VirSCAN

File information
Safety rating: 79
Behavior list
Basic Information
MD5: cb8b28f650ab23634d168c4647baa565
File type: EXE
Producer: 爱封装 | www.2fz.cc
Version: 4.9.3.409---4.9.3.409
Packer or compiler information: COMPILER: Free Pascal v1.06 [Overlay] *
Key behavior
Behavior description: Sets special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\IETldCache
Behavior description: Reads the CPU clock counter directly
Behavior description: Gets the TickCount value
Process behavior
Behavior description: Creates a process from a newly written file
details:[0x00000bd4]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DiskGenius\DiskGenius.exe, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DiskGenius\DiskGenius.exe
Behavior description: Enumerates processes
details:N/A
Behavior description: Creates local threads
details:TargetProcess: DiskGenius.exe, InheritedFromPID = 2632, ProcessID = 3028, ThreadID = 3036, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: DiskGenius.exe, InheritedFromPID = 2632, ProcessID = 3028, ThreadID = 3200, StartAddress = 005DE5B0, Parameter = 001D6300
TargetProcess: DiskGenius.exe, InheritedFromPID = 2632, ProcessID = 3028, ThreadID = 3204, StartAddress = 005DE5B0, Parameter = 00223020
TargetProcess: DiskGenius.exe, InheritedFromPID = 2632, ProcessID = 3028, ThreadID = 3208, StartAddress = 005DE5B0, Parameter = 00224968
TargetProcess: DiskGenius.exe, InheritedFromPID = 2632, ProcessID = 3028, ThreadID = 3212, StartAddress = 005DE5B0, Parameter = 00224028
TargetProcess: DiskGenius.exe, InheritedFromPID = 2632, ProcessID = 3028, ThreadID = 3248, StartAddress = 765E964D, Parameter = 001D65C8
TargetProcess: DiskGenius.exe, InheritedFromPID = 2632, ProcessID = 3028, ThreadID = 3264, StartAddress = 7C949B6F, Parameter = 00000000
TargetProcess: DiskGenius.exe, InheritedFromPID = 2632, ProcessID = 3028, ThreadID = 3280, StartAddress = 759D8761, Parameter = 00000000
TargetProcess: DiskGenius.exe, InheritedFromPID = 2632, ProcessID = 3028, ThreadID = 3308, StartAddress = 757D4D37, Parameter = 00247638
TargetProcess: DiskGenius.exe, InheritedFromPID = 2632, ProcessID = 3028, ThreadID = 3316, StartAddress = 757D4D37, Parameter = 0023A1C0
TargetProcess: DiskGenius.exe, InheritedFromPID = 2632, ProcessID = 3028, ThreadID = 3320, StartAddress = 757D4D37, Parameter = 001E70E8
TargetProcess: DiskGenius.exe, InheritedFromPID = 2632, ProcessID = 3028, ThreadID = 3348, StartAddress = 77E56C7D, Parameter = 03FB05E8
TargetProcess: DiskGenius.exe, InheritedFromPID = 2632, ProcessID = 3028, ThreadID = 3352, StartAddress = 769AE43B, Parameter = 03FA1EA8
TargetProcess: DiskGenius.exe, InheritedFromPID = 2632, ProcessID = 3028, ThreadID = 3356, StartAddress = 007E118E, Parameter = 03FD2C60
TargetProcess: DiskGenius.exe, InheritedFromPID = 2632, ProcessID = 3028, ThreadID = 3388, StartAddress = 00430D0A, Parameter = 20800000
File behavior
Behavior description: Creates files
details:C:\Documents and Settings\Administrator\Local Settings\Temp\nsp3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\Barray.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\Charset.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\DGBCDX64.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\DiskGenius.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\FileType.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\HdrwLDM.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\HdrwRD.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\HdrwSmartInfo.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\HdrwVdi.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\HdrwVhd.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\HdrwVhdx.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\Hdrwvm.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\LangCRes.dll
Behavior description: Creates executable files
details:C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\Barray.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\Charset.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\DGBCDX64.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\DiskGenius.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\FileType.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\HdrwLDM.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\HdrwRD.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\HdrwSmartInfo.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\HdrwVdi.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\HdrwVhd.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\HdrwVhdx.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\Hdrwvm.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\LangCRes.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\Letarm.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\SDL.dll
Behavior description: Overwrites an existing file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\nsu4.tmp
Behavior description: Searches for files
details:FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates\*
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs\*
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs\*
FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS\system32\Ras\*.pbk
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Behavior description: Deletes files
details:C:\Documents and Settings\Administrator\Local Settings\Temp\nsp3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu4.tmp
Behavior description: Modifies file contents
details:C:\Documents and Settings\Administrator\Local Settings\Temp\nsu4.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu4.tmp ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu4.tmp ---> Offset = 40556
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu4.tmp ---> Offset = 73324
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu4.tmp ---> Offset = 77899
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\Barray.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\Barray.dll ---> Offset = 16384
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\Barray.dll ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\Barray.dll ---> Offset = 49152
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\Barray.dll ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\Charset.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\Charset.dll ---> Offset = 16384
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\Charset.dll ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\Charset.dll ---> Offset = 49152
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\Charset.dll ---> Offset = 65536
Network behavior
Behavior description: Connects to a specified site
details:WinHttpConnect: ServerName = cr****om, PORT = 80, UserName = , Password = , hSession = 0x04c52000, hConnect = 0x04c52100, Flags = 0x00000000
WinHttpConnect: ServerName = th****om, PORT = 80, UserName = , Password = , hSession = 0x04c52000, hConnect = 0x04c52100, Flags = 0x00000000
InternetConnectA: ServerName = ww****cn, PORT = 80, UserName = , Password = , hSession = 0x00cc0008, hConnect = 0x00cc000c, Flags = 0x00000000
InternetConnectA: ServerName = ww****cn, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0010, Flags = 0x00000000
Behavior description: Opens an HTTP connection
details:WinHttpOpen: UserAgent: Microsoft-CryptoAPI/5.131.2600.5512, hSession = 0x04c52000
InternetOpenA: UserAgent: Mozilla/4.0 (compatible; ), hSession = 0x00cc0004
InternetOpenA: UserAgent: Mozilla/4.0 (compatible; ), hSession = 0x00cc0008
Behavior description: Establishes a socket connection to a specified host
details:URL: cr****om, IP: **.133.40.**:80, SOCKET = 0x00000390
URL: cr****om, IP: **.133.40.**:80, SOCKET = 0x00000338
URL: th****om, IP: **.133.40.**:80, SOCKET = 0x00000338
URL: ww****cn, IP: **.133.40.**:80, SOCKET = 0x00000598
URL: ww****cn, IP: **.133.40.**:80, SOCKET = 0x000005a8
Behavior description: Reads a network file
details:hFile = 0x00cc0014, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00cc0018, BytesToRead =1024, BytesRead = 1024.
Behavior description: Sends HTTP packets
details:GET /ThawtePremiumServerCA.crl HTTP/1.1 Accept: */* User-Agent: Microsoft-CryptoAPI/5.131.2600.5512 Host: cr****om Connection: Keep-Alive Cache-Control: no-cache Pragma: no-cache
GET /ThawtePCA.crl HTTP/1.1 Accept: */* User-Agent: Microsoft-CryptoAPI/5.131.2600.5512 Host: cr****om Connection: Keep-Alive Cache-Control: no-cache Pragma: no-cache
GET /th.crl HTTP/1.1 Accept: */* User-Agent: Microsoft-CryptoAPI/5.131.2600.5512 Host: th****om Connection: Keep-Alive Cache-Control: no-cache Pragma: no-cache
GET /adbar/adconfig.php?ver=4%2e9%2e3%2e409prochs HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; ) Accept: */* Host: ww****cn
POST /pro/statistics/update.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Accept: */* User-Agent: Mozilla/4.0 (compatible; ) Host: ww****cn Content-Length: 225 Connection: Keep-Alive Cache-Control: no-cache ver=4%2e9%2e3%2e409_x86_pro_chs&winver=5%2e1%2e2600%2esp3%2e0%2e00000100&reslang=chs&syslang=chs&code=DLE4D-WEVAX-DYER2-G3KMU-Y5GHQ&disk1=XLAVFO%5CJJG]EQXL99<l%3D<<9%23<7>6:ll%3DQ<>79%3F;<>&appname=DiskGenius&appcs=3341849234
Behavior description: Opens an HTTP request
details:WinHttpOpenRequest: cr****om:80/thawtepremiumserverca.crl, hConnect = 0x04c52100, hRequest = 0x04cc0000, Verb: GET, Referer: , Flags = 0x00000100
WinHttpOpenRequest: cr****om:80/thawtepca.crl, hConnect = 0x04c52100, hRequest = 0x04cc0000, Verb: GET, Referer: , Flags = 0x00000100
WinHttpOpenRequest: th****om:80/th.crl, hConnect = 0x04c52100, hRequest = 0x04cc0000, Verb: GET, Referer: , Flags = 0x00000100
HttpOpenRequestA: ww****cn:80/adbar/adconfig.php?ver=4%2e9%2e3%2e409prochs, hConnect = 0x00cc000c, hRequest = 0x00cc0014, Verb: GET, Referer: , Flags = 0x04000000
HttpOpenRequestA: ww****cn:80/pro/statistics/update.php, hConnect = 0x00cc0010, hRequest = 0x00cc0018, Verb: POST, Referer: , Flags = 0x04400040
Behavior description: Resolves a host address by name
details:GetAddrInfoW: cr****om
GetAddrInfoW: th****om
GetAddrInfoW: ww****cn
Registry behavior
Behavior description: Modifies the registry
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Behavior description: Deletes registry values
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Other behavior
Behavior description: Checks whether it is being debugged
details:IsDebuggerPresent
Behavior description: Creates mutexes
details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
oleacc-msaa-loaded
Global\FT_ET-ARM_GLOBE_MUTEX
RasPbFile
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Local\c:!documents and settings!administrator!ietldcache!
MSCTF.Shared.MUTEX.IOH
Behavior description: Creates event objects
details:EventName = DINPUTWINMM
EventName = Global\crypt32LogoffEvent
EventName = DownTask0-3028
EventName = DownTask1-3028
EventName = DownTask2-3028
EventName = DownTask3-3028
EventName = Global\Microsoft Smart Card Resource Manager Started
EventName = HdrwntDiskIOEventRun001D62E8-3028
EventName = HdrwntDiskIOEventOK001D62E8-3028
EventName = E8063-3028
EventName = HdrwntVolumeIOEventRun00224010-3028
EventName = HdrwntVolumeIOEventOK00224010-3028
EventName = EventC-3028
EventName = HdrwntVolumeIOEventRun00223008-3028
EventName = HdrwntVolumeIOEventOK00223008-3028
Behavior description: Opens mutexes
details:ShimCacheMutex
Global\FT_ET-ARM_GLOBE_MUTEX
RasPbFile
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
Local\!IETld!Mutex
Local\c:!documents and settings!administrator!ietldcache!
Behavior description: Reads/writes the hard disk using SCSI commands
details:N/A
Behavior description: Window information
details:Pid = 3028, Hwnd=0x103b0, Text = DiskGenius磁盘分区及数据恢复软件, ClassName = Static.
Pid = 3028, Hwnd=0x103b2, Text = 版本 4.9.3.409 , ClassName = Static.
Pid = 3028, Hwnd=0x103b6, Text = http://www.diskgenius.cn, ClassName = Static.
Pid = 3028, Hwnd=0x10560, Text = 发现刚刚使用的功能不错呦,我也要分享一下,让更多人使用!, ClassName = Static.
Pid = 3028, Hwnd=0x10562, Text = 不再提示, ClassName = Button(CheckBox).
Pid = 3028, Hwnd=0x10432, Text = Tab1, ClassName = SysTabControl32.
Pid = 3028, Hwnd=0x1046c, Text = 分析, ClassName = Button.
Pid = 3028, Hwnd=0x10470, Text = 详情, ClassName = Button.
Pid = 3028, Hwnd=0x1047c, Text = 当前字节序: 小端, ClassName = Static.
Pid = 3028, Hwnd=0x1047e, Text = 8位(±):, ClassName = Static.
Pid = 3028, Hwnd=0x10480, Text = 8位(+):, ClassName = Static.
Pid = 3028, Hwnd=0x10482, Text = 16位(±):, ClassName = Static.
Pid = 3028, Hwnd=0x10484, Text = 16位(+):, ClassName = Static.
Pid = 3028, Hwnd=0x10486, Text = 24位(±):, ClassName = Static.
Pid = 3028, Hwnd=0x10488, Text = 24位(+):, ClassName = Static.
Behavior description: Searches for the kernel32.dll base address
details:Instruction Address = 0x0175e832
Behavior description: Adjusts process token privileges
details:SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Opens events
details:HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
Global\crypt32LogoffEvent
Global\SvcctrlStartEvent_A3752DX
Global\Microsoft Smart Card Resource Manager Started
Global\userenv: Machine Group Policy has been applied
userenv: User Group Policy has been applied
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
\INSTALLATION_SECURITY_HOLD
MSFT.VSA.COM.DISABLE.3028
MSFT.VSA.IEC.STATUS.6c736db0
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Behavior description: Imports keys
details:[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x00197C00, DataLen: 276, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x0023A368, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x00258738, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x0026E760, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x0027FC80, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x03F34FC8, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x03F39788, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x03F4E5E8, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x03F5D660, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x03F6BEA0, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x03F7BCD8, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x03F83E58, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x03F92220, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x03FA0F58, DataLen: 148, Flags: 0x00000000
Behavior description: Accesses a physical device directly
details:\??\PhysicalDrive0
Behavior description: Executable file signature information
details:C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\Barray.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\Charset.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\DGBCDX64.exe (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\DiskGenius.exe (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\FileType.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\HdrwLDM.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\HdrwRD.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\HdrwSmartInfo.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\HdrwVdi.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\HdrwVhd.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\HdrwVhdx.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\Hdrwvm.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\LangCRes.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\Letarm.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\SDL.dll (signature verification: passed)
Behavior description: Calls the Sleep function
details:[1]: MilliSeconds = 0.
[2]: MilliSeconds = 0.
[3]: MilliSeconds = 0.
[4]: MilliSeconds = 0.
[5]: MilliSeconds = 60000.
[6]: MilliSeconds = 120.
[7]: MilliSeconds = 119.
[8]: MilliSeconds = 120.
[9]: MilliSeconds = 120.
[10]: MilliSeconds = 120.
Behavior description: Hides specified windows
details:[Window,Class] = [分析,Button]
[Window,Class] = [,AfxWnd120su]
[Window,Class] = [详情,Button]
[Window,Class] = [,ComboLBox]
[Window,Class] = [,#32770]
[Window,Class] = [,SysListView32]
Behavior description: Gets the cursor position
Behavior description: Executable file MD5
details:C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\Barray.dll ---> bb850b109e3541cdbe1bb6d1a7876f7a
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\Charset.dll ---> 6f0f6efbe20ea610d41d0c8b38e4645f
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\DGBCDX64.exe ---> dddba8f71db796a70c7de297afdb2b79
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\DiskGenius.exe ---> File too large!
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\FileType.dll ---> f28d861766e99e22dbd4e8dd84c7c5c8
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\HdrwLDM.dll ---> be971bbbc9524d1abaa1556fff2e66f4
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\HdrwRD.dll ---> 5fe4841898724220e1da0b7c3c3d9808
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\HdrwSmartInfo.dll ---> a9a405244eeea19a566b12df2a883379
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\HdrwVdi.dll ---> 9d0194f219e900d0c2cc695328e2acc2
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\HdrwVhd.dll ---> 9c0bf3cafacbdc270ca0ffb4845b9049
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\HdrwVhdx.dll ---> adca7b823ff3d875cb9e9d3584f3ed98
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\Hdrwvm.dll ---> b670a8c02169e468048b00dbc2e7930a
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\LangCRes.dll ---> e7739de134ebc193ab7f91f243d26aca
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\Letarm.dll ---> f85f7c66a349d1cc24393427d93c88cb
C:\Documents and Settings\Administrator\Local Settings\Temp\DiskGenius\SDL.dll ---> 66205274ef5dfb30c822a38a09a6880b
Behavior description: Searches for a specified window
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behavior description: Loads newly dropped files
details:Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DiskGenius\SDL.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DiskGenius\avcodec-54.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DiskGenius\avutil-52.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DiskGenius\avformat-54.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DiskGenius\swresample-0.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DiskGenius\swscale-2.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DiskGenius\Hdrwvm.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DiskGenius\HdrwVdi.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DiskGenius\HdrwVhd.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DiskGenius\HdrwVhdx.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DiskGenius\Letarm.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DiskGenius\LangCRes.dll.