VirSCAN

File information
Safety rating: 11
Behavior list
Basic information
MD5: a2971bc2bb0b7763e429202fa575d107
File type: JAR file
Vendor:
Version:
Packer or compiler information:
Subfile information (name / MD5 / type):
knzAv / bd7ff096e94b71a16c33e506130c672e / Unknown
Mains.class / 09ea9ac40aba74145cf7581476e80228 / Unknown
MANIFEST.MF / 235703e88ebb0812ef50c2243f0e05e2 / Unknown
ererferf.fwe / fa9f9a113299ff9632b19a35a4f80469 / Unknown
Key behavior
Behavior description: Modify registry: image hijacking (IFEO Debugger value)
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe\debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe\debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe\debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe\debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe\debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe\debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe\debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe\debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe\debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe\debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mergecap.exe\debugger
Behavior description: Modify registry: Task Manager key setting
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
Behavior description: Modify registry: UAC key setting
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
Behavior description: Kill process
Details: TASKKILL = taskkill /IM UserAccountControlSettings.exe /T /F
TASKKILL = taskkill /IM Taskmgr.exe /T /F
C:\WINDOWS\system32\taskmgr.exe
TASKKILL = taskkill /IM ProcessHacker.exe /T /F
TASKKILL = taskkill /IM procexp.exe /T /F
TASKKILL = taskkill /IM MSASCui.exe /T /F
TASKKILL = taskkill /IM MsMpEng.exe /T /F
TASKKILL = taskkill /IM MpUXSrv.exe /T /F
TASKKILL = taskkill /IM MpCmdRun.exe /T /F
Behavior description: Set special folder attributes
Details: C:\Documents and Settings\Administrator\ITecvYUzmVz
Behavior description: Modify registry: startup entry (Run key)
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\PfeCPuowenn
Process behavior
Behavior description: Create process with hidden window
Details: ImagePath = , CmdLine = cmd.exe /C cscript.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Retrive2874405681709303123.vbs
ImagePath = , CmdLine = cmd.exe /C cscript.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Retrive7828956632900690629.vbs
ImagePath = , CmdLine = xcopy "C:\Program Files\Java\jre7" "C:\Documents and Settings\Administrator\Application Data\Oracle\" /e
ImagePath = , CmdLine = cmd.exe
ImagePath = , CmdLine = reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v PfeCPuowenn /t REG_EXPAND_SZ /d "\"C:\Documents and Settings\Administrator\Application Data\Oracle\bin\javaw.exe\" -jar \"C:\Documents and Settings\Administrator\ITecvYUzmVz\kjDZUniXKXX.sxAOks\"" /
ImagePath = , CmdLine = attrib +h "C:\Documents and Settings\Administrator\ITecvYUzmVz\*.*"
ImagePath = , CmdLine = attrib +h "C:\Documents and Settings\Administrator\ITecvYUzmVz"
ImagePath = , CmdLine = "C:\Documents and Settings\Administrator\Application Data\Oracle\bin\javaw.exe" -jar "C:\Documents and Settings\Administrator\ITecvYUzmVz\kjDZUniXKXX.sxAOks"
ImagePath = , CmdLine = cmd.exe /C cscript.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Retrive4499745429127513672.vbs
ImagePath = , CmdLine = cmd.exe /C cscript.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Retrive6573918494490416448.vbs
ImagePath = , CmdLine = taskkill /IM UserAccountControlSettings.exe /T /F
ImagePath = , CmdLine = cmd.exe /c regedit.exe /s C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vtKHuCLHVg1089525326199854512.reg
ImagePath = , CmdLine = taskkill /IM Taskmgr.exe /T /F
ImagePath = , CmdLine = taskkill /IM ProcessHacker.exe /T /F
ImagePath = , CmdLine = taskkill /IM procexp.exe /T /F
Behavior description: Create process
Details: [0x00000a80]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /C cscript.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Retrive2874405681709303123.vbs
[0x00000aa0]ImagePath = C:\WINDOWS\system32\cscript.exe, CmdLine = cscript.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Retrive2874405681709303123.vbs
[0x00000ac0]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /C cscript.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Retrive7828956632900690629.vbs
[0x00000ac8]ImagePath = C:\WINDOWS\system32\cscript.exe, CmdLine = cscript.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Retrive7828956632900690629.vbs
[0x00000afc]ImagePath = C:\WINDOWS\system32\xcopy.exe, CmdLine = xcopy "C:\Program Files\Java\jre7" "C:\Documents and Settings\Administrator\Application Data\Oracle\" /e
[0x00000ed0]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe
[0x00000ef4]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v PfeCPuowenn /t REG_EXPAND_SZ /d "\"C:\Documents and Settings\Administrator\Application Data\Oracle\bin\javaw.exe\" -jar \"C:\Documents and Settings\Administrator\ITecvYUzmVz\kjDZUniXKXX.sxAOks\"" /
[0x00000efc]ImagePath = C:\WINDOWS\system32\attrib.exe, CmdLine = attrib +h "C:\Documents and Settings\Administrator\ITecvYUzmVz\*.*"
[0x00000f04]ImagePath = C:\WINDOWS\system32\attrib.exe, CmdLine = attrib +h "C:\Documents and Settings\Administrator\ITecvYUzmVz"
[0x00000f6c]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /C cscript.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Retrive4499745429127513672.vbs
[0x00000f74]ImagePath = C:\WINDOWS\system32\cscript.exe, CmdLine = cscript.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Retrive4499745429127513672.vbs
[0x00000fac]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /C cscript.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Retrive6573918494490416448.vbs
[0x00000fb4]ImagePath = C:\WINDOWS\system32\cscript.exe, CmdLine = cscript.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Retrive6573918494490416448.vbs
[0x00000fd0]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe
[0x00000794]ImagePath = C:\WINDOWS\system32\taskkill.exe, CmdLine = taskkill /IM UserAccountControlSettings.exe /T /F
Behavior description: Create local thread
Details: TargetProcess: java.exe, InheritedFromPID = 2000, ProcessID = 2596, ThreadID = 2620, StartAddress = 0040A0D1, Parameter = 00036650
TargetProcess: java.exe, InheritedFromPID = 2000, ProcessID = 2596, ThreadID = 2640, StartAddress = 78AFC724, Parameter = 18C46650
TargetProcess: java.exe, InheritedFromPID = 2000, ProcessID = 2596, ThreadID = 2644, StartAddress = 78AFC724, Parameter = 18C46650
TargetProcess: java.exe, InheritedFromPID = 2000, ProcessID = 2596, ThreadID = 2648, StartAddress = 78AFC724, Parameter = 18C46650
TargetProcess: java.exe, InheritedFromPID = 2000, ProcessID = 2596, ThreadID = 2652, StartAddress = 78AFC724, Parameter = 18C46650
TargetProcess: java.exe, InheritedFromPID = 2000, ProcessID = 2596, ThreadID = 2656, StartAddress = 78AFC724, Parameter = 18D9E118
TargetProcess: java.exe, InheritedFromPID = 2000, ProcessID = 2596, ThreadID = 2660, StartAddress = 78AFC724, Parameter = 18D9FBB8
TargetProcess: java.exe, InheritedFromPID = 2000, ProcessID = 2596, ThreadID = 2664, StartAddress = 78AFC724, Parameter = 18D9FBB8
TargetProcess: java.exe, InheritedFromPID = 2000, ProcessID = 2596, ThreadID = 2668, StartAddress = 78AFC724, Parameter = 18D9FBB8
TargetProcess: java.exe, InheritedFromPID = 2000, ProcessID = 2596, ThreadID = 2672, StartAddress = 78AFC724, Parameter = 18D9FBB8
TargetProcess: java.exe, InheritedFromPID = 2000, ProcessID = 2596, ThreadID = 2676, StartAddress = 78AFC724, Parameter = 18D9FBB8
TargetProcess: java.exe, InheritedFromPID = 2000, ProcessID = 2596, ThreadID = 2680, StartAddress = 78AFC724, Parameter = 18D9FBB8
TargetProcess: java.exe, InheritedFromPID = 2000, ProcessID = 2596, ThreadID = 2684, StartAddress = 78AFC724, Parameter = 18D9FBB8
TargetProcess: cscript.exe, InheritedFromPID = 2688, ProcessID = 2720, ThreadID = 2728, StartAddress = 01002A66, Parameter = 008E3FB0
TargetProcess: cscript.exe, InheritedFromPID = 2688, ProcessID = 2720, ThreadID = 2732, StartAddress = 765E964D, Parameter = 001BD180
Behavior description: Create process from newly dropped file
Details: [0x00000f0c]ImagePath = C:\Documents and Settings\Administrator\Application Data\Oracle\bin\javaw.exe, CmdLine = "C:\Documents and Settings\Administrator\Application Data\Oracle\bin\javaw.exe" -jar "C:\Documents and Settings\Administrator\ITecvYUzmVz\kjDZUniXKXX.sxAOks"
Behavior description: Kill process
Details: TASKKILL = taskkill /IM UserAccountControlSettings.exe /T /F
TASKKILL = taskkill /IM Taskmgr.exe /T /F
C:\WINDOWS\system32\taskmgr.exe
TASKKILL = taskkill /IM ProcessHacker.exe /T /F
TASKKILL = taskkill /IM procexp.exe /T /F
TASKKILL = taskkill /IM MSASCui.exe /T /F
TASKKILL = taskkill /IM MsMpEng.exe /T /F
TASKKILL = taskkill /IM MpUXSrv.exe /T /F
TASKKILL = taskkill /IM MpCmdRun.exe /T /F
File behavior
Behavior description: Create file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\hsperfdata_Administrator\2596
C:\Documents and Settings\Administrator\Local Settings\Temp\Retrive2874405681709303123.vbs
C:\Documents and Settings\Administrator\Local Settings\Temp\Retrive7828956632900690629.vbs
C:\Documents and Settings\Administrator\Application Data\Oracle\COPYRIGHT
C:\Documents and Settings\Administrator\Application Data\Oracle\LICENSE
C:\Documents and Settings\Administrator\Application Data\Oracle\README.txt
C:\Documents and Settings\Administrator\Application Data\Oracle\release
C:\Documents and Settings\Administrator\Application Data\Oracle\THIRDPARTYLICENSEREADME.txt
C:\Documents and Settings\Administrator\Application Data\Oracle\Welcome.html
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\awt.dll
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\axbridge.dll
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\dcpr.dll
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\deploy.dll
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\deployJava1.dll
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\dt_shmem.dll
Behavior description: Create executable file
Details: C:\Documents and Settings\Administrator\Application Data\Oracle\bin\awt.dll
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\axbridge.dll
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\dcpr.dll
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\deploy.dll
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\deployJava1.dll
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\dt_shmem.dll
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\dt_socket.dll
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\eula.dll
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\fontmanager.dll
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\hprof.dll
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\instrument.dll
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\j2pcsc.dll
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\j2pkcs11.dll
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\jaas_nt.dll
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\java-rmi.exe
Behavior description: Modify script file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\Retrive2874405681709303123.vbs ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\Retrive7828956632900690629.vbs ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\Retrive4499745429127513672.vbs ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\Retrive6573918494490416448.vbs ---> Offset = 0
Behavior description: Overwrite existing file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\Retrive2874405681709303123.vbs
C:\Documents and Settings\Administrator\Local Settings\Temp\Retrive7828956632900690629.vbs
C:\Documents and Settings\Administrator\Local Settings\Temp\Retrive4499745429127513672.vbs
C:\Documents and Settings\Administrator\Local Settings\Temp\Retrive6573918494490416448.vbs
C:\WINDOWS\system32\test.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\vtKHuCLHVg1089525326199854512.reg
Behavior description: Search for file
Details: FileName = C:\Program Files\Java\jre7\bin\java.dll
FileName = C:\Program Files\Java\jre7\bin\client\jvm.dll
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\hsperfdata_Administrator\*.*
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\hsperfdata_Administrator\2596
FileName = C:\Program Files\Java\jre7\lib\resources.jar
FileName = C:\Program Files\Java\jre7\lib\rt.jar
FileName = C:\Program Files\Java\jre7\lib\sunrsasign.jar
FileName = C:\Program Files\Java\jre7\lib\jsse.jar
FileName = C:\Program Files\Java\jre7\lib\jce.jar
FileName = C:\Program Files\Java\jre7\lib\charsets.jar
FileName = C:\Program Files\Java\jre7\classes
FileName = C:\Program Files
FileName = C:\Program Files\Java
FileName = C:\Program Files\Java\jre7
FileName = C:\Program Files\Java\jre7\lib
Behavior description: Delete file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\hsperfdata_Administrator\2596
C:\Documents and Settings\Administrator\Local Settings\Temp\Retrive2874405681709303123.vbs
C:\Documents and Settings\Administrator\Local Settings\Temp\Retrive7828956632900690629.vbs
C:\Documents and Settings\Administrator\Local Settings\Temp\hsperfdata_Administrator\3852
C:\Documents and Settings\Administrator\Local Settings\Temp\Retrive4499745429127513672.vbs
C:\Documents and Settings\Administrator\Local Settings\Temp\Retrive6573918494490416448.vbs
Behavior description: Set special folder attributes
Details: C:\Documents and Settings\Administrator\ITecvYUzmVz
Behavior description: Modify file contents
Details: C:\Documents and Settings\Administrator\Application Data\Oracle\COPYRIGHT ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Oracle\LICENSE ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Oracle\README.txt ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Oracle\release ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Oracle\THIRDPARTYLICENSEREADME.txt ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Oracle\THIRDPARTYLICENSEREADME.txt ---> Offset = 65536
C:\Documents and Settings\Administrator\Application Data\Oracle\THIRDPARTYLICENSEREADME.txt ---> Offset = 131072
C:\Documents and Settings\Administrator\Application Data\Oracle\Welcome.html ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\awt.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\awt.dll ---> Offset = 65536
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\awt.dll ---> Offset = 131072
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\awt.dll ---> Offset = 196608
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\awt.dll ---> Offset = 262144
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\axbridge.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\axbridge.dll ---> Offset = 65536
Network behavior
Behavior description: Connect to a specified socket
Details: URL: jb****et, IP: **.133.40.**:1177, SOCKET = 0x00000498
URL: jb****et, IP: **.133.40.**:1177, SOCKET = 0x00000528
URL: jb****et, IP: **.133.40.**:1177, SOCKET = 0x000005b0
URL: jb****et, IP: **.133.40.**:1177, SOCKET = 0x0000051c
Behavior description: Resolve host address by name
Details: gethostbyname: computer
gethostbyname: jb****et
Registry behavior
Behavior description: Modify registry: Group Policy
Details: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR
Behavior description: Modify registry: image hijacking (IFEO Debugger value)
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe\debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe\debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe\debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe\debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe\debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe\debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe\debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe\debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe\debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe\debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mergecap.exe\debugger
Behavior description: Modify registry: Task Manager key setting
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
Behavior description: Modify registry: UAC key setting
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
Behavior description: Modify registry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Session Manager\Environment\SEE_MASK_NOZONECHECKS
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorAdmin
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorUser
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\PromptOnSecureDesktop
Behavior description: Modify registry: system environment variable
Details: \REGISTRY\USER\S-*\Environment\SEE_MASK_NOZONECHECKS
Behavior description: Delete registry value
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments\SaveZoneInformation
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\LowRiskFileTypes
Behavior description: Modify registry: startup entry (Run key)
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\PfeCPuowenn
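The process behavior section above (the xcopy staging of a private JRE under the user profile, the reg add entry for the Run key, the taskkill loop against security tools) and the registry behavior section (IFEO Debugger values for the same tools, the UAC, Task Manager, System Restore and attachment-manager policy values) are the parts of this report a responder acts on. The Python below is an added example, not code from VirSCAN or from the sample: it parses the report's own "CmdLine =" entries and "\REGISTRY\" value paths into findings. The security-tool image list is taken from the report; the finding labels, the reg add switch handling and the Windows quoting rule used to split command lines are my own assumptions.

```python
"""Triage of the process and registry behaviour listed in this report. Added
example, not VirSCAN's or the sample's code: SAMPLE_LINES are copied from the
report; the parsing rules, tool list and labels are my own assumptions."""
import re

# Image names the sample targets through IFEO and taskkill (from the report).
SECURITY_TOOLS = {
    "useraccountcontrolsettings.exe", "taskmgr.exe", "processhacker.exe",
    "procexp.exe", "msascui.exe", "msmpeng.exe", "mpuxsrv.exe", "mpcmdrun.exe",
    "nissrv.exe", "configsecuritypolicy.exe", "wireshark.exe", "tshark.exe",
    "text2pcap.exe", "rawshark.exe", "mergecap.exe",
}
# Registry value names whose modification weakens a host-side control.
POLICY_VALUES = {
    "disabletaskmgr": "Task Manager disabled", "enablelua": "UAC turned off",
    "consentpromptbehavioradmin": "UAC prompt downgraded",
    "promptonsecuredesktop": "UAC secure desktop off",
    "disablesr": "System Restore disabled",
    "savezoneinformation": "Mark-of-the-Web no longer recorded",
    "lowriskfiletypes": "attachment warnings suppressed",
    "see_mask_nozonechecks": "zone checks skipped for launched files",
}
IFEO_RE = re.compile(r"\\Image File Execution Options\\([^\\]+)\\debugger$", re.I)
RUN_RE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.I)
LINE_RE = re.compile(r"(?:CmdLine|TASKKILL) = (.*)$")
# One argv token: bare chars, backslash-escaped chars, or a double-quoted run.
TOKEN_RE = re.compile(r'(?:[^\s"\\]|\\.|"(?:[^"\\]|\\.)*")+')

def split_cmdline(cmd):
    """Windows-style split: whitespace separates, double quotes group, \\" is a
    literal quote, other backslashes are literal. Caveat: the report's xcopy line
    ends an argument in Oracle\\", which this rule reads as an escaped quote, so
    classify_cmdline matches that line on raw text instead of argv."""
    return [re.sub(r'\\"|"', lambda m: '"' if m.group() == '\\"' else "", t)
            for t in TOKEN_RE.findall(cmd)]

def parse_reg_add(cmd):
    """{key, value, type, data} for a 'reg add' command line, else None."""
    argv = split_cmdline(cmd)
    if len(argv) < 3 or [a.lower() for a in argv[:2]] != ["reg", "add"]:
        return None
    out = {"key": argv[2], "value": None, "type": None, "data": None}
    switches = {"/v": "value", "/t": "type", "/d": "data"}
    for i, a in enumerate(argv[3:-1], 3):  # each switch consumes the next argv
        if a.lower() in switches:
            out[switches[a.lower()]] = argv[i + 1]
    return out

def classify_cmdline(cmd):
    """Map one process command line to zero or more finding strings."""
    argv = split_cmdline(cmd)
    low = [a.lower() for a in argv]
    head, text, out = (low[0] if low else ""), cmd.lower(), []
    if head == "taskkill" and "/im" in low[:-1]:
        image = low[low.index("/im") + 1]
        if image in SECURITY_TOOLS:
            out.append(f"kills security tool {image}")
    reg = parse_reg_add(cmd)
    if reg and reg["key"].lower().rstrip("\\").endswith("\\currentversion\\run"):
        out.append(f"Run-key persistence '{reg['value']}' -> {reg['data']}")
    if head == "xcopy" and "\\java\\jre" in text and "\\application data\\" in text:
        out.append("stages a private JRE copy under the user profile")
    if head == "cmd.exe" and "cscript.exe" in text and ".vbs" in text:
        out.append("runs a dropped VBScript from %TEMP% via cscript")
    return out

def classify_registry_path(path):
    """Map one '\\REGISTRY\\...' value path to a finding string, or None."""
    m = IFEO_RE.search(path)
    if m:
        image = m.group(1).lower()
        tag = "security tool " if image in SECURITY_TOOLS else ""
        return f"IFEO debugger hijack of {tag}{image}"
    m = RUN_RE.search(path)
    if m:
        return f"Run-key persistence '{m.group(1)}'"
    return POLICY_VALUES.get(path.rsplit("\\", 1)[-1].lower())

def triage(lines):
    """Run both classifiers over report lines and return sorted findings."""
    findings = set()
    for line in lines:
        line = line.strip().split("details:", 1)[-1]  # drop the report label
        m = LINE_RE.search(line)
        if m:
            findings.update(classify_cmdline(m.group(1)))
        elif line.upper().startswith("\\REGISTRY\\"):
            findings.add(classify_registry_path(line))
    findings.discard(None)
    return sorted(findings)

# Constructed input: lines copied verbatim from the report above.
SAMPLE_LINES = [
    r"[0x00000afc]ImagePath = C:\WINDOWS\system32\xcopy.exe, CmdLine = xcopy "
    r'"C:\Program Files\Java\jre7" "C:\Documents and Settings\Administrator\Application Data\Oracle\" /e',
    r"[0x00000ef4]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg add "
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v PfeCPuowenn /t REG_EXPAND_SZ /d "
    r'"\"C:\Documents and Settings\Administrator\Application Data\Oracle\bin\javaw.exe\" -jar '
    r'\"C:\Documents and Settings\Administrator\ITecvYUzmVz\kjDZUniXKXX.sxAOks\"" /',
    r"ImagePath = , CmdLine = cmd.exe /C cscript.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Retrive2874405681709303123.vbs",
    "details:TASKKILL = taskkill /IM MsMpEng.exe /T /F",
    r"details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe\debugger",
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA",
    r"\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\PfeCPuowenn",
]
```

triage(SAMPLE_LINES) yields seven findings for these lines: the IFEO hijack of taskmgr.exe, the Run-key value PfeCPuowenn (once from the registry path, once from the reg add command with the parsed javaw.exe -jar data), the EnableLUA change, the taskkill of MsMpEng.exe, the cscript launch of a dropped .vbs and the JRE staging copy. The trailing "/" on the report's reg add line is kept as it appears; parse_reg_add ignores it because it is not one of the /v, /t or /d switches.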
Other behavior
Behavior description: Create mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Behavior description: Create event object
Details: EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = Global\crypt32LogoffEvent
Behavior description: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [,]
NtUserFindWindowEx: [Class,Window] = [RegEdit_RegEdit,]
Behavior description: Open event
Details: \INSTALLATION_SECURITY_HOLD
HookSwitchHookEnabledEvent
MSFT.VSA.COM.DISABLE.2720
MSFT.VSA.IEC.STATUS.6c736db0
Global\crypt32LogoffEvent
MSFT.VSA.COM.DISABLE.2760
Global\SvcctrlStartEvent_A3752DX
MSFT.VSA.COM.DISABLE.3956
MSFT.VSA.COM.DISABLE.4020
MSFT.VSA.COM.DISABLE.1940
MSFT.VSA.COM.DISABLE.1932
MSFT.VSA.COM.DISABLE.1656
MSFT.VSA.COM.DISABLE.1004
MSFT.VSA.COM.DISABLE.1480
MSFT.VSA.COM.DISABLE.1288
Behavior description: Adjust process token privileges
Details: SE_DEBUG_PRIVILEGE
Behavior description: Enumerate windows
Details: N/A
Behavior description: Executable signature information
Details: C:\Documents and Settings\Administrator\Application Data\Oracle\bin\awt.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\axbridge.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\dcpr.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\deploy.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\deployJava1.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\dt_shmem.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\dt_socket.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\eula.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\fontmanager.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\hprof.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\instrument.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\j2pcsc.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\j2pkcs11.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\jaas_nt.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\java-rmi.exe (signature verification: passed)
Behavior description: Executable file MD5
Details: C:\Documents and Settings\Administrator\Application Data\Oracle\bin\awt.dll ---> 567d46179e7a673711cd9fea512c5364
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\axbridge.dll ---> eff7a9746acee42802ac563859f28558
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\dcpr.dll ---> 71418cc50746fc2cb3f517cb3f5a022e
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\deploy.dll ---> a958d75082496fbd6d27d290c41f1231
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\deployJava1.dll ---> 15dd43b041053ee102b61d83297bd2bf
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\dt_shmem.dll ---> 71b5450786095045b9c7a2b895d43df3
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\dt_socket.dll ---> 11abdfeb7a18677514456da84ee0e86b
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\eula.dll ---> 28dc1be7b39fb98004c4bf1b0b76ce77
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\fontmanager.dll ---> 81e5fa9746a38dc190698f917ed821e7
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\hprof.dll ---> dfa311bd38648c339dd7f0e2f3d88fc7
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\instrument.dll ---> da3f57cedd36d54ec5491f40d6cb4492
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\j2pcsc.dll ---> 8c8d07744786aeaf39f88192c247678a
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\j2pkcs11.dll ---> 0dfeb41ae7ba5eb3cab4ebf370675295
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\jaas_nt.dll ---> 4ab7312304183076ad987edcb209c483
C:\Documents and Settings\Administrator\Application Data\Oracle\bin\java-rmi.exe ---> ac8e2614b542e0b9e8732b67fccb0c7c
Behavior description: Open mutex
Details: ShimCacheMutex
Behavior description: Load newly dropped file
Details: Image: C:\Documents and Settings\Administrator\Application Data\Oracle\bin\msvcr100.dll.
Image: C:\Documents and Settings\Administrator\Application Data\Oracle\bin\client\jvm.dll.
Image: C:\Documents and Settings\Administrator\Application Data\Oracle\bin\verify.dll.
Image: C:\Documents and Settings\Administrator\Application Data\Oracle\bin\java.dll.
Image: C:\Documents and Settings\Administrator\Application Data\Oracle\bin\zip.dll.
Image: C:\Documents and Settings\Administrator\Application Data\Oracle\bin\sunec.dll.
Image: C:\Documents and Settings\Administrator\Application Data\Oracle\bin\net.dll.
Image: C:\Documents and Settings\Administrator\Application Data\Oracle\bin\nio.dll.
Image: C:\Documents and Settings\Administrator\Application Data\Oracle\bin\awt.dll.
Image: C:\Documents and Settings\Administrator\Application Data\Oracle\bin\management.dll.
Image: C:\Documents and Settings\Administrator\Application Data\Oracle\bin\sunmscapi.dll.
Run screenshot (image not reproduced in this copy)

Translated by Keith Miller, United States