VirSCAN VirSCAN

File information
Security rating:82
Behavior list
Basic information
MD5:ce026961baeb63ac43d30e42312b3b9b
File type:EXE
Vendor:
Version:2017.7.6.0
Shell or compiler information:PACKER:UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]
Secondary file information:DiscUtils.dll / d7e2b71dd7a111e9e88f8e9677060fbc / DLL
imdisk.cpl / a69179a0a6f84e9eed222beed368f020 / DLL
imdisk.cpl / 085a36ed3c2cfe0908dfb74118ba7467 / DLL
upx_c_a026d9f0dumpFile / 55dda53e4411edddc9ff684fef1ff60b / EXE
RamDiskUI.exe / 58ac714ee4649d8b745e7ed32d4aa17b / EXE
config.exe / 648dfe058c3ee2ca026ed8b08f66d818 / EXE
MountImg.exe / 13ed51f4a025872a83ec1ee2657a40e0 / EXE
imdisk.exe / 0b8723efa9824026463eb49c707d6e99 / EXE
imdisk.exe / b077e2526442f5179e7d36daa8eb362b / EXE
imdisk.sys / 85e0e6a2e0ff7c2ea46a0ebc9af0e628 / SYS
ImDisk-Dlg.exe / e7b95cc2b188a54bbbb285bf81b786d0 / EXE
imdisk.sys / 84bc9bea3de40191ad70227df7ce36c7 / SYS
ImDiskNet.dll / 68d5d618f26ff4e424998c26459c1c6e / DLL
DevioNet.dll / fcec9b33e924440e1c18efae5b347bad / DLL
french.txt / 037d5fac605e5d7bb3a79959c09b3635 / Unknown
spanish.txt / f1c71ec498656c3fe468f7dfb0a235b0 / Unknown
german.txt / 761954c2e4f25ab55387e1d0f0529ae5 / Unknown
russian.txt / e8e2ef060e73bd5e6ae5591cbc5469ad / Unknown
swedish.txt / 5628d6a1e0ff9bf35e195763f23033e6 / Unknown
Key behavior
Behavior description:Loads driver (standard method)
More information:system32\DRIVERS\awealloc.sys
system32\DRIVERS\imdisk.sys
Behavior description:Reads CPU clock directly
More information:EAX = 0xab848d67, EDX = 0x000000b6
Behavior description:Creates files on the desktop
More information:C:\Documents and Settings\Administrator\桌面\ImDisk Virtual Disk Driver.lnk
C:\Documents and Settings\Administrator\桌面\Mount Image File.lnk
C:\Documents and Settings\Administrator\桌面\RamDisk Configuration.lnk
Behavior description:Creates system services
More information:[服务创建成功]: AWEAlloc, system32\DRIVERS\awealloc.sys
[服务创建成功]: ImDisk, system32\DRIVERS\imdisk.sys
[服务创建成功]: ImDskSvc, %SystemRoot%\system32\imdsksvc.exe
Behavior description:Modifies registry (startup entries)
More information:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv
Process behavior
Behavior description:Creates process with hidden window
More information:ImagePath = , CmdLine = rundll32 setupapi.dll,InstallHinfSection DefaultInstall 128 driver\imdisk.inf
ImagePath = , CmdLine = reg copy HKLM\SOFTWARE\ImDisk\DriverBackup HKLM\SYSTEM\CurrentControlSet\Services\ImDisk\Parameters /f
Behavior description:Creates process
More information:[0x00000fd8]ImagePath = C:\WINDOWS\system32\rundll32.exe, CmdLine = rundll32 setupapi.dll,InstallHinfSection DefaultInstall 128 driver\imdisk.inf
[0x000007d8]ImagePath = C:\WINDOWS\system32\runonce.exe, CmdLine = runonce -r
[0x000003ec]ImagePath = C:\WINDOWS\system32\grpconv.exe, CmdLine = "C:\WINDOWS\system32\grpconv.exe" -o
[0x000000c0]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg copy HKLM\SOFTWARE\ImDisk\DriverBackup HKLM\SYSTEM\CurrentControlSet\Services\ImDisk\Parameters /f
Behavior description:Creates process from newly created file
More information:[0x00000f90]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zB6AB848D67\config.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zB6AB848D67\config.exe"
[0x00000774]ImagePath = C:\WINDOWS\system32\imdsksvc.exe, CmdLine = C:\WINDOWS\system32\imdsksvc.exe
Behavior description:Creates local thread
More information:TargetProcess: config.exe, InheritedFromPID = 3608, ProcessID = 3984, ThreadID = 4048, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: rundll32.exe, InheritedFromPID = 3984, ProcessID = 4056, ThreadID = 4088, StartAddress = 77C0A1D7, Parameter = 008244D0
TargetProcess: rundll32.exe, InheritedFromPID = 3984, ProcessID = 4056, ThreadID = 4092, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: rundll32.exe, InheritedFromPID = 3984, ProcessID = 4056, ThreadID = 1924, StartAddress = 7C930230, Parameter = 00000000
TargetProcess: rundll32.exe, InheritedFromPID = 3984, ProcessID = 4056, ThreadID = 1940, StartAddress = 7C949B6F, Parameter = 00000000
TargetProcess: rundll32.exe, InheritedFromPID = 3984, ProcessID = 4056, ThreadID = 112, StartAddress = 765E964D, Parameter = 000E05F0
TargetProcess: imdsksvc.exe, InheritedFromPID = 652, ProcessID = 1908, ThreadID = 1420, StartAddress = 77DC3519, Parameter = 000C6170
File behavior
Behavior description:Creates file
More information:C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\cp.lnk
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\cpl\amd64\imdisk.cpl
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\cpl\i386\imdisk.cpl
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\cpl\imdisk.cpl.manifest
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\gpl.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\imdisk.inf
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\install.cmd
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\readme.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\uninstall_imdisk.cmd
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\lang\english.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\lang\french.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\lang\german.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\lang\russian.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\lang\spanish.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\lang\swedish.txt
Behavior description:Drops links or shortcuts in sensitive system locations (e.g. the Start menu)
More information:C:\Documents and Settings\Administrator\「开始」菜单\程序\ImDisk\Uninstall.lnk
C:\Documents and Settings\Administrator\「开始」菜单\程序\ImDisk\General Settings.lnk
C:\Documents and Settings\Administrator\「开始」菜单\程序\ImDisk\Home page.url
C:\Documents and Settings\Administrator\「开始」菜单\程序\ImDisk\ImDisk Virtual Disk Driver.lnk
C:\Documents and Settings\Administrator\「开始」菜单\程序\ImDisk\Mount Image File.lnk
C:\Documents and Settings\Administrator\「开始」菜单\程序\ImDisk\RamDisk Configuration.lnk
Behavior description:Creates executable file
More information:C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\cpl\amd64\imdisk.cpl
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\cpl\i386\imdisk.cpl
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\config.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\DevioNet.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\DiscUtils.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\DiscUtilsDevio.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\awealloc\amd64\awealloc.sys
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\cli\amd64\imdisk.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\cli\i386\imdisk.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\msgboxw.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\runwaitw.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\svc\amd64\imdsksvc.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\svc\i386\imdsksvc.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\sys\amd64\imdisk.sys
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\ImDisk-Dlg.exe
Behavior description:Searches for file
More information:FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zB6AB848D67\cp.lnk
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zB6AB848D67\driver\cpl\amd64\imdisk.cpl
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zB6AB848D67\driver\cpl\i386\imdisk.cpl
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zB6AB848D67\driver\cpl\imdisk.cpl.manifest
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zB6AB848D67\driver\gpl.txt
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zB6AB848D67\driver\imdisk.inf
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zB6AB848D67\driver\install.cmd
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zB6AB848D67\driver\readme.txt
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zB6AB848D67\driver\uninstall_imdisk.cmd
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zB6AB848D67\lang\english.txt
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zB6AB848D67\lang\french.txt
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zB6AB848D67\lang\german.txt
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zB6AB848D67\lang\russian.txt
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zB6AB848D67\lang\spanish.txt
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zB6AB848D67\lang\swedish.txt
Behavior description:Copies file
More information:lang.txt ---> C:\Program Files\ImDisk\lang.txt
ImDisk-Dlg.exe ---> C:\Program Files\ImDisk\ImDisk-Dlg.exe
config.exe ---> C:\Program Files\ImDisk\config.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zB6AB848D67\driver\awealloc\i386\awealloc.sys ---> C:\WINDOWS\system32\DRIVERS\SET5.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zB6AB848D67\driver\sys\i386\imdisk.sys ---> C:\WINDOWS\system32\DRIVERS\SET6.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zB6AB848D67\driver\cli\i386\imdisk.exe ---> C:\WINDOWS\system32\SET7.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zB6AB848D67\driver\cpl\i386\imdisk.cpl ---> C:\WINDOWS\system32\SET8.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zB6AB848D67\driver\cpl\imdisk.cpl.manifest ---> C:\WINDOWS\system32\SET9.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zB6AB848D67\driver\svc\i386\imdsksvc.exe ---> C:\WINDOWS\system32\SETA.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zB6AB848D67\driver\uninstall_imdisk.cmd ---> C:\WINDOWS\system32\SETB.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zB6AB848D67\driver\imdisk.inf ---> C:\WINDOWS\INF\SETE.tmp
cp.lnk ---> C:\Documents and Settings\Administrator\「开始」菜单\程序\ImDisk\ImDisk Virtual Disk Driver.lnk
C:\Documents and Settings\Administrator\「开始」菜单\程序\ImDisk\ImDisk Virtual Disk Driver.lnk ---> C:\Documents and Settings\Administrator\桌面\ImDisk Virtual Disk Driver.lnk
DiscUtils.dll ---> C:\Program Files\ImDisk\DiscUtils.dll
DiscUtilsDevio.exe ---> C:\Program Files\ImDisk\DiscUtilsDevio.exe
Behavior description:Deletes file
More information:C:\WINDOWS\inf\oem15.inf
C:\WINDOWS\system32\drivers\SET5.tmp
C:\WINDOWS\system32\drivers\SET6.tmp
C:\WINDOWS\system32\SET7.tmp
C:\WINDOWS\system32\SET8.tmp
C:\WINDOWS\system32\SET9.tmp
C:\WINDOWS\system32\SETA.tmp
C:\WINDOWS\system32\SETB.tmp
C:\WINDOWS\inf\SETE.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\cp.lnk
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\DevioNet.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\DiscUtils.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\DiscUtilsDevio.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\awealloc\amd64\awealloc.sys
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\awealloc\i386\awealloc.sys
Behavior description:Creates files on the desktop
More information:C:\Documents and Settings\Administrator\桌面\ImDisk Virtual Disk Driver.lnk
C:\Documents and Settings\Administrator\桌面\Mount Image File.lnk
C:\Documents and Settings\Administrator\桌面\RamDisk Configuration.lnk
Behavior description:Renames file
More information:C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\lang\english.txt ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zB6AB848D67\lang.txt
C:\WINDOWS\LastGood\TMP3.tmp ---> C:\WINDOWS\LastGood\INF\oem15.inf
C:\WINDOWS\LastGood\TMP4.tmp ---> C:\WINDOWS\LastGood\INF\oem15.PNF
C:\WINDOWS\system32\drivers\SET5.tmp ---> C:\WINDOWS\system32\DRIVERS\awealloc.sys
C:\WINDOWS\system32\drivers\SET6.tmp ---> C:\WINDOWS\system32\DRIVERS\imdisk.sys
C:\WINDOWS\system32\SET7.tmp ---> C:\WINDOWS\system32\imdisk.exe
C:\WINDOWS\system32\SET8.tmp ---> C:\WINDOWS\system32\imdisk.cpl
C:\WINDOWS\system32\SET9.tmp ---> C:\WINDOWS\system32\imdisk.cpl.manifest
C:\WINDOWS\system32\SETA.tmp ---> C:\WINDOWS\system32\imdsksvc.exe
C:\WINDOWS\system32\SETB.tmp ---> C:\WINDOWS\system32\uninstall_imdisk.cmd
C:\WINDOWS\LastGood\TMPC.tmp ---> C:\WINDOWS\LastGood\INF\imdisk.inf
C:\WINDOWS\LastGood\TMPD.tmp ---> C:\WINDOWS\LastGood\INF\imdisk.PNF
C:\WINDOWS\inf\SETE.tmp ---> C:\WINDOWS\INF\imdisk.inf
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\RamDyn32.exe ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zB6AB848D67\RamDyn.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\ImDiskTk-svc32.exe ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zB6AB848D67\ImDiskTk-svc.exe
Behavior description:Modifies file content
More information:C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\cp.lnk ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\cpl\amd64\imdisk.cpl ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\cpl\i386\imdisk.cpl ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\cpl\imdisk.cpl.manifest ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\gpl.txt ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\imdisk.inf ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\install.cmd ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\readme.txt ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\uninstall_imdisk.cmd ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\lang\english.txt ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\lang\french.txt ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\lang\german.txt ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\lang\russian.txt ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\lang\spanish.txt ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\lang\swedish.txt ---> Offset = 0
Registry behavior
Behavior description:Modifies registry
More information:\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7zB6AB848D67\config.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ImDiskApp\DisplayIcon
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ImDiskApp\DisplayName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ImDiskApp\DisplayVersion
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ImDiskApp\EstimatedSize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ImDiskApp\UninstallString
\REGISTRY\MACHINE\SYSTEM\LastKnownGoodRecovery\LastGood\INF/oem15.inf
\REGISTRY\MACHINE\SYSTEM\LastKnownGoodRecovery\LastGood\INF/oem15.PNF
\REGISTRY\MACHINE\SYSTEM\LastKnownGoodRecovery\LastGood\INF/imdisk.inf
\REGISTRY\MACHINE\SYSTEM\LastKnownGoodRecovery\LastGood\INF/imdisk.PNF
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ImDisk\DisplayName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ImDisk\Publisher
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ImDisk\HelpLink
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ImDisk\DisplayVersion
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ImDisk\UninstallString
Behavior description:Deletes registry value
More information:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ImDisk_notif
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ImDisk\DisplayName
Behavior description:Modifies registry (startup entries)
More information:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv
Other behavior
Behavior description:Creates mutex
More information:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
MSCTF.Shared.MUTEX.IOH
MSCTF.Shared.MUTEX.MNP
MSCTF.Shared.MUTEX.EJP
Behavior description:Hides specified window
More information:[Window,Class] = [,ComboLBox]
Behavior description:Loads driver (standard method)
More information:system32\DRIVERS\awealloc.sys
system32\DRIVERS\imdisk.sys
Behavior description:Opens mutex
More information:Local\!IETld!Mutex
ShimCacheMutex
Behavior description:Searches for specified window
More information:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [OleMainThreadWndClass,]
Behavior description:Starts system service
More information:[服务启动成功]: LocalSystem, ImDisk Virtual Disk Driver Helper, C:\WINDOWS\system32\imdsksvc.exe
[服务启动成功]: , AWE Memory Allocation Driver, system32\DRIVERS\awealloc.sys
[服务启动成功]: , ImDisk Virtual Disk Driver, system32\DRIVERS\imdisk.sys
Behavior description:Opens event
More information:HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Global\SvcctrlStartEvent_A3752DX
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000011
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000011
Global\crypt32LogoffEvent
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000012
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000012
CTF.ThreadMIConnectionEvent.000007E8.00000001.00000013
CTF.ThreadMarshalInterfaceEvent.000007E8.00000001.00000013
Behavior description:Adjusts process token privileges
More information:SE_LOAD_DRIVER_PRIVILEGE
Behavior description:Window information
More information:Pid = 3984, Hwnd=0x1034a, Text = Welcome to the installer for ImDisk Toolkit., ClassName = Static.
Pid = 3984, Hwnd=0x1034c, Text = This will install the ImDisk Toolkit (build 20170706)., ClassName = Static.
Pid = 3984, Hwnd=0x1034e, Text = Installation folder:, ClassName = Static.
Pid = 3984, Hwnd=0x10350, Text = C:\Program Files\ImDisk, ClassName = Edit.
Pid = 3984, Hwnd=0x10352, Text = ..., ClassName = Button.
Pid = 3984, Hwnd=0x10354, Text = Components , ClassName = Button(GroupBox).
Pid = 3984, Hwnd=0x10356, Text = ImDisk Virtual Disk Driver (required), ClassName = Button(CheckBox).
Pid = 3984, Hwnd=0x10358, Text = DiscUtils library (uses .NET Framework 4), ClassName = Button(CheckBox).
Pid = 3984, Hwnd=0x1035a, Text = RamDisk Configuration Tool, ClassName = Button(CheckBox).
Pid = 3984, Hwnd=0x1035c, Text = Options , ClassName = Button(GroupBox).
Pid = 3984, Hwnd=0x1035e, Text = Enable entries in context menus, ClassName = Button(CheckBox).
Pid = 3984, Hwnd=0x10360, Text = Request administrator rights in Explorer, ClassName = Button(CheckBox).
Pid = 3984, Hwnd=0x10362, Text = Create shortcuts on desktop, ClassName = Button(CheckBox).
Pid = 3984, Hwnd=0x10364, Text = Language:, ClassName = Static.
Pid = 3984, Hwnd=0x10366, Text = english, ClassName = ComboBox.
Behavior description:Executable file signature information
More information:C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\cpl\amd64\imdisk.cpl(签名验证: 通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\cpl\i386\imdisk.cpl(签名验证: 通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\config.exe(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\DevioNet.dll(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\DiscUtils.dll(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\DiscUtilsDevio.exe(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\awealloc\amd64\awealloc.sys(签名验证: 通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\cli\amd64\imdisk.exe(签名验证: 通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\cli\i386\imdisk.exe(签名验证: 通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\msgboxw.exe(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\runwaitw.exe(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\svc\amd64\imdsksvc.exe(签名验证: 通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\svc\i386\imdsksvc.exe(签名验证: 通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\sys\amd64\imdisk.sys(签名验证: 通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\ImDisk-Dlg.exe(签名验证: 未通过)
Behavior description:Creates event object
More information:EventName = Global\userenv: User Profile setup event
EventName = Global\crypt32LogoffEvent
EventName = MSCTF.SendReceive.Event.MNP.IC
EventName = MSCTF.SendReceiveConection.Event.MNP.IC
EventName = MSCTF.SendReceive.Event.EJP.IC
EventName = MSCTF.SendReceiveConection.Event.EJP.IC
Behavior description:Executable file MD5
More information:C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\cpl\amd64\imdisk.cpl ---> a69179a0a6f84e9eed222beed368f020
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\cpl\i386\imdisk.cpl ---> 085a36ed3c2cfe0908dfb74118ba7467
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\config.exe ---> 648dfe058c3ee2ca026ed8b08f66d818
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\DevioNet.dll ---> fcec9b33e924440e1c18efae5b347bad
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\DiscUtils.dll ---> d7e2b71dd7a111e9e88f8e9677060fbc
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\DiscUtilsDevio.exe ---> 10d94ef5328f56c82da9cef84efbda6d
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\awealloc\amd64\awealloc.sys ---> ea8714e533d5a8ffdda4d99abc24bc51
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\cli\amd64\imdisk.exe ---> 0b8723efa9824026463eb49c707d6e99
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\cli\i386\imdisk.exe ---> b077e2526442f5179e7d36daa8eb362b
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\msgboxw.exe ---> ce46f43ff9bd3129a4df6241ac29adaa
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\runwaitw.exe ---> 27b963c1a388f815d6439049b740e362
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\svc\amd64\imdsksvc.exe ---> 80158228bb3d91faa7eb0703d5f5b361
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\svc\i386\imdsksvc.exe ---> 73dcb33604ab86bcd4caa90346d73b49
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\driver\sys\amd64\imdisk.sys ---> 85e0e6a2e0ff7c2ea46a0ebc9af0e628
C:\Documents and Settings\Administrator\Local Settings\Temp\7zB6AB848D67\ImDisk-Dlg.exe ---> e7b95cc2b188a54bbbb285bf81b786d0
Behavior description:Reads CPU clock directly
More information:EAX = 0xab848d67, EDX = 0x000000b6
Behavior description:Creates system services
More information:[服务创建成功]: AWEAlloc, system32\DRIVERS\awealloc.sys
[服务创建成功]: ImDisk, system32\DRIVERS\imdisk.sys
[服务创建成功]: ImDskSvc, %SystemRoot%\system32\imdsksvc.exe