VirSCAN

File information
Safety rating: 30
Behavior list
Basic Information
MD5: 1e3f9fabca77ca6974de76676a380e56
File type: EXE
Production company:
Version:
Shell or compiler information: COMPILER:Borland Delphi 6.0 - 7.0
Key behavior
Behavior description: Modifies existing system EXE files
details:C:\222c25ed\IE8-Setup-Full\installservices.exe
C:\install.exe
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe
C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe
C:\Program Files\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe
C:\Program Files\e\e.exe
C:\Program Files\e\sdk\cpp\tools\guidgen.exe
Behavior description: Sets special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\IETldCache
Behavior description: Kills processes
details:C:\WINDOWS\system32\Mcshield.exe
C:\WINDOWS\system32\VsTskMgr.exe
C:\WINDOWS\system32\naPrdMgr.exe
C:\WINDOWS\system32\UpdaterUI.exe
C:\WINDOWS\system32\TBMon.exe
C:\WINDOWS\system32\scan32.exe
C:\WINDOWS\system32\Ravmond.exe
C:\WINDOWS\system32\CCenter.exe
C:\WINDOWS\system32\RavTask.exe
C:\WINDOWS\system32\Rav.exe
C:\WINDOWS\system32\RavMon.exe
C:\WINDOWS\system32\taskmgr.exe
Behavior description: Sets special file attributes
details:C:\DiskX\setup.exe
C:\DiskD\setup.exe
C:\setup.exe
Behavior description: Creates autorun file in root directory
details:C:\DiskX\autorun.inf
C:\DiskD\autorun.inf
C:\autorun.inf
Behavior description: Gets TickCount value
details:TickCount = 217251, SleepMilliseconds = 1.
TickCount = 218282, SleepMilliseconds = 1.
TickCount = 218297, SleepMilliseconds = 1.
TickCount = 219285, SleepMilliseconds = 20.
TickCount = 220301, SleepMilliseconds = 20.
TickCount = 221301, SleepMilliseconds = 20.
TickCount = 222282, SleepMilliseconds = 1.
TickCount = 223270, SleepMilliseconds = 20.
TickCount = 223348, SleepMilliseconds = 20.
TickCount = 223363, SleepMilliseconds = 20.
TickCount = 223360, SleepMilliseconds = 1.
TickCount = 223376, SleepMilliseconds = 1.
TickCount = 223391, SleepMilliseconds = 1.
TickCount = 223426, SleepMilliseconds = 20.
TickCount = 223441, SleepMilliseconds = 20.
Behavior description: Modifies registry_startup entries
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\svcshare
Process behavior
Behavior description: Creates process with hidden window
details:ImagePath = , CmdLine = cmd.exe /c net share X$ /del /y
ImagePath = , CmdLine = C:\WINDOWS\?劺??吟祊媇魨?湱Q??$?伊?崒5橅鐲?崪溚?Q崒5??$????Q崒5橏?$??E鴭E鴥E?;E衦棆u鄫?3吟祊Ph豦垕?騮;??塇(±n?魞塇∧n?纍兝x堿p±n婬p伭锰烫烫烫烫烫烫烫?U嬱侅WVS3婦$ 纝G婽$髫髭冐?Moders!P?@? C挵x??n?d瓸A穒N硶83浌憖致夤麜AH璯+g读黖_ twere0464e3 EventTrace
ImagePath = , CmdLine = C:\WINDOWS\#type Header 0
ImagePath = , CmdLine = C:\WINDOWS\{
ImagePath = , CmdLine = C:\WINDOWS\ BufferSize, ItemULong
ImagePath = , CmdLine = cmd.exe /c net share D$ /del /y
ImagePath = , CmdLine = C:\WINDOWS\ Version, ItemULong
ImagePath = , CmdLine = C:\WINDOWS\ BuildNumber, ItemULong
ImagePath = , CmdLine = C:\WINDOWS\ NumProc, ItemULong
ImagePath = , CmdLine = C:\WINDOWS\ EndTime, ItemULongLong
ImagePath = , CmdLine = cmd.exe /c net share C$ /del /y
ImagePath = , CmdLine = C:\WINDOWS\ TimerResolution,ItemULong
ImagePath = , CmdLine = C:\WINDOWS\ MaxFileSize, ItemULong
ImagePath = , CmdLine = C:\WINDOWS\ LogFileMode, ItemULongX
ImagePath = , CmdLine = C:\WINDOWS\ BuffersWritten, ItemULong
Behavior description: Creates process
details:[0x00000d84]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /c net share X$ /del /y
[0x00000d8c]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /c net share D$ /del /y
[0x00000d94]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /c net share C$ /del /y
[0x00000da4]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /c net share admin$ /del /y
[0x00000dac]ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net share X$ /del /y
[0x00000db8]ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 share X$ /del /y
[0x00000dc0]ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net share C$ /del /y
[0x00000dfc]ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 share C$ /del /y
[0x00000e04]ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net share admin$ /del /y
[0x00000e0c]ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net share D$ /del /y
[0x00000e18]ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 share admin$ /del /y
[0x00000e20]ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 share D$ /del /y
Behavior description: Creates process from newly created file
details:[0x00000b14]ImagePath = C:\WINDOWS\system32\drivers\spo0lsv.exe, CmdLine = C:\WINDOWS\system32\drivers\spo0lsv.exe
Behavior description: Enumerates processes
details:N/A
Behavior description: Kills processes
details:C:\WINDOWS\system32\Mcshield.exe
C:\WINDOWS\system32\VsTskMgr.exe
C:\WINDOWS\system32\naPrdMgr.exe
C:\WINDOWS\system32\UpdaterUI.exe
C:\WINDOWS\system32\TBMon.exe
C:\WINDOWS\system32\scan32.exe
C:\WINDOWS\system32\Ravmond.exe
C:\WINDOWS\system32\CCenter.exe
C:\WINDOWS\system32\RavTask.exe
C:\WINDOWS\system32\Rav.exe
C:\WINDOWS\system32\RavMon.exe
C:\WINDOWS\system32\taskmgr.exe
Behavior description: Creates local thread
details:TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2700, ThreadID = 2716, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: spo0lsv.exe, InheritedFromPID = 2700, ProcessID = 2836, ThreadID = 2844, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: spo0lsv.exe, InheritedFromPID = 2700, ProcessID = 2836, ThreadID = 2848, StartAddress = 0040A48C, Parameter = 00000000
TargetProcess: spo0lsv.exe, InheritedFromPID = 2700, ProcessID = 2836, ThreadID = 2852, StartAddress = 00403BC8, Parameter = 00CC01C8
TargetProcess: spo0lsv.exe, InheritedFromPID = 2700, ProcessID = 2836, ThreadID = 2856, StartAddress = 00403BC8, Parameter = 00CC01D4
TargetProcess: spo0lsv.exe, InheritedFromPID = 2700, ProcessID = 2836, ThreadID = 2860, StartAddress = 00403BC8, Parameter = 00CC01C8
TargetProcess: spo0lsv.exe, InheritedFromPID = 2700, ProcessID = 2836, ThreadID = 2864, StartAddress = 00403BC8, Parameter = 00CC0270
TargetProcess: spo0lsv.exe, InheritedFromPID = 2700, ProcessID = 2836, ThreadID = 2868, StartAddress = 00403BC8, Parameter = 00CC027C
TargetProcess: spo0lsv.exe, InheritedFromPID = 2700, ProcessID = 2836, ThreadID = 2872, StartAddress = 00403BC8, Parameter = 00CC0288
TargetProcess: spo0lsv.exe, InheritedFromPID = 2700, ProcessID = 2836, ThreadID = 2876, StartAddress = 00403BC8, Parameter = 00CC0294
TargetProcess: spo0lsv.exe, InheritedFromPID = 2700, ProcessID = 2836, ThreadID = 2880, StartAddress = 00403BC8, Parameter = 00CC02A0
TargetProcess: spo0lsv.exe, InheritedFromPID = 2700, ProcessID = 2836, ThreadID = 2884, StartAddress = 00403BC8, Parameter = 00CC02AC
TargetProcess: spo0lsv.exe, InheritedFromPID = 2700, ProcessID = 2836, ThreadID = 2888, StartAddress = 00403BC8, Parameter = 00CC02B8
TargetProcess: spo0lsv.exe, InheritedFromPID = 2700, ProcessID = 2836, ThreadID = 2900, StartAddress = 004061B8, Parameter = 00000000
TargetProcess: spo0lsv.exe, InheritedFromPID = 2700, ProcessID = 2836, ThreadID = 2936, StartAddress = 004061B8, Parameter = 00000000
File behavior
Behavior description: Creates file
details:C:\WINDOWS\system32\drivers\spo0lsv.exe
C:\222c25ed\Desktop_.ini
C:\222c25ed\IE8-Setup-Full\Desktop_.ini
C:\222c25ed\IE8-Setup-Full\log\Desktop_.ini
C:\DiskD\Desktop_.ini
C:\DiskX\Desktop_.ini
C:\Program Files\Desktop_.ini
C:\Program Files\Adobe\Desktop_.ini
C:\Program Files\Adobe\Reader 9.0\Desktop_.ini
C:\Program Files\Adobe\Reader 9.0\Esl\Desktop_.ini
C:\Program Files\Adobe\Reader 9.0\Reader\Desktop_.ini
C:\DiskX\setup.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AIR\Desktop_.ini
C:\DiskD\setup.exe
C:\setup.exe
Behavior description: Modifies existing system EXE files
details:C:\222c25ed\IE8-Setup-Full\installservices.exe
C:\install.exe
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe
C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe
C:\Program Files\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe
C:\Program Files\e\e.exe
C:\Program Files\e\sdk\cpp\tools\guidgen.exe
Behavior description: Creates executable file
details:C:\WINDOWS\system32\drivers\spo0lsv.exe
C:\222c25ed\IE8-Setup-Full\installservices.exe
C:\install.exe
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
C:\DiskX\setup.exe
C:\DiskD\setup.exe
C:\setup.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe
C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe
Behavior description: Overwrites existing file
details:C:\222c25ed\IE8-Setup-Full\installservices.exe
C:\install.exe
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe
C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe
C:\Program Files\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe
C:\Program Files\e\e.exe
C:\Program Files\e\sdk\cpp\tools\guidgen.exe
Behavior description: Copies file
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe ---> C:\WINDOWS\system32\drivers\spo0lsv.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\222c25ed\IE8-Setup-Full\installservices.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\install.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> X:\setup.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> D:\setup.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\setup.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe
Behavior description: Sets special file attributes
details:C:\DiskX\setup.exe
C:\DiskD\setup.exe
C:\setup.exe
Behavior description: Searches for file
details:FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\Desktop_.ini
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\drivers
FileName = C:\WINDOWS\system32\drivers\spo0lsv.exe
FileName = C:\WINDOWS\system32\drivers\Desktop_.ini
FileName = X:\*.*
FileName = D:\*.*
FileName = C:\*.*
FileName = C:\222c25ed\Desktop_.ini
FileName = C:\222c25ed\*.*
FileName = C:\222c25ed\default.reg
FileName = C:\222c25ed\Desktop_.ini-newfile
FileName = C:\222c25ed\Desktop_.ini-samplefile
FileName = C:\222c25ed\IE8-Setup-Full\Desktop_.ini
Behavior description: Creates autorun file in root directory
details:C:\DiskX\autorun.inf
C:\DiskD\autorun.inf
C:\autorun.inf
Behavior description: Sets special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\IETldCache
Behavior description: Modifies file contents
details:C:\WINDOWS\system32\drivers\spo0lsv.exe ---> Offset = 0
C:\WINDOWS\system32\drivers\spo0lsv.exe ---> Offset = 65536
C:\222c25ed\Desktop_.ini ---> Offset = 0
C:\222c25ed\IE8-Setup-Full\Desktop_.ini ---> Offset = 0
C:\222c25ed\IE8-Setup-Full\installservices.exe ---> Offset = 0
C:\222c25ed\IE8-Setup-Full\installservices.exe ---> Offset = 65536
C:\222c25ed\IE8-Setup-Full\installservices.exe ---> Offset = 4096
C:\222c25ed\IE8-Setup-Full\installservices.exe ---> Offset = 8192
C:\222c25ed\IE8-Setup-Full\installservices.exe ---> Offset = 12288
C:\222c25ed\IE8-Setup-Full\installservices.exe ---> Offset = 16384
C:\222c25ed\IE8-Setup-Full\installservices.exe ---> Offset = 98816
C:\222c25ed\IE8-Setup-Full\installservices.exe ---> Offset = 98944
C:\222c25ed\IE8-Setup-Full\installservices.exe ---> Offset = 99072
C:\222c25ed\IE8-Setup-Full\installservices.exe ---> Offset = 99200
C:\222c25ed\IE8-Setup-Full\installservices.exe ---> Offset = 99328
Network behavior
Behavior description: Opens URL over the network
details:InternetOpenUrlA: http://ww****om, hInternet = 0x00cc0004, Flags = 0x84000002
InternetOpenUrlA: http://ww****cn/66/up.txt, hInternet = 0x00cc0004, Flags = 0x84000002
Behavior description: Downloads file
details:URLDownloadToFileW: MZ?l趙飋趙焜趙Y捾w9氝w侉遷钾輜鏥踳)嗊w\庍w╩遷0斑wsals %115s +-----------------------------------------------------------------------------------------------------------------------------------+ | Disk Name Reads Kb Writes Kb %62s +-----------------------------------------------------------------------------------------------------------------------------------+ Threads Process Transaction CPU%% %22s | Launched Used KCPU(ms) UCPU(ms) KCPU(ms) UCPU(ms) %28s +-----------------------------------------------------------------------------------------------------------------------------------+ 0-% Exclusive %54s | Name PID Trans Trans/sec KCPU(ms) UCPU(ms) Process CPU%% CPU%% %20s +-----------------------------------------------------------------------------------------------------------------------------------+ ------------------------------------------------------------------+ | +-----------------------------------------------------------------------------------------------------------------------------------+ | Transaction Trans Minimum Maximum Per Transaction Total CPU%% | |
URLDownloadToFileW: #type Header 0 ---> C:\WINDOWS\#type Header 0
URLDownloadToFileW: { ---> C:\WINDOWS\{
URLDownloadToFileW: BufferSize, ItemULong ---> C:\WINDOWS\ BufferSize, ItemULong
URLDownloadToFileW: Version, ItemULong ---> C:\WINDOWS\ Version, ItemULong
URLDownloadToFileW: BuildNumber, ItemULong ---> C:\WINDOWS\ BuildNumber, ItemULong
URLDownloadToFileW: NumProc, ItemULong ---> C:\WINDOWS\ NumProc, ItemULong
URLDownloadToFileW: EndTime, ItemULongLong ---> C:\WINDOWS\ EndTime, ItemULongLong
URLDownloadToFileW: TimerResolution,ItemULong ---> C:\WINDOWS\ TimerResolution,ItemULong
URLDownloadToFileW: MaxFileSize, ItemULong ---> C:\WINDOWS\ MaxFileSize, ItemULong
URLDownloadToFileW: LogFileMode, ItemULongX ---> C:\WINDOWS\ LogFileMode, ItemULongX
URLDownloadToFileW: BuffersWritten, ItemULong ---> C:\WINDOWS\ BuffersWritten, ItemULong
URLDownloadToFileW: StartBuffers, ItemULong ---> C:\WINDOWS\ StartBuffers, ItemULong
URLDownloadToFileW: PointerSize, ItemULong ---> C:\WINDOWS\ PointerSize, ItemULong
URLDownloadToFileW: EventsLost, ItemULong ---> C:\WINDOWS\ EventsLost, ItemULong
Behavior description: Connects to specified site
details:InternetConnectA: ServerName = ww****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x84000002
InternetConnectA: ServerName = ww****cn, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x84000002
Behavior description: Opens HTTP connection
details:InternetOpenA: UserAgent: QQ, hSession = 0x00cc0004
Behavior description: Establishes connection to a specified socket
details:URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x00000340
URL: ww****cn, IP: **.133.40.**:80, SOCKET = 0x00000354
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x00000398
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x000003c4
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x00000414
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x00000170
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x00000400
Behavior description: Reads network file
details:hFile = 0x00cc000c, BytesToRead =1024, BytesRead = 1024.
Behavior description: Sends HTTP packet
details:GET / HTTP/1.1 User-Agent: QQ Host: ww****om Cache-Control: no-cache
GET /66/up.txt HTTP/1.1 User-Agent: QQ Host: ww****cn Cache-Control: no-cache
Behavior description: Opens HTTP request
details:HttpOpenRequestA: ww****cn:80/66/up.txt, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000002
Behavior description: Resolves host address by name
details:GetAddrInfoW: ww****om
GetAddrInfoW: ww****cn
Registry behavior
Behavior description: Deletes registry key
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\
Behavior description: Modifies registry
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Behavior description: Modifies registry_folder key attributes
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
Behavior description: Deletes registry value
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\DWFileTreeRoot
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavTask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KvMonXP
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YLive.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yassistse
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Behavior description: Modifies registry_startup entries
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\svcshare
Other behavior
Behavior description: Creates mutex
details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
RasPbFile
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Local\c:!documents and settings!administrator!ietldcache!
Behavior description: Creates event object
details:EventName = Global\userenv: User Profile setup event
EventName = DINPUTWINMM
Behavior description: Deletes service
details:[DeleteService] ServiceStartName: LocalSystem, DisplayName: Security Center, BinaryPathName: C:\WINDOWS\System32\svchost.exe -k netsvcs
Behavior description: MD5 of modified executable files
details:C:\222c25ed\IE8-Setup-Full\installservices.exe ---> 3297c7cd93d29d8fa19a3d0b2ded0b35
C:\install.exe ---> a94d890142b98972738e9820a1081312
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe ---> 0fd0719cb524ac6d475e821af540db99
C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe ---> 6a8a0c9c94cda36174d3037ecc5711fb
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe ---> acfafb10c5c9d7413900dd72e2edce76
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe ---> 9572b6c6f86bffbe562f69ecc4fa434d
C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe ---> c55c21cd788b8df171b13e139c4740e9
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe ---> 8a535d83540d4c14491dcd5cc5fba5e3
C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe ---> 80770826267eb225acccf86e647de1c5
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe ---> 3568972eaa68e8c9cf5ae50373821b42
C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe ---> c3d1ab9f081d9fd9e36475e73afeca0a
C:\Program Files\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe ---> f130a4d9ecde0702eea3fe8be76e04ca
C:\Program Files\e\e.exe ---> c6c30c8f32e7ad8f1cd50a531c66baf2
C:\Program Files\e\sdk\cpp\tools\guidgen.exe ---> aff14b942562106bb56402726baf030e
Behavior description: Gets TickCount value
details:TickCount = 217251, SleepMilliseconds = 1.
TickCount = 218282, SleepMilliseconds = 1.
TickCount = 218297, SleepMilliseconds = 1.
TickCount = 219285, SleepMilliseconds = 20.
TickCount = 220301, SleepMilliseconds = 20.
TickCount = 221301, SleepMilliseconds = 20.
TickCount = 222282, SleepMilliseconds = 1.
TickCount = 223270, SleepMilliseconds = 20.
TickCount = 223348, SleepMilliseconds = 20.
TickCount = 223363, SleepMilliseconds = 20.
TickCount = 223360, SleepMilliseconds = 1.
TickCount = 223376, SleepMilliseconds = 1.
TickCount = 223391, SleepMilliseconds = 1.
TickCount = 223426, SleepMilliseconds = 20.
TickCount = 223441, SleepMilliseconds = 20.
Behavior description: Adjusts process token privileges
details:SE_DEBUG_PRIVILEGE
Behavior description: Opens event
details:HookSwitchHookEnabledEvent
Global\SvcctrlStartEvent_A3752DX
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
\INSTALLATION_SECURITY_HOLD
Behavior description: Signature information of modified executable files
details:C:\222c25ed\IE8-Setup-Full\installservices.exe (signature verification: failed)
C:\install.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe (signature verification: failed)
C:\Program Files\e\e.exe (signature verification: failed)
C:\Program Files\e\sdk\cpp\tools\guidgen.exe (signature verification: failed)
Behavior description: Executable file signature information
details:C:\WINDOWS\system32\drivers\spo0lsv.exe (signature verification: failed)
C:\222c25ed\IE8-Setup-Full\installservices.exe (signature verification: failed)
C:\install.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe (signature verification: failed)
C:\DiskX\setup.exe (signature verification: failed)
C:\DiskD\setup.exe (signature verification: failed)
C:\setup.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe (signature verification: failed)
C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe (signature verification: failed)
Behavior description: Calls Sleep function
details:[1]: MilliSeconds = 1.
[1]: MilliSeconds = 20.
[2]: MilliSeconds = 20.
[3]: MilliSeconds = 20.
[4]: MilliSeconds = 20.
[5]: MilliSeconds = 1.
[6]: MilliSeconds = 1.
[7]: MilliSeconds = 20.
[8]: MilliSeconds = 20.
[9]: MilliSeconds = 20.
[10]: MilliSeconds = 20.
Behavior description: Stops system service
details:ServiceName = Task Scheduler
ServiceName = Windows Firewall/Internet Connection Sharing (ICS)
ServiceName = Security Center
Behavior description: Executable file MD5
details:C:\WINDOWS\system32\drivers\spo0lsv.exe ---> 1e3f9fabca77ca6974de76676a380e56
C:\222c25ed\IE8-Setup-Full\installservices.exe ---> 1e3f9fabca77ca6974de76676a380e56
C:\install.exe ---> 1e3f9fabca77ca6974de76676a380e56
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe ---> 1e3f9fabca77ca6974de76676a380e56
C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe ---> 1e3f9fabca77ca6974de76676a380e56
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe ---> 1e3f9fabca77ca6974de76676a380e56
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe ---> 1e3f9fabca77ca6974de76676a380e56
C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe ---> 1e3f9fabca77ca6974de76676a380e56
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe ---> 1e3f9fabca77ca6974de76676a380e56
C:\DiskX\setup.exe ---> 1e3f9fabca77ca6974de76676a380e56
C:\DiskD\setup.exe ---> 1e3f9fabca77ca6974de76676a380e56
C:\setup.exe ---> 1e3f9fabca77ca6974de76676a380e56
C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe ---> 1e3f9fabca77ca6974de76676a380e56
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe ---> 1e3f9fabca77ca6974de76676a380e56
C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe ---> 1e3f9fabca77ca6974de76676a380e56
Behavior description: Opens mutex
details:ShimCacheMutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
Local\!IETld!Mutex
Local\c:!documents and settings!administrator!ietldcache!
Behavior description: Finds specified window
details:NtUserFindWindowEx: [Class,Window] = [,]
NtUserFindWindowEx: [Class,Window] = [msctls_statusbar32,]