VirSCAN

File information
Safety rating: 75
Behavior list
Basic Information
MD5: a840132c5fab5018f6bb0ae4c784b9d5
File type: EXE
Production company: Microsoft Corporation
Version: 1.4.9200.17350---1.4.9200.17350
Shell or compiler information: COMPILER:Microsoft Visual Studio .NET 2005 -- 2008 -> Microsoft Corporation [Overlay] *
Subfile information: Windows10UpgraderApp.exe / 1208ae6fe27bf1dd64b43b2fa1316a5f / EXE
windlp.dll / eff1f65fd8882edb752e028ad4fef661 / DLL
GetCurrentDeploy.dll / d3f5e7f4e9cf707a5b1dc61233f7418c / DLL
DW20.EXE / 1ed0089aaef4ca14fe6f0552daf20a4c / EXE
GatherOSState.EXE / 6a123eb1cfa9cc0fbef8825e28d0e458 / EXE
wimgapi.dll / faf4b24de0ae1b7ea9d2e50d338d7ac5 / DLL
appraiserxp.dll / e10f457a494c5d0760d015a19902c33d / DLL
DevInv.dll / 41b9a0ef708d36625fe46e47127bd3b7 / DLL
downloader.dll / 4a249dceee21ff4284252642f2c6e419 / DLL
GetCurrentOOBE.dll / 415ee086a6b7e464d282013f639e2cc5 / DLL
bootsect.exe / 92fb4b2fe4a3f4b8bc687522526855af / EXE
GetCurrentRollback.EXE / 04dc894c9b6ff4bd6f0446d93cef0fe6 / EXE
ESDHelper.dll / a60e8c16bad663c5d1fbbc5bdf9ba758 / DLL
cosquery.dll / 160849d95cd1660995bf073c40ce393e / DLL
DWDCW20.DLL / 5b7ddeca6b427dcdbec45e5cb4d31d5c / DLL
DWTRIG20.EXE / 3703ffb66d8083c71a9099215f94a720 / EXE
esdstub.dll / a8146f79f8df738c959b277fcb1fc8d1 / DLL
HttpHelper.exe / 2b35489c7e3f05ebb9c5e69e4f419511 / EXE
WinREBootApp64.exe / 91c7d843a75b3459b62ba60d294ee6e0 / EXE
Key behavior
Behavior description: Create shortcut on desktop
details: C:\Documents and Settings\Administrator\桌面\微软 Windows 10 易升.lnk
Process behavior
Behavior description: Create local thread
details: TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 3664, ThreadID = 3684, StartAddress = 00419D9E, Parameter = 00000000
File behavior
Behavior description: Create file
details: C:\Documents and Settings\Administrator\Local Settings\Temp\UpgraderStub.log
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\Windows10UpgraderApp.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\appraiserxp.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\cosquery.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\DevInv.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\DW20.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\DWDCW20.DLL
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\DWTRIG20.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\GetCurrentDeploy.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\ESDHelper.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\GatherOSState.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\GetCurrentRollback.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\wimgapi.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\windlp.dll
Behavior description: Drop a link or shortcut in a sensitive system location (e.g. the Start menu)
details: C:\Documents and Settings\All Users\「开始」菜单\程序\微软 Windows 10 易升.lnk
Behavior description: Create executable file
details: C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\Windows10UpgraderApp.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\appraiserxp.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\cosquery.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\DevInv.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\DW20.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\DWDCW20.DLL
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\DWTRIG20.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\GetCurrentDeploy.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\ESDHelper.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\GatherOSState.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\GetCurrentRollback.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\wimgapi.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\windlp.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\esdstub.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\downloader.dll
Behavior description: Copy file
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WXU4C.tmp\2052\DWINTL20.DLL ---> C:\Windows10Upgrade\2052\DWINTL20.DLL
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WXU4C.tmp\2052\DWINTL20.DLL-newfile ---> C:\Windows10Upgrade\2052\DWINTL20.DLL-newfile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WXU4C.tmp\2052\DWINTL20.DLL-samplefile ---> C:\Windows10Upgrade\2052\DWINTL20.DLL-samplefile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WXU4C.tmp\2052\DWINTL20.DLL.AmBackup23 ---> C:\Windows10Upgrade\2052\DWINTL20.DLL.AmBackup23
Behavior description: Create shortcut on desktop
details: C:\Documents and Settings\Administrator\桌面\微软 Windows 10 易升.lnk
Behavior description: Delete file
details: C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\2052\DWINTL20.DLL
Behavior description: Search for file
details: FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Windows10Upgrade\Windows10UpgraderApp.exe
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WXU4C.tmp\*
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WXU4C.tmp\2052\*
FileName = C:\Windows10Upgrade
FileName = C:\Windows10Upgrade\Windows10UpgraderApp.exe\*.*
FileName = C:\Documents and Settings\Administrator\桌面
FileName = C:\Documents and Settings\Administrator\「开始」菜单
FileName = C:\Documents and Settings\All Users
FileName = C:\Documents and Settings\All Users\「开始」菜单
FileName = C:\Documents and Settings\All Users\桌面
FileName = C:\Documents and Settings\All Users\Application Data
FileName = C:\Documents and Settings\Administrator\Application Data
Behavior description: Modify file content
details: C:\Documents and Settings\Administrator\Local Settings\Temp\UpgraderStub.log ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\UpgraderStub.log ---> Offset = 15
C:\Documents and Settings\Administrator\Local Settings\Temp\UpgraderStub.log ---> Offset = 17
C:\Documents and Settings\Administrator\Local Settings\Temp\UpgraderStub.log ---> Offset = 29
C:\Documents and Settings\Administrator\Local Settings\Temp\UpgraderStub.log ---> Offset = 31
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\Windows10UpgraderApp.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\Windows10UpgraderApp.exe ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\Windows10UpgraderApp.exe ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\Windows10UpgraderApp.exe ---> Offset = 98304
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\Windows10UpgraderApp.exe ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\appraiserxp.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\appraiserxp.dll ---> Offset = 11576
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\appraiserxp.dll ---> Offset = 44344
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\appraiserxp.dll ---> Offset = 77112
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\appraiserxp.dll ---> Offset = 109880
Registry behavior
Behavior description: Modify registry
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D5C69738-B486-402E-85AC-2456D98A64E4}\Publisher
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D5C69738-B486-402E-85AC-2456D98A64E4}\DisplayName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D5C69738-B486-402E-85AC-2456D98A64E4}\DisplayIcon
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D5C69738-B486-402E-85AC-2456D98A64E4}\UninstallString
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D5C69738-B486-402E-85AC-2456D98A64E4}\EstimatedSize
Other behavior
Behavior description: Create mutex
details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Global\Microsoft.Windows.Windows10Upgrader
MSCTF.Shared.MUTEX.ELH
Behavior description: Create event object
details: EventName = Global\userenv: User Profile setup event
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behavior description: Open event
details: HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000042
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000042
MSCTF.SendReceiveConection.Event.ELH.IC
MSCTF.SendReceive.Event.ELH.IC
Behavior description: Adjust process token privileges
details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Window information
details: Pid = 3664, Hwnd=0x1002c8, Text = 确定, ClassName = Button.
Pid = 3664, Hwnd=0xb032a, Text = 找不到所需的文件。请检查您是否有权写入到安装文件夹。, ClassName = Static.
Pid = 3664, Hwnd=0xc02b2, Text = 错误, ClassName = #32770.
Behavior description: Executable file signature information
details: C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\Windows10UpgraderApp.exe (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\appraiserxp.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\cosquery.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\DevInv.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\DW20.EXE (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\DWDCW20.DLL (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\DWTRIG20.EXE (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\GetCurrentDeploy.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\ESDHelper.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\GatherOSState.EXE (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\GetCurrentRollback.EXE (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\wimgapi.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\windlp.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\esdstub.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\downloader.dll (signature verification: passed)
Behavior description: Executable file MD5
details: C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\Windows10UpgraderApp.exe ---> 1208ae6fe27bf1dd64b43b2fa1316a5f
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\appraiserxp.dll ---> e10f457a494c5d0760d015a19902c33d
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\cosquery.dll ---> 160849d95cd1660995bf073c40ce393e
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\DevInv.dll ---> 41b9a0ef708d36625fe46e47127bd3b7
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\DW20.EXE ---> 1ed0089aaef4ca14fe6f0552daf20a4c
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\DWDCW20.DLL ---> 5b7ddeca6b427dcdbec45e5cb4d31d5c
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\DWTRIG20.EXE ---> 3703ffb66d8083c71a9099215f94a720
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\GetCurrentDeploy.dll ---> d3f5e7f4e9cf707a5b1dc61233f7418c
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\ESDHelper.dll ---> a60e8c16bad663c5d1fbbc5bdf9ba758
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\GatherOSState.EXE ---> 6a123eb1cfa9cc0fbef8825e28d0e458
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\GetCurrentRollback.EXE ---> 04dc894c9b6ff4bd6f0446d93cef0fe6
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\wimgapi.dll ---> faf4b24de0ae1b7ea9d2e50d338d7ac5
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\windlp.dll ---> eff1f65fd8882edb752e028ad4fef661
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\esdstub.dll ---> a8146f79f8df738c959b277fcb1fc8d1
C:\Documents and Settings\Administrator\Local Settings\Temp\WXU4C.tmp\downloader.dll ---> 4a249dceee21ff4284252642f2c6e419
Behavior description: Open mutex
details: ShimCacheMutex