VirSCAN


File information
Safety rating: 85
Behavior list
Basic Information
MD5: cfe26a74237d06f74329e168c1583dae
File type: Rar
Production company:
Version:
Shell or compiler information: COMPILER:Borland Delphi 6.0 - 7.0 [Overlay]
Subfile information: sysrc_trial.exe / big file / EXE
注册码.txt / 896b4a111d4b3f6c1c13d86e233c70b6 / Unknown
Key behavior
Behavior description: Write to a file mapping opened with write access
details:CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
MSCTF.MarshalInterface.FileMap.EHK..FCOFF
MSCTF.MarshalInterface.FileMap.EHK.B.EDOFF
MSCTF.MarshalInterface.FileMap.EHK.C.EDOFF
MSCTF.MarshalInterface.FileMap.EHK.D.EDOFF
MSCTF.MarshalInterface.FileMap.EHK.E.EDOFF
MSCTF.MarshalInterface.FileMap.EHK.F.EDOFF
MSCTF.MarshalInterface.FileMap.EHK.G.EDOFF
MSCTF.Shared.SFM.EHK
Behavior description: Hide a specified window
details:[Window,Class] = [安装程序,TApplication]
Process behavior
Behavior description: Create process
details:ImagePath = C:\WINDOWS\system32\regsvr32.exe, CmdLine = "C:\WINDOWS\system32\regsvr32.exe" /s "C:\WINDOWS\system32\jscript.dll"
Behavior description: Create process from a newly created file
details:ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-KUO5E.tmp\sysrc_trial.tmp, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-KUO5E.tmp\sysrc_trial.tmp" /SL5="$1034C,5185390,163328,c:\%temp%\1434883072.242277.exe_7zdump\sysrc_trial.exe"
File behavior
Behavior description: Write to a file mapping opened with write access
details:CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
MSCTF.MarshalInterface.FileMap.EHK..FCOFF
MSCTF.MarshalInterface.FileMap.EHK.B.EDOFF
MSCTF.MarshalInterface.FileMap.EHK.C.EDOFF
MSCTF.MarshalInterface.FileMap.EHK.D.EDOFF
MSCTF.MarshalInterface.FileMap.EHK.E.EDOFF
MSCTF.MarshalInterface.FileMap.EHK.F.EDOFF
MSCTF.MarshalInterface.FileMap.EHK.G.EDOFF
MSCTF.Shared.SFM.EHK
Behavior description: Create executable file
details:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-KUO5E.tmp\sysrc_trial.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-62970.tmp\_isetup\_shfoldr.dll
Behavior description: Modify file contents
details:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-62970.tmp\amazon_zh.bmp---> Offset = 262144
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-62970.tmp\pcbackup.bmp---> Offset = 262144
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-62970.tmp\setup_en.bmp---> Offset = 262144
Registry behavior
Behavior description: Delete registry key
details:\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}
\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\CLSID
\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\OLEScript
\REGISTRY\MACHINE\SOFTWARE\Classes\JScript
\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\CLSID
\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\OLEScript
\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript
\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID
\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\OLEScript
\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript
\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\CLSID
\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\OLEScript
\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1
\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID
Behavior description: Modify registry
details:\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\
\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\
\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\
\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\
\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\
\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\
\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\
\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\
Other behavior
Behavior description: Create mutex
details:CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1645522239-1417001333-500MUTEX.DefaultS-1-5-21-1482476501-1645522239-1417001333-500
MSCTF.Shared.MUTEX.AEH
SHIMLIB_LOG_MUTEX
MSCTF.Shared.MUTEX.EHK
Behavior description: Hide a specified window
details:[Window,Class] = [安装程序,TApplication]
Behavior description: Find a specified window
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [OleMainThreadWndClass,]
Behavior description: Window information
details:Pid = 2672, Hwnd=0x10386, Text = 单击以下的“下一步”按钮表示您同意《最终用户许可协议》 , ClassName = TNewStaticText.
Pid = 2672, Hwnd=0x10384, Text = 《最终用户许可协议》, ClassName = TNewStaticText.
Pid = 2672, Hwnd=0x10382, Text = 欢迎安装 RegClean Pro , ClassName = TNewStaticText.
Pid = 2672, Hwnd=0x10380, Text = 即将在您的计算机上安装 RegClean Pro。 建议您关闭所有的运行程序后继续。 点击 下一步 继续,点击 取消 取消安装。, ClassName = TNewStaticText.
Pid = 2672, Hwnd=0x20368, Text = C:\Program Files\RegClean Pro, ClassName = TEdit.
Pid = 2672, Hwnd=0x2037c, Text = 下一步(&N) >, ClassName = TNewButton.
Pid = 2672, Hwnd=0x2037a, Text = 取消, ClassName = TNewButton.
Pid = 2672, Hwnd=0x2035e, Text = 安装程序 - RegClean Pro, ClassName = TWizardForm.
Pid = 2672, Hwnd=0x1039c, Text = 拒绝, ClassName = TButton.
Pid = 2672, Hwnd=0x10396, Text = Install Amazon Browser Bar, ClassName = TNewStaticText.
Pid = 2672, Hwnd=0x10392, Text = 帮助 , ClassName = TNewStaticText.
Pid = 2672, Hwnd=0x10390, Text = 隐私权政策, ClassName = TNewStaticText.
Pid = 2672, Hwnd=0x1038e, Text = 使用条款, ClassName = TNewStaticText.
Pid = 2672, Hwnd=0x1039a, Text = < 上一步(&B), ClassName = TNewButton.
Pid = 2672, Hwnd=0x2037c, Text = 接受 >>, ClassName = TNewButton.
Behavior description: Acquire system privilege
details:SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Enumerate windows
details:N/A
Behavior description: Open image file
details:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-62970.tmp\amazon_zh.bmp
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-62970.tmp\pcbackup.bmp
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-62970.tmp\setup_en.bmp
Run screenshot