VirSCAN


File information
Safety rating: 78
Behavior list
Behavior analysis report: Threatbook file behavior analysis report
Basic information
MD5: f51e56baf477343044961a6e10412a4c
File type: Nsis
Producer: Mo Hong
Version: 3.2.0.0---3.2.0.0
Packer or compiler information:
Sub-file information (file name / MD5 / type):
GHOST32.EXE / e3b7d0837242ee28f6d0fdc20e804e0e / EXE
BCDBOOT.EXE / d2f9d807e1f1b684f28df58c438936ac / EXE
BOOTSECT.EXE / 9594bc046765df20f4ac8ded4d1dd5d8 / EXE
CGI.WCZ / 9aab60aa2e97d8835b1efc66c6d8c1d7 / Unknown
GP.EXE / 4b3f142c33581d255f122fa66955a6a5 / EXE
Dicon1.ico / cdf99409adaa1de82b5d06ffa80d4f37 / Unknown
[NSIS].nsi / 978b8e87e9af3d60896507cb4f6a6e17 / Unknown
Ghost64.exe / d41d8cd98f00b204e9800998ecf8427e / Unknown
HDSIZEID.EXE / d41d8cd98f00b204e9800998ecf8427e / Unknown
IMAGEX32.EXE / d41d8cd98f00b204e9800998ecf8427e / Unknown
IMAGEX64.EXE / d41d8cd98f00b204e9800998ecf8427e / Unknown
IsoCmd.exe / d41d8cd98f00b204e9800998ecf8427e / Unknown
ISODrive.sys / d41d8cd98f00b204e9800998ecf8427e / Unknown
ISODrv64.sys / d41d8cd98f00b204e9800998ecf8427e / Unknown
MARK32.EXE / d41d8cd98f00b204e9800998ecf8427e / Unknown
MARK64.EXE / d41d8cd98f00b204e9800998ecf8427e / Unknown
OSVOLNumber.exe / d41d8cd98f00b204e9800998ecf8427e / Unknown
PECMD.EXE / d41d8cd98f00b204e9800998ecf8427e / Unknown
USORT.EXE / d41d8cd98f00b204e9800998ecf8427e / Unknown
Main behaviors
Behavior: Loads a driver (standard method)
Details: \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\ISODrive.sys
Behavior: Hides specified windows
Details: [Window,Class] = [,ComboLBox]
[Window,Class] = [3.请选择目标分区:,Static]
[Window,Class] = [源分区:无,Static]
[Window,Class] = [目标分区:无,Static]
[Window,Class] = [3.请选择目标硬盘:,Static]
[Window,Class] = [源硬盘:无,Static]
[Window,Class] = [目标硬盘:无,Static]
[Window,Class] = [,Static]
[Window,Class] = [标准版 32/64位自适应,Static]
[Window,Class] = [正在搜索镜像文件,请稍候... 已用时间: 1秒,Edit]
Behavior: Terminates processes
Details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\WOW.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\USORT.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\HDSIZEID.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\ISOCMD.EXE
C:\WINDOWS\system32\CMD.EXE
Process behavior
Behavior: Creates processes with hidden windows
Details: ImagePath = , CmdLine = wow.exe
ImagePath = , CmdLine = usort.exe -mohong
ImagePath = , CmdLine = hdsizeid.exe -mohong
ImagePath = , CmdLine = isocmd.exe -number 1
ImagePath = , CmdLine = isocmd.exe -i
ImagePath = , CmdLine = isocmd.exe -change 1 z:
ImagePath = , CmdLine = cmd.exe /c ver
Behavior: Creates a process
Details: ImagePath = C:\WINDOWS\system32\CMD.EXE, CmdLine = CMD.EXE /C ver
Behavior: Creates processes from newly created files
Details: ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\PECMD.EXE, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\PECMD.EXE LOAD CGI.WCZ
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\WOW.EXE, CmdLine = WOW.EXE
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\USORT.EXE, CmdLine = USORT.EXE -mohong
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\HDSIZEID.EXE, CmdLine = HDSIZEID.EXE -mohong
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\ISOCMD.EXE, CmdLine = ISOCMD.EXE -number 1
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\ISOCMD.EXE, CmdLine = ISOCMD.EXE -i
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\ISOCMD.EXE, CmdLine = ISOCMD.EXE -change 1 Z:
Behavior: Terminates processes
Details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\WOW.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\USORT.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\HDSIZEID.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\ISOCMD.EXE
C:\WINDOWS\system32\CMD.EXE
File behavior
Behavior: Creates a writable file mapping
Details: PECMD:MSGSVR:HWND
Behavior: Renames files
Details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\IMAGEX32.EXE ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\IMAGEX.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\MARK32.EXE ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\MARK.EXE
Behavior: Creates executable files
Details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\BCDBOOT.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\BOOTSECT.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\GHOST32.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\GP.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\Ghost64.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\HDSIZEID.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\IMAGEX32.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\IMAGEX64.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\ISODrive.sys
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\ISODrv64.sys
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\IsoCmd.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\MARK32.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\MARK64.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\OSVOLNumber.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\PECMD.EXE
Behavior: Modifies file contents
Details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\cgipath.dat---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\CGI.WCZ---> Offset = 49152
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\Dicon1.ico---> Offset = 0
Registry behavior
Behavior: Modifies the registry
Details: \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\X\BaseClass
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ISODrive\Parameters\NumberOfDevices
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ISODrive\Parameters\ExcludeDrives
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ISODrive\Parameters\Device0\DRIVE
Other behavior
Behavior: Creates driver file images
Details: C:\WINDOWS\system32\drivers\fastfat.sys
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\ISODrive.sys
Behavior: Creates a mutex
Details: SHIMLIB_LOG_MUTEX
Behavior: Hides specified windows
Details: [Window,Class] = [,ComboLBox]
[Window,Class] = [3.请选择目标分区:,Static]
[Window,Class] = [源分区:无,Static]
[Window,Class] = [目标分区:无,Static]
[Window,Class] = [3.请选择目标硬盘:,Static]
[Window,Class] = [源硬盘:无,Static]
[Window,Class] = [目标硬盘:无,Static]
[Window,Class] = [,Static]
[Window,Class] = [标准版 32/64位自适应,Static]
[Window,Class] = [正在搜索镜像文件,请稍候... 已用时间: 1秒,Edit]
Behavior: Loads a driver (standard method)
Details: \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\CLDStandard\ISODrive.sys
Behavior: Acquires system privileges
Details: SE_LOAD_DRIVER_PRIVILEGE
SE_INC_BASE_PRIORITY_PRIVILEGE
Behavior: Window information
Details: Pid = 2052, Hwnd=0xa01aa, Text = P1, ClassName = #32770.
Pid = 2052, Hwnd=0xa018c, Text = 1.请选择您要进行的操作:, ClassName = Static.
Pid = 2052, Hwnd=0xe016e, Text = 还原分区, ClassName = Button(RadioButton).
Pid = 2052, Hwnd=0xa0198, Text = 备份分区, ClassName = Button(RadioButton).
Pid = 2052, Hwnd=0xd01a4, Text = 分区对拷, ClassName = Button(RadioButton).
Pid = 2052, Hwnd=0xa0196, Text = 2.请选择分区(用鼠标左键单击), ClassName = Static.
Pid = 2052, Hwnd=0xb016c, Text = 3.请选择镜像文件:, ClassName = Static.
Pid = 2052, Hwnd=0xb0174, Text = ..., ClassName = Button.
Pid = 2052, Hwnd=0xb01e0, Text = ..., ClassName = Button.
Pid = 2052, Hwnd=0xb01a2, Text = 正在搜索镜像文件,请稍候... 已用时间: 1秒, ClassName = Edit.
Pid = 2052, Hwnd=0xc01ee, Text = 3.请选择目标分区:, ClassName = Static.
Pid = 2052, Hwnd=0xc01a6, Text = 状态:, ClassName = Static.
Pid = 2052, Hwnd=0xb0200, Text = 所选操作:还原分区, ClassName = Static.
Pid = 2052, Hwnd=0xd01f6, Text = 所选分区:无, ClassName = Static.
Pid = 2052, Hwnd=0xc017a, Text = 源分区:无, ClassName = Static.
Behavior: Directly accesses a physical device
Details: \??\PhysicalDrive0