VirSCAN

File information
Safety rating: 30
Behavior list
Basic Information
MD5: 1e7d4e0ba52d55996bc6786de7ec6c50
File type: EXE
Production company:
Version:
Shell or compiler information: PACKER:nSPack 3.1 -> North Star/Liu Xing Ping [Overlay]
Key behavior
Behavior description: Modifies existing system EXE files
details:C:\222c25ed\IE8-Setup-Full\installservices.exe---> Offset = 65536
C:\222c25ed\IE8-Setup-Full\installservices.exe---> Offset = 1956
C:\222c25ed\IE8-Setup-Full\installservices.exe---> Offset = 81847
C:\install.exe---> Offset = 65536
C:\install.exe---> Offset = 1956
C:\install.exe---> Offset = 81847
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe---> Offset = 65536
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe---> Offset = 1956
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe---> Offset = 81847
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe---> Offset = 65536
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe---> Offset = 1956
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe---> Offset = 81847
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe---> Offset = 65536
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe---> Offset = 1956
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe---> Offset = 81847
Behavior description: Sets special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache
C:\Documents and Settings\Administrator\IECompatCache
Behavior description: Hides specified windows
details:[Window,Class] = [压缩率,Static]
[Window,Class] = [正在准备文件...,#32770]
[Window,Class] = [WinRAR,WinRarWindow]
[Window,Class] = [,BrowserFrameGripperClass]
[Window,Class] = [Windows Internet Explorer,IEFrame]
[Window,Class] = [缩放级别,ToolbarWindow32]
[Window,Class] = [,msctls_progress32]
Behavior description: Modifies registry - image hijacking (Image File Execution Options Debugger values)
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\knownsvr.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ras.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SetupLD.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwproxy.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\frwstub.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravmon.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravmond.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravstub.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravtask.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccenter.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp32.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger
Behavior description: Loads a driver (standard method)
details:\??\c:\z1.tmp
Behavior description: Kills a process
details:C:\Program Files\Internet Explorer\IEXPLORE.EXE
Behavior description: Self-deletion
details:C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1446263956.605679.exe
Behavior description: Stops a system service
details:ServiceName = z1z1z1z1
Behavior description: Opens file mappings with write access
details:CiceroSharedMemDefaultS-*
\WINDOWS\system32\zh-cn\ieframe.dll.mui
Local\UrlZonesSM_Administrator
Internet Explorer Immutable Application State (00000D8C-0000-0000-0000-000000000000)
ie_lcie_main_d8c
Isolation Process Registry (B03901BD-7F83-11E5-91BE-000000000000)
Isolation Signal Registry (B03901BD-7F83-11E5-91BE-000000000000, 0)
ie_lcie_LogonMedium
Local\IEFrame!GetAsyncKeyStateSharedMem!3468
ie_lcie_ConnHashTable<3468>
DfRoot0003E40E5
AtlDebugAllocator_FileMappingNameStatic3_d8c
Internet Explorer Immutable Application State (00000838-0000-0000-0000-000000000000)
ie_lcie_main_838
Isolation Process Registry (B34BC9C1-7F83-11E5-91BE-000000000000)
Behavior description: Resolves host address by name
details:computer
wpad
Behavior description: Creates a system service
details:[服务创建成功]: z1z1z1z1, c:\z1.tmp
Behavior description: Modifies registry - startup (Run) entry
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
Process behavior
Behavior description: Creates a process with a hidden window
details:ImagePath = c:\program files\internet explorer\iexplore.exe, CmdLine = "c:\program files\internet explorer\iexplore.exe" http://www.ipshougou.com/tj.htm
ImagePath = c:\program files\internet explorer\iexplore.exe, CmdLine = "c:\program files\internet explorer\iexplore.exe" http://s43.cnzz.com/stat.php?id=1212193&web_id=1212193
Behavior description: Creates a process
details:ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\9$$.bat
ImagePath = C:\Program Files\WinRAR\winrar.exe, CmdLine = "C:\Program Files\WinRAR\winrar.exe" x -inul -ibck -p- "C:\AnalyzeControl.rar" "c:\MyRARwork"
ImagePath = C:\Program Files\WinRAR\winrar.exe, CmdLine = "C:\Program Files\WinRAR\winrar.exe" u -as -ep1 -inul -ibck "C:\AnalyzeControl.rar" "c:\MyRARwork\*.*"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /c net share X$ /del /y
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /c net share D$ /del /y
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /c net share C$ /del /y
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /c net share admin$ /del /y
ImagePath = C:\Program Files\Internet Explorer\IEXPLORE.EXE, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.ipshougou.com/tj.htm
ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net share X$ /del /y
ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net share D$ /del /y
ImagePath = C:\Program Files\Internet Explorer\IEXPLORE.EXE, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:3468 CREDAT:79873
ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net share C$ /del /y
ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net share admin$ /del /y
ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 share X$ /del /y
ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 share D$ /del /y
Behavior description: Creates a process from a newly written file
details:ImagePath = C:\WINDOWS\system32\drivers\TXPlatf0rmm.exe, CmdLine = C:\WINDOWS\system32\drivers\TXPlatf0rmm.exe
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1446263954.543741.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1446263954.543741.exe"
Behavior description: Enumerates processes
details:N/A
Behavior description: Kills a process
details:C:\Program Files\Internet Explorer\IEXPLORE.EXE
File behavior
Behavior description: Modifies existing system EXE files
details:C:\222c25ed\IE8-Setup-Full\installservices.exe---> Offset = 65536
C:\222c25ed\IE8-Setup-Full\installservices.exe---> Offset = 1956
C:\222c25ed\IE8-Setup-Full\installservices.exe---> Offset = 81847
C:\install.exe---> Offset = 65536
C:\install.exe---> Offset = 1956
C:\install.exe---> Offset = 81847
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe---> Offset = 65536
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe---> Offset = 1956
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe---> Offset = 81847
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe---> Offset = 65536
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe---> Offset = 1956
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe---> Offset = 81847
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe---> Offset = 65536
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe---> Offset = 1956
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe---> Offset = 81847
Behavior description: Creates executable files
details:C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1446263954.522977.exe.exe
C:\WINDOWS\system32\drivers\TXPlatf0rmm.exe
C:\z1.tmp
C:\MyRARwork\%temp%\1446263954.533332.exe
C:\Program Files\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe
Behavior description: Searches for files
details:FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\Desktop_1.ini
FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\9$$.bat
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\drivers
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1446263956.654240.exe
FileName = C:\WINDOWS\system32\drivers\Desktop_1.ini
FileName = X:\*.*
FileName = D:\*.*
FileName = C:\*.*
Behavior description: Opens file mappings with write access
details:CiceroSharedMemDefaultS-*
\WINDOWS\system32\zh-cn\ieframe.dll.mui
Local\UrlZonesSM_Administrator
Internet Explorer Immutable Application State (00000D8C-0000-0000-0000-000000000000)
ie_lcie_main_d8c
Isolation Process Registry (B03901BD-7F83-11E5-91BE-000000000000)
Isolation Signal Registry (B03901BD-7F83-11E5-91BE-000000000000, 0)
ie_lcie_LogonMedium
Local\IEFrame!GetAsyncKeyStateSharedMem!3468
ie_lcie_ConnHashTable<3468>
DfRoot0003E40E5
AtlDebugAllocator_FileMappingNameStatic3_d8c
Internet Explorer Immutable Application State (00000838-0000-0000-0000-000000000000)
ie_lcie_main_838
Isolation Process Registry (B34BC9C1-7F83-11E5-91BE-000000000000)
Behavior description: Renames files
details:C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1446263956.525544.exe.exe ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1446263956.525544.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\__rar_33.592 ---> C:\AnalyzeControl.rar
Behavior description: Sets special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache
C:\Documents and Settings\Administrator\IECompatCache
Behavior description: Modifies file contents
details:C:\z.tmp---> Offset = 0
C:\z1.tmp---> Offset = 0
C:\GK.TMP---> Offset = 0
C:\222c25ed\Desktop_1.ini---> Offset = 0
C:\222c25ed\Desktop_2.ini---> Offset = 0
C:\222c25ed\IE8-Setup-Full\Desktop_1.ini---> Offset = 0
C:\222c25ed\IE8-Setup-Full\Desktop_2.ini---> Offset = 0
C:\222c25ed\IE8-Setup-Full\log\Desktop_2.ini---> Offset = 0
C:\AnalyzeControl\Desktop_2.ini---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\10$$.Ico---> Offset = 0
C:\222c25ed\IE8-Setup-Full\log\Desktop_1.ini---> Offset = 0
C:\AnalyzeControl\Desktop_1.ini---> Offset = 0
C:\DiskD\Desktop_1.ini---> Offset = 0
C:\DiskX\Desktop_1.ini---> Offset = 0
C:\EasyWebSvr\Desktop_1.ini---> Offset = 0
Behavior description: Self-deletion
details:C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1446263956.605679.exe
Network behavior
Behavior description: Opens a URL over the network
details:InternetOpenUrlA: http://110.110.110.110:80/wpad.dat hInternet = 0x00000418
InternetOpenUrlA: http://110.110.110.110:80/wpad.dat hInternet = 0x000004c4
Behavior description: Connects to a specified site
details:InternetConnectA: ServerName = s43.cnzz.com, PORT = 80
Behavior description: Establishes a connection to a specified socket
details:127.0.0.1:1033
Behavior description: Reads a file from the network
details:hFile = 0x00000418, BytesToRead =4010, BytesRead = 4010.
hFile = 0x000004c4, BytesToRead =4010, BytesRead = 4010.
Behavior description: Opens an HTTP request
details:HttpOpenRequestA: s43.cnzz.com:80/stat.php?id=1212193&web_id=1212193, hConnect = 0x00000338
HttpOpenRequestA: s43.cnzz.com:80/stat.php?id=1212193&web_id=1212193, hConnect = 0x00000440
Behavior description: Resolves host address by name
details:computer
wpad
Registry behavior
Behavior description: Modifies the registry
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Recovery\Active\{B03901C0-7F83-11E5-91BE-000000000000}
\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\{63800dac-e7ca-4df9-9a5c-20765055488d}\Enable
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32\
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Recovery\Active\{B34BC9C4-7F83-11E5-91BE-000000000000}
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\Window_Placement
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTime
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeCount
Behavior description: Modifies registry - image hijacking (Image File Execution Options Debugger values)
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\knownsvr.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ras.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SetupLD.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwproxy.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\frwstub.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravmon.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravmond.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravstub.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravtask.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccenter.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp32.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger
Behavior description: Deletes registry values - IE connection settings
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Behavior description: Modifies registry - folder display attributes
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
Behavior description: Deletes registry keys
details:\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\{63800dac-e7ca-4df9-9a5c-20765055488d}
\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000
\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile
\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}
Behavior description: Modifies registry - startup (Run) entry
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
Other behavior
Behavior description: Creates mutexes
details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
WinRAR_Busy
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
SHIMLIB_LOG_MUTEX
Local\ZonesLockedCacheCounterMutex
RasPbFile
ConnHashTable<3468>_HashTable_Mutex
oleacc-msaa-loaded
Behavior description: Hides specified windows
details:[Window,Class] = [压缩率,Static]
[Window,Class] = [正在准备文件...,#32770]
[Window,Class] = [WinRAR,WinRarWindow]
[Window,Class] = [,BrowserFrameGripperClass]
[Window,Class] = [Windows Internet Explorer,IEFrame]
[Window,Class] = [缩放级别,ToolbarWindow32]
[Window,Class] = [,msctls_progress32]
Behavior description: Loads a driver (standard method)
details:\??\c:\z1.tmp
Behavior description: Searches for specified windows
details:NtUserFindWindowEx: [Class,Window] = [WinRarWindow,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behavior description: Enumerates windows
details:N/A
Behavior description: Acquires system privileges
details:SE_DEBUG_PRIVILEGE
SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Reads the TickCount value
details:TickCount = 488594, SleepMilliseconds = 1.
TickCount = 488610, SleepMilliseconds = 1.
Behavior description: Opens specified web pages in IE
details:http://www.ipshougou.com/tj.htm
http://s43.cnzz.com/stat.php?id=1212193&web_id=1212193
Behavior description: Stops a system service
details:ServiceName = z1z1z1z1
Behavior description: Creates a system service
details:[服务创建成功]: z1z1z1z1, c:\z1.tmp
Abnormal crash
Run screenshot