VirSCAN


File information
Safety rating:70
Behavior list
Basic Information
MD5:c1bc99ae904db7c82ec137246add9a45
File type:EXE
Production company:狂飙的蜗牛
Version:1.0.0.0---1.0.0.0
Shell or compiler information:COMPILER:Elan
Key behavior
Behavior description:Directly calls critical system API
details:Index = 0x00000011, Name: NtAllocateVirtualMemory, Instruction Address = 0x004276CF
Behavior description:Gets TickCount value
details:TickCount = 242734, SleepMilliseconds = 250.
Process behavior
Behavior description:Creates process with hidden window
details:ImagePath = , CmdLine = cmd /c devcon find "pci\ven_1022&dev_2000&subsys_20001022" >C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FindD.net
ImagePath = , CmdLine = cmd /c ipconfig >C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FindD.net
ImagePath = , CmdLine = cmd /c devcon find "pci\ven_1022&dev_2000" >C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FindD.net
Behavior description:Creates process
details:[0x00000b18]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c devcon find "pci\ven_1022&dev_2000&subsys_20001022" >C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FindD.net
[0x00000b34]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c ipconfig >C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FindD.net
[0x00000b3c]ImagePath = C:\WINDOWS\system32\ipconfig.exe, CmdLine = ipconfig
[0x00000b60]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c devcon find "pci\ven_1022&dev_2000" >C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FindD.net
[0x00000b70]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c ipconfig >C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FindD.net
[0x00000b78]ImagePath = C:\WINDOWS\system32\ipconfig.exe, CmdLine = ipconfig
Behavior description:Creates local thread
details:TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2632, ThreadID = 2804, StartAddress = 0041CD9C, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2632, ThreadID = 2948, StartAddress = 77DC845A, Parameter = 00000000
Behavior description:Creates process from newly created file
details:[0x00000b28]ImagePath = C:\WINDOWS\system32\devcon.exe, CmdLine = devcon find "pci\ven_1022&dev_2000&subsys_20001022"
[0x00000b68]ImagePath = C:\WINDOWS\system32\devcon.exe, CmdLine = devcon find "pci\ven_1022&dev_2000"
File behavior
Behavior description:Creates file
details:C:\WINDOWS\system32\devcon.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\FindD.net
Behavior description:Creates executable file
details:C:\WINDOWS\system32\devcon.exe
Behavior description:Overwrites existing file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\FindD.net
Behavior description:Searches for file
details:FileName = C:\WINDOWS\system32\devcon.exe
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\cmd.exe
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\devcon.*
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\devcon
FileName = C:\Python27\devcon.*
FileName = C:\Python27\devcon
FileName = C:\Python27\Scripts\devcon.*
FileName = C:\Python27\Scripts\devcon
Behavior description:Deletes file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\FindD.net
Behavior description:Modifies file contents
details:C:\WINDOWS\system32\devcon.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\FindD.net ---> Offset = 0
Network behavior
Behavior description:Resolves host address by name
details:DnsQuery_W: 131.184.168.192.in-addr.arpa.
Other behavior
Behavior description:Creates mutex
details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
MSCTF.Shared.MUTEX.MEK
Behavior description:Creates event object
details:EventName = DINPUTWINMM
EventName = Global\crypt32LogoffEvent
EventName = MSCTF.SendReceive.Event.MEK.IC
EventName = MSCTF.SendReceiveConection.Event.MEK.IC
Behavior description:Directly calls critical system API
details:Index = 0x00000011, Name: NtAllocateVirtualMemory, Instruction Address = 0x004276CF
Behavior description:Finds specified window
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description:Opens event
details:HookSwitchHookEnabledEvent
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Global\crypt32LogoffEvent
Global\SvcctrlStartEvent_A3752DX
Behavior description:Gets TickCount value
details:TickCount = 242734, SleepMilliseconds = 250.
Behavior description:Adjusts process token privileges
details:SE_LOAD_DRIVER_PRIVILEGE
Behavior description:Window information
details:Pid = 2632, Hwnd=0x103e8, Text = IP修改器帮助信息, ClassName = Button(GroupBox).
Pid = 2632, Hwnd=0x103e6, Text = 联系我:, ClassName = _EL_Label.
Pid = 2632, Hwnd=0x103e2, Text = 网克后操作流程:网克后把生成的ipset.ini和程序一起拷贝到母盘里,启动程序后按回车即可进入自动设置界面,直接输机器号回车就修改完成了! 步骤:启动程序→回车→输入机器号码→回车→完成! 另外:请注意好你程序内网吧修改设置内的内容,请参考程序自带参数,如果填写错误则后果自负,其次机器标识注意不要使用数字,因为如果系统的机器名为纯数字则有可能带来不稳定的因素,这点本人已实践过,望各位好自为之! 声明:本程序仅支持 2000/XP 以上系统,程序不一定能通用和, ClassName = _EL_Label.
Pid = 2632, Hwnd=0x103e0, Text = IP自动修改+自动登陆+机器名修改一步搞定!并综合网吧加入了批量设置功能!可以快速高效的设置你的机器网络相关的设置!网克后使用更方便! , ClassName = _EL_Label.
Pid = 2632, Hwnd=0x103de, Text = 确定, ClassName = Button.
Pid = 2632, Hwnd=0x103d8, Text = IP资料, ClassName = Button.
Pid = 2632, Hwnd=0x103fa, Text = 删除USB子项目, ClassName = Button.
Pid = 2632, Hwnd=0x103f8, Text = 删除USB项目, ClassName = Button.
Pid = 2632, Hwnd=0x103f6, Text = 打开USB, ClassName = Button.
Pid = 2632, Hwnd=0x103f2, Text = 开启所有activex等Internet选项, ClassName = Button.
Pid = 2632, Hwnd=0x103f0, Text = 禁止, ClassName = Button(RadioButton).
Pid = 2632, Hwnd=0x103ee, Text = 开启, ClassName = Button(RadioButton).
Pid = 2632, Hwnd=0x103ce, Text = 修改IP, ClassName = Button.
Pid = 2632, Hwnd=0x103cc, Text = 网吧修改, ClassName = Button.
Pid = 2632, Hwnd=0x103ca, Text = 退出, ClassName = Button.
Behavior description:Directly accesses physical device
details:\??\PhysicalDrive0
Behavior description:Executable file signature information
details:C:\WINDOWS\system32\devcon.exe(签名验证: 未通过)
Behavior description:Calls Sleep function
details:[1]: MilliSeconds = 250.
Behavior description:Hides specified window
details:[Window,Class] = [<,AfxWnd42s]
[Window,Class] = [>,AfxWnd42s]
[Window,Class] = [,ComboLBox]
[Window,Class] = [,_EL_Timer]
[Window,Class] = [1,Edit]
[Window,Class] = [0,Edit]
[Window,Class] = [系统自动登陆设置,Button]
[Window,Class] = [,Button]
[Window,Class] = [IP资料,Button]
[Window,Class] = [,ListBox]
[Window,Class] = [,Edit]
[Window,Class] = [IP修改器帮助信息,Button]
[Window,Class] = [,Afx:1510000:b:10011:0:0]
Behavior description:Executable file MD5
details:C:\WINDOWS\system32\devcon.exe ---> c4b470269324517ee838789c7cf5e606
Behavior description:Opens mutex
details:ShimCacheMutex