VirSCAN

1. You can upload any file, but there is a 20Mb limit per file.
2. VirSCAN supports Rar/Zip decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.


File information
Safety rating: 71
Behavior list
Basic Information
MD5: 810ca3b0cee93001ee6b609d9a1ea71c
File type: EXE
Production company: 成都东软学院信息中心
Version: 1.15.9.18---1.15.9.18
Shell or compiler information:
Key behavior
Behavior description: Creates file mapping with write access
details: CiceroSharedMemDefaultS-*
Global\Cor_Private_IPCBlock_v4_1344
Global\Cor_SxSPublic_IPCBlock_1344
Global\NLS_CodePage_936_3_2_0_0
Local\UrlZonesSM_Administrator
Global\Cor_Private_IPCBlock_v4_2508
Global\Cor_SxSPublic_IPCBlock_2508
\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
MSCTF.MarshalInterface.FileMap.ANJ..FMIIH
MSCTF.MarshalInterface.FileMap.ANJ.B.FMIIH
MSCTF.MarshalInterface.FileMap.ANJ.C.FMIIH
MSCTF.MarshalInterface.FileMap.ANJ.D.FMIIH
MSCTF.MarshalInterface.FileMap.ANJ.E.FMIIH
MSCTF.MarshalInterface.FileMap.ANJ.F.FNIIH
MSCTF.MarshalInterface.FileMap.ANJ.G.FNIIH
Behavior description: Hides specified window
details: [Window,Class] = [,WindowsForms10.tooltips_class32.app.0.2bf8098_r28_ad1]
[Window,Class] = [Tip: 全新校园客户端正在加紧研发和测试,欢迎报名参与内测... Ctrl + 右方向键 可立即随机获取共享背景图及配色 在[开始]菜单按钮旁有快捷导航工具栏可供使用,WindowsForms10.tooltips_cla
Behavior description: Modifies registry - system firewall trusted (authorized) application list
details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\Temp\A3578B04.exe
Behavior description: Resolves host address by name
details: aaa.nsu.edu.cn
Process behavior
Behavior description: Creates process with hidden window
details: ImagePath = , CmdLine = "c:\windows\microsoft.net\framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"c:\documents and settings\administrator\local settings\temp\vbocldxk.cmdline"
ImagePath = , CmdLine = c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe /nologo /readonly /machine:ix86 "/out:c:\docume~1\admini~1\locals~1\temp\res4.tmp" "c:\documents and settings\administrator\local settings\temp\csc3.tmp"
ImagePath = , CmdLine = "c:\windows\microsoft.net\framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"c:\documents and settings\administrator\local settings\temp\2s2sqbrp.cmdline"
ImagePath = , CmdLine = c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe /nologo /readonly /machine:ix86 "/out:c:\docume~1\admini~1\locals~1\temp\res6.tmp" "c:\documents and settings\administrator\local settings\temp\csc5.tmp"
ImagePath = , CmdLine = "c:\windows\microsoft.net\framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"c:\documents and settings\administrator\local settings\temp\1i3vbylt.cmdline"
ImagePath = , CmdLine = c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe /nologo /readonly /machine:ix86 "/out:c:\docume~1\admini~1\locals~1\temp\res8.tmp" "c:\documents and settings\administrator\local settings\temp\csc7.tmp"
Behavior description: Creates process
details: ImagePath = C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\csc.exe, CmdLine = "C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Documents and Settings\Administrator\Local Settings\Temp\vbocldxk.cmdline"
ImagePath = C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, CmdLine = C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RES4.tmp" "c:\Documents and Settings\Administrator
ImagePath = C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\csc.exe, CmdLine = "C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Documents and Settings\Administrator\Local Settings\Temp\2s2sqbrp.cmdline"
ImagePath = C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, CmdLine = C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RES6.tmp" "c:\Documents and Settings\Administrator
ImagePath = C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\csc.exe, CmdLine = "C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Documents and Settings\Administrator\Local Settings\Temp\1i3vbylt.cmdline"
ImagePath = C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, CmdLine = C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RES8.tmp" "c:\Documents and Settings\Administrator
Behavior description: Creates process from newly created file
details: ImagePath = C:\Documents and Settings\Administrator\Local Settings\Temp\A3578B04.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\Temp\A3578B04.exe" 635809444661690000 1B255F8A4D0811B8E1EDC78D999B81B4 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\EB
Behavior description: Enumerates processes
details: N/A
File behavior
Behavior description: Creates file mapping with write access
details: CiceroSharedMemDefaultS-*
Global\Cor_Private_IPCBlock_v4_1344
Global\Cor_SxSPublic_IPCBlock_1344
Global\NLS_CodePage_936_3_2_0_0
Local\UrlZonesSM_Administrator
Global\Cor_Private_IPCBlock_v4_2508
Global\Cor_SxSPublic_IPCBlock_2508
\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
MSCTF.MarshalInterface.FileMap.ANJ..FMIIH
MSCTF.MarshalInterface.FileMap.ANJ.B.FMIIH
MSCTF.MarshalInterface.FileMap.ANJ.C.FMIIH
MSCTF.MarshalInterface.FileMap.ANJ.D.FMIIH
MSCTF.MarshalInterface.FileMap.ANJ.E.FMIIH
MSCTF.MarshalInterface.FileMap.ANJ.F.FNIIH
MSCTF.MarshalInterface.FileMap.ANJ.G.FNIIH
Behavior description: Creates executable file
details: C:\Documents and Settings\Administrator\Local Settings\Temp\vbocldxk.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\A3578B04.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\2s2sqbrp.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\1i3vbylt.dll
Behavior description: Modifies file contents
details: C:\Documents and Settings\Administrator\Local Settings\Temp\vbocldxk.0.cs---> Offset = 12288
C:\Documents and Settings\Administrator\Local Settings\Temp\vbocldxk.dll---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\vbocldxk.cmdline---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\CSC3.tmp---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RES4.tmp---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\2s2sqbrp.0.cs---> Offset = 12288
C:\Documents and Settings\Administrator\Local Settings\Temp\2s2sqbrp.dll---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\2s2sqbrp.cmdline---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\CSC5.tmp---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RES6.tmp---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\1i3vbylt.0.cs---> Offset = 12288
C:\Documents and Settings\Administrator\Local Settings\Temp\1i3vbylt.dll---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\1i3vbylt.cmdline---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\CSC7.tmp---> Offset = 0
Behavior description: Searches for file
details: FileName = C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
FileName = C:\WINDOWS\Microsoft.NET\Framework\\*
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.INI
FileName = C:\DOCUME~1
FileName = C:\Documents and Settings\ADMINI~1
FileName = C:\Documents and Settings\Administrator\LOCALS~1
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.INI
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Web.Services\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.Services.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.INI
Network behavior
Behavior description: Resolves host address by name
details: aaa.nsu.edu.cn
Registry behavior
Behavior description: Modifies registry
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Administrator\Local Settings\Temp\A3578B04.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\A3578B04.exe
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\A3578B04.exe
\REGISTRY\USER\.DEFAULT\Software\VB and VBA Program Settings\NSUAAAC\ADP
Behavior description: Modifies registry - system firewall trusted (authorized) application list
details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\Temp\A3578B04.exe
Other behavior
Behavior description: Creates mutex
details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
RasPbFile
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.ANJ
Behavior description: Hides specified window
details: [Window,Class] = [,WindowsForms10.tooltips_class32.app.0.2bf8098_r28_ad1]
[Window,Class] = [Tip: 全新校园客户端正在加紧研发和测试,欢迎报名参与内测... Ctrl + 右方向键 可立即随机获取共享背景图及配色 在[开始]菜单按钮旁有快捷导航工具栏可供使用,WindowsForms10.tooltips_cla
Behavior description: Searches for specified window
details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [OleMainThreadWndClass,]
Behavior description: Acquires system privileges
details: SE_DEBUG_PRIVILEGE
SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Reads TickCount value
details: TickCount = 548093, SleepMilliseconds = 60000.
TickCount = 548125, SleepMilliseconds = 60000.
TickCount = 548156, SleepMilliseconds = 60000.
TickCount = 548468, SleepMilliseconds = 60000.
TickCount = 548546, SleepMilliseconds = 60000.
TickCount = 548656, SleepMilliseconds = 60000.
TickCount = 548671, SleepMilliseconds = 60000.
TickCount = 548687, SleepMilliseconds = 60000.
TickCount = 548921, SleepMilliseconds = 60000.
TickCount = 489146, SleepMilliseconds = 100.
TickCount = 489287, SleepMilliseconds = 100.
TickCount = 489396, SleepMilliseconds = 100.
TickCount = 489412, SleepMilliseconds = 100.
TickCount = 489521, SleepMilliseconds = 100.
TickCount = 489631, SleepMilliseconds = 100.
Behavior description: Window information
details: Pid = 2508, Hwnd=0x302ac, Text = Tip: 全新校园客户端正在加紧研发和测试,欢迎报名参与内测... Ctrl + 右方向键 可立即随机获取共享背景图及配色 在[开始]菜单按钮旁有, ClassName = WindowsForms10.tooltips_class32.
Pid = 2508, Hwnd=0x402be, Text = NSUAAAC快捷导航工具栏, ClassName = WindowsForms10.Window.8.app.0.2bf8098_r28_ad1.
Pid = 2508, Hwnd=0x202d6, Text = 保存用户名和密码, ClassName = WindowsForms10.BUTTON.app.0.2bf8098_r28_ad1.
Pid = 2508, Hwnd=0x202c2, Text = 登陆, ClassName = WindowsForms10.BUTTON.app.0.2bf8098_r28_ad1.
Pid = 2508, Hwnd=0x202ca, Text = 用户名:, ClassName = WindowsForms10.STATIC.app.0.2bf8098_r28_ad1.
Pid = 2508, Hwnd=0x202c6, Text = 密 码:, ClassName = WindowsForms10.STATIC.app.0.2bf8098_r28_ad1.
Pid = 2508, Hwnd=0x302da, Text = 0, ClassName = WindowsForms10.STATIC.app.0.2bf8098_r28_ad1.
Pid = 2508, Hwnd=0x302b8, Text = 3, ClassName = WindowsForms10.STATIC.app.0.2bf8098_r28_ad1.
Pid = 2508, Hwnd=0x202b0, Text = r, ClassName = WindowsForms10.STATIC.app.0.2bf8098_r28_ad1.
Pid = 2508, Hwnd=0x302ba, Text = 成都东软学院 AAA 客户端, ClassName = WindowsForms10.Window.8.app.0.2bf8098_r28_ad1.
Pid = 2508, Hwnd=0x102de, Text = 确定, ClassName = Button.
Pid = 2508, Hwnd=0x102e2, Text = 用户名不能为空!, ClassName = Static.
Pid = 2508, Hwnd=0x202d2, Text = 提示, ClassName = #32770.
Pid = 2508, Hwnd=0x202d0, Text = 10-20 13:27:54 准备就绪. 10-20 13:27:54 用户名不能为空! , ClassName = WindowsForms10.STATIC.app.0.2bf8098_r28_ad1.
Pid = 2508, Hwnd=0x302d2, Text = 确定, ClassName = Button.
Behavior description: Calls Sleep function
details: [1]: MilliSeconds = 60000.
[2]: MilliSeconds = -1.
Behavior description: Inline hook
details: C:\WINDOWS\system32\ntdll.dll--->LdrFindResource_U Offset = 0x0
C:\WINDOWS\system32\ntdll.dll--->LdrAccessResource Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->LoadStringA Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->LoadStringW Offset = 0x0