VirSCAN

1, You can upload any file, but there is a 20 MB limit per file.
2, VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3, VirSCAN can scan password-protected archives whose password is 'infected' or 'virus'.


File information
Safety rating: 41
Behavior list
Basic Information
MD5: 5d877c8694f049e028a5b5990cd7f727
File type: EXE
Production company: Microsoft Corporation
Version: 5.2.3790.4566---5.2.3790.4566 (srv03_sp2_qfe.090805-1438)
Shell or compiler information: COMPILER: Microsoft Visual C++ 6.0 [Overlay]
Key behavior
Behavior description:Modify existing system EXE files
details:C:\install.exe
C:\222c25ed\IE8-Setup-Full\IE-REDIST.EXE
C:\222c25ed\IE8-Setup-Full\installservices.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\ARPPRODUCTICON.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut2_E88611396FF84AFCB2EE5C1594058E02.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\npprintscreen.dll
Behavior description:Write data into another process
details:C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\alg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tencent\QQ\Bin\QQ.exe
C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\PersonalBankPortal.exe
C:\%temp%\1459826526.066243.exe
C:\%temp%\1459826526.066529.exe
C:\%temp%\1459826526.066813.exe
Behavior description:Install message hook
details:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\jka3.tmp
Behavior description:Create remote thread
details:C:\WINDOWS\system32\winlogon.exe
Behavior description:Read TickCount value
details:TickCount = 487188, SleepMilliseconds = 1.
TickCount = 490516, SleepMilliseconds = 1.
Behavior description:Self-delete
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\1459826526.049322.exe
Behavior description:Disable system file protection
details:N/A
Behavior description:Set special file attributes
details:C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\ARPPRODUCTICON.EXE
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\ARPPRODUCTICON.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NEWSHORTCUT1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.EXE
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NEWSHORTCUT2_E88611396FF84AFCB2EE5C1594058E02.EXE
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut2_E88611396FF84AFCB2EE5C1594058E02.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NEWSHORTCUT311_0951773981FA4AB2BC21B7DCEC95892A.EXE
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NEWSHORTCUT31_2F252077BA3F4362913955273A708467.EXE
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
Behavior description:Detect virtual machine by searching for files
details:FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Application Data\VMware\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VBoxGuestAdditions\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VMwareDnD\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\All Users\Application Data\VMware\*.*
Behavior description:Modify registry: system firewall authorized application list
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINDOWS\system32\winlogon.exe
Behavior description:Write to code section of another process
details:C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x00401A25, EntryPoint = 0x00401A25
Behavior description:Set special folder attributes
details:C:\DiskX\RECYCLER
Behavior description:Modify another process's memory via memory mapping
details:TargetProcess = [System Process]
TargetProcess = DesktopLayer.exe
TargetProcess = iexplore.exe
TargetProcess = fhitkbymjs
Behavior description:Modify registry: startup entry
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Process behavior
Behavior description:Write data into another process
details:C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\alg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tencent\QQ\Bin\QQ.exe
C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\PersonalBankPortal.exe
C:\%temp%\1459826526.066243.exe
C:\%temp%\1459826526.066529.exe
C:\%temp%\1459826526.066813.exe
Behavior description:Create process from newly created file
details:ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe"
ImagePath = C:\Program Files\Microsoft\DesktopLayer.exe, CmdLine = "C:\Program Files\Microsoft\DesktopLayer.exe"
ImagePath = c:\documents and settings\administrator\local settings\temp\fhitkbymjs, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\1459826525.908978.exe" a -sc:\documents and settings\administrator\local settings\%temp%\1459826525.908978.exe
Behavior description:Create process
details:ImagePath = C:\Program Files\Internet Explorer\IEXPLORE.EXE, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Behavior description:Create remote thread
details:C:\WINDOWS\system32\winlogon.exe
Behavior description:Enumerate processes
details:N/A
Behavior description:Write to code section of another process
details:C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x00401A25, EntryPoint = 0x00401A25
Behavior description:Create local thread
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\1459826526.031981.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\1459826526.032304.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Microsoft\DesktopLayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\fhitkbymjs
C:\WINDOWS\system32\svchost.exe
Behavior description:Process exit
details:N/A
Behavior description:Modify another process's memory via memory mapping
details:TargetProcess = [System Process]
TargetProcess = DesktopLayer.exe
TargetProcess = iexplore.exe
TargetProcess = fhitkbymjs
File behavior
Behavior description:Create file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\jka3.tmp
C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe
C:\Program Files\Microsoft\px4.tmp
C:\Program Files\Microsoft\DesktopLayer.exe
C:\Program Files\Internet Explorer\dmlconf.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\fhitkbymjs
C:\Documents and Settings\Administrator\Local Settings\%temp%\xbydyhmog
C:\Documents and Settings\Administrator\Local Settings\Temp\irnrmpkrtt.dat
C:\WINDOWS\system32\f5859b27.rdb
C:\WINDOWS\system32\tviwotqwpj
C:\WINDOWS\system32\tewpvwsudf
Behavior description:Modify existing system EXE files
details:C:\install.exe
C:\222c25ed\IE8-Setup-Full\IE-REDIST.EXE
C:\222c25ed\IE8-Setup-Full\installservices.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\ARPPRODUCTICON.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut2_E88611396FF84AFCB2EE5C1594058E02.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\npprintscreen.dll
Behavior description:Create executable file
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe
C:\Program Files\Microsoft\DesktopLayer.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\fhitkbymjs
C:\Documents and Settings\Administrator\Local Settings\Temp\irnrmpkrtt.dat
Behavior description:Delete file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\Kno1.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\KnoC.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\KnoD.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF4F53.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF5D7F.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF9415.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF949B.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF94ED.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF94F2.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF951A.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF951F.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF99D8.tmp
C:\Program Files\Microsoft\px4.tmp
C:\Documents and Settings\Administrator\Local Settings\%temp%\xbydyhmog
C:\Documents and Settings\Administrator\Local Settings\Temp\fhitkbymjs
Behavior description:Overwrite existing file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\jka3.tmp
C:\Program Files\Microsoft\px4.tmp
C:\Program Files\Internet Explorer\dmlconf.dat
Behavior description:Copy file
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe ---> C:\Program Files\Microsoft\DesktopLayer.exe
c:\documents and settings\administrator\local settings\%temp%\1459826526.082914.exe ---> c:\documents and settings\administrator\local settings\temp\fhitkbymjs
Behavior description:Modify executable file via memory mapping
details:\device\harddiskvolume1\documents and settings\administrator\application data\sogouexplorer\extension\com.sogou.snaptaker\0.4.2\npprintscreen.dll
Behavior description:Set special file attributes
details:C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\ARPPRODUCTICON.EXE
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\ARPPRODUCTICON.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NEWSHORTCUT1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.EXE
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NEWSHORTCUT2_E88611396FF84AFCB2EE5C1594058E02.EXE
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut2_E88611396FF84AFCB2EE5C1594058E02.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NEWSHORTCUT311_0951773981FA4AB2BC21B7DCEC95892A.EXE
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NEWSHORTCUT31_2F252077BA3F4362913955273A708467.EXE
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
Behavior description:Search for files
details:FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe
FileName = KERNEL32.DLL
FileName = C:\WINDOWS\system32\dllcache\*.scr
FileName = C:\*.exe
FileName = C:\Program Files\Internet Explorer\IEXPLORE.EXE
FileName = C:\Program Files\Internet Explorer\iexplore.exe
FileName = C:\*.scr
FileName = C:\*.*
FileName = C:\222c25ed\*.exe
FileName = C:\222c25ed\*.scr
FileName = C:\222c25ed\*.*
FileName = C:\222c25ed\IE8-Setup-Full\*.exe
FileName = C:\222c25ed\IE8-Setup-Full\*.*
Behavior description:Rename file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\irnrmpkrtt.dat ---> C:\Documents and Settings\All Users\Application Data\Storm\update\%SESSIONNAME%\ekpwi.cc3
Behavior description:Set special folder attributes
details:C:\DiskX\RECYCLER
Behavior description:Modify file contents
details:C:\Documents and Settings\Administrator\Local Settings\Temp\jka3.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\jka3.tmp ---> Offset = 10240
C:\Documents and Settings\Administrator\Local Settings\Temp\jka3.tmp ---> Offset = 20480
C:\Documents and Settings\Administrator\Local Settings\Temp\jka3.tmp ---> Offset = 30720
C:\Documents and Settings\Administrator\Local Settings\Temp\jka3.tmp ---> Offset = 40960
C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe ---> Offset = 0
C:\Program Files\Microsoft\DesktopLayer.exe ---> Offset = 0
C:\Program Files\Microsoft\DesktopLayer.exe ---> Offset = 65536
C:\install.exe ---> Offset = 496092
C:\install.exe ---> Offset = 496440
C:\install.exe ---> Offset = 1152
C:\install.exe ---> Offset = 248
C:\install.exe ---> Offset = 496
C:\Program Files\Microsoft\DesktopLayer.exe ---> Offset = 4096
C:\install.exe ---> Offset = 0
Behavior description:Self-delete
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\1459826526.049322.exe
Behavior description:Modify newly created executable file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\fhitkbymjs
C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe
Network behavior
Behavior description:Establish connection to a specified socket
details:URL: il********pl, IP: <FAKE_SERVER_IP>:80, SOCKET = 0x000003c0
URL: go******om, IP: <FAKE_SERVER_IP>:80, SOCKET = 0x0000011c
URL: fg***********om, IP: <FAKE_SERVER_IP>:443, SOCKET = 0x00000128
URL: se**********et, IP: <FAKE_SERVER_IP>:6666, SOCKET = 0x000015dc
URL: an********pl, IP: <FAKE_SERVER_IP>:80, SOCKET = 0x000003fc
Behavior description:Resolve host address by name
details:gethostbyname: il********pl
gethostbyname: go******om
gethostbyname: fg***********om
gethostbyname: co*********cn
gethostbyname: se**********et
gethostbyname: an********pl
Registry behavior
Behavior description:Delete registry key
details:\REGISTRY\MACHINE\SOFTWARE\xbydyhmog
\REGISTRY\MACHINE\SOFTWARE\xbydyhmogr\Parameters
\REGISTRY\MACHINE\SOFTWARE\xbydyhmogr
Behavior description:Restore registry key from configuration file
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\HidServ\Parameters
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Comhidserv70
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\HidServ
Behavior description:Modify registry
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-*\RefCount
\REGISTRY\MACHINE\SOFTWARE\xbydyhmogr\Parameters\ServiceDll
\REGISTRY\MACHINE\SOFTWARE\xbydyhmogr\DependOnService
\REGISTRY\MACHINE\SOFTWARE\xbydyhmogr\Description
\REGISTRY\MACHINE\SOFTWARE\xbydyhmogr\DisplayName
\REGISTRY\MACHINE\SOFTWARE\xbydyhmogr\ErrorControl
\REGISTRY\MACHINE\SOFTWARE\xbydyhmogr\ImagePath
\REGISTRY\MACHINE\SOFTWARE\xbydyhmogr\ObjectName
\REGISTRY\MACHINE\SOFTWARE\xbydyhmogr\Start
\REGISTRY\MACHINE\SOFTWARE\xbydyhmogr\Type
\REGISTRY\MACHINE\SOFTWARE\xbydyhmogr\FailureActions
\REGISTRY\MACHINE\SOFTWARE\xbydyhmog\seRVicemAIN
\REGISTRY\MACHINE\SOFTWARE\xbydyhmog\seRVicedlL
\REGISTRY\MACHINE\SOFTWARE\xbydyhmog\module
Behavior description:Modify registry: system firewall authorized application list
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\??\C:\WINDOWS\system32\winlogon.exe
Behavior description:Delete registry value
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\HidServ\Parameters\Module
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\HidServ\dElEtEflAG
Behavior description:Modify registry: startup entry
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Other behavior
Behavior description:Create mutex
details:KyUffThOkYwRRtgPP
eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-18
Global\b24014446_6666j
Behavior description:Enumerate network shares
details:N/A
Behavior description:Create event object
details:EventName = Global\ki761D53A2ll
EventName = KERNEL32.DLL
EventName = MSCTF.SendReceiveConection.Event.MJH.IC
EventName = Global\killllllllllll
EventName = MSCTF.SendReceive.Event.ELH.IC
EventName = MSCTF.SendReceiveConection.Event.ELH.IC
EventName = Global\kiF319FB1Cll
EventName = removeservice
EventName = CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000012
EventName = CTF.ThreadMIConnectionEvent.000007B4.00000000.00000012
Behavior description:MD5 of modified executable files
details:C:\install.exe ---> ab0387901884ae8b40a835244eec07eb
C:\222c25ed\IE8-Setup-Full\IE-REDIST.EXE ---> 文件过大!
C:\222c25ed\IE8-Setup-Full\installservices.exe ---> d457cc8ab5fbf52f3bebcb1fa56da2f1
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\ARPPRODUCTICON.exe ---> e4f75228d592bb229f24db4a5b60fd65
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe ---> b848e5006244ecedcdd445dab3055842
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut2_E88611396FF84AFCB2EE5C1594058E02.exe ---> b2a10546d33b51a3afc36ae7ea104253
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe ---> 68187ea5ae2b74d9ea8b6f1ac1356edc
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut31_2F252077BA3F4362913955273A708467.exe ---> fc60ab2ad4c4a14830eb752a0c46fddf
C:\Documents and Settings\Administrator\Local Settings\Temp\fhitkbymjs ---> 文件过大!
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\npprintscreen.dll ---> 0fc91e7727156da6c11be31b1ff1f0ed
C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe ---> 5406dfa369dc0f6d077b92259a35e95d
Behavior description:Start system service
details:[服务启动成功]: LocalSystem, Human Interface Device Access, C:\WINDOWS\System32\svchost.exe -k netsvcs
Behavior description:Disable system file protection
details:N/A
Behavior description:Acquire system privileges
details:SE_DEBUG_PRIVILEGE
SE_TAKE_OWNERSHIP_PRIVILEGE
SE_RESTORE_PRIVILEGE
SE_BACKUP_PRIVILEGE
SE_CHANGE_NOTIFY_PRIVILEGE
SE_TCB_PRIVILEGE
SE_SECURITY_PRIVILEGE
SE_LOAD_DRIVER_PRIVILEGE
Behavior description:Read TickCount value
details:TickCount = 487188, SleepMilliseconds = 1.
TickCount = 490516, SleepMilliseconds = 1.
Behavior description:Enumerate windows
details:N/A
Behavior description:Signature information of modified executable files
details:C:\install.exe(签名验证: 未通过)
C:\222c25ed\IE8-Setup-Full\IE-REDIST.EXE(签名验证: 未通过)
C:\222c25ed\IE8-Setup-Full\installservices.exe(签名验证: 未通过)
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\ARPPRODUCTICON.exe(签名验证: 未通过)
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe(签名验证: 未通过)
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut2_E88611396FF84AFCB2EE5C1594058E02.exe(签名验证: 未通过)
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe(签名验证: 未通过)
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut31_2F252077BA3F4362913955273A708467.exe(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\fhitkbymjs(签名验证: 未通过)
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\npprintscreen.dll(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe(签名验证: 未通过)
Behavior description:Direct access to physical device
details:\??\PhysicalDrive0
Behavior description:Executable file signature information
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe(签名验证: 未通过)
C:\Program Files\Microsoft\DesktopLayer.exe(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\fhitkbymjs(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\irnrmpkrtt.dat(签名验证: 未通过)
Behavior description:Executable file MD5
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe ---> e89dd9184114a5189a7fe01a0ad30845
C:\Program Files\Microsoft\DesktopLayer.exe ---> e89dd9184114a5189a7fe01a0ad30845
C:\Documents and Settings\Administrator\Local Settings\Temp\fhitkbymjs ---> 5d877c8694f049e028a5b5990cd7f727
C:\Documents and Settings\Administrator\Local Settings\Temp\irnrmpkrtt.dat ---> 文件过大!
Behavior description:Find specified window
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [OleMainThreadWndClass,]
Behavior description:Load newly dropped file
details:Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\jka3.tmp.
Image: C:\Documents and Settings\All Users\Application Data\Storm\update\%SESSIONNAME%\ekpwi.cc3.
Behavior description:Detect virtual machine by searching for files
details:FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Application Data\VMware\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VBoxGuestAdditions\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VMwareDnD\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\All Users\Application Data\VMware\*.*