / Unknown
Deep Freeze Standard Manuel de l'utilisateur.url / 5c078540122fec4c04685284bc39d691 / Unknown
Data Igloo User Guide.url / 93dff501d597ebdf8141b6c5f267ea2f / Unknown
Deep Freeze Standard User Guide.url / f143037f4cdad5e228840f4c855d8da6 / Unknown
Data Igloo User Guide.url / 25d8067b7f9c836ae1ae6072013de0b5 / Unknown
Deep Freeze Standard User Guide.url / 2654fef42e9d23cee31239c354fe7507 / Unknown
Key behavior
Behavior description: Cross-process memory write
details: TargetProcess = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tmp~DFStd\DFStd.exe, WriteAddress = 0x00010000, Size = 0x000007c2
TargetProcess = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tmp~DFStd\DFStd.exe, WriteAddress = 0x00020000, Size = 0x00000794
TargetProcess = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tmp~DFStd\DFStd.exe, WriteAddress = 0x7ffde010, Size = 0x00000004
TargetProcess = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tmp~DFStd\DFStd.exe, WriteAddress = 0x7ffde1e8, Size = 0x00000004
Behavior description: Get window screenshot information
details: Foreground window Info: HWND = 0x00000000, DC = 0x160104a3.
Behavior description: Get TickCount value
details: TickCount = 551968, SleepMilliseconds = 60000.
TickCount = 552000, SleepMilliseconds = 60000.
TickCount = 552031, SleepMilliseconds = 60000.
TickCount = 552046, SleepMilliseconds = 60000.
TickCount = 552062, SleepMilliseconds = 60000.
TickCount = 552078, SleepMilliseconds = 60000.
TickCount = 552093, SleepMilliseconds = 60000.
TickCount = 552109, SleepMilliseconds = 60000.
TickCount = 552140, SleepMilliseconds = 60000.
TickCount = 552156, SleepMilliseconds = 60000.
TickCount = 552171, SleepMilliseconds = 60000.
TickCount = 552187, SleepMilliseconds = 60000.
TickCount = 552250, SleepMilliseconds = 60000.
TickCount = 552265, SleepMilliseconds = 60000.
TickCount = 552281, SleepMilliseconds = 60000.
Process behavior
Behavior description: Cross-process memory write
details: TargetProcess = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tmp~DFStd\DFStd.exe, WriteAddress = 0x00010000, Size = 0x000007c2
TargetProcess = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tmp~DFStd\DFStd.exe, WriteAddress = 0x00020000, Size = 0x00000794
TargetProcess = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tmp~DFStd\DFStd.exe, WriteAddress = 0x7ffde010, Size = 0x00000004
TargetProcess = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tmp~DFStd\DFStd.exe, WriteAddress = 0x7ffde1e8, Size = 0x00000004
Behavior description: Create process from new file
details: ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tmp~DFStd\DFStd.exe, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tmp~DFStd\DFStd.exe
Behavior description: Create local thread
details: TargetProcess: DFStd.exe, InheritedFromPID = 1772, ProcessID = 2076, ThreadID = 2108, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: DFStd.exe, InheritedFromPID = 1772, ProcessID = 2076, ThreadID = 2148, StartAddress = 77E56C7D, Parameter = 001BC5C8
TargetProcess: DFStd.exe, InheritedFromPID = 1772, ProcessID = 2076, ThreadID = 2152, StartAddress = 769AE43B, Parameter = 001BEF50
TargetProcess: DFStd.exe, InheritedFromPID = 1772, ProcessID = 2076, ThreadID = 2156, StartAddress = 77E56C7D, Parameter = 001BF7F0
File behavior
Behavior description: Create file
details: C:\Documents and Settings\Administrator\Local Settings\Temp\nswA.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\Deutsch\Data Igloo Benutzerhandbuch.url
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\Deutsch\Deep Freeze Standard Benutzerhandbuch.url
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\English\Data Igloo User Guide.url
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\English\Deep Freeze Standard User Guide.url
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\Espanol\Data Igloo Guía de usuario.url
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\Espanol\Deep Freeze Standard Guía de usuario.url
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\Francais\Data Igloo Manuel de l"utilisateur.url
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\Francais\Deep Freeze Standard Manuel de l"utilisateur.url
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\Japanese\Data Igloo User Guide.url
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\Japanese\Deep Freeze Standard User Guide.url
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\Simplified Chinese\Data Igloo User Guide.url
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\Simplified Chinese\Deep Freeze Standard User Guide.url
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\Faronics_Data_Igloo.url
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\Faronics_Data_Igloo_README.txt
Behavior description: Delete file
details: C:\Documents and Settings\Administrator\Local Settings\Temp\nswA.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\DF5B.tmp
Behavior description: Create executable file
details: C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\CONDLG32.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\DFTrial.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\ReplaceFile.exe
Behavior description: Modify file content
details: C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\Deutsch\Data Igloo Benutzerhandbuch.url ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\Deutsch\Deep Freeze Standard Benutzerhandbuch.url ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\English\Data Igloo User Guide.url ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\English\Deep Freeze Standard User Guide.url ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\Espanol\Data Igloo Guía de usuario.url ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\Espanol\Deep Freeze Standard Guía de usuario.url ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\Francais\Data Igloo Manuel de l"utilisateur.url ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\Francais\Deep Freeze Standard Manuel de l"utilisateur.url ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\Japanese\Data Igloo User Guide.url ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\Japanese\Deep Freeze Standard User Guide.url ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\Simplified Chinese\Data Igloo User Guide.url ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\Simplified Chinese\Deep Freeze Standard User Guide.url ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\Faronics_Data_Igloo.url ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\Faronics_Data_Igloo_README.txt ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\CONDLG32.dll ---> Offset = 0
Behavior description: Find file
details: FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tmp~DFStd\DFStd.exe
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tmp~DFStd\DFStd.zh-CN
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tmp~DFStd\DFStd.zh-Hans
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tmp~DFStd\DFStd.zh
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tmp~DFStd\DFStd.CHS
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tmp~DFStd\DFStd.CH
Other behavior
Behavior description: Create mutex
details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.ACI
Behavior description: Create event object
details: EventName = Global\crypt32LogoffEvent
EventName = MSCTF.SendReceive.Event.ACI.IC
EventName = MSCTF.SendReceiveConection.Event.ACI.IC
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Window information
details: Pid = 2076, Hwnd=0x102f6, Text = 使用评估版, ClassName = TCheckBox.
Pid = 2076, Hwnd=0x202c6, Text = 可见, ClassName = TComboBox.
Pid = 2076, Hwnd=0x102ec, Text = C:, ClassName = TComboBox.
Pid = 2076, Hwnd=0x202c8, Text = GB, ClassName = TComboBox.
Pid = 2076, Hwnd=0x102ea, Text = 1, ClassName = TEdit.
Pid = 2076, Hwnd=0x102e6, Text = E:, ClassName = TComboBox.
Pid = 2076, Hwnd=0x102e4, Text = 创建 ThawSpace 解冻空间, ClassName = TCheckBox.
Pid = 2076, Hwnd=0x102e2, Text = IEEE 1394 (FireWire), ClassName = TCheckBox.
Pid = 2076, Hwnd=0x3015a, Text = USB, ClassName = TCheckBox.
Pid = 2076, Hwnd=0x160142, Text = 保持新发现的硬盘驱动器为 Thawed 解冻状态。, ClassName = TCheckBox.
Pid = 2076, Hwnd=0x102e0, Text = 打印(&P), ClassName = TButton.
Pid = 2076, Hwnd=0x102de, Text = 复制(&O), ClassName = TButton.
Pid = 2076, Hwnd=0x202d2, Text = 稍后激活, ClassName = TRadioButton.
Pid = 2076, Hwnd=0x202d0, Text = 在线激活, ClassName = TRadioButton.
Pid = 2076, Hwnd=0x302b6, Text = 离线激活, ClassName = TRadioButton.
Behavior description: Get TickCount value
details: TickCount = 551968, SleepMilliseconds = 60000.
TickCount = 552000, SleepMilliseconds = 60000.
TickCount = 552031, SleepMilliseconds = 60000.
TickCount = 552046, SleepMilliseconds = 60000.
TickCount = 552062, SleepMilliseconds = 60000.
TickCount = 552078, SleepMilliseconds = 60000.
TickCount = 552093, SleepMilliseconds = 60000.
TickCount = 552109, SleepMilliseconds = 60000.
TickCount = 552140, SleepMilliseconds = 60000.
TickCount = 552156, SleepMilliseconds = 60000.
TickCount = 552171, SleepMilliseconds = 60000.
TickCount = 552187, SleepMilliseconds = 60000.
TickCount = 552250, SleepMilliseconds = 60000.
TickCount = 552265, SleepMilliseconds = 60000.
TickCount = 552281, SleepMilliseconds = 60000.
Behavior description: Adjust process token privileges
details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Enumerate windows
details: N/A
Behavior description: Get window screenshot information
details: Foreground window Info: HWND = 0x00000000, DC = 0x160104a3.
Behavior description: Executable file signature information
details: C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\CONDLG32.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\DFTrial.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\ReplaceFile.exe (signature verification: failed)
Behavior description: Call Sleep function
details: [1]: MilliSeconds = 60000.
[2]: MilliSeconds = 60000.
[3]: MilliSeconds = 60000.
[4]: MilliSeconds = 60000.
[5]: MilliSeconds = 60000.
Behavior description: Hide specified window
details: [Window,Class] = [,ComboLBox]
Behavior description: Executable file MD5
details: C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\CONDLG32.dll ---> 632c1b2f753e35a8d123b5238178ce86
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\DFTrial.exe ---> eccb3c90783f73957f44c4df2ad7360f
C:\Documents and Settings\Administrator\Local Settings\Temp\Tmp~DFStd\ReplaceFile.exe ---> 4b2ebaaef8ddcf7e7055b6144ae62d06
Behavior description: Load newly dropped file
details: Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tmp~DFStd\CONDLG32.dll.