VirSCAN

1. You can upload any file, but there is a 20Mb limit per file.
2. VirSCAN supports Rar/Zip decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected compressed files if the password is 'infected' or 'virus'.

File information
Safety rating: 75
Behavior list
Basic Information
MD5: 71080b0b989f817d36608cec11562608
File type: MSI file
Production company:
Version:
Shell or compiler information:
Subfile information: _60339F6C105379F270DF8EC441C02665 / 9796ed5e78b98e46c2de05c1a800c6ff / Cab
Key behavior
Behavior description: Directly calls a critical system API
Details: Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x010046E5
Process behavior
Behavior description: Creates a local thread
Details: TargetProcess: msiexec.exe, InheritedFromPID = 2000, ProcessID = 2640, ThreadID = 2652, StartAddress = 7CAA2A19, Parameter = 0007D7F0
TargetProcess: msiexec.exe, InheritedFromPID = 2000, ProcessID = 2640, ThreadID = 2656, StartAddress = 765E964D, Parameter = 000F89A0
TargetProcess: msiexec.exe, InheritedFromPID = 2000, ProcessID = 2640, ThreadID = 2660, StartAddress = 7C949B6F, Parameter = 00000000
TargetProcess: msiexec.exe, InheritedFromPID = 2000, ProcessID = 2640, ThreadID = 2688, StartAddress = 759D8761, Parameter = 00000000
TargetProcess: msiexec.exe, InheritedFromPID = 2000, ProcessID = 2640, ThreadID = 2720, StartAddress = 757D4D37, Parameter = 00141EB8
TargetProcess: msiexec.exe, InheritedFromPID = 2000, ProcessID = 2640, ThreadID = 2764, StartAddress = 77E56C7D, Parameter = 000F8B90
TargetProcess: msiexec.exe, InheritedFromPID = 2000, ProcessID = 2640, ThreadID = 2768, StartAddress = 769AE43B, Parameter = 0014DBA0
TargetProcess: msiexec.exe, InheritedFromPID = 652, ProcessID = 2776, ThreadID = 2792, StartAddress = 77DC3519, Parameter = 000E8B38
TargetProcess: msiexec.exe, InheritedFromPID = 652, ProcessID = 2776, ThreadID = 2796, StartAddress = 0100AC3F, Parameter = 00000000
TargetProcess: msiexec.exe, InheritedFromPID = 652, ProcessID = 2776, ThreadID = 2800, StartAddress = 77E56C7D, Parameter = 000F8918
TargetProcess: msiexec.exe, InheritedFromPID = 652, ProcessID = 2776, ThreadID = 2804, StartAddress = 769AE43B, Parameter = 000FB330
TargetProcess: msiexec.exe, InheritedFromPID = 652, ProcessID = 2776, ThreadID = 2808, StartAddress = 77E56C7D, Parameter = 000FCBF0
TargetProcess: msiexec.exe, InheritedFromPID = 2000, ProcessID = 2640, ThreadID = 2812, StartAddress = 77E56C7D, Parameter = 0012F398
File behavior
Behavior description: Creates a file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\351f9.msi
Behavior description: Overwrites an existing file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\351f9.msi
Behavior description: Modifies file content
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\351f9.msi ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\351f9.msi ---> Offset = 28096
C:\Documents and Settings\Administrator\Local Settings\Temp\351f9.msi ---> Offset = 56192
C:\Documents and Settings\Administrator\Local Settings\Temp\351f9.msi ---> Offset = 84288
C:\Documents and Settings\Administrator\Local Settings\Temp\351f9.msi ---> Offset = 112384
Behavior description: Searches for files
Details: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\996E.msi
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates\*
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs\*
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs\*
FileName = C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
FileName = C:\WINDOWS\Microsoft.NET\Framework\\*
FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序\Microsoft Калькулятор Плюс\
Network behavior
Behavior description: Connects to a specified site
Details: WinHttpConnect: ServerName = cr****om, PORT = 80, UserName = , Password = , hSession = 0x01ab2000, hConnect = 0x01ab2100, Flags = 0x00000000
Behavior description: Opens an HTTP connection
Details: WinHttpOpen: UserAgent: Microsoft-CryptoAPI/5.131.2600.5512, hSession = 0x01ab2000
Behavior description: Establishes a socket connection to a specified host
Details: URL: cr****om, IP: **.133.40.**:80, SOCKET = 0x000002d4
Behavior description: Sends an HTTP packet
Details: GET /pki/crl/products/WindowsPCA.crl HTTP/1.1 Accept: */* User-Agent: Microsoft-CryptoAPI/5.131.2600.5512 Host: cr****om Connection: Keep-Alive Cache-Control: no-cache Pragma: no-cache
Behavior description: Opens an HTTP request
Details: WinHttpOpenRequest: cr****om:80/pki/crl/products/windowspca.crl, hConnect = 0x01ab2100, hRequest = 0x01b20000, Verb: GET, Referer: , Flags = 0x00000100
Behavior description: Resolves a host address by name
Details: GetAddrInfoW: cr****om
Other behavior
Behavior description: Creates a mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
RasPbFile
MSCTF.Shared.MUTEX.EFK
Behavior description: Creates an event object
Details: EventName = Global\crypt32LogoffEvent
EventName = MSCTF.SendReceive.Event.EFK.IC
EventName = MSCTF.SendReceiveConection.Event.EFK.IC
Behavior description: Directly calls a critical system API
Details: Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x010046E5
Behavior description: Searches for a specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [OleMainThreadWndClass,]
Behavior description: Window information
Details: Pid = 2640, Hwnd=0x10364, Text = &Далее >, ClassName = Button.
Pid = 2640, Hwnd=0x10358, Text = Отмена, ClassName = Button.
Pid = 2640, Hwnd=0x1035a, Text = <&Назад, ClassName = Button.
Pid = 2640, Hwnd=0x1035c, Text = DefBannerBitmap, ClassName = Static.
Pid = 2640, Hwnd=0x1035e, Text = MsiHorizontalLine, ClassName = Static.
Pid = 2640, Hwnd=0x10360, Text = MsiHorizontalLine, ClassName = Static.
Pid = 2640, Hwnd=0x10362, Text = Мастер установки Microsoft Калькулятор Плюс, ClassName = Static.
Pid = 2640, Hwnd=0x10366, Text = ВНИМАНИЕ. Данная программа защищена законами об авторских правах и международными соглашениями. Незаконное воспроизведение или распространение данной программы или любой ее части влечет гражданскую и уголовную ответственность и будет преследоваться по закону., ClassName = Static.
Pid = 2640, Hwnd=0x10368, Text = Установщик поможет установить Microsoft Калькулятор Плюс на данный компьютер., ClassName = Static.
Pid = 2640, Hwnd=0x50352, Text = Microsoft Калькулятор Плюс, ClassName = MsiDialogCloseClass.
Behavior description: Adjusts process token privileges
Details: SE_SHUTDOWN_PRIVILEGE
SE_INCREASE_QUOTA_PRIVILEGE
SE_RESTORE_PRIVILEGE
SE_SECURITY_PRIVILEGE
SE_CREATE_TOKEN_PRIVILEGE
Behavior description: Opens an event
Details: CTF.ThreadMIConnectionEvent.000007E8.00000000.0000000F
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.0000000F
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Global\crypt32LogoffEvent
Global\userenv: Machine Group Policy has been applied
userenv: User Group Policy has been applied
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
\INSTALLATION_SECURITY_HOLD
Global\SvcctrlStartEvent_A3752DX
MSFT.VSA.COM.DISABLE.2640
MSFT.VSA.IEC.STATUS.6c736db0
MSFT.VSA.COM.DISABLE.2776
Behavior description: Hides a specified window
Details: [Window,Class] = [Windows Installer,#32770]
Behavior description: Opens a mutex
Details: ShimCacheMutex
RasPbFile
Behavior description: Imports a key
Details: [CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x000F9F48, DataLen: 276, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x00142120, DataLen: 148, Flags: 0x00000000