VirSCAN

1, You can upload any file, but there is a 20 MB limit per file.
2, VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3, VirSCAN can scan password-protected compressed files whose password is 'infected' or 'virus'.


File information
Safety rating: 85
Behavior list
Basic Information
MD5: 0fed17d6a18178711e7e58d2f91640d7
File type: EXE
Production company:
Version:
Shell or compiler information: COMPILER:NSIS
Key behavior
Behavior description: Capture window screenshot information
details: Foreground window Info: HWND = 0x00000000, DC = 0xb201057a.
Foreground window Info: HWND = 0x00000000, DC = 0x50010568.
Behavior description: Get TickCount value
details: TickCount = 5442515, SleepMilliseconds = 250.
TickCount = 5442531, SleepMilliseconds = 250.
TickCount = 5442546, SleepMilliseconds = 250.
TickCount = 5443906, SleepMilliseconds = 250.
TickCount = 5443921, SleepMilliseconds = 250.
TickCount = 5443984, SleepMilliseconds = 250.
TickCount = 5444000, SleepMilliseconds = 250.
TickCount = 5444031, SleepMilliseconds = 250.
TickCount = 5444593, SleepMilliseconds = 250.
TickCount = 5444609, SleepMilliseconds = 250.
TickCount = 5444687, SleepMilliseconds = 250.
TickCount = 5444703, SleepMilliseconds = 250.
TickCount = 5444781, SleepMilliseconds = 250.
TickCount = 5444968, SleepMilliseconds = 250.
TickCount = 5444984, SleepMilliseconds = 250.
Process behavior
Behavior description: Create process
details: ImagePath = C:\WINDOWS\system32\cacls.exe, CmdLine = "C:\WINDOWS\system32\CACLS.exe" C:\WINDOWS\system32\msvbvm60.dll /e /g Users:R
ImagePath = C:\WINDOWS\system32\cacls.exe, CmdLine = "C:\WINDOWS\system32\CACLS.exe" C:\WINDOWS\system32\oleaut32.dll /e /g Users:R
ImagePath = C:\WINDOWS\system32\cacls.exe, CmdLine = "C:\WINDOWS\system32\CACLS.exe" C:\WINDOWS\system32\olepro32.dll /e /g Users:R
ImagePath = C:\WINDOWS\system32\cacls.exe, CmdLine = "C:\WINDOWS\system32\CACLS.exe" C:\WINDOWS\system32\asycfilt.dll /e /g Users:R
ImagePath = C:\WINDOWS\system32\cacls.exe, CmdLine = "C:\WINDOWS\system32\CACLS.exe" C:\WINDOWS\system32\stdole2.tlb /e /g Users:R
ImagePath = C:\WINDOWS\system32\cacls.exe, CmdLine = "C:\WINDOWS\system32\CACLS.exe" C:\WINDOWS\system32\comcat.dll /e /g Users:R
ImagePath = C:\WINDOWS\system32\cacls.exe, CmdLine = "C:\WINDOWS\system32\CACLS.exe" C:\WINDOWS\system32\msflxgrd.ocx /e /g Users:R
ImagePath = C:\WINDOWS\system32\cacls.exe, CmdLine = "C:\WINDOWS\system32\CACLS.exe" C:\WINDOWS\system32\mschrt20.ocx /e /g Users:R
ImagePath = C:\WINDOWS\system32\cacls.exe, CmdLine = "C:\WINDOWS\system32\CACLS.exe" C:\WINDOWS\system32\mscomctl.ocx /e /g Users:R
ImagePath = C:\WINDOWS\system32\cacls.exe, CmdLine = "C:\WINDOWS\system32\CACLS.exe" C:\WINDOWS\system32\mscomct2.ocx /e /g Users:R
Behavior description: Create local thread
details: TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2004, ThreadID = 2084, StartAddress = 004062AE, Parameter = 000903C6
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2004, ThreadID = 2260, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2004, ThreadID = 2348, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2004, ThreadID = 2352, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2004, ThreadID = 2356, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2004, ThreadID = 2360, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2004, ThreadID = 2364, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2004, ThreadID = 2476, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2004, ThreadID = 2480, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2004, ThreadID = 2484, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2004, ThreadID = 2488, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2004, ThreadID = 2492, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2004, ThreadID = 2572, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2004, ThreadID = 2576, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2004, ThreadID = 2580, StartAddress = 77DC845A, Parameter = 00000000
File behavior
Behavior description: Create file
details: C:\NRG\SymDR\SDR.exe
C:\NRG\SymDR\English.lng
C:\NRG\SymDR\OutAuto.exe
C:\NRG\SymDR\POPAuto.exe
C:\NRG\SymDR\ViewWMF.exe
C:\NRG\SymDR\NefDef.txt
C:\NRG\SymDR\Sample NEF.txt
C:\NRG\SiteFiles\defaultCDMA.ipk
C:\NRG\SiteFiles\defaultDocomo.ipk
C:\NRG\SiteFiles\defaultGSM.ipk
C:\NRG\SiteFiles\defaultSat.ipk
C:\NRG\SymDR\RegKey.dll
C:\WINDOWS\system32\msflxgrd.ocx
C:\WINDOWS\system32\mschrt20.ocx
C:\WINDOWS\system32\mscomct2.ocx
Behavior description: Delete file
details: C:\NRG\SymDR\RegKey.dll
Behavior description: Create executable file
details: C:\NRG\SymDR\SDR.exe
C:\NRG\SymDR\English.lng
C:\NRG\SymDR\OutAuto.exe
C:\NRG\SymDR\POPAuto.exe
C:\NRG\SymDR\ViewWMF.exe
C:\NRG\SymDR\RegKey.dll
C:\WINDOWS\system32\msflxgrd.ocx
C:\WINDOWS\system32\mschrt20.ocx
C:\WINDOWS\system32\mscomct2.ocx
Behavior description: Modify file contents
details: C:\NRG\SymDR\SDR.exe ---> Offset = 0
C:\NRG\SymDR\SDR.exe ---> Offset = 32768
C:\NRG\SymDR\SDR.exe ---> Offset = 41684
C:\NRG\SymDR\SDR.exe ---> Offset = 74452
C:\NRG\SymDR\SDR.exe ---> Offset = 107220
C:\NRG\SymDR\English.lng ---> Offset = 0
C:\NRG\SymDR\English.lng ---> Offset = 32768
C:\NRG\SymDR\OutAuto.exe ---> Offset = 0
C:\NRG\SymDR\OutAuto.exe ---> Offset = 32768
C:\NRG\SymDR\POPAuto.exe ---> Offset = 0
C:\NRG\SymDR\POPAuto.exe ---> Offset = 32768
C:\NRG\SymDR\POPAuto.exe ---> Offset = 48326
C:\NRG\SymDR\ViewWMF.exe ---> Offset = 0
C:\NRG\SymDR\ViewWMF.exe ---> Offset = 32768
C:\NRG\SymDR\NefDef.txt ---> Offset = 0
Behavior description: Search for file
details: FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\..\Manuals\NRG_SymphoniePLUS_Data_Logger_Manual_-_Rev_1.01.pdf
FileName = C:\NRG\SymDR\RegKey.dll
FileName = CACLS.*
FileName = C:\NRG\SymDR\CACLS.*
FileName = C:\WINDOWS\system32\CACLS.*
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\CACLS.exe
FileName = C:\WINDOWS\system32\cacls.exe
FileName = C:\WINDOWS\system32\msvbvm60.dll
FileName = C:\WINDOWS\system32\oleaut32.dll
FileName = C:\WINDOWS\system32\olepro32.dll
FileName = C:\WINDOWS\system32\asycfilt.dll
FileName = C:\WINDOWS\system32\stdole2.tlb
FileName = C:\WINDOWS\system32\msflxgrd.ocx
Registry behavior
Behavior description: Modify registry
details: \REGISTRY\MACHINE\SOFTWARE\Classes\.lng\
\REGISTRY\MACHINE\SOFTWARE\Classes\NRGLangPack\
\REGISTRY\MACHINE\SOFTWARE\Classes\NRGLangPack\DefaultIcon\
\REGISTRY\MACHINE\SOFTWARE\Classes\NRGRawData\
\REGISTRY\MACHINE\SOFTWARE\Classes\NRGRawData\DefaultIcon\
\REGISTRY\MACHINE\SOFTWARE\Classes\NRGRawData\shell\open\command\
\REGISTRY\MACHINE\SOFTWARE\Classes\NRGRawData\shell\View\
\REGISTRY\MACHINE\SOFTWARE\Classes\NRGRawData\shell\View\command\
\REGISTRY\MACHINE\SOFTWARE\Classes\NRGSiteDB\
\REGISTRY\MACHINE\SOFTWARE\Classes\NRGSiteDB\DefaultIcon\
\REGISTRY\MACHINE\SOFTWARE\Classes\NRGSiteDB\shell\open\command\
\REGISTRY\MACHINE\SOFTWARE\Classes\NRGPatchFile\
\REGISTRY\MACHINE\SOFTWARE\Classes\NRGPatchFile\DefaultIcon\
\REGISTRY\MACHINE\SOFTWARE\Classes\NRGPatchFile\shell\open\command\
\REGISTRY\MACHINE\SOFTWARE\Classes\NRGReportWMF\
Behavior description: Delete registry value
details: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6319EEA0-531B-11CF-91F6-C2863C385E30}\InprocServer32\ThreadingModel
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{275DBBA0-805A-11CF-91F7-C2863C385E30}\InprocServer32\ThreadingModel
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A2B370C-BA0A-11D1-B137-0000F8753F5D}\InprocServer32\ThreadingModel
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AC5D0DDE-BD4C-11D1-B137-0000F8753F5D}\InprocServer32\ThreadingModel
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AC5D0DE3-BD4C-11D1-B137-0000F8753F5D}\InprocServer32\ThreadingModel
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AC5D0DE4-BD4C-11D1-B137-0000F8753F5D}\InprocServer32\ThreadingModel
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AC5D0DDF-BD4C-11D1-B137-0000F8753F5D}\InprocServer32\ThreadingModel
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AC5D0DE0-BD4C-11D1-B137-0000F8753F5D}\InprocServer32\ThreadingModel
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AC5D0DE1-BD4C-11D1-B137-0000F8753F5D}\InprocServer32\ThreadingModel
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AC5D0DE2-BD4C-11D1-B137-0000F8753F5D}\InprocServer32\ThreadingModel
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AC5D0DE5-BD4C-11D1-B137-0000F8753F5D}\InprocServer32\ThreadingModel
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C27CCE32-8596-11D1-B16A-00C0F0283628}\InprocServer32\ThreadingModel
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C27CCE33-8596-11D1-B16A-00C0F0283628}\InprocServer32\ThreadingModel
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C27CCE34-8596-11D1-B16A-00C0F0283628}\InprocServer32\ThreadingModel
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C27CCE37-8596-11D1-B16A-00C0F0283628}\InprocServer32\ThreadingModel
Behavior description: Delete registry key
details: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6262D3A0-531B-11CF-91F6-C2863C385E30}\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6319EEA0-531B-11CF-91F6-C2863C385E30}\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{275DBBA0-805A-11CF-91F7-C2863C385E30}\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A2B370C-BA0A-11D1-B137-0000F8753F5D}\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AC5D0DDE-BD4C-11D1-B137-0000F8753F5D}\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AC5D0DE3-BD4C-11D1-B137-0000F8753F5D}\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AC5D0DE4-BD4C-11D1-B137-0000F8753F5D}\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AC5D0DDF-BD4C-11D1-B137-0000F8753F5D}\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AC5D0DE0-BD4C-11D1-B137-0000F8753F5D}\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AC5D0DE1-BD4C-11D1-B137-0000F8753F5D}\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AC5D0DE2-BD4C-11D1-B137-0000F8753F5D}\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AC5D0DE5-BD4C-11D1-B137-0000F8753F5D}\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\
Other behavior
Behavior description: Create mutex
details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.IJF
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Behavior description: Create event object
details: EventName = MSCTF.SendReceive.Event.IJF.IC
EventName = MSCTF.SendReceiveConection.Event.IJF.IC
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [ThunderRT6FormDC,SDR Silent Batch]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Open event
details: HookSwitchHookEnabledEvent
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000052
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000052
MSCTF.SendReceiveConection.Event.ELH.IC
MSCTF.SendReceive.Event.ELH.IC
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
_fCanRegisterWithShellService
Behavior description: Adjust process token privileges
details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Window information
details: Pid = 2004, Hwnd=0x60380, Text = I Agree, ClassName = Button.
Pid = 2004, Hwnd=0x140306, Text = Cancel, ClassName = Button.
Pid = 2004, Hwnd=0x2102bc, Text = < Back, ClassName = Button.
Pid = 2004, Hwnd=0x16032e, Text = Nullsoft Install System v1.98, ClassName = Static.
Pid = 2004, Hwnd=0x15030c, Text = NRG Systems License Agreement and Limited Warranty, ClassName = Static.
Pid = 2004, Hwnd=0x403ca, Text = 1. SOFTWARE LICENSE GRANT. NRG Systems, Inc. ("NRG"), grants to you (the person or entity who acquired this license) a non-exclus, ClassName = Edit.
Pid = 2004, Hwnd=0x1b0324, Text = Symphonie Data Retriever Setup: License Agreement, ClassName = #32770.
Pid = 2004, Hwnd=0x60380, Text = Next >, ClassName = Button.
Pid = 2004, Hwnd=0x6037e, Text = Select components to install:, ClassName = Static.
Pid = 2004, Hwnd=0xb03ba, Text = Space required: 13.3MB, ClassName = Static.
Pid = 2004, Hwnd=0x40382, Text = This will install Symphonie Data Retriever on your computer., ClassName = Static.
Pid = 2004, Hwnd=0x1b0324, Text = Symphonie Data Retriever Setup: Installation Options, ClassName = #32770.
Pid = 2004, Hwnd=0x60380, Text = Install, ClassName = Button.
Pid = 2004, Hwnd=0x50382, Text = C:\NRG\SymDR, ClassName = Edit.
Pid = 2004, Hwnd=0xc03ba, Text = Browse..., ClassName = Button.
Behavior description: Executable file signature information
details: C:\NRG\SymDR\SDR.exe (signature verification: failed)
C:\NRG\SymDR\English.lng (signature verification: failed)
C:\NRG\SymDR\OutAuto.exe (signature verification: failed)
C:\NRG\SymDR\POPAuto.exe (signature verification: failed)
C:\NRG\SymDR\ViewWMF.exe (signature verification: failed)
C:\NRG\SymDR\RegKey.dll (signature verification: failed)
C:\WINDOWS\system32\msflxgrd.ocx (signature verification: passed)
C:\WINDOWS\system32\mschrt20.ocx (signature verification: passed)
C:\WINDOWS\system32\mscomct2.ocx (signature verification: passed)
Behavior description: Call Sleep function
details: [1]: MilliSeconds = 250.
[2]: MilliSeconds = 250.
[3]: MilliSeconds = 250.
[4]: MilliSeconds = 250.
[5]: MilliSeconds = 250.
[6]: MilliSeconds = 250.
[7]: MilliSeconds = 250.
[8]: MilliSeconds = 250.
[9]: MilliSeconds = 250.
[10]: MilliSeconds = 250.
Behavior description: Hide specified window
details: [Window,Class] = [< Back,Button]
[Window,Class] = [,ComboLBox]
[Window,Class] = [,ComboBox]
[Window,Class] = [Show details,Button]
Behavior description: Executable file MD5
details: C:\NRG\SymDR\SDR.exe ---> 2bf7d57a9eeca4e75f13b14d42c0751c
C:\NRG\SymDR\English.lng ---> 92fe73860d28d2145939c27f35c16984
C:\NRG\SymDR\OutAuto.exe ---> 515cb11d342c6a6132df42c1474fc04e
C:\NRG\SymDR\POPAuto.exe ---> 6723403c3824b4072111bd103c43f899
C:\NRG\SymDR\ViewWMF.exe ---> 40fc6a1a672ca6446529001d00e1620d
C:\NRG\SymDR\RegKey.dll ---> 643c52acbccff8c2636c3b1dbf6c8c48
C:\WINDOWS\system32\msflxgrd.ocx ---> 06ee7bb3c681b9fa8af4280a154ee133
C:\WINDOWS\system32\mschrt20.ocx ---> c80389e4872a0885cbb14fd3641166ab
C:\WINDOWS\system32\mscomct2.ocx ---> c1b4af41a0370e4081d59ac99bcc929d
Behavior description: Open mutex
details: ShimCacheMutex
Local\!IETld!Mutex
Behavior description: Load newly dropped file
details: Image: C:\NRG\SymDR\RegKey.dll.
Image: C:\WINDOWS\system32\msflxgrd.ocx.
Image: C:\WINDOWS\system32\mschrt20.ocx.
Image: C:\WINDOWS\system32\mscomct2.ocx.