VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.
4, If your browser cannot upload files, please download VirSCAN uploader to upload.


File information

Virscan.org multi-engine scan report
Behavior analysis report: Habo file analysis

Basic Information

MD5:4016e08f71db4cdc67c9ea6374265346
File size: 5.58MB
Upload time: 2014-09-22 10:36:30 (CST)
Package names:
Minimum operating environment:
copyright:

Key behavior

Behavior description: Hide specified window
details: [Window,Class] = [,Button]
[Window,Class] = [顶尖数据恢复,Static]
[Window,Class] = [顶尖数据恢复 ,Static]
[Window,Class] = [,Static]
[Window,Class] = [,Auto-Suggest Dropdown]
[Window,Class] = [显示细节(&D),Button]
[Window,Class] = [安装完成,Static]
[Window,Class] = [安装已成功完成。,Static]
Behavior description: Detect whether Virtual PC is present
details: N/A
Behavior description: Create shortcut on the desktop
details: C:\Documents and Settings\All Users\桌面\顶尖数据恢复.lnk
Behavior description: Create file mapping with write access
details: CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
MSCTF.MarshalInterface.FileMap.EHM..LJBIF
MSCTF.MarshalInterface.FileMap.EHM.B.LJBIF
MSCTF.MarshalInterface.FileMap.EHM.C.LJBIF
MSCTF.MarshalInterface.FileMap.EHM.D.LJBIF
MSCTF.MarshalInterface.FileMap.EHM.E.LJBIF
MSCTF.MarshalInterface.FileMap.EHM.F.LJBIF
MSCTF.MarshalInterface.FileMap.EHM.G.LJBIF
MSCTF.Shared.SFM.EHM
MSCTF.MarshalInterface.FileMap.MOH..CCHLF
MSCTF.MarshalInterface.FileMap.MOH.B.CCHLF
MSCTF.MarshalInterface.FileMap.MOH.C.CCHLF
MSCTF.MarshalInterface.FileMap.MOH.D.CCHLF
MSCTF.MarshalInterface.FileMap.MOH.E.CDHLF
MSCTF.MarshalInterface.FileMap.MOH.F.CDHLF
Behavior description: Search for specified kernel module
details: lstrcmpiA: ntice.sys <------> ntkrnlpa.exe (ntice.sys)
lstrcmpiA: ntice.sys <------> hal.dll (ntice.sys)
lstrcmpiA: ntice.sys <------> KDCOM.DLL (ntice.sys)
lstrcmpiA: ntice.sys <------> BOOTVID.dll (ntice.sys)
lstrcmpiA: ntice.sys <------> ACPI.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> WMILIB.SYS (ntice.sys)
lstrcmpiA: ntice.sys <------> pci.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> isapnp.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> compbatt.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> BATTC.SYS (ntice.sys)
lstrcmpiA: ntice.sys <------> intelide.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> PCIIDEX.SYS (ntice.sys)
lstrcmpiA: ntice.sys <------> MountMgr.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> ftdisk.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> dmload.sys (ntice.sys)
Behavior description: Search for windows of common anti-virus and analysis tools
details: NtUserFindWindowEx: [Class,Window] = [OLLYDBG,]
NtUserFindWindowEx: [Class,Window] = [GBDYLLO,]
NtUserFindWindowEx: [Class,Window] = [pediy06,]
NtUserFindWindowEx: [Class,Window] = [FilemonClass,]
NtUserFindWindowEx: [Class,Window] = [,File Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]
NtUserFindWindowEx: [Class,Window] = [,Process Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [RegmonClass,]
NtUserFindWindowEx: [Class,Window] = [,Registry Monitor - Sysinternals: www.sysinternals.com]

Process behavior

Behavior description: Create process from newly written file
details: ImagePath = C:\Program Files\OkDataRecovery\OkDataRecovery.exe, CmdLine = "C:\Program Files\OkDataRecovery\OkDataRecovery.exe"
Behavior description: Enumerate processes
details: N/A

File behavior

Behavior description: Create file mapping with write access
details: CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
MSCTF.MarshalInterface.FileMap.EHM..LJBIF
MSCTF.MarshalInterface.FileMap.EHM.B.LJBIF
MSCTF.MarshalInterface.FileMap.EHM.C.LJBIF
MSCTF.MarshalInterface.FileMap.EHM.D.LJBIF
MSCTF.MarshalInterface.FileMap.EHM.E.LJBIF
MSCTF.MarshalInterface.FileMap.EHM.F.LJBIF
MSCTF.MarshalInterface.FileMap.EHM.G.LJBIF
MSCTF.Shared.SFM.EHM
MSCTF.MarshalInterface.FileMap.MOH..CCHLF
MSCTF.MarshalInterface.FileMap.MOH.B.CCHLF
MSCTF.MarshalInterface.FileMap.MOH.C.CCHLF
MSCTF.MarshalInterface.FileMap.MOH.D.CCHLF
MSCTF.MarshalInterface.FileMap.MOH.E.CDHLF
MSCTF.MarshalInterface.FileMap.MOH.F.CDHLF
Behavior description: Drop links or shortcuts in sensitive system locations (such as the Start menu)
details: C:\Documents and Settings\All Users\「开始」菜单\程序\顶尖数据恢复\顶尖数据恢复.lnk
C:\Documents and Settings\All Users\「开始」菜单\程序\顶尖数据恢复\卸载顶尖数据恢复.lnk
Behavior description: Create shortcut on the desktop
details: C:\Documents and Settings\All Users\桌面\顶尖数据恢复.lnk
Behavior description: Create executable file
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp5.tmp\System.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp5.tmp\InstallOptions.dll
C:\Program Files\OkDataRecovery\Activate.exe
C:\Program Files\OkDataRecovery\DRCom.dll
C:\Program Files\OkDataRecovery\OkDataRecovery.exe
C:\Program Files\OkDataRecovery\preview.dll
C:\Program Files\OkDataRecovery\rescfg.dat
C:\Program Files\OkDataRecovery\uninst.exe
Behavior description: Modify file contents
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp5.tmp\ioSpecial.ini---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp5.tmp\ioSpecial.ini---> Offset = 36
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp5.tmp\modern-wizard.bmp---> Offset = 32768
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp5.tmp\ioSpecial.ini---> Offset = 124
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp5.tmp\ioSpecial.ini---> Offset = 33
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp5.tmp\ioSpecial.ini---> Offset = 43
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp5.tmp\ioSpecial.ini---> Offset = 60
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp5.tmp\ioSpecial.ini---> Offset = 277
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp5.tmp\ioSpecial.ini---> Offset = 316
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp5.tmp\ioSpecial.ini---> Offset = 371
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp5.tmp\ioSpecial.ini---> Offset = 379
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp5.tmp\ioSpecial.ini---> Offset = 391
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp5.tmp\ioSpecial.ini---> Offset = 225
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp5.tmp\ioSpecial.ini---> Offset = 339
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp5.tmp\ioSpecial.ini---> Offset = 621

Registry behavior

Behavior description: Modify registry
details: \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\OkDataRecovery\path
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\顶尖数据恢复\DisplayName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\顶尖数据恢复\UninstallString
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\顶尖数据恢复\DisplayIcon
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Session Manager\PendingFileRenameOperations

Other behavior

Behavior description: Create mutex
details: CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1645522239-1417001333-500MUTEX.DefaultS-1-5-21-1482476501-1645522239-1417001333-500
------------kavdr single version setup------------
E911010A-2011-4d3c-BB58-6D609AB66880
MSCTF.Shared.MUTEX.AEH
MSCTF.Shared.MUTEX.EHM
B1735F35-9970-4458-9F0E-9C6546D63B68
Behavior description: Hide specified window
details: [Window,Class] = [,Button]
[Window,Class] = [顶尖数据恢复,Static]
[Window,Class] = [顶尖数据恢复 ,Static]
[Window,Class] = [,Static]
[Window,Class] = [,Auto-Suggest Dropdown]
[Window,Class] = [显示细节(&D),Button]
[Window,Class] = [安装完成,Static]
[Window,Class] = [安装已成功完成。,Static]
Behavior description: Search for specified window
details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [OleMainThreadWndClass,]
NtUserFindWindowEx: [Class,Window] = [18467-41,]
Behavior description: Detect whether Virtual PC is present
details: N/A
Behavior description: Attempt to open driver device objects belonging to debuggers or monitoring software
details: \??\SICE
\??\SIWVID
\??\NTICE
Behavior description: Acquire system privilege
details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Search for specified kernel module
details: lstrcmpiA: ntice.sys <------> ntkrnlpa.exe (ntice.sys)
lstrcmpiA: ntice.sys <------> hal.dll (ntice.sys)
lstrcmpiA: ntice.sys <------> KDCOM.DLL (ntice.sys)
lstrcmpiA: ntice.sys <------> BOOTVID.dll (ntice.sys)
lstrcmpiA: ntice.sys <------> ACPI.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> WMILIB.SYS (ntice.sys)
lstrcmpiA: ntice.sys <------> pci.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> isapnp.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> compbatt.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> BATTC.SYS (ntice.sys)
lstrcmpiA: ntice.sys <------> intelide.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> PCIIDEX.SYS (ntice.sys)
lstrcmpiA: ntice.sys <------> MountMgr.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> ftdisk.sys (ntice.sys)
lstrcmpiA: ntice.sys <------> dmload.sys (ntice.sys)
Behavior description: Window information
details: Pid = 3184, Hwnd=0x10354, Text = 下一步(&N) >, ClassName = Button.
Pid = 3184, Hwnd=0x10356, Text = 取消(&C), ClassName = Button.
Pid = 3184, Hwnd=0x10362, Text = 顶尖数据恢复 , ClassName = Static.
Pid = 3184, Hwnd=0x10364, Text = 顶尖数据恢复, ClassName = Static.
Pid = 3184, Hwnd=0x10374, Text = 欢迎使用“顶尖数据恢复”安装向导, ClassName = Static.
Pid = 3184, Hwnd=0x10376, Text = 这个向导将指引你完成“顶尖数据恢复”的安装进程。 在开始安装之前,建议先关闭其他所有应用程序。这将允许“安装程序”更新指定的系统, ClassName = Static.
Pid = 3184, Hwnd=0x1034e, Text = 顶尖数据恢复 安装, ClassName = #32770.
Pid = 3184, Hwnd=0x10352, Text = < 上一步(&P), ClassName = Button.
Pid = 3184, Hwnd=0x10354, Text = 安装(&I), ClassName = Button.
Pid = 3184, Hwnd=0x10368, Text = 选择安装位置, ClassName = Static.
Pid = 3184, Hwnd=0x1036a, Text = 选择“顶尖数据恢复”的安装文件夹。, ClassName = Static.
Pid = 3184, Hwnd=0x20376, Text = C:\Program Files\OkDataRecovery, ClassName = Edit.
Pid = 3184, Hwnd=0x20374, Text = 浏览(&B)..., ClassName = Button.
Pid = 3184, Hwnd=0x20372, Text = 可用空间: 5.8GB, ClassName = Static.
Pid = 3184, Hwnd=0x1037c, Text = 所需空间: 6.4MB, ClassName = Static.
Behavior description: Inline hook
details: C:\WINDOWS\system32\ntdll.dll--->DbgBreakPoint Offset = 0x0
Behavior description: Search for kernel32.dll base address
details: Instruction Address = 0x008bea4d
Behavior description: Open image file
details: \DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp5.tmp\modern-wizard.bmp
Behavior description: Search for windows of common anti-virus and analysis tools
details: NtUserFindWindowEx: [Class,Window] = [OLLYDBG,]
NtUserFindWindowEx: [Class,Window] = [GBDYLLO,]
NtUserFindWindowEx: [Class,Window] = [pediy06,]
NtUserFindWindowEx: [Class,Window] = [FilemonClass,]
NtUserFindWindowEx: [Class,Window] = [,File Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]
NtUserFindWindowEx: [Class,Window] = [,Process Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [RegmonClass,]
NtUserFindWindowEx: [Class,Window] = [,Registry Monitor - Sysinternals: www.sysinternals.com]
