VirSCAN

File information
Safety rating: 95
Behavior list
Basic Information
MD5: a4d90f772e986429878869cfc7b7c562
File type: EXE
Production company: Google Inc.
Version: 1.3.33.7---1.3.33.7
Shell or compiler information: COMPILER:Microsoft Visual Studio .NET 2005 -- 2008 -> Microsoft Corporation [Overlay] *
Key behavior
Behavior description: Cross-process data write
details:TargetProcess = C:\Program Files\GUM7332.tmp\GoogleUpdate.exe, WriteAddress = 0x00050000, Size = 0x000005dc TargetPID = 0x00000838
TargetProcess = C:\Program Files\GUM7332.tmp\GoogleUpdate.exe, WriteAddress = 0x7ffdf1e8, Size = 0x00000004 TargetPID = 0x00000838
TargetProcess = C:\Program Files\GUM7332.tmp\GoogleUpdate.exe, WriteAddress = 0x00060000, Size = 0x00000020 TargetPID = 0x00000838
TargetProcess = C:\Program Files\GUM7332.tmp\GoogleUpdate.exe, WriteAddress = 0x00060020, Size = 0x00000034 TargetPID = 0x00000838
TargetProcess = C:\Program Files\GUM7332.tmp\GoogleUpdate.exe, WriteAddress = 0x7ffdf238, Size = 0x00000004 TargetPID = 0x00000838
TargetProcess = C:\Program Files\Google\Update\GoogleUpdate.exe, WriteAddress = 0x00150000, Size = 0x000005dc TargetPID = 0x00000a1c
TargetProcess = C:\Program Files\Google\Update\GoogleUpdate.exe, WriteAddress = 0x7ffd71e8, Size = 0x00000004 TargetPID = 0x00000a1c
TargetProcess = C:\Program Files\Google\Update\GoogleUpdate.exe, WriteAddress = 0x00160000, Size = 0x00000020 TargetPID = 0x00000a1c
TargetProcess = C:\Program Files\Google\Update\GoogleUpdate.exe, WriteAddress = 0x00160020, Size = 0x00000034 TargetPID = 0x00000a1c
TargetProcess = C:\Program Files\Google\Update\GoogleUpdate.exe, WriteAddress = 0x7ffd7238, Size = 0x00000004 TargetPID = 0x00000a1c
TargetProcess = C:\Program Files\Google\Update\GoogleUpdate.exe, WriteAddress = 0x00050000, Size = 0x000005dc TargetPID = 0x00000af4
TargetProcess = C:\Program Files\Google\Update\GoogleUpdate.exe, WriteAddress = 0x7ffdf1e8, Size = 0x00000004 TargetPID = 0x00000af4
TargetProcess = C:\Program Files\Google\Update\GoogleUpdate.exe, WriteAddress = 0x00060000, Size = 0x00000020 TargetPID = 0x00000af4
TargetProcess = C:\Program Files\Google\Update\GoogleUpdate.exe, WriteAddress = 0x00060020, Size = 0x00000034 TargetPID = 0x00000af4
TargetProcess = C:\Program Files\Google\Update\GoogleUpdate.exe, WriteAddress = 0x7ffdf238, Size = 0x00000004 TargetPID = 0x00000af4
Behavior description: Modify registry (image hijack, Image File Execution Options)
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe\DisableExceptionChainValidation
Behavior description: Get TickCount value
details:TickCount = 224781, SleepMilliseconds = 60000.
TickCount = 224843, SleepMilliseconds = 60000.
TickCount = 251640, SleepMilliseconds = 60000.
TickCount = 281640, SleepMilliseconds = 60000.
Behavior description: Process privilege escalation information
details:NT AUTHORITY\SYSTEM
Behavior description: Set special folder attributes
details:C:\Users\Administrator\AppData\Local\Microsoft\Windows\Burn\Burn
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
Behavior description: Create system service
details:[服务创建成功]: gupdate, "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc
[服务创建成功]: gupdatem, "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc
Process behavior
Behavior description: Cross-process data write
details:TargetProcess = C:\Program Files\GUM7332.tmp\GoogleUpdate.exe, WriteAddress = 0x00050000, Size = 0x000005dc TargetPID = 0x00000838
TargetProcess = C:\Program Files\GUM7332.tmp\GoogleUpdate.exe, WriteAddress = 0x7ffdf1e8, Size = 0x00000004 TargetPID = 0x00000838
TargetProcess = C:\Program Files\GUM7332.tmp\GoogleUpdate.exe, WriteAddress = 0x00060000, Size = 0x00000020 TargetPID = 0x00000838
TargetProcess = C:\Program Files\GUM7332.tmp\GoogleUpdate.exe, WriteAddress = 0x00060020, Size = 0x00000034 TargetPID = 0x00000838
TargetProcess = C:\Program Files\GUM7332.tmp\GoogleUpdate.exe, WriteAddress = 0x7ffdf238, Size = 0x00000004 TargetPID = 0x00000838
TargetProcess = C:\Program Files\Google\Update\GoogleUpdate.exe, WriteAddress = 0x00150000, Size = 0x000005dc TargetPID = 0x00000a1c
TargetProcess = C:\Program Files\Google\Update\GoogleUpdate.exe, WriteAddress = 0x7ffd71e8, Size = 0x00000004 TargetPID = 0x00000a1c
TargetProcess = C:\Program Files\Google\Update\GoogleUpdate.exe, WriteAddress = 0x00160000, Size = 0x00000020 TargetPID = 0x00000a1c
TargetProcess = C:\Program Files\Google\Update\GoogleUpdate.exe, WriteAddress = 0x00160020, Size = 0x00000034 TargetPID = 0x00000a1c
TargetProcess = C:\Program Files\Google\Update\GoogleUpdate.exe, WriteAddress = 0x7ffd7238, Size = 0x00000004 TargetPID = 0x00000a1c
TargetProcess = C:\Program Files\Google\Update\GoogleUpdate.exe, WriteAddress = 0x00050000, Size = 0x000005dc TargetPID = 0x00000af4
TargetProcess = C:\Program Files\Google\Update\GoogleUpdate.exe, WriteAddress = 0x7ffdf1e8, Size = 0x00000004 TargetPID = 0x00000af4
TargetProcess = C:\Program Files\Google\Update\GoogleUpdate.exe, WriteAddress = 0x00060000, Size = 0x00000020 TargetPID = 0x00000af4
TargetProcess = C:\Program Files\Google\Update\GoogleUpdate.exe, WriteAddress = 0x00060020, Size = 0x00000034 TargetPID = 0x00000af4
TargetProcess = C:\Program Files\Google\Update\GoogleUpdate.exe, WriteAddress = 0x7ffdf238, Size = 0x00000004 TargetPID = 0x00000af4
Behavior description: Create process from newly created file
details:[0x00000838]ImagePath = C:\Program Files\GUM7332.tmp\GoogleUpdate.exe, CmdLine = "C:\Program Files\GUM7332.tmp\GoogleUpdate.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&browser=0&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&brand=GTPM"
[0x00000a1c]ImagePath = C:\Program Files\Google\Update\GoogleUpdate.exe, CmdLine = "C:\Program Files\Google\Update\GoogleUpdate.exe" /regsvc
[0x00000af4]ImagePath = C:\Program Files\Google\Update\GoogleUpdate.exe, CmdLine = "C:\Program Files\Google\Update\GoogleUpdate.exe" /regserver
Behavior description: Create process
details:[0x00000bd8]ImagePath = C:\Program Files\Google\Update\GoogleUpdate.exe, CmdLine = "C:\Program Files\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB2ZXJzaW9uPSIxLjMuMzMuNyIgc2hlbGxfdmVyc2lvbj0iMS4zLjMzLjciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Njk5Q0Y1OUMtMzUxQy00MTJGLTg
[0x00000bcc]ImagePath = C:\Program Files\Google\Update\GoogleUpdate.exe, CmdLine = "C:\Program Files\Google\Update\GoogleUpdate.exe" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&browser=0&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&brand=GTPM" /installsource taggedmi /sessionid "{699CF59C-351C-412F-83DE-406F30BE16F4}
[0x000002f4]ImagePath = C:\Program Files\Google\Update\GoogleUpdate.exe, CmdLine = "C:\Program Files\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB2ZXJzaW9uPSIxLjMuMzMuNyIgc2hlbGxfdmVyc2lvbj0iMS4zLjMzLjciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Njk5Q0Y1OUMtMzUxQy00MTJGLTg
Behavior description: Enumerate processes
details:N/A
Behavior description: Process privilege escalation information
details:NT AUTHORITY\SYSTEM
File behavior
Behavior description: Create file
details:C:\Program Files\GUM7332.tmp
C:\Program Files\GUT7333.tmp
C:\Program Files\GUM7332.tmp\GoogleUpdate.exe
C:\Program Files\GUM7332.tmp\GoogleCrashHandler.exe
C:\Program Files\GUM7332.tmp\goopdate.dll
C:\Program Files\GUM7332.tmp\npGoogleUpdate3.dll
C:\Program Files\GUM7332.tmp\GoogleUpdateHelper.msi
C:\Program Files\GUM7332.tmp\GoogleUpdateBroker.exe
C:\Program Files\GUM7332.tmp\GoogleUpdateOnDemand.exe
C:\Program Files\GUM7332.tmp\GoogleUpdateComRegisterShell64.exe
C:\Program Files\GUM7332.tmp\GoogleUpdateWebPlugin.exe
C:\Program Files\GUM7332.tmp\psmachine.dll
C:\Program Files\GUM7332.tmp\psmachine_64.dll
C:\Program Files\GUM7332.tmp\psuser.dll
C:\Program Files\GUM7332.tmp\psuser_64.dll
Behavior description: Create executable file
details:C:\Program Files\GUM7332.tmp\GoogleUpdate.exe
C:\Program Files\GUM7332.tmp\GoogleCrashHandler.exe
C:\Program Files\GUM7332.tmp\goopdate.dll
C:\Program Files\GUM7332.tmp\npGoogleUpdate3.dll
C:\Program Files\GUM7332.tmp\GoogleUpdateBroker.exe
C:\Program Files\GUM7332.tmp\GoogleUpdateOnDemand.exe
C:\Program Files\GUM7332.tmp\GoogleUpdateComRegisterShell64.exe
C:\Program Files\GUM7332.tmp\GoogleUpdateWebPlugin.exe
C:\Program Files\GUM7332.tmp\psmachine.dll
C:\Program Files\GUM7332.tmp\psmachine_64.dll
C:\Program Files\GUM7332.tmp\psuser.dll
C:\Program Files\GUM7332.tmp\psuser_64.dll
C:\Program Files\GUM7332.tmp\GoogleCrashHandler64.exe
C:\Program Files\GUM7332.tmp\GoogleUpdateCore.exe
C:\Program Files\GUM7332.tmp\goopdateres_am.dll
Behavior description: Copy file
details:C:\Users\Administrator\AppData\Local\%temp%\b70c.exe ---> C:\Program Files\GUM7332.tmp\GoogleUpdateSetup.exe
C:\Program Files\GUM7332.tmp\GoogleUpdate.exe ---> C:\Program Files\Google\Update\1.3.33.7\GoogleUpdate.exe
C:\Program Files\GUM7332.tmp\goopdate.dll ---> C:\Program Files\Google\Update\1.3.33.7\goopdate.dll
C:\Program Files\GUM7332.tmp\GoogleUpdateCore.exe ---> C:\Program Files\Google\Update\1.3.33.7\GoogleUpdateCore.exe
C:\Program Files\GUM7332.tmp\GoogleCrashHandler.exe ---> C:\Program Files\Google\Update\1.3.33.7\GoogleCrashHandler.exe
C:\Program Files\GUM7332.tmp\GoogleCrashHandler64.exe ---> C:\Program Files\Google\Update\1.3.33.7\GoogleCrashHandler64.exe
C:\Program Files\GUM7332.tmp\GoogleUpdateComRegisterShell64.exe ---> C:\Program Files\Google\Update\1.3.33.7\GoogleUpdateComRegisterShell64.exe
C:\Program Files\GUM7332.tmp\goopdateres_am.dll ---> C:\Program Files\Google\Update\1.3.33.7\goopdateres_am.dll
C:\Program Files\GUM7332.tmp\goopdateres_ar.dll ---> C:\Program Files\Google\Update\1.3.33.7\goopdateres_ar.dll
C:\Program Files\GUM7332.tmp\goopdateres_bg.dll ---> C:\Program Files\Google\Update\1.3.33.7\goopdateres_bg.dll
C:\Program Files\GUM7332.tmp\goopdateres_bn.dll ---> C:\Program Files\Google\Update\1.3.33.7\goopdateres_bn.dll
C:\Program Files\GUM7332.tmp\goopdateres_ca.dll ---> C:\Program Files\Google\Update\1.3.33.7\goopdateres_ca.dll
C:\Program Files\GUM7332.tmp\goopdateres_cs.dll ---> C:\Program Files\Google\Update\1.3.33.7\goopdateres_cs.dll
C:\Program Files\GUM7332.tmp\goopdateres_da.dll ---> C:\Program Files\Google\Update\1.3.33.7\goopdateres_da.dll
C:\Program Files\GUM7332.tmp\goopdateres_de.dll ---> C:\Program Files\Google\Update\1.3.33.7\goopdateres_de.dll
Behavior description: Delete file
details:C:\Program Files\GUM7332.tmp
C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb
Behavior description: Search for file
details:FileName = C:\Program Files\GUM7332.tmp
FileName = C:\Program Files\GUM7332.tmp\*.*
FileName = C:\Program Files\Google
FileName = C:\Program Files\Google\Update
FileName = C:\Program Files\Google\Update\*.*
FileName = C:\Program Files\Google\Update\Download\*
FileName = C:\Program Files\Google\Update\Install\*.*
FileName = C:\Users\Administrator
Behavior description: Set special folder attributes
details:C:\Users\Administrator\AppData\Local\Microsoft\Windows\Burn\Burn
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
Behavior description: Modify file contents
details:C:\Program Files\GUT7333.tmp ---> Offset = 0
C:\Program Files\GUM7332.tmp\GoogleUpdate.exe ---> Offset = 0
C:\Program Files\GUM7332.tmp\GoogleCrashHandler.exe ---> Offset = 0
C:\Program Files\GUM7332.tmp\GoogleCrashHandler.exe ---> Offset = 262144
C:\Program Files\GUM7332.tmp\goopdate.dll ---> Offset = 0
C:\Program Files\GUM7332.tmp\goopdate.dll ---> Offset = 262144
C:\Program Files\GUM7332.tmp\goopdate.dll ---> Offset = 524288
C:\Program Files\GUM7332.tmp\goopdate.dll ---> Offset = 786432
C:\Program Files\GUM7332.tmp\goopdate.dll ---> Offset = 1048576
C:\Program Files\GUM7332.tmp\npGoogleUpdate3.dll ---> Offset = 0
C:\Program Files\GUM7332.tmp\npGoogleUpdate3.dll ---> Offset = 262144
C:\Program Files\GUM7332.tmp\npGoogleUpdate3.dll ---> Offset = 524288
C:\Program Files\GUM7332.tmp\GoogleUpdateHelper.msi ---> Offset = 0
C:\Program Files\GUM7332.tmp\GoogleUpdateBroker.exe ---> Offset = 0
C:\Program Files\GUM7332.tmp\GoogleUpdateOnDemand.exe ---> Offset = 0
Network behavior
Behavior description: Connect to specified site
details:WinHttpConnect: ServerName = up****om, PORT = 443, UserName = , Password = , hSession = 0x002fb800, hConnect = 0x003123f8, Flags = 0x00000000
WinHttpConnect: ServerName = up****om, PORT = 443, UserName = , Password = , hSession = 0x00505750, hConnect = 0x0051bd68, Flags = 0x00000000
WinHttpConnect: ServerName = up****om, PORT = 80, UserName = , Password = , hSession = 0x002fb800, hConnect = 0x003123f8, Flags = 0x00000000
WinHttpConnect: ServerName = up****om, PORT = 80, UserName = , Password = , hSession = 0x00505750, hConnect = 0x0051bd68, Flags = 0x00000000
WinHttpConnect: ServerName = up****om, PORT = 443, UserName = , Password = , hSession = 0x00289b50, hConnect = 0x00296fe0, Flags = 0x00000000
WinHttpConnect: ServerName = up****om, PORT = 443, UserName = , Password = , hSession = 0x00289b50, hConnect = 0x0029cd80, Flags = 0x00000000
WinHttpConnect: ServerName = up****om, PORT = 80, UserName = , Password = , hSession = 0x00289b50, hConnect = 0x002a1be8, Flags = 0x00000000
WinHttpConnect: ServerName = up****om, PORT = 443, UserName = , Password = , hSession = 0x00505750, hConnect = 0x004f0c18, Flags = 0x00000000
WinHttpConnect: ServerName = up****om, PORT = 80, UserName = , Password = , hSession = 0x00505750, hConnect = 0x004f0c18, Flags = 0x00000000
Behavior description: Open HTTP request
details:WinHttpOpenRequest: up****om:443/service/update2, hConnect = 0x003123f8, hRequest = 0x0031c9c0, Verb: POST, Referer: , Flags = 0x00800100
WinHttpOpenRequest: up****om:443/service/update2?cup2key=7:1133660464&cup2hreq=bfd0e67c8957f6e0edf6aa751254b23b65b99e813bb735f2127de1aaa9218bdd, hConnect = 0x0051bd68, hRequest = 0x00518458, Verb: POST, Referer: , Flags = 0x00800100
WinHttpOpenRequest: up****om:443/service/update2?cup2key=7:1243160190&cup2hreq=bfd0e67c8957f6e0edf6aa751254b23b65b99e813bb735f2127de1aaa9218bdd, hConnect = 0x0051bd68, hRequest = 0x00517cb0, Verb: POST, Referer: , Flags = 0x00800100
WinHttpOpenRequest: up****om:80/service/update2, hConnect = 0x003123f8, hRequest = 0x00324950, Verb: POST, Referer: , Flags = 0x00000100
WinHttpOpenRequest: up****om:80/service/update2, hConnect = 0x003123f8, hRequest = 0x003223b8, Verb: POST, Referer: , Flags = 0x00000100
WinHttpOpenRequest: up****om:443/service/update2?cup2key=7:3943748031&cup2hreq=bfd0e67c8957f6e0edf6aa751254b23b65b99e813bb735f2127de1aaa9218bdd, hConnect = 0x0051bd68, hRequest = 0x00517cb0, Verb: POST, Referer: , Flags = 0x00800100
WinHttpOpenRequest: up****om:443/service/update2?cup2key=7:3597714823&cup2hreq=bfd0e67c8957f6e0edf6aa751254b23b65b99e813bb735f2127de1aaa9218bdd, hConnect = 0x0051bd68, hRequest = 0x00517cb0, Verb: POST, Referer: , Flags = 0x00800100
WinHttpOpenRequest: up****om:80/service/update2?cup2key=7:1823118653&cup2hreq=bfd0e67c8957f6e0edf6aa751254b23b65b99e813bb735f2127de1aaa9218bdd, hConnect = 0x0051bd68, hRequest = 0x00518810, Verb: POST, Referer: , Flags = 0x00000100
WinHttpOpenRequest: up****om:80/service/update2?cup2key=7:363987040&cup2hreq=bfd0e67c8957f6e0edf6aa751254b23b65b99e813bb735f2127de1aaa9218bdd, hConnect = 0x0051bd68, hRequest = 0x00518458, Verb: POST, Referer: , Flags = 0x00000100
WinHttpOpenRequest: up****om:80/service/update2, hConnect = 0x003123f8, hRequest = 0x0031c4c8, Verb: POST, Referer: , Flags = 0x00000100
WinHttpOpenRequest: up****om:80/service/update2?cup2key=7:1073551001&cup2hreq=bfd0e67c8957f6e0edf6aa751254b23b65b99e813bb735f2127de1aaa9218bdd, hConnect = 0x0051bd68, hRequest = 0x00518458, Verb: POST, Referer: , Flags = 0x00000100
WinHttpOpenRequest: up****om:80/service/update2?cup2key=7:645015916&cup2hreq=bfd0e67c8957f6e0edf6aa751254b23b65b99e813bb735f2127de1aaa9218bdd, hConnect = 0x0051bd68, hRequest = 0x00518458, Verb: POST, Referer: , Flags = 0x00000100
WinHttpOpenRequest: up****om:443/service/update2, hConnect = 0x00296fe0, hRequest = 0x002970c8, Verb: POST, Referer: , Flags = 0x00800100
WinHttpOpenRequest: up****om:443/service/update2, hConnect = 0x0029cd80, hRequest = 0x00294e68, Verb: POST, Referer: , Flags = 0x00800100
WinHttpOpenRequest: up****om:443/service/update2, hConnect = 0x0029cd80, hRequest = 0x002a4c30, Verb: POST, Referer: , Flags = 0x00800100
Behavior description: Resolve host address by name
details:GetAddrInfoW: up****om
Registry behavior
Behavior description: Modify registry
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-*\RefCount
\REGISTRY\MACHINE\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\usagestats
\REGISTRY\MACHINE\SOFTWARE\Google\Update\path
\REGISTRY\MACHINE\SOFTWARE\Google\Update\UninstallCmdLine
\REGISTRY\MACHINE\SOFTWARE\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}\pv
\REGISTRY\MACHINE\SOFTWARE\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}\name
\REGISTRY\MACHINE\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\pv
\REGISTRY\MACHINE\SOFTWARE\Google\Update\uid
\REGISTRY\MACHINE\SOFTWARE\Google\Update\uid-create-time
\REGISTRY\MACHINE\SOFTWARE\Google\Update\uid-num-rotations
\REGISTRY\MACHINE\SOFTWARE\Google\Update\uid\CAAnSImA
\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\
\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GoogleUpdate.exe\AppID
\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\LocalService
\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\ServiceParameters
Behavior description: Delete registry value
details:\REGISTRY\MACHINE\SOFTWARE\Google\Update\eulaaccepted
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures\GoogleUpdateTaskMachineCore.job
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures\GoogleUpdateTaskMachineCore.job.fp
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\StagingInfo\Volume{21405768-cb87-11e4-8598-806e6f6e6963}\DriveNumber
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\CD Recorder Drive
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures\GoogleUpdateTaskMachineUA.job
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures\GoogleUpdateTaskMachineUA.job.fp
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures\GoogleUpdateTask.job
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures\GoogleUpdateTask.job.fp
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures\GoogleUpdateTaskMachine.job
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures\GoogleUpdateTaskMachine.job.fp
\REGISTRY\MACHINE\SOFTWARE\Google\Update\mi
\REGISTRY\MACHINE\SOFTWARE\Google\Update\ui
\REGISTRY\MACHINE\SOFTWARE\Google\Update\LastChecked
\REGISTRY\MACHINE\SOFTWARE\Google\Update\LastCodeRedCheck
Behavior description: Modify registry (image hijack, Image File Execution Options)
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe\DisableExceptionChainValidation
Behavior description: Delete registry key
details:\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GoogleUpdate.exe\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{80CEDA75-4539-45AF-AA3E-8C4B2BF73774}\InprocHandler32\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{80CEDA75-4539-45AF-AA3E-8C4B2BF73774}\
\REGISTRY\MACHINE\SOFTWARE\Google\Update\PersistedPings\{4656EBD9-0D26-4976-875F-045E410A51C3}\
\REGISTRY\MACHINE\SOFTWARE\Google\Update\PersistedPings\{0B02CF8B-9817-457C-A62A-2160C23060A3}\
Other behavior
Behavior description: Set object security information
details:MACHINE\Software\Google\Update\ClientStateMedium\
Behavior description: Create mutex
details:Global\G{D19BAF17-7C87-467E-8D63-6C4B1C836373}
Global\G{A9A86B93-B54E-4570-BE89-42418507707B}
Global\G{C68009EA-1163-4498-8E93-D5C4E317D8CE}
CDBurnNotify
Global\CDBurnExclusive
Global\G{6885AE8E-C070-458d-9711-37B9BEAB65F6}
Global\G{66CC0160-ABB3-4066-AE47-1CA6AD5065C8}
Global\G{0A175FBE-AEEC-4fea-855A-2AA549A88846}
Behavior description: Hide specified window
details:[Window,Class] = [,CaptionButton]
[Window,Class] = [,msctls_progress32]
[Window,Class] = [,Static]
[Window,Class] = [,Button]
[Window,Class] = [,SysAnimate32]
[Window,Class] = [正在连网...,Static]
Behavior description: Detect whether it is being debugged
details:IsDebuggerPresent
Behavior description: Find specified window
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behavior description: Start system service
details:[服务启动成功]: NT AUTHORITY\LocalService, WinHTTP Web Proxy Auto-Discovery Service, C:\Windows\system32\svchost.exe -k LocalService
Behavior description: Window information
details:Pid = 2104, Hwnd=0x101be, Text = 准备就绪…, ClassName = Static.
Pid = 2104, Hwnd=0x301ac, Text = Google Chrome安装程序, ClassName = #32770.
Behavior description: Get TickCount value
details:TickCount = 224781, SleepMilliseconds = 60000.
TickCount = 224843, SleepMilliseconds = 60000.
TickCount = 251640, SleepMilliseconds = 60000.
TickCount = 281640, SleepMilliseconds = 60000.
Behavior description: Adjust process token privileges
details:SE_DEBUG_PRIVILEGE
SE_SHUTDOWN_PRIVILEGE
SE_MANAGE_VOLUME_PRIVILEGE
SE_ASSIGNPRIMARYTOKEN_PRIVILEGE
SE_AUDIT_PRIVILEGE
Behavior description: Open event
details:HookSwitchHookEnabledEvent
\KernelObjects\MaximumCommitCondition
Local\MSCTF.CtfActivated.Default1
Local\MSCTF.AsmCacheReady.Default1
Global\SvcctrlStartEvent_A3752DX
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
MSFT.VSA.COM.DISABLE.2104
MSFT.VSA.IEC.STATUS.6c736db0
Global\G{A0C1F415-D2CE-4ddc-9B48-14E56FD55162}
MSFT.VSA.COM.DISABLE.3020
MSFT.VSA.COM.DISABLE.3480
Global\TermSrvReadyEvent
{A1965210-3A9D-4bca-822B-433645B3F5A2}
Behavior description: Executable file signature information
details:C:\Program Files\GUM7332.tmp\GoogleCrashHandler.exe(签名验证: 通过)
C:\Program Files\GUM7332.tmp\GoogleUpdate.exe(签名验证: 通过)
C:\Program Files\GUM7332.tmp\goopdate.dll(签名验证: 通过)
C:\Program Files\GUM7332.tmp\npGoogleUpdate3.dll(签名验证: 通过)
C:\Program Files\GUM7332.tmp\goopdateres_zh-TW.dll(签名验证: 通过)
C:\Program Files\GUM7332.tmp\GoogleUpdateOnDemand.exe(签名验证: 通过)
C:\Program Files\GUM7332.tmp\GoogleUpdateComRegisterShell64.exe(签名验证: 通过)
C:\Program Files\GUM7332.tmp\GoogleUpdateWebPlugin.exe(签名验证: 通过)
C:\Program Files\GUM7332.tmp\psmachine.dll(签名验证: 通过)
C:\Program Files\GUM7332.tmp\psmachine_64.dll(签名验证: 通过)
C:\Program Files\GUM7332.tmp\psuser.dll(签名验证: 通过)
C:\Program Files\GUM7332.tmp\psuser_64.dll(签名验证: 通过)
C:\Program Files\GUM7332.tmp\goopdateres_am.dll(签名验证: 通过)
C:\Program Files\GUM7332.tmp\GoogleUpdateCore.exe(签名验证: 通过)
C:\Program Files\GUM7332.tmp\goopdateres_ar.dll(签名验证: 通过)
Behavior description: Call Sleep function
details:[1]: MilliSeconds = 60000.
Behavior description: Create event object
details:EventName = Global\G{A0C1F415-D2CE-4ddc-9B48-14E56FD55162}
EventName = Global\G{4917B195-8527-4478-9BB2-A8CE22A4C933}
Behavior description: Executable file MD5
details:C:\Program Files\GUM7332.tmp\GoogleCrashHandler.exe ---> 900236357482b00944826354eec6b93f
C:\Program Files\GUM7332.tmp\GoogleUpdate.exe ---> 605ccc9ce1839bc5583017df7cae27a6
C:\Program Files\GUM7332.tmp\goopdate.dll ---> 2a8fb43f59128572bc2d118a481a9a56
C:\Program Files\GUM7332.tmp\npGoogleUpdate3.dll ---> 6745b601d1f1fab82c7af08b20250d85
C:\Program Files\GUM7332.tmp\GoogleUpdateBroker.exe ---> b66afe93f1027ab16b15bf73719305d4
C:\Program Files\GUM7332.tmp\GoogleUpdateOnDemand.exe ---> 853aca39e3b789c10cec2443fe5a3999
C:\Program Files\GUM7332.tmp\GoogleUpdateComRegisterShell64.exe ---> 3a722ea9c93b76eecb85b8f185c95274
C:\Program Files\GUM7332.tmp\GoogleUpdateWebPlugin.exe ---> 98e06e321c2802d5191955368fcc2c31
C:\Program Files\GUM7332.tmp\psmachine.dll ---> 14abf200577fc4227993d49716f9068a
C:\Program Files\GUM7332.tmp\psmachine_64.dll ---> 5a5025db4f2903718ad43954dc0626cc
C:\Program Files\GUM7332.tmp\psuser.dll ---> f16d495c65b5aa0c0e05919e642199e6
C:\Program Files\GUM7332.tmp\psuser_64.dll ---> e807da3e8462d3b26e0016004707e604
C:\Program Files\GUM7332.tmp\GoogleCrashHandler64.exe ---> f107219b133e7e574da052c5c88ffbf3
C:\Program Files\GUM7332.tmp\goopdateres_bg.dll ---> 07a9dcabc704ea2250ea561c2fb9a71c
C:\Program Files\GUM7332.tmp\goopdateres_bn.dll ---> 8e2c61285c967c8a9bc977e6c69f4401
Behavior description: Open mutex
details:Local\MSCTF.Asm.MutexDefault1
CDBurnNotify
Global\CDBurnExclusive
Local\_!MSFTHISTORY!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!
Behavior description: Create system service
details:[服务创建成功]: gupdate, "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc
[服务创建成功]: gupdatem, "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc
Behavior description: Load newly dropped file
details:Image: C:\Program Files\GUM7332.tmp\GoogleUpdate.exe.
Image: C:\Program Files\GUM7332.tmp\goopdate.dll.
Image: C:\Program Files\GUM7332.tmp\goopdateres_zh-CN.dll.
Image: C:\Program Files\Google\Update\GoogleUpdate.exe.
Image: C:\Program Files\Google\Update\1.3.33.7\goopdate.dll.
Image: C:\Program Files\Google\Update\1.3.33.7\goopdateres_zh-CN.dll.
Image: C:\Program Files\Google\Update\1.3.33.7\psmachine.dll.
Image: C:\Program Files\Google\Update\1.3.33.7\npGoogleUpdate3.dll.