VirSCAN

File information
Safety rating: 80
Behavior list
Behavior analysis report: Threatbook file behavior analysis report
Basic Information
MD5: 20c7e0396de12d823e8b1660650ad999
File type: EXE
Production company: Reimage
Version: 1.5.4.2---1.542
Shell or compiler information: COMPILER:NSIS
Subfile information:
sqlite3.exe / 91cdcea4be94624e198d3012f5442584 / EXE
xml.dll / ebce8f5e440e0be57665e1e58dfb7425 / DLL
installer-164x314.bmp / ab38fac59e7ea098a764eb3b9329186f / Unknown
IpConfig.dll / a75e3775daac9958610ce1308e0bca3b / DLL
WmiInspector.dll / 1a0b4ff3847dc729ed2ee669c8ac0519 / DLL
modern-header.bmp / bbca00f87a00ae8bdb3927d5c93d08cf / Unknown
LogEx.dll / 0f96d9eb959ad4e8fd205e6d58cf01b8 / DLL
MSIBanner.dll / a6021a83d791c4aa2b76dd61cda825b3 / DLL
inetc.dll / 5da9df435ff20853a2c45026e7681cef / DLL
registry.dll / 2b7007ed0262ca02ef69d8990815cbeb / DLL
System.dll / bf712f32249029466fa86756f5546950 / DLL
stack.dll / 867af9bea8b24c78736bf8d0fdb5a78e / DLL
nsDialogs.dll / 4ccc4a742d4423f2f0ed744fd9c81f63 / DLL
md5dll.dll / 7059f133ea2316b9e7e39094a52a8c34 / DLL
nsExec.dll / 132e6153717a7f9710dcea4536f364cd / DLL
ExecDos.dll / 0deb397ca1e716bb7b15e1754e52b2ac / DLL
ButtonEvent.dll / c24568a3b0d7c8d7761e684eb77252b5 / DLL
UserInfo.dll / c7ce0e47c83525983fd2c4c9566b4aad / DLL
Banner.dll / e264d0f91103758bc5b088e8547e0ec1 / DLL
Key behavior
Behavior description: Set special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Create file on desktop
details: C:\Documents and Settings\All Users\桌面\重新开始 Reimage Repair 安装.lnk
Behavior description: Get TickCount value
details: TickCount = 218010, SleepMilliseconds = 10.
TickCount = 218119, SleepMilliseconds = 10.
TickCount = 218135, SleepMilliseconds = 10.
TickCount = 218400, SleepMilliseconds = 10.
TickCount = 218416, SleepMilliseconds = 10.
TickCount = 218431, SleepMilliseconds = 10.
TickCount = 218447, SleepMilliseconds = 10.
TickCount = 218463, SleepMilliseconds = 10.
TickCount = 218760, SleepMilliseconds = 10.
TickCount = 219010, SleepMilliseconds = 10.
TickCount = 219209, SleepMilliseconds = 100.
TickCount = 219318, SleepMilliseconds = 100.
TickCount = 219428, SleepMilliseconds = 100.
TickCount = 219537, SleepMilliseconds = 100.
TickCount = 219646, SleepMilliseconds = 100.
Process behavior
Behavior description: Create process with hidden window
details: ImagePath = , CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsu5.tmp\ns6.tmp" cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IsProcessActive.txt
ImagePath = , CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsu5.tmp\ns7.tmp" cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IsProcessActive.txt
Behavior description: Create process
details: [0x00000f6c]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IsProcessActive.txt
[0x00000f74]ImagePath = C:\WINDOWS\system32\tasklist.exe, CmdLine = tasklist /FI "IMAGENAME eq Reimage.exe"
[0x00000fd4]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IsProcessActive.txt
[0x00000ff4]ImagePath = C:\WINDOWS\system32\tasklist.exe, CmdLine = tasklist /FI "IMAGENAME eq avupdate.exe"
[0x00000650]ImagePath = C:\WINDOWS\system32\regsvr32.exe, CmdLine = regsvr32 /s "C:\WINDOWS\system32\jscript.dll"
Behavior description: Create process from newly created file
details: [0x00000f44]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsu5.tmp\ns6.tmp, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsu5.tmp\ns6.tmp" cmd /C tasklist /FI "IMAGENAME eq Reimage.exe" > C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IsProcessActive.txt
[0x00000fc8]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsu5.tmp\ns7.tmp, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsu5.tmp\ns7.tmp" cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IsProcessActive.txt
Behavior description: Create process from downloaded file
details: [0x00000824]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ReimageRepair.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ReimageRepair.exe" /update=1 /Language=2052 /tracking=0 /campaign=0 /adgroup=0 /Ads_Name=0 /Keyword=0 /ResumeInstall=2 /RunSilent=false /pxkp=Delete /ShowName=False /StartScan=0
Behavior description: Create local thread
details: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3736, ThreadID = 3800, StartAddress = 00F41113, Parameter = 00000000
TargetProcess: tasklist.exe, InheritedFromPID = 3948, ProcessID = 3956, ThreadID = 3964, StartAddress = 77E56C7D, Parameter = 000EAC50
TargetProcess: tasklist.exe, InheritedFromPID = 3948, ProcessID = 3956, ThreadID = 3968, StartAddress = 769AE43B, Parameter = 000ED5F0
TargetProcess: tasklist.exe, InheritedFromPID = 3948, ProcessID = 3956, ThreadID = 3972, StartAddress = 77E56C7D, Parameter = 000EDD78
TargetProcess: tasklist.exe, InheritedFromPID = 3948, ProcessID = 3956, ThreadID = 4028, StartAddress = 77E56C7D, Parameter = 000F2258
TargetProcess: tasklist.exe, InheritedFromPID = 4052, ProcessID = 4084, ThreadID = 4092, StartAddress = 77E56C7D, Parameter = 000EAC50
TargetProcess: tasklist.exe, InheritedFromPID = 4052, ProcessID = 4084, ThreadID = 1924, StartAddress = 769AE43B, Parameter = 000ED5F0
TargetProcess: tasklist.exe, InheritedFromPID = 4052, ProcessID = 4084, ThreadID = 1940, StartAddress = 77E56C7D, Parameter = 000EDD78
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3736, ThreadID = 1908, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3736, ThreadID = 1984, StartAddress = 011E2710, Parameter = 00050350
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3736, ThreadID = 1748, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3736, ThreadID = 444, StartAddress = 7C930230, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3736, ThreadID = 552, StartAddress = 011E2710, Parameter = 00060350
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3736, ThreadID = 1664, StartAddress = 00F41113, Parameter = 00000000
TargetProcess: regsvr32.exe, InheritedFromPID = 3736, ProcessID = 1616, ThreadID = 1284, StartAddress = 77DC845A, Parameter = 00000000
File behavior
Behavior description: Create file
details: C:\Documents and Settings\Administrator\Local Settings\Temp\nsu3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsk4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\LogEx.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\downloader log.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\System.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\Banner.dll
C:\WINDOWS\Reimage.ini
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\UserInfo.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\sqlite3.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\nsExec.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\ns6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\IsProcessActive.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\ns7.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\inetc.dll
Behavior description: Create executable file
details: C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\LogEx.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\System.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\Banner.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\UserInfo.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\sqlite3.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\nsExec.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\ns6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\ns7.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\inetc.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\InstallationPixel.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\nsDialogs.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\registry.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\stack.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\downloader_version.xml
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\xml.dll
Behavior description: Overwrite existing file
details: C:\Documents and Settings\Administrator\Local Settings\Temp\nsk4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\ns6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\ns7.tmp
Behavior description: Search for file
details: FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsu5.tmp
FileName = C:\WINDOWS\Reimage.ini
FileName = C:\WINDOWS\eFix.ini
FileName = C:\WINDOWS\WinFix.ini
FileName = C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\profiles.ini
FileName = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies
FileName = C:\Documents and Settings\Administrator\Cookies\*.txt
FileName = C:\Documents and Settings\Administrator\Cookies\low\*.txt
FileName = C:\WINDOWS\reimage.ini
FileName = C:\DOCUME~1
Behavior description: Copy file
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsu5.tmp\nsExec.dll ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsu5.tmp\ns6.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsu5.tmp\nsExec.dll ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsu5.tmp\ns7.tmp
Behavior description: Delete file
details: C:\Documents and Settings\Administrator\Local Settings\Temp\nsu3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsk4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\IsProcessActive.txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\install_start[1].php
C:\Documents and Settings\Administrator\Local Settings\Temp\ack0.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\InstallationPixel.txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\downloader_version[1].xml
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\cdnrep_reimage_com[1]
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\Banner.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\inetc.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\installer-164x314.bmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\LogEx.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\modern-header.bmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\nsDialogs.dll
Behavior description: Modify file content
details: C:\Documents and Settings\Administrator\Local Settings\Temp\nsk4.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nsk4.tmp ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\Temp\nsk4.tmp ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\nsk4.tmp ---> Offset = 98304
C:\Documents and Settings\Administrator\Local Settings\Temp\nsk4.tmp ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\LogEx.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\LogEx.dll ---> Offset = 16384
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\LogEx.dll ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\Temp\downloader log.txt ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\System.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\downloader log.txt ---> Offset = 2
C:\Documents and Settings\Administrator\Local Settings\Temp\downloader log.txt ---> Offset = 6
C:\Documents and Settings\Administrator\Local Settings\Temp\downloader log.txt ---> Offset = 64
C:\Documents and Settings\Administrator\Local Settings\Temp\downloader log.txt ---> Offset = 68
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\Banner.dll ---> Offset = 0
Network behavior
Behavior description: Download file
details: C:\Documents and Settings\Administrator\Local Settings\Temp\InstallationPixel.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\downloader_version.xml
C:\Documents and Settings\Administrator\Local Settings\Temp\ReimageRepair.exe
Behavior description: Connect to specified site
details: InternetConnectA: ServerName = ww****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
InternetConnectA: ServerName = cd****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
Behavior description: Open HTTP connection
details: InternetOpenA: UserAgent: NSIS_Inetc (Mozilla), hSession = 0x00cc0004
Behavior description: Establish connection to a specified socket
details: URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x000002e8
URL: cd****om, IP: **.133.40.**:80, SOCKET = 0x0000036c
URL: cd****om, IP: **.133.40.**:80, SOCKET = 0x00000374
Behavior description: Read network file
details: hFile = 0x00cc000c, BytesToRead =8192, BytesRead = 8192.
Behavior description: Send HTTP packet
details: GET /includes/install_start.php?trackid=&tracking=&campaign=&minorsessionid=c57f50531f7046c3b5643119a3&sessionid=592ea464-e2cf-4e64-99e5-1285e5833d3b&t=CONSUMER&a=ENABLED&u=ENABLED&s=DISABLED&c=DISABLED&v=1542 HTTP/1.1 User-Agent: NSIS_Inetc (Mozilla) Host: ww****om Connection: Keep-Alive Cache-Control: no-cache
GET /downloader_version.xml HTTP/1.1 User-Agent: NSIS_Inetc (Mozilla) Host: cd****om Connection: Keep-Alive Cache-Control: no-cache
GET / HTTP/1.1 User-Agent: NSIS_Inetc (Mozilla) Host: cd****om Connection: Keep-Alive Cache-Control: no-cache
Behavior description: Open HTTP request
details: HttpOpenRequestA: ww****om:80/includes/install_start.php?trackid=&tracking=&campaign=&minorsessionid=c57f50531f7046c3b5643119a3&sessionid=592ea464-e2cf-4e64-99e5-1285e5833d3b&t=consumer&a=enabled&u=enabled&s=disabled&c=disabled&v=1542, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x80400000
HttpOpenRequestA: cd****om:80/downloader_version.xml, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x80400000
HttpOpenRequestA: cd****om:80/, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x80400000
Behavior description: Resolve host address by name
details: GetAddrInfoW: ww****om
GetAddrInfoW: cd****om
Registry behavior
Behavior description: Modify registry
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\MACHINE\SOFTWARE\Reimage\Reimage Repair\Installer Language
\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\
\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\
\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\
\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\
\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\
\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\
\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\
Behavior description: Delete registry value
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Behavior description: Modify registry (pending file rename entry)
details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Session Manager\PendingFileRenameOperations
Behavior description: Delete registry key
details: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}\
\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\OLEScript\
\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\
\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\OLEScript\
\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\
\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\OLEScript\
\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\
\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\OLEScript\
\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\
\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID\
Other behavior
Behavior description: Create mutex
details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
RasPbFile
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
MSCTF.Shared.MUTEX.MJO
Behavior description: Hide specified window
details: [Window,Class] = [,Button]
[Window,Class] = [,ComboLBox]
[Window,Class] = [ ,Static]
[Window,Class] = [ ,Static]
[Window,Class] = [,Static]
[Window,Class] = [Reimage PC Repair Tool 安装,#32770]
[Window,Class] = [显示细节(&D),Button]
[Window,Class] = [,SysListView32]
[Window,Class] = [< 上一步(&P),Button]
[Window,Class] = [取消(&C),Button]
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [#32770,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [OleMainThreadWndClass,]
Behavior description: Open event
details: HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
MSFT.VSA.COM.DISABLE.3956
MSFT.VSA.IEC.STATUS.6c736db0
MSFT.VSA.COM.DISABLE.4084
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
\INSTALLATION_SECURITY_HOLD
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000011
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000011
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000012
Behavior description: Adjust process token privileges
details: SE_LOAD_DRIVER_PRIVILEGE
SE_DEBUG_PRIVILEGE
Behavior description: Window information
details: Pid = 3736, Hwnd=0x10346, Text = 请稍候……, ClassName = Static.
Pid = 3736, Hwnd=0x1034a, Text = 加载中 Reimage Repair, ClassName = Static.
Pid = 3736, Hwnd=0x20342, Text = 请稍候……, ClassName = #32770.
Pid = 3736, Hwnd=0x20346, Text = 安装 >, ClassName = Button.
Pid = 3736, Hwnd=0x20344, Text = 取消(&C), ClassName = Button.
Pid = 3736, Hwnd=0x4035c, Text = , ClassName = Static.
Pid = 3736, Hwnd=0x4035e, Text = , ClassName = Static.
Pid = 3736, Hwnd=0x3036a, Text = 欢迎来到Reimage Repair设置向导, ClassName = Static.
Pid = 3736, Hwnd=0x3036c, Text = 设置向导将指导您完成安装Reimage Repair。, ClassName = Static.
Pid = 3736, Hwnd=0x3036e, Text = 点击‘安装’以开始安装并扫描电脑(建议使用)。, ClassName = Static.
Pid = 3736, Hwnd=0x10372, Text = 点击"安装"表示您同意并接受我们的许可协议、隐私政策并安装 Reimage Repair., ClassName = Static.
Pid = 3736, Hwnd=0x10374, Text = 查看许可证协议, ClassName = Button.
Pid = 3736, Hwnd=0x10376, Text = 查看隐私政策, ClassName = Button.
Pid = 3736, Hwnd=0x10378, Text = 安装完毕后不要扫描我的电脑。, ClassName = Button(CheckBox).
Pid = 3736, Hwnd=0x1037a, Text = 选择您的语言:, ClassName = Static.
Behavior description: Executable file signature information
details: C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\LogEx.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\System.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\Banner.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\UserInfo.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\sqlite3.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\nsExec.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\ns6.tmp (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\ns7.tmp (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\inetc.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\InstallationPixel.txt (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\nsDialogs.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\registry.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\stack.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\downloader_version.xml (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\xml.dll (signature verification: failed)
Behavior description: Call Sleep function
details: [1]: MilliSeconds = 10.
[2]: MilliSeconds = 10.
[3]: MilliSeconds = 10.
[4]: MilliSeconds = 10.
[5]: MilliSeconds = 100.
[6]: MilliSeconds = 100.
[7]: MilliSeconds = 100.
[8]: MilliSeconds = 100.
[9]: MilliSeconds = 100.
[10]: MilliSeconds = 100.
Behavior description: Create event object
details: EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceive.Event.MJO.IC
EventName = MSCTF.SendReceiveConection.Event.MJO.IC
Behavior description: Executable file MD5
details: C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\LogEx.dll ---> 0f96d9eb959ad4e8fd205e6d58cf01b8
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\System.dll ---> bf712f32249029466fa86756f5546950
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\Banner.dll ---> e264d0f91103758bc5b088e8547e0ec1
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\UserInfo.dll ---> c7ce0e47c83525983fd2c4c9566b4aad
C:\Documents and Settings\Administrator\Local Settings\Temp\sqlite3.exe ---> 91cdcea4be94624e198d3012f5442584
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\nsExec.dll ---> 132e6153717a7f9710dcea4536f364cd
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\ns6.tmp ---> 132e6153717a7f9710dcea4536f364cd
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\ns7.tmp ---> 132e6153717a7f9710dcea4536f364cd
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\inetc.dll ---> 5da9df435ff20853a2c45026e7681cef
C:\Documents and Settings\Administrator\Local Settings\Temp\InstallationPixel.txt ---> fe1d0ee5901dd167ee9b28eece31786c
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\nsDialogs.dll ---> 4ccc4a742d4423f2f0ed744fd9c81f63
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\registry.dll ---> 2b7007ed0262ca02ef69d8990815cbeb
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\stack.dll ---> 867af9bea8b24c78736bf8d0fdb5a78e
C:\Documents and Settings\Administrator\Local Settings\Temp\downloader_version.xml ---> fe1d0ee5901dd167ee9b28eece31786c
C:\Documents and Settings\Administrator\Local Settings\Temp\nsu5.tmp\xml.dll ---> ebce8f5e440e0be57665e1e58dfb7425
Behavior description: Open mutex
details: ShimCacheMutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
Local\!IETld!Mutex
Behavior description: Load newly dropped file
details: Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsu5.tmp\LogEx.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsu5.tmp\System.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsu5.tmp\Banner.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsu5.tmp\UserInfo.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsu5.tmp\nsExec.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsu5.tmp\inetc.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsu5.tmp\nsDialogs.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsu5.tmp\registry.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsu5.tmp\stack.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsu5.tmp\xml.dll.
Translated by Keith Miller, United States