VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives whose password is 'infected' or 'virus'.
4. If your browser cannot upload files, download the VirSCAN uploader and use it to upload.


File information

Virscan.org multi-engine scan report
Behavior analysis report: Habo file analysis

Basic Information

MD5: 5b30178d8bee76973b63f14fe04f2d21
File size: 5.58 MB
Upload time: 2014-09-22 10:36:30 (CST)
Package names:
Minimum operating environment:
Copyright:

Key behavior

Behavior description: Modify registry (the MUICache key stores display names of programs the shell has run, so this entry records that the dropped irsetup.exe was executed)
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.exe

Process behavior

Behavior description: Create process (a batch file dropped to %TEMP% probes drive letters c: through i: with `vol X: 2>nul|find "驱动器"`; "驱动器" is the word "drive" in the Chinese-locale output of `vol`, so a hit means the drive letter exists)
details: ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dh_pf_ud.bat
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c vol c: 2>nul|find "驱动器"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /S /D /c" vol c: 2>nul"
ImagePath = C:\WINDOWS\system32\find.exe, CmdLine = find "驱动器"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c vol d: 2>nul|find "驱动器"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /S /D /c" vol d: 2>nul"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c vol e: 2>nul|find "驱动器"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /S /D /c" vol e: 2>nul"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c vol f: 2>nul|find "驱动器"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /S /D /c" vol f: 2>nul"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c vol g: 2>nul|find "驱动器"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /S /D /c" vol g: 2>nul"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c vol h: 2>nul|find "驱动器"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /S /D /c" vol h: 2>nul"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c vol i: 2>nul|find "驱动器"
Behavior description: Create process from newly created file
details: ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1738090 "__IRAFN:C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1455721842.808809.exe_7zdump\一键GHOST优盘版\3_安装
Behavior description: Process exit
details: N/A
Behavior description: Enumerate processes
details: N/A
Behavior description: Create local thread
details: N/A
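The drive-probing loop in the process list above (cmd.exe spawning `vol c:` through `vol i:` and piping each into `find` on a localized string) is the kind of pattern a triage script should pull out of a sandbox process list automatically rather than by eye. The following Python is an added example and is not part of the VirSCAN/Habo report or of the scanned installer: it parses the report's own `ImagePath = ..., CmdLine = ...` lines (the sample is a constructed copy of the block above), counts the distinct drive letters probed, flags the run as drive enumeration once `min_drives` letters have been seen, records which `.bat` files were launched from `\Temp\`, and notes that the `find` string is non-ASCII, meaning the batch logic only works on a Windows whose `vol` output is localized that way. The `min_drives` threshold and the result field names are this example's choices, not the sandbox's.

```python
import re
from typing import Dict, List

# Constructed sample: the process-creation lines from this report's "Create process"
# block, in the sandbox's own "ImagePath = ..., CmdLine = ..." line format.
SAMPLE_LINES = r"""
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dh_pf_ud.bat
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c vol c: 2>nul|find "驱动器"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /S /D /c" vol c: 2>nul"
ImagePath = C:\WINDOWS\system32\find.exe, CmdLine = find "驱动器"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c vol d: 2>nul|find "驱动器"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /S /D /c" vol d: 2>nul"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c vol e: 2>nul|find "驱动器"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /S /D /c" vol e: 2>nul"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c vol f: 2>nul|find "驱动器"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /S /D /c" vol f: 2>nul"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c vol g: 2>nul|find "驱动器"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /S /D /c" vol g: 2>nul"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c vol h: 2>nul|find "驱动器"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /S /D /c" vol h: 2>nul"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c vol i: 2>nul|find "驱动器"
"""

LINE_RE = re.compile(r"^ImagePath = (?P<image>[^,]+), CmdLine = (?P<cmd>.*)$")
VOL_RE = re.compile(r"\bvol\s+([a-z]):", re.IGNORECASE)
FIND_RE = re.compile(r'\bfind\s+"([^"]+)"', re.IGNORECASE)
TEMP_BAT_RE = re.compile(r"\\Temp\\[^\s\"]+\.bat", re.IGNORECASE)


def parse(text: str) -> List[Dict[str, str]]:
    """Parse Habo 'Create process' detail lines into {image, cmd} records."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    return events


def analyze(text: str, min_drives: int = 3) -> Dict[str, object]:
    """Summarise drive probing, temp batch launches and locale-bound string matches."""
    events = parse(text)
    probed: Dict[str, None] = {}  # insertion-ordered set of drive letters
    find_strings = set()
    temp_batches = set()
    for ev in events:
        cmd = ev["cmd"]
        # Each probe appears twice (the `vol X:|find` pipeline and cmd's inner
        # /S /D re-spawn of `vol X:`); the dict dedupes so each letter counts once.
        for m in VOL_RE.finditer(cmd):
            probed.setdefault(m.group(1).lower(), None)
        find_strings.update(FIND_RE.findall(cmd))
        temp_batches.update(TEMP_BAT_RE.findall(cmd))
    drives = list(probed)
    return {
        "process_count": len(events),
        "drives_probed": drives,
        "drive_enumeration": len(drives) >= min_drives,
        "find_strings": sorted(find_strings),
        # A non-ASCII match string means the batch only works where `vol` prints
        # that localized text (驱动器 = "drive" on Chinese-locale Windows).
        "locale_dependent_find": any(not s.isascii() for s in find_strings),
        "temp_batches": sorted(temp_batches),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Two practitioner notes. First, on an English-locale Windows `vol` prints "Volume in drive C", so `find "驱动器"` never matches and the installer's drive detection silently fails; the same locale dependence is a useful fingerprint when the batch turns up elsewhere. Second, sequential `vol X:` probing is common in USB-writer installers like this one but is also how removable-media worms locate targets, so treat the flag as a hunting lead to be read with the rest of the report, not as a verdict.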

File behavior

Behavior description: Create file
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\lua5.1.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.dat
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\IRIMG1.BMP
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\IRIMG1.JPG
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\menu.lst
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\ghost.img
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\BOOTICE.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\HELP.CHM
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\袖珍龙汉字系统补丁.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\dh_pf_ud.bat
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\dh_pf_ue.bat
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\filedown_368241.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dh_pf_ud.bat
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dh_pf_ue.bat
Behavior description: Create executable file
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\lua5.1.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\BOOTICE.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\袖珍龙汉字系统补丁.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\filedown_368241.exe
Behavior description: Find file
details: FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\My Documents
FileName = C:\Documents and Settings\All Users
FileName = C:\Documents and Settings\All Users\Documents
FileName = C:\Documents and Settings\Administrator\桌面
FileName = C:\Documents and Settings\All Users\桌面
FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.exe
FileName = C:\Documents and Settings\Administrator\Application Data
FileName = C:\Documents and Settings\All Users\Application Data
FileName = C:\WINDOWS
Behavior description: Delete file
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.dat
Behavior description: Modify BAT script file
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\dh_pf_ud.bat
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\dh_pf_ue.bat
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dh_pf_ud.bat
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dh_pf_ue.bat
Behavior description: Modify file contents
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.dat---> Offset = 131072
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\IRIMG1.BMP---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\IRIMG1.JPG---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\menu.lst---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\ghost.img---> Offset = 126322
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\HELP.CHM---> Offset = 72153

Registry behavior

Behavior description: Modify registry
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.exe

Other behavior

Behavior description: Create mutex (all of the names below are standard mutexes created by Windows system DLLs such as msctf.dll, urlmon.dll, oleacc.dll and the app-compat shim engine; none is specific to this sample)
details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
oleacc-msaa-loaded
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.MFI
SHIMLIB_LOG_MUTEX
Behavior description: Create event object
details: EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceive.Event.MFI.IC
EventName = MSCTF.SendReceiveConection.Event.MFI.IC
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Acquire system privilege
details: SE_LOAD_DRIVER_PRIVILEGE (the privilege required to load a kernel-mode driver)
Behavior description: Window information
details: Pid = 2136, Hwnd=0x302b4, Text = Help(&H), ClassName = Button.
Pid = 2136, Hwnd=0x302bc, Text = Next(&N) >, ClassName = Button.
Pid = 2136, Hwnd=0x202d4, Text = Cancel(&C), ClassName = Button.
Pid = 2136, Hwnd=0x302cc, Text = 一键GHOST (OneKey GHOST) USB edition installer, ClassName = Afx:00400000:3:00010011:01900015:000102F9.
Pid = 2136, Hwnd=0x302d4, Text = Next(&N) >, ClassName = Button.
Pid = 2136, Hwnd=0x402bc, Text = Cancel(&C), ClassName = Button.
Pid = 2136, Hwnd=0x402ba, Text = License agreement: * This software uses ghost.exe, whose copyright belongs to Symantec Corporation. * This software is free software; commercial use without permission is prohibited. * This software carries, ClassName = Edit.
Pid = 2136, Hwnd=0x402b4, Text = I agree to the terms of the license agreement, ClassName = Button.
Pid = 2136, Hwnd=0x302dc, Text = I do not agree to the terms of the license agreement, ClassName = Button.
Pid = 2136, Hwnd=0x202d6, Text = Help(&H), ClassName = Button.
Pid = 2136, Hwnd=0x202d8, Text = < Back(&B), ClassName = Button.
Pid = 3980, Hwnd=0x402dc, Text = C:\WINDOWS\system32\cmd.exe, ClassName = ConsoleWindowClass.
Behavior description: Executable signature information
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.exe (signature verification: not passed)
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\lua5.1.dll (signature verification: passed)
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\BOOTICE.EXE (signature verification: not passed)
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\袖珍龙汉字系统补丁.exe (signature verification: not passed)
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\filedown_368241.exe (signature verification: passed)
Behavior description: Hide specified window
details: [Window,Class] = [Initializing...,#32770]
[Window,Class] = [Debug,#32770]
[Window,Class] = [Help(&H),Button]
[Window,Class] = [,Button]
[Window,Class] = [Next(&N) >,Button]
[Window,Class] = [Cancel(&C),Button]
[Window,Class] = [License agreement: * This software uses ghost.exe, whose copyright belongs to Symantec Corporation. * This software is free software; commercial use without permission is prohibited. * This software carries some risk; beginners should use it with caution. * The USB edition of this software supports WINX
[Window,Class] = [I agree to the terms of the license agreement,Button]
[Window,Class] = [I do not agree to the terms of the license agreement,Button]
[Window,Class] = [< Back(&B),Button]
[Window,Class] = [,msctls_progress32]
Behavior description: Executable MD5
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.exe ---> 3a4c547012fba01e353e14eb9b8bf156
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\lua5.1.dll ---> 57ff4c85c5855ba67aacb0a3ea4108e3
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\BOOTICE.EXE ---> 0e72509b2d5c55093e2c9ad141067644
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\袖珍龙汉字系统补丁.exe ---> 82656b32b5c6eaad305a05446267d56c
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\filedown_368241.exe ---> 7e879fe004345ebb50f948399c915b4c
Behavior description: Load newly dropped file
details: Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\lua5.1.dll.
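The dropped-executable list in "File behavior", the signature verdicts, the MD5 list and the "Load newly dropped file" entry above are four views of the same five files, and a practitioner wants them joined into one inventory with a risk rank per file. The following Python is an added example, not code from VirSCAN, Habo, or the scanned installer: it parses those blocks in the sandbox's own line formats (the samples are constructed copies of the report's lines; the original Chinese status markers 通过/未通过 are accepted alongside the English rendering), marks irsetup.exe as executed from the "Create process from newly created file" entry, and ranks each file: unsigned and already executed or loaded is high, unsigned is medium, signature verified is low. The `Dropped` record, the severity scale and the function names are this example's choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines copied from this report's "Create executable file",
# "Executable signature information", "Executable MD5" and "Load newly dropped
# file" blocks, in Habo's own line formats.
CREATED = r"""
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\lua5.1.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\BOOTICE.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\袖珍龙汉字系统补丁.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\filedown_368241.exe
"""
SIGNATURES = r"""
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.exe(签名验证: 未通过)
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\lua5.1.dll(签名验证: 通过)
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\BOOTICE.EXE(签名验证: 未通过)
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\袖珍龙汉字系统补丁.exe(签名验证: 未通过)
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\filedown_368241.exe(签名验证: 通过)
"""
HASHES = r"""
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.exe ---> 3a4c547012fba01e353e14eb9b8bf156
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\lua5.1.dll ---> 57ff4c85c5855ba67aacb0a3ea4108e3
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\BOOTICE.EXE ---> 0e72509b2d5c55093e2c9ad141067644
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\袖珍龙汉字系统补丁.exe ---> 82656b32b5c6eaad305a05446267d56c
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\filedown_368241.exe ---> 7e879fe004345ebb50f948399c915b4c
"""
LOADED = r"""
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\lua5.1.dll.
"""
# Taken from the "Create process from newly created file" entry.
EXECUTED = [r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.exe"]

SIG_RE = re.compile(r"^(?P<path>.+?)\s*\((?:签名验证|signature verification): (?P<status>[^)]+)\)$")
HASH_RE = re.compile(r"^(?P<path>.+?) ---> (?P<md5>[0-9a-fA-F]{32})$")
SIGNED = {"通过": True, "passed": True, "未通过": False, "not passed": False, "failed": False}
RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Dropped:
    path: str
    md5: str = ""
    signed: Optional[bool] = None  # None = the sandbox gave no verdict
    loaded: bool = False
    executed: bool = False


def _lines(text: str) -> List[str]:
    return [line.strip() for line in text.splitlines() if line.strip()]


def build_inventory(created, signatures, hashes, loaded, executed) -> Dict[str, Dropped]:
    """Join the four report blocks into one record per dropped file, keyed by lower-cased path."""
    inv = {p.lower(): Dropped(path=p) for p in _lines(created)}
    for line in _lines(signatures):
        m = SIG_RE.match(line)
        if m and m.group("path").lower() in inv:
            inv[m.group("path").lower()].signed = SIGNED.get(m.group("status").strip())
    for line in _lines(hashes):
        m = HASH_RE.match(line)
        if m and m.group("path").lower() in inv:
            inv[m.group("path").lower()].md5 = m.group("md5").lower()
    for line in _lines(loaded):
        if line.startswith("Image:"):
            p = line[len("Image:"):].strip().rstrip(".").lower()  # Habo ends the line with "."
            if p in inv:
                inv[p].loaded = True
    for p in executed:
        if p.lower() in inv:
            inv[p.lower()].executed = True
    return inv


def triage(inv: Dict[str, Dropped]) -> List[dict]:
    """Rank each dropped file; 'used' means the sandbox saw it executed or loaded."""
    findings = []
    for rec in inv.values():
        used = rec.loaded or rec.executed
        if rec.signed is False and used:
            sev, why = "high", "unsigned and already executed/loaded in the sandbox"
        elif rec.signed is False:
            sev, why = "medium", "unsigned executable dropped by the installer"
        elif rec.signed is None:
            sev, why = "medium", "no signature verdict from the sandbox"
        else:
            sev, why = "low", "signature verified" + (", and used" if used else "")
        findings.append({"path": rec.path, "md5": rec.md5, "severity": sev, "reason": why})
    return sorted(findings, key=lambda f: (RANK[f["severity"]], f["path"].lower()))


if __name__ == "__main__":
    for f in triage(build_inventory(CREATED, SIGNATURES, HASHES, LOADED, EXECUTED)):
        print(f"{f['severity']:6} {f['md5']}  {f['path']}  ({f['reason']})")
```

Two caveats on reading the ranks. A "passed" verdict only says the Authenticode chain validated inside that sandbox VM on that date, so filedown_368241.exe being signed does not make it benign; and "not passed" on irsetup.exe is what you would expect from an installer runtime (the `_ir_sf_temp_` directory with irsetup.exe and lua5.1.dll is consistent with the Indigo Rose Setup Factory runtime), so unsigned alone is a prompt to look, not a conviction. Before acting on any of the MD5s, hash the file you actually hold and compare it with the report's value.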