VirSCAN

File information
Safety rating: 87
Behavior list
Basic Information
MD5: 410c22185176c0485fda6f946426028b
File type: EXE
Production company: 下载港软件站
Version: 3.0.0.1679---3.0.0.1679
Packer or compiler information: COMPILER:Free Pascal v1.06 [Overlay] *
Key behavior
Behavior description: Modify registry (install input method entries)
details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\E0200804\Ime File
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\E0200804\Layout Text
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\E0200804\Layout File
\REGISTRY\USER\S-*\Keyboard Layout\Preload\2
\REGISTRY\USER\S-*\Keyboard Layout\Preload\1
\REGISTRY\USER\DEFAULT_USER\Keyboard Layout\Preload\1
\REGISTRY\USER\DEFAULT_USER\Keyboard Layout\Preload\2
\REGISTRY\USER\DEFAULT_USER\Keyboard Layout\Preload\3
\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload\1
\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload\2
\REGISTRY\USER\S-1-5-19\Keyboard Layout\Preload\1
\REGISTRY\USER\S-1-5-19\Keyboard Layout\Preload\2
\REGISTRY\USER\S-1-5-20\Keyboard Layout\Preload\1
\REGISTRY\USER\S-1-5-20\Keyboard Layout\Preload\2
Behavior description: Block window close message
details: hWnd = 0x001e02b6, Text = 搜狗五笔输入法 3.0正式版 安装 , ClassName = #32770.
Behavior description: Drop sensitive file in system directory
details: C:\WINDOWS\system32\SogouWB.ime
Behavior description: Get window screenshot information
details: Foreground window Info: HWND = 0x000b03ba, DC = 0x01010055.
Behavior description: Get TickCount value
details: TickCount = 5461787, SleepMilliseconds = 100.
TickCount = 5461803, SleepMilliseconds = 100.
TickCount = 5462568, SleepMilliseconds = 100.
TickCount = 5462584, SleepMilliseconds = 100.
TickCount = 5463350, SleepMilliseconds = 100.
TickCount = 5463365, SleepMilliseconds = 100.
TickCount = 5467959, SleepMilliseconds = 100.
TickCount = 5467975, SleepMilliseconds = 100.
TickCount = 5468006, SleepMilliseconds = 100.
Process behavior
Behavior description: Create process with hidden window
details: ImagePath = , CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb53.tmp\ns54.tmp" icacls "C:\WINDOWS\system32\IME\SogouWB" /grant EVERYONE:F /t
Behavior description: Create process
details: [0x00000b24]ImagePath = C:\WINDOWS\system32\regsvr32.exe, CmdLine = regsvr32 /s /u "C:\WINDOWS\system32\IME\SogouWB\SogouWBImeBrokerPS.dll"
[0x00000b44]ImagePath = C:\WINDOWS\system32\regsvr32.exe, CmdLine = regsvr32 /s /i "C:\WINDOWS\system32\IME\SogouWB\SogouWBImeBrokerPS.dll"
[0x00000b4c]ImagePath = C:\WINDOWS\system32\regsvr32.exe, CmdLine = "C:\WINDOWS\system32\regsvr32.exe" /s "C:\WINDOWS\system32\SogouWBTSF.ime"
[0x00000b5c]ImagePath = C:\WINDOWS\system32\regsvr32.exe, CmdLine = regsvr32 /s /i "C:\Program Files\SogouWBInput\3.0.0.1679\SogouTSF.dll"
Behavior description: Create local thread
details: TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 1388, ThreadID = 2092, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 1388, ThreadID = 2096, StartAddress = 7C930230, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 1388, ThreadID = 2200, StartAddress = 00404A47, Parameter = 000403D2
TargetProcess: ImeUtil.exe, InheritedFromPID = 1388, ProcessID = 2832, ThreadID = 2848, StartAddress = 77DC845A, Parameter = 00000000
Behavior description: Create process from newly created file
details: [0x00000ae0]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb53.tmp\ns54.tmp, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb53.tmp\ns54.tmp" icacls "C:\WINDOWS\system32\IME\SogouWB" /grant EVERYONE:F /t
[0x00000afc]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Install.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\install.exe" -i -w
[0x00000b10]ImagePath = C:\Program Files\SogouWBInput\3.0.0.1679\ImeUtil.exe, CmdLine = "C:\Program Files\SogouWBInput\3.0.0.1679\ImeUtil.exe" -repairdict -1 -1
[0x00000b18]ImagePath = C:\WINDOWS\system32\IME\SogouWB\SogouWBImeBroker.exe, CmdLine = "C:\WINDOWS\system32\IME\SogouWB\SogouWBImeBroker.exe" -UnRegServer
[0x00000b2c]ImagePath = C:\WINDOWS\system32\IME\SogouWB\SogouWBImeBroker.exe, CmdLine = "C:\WINDOWS\system32\IME\SogouWB\SogouWBImeBroker.exe" -RegServer
[0x00000b54]ImagePath = C:\Program Files\SogouWBInput\3.0.0.1679\SkinReg.exe, CmdLine = "C:\Program Files\SogouWBInput\3.0.0.1679\SkinReg.exe" -register "C:\Program Files\SogouWBInput\3.0.0.1679"
[0x00000b64]ImagePath = C:\Program Files\SogouWBInput\3.0.0.1679\ScdReg.exe, CmdLine = "C:\Program Files\SogouWBInput\3.0.0.1679\ScdReg.exe" -cdefault
File behavior
Behavior description: Create file
details: C:\Documents and Settings\Administrator\Local Settings\Temp\nsq51.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsw52.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb53.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb53.tmp\System.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb53.tmp\modern-header.bmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb53.tmp\modern-wizard.bmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb53.tmp\ButtonLinker.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb53.tmp\nsDialogs.dll
C:\Documents and Settings\Administrator\Application Data\SogouWB\env.ini
C:\Documents and Settings\Administrator\Application Data\SogouWB\scdlist.ini
C:\Program Files\SogouWBInput\3.0.0.1679\ConfigIE.exe
C:\Program Files\SogouWBInput\3.0.0.1679\HWSignature.dll
C:\Program Files\SogouWBInput\3.0.0.1679\ImeUtil.exe
C:\Program Files\SogouWBInput\3.0.0.1679\Punctures.ini
C:\Program Files\SogouWBInput\3.0.0.1679\QQWbConfig.cupf
Behavior description: Create executable file
details: C:\Documents and Settings\Administrator\Local Settings\Temp\nsb53.tmp\System.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb53.tmp\ButtonLinker.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb53.tmp\nsDialogs.dll
C:\Program Files\SogouWBInput\3.0.0.1679\ConfigIE.exe
C:\Program Files\SogouWBInput\3.0.0.1679\HWSignature.dll
C:\Program Files\SogouWBInput\3.0.0.1679\ImeUtil.exe
C:\Program Files\SogouWBInput\3.0.0.1679\Resource.dll
C:\Program Files\SogouWBInput\3.0.0.1679\ScdReg.exe
C:\Program Files\SogouWBInput\3.0.0.1679\SkinReg.exe
C:\Program Files\SogouWBInput\3.0.0.1679\SogouTSF.dll
C:\Program Files\SogouWBInput\3.0.0.1679\SogouWB7.ime
C:\Program Files\SogouWBInput\3.0.0.1679\SogouWBSvc.exe
C:\Program Files\SogouWBInput\3.0.0.1679\SpeedMeter.exe
C:\Program Files\SogouWBInput\3.0.0.1679\UserPage.exe
C:\Program Files\SogouWBInput\3.0.0.1679\WbConfig.exe
Behavior description: Delete file
details: C:\Documents and Settings\Administrator\Local Settings\Temp\nsq51.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsw52.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb53.tmp
C:\Program Files\SogouWBInput\3.0.0.1679\Plugins64\AutoNewWord.dll
C:\Program Files\SogouWBInput\3.0.0.1679\Plugins64\BatchNewWord.dll
C:\Program Files\SogouWBInput\3.0.0.1679\Plugins64\ManualNewWord.dll
C:\Program Files\SogouWBInput\3.0.0.1679\Plugins64\PunctureModule.dll
C:\Program Files\SogouWBInput\3.0.0.1679\Plugins64\StatisticsModule.dll
C:\Program Files\SogouWBInput\3.0.0.1679\Plugins64\StrDictModule.dll
C:\Program Files\SogouWBInput\3.0.0.1679\Plugins64\WbScdModule.dll
C:\Program Files\SogouWBInput\3.0.0.1679\ZipLib64.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\SogouWB.ime
C:\Documents and Settings\Administrator\Local Settings\Temp\SogouWB64.ime
C:\Documents and Settings\Administrator\Local Settings\Temp\Install64.exe
C:\Documents and Settings\Administrator\Application Data\SogouWB\usr55.tmp
Behavior description: Overwrite existing file
details: C:\Documents and Settings\Administrator\Local Settings\Temp\nsw52.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb53.tmp\ns54.tmp
Behavior description: Copy file
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb53.tmp\nsExec.dll ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb53.tmp\ns54.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SogouWB.ime ---> C:\WINDOWS\system32\SogouWB.ime
Behavior description: Drop sensitive file in system directory
details: C:\WINDOWS\system32\SogouWB.ime
Behavior description: Find file
details: FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb53.tmp
FileName = C:\Program Files\SogouWBInput
FileName = C:\Program Files
FileName = C:\Program Files\SogouWBInput\*
FileName = C:\Program Files\SogouWBInput\*.*
FileName = C:\Program Files\SogouWBInput\3.0.0.1679\*.*
FileName = C:\Program Files\SogouWBInput\3.0.0.1679
FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
Behavior description: Rename file
details: C:\Documents and Settings\Administrator\Application Data\SogouWB.users\acc.dat.wtm.sgbak ---> C:\Documents and Settings\Administrator\Application Data\SogouWB.users\acc.dat.wtm
C:\Documents and Settings\Administrator\Application Data\SogouWB.users\acc.dat.wtm ---> C:\Documents and Settings\Administrator\Application Data\SogouWB.users\acc.dat
C:\Documents and Settings\Administrator\Application Data\SogouWB\sgim_wbusr.bin.sgbak ---> C:\Documents and Settings\Administrator\Application Data\SogouWB\sgim_wbusr.bin
C:\Documents and Settings\Administrator\Application Data\SogouWB\sgim_pyusr.bin.sgbak ---> C:\Documents and Settings\Administrator\Application Data\SogouWB\sgim_pyusr.bin
Behavior description: Modify file contents
details: C:\Documents and Settings\Administrator\Local Settings\Temp\nsw52.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nsw52.tmp ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb53.tmp\System.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nsw52.tmp ---> Offset = 55012
C:\Documents and Settings\Administrator\Local Settings\Temp\nsw52.tmp ---> Offset = 71252
C:\Documents and Settings\Administrator\Local Settings\Temp\nsw52.tmp ---> Offset = 87508
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb53.tmp\modern-header.bmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb53.tmp\modern-header.bmp ---> Offset = 16384
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb53.tmp\modern-wizard.bmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb53.tmp\modern-wizard.bmp ---> Offset = 16384
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb53.tmp\modern-wizard.bmp ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb53.tmp\modern-wizard.bmp ---> Offset = 49152
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb53.tmp\modern-wizard.bmp ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb53.tmp\ButtonLinker.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb53.tmp\nsDialogs.dll ---> Offset = 0
Registry behavior
Behavior description: Modify registry
details: \REGISTRY\MACHINE\SOFTWARE\SogouWBInput\
\REGISTRY\MACHINE\SOFTWARE\SogouWBInput\Version
\REGISTRY\MACHINE\SOFTWARE\SogouWBInput\Region
\REGISTRY\MACHINE\SOFTWARE\SogouWBInput\VersionType
\REGISTRY\MACHINE\SOFTWARE\SogouWBInput\StartMenuFolder
\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{60E38716-01BE-4AF1-8794-5B090BDA98D6}\
\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\SogouWBImeBroker.EXE\AppID
\REGISTRY\MACHINE\SOFTWARE\Classes\SogouWBImeBroker.SogouWBBroker.1\
\REGISTRY\MACHINE\SOFTWARE\Classes\SogouWBImeBroker.SogouWBBroker.1\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\SogouWBImeBroker.SogouWBBroker\
\REGISTRY\MACHINE\SOFTWARE\Classes\SogouWBImeBroker.SogouWBBroker\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\SogouWBImeBroker.SogouWBBroker\CurVer\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6891650-D273-4F34-84FF-BAC043EC8956}\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6891650-D273-4F34-84FF-BAC043EC8956}\AppId
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6891650-D273-4F34-84FF-BAC043EC8956}\ProgID\
Behavior description: Modify registry (pending file rename entry)
details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Session Manager\PendingFileRenameOperations
Behavior description: Delete registry key (install input method entries)
details: \REGISTRY\USER\S-*\Keyboard Layout\Preload\
\REGISTRY\USER\DEFAULT_USER\Keyboard Layout\Preload\
\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload\
\REGISTRY\USER\S-1-5-19\Keyboard Layout\Preload\
\REGISTRY\USER\S-1-5-20\Keyboard Layout\Preload\
Behavior description: Modify registry (install input method entries)
details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\E0200804\Ime File
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\E0200804\Layout Text
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\E0200804\Layout File
\REGISTRY\USER\S-*\Keyboard Layout\Preload\2
\REGISTRY\USER\S-*\Keyboard Layout\Preload\1
\REGISTRY\USER\DEFAULT_USER\Keyboard Layout\Preload\1
\REGISTRY\USER\DEFAULT_USER\Keyboard Layout\Preload\2
\REGISTRY\USER\DEFAULT_USER\Keyboard Layout\Preload\3
\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload\1
\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload\2
\REGISTRY\USER\S-1-5-19\Keyboard Layout\Preload\1
\REGISTRY\USER\S-1-5-19\Keyboard Layout\Preload\2
\REGISTRY\USER\S-1-5-20\Keyboard Layout\Preload\1
\REGISTRY\USER\S-1-5-20\Keyboard Layout\Preload\2
Other behavior
Behavior description: Create mutex
details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
搜狗五笔输入法 3.0正式版
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.EJ
Local\mutex_file_0x00160064.wb
Local\mutex_file_0x00730051.wb
oleacc-msaa-loaded
Local\wbfilemap_mutex.wb
Local\sgfmWbVRMutex.wb
Local\sgime_wbuser_lock.wb
Behavior description: Hide specified window
details: [Window,Class] = [,Button]
[Window,Class] = [搜狗五笔输入法,Static]
[Window,Class] = [搜狗五笔输入法 ,Static]
[Window,Class] = [,Static]
[Window,Class] = [,Auto-Suggest Dropdown]
[Window,Class] = [显示细节(&D),Button]
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [#32770,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [SysListView32,]
Behavior description: Open event
details: HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000053
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000053
MSCTF.SendReceiveConection.Event.ELH.IC
MSCTF.SendReceive.Event.ELH.IC
Behavior description: Get TickCount value
details: TickCount = 5461787, SleepMilliseconds = 100.
TickCount = 5461803, SleepMilliseconds = 100.
TickCount = 5462568, SleepMilliseconds = 100.
TickCount = 5462584, SleepMilliseconds = 100.
TickCount = 5463350, SleepMilliseconds = 100.
TickCount = 5463365, SleepMilliseconds = 100.
TickCount = 5467959, SleepMilliseconds = 100.
TickCount = 5467975, SleepMilliseconds = 100.
TickCount = 5468006, SleepMilliseconds = 100.
Behavior description: Adjust process token privileges
details: SE_LOAD_DRIVER_PRIVILEGE
SE_RESTORE_PRIVILEGE
SE_BACKUP_PRIVILEGE
Behavior description: Block window close message
details: hWnd = 0x001e02b6, Text = 搜狗五笔输入法 3.0正式版 安装 , ClassName = #32770.
Behavior description: Window information
details: Pid = 1388, Hwnd=0x140306, Text = 下一步(&N) >, ClassName = Button.
Pid = 1388, Hwnd=0xa03b0, Text = 取消(&C), ClassName = Button.
Pid = 1388, Hwnd=0x603c6, Text = 搜狗五笔输入法 , ClassName = Static.
Pid = 1388, Hwnd=0xc038a, Text = 搜狗五笔输入法, ClassName = Static.
Pid = 1388, Hwnd=0xb03ba, Text = 访问96IE导航网, ClassName = Static.
Pid = 1388, Hwnd=0xa03ac, Text = 欢迎使用 “搜狗五笔输入法 3.0正式版”, ClassName = Static.
Pid = 1388, Hwnd=0x100398, Text = 这个向导将指引你完成“搜狗五笔输入法 3.0正式版”的安装进程。 在开始安装之前,建议先关闭其他所有应用程序。这将允许“安装程序”更新指定的系统文件,而不需要重新启动你的计算机。 单击 [下一步(N)] 继续。, ClassName = Static.
Pid = 1388, Hwnd=0x1e02b6, Text = 搜狗五笔输入法 3.0正式版 安装, ClassName = #32770.
Pid = 1388, Hwnd=0x60380, Text = < 上一步(&P), ClassName = Button.
Pid = 1388, Hwnd=0x140306, Text = 我接受(I), ClassName = Button.
Pid = 1388, Hwnd=0x403ca, Text = 许可证协议, ClassName = Static.
Pid = 1388, Hwnd=0x6037e, Text = 在安装“搜狗五笔输入法 3.0正式版”之前,请阅读授权协议。, ClassName = Static.
Pid = 1388, Hwnd=0x110398, Text = 按 [PgDn] 阅读“授权协议”的其余部分。, ClassName = Static.
Pid = 1388, Hwnd=0x2002fe, Text = 如果你接受协议中的条款,单击 [我接受(I)] 继续安装。如果你选定 [取消(C)] ,安装程序将会关闭。必须接受协议才能安装“搜狗五笔输入法 3.0正式版”。, ClassName = Static.
Pid = 1388, Hwnd=0x140306, Text = 安装(&I), ClassName = Button.
Behavior description: Get window screenshot information
details: Foreground window Info: HWND = 0x000b03ba, DC = 0x01010055.
Behavior description: Executable file signature information
details: C:\Documents and Settings\Administrator\Local Settings\Temp\nsb53.tmp\System.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb53.tmp\ButtonLinker.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb53.tmp\nsDialogs.dll (signature verification: passed)
C:\Program Files\SogouWBInput\3.0.0.1679\ConfigIE.exe (signature verification: passed)
C:\Program Files\SogouWBInput\3.0.0.1679\HWSignature.dll (signature verification: passed)
C:\Program Files\SogouWBInput\3.0.0.1679\ImeUtil.exe (signature verification: passed)
C:\Program Files\SogouWBInput\3.0.0.1679\Resource.dll (signature verification: passed)
C:\Program Files\SogouWBInput\3.0.0.1679\ScdReg.exe (signature verification: passed)
C:\Program Files\SogouWBInput\3.0.0.1679\SkinReg.exe (signature verification: passed)
C:\Program Files\SogouWBInput\3.0.0.1679\SogouTSF.dll (signature verification: passed)
C:\Program Files\SogouWBInput\3.0.0.1679\SogouWB7.ime (signature verification: passed)
C:\Program Files\SogouWBInput\3.0.0.1679\SogouWBSvc.exe (signature verification: passed)
C:\Program Files\SogouWBInput\3.0.0.1679\SpeedMeter.exe (signature verification: passed)
C:\Program Files\SogouWBInput\3.0.0.1679\UserPage.exe (signature verification: passed)
C:\Program Files\SogouWBInput\3.0.0.1679\WbConfig.exe (signature verification: passed)
Behavior description: Call Sleep function
details: [1]: MilliSeconds = 100.
Behavior description: Create event object
details: EventName = MSCTF.SendReceive.Event.EJ.IC
EventName = MSCTF.SendReceiveConection.Event.EJ.IC
EventName = ShellCopyEngineRunning
EventName = ShellCopyEngineFinished
EventName = Global\userenv: User Profile setup event
EventName = Local\sgwbime_repairdict_et
Behavior description: Executable file MD5 hashes
Behavior description: Open mutex
details: ShimCacheMutex
Local\mutex_file_0x00160064.wb
Local\mutex_file_0x00730051.wb
Local\wbfilemap_mutex.wb
Local\sgfmWbVRMutex.wb
Local\sgime_wbuser_lock.wb
Local\mutex_file_0x0009001B.wb
Local\mutex_file_0x00490049.wb
Local\WbUsrDict.mutex.sogouime.wb
Local\mutex_file_0x002B001C.wb
Local\mutex_file_0x00030046.wb
Local\PyUsrDict.mutex.sogouime.wb
Local\mutex_file_0x0030001B.wb
Local\mutex_file_0x00180041.wb
Behavior description: Load newly dropped file
details: Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb53.tmp\System.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb53.tmp\ButtonLinker.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb53.tmp\nsDialogs.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb53.tmp\nsExec.dll.
Image: C:\WINDOWS\system32\IME\SogouWB\SogouWBImeBrokerPS.dll.
Image: C:\Program Files\SogouWBInput\3.0.0.1679\SogouTSF.dll.
Image: C:\Program Files\SogouWBInput\3.0.0.1679\HWSignature.dll.
Run screenshot