VirSCAN sandbox report
File information
Security score: 84
Basic information
MD5: 2a5d8838bdb4d404ec632318c94adc96
File type: Nsis
Publisher: NetSoft Studio
Version: 4.3.4.0
Packer/compiler:
Sub-files (name / MD5 / type):
p2pover.exe / 9c1b0c92c47a0b29b204bf7b9fe0f0f7 / EXE
p2pover.exedumpFile / 9c1b0c92c47a0b29b204bf7b9fe0f0f7 / EXE
vista.ski / b9c73e956aeded4b3c6701af637c24be / DLL
bwtest.exedumpFile / 4a5676e1de76f762df30062544d8960c / EXE
bwtest.exe / 4a5676e1de76f762df30062544d8960c / EXE
adbrowser.exedumpFile / 0855f2871e1ea978364a0ef2e54296da / EXE
adbrowser.exe / 0855f2871e1ea978364a0ef2e54296da / EXE
rsc.dll / d20d4f7bd405c2b9cdad1ab58d31e89d / DLL
rsc.dll / 19ca2e6771884f878287f3092c71d39d / DLL
office2007.ski / 6c81f596bfda0b754e3514a46ee48119 / DLL
mac-prefixes / c4360e40bdb708a0123befa66908f9b2 / Unknown
mac-prefixesdumpFile / c4360e40bdb708a0123befa66908f9b2 / Unknown
winpcap.exe / 9d31a3ce6eb9801b1948ff838001f8dd / Nsis
wpcap.dlldumpFile / a2473cc88aba67391ce7929e5c69e767 / DLL
core.dll / 9ee956aed3ec4345d382ea9be247b744 / DLL
core.dlldumpFile / 9ee956aed3ec4345d382ea9be247b744 / DLL
LiteZip.dll / e0f880d45393899af84b0855769d186a / DLL
LiteZip.dlldumpFile / e0f880d45393899af84b0855769d186a / DLL
config.dll / b0804f718ec59e3788fde392ba17b9ec / DLL
Key behaviors
Behavior: loads driver (normal load)
Details: system32\drivers\npf.sys
system32\DRIVERS\ipfltdrv.sys
\??\C:\Documents and Settings\Administrator\Application Data\p2pover\p2pfilter.sys
Behavior: creates desktop shortcut
Details: C:\Documents and Settings\All Users\桌面\P2P终结者.lnk
Behavior: sets special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior: hides specified window
Details: [Window,Class] = [,Button]
[Window,Class] = [NetSoft Studio,Static]
[Window,Class] = [NetSoft Studio ,Static]
[Window,Class] = [,Static]
[Window,Class] = [Installation complete,Static]
[Window,Class] = [Installation completed successfully.,Static]
[Window,Class] = [,#32770]
[Window,Class] = [,AfxWnd42s]
[Window,Class] = [,Shell Embedding]
[Window,Class] = [Help,Button]
[Window,Class] = [Apply(&A),Button]
[Window,Class] = [,ComboLBox]
Behavior: creates system service
Details: [Service created]: npf, system32\drivers\npf.sys
[Service already exists]: IpFilterDriver, System32\Drivers\IpFltDrv.sys
[Service created]: p2pfilter, C:\Documents and Settings\Administrator\Application Data\p2pover\p2pfilter.sys
Process behavior
Behavior: creates process with hidden window
Details: ImagePath = , CmdLine = "c:\docume~1\admini~1\locals~1\temp\nsi8.tmp\ns9.tmp" net stop npf
ImagePath = , CmdLine = "c:\docume~1\admini~1\locals~1\temp\nsi8.tmp\nsa.tmp" net start npf
Behavior: creates process
Details: ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net stop npf
ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 stop npf
ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net start npf
ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 start npf
Behavior: creates process from newly dropped file
Details: ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winpcap\winpcap.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winpcap\winpcap.exe" /S
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsi8.tmp\ns9.tmp, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsi8.tmp\ns9.tmp" net stop npf
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsi8.tmp\nsA.tmp, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsi8.tmp\nsA.tmp" net start npf
ImagePath = C:\Documents and Settings\Administrator\Application Data\p2pover\p2pover.exe, CmdLine = "C:\Documents and Settings\Administrator\Application Data\p2pover\p2pover.exe"
Behavior: enumerates processes
Details: N/A
File behavior
Behavior: drops links or shortcuts in sensitive system locations (e.g. Start Menu)
Details: C:\Documents and Settings\All Users\「开始」菜单\程序\P2P终结者\P2P终结者.lnk
C:\Documents and Settings\All Users\「开始」菜单\程序\P2P终结者\卸载P2P终结者.lnk
C:\Documents and Settings\All Users\「开始」菜单\程序\P2P终结者\宽带网络测速.lnk
C:\Documents and Settings\All Users\「开始」菜单\程序\P2P终结者\访问P2P终结者主页.url
Behavior: creates executable file
Details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa5.tmp\KillProcDLL.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa5.tmp\System.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa5.tmp\nsDialogs.dll
C:\Documents and Settings\Administrator\Application Data\p2pover\LiteUnzip.dll
C:\Documents and Settings\Administrator\Application Data\p2pover\LiteZip.dll
C:\Documents and Settings\Administrator\Application Data\p2pover\adbrowser.exe
C:\Documents and Settings\Administrator\Application Data\p2pover\bwtest.exe
C:\Documents and Settings\Administrator\Application Data\p2pover\core.dll
C:\Documents and Settings\Administrator\Application Data\p2pover\p2pfilter.sys
C:\Documents and Settings\Administrator\Application Data\p2pover\p2pover.exe
C:\Documents and Settings\Administrator\Application Data\p2pover\pvt.dll
C:\Documents and Settings\Administrator\Application Data\p2pover\stat.dll
C:\Documents and Settings\Administrator\Application Data\p2pover\update.dll
C:\Documents and Settings\Administrator\Application Data\p2pover\lang\chs\config.dll
C:\Documents and Settings\Administrator\Application Data\p2pover\lang\chs\rsc.dll
Behavior: creates desktop shortcut
Details: C:\Documents and Settings\All Users\桌面\P2P终结者.lnk
Behavior: maps file with write access
Details: \DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsi8.tmp\ns9.tmp
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsi8.tmp\nsA.tmp
\WINDOWS\system32\zh-cn\ieframe.dll.mui
Local\UrlZonesSM_Administrator
Local\!PrivacIE!SharedMem!Counter
CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
\WINDOWS\system32\zh-cn\mshtml.dll.mui
Behavior: sets special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior: modifies file content
Details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa5.tmp\modern-wizard.bmp---> Offset = 16384
C:\Documents and Settings\Administrator\Application Data\p2pover\backup.ini---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\p2pover\bwtest.ico---> Offset = 16384
C:\Documents and Settings\Administrator\Application Data\p2pover\mac-prefixes---> Offset = 49152
C:\Documents and Settings\Administrator\Application Data\p2pover\rule.dat---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\p2pover\schedule.dat---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\p2pover\setup.dat---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\p2pover\version.dat---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\p2pover\acl\WWW白名单[工作时间].acl---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\p2pover\acl\WWW黑名单模版[工作时间].acl---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\p2pover\acl\限速[工作时间].acl---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\p2pover\acl\限制P2P[工作时间].acl---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\p2pover\config\ed2k.dat---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\p2pover\config\sample.blk---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\p2pover\config\sample.wht---> Offset = 0
Network behavior
Behavior: connects to a specified socket
Details: 127.0.0.1:1043
Behavior: downloads file
Details: URLDownloadToFileW: http://www.netsoft2012.com/cfg/getconf.php?ver=4.34&lang=2052 ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\urlconf.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\urlconf.tmp
URLDownloadToFileW: ?ver=4.34&lang=2052&u=about:blank ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hpquery.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hpquery.tmp
URLDownloadToFileW: ?ver=4.34&lang=2052 ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\urltrack.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\urltrack.tmp
URLDownloadToFileW: ?ver=4.34&lang=2052 ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pvte.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pvte.tmp
Registry behavior
Behavior: modifies registry
Details: \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\X\BaseClass
\REGISTRY\MACHINE\SOFTWARE\WinPcap\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinPcapInst\UninstallString
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinPcapInst\QuietUninstallString
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinPcapInst\DisplayIcon
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinPcapInst\DisplayName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinPcapInst\DisplayVersion
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinPcapInst\Publisher
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinPcapInst\URLInfoAbout
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinPcapInst\URLUpdateInfo
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinPcapInst\VersionMajor
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinPcapInst\VersionMinor
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinPcapInst\InstalledBy
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinPcapInst\NoModify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinPcapInst\NoRepair
Behavior: modifies registry (pending file rename operations)
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\PendingFileRenameOperations
Behavior: modifies registry (service entry)
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\npf\Start
Behavior: deletes registry values (IE connection settings)
Details: \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Other behavior
Behavior: loads driver file image
Details: C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\drivers\ipfltdrv.sys
C:\Documents and Settings\Administrator\Application Data\p2pover\p2pfilter.sys
Behavior: creates mutex
Details: SHIMLIB_LOG_MUTEX
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
RasPbFile
Local\!PrivacIE!SharedMemory!Mutex
CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1645522239-1417001333-500MUTEX.DefaultS-1-5-21-1482476501-1645522239-1417001333-500
Behavior: hides specified window
Details: [Window,Class] = [,Button]
[Window,Class] = [NetSoft Studio,Static]
[Window,Class] = [NetSoft Studio ,Static]
[Window,Class] = [,Static]
[Window,Class] = [Installation complete,Static]
[Window,Class] = [Installation completed successfully.,Static]
[Window,Class] = [,#32770]
[Window,Class] = [,AfxWnd42s]
[Window,Class] = [,Shell Embedding]
[Window,Class] = [Help,Button]
[Window,Class] = [Apply(&A),Button]
[Window,Class] = [,ComboLBox]
Behavior: loads driver (normal load)
Details: system32\drivers\npf.sys
system32\DRIVERS\ipfltdrv.sys
\??\C:\Documents and Settings\Administrator\Application Data\p2pover\p2pfilter.sys
Behavior: finds specified window
Details: NtUserFindWindowEx: [Class,Window] = [#32770,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
Behavior: starts system service
Details: [Service started]: , NetGroup Packet Filter Driver, system32\drivers\npf.sys
[Service started]: , IP Traffic Filter Driver, system32\DRIVERS\ipfltdrv.sys
[Service started]: , p2pfilter, \??\C:\Documents and Settings\Administrator\Application Data\p2pover\p2pfilter.sys
Behavior: window information
Details: Pid = 3844, Hwnd=0xc016a, Text = Next(&N) >, ClassName = Button.
Pid = 3844, Hwnd=0xe0166, Text = Cancel(&C), ClassName = Button.
Pid = 3844, Hwnd=0xb01b0, Text = NetSoft Studio , ClassName = Static.
Pid = 3844, Hwnd=0xa018c, Text = NetSoft Studio, ClassName = Static.
Pid = 3844, Hwnd=0xb0170, Text = Welcome to the "P2P终结者4.34" Setup Wizard, ClassName = Static.
Pid = 3844, Hwnd=0xb01ce, Text = This wizard will guide you through the installation of "P2P终结者4.34". Before starting, it is recommended that you close all other applications. This will allow Setup to update the specified sys…, ClassName = Static.
Pid = 3844, Hwnd=0xe0180, Text = P2P终结者4.34 Setup, ClassName = #32770.
Pid = 3844, Hwnd=0xc01de, Text = < Back(&P), ClassName = Button.
Pid = 3844, Hwnd=0xc016a, Text = I Agree(&I), ClassName = Button.
Pid = 3844, Hwnd=0xa0198, Text = License Agreement, ClassName = Static.
Pid = 3844, Hwnd=0xd01a4, Text = Please review the license agreement before installing "P2P终结者4.34"., ClassName = Static.
Pid = 3844, Hwnd=0xc01ce, Text = Press [PgDn] to see the rest of the agreement., ClassName = Static.
Pid = 3844, Hwnd=0xd01b4, Text = If you accept the terms of the agreement, click [I Agree(I)] to continue. If you select [Cancel(C)], Setup will close. You must accept the agreement to install "P2P终结者4.34", ClassName = Static.
Pid = 3844, Hwnd=0xa0198, Text = Installing, ClassName = Static.
Pid = 3844, Hwnd=0xd01a4, Text = "P2P终结者4.34" is being installed, please wait..., ClassName = Static.
Behavior: acquires system privileges
Details: SE_LOAD_DRIVER_PRIVILEGE
SE_DEBUG_PRIVILEGE
SE_INC_BASE_PRIORITY_PRIVILEGE
Behavior: creates system service
Details: [Service created]: npf, system32\drivers\npf.sys
[Service already exists]: IpFilterDriver, System32\Drivers\IpFltDrv.sys
[Service created]: p2pfilter, C:\Documents and Settings\Administrator\Application Data\p2pover\p2pfilter.sys
Behavior: enumerates windows
Details: N/A
Behavior: inline hook
Details: C:\WINDOWS\system32\SHELL32.dll--->SHLockShared Offset = 0x5635161
C:\WINDOWS\system32\wpcap.dll--->pcap_get_airpcap_handle Offset = 0xe928
C:\WINDOWS\system32\packet.dll--->PacketGetAirPcapHandle Offset = 0xb478
C:\WINDOWS\system32\MFC42u.DLL--->DllUnregisterServer Offset = 0x67bf
C:\WINDOWS\system32\SHELL32.dll--->SHLockShared Offset = 0x5635319
C:\WINDOWS\system32\packet.dll--->PacketGetAirPcapHandle Offset = 0xb444
C:\WINDOWS\system32\MFC42u.DLL--->DllUnregisterServer Offset = 0x689b
C:\WINDOWS\system32\SHELL32.dll--->SHLockShared Offset = 0x56353b5
C:\WINDOWS\system32\SHELL32.dll--->SHLockShared Offset = 0x5635395
C:\WINDOWS\system32\SHELL32.dll--->SHLockShared Offset = 0x563531d
C:\WINDOWS\system32\wpcap.dll--->pcap_get_airpcap_handle Offset = 0xe920
C:\WINDOWS\system32\packet.dll--->PacketGetAirPcapHandle Offset = 0xb414
C:\WINDOWS\system32\MFC42u.DLL--->DllUnregisterServer Offset = 0x689f
C:\WINDOWS\system32\SHELL32.dll--->SHLockShared Offset = 0x5635029
C:\WINDOWS\system32\wpcap.dll--->pcap_get_airpcap_handle Offset = 0xe970
Behavior: opens image file
Details: \DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa5.tmp\modern-wizard.bmp
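The items in this report that deserve a second look before the installer is trusted are mechanical to pick out: a kernel driver (p2pfilter.sys) registered and started from a path under the user's Application Data rather than system32\drivers, the installer stopping and restarting the npf service through net.exe, SE_LOAD_DRIVER_PRIVILEGE and SE_DEBUG_PRIVILEGE being enabled, and a configuration fetch over plain HTTP from www.netsoft2012.com. All of this is consistent with a LAN bandwidth-control tool that bundles WinPcap (winpcap.exe and npf.sys both appear in the sub-file list), so the point of a triage pass is to surface these facts, not to declare a verdict. The script below is an added example, not VirSCAN's code and not part of the product analysed here; it assumes the "Behavior:" / "Details:" labels as rendered on this page, and the sample lines it parses are copied from the report above into a constructed string.

```python
import re
from urllib.parse import urlparse

# Constructed sample: Behavior/Details lines copied from the report above,
# using the English labels this page uses (assumption: a real exporter
# would emit the same two-level layout).
SAMPLE_REPORT = r"""
Behavior: creates system service
Details: [Service created]: npf, system32\drivers\npf.sys
[Service already exists]: IpFilterDriver, System32\Drivers\IpFltDrv.sys
[Service created]: p2pfilter, C:\Documents and Settings\Administrator\Application Data\p2pover\p2pfilter.sys
Behavior: creates process
Details: ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net stop npf
ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 stop npf
ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net start npf
Behavior: acquires system privileges
Details: SE_LOAD_DRIVER_PRIVILEGE
SE_DEBUG_PRIVILEGE
SE_INC_BASE_PRIORITY_PRIVILEGE
Behavior: downloads file
Details: URLDownloadToFileW: http://www.netsoft2012.com/cfg/getconf.php?ver=4.34&lang=2052 ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\urlconf.tmp
URLDownloadToFileW: ?ver=4.34&lang=2052 ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\urltrack.tmp
"""

SERVICE_RE = re.compile(r"\[Service created\]: (?P<name>[^,]+), (?P<path>.+)")
# Only net.exe lines: net.exe spawns net1.exe for the same command, and
# counting both would double every finding.
NET_RE = re.compile(r"CmdLine = net (?P<verb>stop|start) (?P<svc>\S+)")
URL_RE = re.compile(r"URLDownloadToFileW: (?P<url>\S+) ---> (?P<dest>.+)")
RISKY_PRIVS = {"SE_LOAD_DRIVER_PRIVILEGE", "SE_DEBUG_PRIVILEGE"}


def parse_report(text):
    """Group the log into {behavior: [detail, ...]}. A 'Details:' line opens
    the list and bare lines extend it until the next 'Behavior:' label."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Behavior:"):
            current = line.split(":", 1)[1].strip()
            blocks.setdefault(current, [])
        elif current is not None:
            if line.startswith("Details:"):
                line = line.split(":", 1)[1].strip()
            blocks[current].append(line)
    return blocks


def in_system_dir(path):
    """True for binaries under the Windows directory. Service ImagePaths are
    often relative to %SystemRoot% ('system32\\drivers\\npf.sys'); the loader
    reports absolute paths with the NT '\\??\\' prefix, which is stripped."""
    p = path.strip().lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.startswith("system32\\") or p.startswith("c:\\windows\\")


def triage(blocks):
    """Return (severity, message) findings for the behaviours of interest."""
    findings = []
    for detail in blocks.get("creates system service", []):
        m = SERVICE_RE.match(detail)
        if m and not in_system_dir(m["path"]):
            findings.append(("high", f"driver service '{m['name']}' registered "
                                     f"from user-writable path: {m['path']}"))
    for detail in blocks.get("creates process", []):
        m = NET_RE.search(detail)
        if m:
            findings.append(("medium", f"net.exe used to {m['verb']} service '{m['svc']}'"))
    for priv in sorted(RISKY_PRIVS & set(blocks.get("acquires system privileges", []))):
        findings.append(("medium", f"process enabled {priv}"))
    for detail in blocks.get("downloads file", []):
        m = URL_RE.match(detail)
        if m:
            u = urlparse(m["url"])
            host = u.netloc or "(host not recorded in log)"
            sev = "medium" if u.scheme == "http" else "info"
            findings.append((sev, f"{u.scheme or 'unknown-scheme'} download "
                                  f"from {host} to {m['dest'].strip()}"))
    return findings


def download_hosts(blocks):
    """Hosts contacted via URLDownloadToFileW, for an IOC or allow-list check."""
    hosts = set()
    for detail in blocks.get("downloads file", []):
        m = URL_RE.match(detail)
        if m and urlparse(m["url"]).netloc:
            hosts.add(urlparse(m["url"]).netloc)
    return sorted(hosts)


if __name__ == "__main__":
    blocks = parse_report(SAMPLE_REPORT)
    for sev, msg in triage(blocks):
        print(f"[{sev}] {msg}")
    print("download hosts:", download_hosts(blocks))
```

Two of the report's download lines carry only a query string (the host was not recorded in the log); the parser keeps them as "unknown-scheme" findings rather than guessing the origin, and leaves them out of the host list.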
Exceptions / crashes