VirSCAN

File information
Safety rating: 0
Basic information
MD5: 595a470861ffa8f44f54d5400c669a31
File type: EXE
Production company:
Version:
Shell or compiler information: PACKER: FSG 2.0 -> bart/xt [Overlay]
Behavior list
Key behavior
Behavior description: Modifies existing EXE files on the system
details: C:\222c25ed\IE8-Setup-Full\installservices.exe
C:\install.exe
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe
C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe
C:\Program Files\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe
C:\Program Files\e\e.exe
Behavior description: Gets TickCount value
details: TickCount = 216329, SleepMilliseconds = 1.
TickCount = 216344, SleepMilliseconds = 1.
TickCount = 217395, SleepMilliseconds = 20.
TickCount = 217391, SleepMilliseconds = 1.
TickCount = 218344, SleepMilliseconds = 1.
TickCount = 219363, SleepMilliseconds = 20.
TickCount = 220344, SleepMilliseconds = 1.
TickCount = 221344, SleepMilliseconds = 1.
TickCount = 222363, SleepMilliseconds = 20.
TickCount = 222379, SleepMilliseconds = 20.
TickCount = 222457, SleepMilliseconds = 20.
TickCount = 222473, SleepMilliseconds = 20.
TickCount = 222488, SleepMilliseconds = 20.
TickCount = 222520, SleepMilliseconds = 20.
TickCount = 222535, SleepMilliseconds = 20.
Behavior description: Kills processes
details: C:\WINDOWS\system32\RavMon.exe
C:\WINDOWS\system32\taskmgr.exe
Behavior description: Sets special file attributes
details: C:\DiskX\setup.exe
C:\DiskD\setup.exe
C:\setup.exe
Behavior description: Creates autorun file in root directory
details: C:\DiskX\autorun.inf
C:\DiskD\autorun.inf
C:\autorun.inf
Behavior description: Sets special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\IETldCache
Behavior description: Self-deletion
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
Behavior description: Modifies registry: startup item
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\svcshare
Process behavior
Behavior description: Creates process with hidden window
details: ImagePath = , CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\62$$.bat
ImagePath = , CmdLine = cmd.exe /c net share X$ /del /y
ImagePath = , CmdLine = cmd.exe /c net share D$ /del /y
ImagePath = , CmdLine = cmd.exe /c net share C$ /del /y
ImagePath = , CmdLine = C:\WINDOWS\[unreadable; the remaining entries in this list were captured as raw binary and event-trace format-string fragments ("#type Header 0", "BufferSize, ItemULong", ...) rather than as command lines]
Behavior description: Creates process
details: [0x000009f4]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\62$$.bat
[0x00000c4c]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /c net share X$ /del /y
[0x00000c68]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /c net share D$ /del /y
[0x00000c7c]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /c net share C$ /del /y
[0x00000ca8]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /c net share admin$ /del /y
[0x00000cbc]ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net share X$ /del /y
[0x00000ccc]ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net share D$ /del /y
[0x00000ce0]ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net share C$ /del /y
[0x00000cf0]ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 share X$ /del /y
[0x00000d00]ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net share admin$ /del /y
[0x00000d10]ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 share D$ /del /y
[0x00000d18]ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 share C$ /del /y
[0x00000d20]ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 share admin$ /del /y
Behavior description: Creates process from newly created file
details: [0x00000a08]ImagePath = C:\WINDOWS\system32\drivers\spo0lsv.exe, CmdLine = C:\WINDOWS\system32\drivers\spo0lsv.exe
Behavior description: Enumerates processes
details: N/A
Behavior description: Kills processes
details: C:\WINDOWS\system32\RavMon.exe
C:\WINDOWS\system32\taskmgr.exe
Behavior description: Creates local thread
details: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2460, ThreadID = 2500, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: spo0lsv.exe, InheritedFromPID = 2460, ProcessID = 2568, ThreadID = 2584, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: spo0lsv.exe, InheritedFromPID = 2460, ProcessID = 2568, ThreadID = 2588, StartAddress = 0040A48C, Parameter = 00000000
TargetProcess: spo0lsv.exe, InheritedFromPID = 2460, ProcessID = 2568, ThreadID = 2592, StartAddress = 00403BC8, Parameter = 00CC01C8
TargetProcess: spo0lsv.exe, InheritedFromPID = 2460, ProcessID = 2568, ThreadID = 2596, StartAddress = 00403BC8, Parameter = 00CC0264
TargetProcess: spo0lsv.exe, InheritedFromPID = 2460, ProcessID = 2568, ThreadID = 2600, StartAddress = 00403BC8, Parameter = 00CC02F4
TargetProcess: spo0lsv.exe, InheritedFromPID = 2460, ProcessID = 2568, ThreadID = 2604, StartAddress = 00403BC8, Parameter = 00CC0300
TargetProcess: spo0lsv.exe, InheritedFromPID = 2460, ProcessID = 2568, ThreadID = 2608, StartAddress = 00403BC8, Parameter = 00CC030C
TargetProcess: spo0lsv.exe, InheritedFromPID = 2460, ProcessID = 2568, ThreadID = 2612, StartAddress = 00403BC8, Parameter = 00CC0318
TargetProcess: spo0lsv.exe, InheritedFromPID = 2460, ProcessID = 2568, ThreadID = 2616, StartAddress = 00403BC8, Parameter = 00CC0324
TargetProcess: spo0lsv.exe, InheritedFromPID = 2460, ProcessID = 2568, ThreadID = 2620, StartAddress = 00403BC8, Parameter = 00CC0330
TargetProcess: spo0lsv.exe, InheritedFromPID = 2460, ProcessID = 2568, ThreadID = 2624, StartAddress = 00403BC8, Parameter = 00CC033C
TargetProcess: spo0lsv.exe, InheritedFromPID = 2460, ProcessID = 2568, ThreadID = 2628, StartAddress = 00403BC8, Parameter = 00CC0348
TargetProcess: spo0lsv.exe, InheritedFromPID = 2460, ProcessID = 2568, ThreadID = 2640, StartAddress = 004061B8, Parameter = 00000000
TargetProcess: spo0lsv.exe, InheritedFromPID = 2460, ProcessID = 2568, ThreadID = 2676, StartAddress = 004061B8, Parameter = 00000000
File behavior
Behavior description: Creates file
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\instfile.exe.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\62$$.bat
C:\WINDOWS\system32\drivers\spo0lsv.exe
C:\222c25ed\Desktop_.ini
C:\222c25ed\IE8-Setup-Full\Desktop_.ini
C:\222c25ed\IE8-Setup-Full\log\Desktop_.ini
C:\DiskD\Desktop_.ini
C:\DiskX\Desktop_.ini
C:\Program Files\Desktop_.ini
C:\Program Files\Adobe\Desktop_.ini
C:\Program Files\Adobe\Reader 9.0\Desktop_.ini
C:\Program Files\Adobe\Reader 9.0\Esl\Desktop_.ini
C:\Program Files\Adobe\Reader 9.0\Reader\Desktop_.ini
C:\DiskX\setup.exe
C:\DiskD\setup.exe
Behavior description: Modifies existing EXE files on the system
details: C:\222c25ed\IE8-Setup-Full\installservices.exe
C:\install.exe
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe
C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe
C:\Program Files\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe
C:\Program Files\e\e.exe
Behavior description: Creates executable file
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\instfile.exe.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe
C:\222c25ed\IE8-Setup-Full\installservices.exe
C:\install.exe
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
C:\DiskX\setup.exe
C:\DiskD\setup.exe
C:\setup.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe
Behavior description: Modifies script file
details: C:\Documents and Settings\Administrator\Local Settings\Temp\62$$.bat ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\62$$.bat ---> Offset = 128
C:\Documents and Settings\Administrator\Local Settings\Temp\62$$.bat ---> Offset = 256
C:\Documents and Settings\Administrator\Local Settings\Temp\62$$.bat ---> Offset = 384
Behavior description: Overwrites existing file
details: C:\222c25ed\IE8-Setup-Full\installservices.exe
C:\install.exe
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe
C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe
C:\Program Files\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe
C:\Program Files\e\e.exe
Behavior description: Copies file
details: C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\222c25ed\IE8-Setup-Full\installservices.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\install.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> X:\setup.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> D:\setup.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\setup.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\Program Files\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe
Behavior description: Sets special file attributes
details: C:\DiskX\setup.exe
C:\DiskD\setup.exe
C:\setup.exe
Behavior description: Searches for file
details: FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\Desktop_.ini
FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\62$$.bat
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\drivers
FileName = C:\WINDOWS\system32\drivers\spo0lsv.exe
Behavior description: Creates autorun file in root directory
details: C:\DiskX\autorun.inf
C:\DiskD\autorun.inf
C:\autorun.inf
Behavior description: Sets special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\IETldCache
Behavior description: Modifies file contents
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\instfile.exe.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\instfile.exe.exe ---> Offset = 128
C:\Documents and Settings\Administrator\Local Settings\%temp%\instfile.exe.exe ---> Offset = 256
C:\Documents and Settings\Administrator\Local Settings\%temp%\instfile.exe.exe ---> Offset = 384
C:\Documents and Settings\Administrator\Local Settings\%temp%\instfile.exe.exe ---> Offset = 512
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> Offset = 0
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> Offset = 128
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> Offset = 256
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> Offset = 384
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> Offset = 512
C:\222c25ed\Desktop_.ini ---> Offset = 0
C:\222c25ed\IE8-Setup-Full\Desktop_.ini ---> Offset = 0
C:\222c25ed\IE8-Setup-Full\installservices.exe ---> Offset = 0
C:\222c25ed\IE8-Setup-Full\installservices.exe ---> Offset = 4096
C:\222c25ed\IE8-Setup-Full\installservices.exe ---> Offset = 8192
Behavior description: Self-deletion
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
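The file-behavior entries above show the removable-drive propagation pattern: a copy of the dropper written as setup.exe to every volume root, an autorun.inf beside it, special (hidden/system) attributes set on the copy, and Desktop_.ini markers in the folders it visited. The check below is an added example, not code from VirSCAN or from the sample's author: it scans one volume root for an autorun.inf whose launch directive points at an executable present in that root, and reports whether that target carries the hidden/system attribute and whether a Desktop_.ini marker sits next to it. The autorun.inf directives it understands (open, shellexecute, shell\<verb>\command) are the standard launch keys; the report does not show the real autorun.inf contents, so the sample root built in a temporary directory is constructed for the example.

```python
"""Scan a volume root for the autorun.inf + setup.exe propagation pattern.

Added example (not VirSCAN code). The tree built by build_sample_root() is
constructed for illustration; the real autorun.inf content is not in the report.
"""
import os
import re
import tempfile

# autorun.inf directives that launch an executable when the volume is mounted/opened.
AUTORUN_LAUNCH_KEY = re.compile(
    r'^\s*(?:open|shellexecute|shell\\\w+\\command)\s*=\s*"?([^"\r\n]+?)"?\s*$',
    re.IGNORECASE | re.MULTILINE,
)

# Windows st_file_attributes bits (same values as stat.FILE_ATTRIBUTE_HIDDEN / _SYSTEM).
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4


def autorun_targets(inf_path):
    """Return the distinct command strings an autorun.inf would run, in file order."""
    with open(inf_path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    seen = []
    for m in AUTORUN_LAUNCH_KEY.finditer(text):
        cmd = m.group(1).strip()
        if cmd not in seen:
            seen.append(cmd)
    return seen


def has_hidden_or_system_attr(path):
    """True if the file carries the Windows hidden or system attribute.

    st_file_attributes exists only on Windows; elsewhere this returns False."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM))


def scan_root(root):
    """Report autorun.inf launch targets that exist as files in `root`.

    Returns one dict per distinct target, sorted by target path."""
    inf_path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf_path):
        return []
    findings = {}
    for cmd in autorun_targets(inf_path):
        exe_path = os.path.join(root, cmd.split()[0])   # drop any arguments
        if os.path.isfile(exe_path) and exe_path not in findings:
            findings[exe_path] = {
                "autorun_inf": inf_path,
                "target": exe_path,
                "target_hidden_or_system": has_hidden_or_system_attr(exe_path),
                "desktop_ini_marker": os.path.isfile(os.path.join(root, "Desktop_.ini")),
            }
    return [findings[k] for k in sorted(findings)]


def build_sample_root(base_dir):
    """Construct a root mimicking what the report shows on C:\\, D:\\ and X:\\ (example data)."""
    root = os.path.join(base_dir, "DiskD")
    os.makedirs(root, exist_ok=True)
    with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as fh:
        fh.write("[autorun]\nopen=setup.exe\nshellexecute=setup.exe\n"
                 "shell\\Auto\\command=setup.exe\nshell=Auto\n")
    with open(os.path.join(root, "setup.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)      # placeholder bytes, not the real sample
    with open(os.path.join(root, "Desktop_.ini"), "w", encoding="utf-8") as fh:
        fh.write("")
    return root


def demo():
    """Build the sample root in a temporary directory, scan it, return targets and findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_root(tmp)
        return {"targets": autorun_targets(os.path.join(root, "autorun.inf")),
                "findings": scan_root(root)}


if __name__ == "__main__":
    for finding in demo()["findings"]:
        print(finding)
```

On a live host, call scan_root() once per mounted volume root; a hit where the target is also hidden/system and a Desktop_.ini marker is present matches all three artifacts the report lists for this sample.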
Network behavior
Behavior description: Opens URL over the network
details: InternetOpenUrlA: http://ww****om, hInternet = 0x00cc0004, Flags = 0x84000002
InternetOpenUrlA: http://ww****cn/66/up.txt, hInternet = 0x00cc0004, Flags = 0x84000002
Behavior description: Downloads file
details: URLDownloadToFileW: [unreadable; the URL and destination arguments in this list were captured as raw binary (a PE image beginning "MZ") and event-trace format-string fragments ("#type Header 0", "BufferSize, ItemULong", ...) written under C:\WINDOWS\, rather than as a URL and a file path]
Behavior description: Connects to specified site
details: InternetConnectA: ServerName = ww****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x84000002
InternetConnectA: ServerName = ww****cn, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x84000002
Behavior description: Opens HTTP connection
details: InternetOpenA: UserAgent: QQ, hSession = 0x00cc0004
Behavior description: Establishes socket connection to a specified host
details: URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x00000310
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x00000304
URL: ww****cn, IP: **.133.40.**:80, SOCKET = 0x00000358
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x0000035c
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x00000100
Behavior description: Reads network file
details: hFile = 0x00cc000c, BytesToRead = 1024, BytesRead = 1024.
Behavior description: Sends HTTP request
details: GET / HTTP/1.1 User-Agent: QQ Host: ww****om Cache-Control: no-cache
GET /66/up.txt HTTP/1.1 User-Agent: QQ Host: ww****cn Cache-Control: no-cache
Behavior description: Opens HTTP request
details: HttpOpenRequestA: ww****cn:80/66/up.txt, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000002
Behavior description: Resolves host address by name
details: GetAddrInfoW: ww****om
GetAddrInfoW: ww****cn
Registry behavior
Behavior description: Deletes registry key
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\
Behavior description: Modifies registry
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Behavior description: Modifies registry: folder option (hidden-file display setting)
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
Behavior description: Deletes registry value
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\DWFileTreeRoot
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavTask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KvMonXP
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YLive.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yassistse
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Behavior description: Modifies registry: startup item
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\svcshare
Other behavior
Behavior description: Creates mutex
details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
RasPbFile
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Local\c:!documents and settings!administrator!ietldcache!
Behavior description: Creates event object
details: EventName = Global\userenv: User Profile setup event
EventName = DINPUTWINMM
Behavior description: Deletes service
details: [DeleteService] ServiceStartName: LocalSystem, DisplayName: Security Center, BinaryPathName: C:\WINDOWS\System32\svchost.exe -k netsvcs
Behavior description: MD5 of modified executable files
details: C:\222c25ed\IE8-Setup-Full\installservices.exe ---> 3f5a55e1892fe71d9fcf92c2cf666ac4
C:\install.exe ---> c0c092580331bc5e67b2a621bfee37ca
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe ---> de590430669939846b495ca8b19aa5da
C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe ---> e3ed037b2c9641db1a1ccacb8280b707
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe ---> 9629d1a8a49372d3b674369a71f02c89
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe ---> 8aa22547ef43bffebbd05976eb868766
C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe ---> d0283402e9834b334332fefe34307b3b
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe ---> 97a0d24d270b46b8cc8d07080cc92beb
C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe ---> 553f87e01e55ac4e1083063cf9178516
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe ---> 393162aef10fd43d76114233f8231175
C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe ---> 86f77253fa8a11cb292c1365199b0886
C:\Program Files\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe ---> 1e4555ccac07bbd148042b48ae9d2aef
C:\Program Files\e\e.exe ---> 2b86c76d2723a97bf06ef432048555ea
Behavior description: Gets TickCount value
details: TickCount = 216329, SleepMilliseconds = 1.
TickCount = 216344, SleepMilliseconds = 1.
TickCount = 217395, SleepMilliseconds = 20.
TickCount = 217391, SleepMilliseconds = 1.
TickCount = 218344, SleepMilliseconds = 1.
TickCount = 219363, SleepMilliseconds = 20.
TickCount = 220344, SleepMilliseconds = 1.
TickCount = 221344, SleepMilliseconds = 1.
TickCount = 222363, SleepMilliseconds = 20.
TickCount = 222379, SleepMilliseconds = 20.
TickCount = 222457, SleepMilliseconds = 20.
TickCount = 222473, SleepMilliseconds = 20.
TickCount = 222488, SleepMilliseconds = 20.
TickCount = 222520, SleepMilliseconds = 20.
TickCount = 222535, SleepMilliseconds = 20.
Behavior description: Adjusts process token privileges
details: SE_DEBUG_PRIVILEGE
Behavior description: Opens event
details: HookSwitchHookEnabledEvent
Global\SvcctrlStartEvent_A3752DX
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
\INSTALLATION_SECURITY_HOLD
Behavior description: Signature information of modified executable files
details: C:\222c25ed\IE8-Setup-Full\installservices.exe (signature verification: failed)
C:\install.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe (signature verification: failed)
C:\Program Files\e\e.exe (signature verification: failed)
Behavior description: Executable signature information
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\instfile.exe.exe (signature verification: failed)
C:\WINDOWS\system32\drivers\spo0lsv.exe (signature verification: failed)
C:\222c25ed\IE8-Setup-Full\installservices.exe (signature verification: failed)
C:\install.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe (signature verification: failed)
C:\DiskX\setup.exe (signature verification: failed)
C:\DiskD\setup.exe (signature verification: failed)
C:\setup.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe (signature verification: failed)
Behavior description: Calls Sleep function
details: [1]: MilliSeconds = 1.
[1]: MilliSeconds = 20.
[2]: MilliSeconds = 20.
[3]: MilliSeconds = 20.
[4]: MilliSeconds = 20.
[5]: MilliSeconds = 1.
[6]: MilliSeconds = 1.
[7]: MilliSeconds = 20.
[8]: MilliSeconds = 20.
[9]: MilliSeconds = 20.
[10]: MilliSeconds = 20.
Behavior description: Stops system services
details: ServiceName = Task Scheduler
ServiceName = Windows Firewall/Internet Connection Sharing (ICS)
ServiceName = Security Center
Behavior description: Executable MD5
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\instfile.exe.exe ---> c55aeffcb6b0e72a63c0dfd13cefc637
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> 512301c535c88255c9a252fdf70b7a03
C:\222c25ed\IE8-Setup-Full\installservices.exe ---> 512301c535c88255c9a252fdf70b7a03
C:\install.exe ---> 512301c535c88255c9a252fdf70b7a03
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe ---> 512301c535c88255c9a252fdf70b7a03
C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe ---> 512301c535c88255c9a252fdf70b7a03
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe ---> 512301c535c88255c9a252fdf70b7a03
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe ---> 512301c535c88255c9a252fdf70b7a03
C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe ---> 512301c535c88255c9a252fdf70b7a03
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe ---> 512301c535c88255c9a252fdf70b7a03
C:\DiskX\setup.exe ---> 512301c535c88255c9a252fdf70b7a03
C:\DiskD\setup.exe ---> 512301c535c88255c9a252fdf70b7a03
C:\setup.exe ---> 512301c535c88255c9a252fdf70b7a03
C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe ---> 512301c535c88255c9a252fdf70b7a03
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe ---> 512301c535c88255c9a252fdf70b7a03
Behavior description: Opens mutex
details: ShimCacheMutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
Local\!IETld!Mutex
Local\c:!documents and settings!administrator!ietldcache!
Behavior description: Finds specified window
details: NtUserFindWindowEx: [Class,Window] = [,]
NtUserFindWindowEx: [Class,Window] = [msctls_statusbar32,]
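A report in this layout becomes useful for response once its behavior lists are turned into indicators that can be searched for on other hosts. The script below is an added example, not VirSCAN code: it parses the "Behavior description:" / "details:" layout used on this page into a label-to-entries map, then derives the indicators that matter here, namely the dropped binary, the administrative shares removed with net share /del, the antivirus Run values deleted, processes killed, services stopped, the persistence Run value, and the files whose recorded MD5 now equals the dropper's (that is, the executables overwritten with a copy of it). The embedded excerpt is copied from the report above using the English labels on this page; the indicator names and regular expressions are this example's own.

```python
"""Turn a VirSCAN-style behavior report into searchable indicators.

Added example, not VirSCAN code. SAMPLE_REPORT is an excerpt of the report on
this page; behavior labels follow the English translations used on the page.
"""
import re
from collections import defaultdict

SAMPLE_REPORT = """\
Behavior description: Creates process
details: [0x000009f4]ImagePath = C:\\WINDOWS\\system32\\cmd.exe, CmdLine = cmd /c C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\62$$.bat
[0x00000c4c]ImagePath = C:\\WINDOWS\\system32\\cmd.exe, CmdLine = cmd.exe /c net share X$ /del /y
[0x00000cf0]ImagePath = C:\\WINDOWS\\system32\\net1.exe, CmdLine = net1 share X$ /del /y
[0x00000d20]ImagePath = C:\\WINDOWS\\system32\\net1.exe, CmdLine = net1 share admin$ /del /y
Behavior description: Creates process from newly created file
details: [0x00000a08]ImagePath = C:\\WINDOWS\\system32\\drivers\\spo0lsv.exe, CmdLine = C:\\WINDOWS\\system32\\drivers\\spo0lsv.exe
Behavior description: Enumerates processes
details: N/A
Behavior description: Kills processes
details: C:\\WINDOWS\\system32\\RavMon.exe
C:\\WINDOWS\\system32\\taskmgr.exe
Behavior description: Deletes registry value
details: \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\KvMonXP
\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\kav
\\REGISTRY\\USER\\S-*\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer
Behavior description: Modifies registry: startup item
details: \\REGISTRY\\USER\\S-*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svcshare
Behavior description: Stops system services
details: ServiceName = Windows Firewall/Internet Connection Sharing (ICS)
ServiceName = Security Center
Behavior description: Executable MD5
details: C:\\Documents and Settings\\Administrator\\Local Settings\\%temp%\\instfile.exe.exe ---> c55aeffcb6b0e72a63c0dfd13cefc637
C:\\WINDOWS\\system32\\drivers\\spo0lsv.exe ---> 512301c535c88255c9a252fdf70b7a03
C:\\install.exe ---> 512301c535c88255c9a252fdf70b7a03
C:\\setup.exe ---> 512301c535c88255c9a252fdf70b7a03
"""

LABEL_RE = re.compile(r"^Behavior description:\s*(.+?)\s*$")
PROCESS_RE = re.compile(r"ImagePath = (.*?), CmdLine = (.*)$")
SHARE_DEL_RE = re.compile(r"\bnet1?\s+share\s+(\S+)\s+/del\b", re.IGNORECASE)
MD5_RE = re.compile(r"^(.*?) ---> ([0-9a-f]{32})$")


def parse_report(text):
    """Map each behavior label to its detail lines ('details:' prefix and N/A dropped)."""
    sections = defaultdict(list)
    label = None
    for raw in text.splitlines():
        line = raw.strip()
        m = LABEL_RE.match(line)
        if m:
            label = m.group(1)
            continue
        if label is None or not line:
            continue
        line = re.sub(r"^details:\s*", "", line)
        if line and line != "N/A":
            sections[label].append(line)
    return dict(sections)


def extract_iocs(sections):
    """Derive response-relevant indicators from the parsed sections."""
    iocs = {
        "dropped_executables": set(),
        "deleted_admin_shares": set(),
        "deleted_run_values": set(),
        "killed_processes": set(sections.get("Kills processes", [])),
        "stopped_services": set(),
        "persistence_run_values": set(sections.get("Modifies registry: startup item", [])),
        "md5_by_path": {},
    }
    for entry in sections.get("Creates process from newly created file", []):
        m = PROCESS_RE.search(entry)
        if m:
            iocs["dropped_executables"].add(m.group(1))
    for entry in sections.get("Creates process", []):
        m = PROCESS_RE.search(entry)
        s = SHARE_DEL_RE.search(m.group(2)) if m else None
        if s:
            iocs["deleted_admin_shares"].add(s.group(1).lower())
    for value in sections.get("Deletes registry value", []):
        if "\\CurrentVersion\\Run\\" in value:          # only autostart entries
            iocs["deleted_run_values"].add(value.rsplit("\\", 1)[-1])
    for entry in sections.get("Stops system services", []):
        if "=" in entry:
            iocs["stopped_services"].add(entry.split("=", 1)[1].strip())
    for entry in sections.get("Executable MD5", []):
        m = MD5_RE.match(entry)
        if m:
            iocs["md5_by_path"][m.group(1)] = m.group(2)
    return iocs


def files_replaced_by(iocs, dropper_path):
    """Paths whose recorded MD5 equals the dropper's, i.e. overwritten with a copy of it."""
    digest = iocs["md5_by_path"].get(dropper_path)
    if digest is None:
        return []
    return sorted(p for p, h in iocs["md5_by_path"].items()
                  if h == digest and p != dropper_path)


if __name__ == "__main__":
    found = extract_iocs(parse_report(SAMPLE_REPORT))
    for key, val in found.items():
        print(key, sorted(val) if isinstance(val, set) else val)
    print("replaced:", files_replaced_by(found, "C:\\WINDOWS\\system32\\drivers\\spo0lsv.exe"))
```

Feeding the full report to parse_report() instead of the excerpt yields the complete list of Adobe Reader executables that were overwritten with the dropper (every path in the "Executable MD5" list sharing spo0lsv.exe's hash), which is the list a responder needs to restore or reinstall.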