VirSCAN

File information
Security score: 35
Basic information
MD5: a16eb25a19ef7025673604237613afa8
File type: EXE
Vendor:
Version:
Packer/compiler info: PACKER:PolyEnE 0.01+ by Lennart Hedlund *
Sub-file info: upack0.39_64ceb8cfdumpFile / 1ddf3c3c40ad837f0367629fb361bd5d / EXE
Key behaviors
Behavior: Cross-process memory write
Details: TargetProcess = C:\Windows\System32\Shennong.bat, WriteAddress = 0x00140000, Size = 0x00000020 TargetPID = 0x00000c7c
TargetProcess = C:\Windows\System32\Shennong.bat, WriteAddress = 0x00140020, Size = 0x00000034 TargetPID = 0x00000c7c
TargetProcess = C:\Windows\System32\Shennong.bat, WriteAddress = 0x7ffd4238, Size = 0x00000004 TargetPID = 0x00000c7c
TargetProcess = C:\Windows\System32\Shennong.bat, WriteAddress = 0x00140000, Size = 0x00000020 TargetPID = 0x00000ce0
TargetProcess = C:\Windows\System32\Shennong.bat, WriteAddress = 0x00140020, Size = 0x00000034 TargetPID = 0x00000ce0
TargetProcess = C:\Windows\System32\Shennong.bat, WriteAddress = 0x7ffdf238, Size = 0x00000004 TargetPID = 0x00000ce0
Behavior: Compares against suspicious process names
Details: lstrcmpiA: avp.exe <------> [System Process] Des: 卡巴斯基
lstrcmpiA: avp.exe <------> System Des: 卡巴斯基
lstrcmpiA: avp.exe <------> smss.exe Des: 卡巴斯基
lstrcmpiA: avp.exe <------> wininit.exe Des: 卡巴斯基
lstrcmpiA: avp.exe <------> csrss.exe Des: 卡巴斯基
lstrcmpiA: avp.exe <------> winlogon.exe Des: 卡巴斯基
lstrcmpiA: avp.exe <------> services.exe Des: 卡巴斯基
lstrcmpiA: avp.exe <------> lsass.exe Des: 卡巴斯基
lstrcmpiA: avp.exe <------> lsm.exe Des: 卡巴斯基
lstrcmpiA: avp.exe <------> svchost.exe Des: 卡巴斯基
lstrcmpiA: avp.exe <------> RSwxService.exe Des: 卡巴斯基
lstrcmpiA: avp.exe <------> audiodg.exe Des: 卡巴斯基
lstrcmpiA: avp.exe <------> spoolsv.exe Des: 卡巴斯基
lstrcmpiA: avp.exe <------> taskhost.exe Des: 卡巴斯基
lstrcmpiA: avp.exe <------> dwm.exe Des: 卡巴斯基
Behavior: Searches for suspicious process names
Details: strstr: avp.exe <------> Des: 卡巴斯基
Behavior: APC (asynchronous procedure call) injection
Details: C:\Windows\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
Behavior: Sets special folder attributes
Details: C:\Users\Administrator\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\IECompatCache
Behavior: Reads CPU clock directly
Details: EAX = 0x05bf5e20, EDX = 0x00000088
EAX = 0x184df8d6, EDX = 0x00000088
Behavior: Creates a system service
Details: [服务创建成功]: Booth, C:\Windows\system32\Shennong.bat
Process behavior
Behavior: Cross-process memory write
Details: TargetProcess = C:\Windows\System32\Shennong.bat, WriteAddress = 0x00140000, Size = 0x00000020 TargetPID = 0x00000c7c
TargetProcess = C:\Windows\System32\Shennong.bat, WriteAddress = 0x00140020, Size = 0x00000034 TargetPID = 0x00000c7c
TargetProcess = C:\Windows\System32\Shennong.bat, WriteAddress = 0x7ffd4238, Size = 0x00000004 TargetPID = 0x00000c7c
TargetProcess = C:\Windows\System32\Shennong.bat, WriteAddress = 0x00140000, Size = 0x00000020 TargetPID = 0x00000ce0
TargetProcess = C:\Windows\System32\Shennong.bat, WriteAddress = 0x00140020, Size = 0x00000034 TargetPID = 0x00000ce0
TargetProcess = C:\Windows\System32\Shennong.bat, WriteAddress = 0x7ffdf238, Size = 0x00000004 TargetPID = 0x00000ce0
Behavior: Creates process from new file
Details: [0x00000c7c]ImagePath = C:\Windows\System32\Shennong.bat, CmdLine = C:\Windows\system32\Shennong.bat
[0x00000ce0]ImagePath = C:\Windows\System32\Shennong.bat, CmdLine = C:\Windows\system32\Shennong.bat Win7
Behavior: Enumerates processes
Details: N/A
File behavior
Behavior: Creates file
Details: C:\Windows\System32\Shennong.bat
C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb
C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4811EC9B-5938-11E8-A49B-080027488980}.dat
C:\Users\Administrator\AppData\Local\Temp\~DF8F24D137B235CAC4.TMP
C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{4811EC9C-5938-11E8-A49B-080027488980}.dat
C:\Users\Administrator\AppData\Local\Temp\~DFAE4452C21E5DC51C.TMP
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\yixun_com[1]
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\favicon[1].ico
C:\Users\Administrator\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Behavior: Creates executable file
Details: C:\Windows\System32\Shennong.bat
C:\Users\Administrator\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Behavior: Modifies script file
Details: C:\Windows\System32\Shennong.bat ---> Offset = 0
Behavior: Copies file
Details: C:\Users\Administrator\AppData\Local\%temp%\b70c.exe ---> C:\Windows\system32\Shennong.bat
Behavior: Deletes file
Details: C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb
C:\Users\Administrator\AppData\Local\Temp\~DF8F24D137B235CAC4.TMP
C:\Users\Administrator\AppData\Local\Temp\~DFAE4452C21E5DC51C.TMP
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\favicon[1].ico
C:\Users\Administrator\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Behavior: Searches for file
Details: FileName = C:\Windows\system32\Shennong.bat
FileName = C:\Windows
FileName = C:\Windows\WinSxS
FileName = C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
FileName = C:\Program Files\Java
FileName = C:\Program Files\Java\jre1.8.0_144\bin
FileName = C:\Program Files\Java\jre1.8.0_144\bin\jp2ssv.dll
FileName = C:\Program Files\Java\jre1.8.0_144\bin\deploy.dll
FileName = C:\Windows\system32
FileName = C:\Windows\system32\urlmon.dll
FileName = C:\Program Files
FileName = C:\Program Files\Internet Explorer
FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\*
FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\*
FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\*
Behavior: Sets special folder attributes
Details: C:\Users\Administrator\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\IECompatCache
Behavior: Modifies file content
Details: C:\Windows\AppCompat\Programs\RecentFileCache.bcf ---> Offset = 19668
C:\Windows\AppCompat\Programs\RecentFileCache.bcf ---> Offset = 19672
C:\Windows\AppCompat\Programs\RecentFileCache.bcf ---> Offset = 16
C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb ---> Offset = 0
C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb ---> Offset = 393216
C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb ---> Offset = 98304
C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb ---> Offset = 65536
C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4811EC9B-5938-11E8-A49B-080027488980}.dat ---> Offset = 512
C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4811EC9B-5938-11E8-A49B-080027488980}.dat ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\~DF8F24D137B235CAC4.TMP ---> Offset = 16383
C:\Users\Administrator\AppData\Local\Temp\~DF8F24D137B235CAC4.TMP ---> Offset = 12288
C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4811EC9B-5938-11E8-A49B-080027488980}.dat ---> Offset = 3072
C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4811EC9B-5938-11E8-A49B-080027488980}.dat ---> Offset = 1536
C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{4811EC9C-5938-11E8-A49B-080027488980}.dat ---> Offset = 512
C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{4811EC9C-5938-11E8-A49B-080027488980}.dat ---> Offset = 0
Network behavior
Behavior: Downloads file
Details: URLDownloadToFileW: http://ww****om/favicon.ico ---> C:\Users\Administrator\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
C:\Users\Administrator\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Behavior: Connects to specified site
Details: InternetConnectA: ServerName = ww****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
InternetConnectA: ServerName = ur****om, PORT = 443, UserName = , Password = , hSession = 0x00cc0010, hConnect = 0x00cc0014, Flags = 0x00000200
Behavior: Opens HTTP connection
Details: InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2), hSession = 0x00cc0004
InternetOpenA: UserAgent: VCSoapClient, hSession = 0x00cc0010
Behavior: Establishes a socket connection to a specified address
Details: IP: **.115.129.**:8259, SOCKET = 0x000000c0
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x00000424
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x00000564
URL: ur****om, IP: **.133.40.**:443, SOCKET = 0x000005f8
Behavior: Reads network file
Details: hFile = 0x00cc000c, BytesToRead =2048, BytesRead = 2048.
hFile = 0x00cc0018, BytesToRead =4095, BytesRead = 4095.
Behavior: Sends HTTP packet
Details: GET / HTTP/1.1 Accept: */* Accept-Language: zh-cn User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Accept-Encoding: gzip, deflate Host: ww****om Connection: Keep-Alive
GET /favicon.ico HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Host: ww****om Connection: Keep-Alive
Behavior: Opens HTTP request
Details: HttpOpenRequestA: ww****om:80/, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400200
HttpOpenRequestA: ww****om:80/favicon.ico, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00600010
HttpOpenRequestA: ur****om:443/urs.asmx?msurs-client-key=xblivnmuj%2byg9ondqpkltw%3d%3d&msurs-patented-lock=9zsqc0bofgo%3d, hConnect = 0x00cc0014, hRequest = 0x00cc0018, Verb: POST, Referer: , Flags = 0x04880300
Behavior: Resolves host address by name
Details: GetAddrInfoW: ww****om
GetAddrInfoW: ur****om
Registry behavior
Behavior: Modifies registry
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Booth\Description
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-*\RefCount
\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4811EC9B-5938-11E8-A49B-080027488980}
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{92780B25-18CC-41C8-B9BE-3C9C571A8263}\iexplore\Count
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{92780B25-18CC-41C8-B9BE-3C9C571A8263}\iexplore\Time
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\Window_Placement
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTime
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore\Count
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore\Time
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore\LoadTime
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore\Count
Behavior: Deletes registry value
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\AccountDomainSid
Other behavior
Behavior: Checks whether it is being debugged
Details: IsDebuggerPresent
Behavior: Creates mutex
Details: 114.115.129.137:8259:Booth
Global\Instance0: ESENT Performance Data Schema Version 85
eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-18
Local\ZonesCounterMutex
Local\RSS Eventing Connection Database Mutex 00000f70
Local\Feed Eventing Shared Memory Mutex S-*
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Local\!IECompat!Mutex
Local\c:!users!administrator!appdata!roaming!microsoft!windows!iecompatcache!
ConnHashTable<3952>_HashTable_Mutex
CritOpMutex
SmartScreen_UrsCacheMutex_2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2High_S-*
SmartScreen_ClientId_Mutex
Behavior: Searches for suspicious process names
Details: strstr: avp.exe <------> Des: 卡巴斯基
Behavior: Hides specified window
Details: [Window,Class] = [,BrowserFrameGripperClass]
[Window,Class] = [缩放级别,ToolbarWindow32]
[Window,Class] = [,msctls_progress32]
[Window,Class] = [,SysLink]
[Window,Class] = [http://www.yixun.com/ - Windows Internet Explorer,IEFrame]
[Window,Class] = [,Static]
[Window,Class] = [,UniversalSearchBand]
[Window,Class] = [,TravelBand]
[Window,Class] = [,CommandBarClass]
[Window,Class] = [,ReBarWindow32]
[Window,Class] = [,TabBandClass]
[Window,Class] = [文件大小未知,Static]
[Window,Class] = [打开此类文件前总是询问(&W),Button]
[Window,Class] = [发行者:,Static]
Behavior: Opens mutex
Details: Local\RSS Eventing Connection Database Mutex 00000f70
Local\!BrowserEmulation!SharedMemory!Mutex
Local\!IECompat!Mutex
Local\c:!users!administrator!appdata!roaming!microsoft!windows!iecompatcache!
ConnHashTable<3952>_HashTable_Mutex
Local\WininetStartupMutex
Local\MSCTF.Asm.MutexDefault1
Behavior: Compares against suspicious process names
Details: lstrcmpiA: avp.exe <------> [System Process] Des: 卡巴斯基
lstrcmpiA: avp.exe <------> System Des: 卡巴斯基
lstrcmpiA: avp.exe <------> smss.exe Des: 卡巴斯基
lstrcmpiA: avp.exe <------> wininit.exe Des: 卡巴斯基
lstrcmpiA: avp.exe <------> csrss.exe Des: 卡巴斯基
lstrcmpiA: avp.exe <------> winlogon.exe Des: 卡巴斯基
lstrcmpiA: avp.exe <------> services.exe Des: 卡巴斯基
lstrcmpiA: avp.exe <------> lsass.exe Des: 卡巴斯基
lstrcmpiA: avp.exe <------> lsm.exe Des: 卡巴斯基
lstrcmpiA: avp.exe <------> svchost.exe Des: 卡巴斯基
lstrcmpiA: avp.exe <------> RSwxService.exe Des: 卡巴斯基
lstrcmpiA: avp.exe <------> audiodg.exe Des: 卡巴斯基
lstrcmpiA: avp.exe <------> spoolsv.exe Des: 卡巴斯基
lstrcmpiA: avp.exe <------> taskhost.exe Des: 卡巴斯基
lstrcmpiA: avp.exe <------> dwm.exe Des: 卡巴斯基
Behavior: Finds specified window
Details: NtUserFindWindowEx: [Class,Window] = [CTXOPConntion_Class,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [Static,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
Behavior: Starts system service
Details: [服务启动成功]: LocalSystem, Booth Discovery Service, C:\Windows\system32\Shennong.bat
Behavior: Adjusts process token privileges
Details: SE_DEBUG_PRIVILEGE
SE_MANAGE_VOLUME_PRIVILEGE
SE_AUDIT_PRIVILEGE
SE_ASSIGNPRIMARYTOKEN_PRIVILEGE
Behavior: Opens event
Details: HookSwitchHookEnabledEvent
Global\SvcctrlStartEvent_A3752DX
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
\KernelObjects\MaximumCommitCondition
MSFT.VSA.COM.DISABLE.3952
MSFT.VSA.IEC.STATUS.6c736db0
Global\TabletHardwarePresent
Local\RSS Eventing Event Event 00000f70
Isolation Signal Registry Event (4811EC99-5938-11E8-A49B-080027488980, 0)
Local\MSCTF.CtfActivated.Default1
Local\MSCTF.AsmCacheReady.Default1
Local\fa4_29
Behavior: APC (asynchronous procedure call) injection
Details: C:\Windows\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
Behavior: Executable signature information
Details: C:\Windows\System32\Shennong.bat(签名验证: 未通过)
C:\Users\Administrator\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico(签名验证: 未通过)
Behavior: Calls Sleep function
Details: [1]: MilliSeconds = 15000.
[2]: MilliSeconds = 100.
[3]: MilliSeconds = 100.
[1]: MilliSeconds = 0.
[2]: MilliSeconds = 0.
[3]: MilliSeconds = 0.
[4]: MilliSeconds = 0.
[5]: MilliSeconds = 0.
[6]: MilliSeconds = 0.
[7]: MilliSeconds = 0.
[8]: MilliSeconds = 0.
[9]: MilliSeconds = 0.
[10]: MilliSeconds = 0.
[4]: MilliSeconds = 100.
[5]: MilliSeconds = 15000.
Behavior: Creates event object
Details: EventName = OleDfRoot8A21EB6FFE29C985
EventName = OleDfRoot92CE0EF1AC991D0E
EventName = Local\RSS Eventing Event Event 00000f70
EventName = IEFrame.EventCheckDefaultBrowser
EventName = Local\fa4_29
Behavior: Executable MD5
Details: C:\Windows\System32\Shennong.bat ---> a16eb25a19ef7025673604237613afa8
C:\Users\Administrator\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico ---> d0966601ecd6239a9ce0241c9aa21571
Behavior: Reads CPU clock directly
Details: EAX = 0x05bf5e20, EDX = 0x00000088
EAX = 0x184df8d6, EDX = 0x00000088
Behavior: Creates a system service
Details: [服务创建成功]: Booth, C:\Windows\system32\Shennong.bat
Behavior: Loads newly dropped file
Details: Image: C:\Windows\System32\Shennong.bat.
Image: C:\Users\Administrator\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico.