VirSCAN


File information
Safety rating: 87
Behavior list
Basic Information
MD5: 9c30ba2d8feeaf898ab8c9e89ec48c6c
File type: EXE
Production company: JFX
Version: 3.8.7.0 --- 3,8,7.0
Shell or compiler information: PACKER: UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]
Subfile information: (list of embedded files with their MD5 hashes omitted)
Key behavior
Behavior description: Set special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temp\WinNTSetup
Process behavior
Behavior description: Create process with hidden window
details: ImagePath = , CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7ZipSfx.000\WinNTSetup_iso.cmd"
Behavior description: Create process
details: ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c ""C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7ZipSfx.000\WinNTSetup_iso.cmd" "
Behavior description: Create local thread
details: TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 120, ThreadID = 1772, StartAddress = 004012E3, Parameter = 00A00048
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 120, ThreadID = 1828, StartAddress = 77C0A341, Parameter = 00A00320
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 120, ThreadID = 1008, StartAddress = 77C0A341, Parameter = 0091DD98
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 120, ThreadID = 196, StartAddress = 77C0A341, Parameter = 0091DE28
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 120, ThreadID = 1252, StartAddress = 77DC845A, Parameter = 00000000
Behavior description: Create process from newly created file
details: ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7ZipSfx.000\WinNTSetup_x86.exe, CmdLine = WinNTSetup_x86.exe
Behavior description: Enumerate processes
details: N/A
File behavior
Behavior description: Create file
details: C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\WimBootCompress.ini
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\WinNTSetup_iso.cmd
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\wimgapi.old
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x86\wimgapi.old
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\WinNTSetup_iso.cmd
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\bcdboot.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\bcdedit.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\BOOTICEx64.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\bootsect.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\DISM\wofadk.sys
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\MinHook.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\MSSTMake.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\offreg.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\wimgapi.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\wimlib\libwim-15.dll
Behavior description: Create executable file
details: C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\wimgapi.old
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x86\wimgapi.old
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\bcdboot.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\bcdedit.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\BOOTICEx64.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\bootsect.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\DISM\wofadk.sys
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\MinHook.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\MSSTMake.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\offreg.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\wimgapi.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\wimlib\libwim-15.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\wimlib\wimlib-imagex.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x86\bcdboot.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x86\bcdedit.exe
Behavior description: Modify file contents
details: C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\WimBootCompress.ini ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\WinNTSetup_iso.cmd ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\wimgapi.old ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x86\wimgapi.old ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\WinNTSetup_iso.cmd ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\bcdboot.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\bcdboot.exe ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\bcdboot.exe ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\bcdedit.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\bcdedit.exe ---> Offset = 12800
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\bcdedit.exe ---> Offset = 78336
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\bcdedit.exe ---> Offset = 143872
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\bcdedit.exe ---> Offset = 209408
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\BOOTICEx64.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\BOOTICEx64.exe ---> Offset = 37888
Behavior description: Set special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temp\WinNTSetup
Behavior description: Search for file
details: FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7ZipSfx.000
FileName = C:\Documents and Settings\ADMINI~1
FileName = C:\Documents and Settings\Administrator\LOCALS~1
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\WinNTSetup_iso.cmd
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7ZipSfx.000\WinNTSetup_iso.cmd
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7ZipSfx.000\WinNTSetup_x86.exe
FileName = C:\WINDOWS\system32\WinNTSetup_iso.cmd
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Lang\Language.dll
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Lang\2052.dll
Registry behavior
Behavior description: Modify registry
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7ZipSfx.000\WinNTSetup_iso.cmd
Other behavior
Behavior description: Create mutex
details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
MSCTF.Shared.MUTEX.ELH
Behavior description: Create event object
details: EventName = Global\userenv: User Profile setup event
EventName = Global\crypt32LogoffEvent
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behavior description: Open event
details: HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
_fCanRegisterWithShellService
Global\crypt32LogoffEvent
Global\SvcctrlStartEvent_A3752DX
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000041
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000041
MSCTF.SendReceiveConection.Event.ELH.IC
MSCTF.SendReceive.Event.ELH.IC
Behavior description: Adjust process token privileges
details: SE_LOAD_DRIVER_PRIVILEGE
SE_SYSTEM_ENVIRONMENT_PRIVILEGE
SE_BACKUP_PRIVILEGE
SE_SECURITY_PRIVILEGE
SE_RESTORE_PRIVILEGE
SE_TAKE_OWNERSHIP_PRIVILEGE
SE_MANAGE_VOLUME_PRIVILEGE
Behavior description: Window information
details: Pid = 2708, Hwnd=0xe039e, Text = MBR, ClassName = Static.
Pid = 2708, Hwnd=0xb0398, Text = NTLDR PBR, ClassName = Static.
Pid = 2708, Hwnd=0x110342, Text = BOOT FLAG, ClassName = Static.
Pid = 2708, Hwnd=0x7038e, Text = MBR, ClassName = Static.
Pid = 2708, Hwnd=0x10032e, Text = BOOTMGR PBR, ClassName = Static.
Pid = 2708, Hwnd=0xe02aa, Text = BOOT PART, ClassName = Static.
Pid = 2708, Hwnd=0x1203be, Text = F, ClassName = Button.
Pid = 2708, Hwnd=0x503b8, Text = F, ClassName = Button.
Pid = 2708, Hwnd=0x120340, Text = C:, ClassName = Edit.
Pid = 2708, Hwnd=0x160324, Text = C:, ClassName = Edit.
Pid = 2708, Hwnd=0xc034a, Text = 选项, ClassName = Button(GroupBox).
Pid = 2708, Hwnd=0xb0370, Text = 选择包含Windows安装文件的文件夹, ClassName = Static.
Pid = 2708, Hwnd=0x1802f8, Text = 选择..., ClassName = Button.
Pid = 2708, Hwnd=0x100334, Text = 选择..., ClassName = Button.
Pid = 2708, Hwnd=0xc034e, Text = 5 GB free NTFS Space Align 63 S, ClassName = Static.
Behavior description: Direct access to physical device
details: \??\PHYSICALDRIVE0
Behavior description: Executable file signature information
details: C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\wimgapi.old (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x86\wimgapi.old (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\bcdboot.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\bcdedit.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\BOOTICEx64.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\bootsect.exe (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\DISM\wofadk.sys (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\MinHook.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\MSSTMake.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\offreg.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\wimgapi.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\wimlib\libwim-15.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x64\wimlib\wimlib-imagex.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x86\bcdboot.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x86\bcdedit.exe (signature verification: failed)
Behavior description: Hide specified window
details: [Window,Class] = [,Static]
[Window,Class] = [,ComboLBox]
[Window,Class] = [,ComboBox]
[Window,Class] = [,ComboBoxEx32]
[Window,Class] = [模式,Button]
[Window,Class] = [MBR,Static]
[Window,Class] = [NTLDR PBR,Static]
[Window,Class] = [BOOT FLAG,Static]
[Window,Class] = [,Edit]
[Window,Class] = [选择...,Button]
[Window,Class] = [,Button]
[Window,Class] = [预分配驱动器盘符,Button]
[Window,Class] = [破解uxtheme.dll以支持使用第三方未签名主题,Button]
[Window,Class] = [无人值守,Button]
[Window,Class] = [添加驱动,Button]
Behavior description: Executable file MD5
details: (MD5 hash list of the dropped executables omitted)
Behavior description: Open mutex
details: ShimCacheMutex
Local\!IETld!Mutex
Behavior description: Load newly dropped file
details: Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7ZipSfx.000\Tools\x86\offreg.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7ZipSfx.000\Tools\x86\MinHook.dll.
Image: C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x86\wimgapi.old.
Image: C:\Documents and Settings\Administrator\Local Settings\Temp\7ZipSfx.000\Tools\x86\wimlib\libwim-15.dll.