VirSCAN

File information
Safety rating: 60
Behaviour list
Behaviour analysis report: Threatbook file behaviour analysis report
Basic information
MD5: f08518391709f705402d1f379bdcfd2c
File type: EXE
Vendor: 卤中仙
Version: 7.2.0.0---7.2.0.0
Packer or compiler information: COMPILER:Elan
Key behaviour
Behaviour description: Set special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache
C:\Documents and Settings\Administrator\IECompatCache
Behaviour description: Hide specified window
Details: [Window,Class] = [上一步,Button]
[Window,Class] = [完全控制,Button]
[Window,Class] = [只读模式,Button]
[Window,Class] = [读、写,Button]
[Window,Class] = [打开卤中仙网站,Button]
[Window,Class] = [如果您有朋友或者是自己想开一家熟食店,请点击联系我们,Afx:400000:b:2301b9:1900015:0]
[Window,Class] = [超级按钮,Button]
[Window,Class] = [,SysListView32]
[Window,Class] = [第三步:权限设置:,Afx:400000:b:10011:1900015:0]
[Window,Class] = [ 您的文件夹(磁盘)已经共享,对方电脑可通过:开始-运行-“\\您的IP地址”就可以访问到本机。如果你要共享打印机,请点击共享打印机图标,右击你要共享的打印机,你就可以
[Window,Class] = [恭喜,已完成共享!,Afx:400000:b:10011:1900015:0]
[Window,Class] = [不设置权限,Button]
[Window,Class] = [,Afx:400000:b:10011:1900015:0]
[Window,Class] = [开启共享中。。。,Afx:400000:b:10011:1900015:0]
[Window,Class] = [第一步:选择共享方式:,Afx:400000:b:10011:1900015:0]
Behaviour description: Set message hook
Details: C:\WINDOWS\system32\IEFRAME.dll
Behaviour description: Resolve host address by name
Details: wpad
Process behaviour
Behaviour description: Create process with hidden window
Details: ImagePath = , CmdLine = c:\monitor\works.bat
ImagePath = , CmdLine = c:\monitor\开启共享.bat
ImagePath = , CmdLine = net start workstation
ImagePath = , CmdLine = net start "computer browser"
ImagePath = , CmdLine = net start server
ImagePath = , CmdLine = net start netbios
Behaviour description: Create process
Details: ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c c:\monitor\works.bat
ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net config workstation
ImagePath = C:\WINDOWS\system32\find.exe, CmdLine = find "工作站域"
ImagePath = C:\WINDOWS\system32\find.exe, CmdLine = find /V "DNS"
ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 config workstation
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c c:\monitor\开启共享.bat
ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = NET USER Guest /active:yes
ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 USER Guest /active:yes
ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = NET USER Guest /passwordreq:no
ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 USER Guest /passwordreq:no
ImagePath = C:\WINDOWS\system32\secedit.exe, CmdLine = Secedit /configure /cfg "security.inf" /db secsetup.sdb /areas USER_RIGHTS /verbose
ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net user guest /active:yes
ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 user guest /active:yes
ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net user guest ""
ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 user guest ""
File behaviour
Behaviour description: Create file mapping with write access
Details: \WINDOWS\system32\zh-cn\ieframe.dll.mui
Internet Explorer Immutable Application State (00000ED4-0000-0000-0000-000000000000)
Local\SqmData_IESQM-3796_S-1-5-21-1482476501-1645522239-1417001333-500
Local\UrlZonesSM_Administrator
ie_lcie_main_ed4
Isolation Process Registry (E42513D7-3B63-11E4-B5D3-000C2938259F)
Isolation Signal Registry (E42513D7-3B63-11E4-B5D3-000C2938259F, 0)
ie_lcie_LogonMedium
Local\IEFrame!GetAsyncKeyStateSharedMem!3796
ie_lcie_ConnHashTable<3796>
DfRoot0000C7C84
AtlDebugAllocator_FileMappingNameStatic3_ed4
CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
DfRoot0000CA1BD
Local\Feed Eventing Shared Memory S-1-5-21-1482476501-1645522239-1417001333-500
Behaviour description: Set special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache
C:\Documents and Settings\Administrator\IECompatCache
Behaviour description: Modify file contents
Details: C:\monitor\works.bat---> Offset = 0
C:\monitor\开启共享.reg---> Offset = 0
C:\monitor\security.inf---> Offset = 0
C:\monitor\开启共享.bat---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\dnserrordiagoff[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\errorPageStrings[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6P4O8QNJ\httpErrorPagesScripts[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\noConnect[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\bullet[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\background_gradient[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\down[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\favcenter[2]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\tools[1]---> Offset = 0
Network behaviour
Behaviour description: Enumerate network shared resources
Details: N/A
Behaviour description: Download file
Details: URLDownloadToFileW: http://www.live.com/favicon.ico ---> C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Behaviour description: Connect to specified site
Details: InternetConnectA: ServerName = www.hrcygs.com, PORT = 80
InternetConnectA: ServerName = iframe.ip138.com, PORT = 80
Behaviour description: Establish connection to a specified socket
Details: 127.0.0.1:1046
Behaviour description: Read network file
Details: hFile = 0x00000674, BytesToRead =10240, BytesRead = 10240.
Behaviour description: Open HTTP request
Details: HttpOpenRequestA: www.hrcygs.com:80/tj, hConnect = 0x00000678
HttpOpenRequestA: iframe.ip138.com:80/ic.asp, hConnect = 0x00000678
HttpOpenRequestA: www.hrcygs.com:80/, hConnect = 0x000004a8
Behaviour description: Resolve host address by name
Details: wpad
Registry behaviour
Behaviour description: Modify registry
Details: \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHAPCY
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\445:TCP
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\137:UDP
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\138:UDP
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\139:TCP
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Providers\LogonTime
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Internet Explorer\SQM\PIDs\PID_3796
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Internet Explorer\Recovery\Active\{E42513DA-3B63-11E4-B5D3-000C2938259F}
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\{63800dac-e7ca-4df9-9a5c-20765055488d}\Enable
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32\
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Internet Explorer\Main\Window_Placement
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\JYW\xd
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count
Behaviour description: Delete registry key
Details: \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\{63800dac-e7ca-4df9-9a5c-20765055488d}
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}
Behaviour description: Delete registry value (IE connection settings)
Details: \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Behaviour description: Delete registry value
Details: \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\Expiration
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1\Expiration
Other behaviour
Behaviour description: Create mutex
Details: RasPbFile
SHIMLIB_LOG_MUTEX
IESQM-3796_S-1-5-21-1482476501-1645522239-1417001333-500
IExplore.Sqm.psenr
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
ConnHashTable<3796>_HashTable_Mutex
CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1645522239-1417001333-500MUTEX.DefaultS-1-5-21-1482476501-1645522239-1417001333-500
oleacc-msaa-loaded
Behaviour description: Hide specified window
Details: [Window,Class] = [上一步,Button]
[Window,Class] = [完全控制,Button]
[Window,Class] = [只读模式,Button]
[Window,Class] = [读、写,Button]
[Window,Class] = [打开卤中仙网站,Button]
[Window,Class] = [如果您有朋友或者是自己想开一家熟食店,请点击联系我们,Afx:400000:b:2301b9:1900015:0]
[Window,Class] = [超级按钮,Button]
[Window,Class] = [,SysListView32]
[Window,Class] = [第三步:权限设置:,Afx:400000:b:10011:1900015:0]
[Window,Class] = [ 您的文件夹(磁盘)已经共享,对方电脑可通过:开始-运行-“\\您的IP地址”就可以访问到本机。如果你要共享打印机,请点击共享打印机图标,右击你要共享的打印机,你就可以
[Window,Class] = [恭喜,已完成共享!,Afx:400000:b:10011:1900015:0]
[Window,Class] = [不设置权限,Button]
[Window,Class] = [,Afx:400000:b:10011:1900015:0]
[Window,Class] = [开启共享中。。。,Afx:400000:b:10011:1900015:0]
[Window,Class] = [第一步:选择共享方式:,Afx:400000:b:10011:1900015:0]
Behaviour description: Set message hook
Details: C:\WINDOWS\system32\IEFRAME.dll
Behaviour description: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [RegEdit_RegEdit,]
NtUserFindWindowEx: [Class,Window] = [,Microsoft Internet Explorer]
NtUserFindWindowEx: [Class,Window] = [IEFrame,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
NtUserFindWindowEx: [Class,Window] = [Static,]
Behaviour description: Start system service
Details: [服务已运行]: LocalSystem, Workstation, C:\WINDOWS\system32\svchost.exe -k netsvcs
[服务已运行]: LocalSystem, Computer Browser, C:\WINDOWS\system32\svchost.exe -k netsvcs
[服务已运行]: LocalSystem, Server, C:\WINDOWS\system32\svchost.exe -k netsvcs
[服务已运行]: , NetBIOS Interface, system32\DRIVERS\netbios.sys
Behaviour description: Open specified IE web page
Details: http://www.hrcygs.com
Behaviour description: Acquire system privilege
Details: SE_LOAD_DRIVER_PRIVILEGE
Behaviour description: Window information
Details: Pid = 300, Hwnd=0xa0196, Text = 下一步, ClassName = Button.
Pid = 300, Hwnd=0xc01e8, Text = 上一步, ClassName = Button.
Pid = 300, Hwnd=0xd01a4, Text = 不再显示设置向导, ClassName = Button(CheckBox).
Pid = 300, Hwnd=0xb018a, Text = 不设置权限, ClassName = Button(RadioButton).
Pid = 300, Hwnd=0xc01b2, Text = 恭喜,已完成共享!, ClassName = Afx:400000:b:10011:1900015:0.
Pid = 300, Hwnd=0xb019c, Text = 您的文件夹(磁盘)已经共享,对方电脑可通过:开始-运行-“\\您的IP地址”就可以访问到本机。如果你要共享打印机,请点击共享打印机图, ClassName = Afx:400000:b:10011:190001
Pid = 300, Hwnd=0xb01a2, Text = 第三步:权限设置:, ClassName = Afx:400000:b:10011:1900015:0.
Pid = 300, Hwnd=0xd0190, Text = 超级按钮, ClassName = Button.
Pid = 300, Hwnd=0xb0174, Text = 第一步:选择共享方式:, ClassName = Afx:400000:b:10011:1900015:0.
Pid = 300, Hwnd=0xb016c, Text = 如果您有朋友或者是自己想开一家熟食店,请点击联系我们, ClassName = Afx:400000:b:2301b9:1900015:0.
Pid = 300, Hwnd=0xb0192, Text = 打开卤中仙网站, ClassName = Button(CheckBox).
Pid = 300, Hwnd=0xb0164, Text = 读、写, ClassName = Button(RadioButton).
Pid = 300, Hwnd=0xd01ac, Text = 只读模式, ClassName = Button(RadioButton).
Pid = 300, Hwnd=0xb01ce, Text = 完全控制, ClassName = Button(RadioButton).
Pid = 300, Hwnd=0xb0170, Text = 开启局域网共享(对方访问本机要填用户名和密码), ClassName = Button(RadioButton).