VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected compressed files that use the password 'infected' or 'virus'.


File information
Safety rating: 80
Behavior list
Basic Information
MD5: 209298bedb944459d4c9e72e8d6499e0
File type: EXE
Production company: Piriform Ltd
Version: 2.0.0.0 --- 2.0.0.0
Shell or compiler information: COMPILER:NSIS
Subfile information: CCleaner64.exe / big file / EXE
CCleaner.exe / big file / EXE
pfUI.dll / 4406a985e08f66b8921dce39fd3e7a2d / DLL
PF-Toolbar-2016.exe / 0f32452f14ff2cd57bea1b35efd6c839 / EXE
PF-Chrome-2016.exe / 5e4ea467333b37ca9ef4ae4f8df1ed22 / EXE
gcapi_dll.dll / 2973af8515effd0a3bfc7a43b03b3fcc / DLL
syschk.dll / 42fb0c5333071b1f4b04587b4e38353e / DLL
uninst.exe / eb0ffa9cc5ba6436edd9a2363a9cdf5e / EXE
pfWWW.dll / cb1d8d51abc47fcf036a8aac36c5f4aa / DLL
pfWWW.dll / 1bf8a77ace38e746320dc8d67b2e7236 / DLL
[NSIS].nsi / 87ae86f654c166c065197c80ad249653 / Unknown
PF_computer.png / 7f4f45c9393a0664d9d0725a2ff42c6b / Unknown
gtapi_signed.dll / 61bc40d1fad9e0faa9a07219b90ba0e4 / DLL
lang-1034.dll / 6cd7577a75af804a5b86ec45d5502ec3 / DLL
lang-1032.dll / 585acd1c5eefad7e5affa6fa27c84c4b / DLL
lang-1043.dll / 02b58822487ade004a1feda37ad02a37 / DLL
lang-1027.dll / 9e6b5e2685c9035fc35cc4261281d83f / DLL
lang-1036.dll / bf826da0ac5050c93e55c49ad0935948 / DLL
lang-1109.dll / 91c063a67c117c0bf547eef782b95cd0 / DLL
Key behavior
Behavior description: Create desktop shortcut
details:C:\Documents and Settings\All Users\桌面\CCleaner.lnk
Behavior description: Set special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012016081720160818
C:\Documents and Settings\Administrator\UserData
Behavior description: Get TickCount value
details:TickCount = 5371396, SleepMilliseconds = 100.
TickCount = 5371506, SleepMilliseconds = 100.
TickCount = 5371521, SleepMilliseconds = 100.
TickCount = 5371537, SleepMilliseconds = 100.
TickCount = 5371553, SleepMilliseconds = 100.
TickCount = 5371568, SleepMilliseconds = 100.
TickCount = 5371584, SleepMilliseconds = 100.
TickCount = 5371600, SleepMilliseconds = 100.
TickCount = 5371615, SleepMilliseconds = 100.
TickCount = 5371631, SleepMilliseconds = 100.
TickCount = 5371646, SleepMilliseconds = 100.
TickCount = 5371662, SleepMilliseconds = 100.
TickCount = 5371678, SleepMilliseconds = 100.
TickCount = 5371693, SleepMilliseconds = 100.
TickCount = 5371709, SleepMilliseconds = 100.
Process behavior
Behavior description: Create process with hidden window
details:ImagePath = , CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb4E.tmp\ns4F.tmp" ping -n 1 -w 1000 www.piriform.com
ImagePath = , CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb4E.tmp\ns50.tmp" ping -n 1 -w 5000 www.piriform.com
Behavior description: Create process
details:ImagePath = C:\WINDOWS\system32\ping.exe, CmdLine = ping -n 1 -w 1000 www.piriform.com
ImagePath = C:\WINDOWS\system32\ping.exe, CmdLine = ping -n 1 -w 5000 www.piriform.com
Behavior description: Create process from newly created file
details:ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb4E.tmp\ns4F.tmp, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb4E.tmp\ns4F.tmp" ping -n 1 -w 1000 www.piriform.com
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb4E.tmp\ns50.tmp, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb4E.tmp\ns50.tmp" ping -n 1 -w 5000 www.piriform.com
ImagePath = C:\Program Files\CCleaner\CCleaner.exe, CmdLine = "C:\Program Files\CCleaner\CCleaner.exe"
ImagePath = C:\Program Files\CCleaner\CCleaner.exe, CmdLine = "C:\Program Files\CCleaner\CCleaner.exe" /monitor
Behavior description: Enumerate processes
details:N/A
Behavior description: Create local thread
details:TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 3824, ThreadID = 4272, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 3824, ThreadID = 4708, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 3824, ThreadID = 4776, StartAddress = 6359727B, Parameter = 002232B0
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 3824, ThreadID = 4780, StartAddress = 6359727B, Parameter = 010F61A0
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 3824, ThreadID = 4000, StartAddress = 004052AC, Parameter = 000A039C
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 3824, ThreadID = 4544, StartAddress = 035C1D79, Parameter = 00020434
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 3824, ThreadID = 4304, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 3824, ThreadID = 4496, StartAddress = 7C930230, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 3824, ThreadID = 2252, StartAddress = 6302B849, Parameter = 031F3FD8
TargetProcess: CCleaner.exe, InheritedFromPID = 3824, ProcessID = 4668, ThreadID = 4180, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: CCleaner.exe, InheritedFromPID = 3824, ProcessID = 4668, ThreadID = 3904, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: CCleaner.exe, InheritedFromPID = 3824, ProcessID = 4668, ThreadID = 1760, StartAddress = 0061097D, Parameter = 01202FC8
TargetProcess: CCleaner.exe, InheritedFromPID = 3824, ProcessID = 4668, ThreadID = 2208, StartAddress = 004B8CFF, Parameter = 0120D6D8
TargetProcess: CCleaner.exe, InheritedFromPID = 3824, ProcessID = 4668, ThreadID = 4120, StartAddress = 004B8CFF, Parameter = 0120D6D8
TargetProcess: CCleaner.exe, InheritedFromPID = 3824, ProcessID = 4668, ThreadID = 3780, StartAddress = 004B8CFF, Parameter = 0235DFF8
File behavior
Behavior description: Create file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\nsw4C.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsh4D.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\System.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\UserInfo.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gtapi_signed.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gcapi_dll.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gtb\toolbar_1025.html
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gtb\toolbar_1026.html
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gtb\toolbar_1027.html
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gtb\toolbar_1028.html
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gtb\toolbar_1029.html
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gtb\toolbar_1030.html
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gtb\toolbar_1031.html
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gtb\toolbar_1032.html
Behavior description: Drop links or shortcuts in sensitive system locations (such as the Start Menu)
details:C:\Documents and Settings\All Users\「开始」菜单\程序\CCleaner\CCleaner.lnk
C:\Documents and Settings\All Users\「开始」菜单\程序\CCleaner\CCleaner Homepage.url
Behavior description: Create executable file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\System.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\UserInfo.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gtapi_signed.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gcapi_dll.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\pfWWW.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\p\pfWWW.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\p\syschk.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\nsExec.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\ns4F.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\ui\pfUI.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\ui\res\lang-1031.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\ui\res\lang-1041.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\ui\res\lang-1049.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\ui\res\lang-1053.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\ui\res\lang-1042.dll
Behavior description: Overwrite existing file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\nsh4D.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\ns4F.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\ns50.tmp
Behavior description: Copy file
details:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb4E.tmp\nsExec.dll ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb4E.tmp\ns4F.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb4E.tmp\nsExec.dll ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb4E.tmp\ns50.tmp
Behavior description: Create desktop shortcut
details:C:\Documents and Settings\All Users\桌面\CCleaner.lnk
Behavior description: Delete file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\nsw4C.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsh4D.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\wpad[1].dat
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\installcheck[1].aspx
C:\Documents and Settings\Administrator\Local Settings\Temp\CheckUpdate.log
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\ButtonEvent.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gcapi_dll.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gtapi_signed.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gtb\toolbar-screenshot.jpg
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gtb\toolbar_1025.html
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gtb\toolbar_1026.html
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gtb\toolbar_1027.html
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gtb\toolbar_1028.html
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gtb\toolbar_1029.html
Behavior description: Search for files
details:FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb4E.tmp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb4E.tmp\g
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb4E.tmp\p
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb4E.tmp\ns4F.tmp
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
Behavior description: Set special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012016081720160818
C:\Documents and Settings\Administrator\UserData
Behavior description: Modify file contents
details:C:\Documents and Settings\Administrator\Local Settings\Temp\nsh4D.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nsh4D.tmp ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\Temp\nsh4D.tmp ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\nsh4D.tmp ---> Offset = 98304
C:\Documents and Settings\Administrator\Local Settings\Temp\nsh4D.tmp ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\System.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\UserInfo.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gtapi_signed.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gtapi_signed.dll ---> Offset = 16384
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gtapi_signed.dll ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gtapi_signed.dll ---> Offset = 49152
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gtapi_signed.dll ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gcapi_dll.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gcapi_dll.dll ---> Offset = 16384
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gcapi_dll.dll ---> Offset = 32768
Network behavior
Behavior description: Open URL over the network
details:InternetOpenUrlA: http://**.133.40.**:128/wpad.dat, hInternet = 0x00cc0010, Flags = 0x00000010
InternetOpenUrlA: https://ww****om/go/app_cc_pro_trialkey, hInternet = 0x00cc0004, Flags = 0x80800000
InternetOpenUrlA: http://**.133.40.**:128/wpad.dat, hInternet = 0x00cc0008, Flags = 0x00000010
Behavior description: Download file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\CheckUpdate.log
Behavior description: Connect to specified site
details:InternetConnectA: ServerName = se****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
InternetConnectA: ServerName = **.133.40.**, PORT = 128, UserName = , Password = , hSession = 0x00cc0010, hConnect = 0x00cc0014, Flags = 0x00000010
InternetConnectA: ServerName = **.133.40.**, PORT = 128, UserName = , Password = , hSession = 0x00cc0008, hConnect = 0x00cc000c, Flags = 0x00000010
Behavior description: Open HTTP connection
details:InternetOpenA: UserAgent: NSIS, hSession = 0x00cc0004
InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0), hSession = 0x00cc0010
InternetOpenA: UserAgent: Mozilla/4.0 (CCleaner, 5.21.5700), hSession = 0x00cc0004
InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0), hSession = 0x00cc0008
Behavior description: Establish a connection to a specified socket
details:URL: wpad, IP: **.133.40.**:128, SOCKET = 0x0000038c
URL: se****om, IP: **.133.40.**:80, SOCKET = 0x00000384
URL: wpad, IP: **.133.40.**:128, SOCKET = 0x000003fc
Behavior description: Read network file
details:hFile = 0x00cc0018, BytesToRead =4010, BytesRead = 4010.
hFile = 0x00cc000c, BytesToRead =8192, BytesRead = 8192.
hFile = 0x00cc0010, BytesToRead =4010, BytesRead = 4010.
Behavior description: Send HTTP request
details:GET /wpad.dat HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0) Host: **.133.40.**:128
GET /installcheck.aspx?p=1&v=5.21.5700&vx=&l=1033&b=1&o=5.1W3&g=1&i=1&a=0&e=0&n=%temp%\****.exe&id=003 HTTP/1.1 User-Agent: NSIS Host: se****om Connection: Keep-Alive Cache-Control: no-cache
Behavior description: Open HTTP request
details:HttpOpenRequestA: se****om:80/installcheck.aspx?p=1&v=5.21.5700&vx=&l=1033&b=1&o=5.1w3&g=1&i=1&a=0&e=0&n=%temp%\****.exe&id=003, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x80400000
HttpOpenRequestA: **.133.40.**:128/wpad.dat, hConnect = 0x00cc0014, hRequest = 0x00cc0018, Verb: GET, Referer: , Flags = 0x00000010
HttpOpenRequestA: **.133.40.**:128/wpad.dat, hConnect = 0x00cc000c, hRequest = 0x00cc0010, Verb: GET, Referer: , Flags = 0x00000010
Behavior description: Resolve host address by name
details:GetAddrInfoW: ww****om
GetAddrInfoW: computer
GetAddrInfoW: wpad
GetAddrInfoW: se****om
Registry behavior
Behavior description: Modify registry
details:\REGISTRY\MACHINE\SOFTWARE\Google\Google Toolbar\test
\REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\996E\DEBUG\Trace Level
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Run CCleaner\command\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Open CCleaner...\command\
\REGISTRY\MACHINE\SOFTWARE\Piriform\CCleaner\UpdateCheck
\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\
\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\
\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\
\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ccleaner.exe\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ccleaner.exe\Path
\REGISTRY\MACHINE\SOFTWARE\Piriform\CCleaner\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CCleaner\DisplayName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CCleaner\UninstallString
Behavior description: Delete registry key
details:\REGISTRY\MACHINE\SOFTWARE\Google\Google Toolbar\
Behavior description: Modify registry (pending file rename operations)
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Session Manager\PendingFileRenameOperations
Behavior description: Modify registry (URL protocol association)
details:\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\URL Protocol
Behavior description: Delete registry value
details:\REGISTRY\MACHINE\SOFTWARE\Google\Google Toolbar\test
\REGISTRY\MACHINE\SOFTWARE\Google\No Toolbar Offer Until\Piriform Ltd
\REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\996E\DEBUG\Trace Level
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CCleaner\InstallDate
\REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\CCleaner\DEBUG\Trace Level
\REGISTRY\USER\S-*\Software\Piriform\CCleaner\AutoICS
\REGISTRY\USER\S-*\Software\Piriform\CCleaner\AutoUpdateNotificationExpiryTime
Other behavior
Behavior description: Get cursor position
details:CursorPos = (71,18468), SleepMilliseconds = 50.
CursorPos = (6364,26501), SleepMilliseconds = 50.
CursorPos = (19199,15725), SleepMilliseconds = 50.
CursorPos = (11508,29359), SleepMilliseconds = 50.
CursorPos = (26992,24465), SleepMilliseconds = 50.
CursorPos = (5735,28146), SleepMilliseconds = 50.
CursorPos = (23311,16828), SleepMilliseconds = 50.
CursorPos = (9991,492), SleepMilliseconds = 50.
CursorPos = (3025,11943), SleepMilliseconds = 50.
CursorPos = (4857,5437), SleepMilliseconds = 50.
CursorPos = (32421,14605), SleepMilliseconds = 50.
CursorPos = (3932,154), SleepMilliseconds = 50.
CursorPos = (322,12383), SleepMilliseconds = 50.
Behavior description: Create mutex
details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Local\!PrivacIE!SharedMemory!Mutex
MSCTF.Shared.MUTEX.EHM
RasPbFile
Piriform_CCleaner_PreventSecondInstance
Behavior description: Create event object
details:EventName = Global\userenv: User Profile setup event
EventName = DINPUTWINMM
EventName = Global\crypt32LogoffEvent
EventName = MSCTF.SendReceive.Event.EHM.IC
EventName = MSCTF.SendReceiveConection.Event.EHM.IC
Behavior description: Find specified window
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [OleMainThreadWndClass,]
NtUserFindWindowEx: [Class,Window] = [#32770,]
NtUserFindWindowEx: [Class,Window] = [PiriformRegistration,]
NtUserFindWindowEx: [Class,Window] = [#32770,Piriform CCleaner]
NtUserFindWindowEx: [Class,Window] = [ThunderRT6FormDC,CCleaner]
NtUserFindWindowEx: [Class,Window] = [PiriformCCleaner,]
NtUserFindWindowEx: [Class,Window] = [SysListView32,]
Behavior description: Window information
details:Pid = 3824, Hwnd=0x803ba, Text = Install, ClassName = Button.
Pid = 3824, Hwnd=0x403a2, Text = Customize, ClassName = Static.
Pid = 3824, Hwnd=0x1902ce, Text = English, ClassName = ComboBox.
Pid = 3824, Hwnd=0x7037c, Text = View license agreement, ClassName = Static.
Pid = 3824, Hwnd=0x1702d8, Text = View privacy policy, ClassName = Static.
Pid = 3824, Hwnd=0x9039c, Text = Cancel, ClassName = Button.
Pid = 3824, Hwnd=0x1d02bc, Text = CCleaner v5.21 Setup, ClassName = Static.
Pid = 3824, Hwnd=0x603ac, Text = By installing this product you agree to our license agreement and privacy policy., ClassName = Static.
Pid = 3824, Hwnd=0x10034c, Text = Install, ClassName = Button.
Pid = 3824, Hwnd=0x13033a, Text = Back, ClassName = Static.
Pid = 3824, Hwnd=0xe039e, Text = More, ClassName = Static.
Pid = 3824, Hwnd=0xb0398, Text = Add Desktop Shortcut, ClassName = Button.
Pid = 3824, Hwnd=0x110342, Text = Add Start Menu Shortcuts, ClassName = Button.
Pid = 3824, Hwnd=0x7038e, Text = Add "Run CCleaner" option to Recycle Bin context menu, ClassName = Button.
Pid = 3824, Hwnd=0x10032e, Text = Add "Open CCleaner..." option to Recycle Bin context menu, ClassName = Button.
Behavior description: Get TickCount value
details:TickCount = 5371396, SleepMilliseconds = 100.
TickCount = 5371506, SleepMilliseconds = 100.
TickCount = 5371521, SleepMilliseconds = 100.
TickCount = 5371537, SleepMilliseconds = 100.
TickCount = 5371553, SleepMilliseconds = 100.
TickCount = 5371568, SleepMilliseconds = 100.
TickCount = 5371584, SleepMilliseconds = 100.
TickCount = 5371600, SleepMilliseconds = 100.
TickCount = 5371615, SleepMilliseconds = 100.
TickCount = 5371631, SleepMilliseconds = 100.
TickCount = 5371646, SleepMilliseconds = 100.
TickCount = 5371662, SleepMilliseconds = 100.
TickCount = 5371678, SleepMilliseconds = 100.
TickCount = 5371693, SleepMilliseconds = 100.
TickCount = 5371709, SleepMilliseconds = 100.
Behavior description: Adjust process token privileges
details:SE_LOAD_DRIVER_PRIVILEGE
SE_RESTORE_PRIVILEGE
Behavior description: Open event
details:HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000041
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000041
MSCTF.SendReceiveConection.Event.ELH.IC
MSCTF.SendReceive.Event.ELH.IC
Global\crypt32LogoffEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000042
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000042
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000043
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000043
Global\SvcctrlStartEvent_A3752DX
\INSTALLATION_SECURITY_HOLD
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000044
Behavior description: Executable signature information
details:C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\System.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\UserInfo.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gtapi_signed.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gcapi_dll.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\pfWWW.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\p\pfWWW.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\p\syschk.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\nsExec.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\ns4F.tmp (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\ui\pfUI.dll (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\ui\res\lang-1031.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\ui\res\lang-1041.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\ui\res\lang-1049.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\ui\res\lang-1053.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\ui\res\lang-1042.dll (signature verification: failed)
Behavior description: Call Sleep function
details:[1]: MilliSeconds = 100.
[2]: MilliSeconds = 100.
[3]: MilliSeconds = 100.
[4]: MilliSeconds = 100.
[5]: MilliSeconds = 100.
[6]: MilliSeconds = 100.
[7]: MilliSeconds = 100.
[8]: MilliSeconds = 100.
[9]: MilliSeconds = 100.
[10]: MilliSeconds = 100.
Behavior description: Hide specified window
details:[Window,Class] = [,ComboLBox]
[Window,Class] = [,AtlAxWinLic100]
[Window,Class] = [Install Options,Static]
[Window,Class] = [Add Desktop Shortcut,Button]
[Window,Class] = [Add Start Menu Shortcuts,Button]
[Window,Class] = [Add "Run CCleaner" option to Recycle Bin context menu,Button]
[Window,Class] = [Add "Open CCleaner..." option to Recycle Bin context menu,Button]
[Window,Class] = [Automatically check for updates to CCleaner,Button]
[Window,Class] = [Install,Button]
[Window,Class] = [Back,Static]
[Window,Class] = [More,Static]
[Window,Class] = [Enable Intelligent Cookie Scan,Button]
[Window,Class] = [Choose Users,Static]
[Window,Class] = [C:\Program Files\CCleaner,Edit]
[Window,Class] = [Choose Install Location,Static]
Behavior description: Executable file MD5
details:C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\System.dll ---> 41a3c964232edd2d7d5edea53e8245cd
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\UserInfo.dll ---> c1f778a6d65178d34bde4206161a98e0
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gtapi_signed.dll ---> 61bc40d1fad9e0faa9a07219b90ba0e4
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\gcapi_dll.dll ---> 2973af8515effd0a3bfc7a43b03b3fcc
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\g\pfWWW.dll ---> 1bf8a77ace38e746320dc8d67b2e7236
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\p\pfWWW.dll ---> cb1d8d51abc47fcf036a8aac36c5f4aa
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\p\syschk.dll ---> 42fb0c5333071b1f4b04587b4e38353e
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\nsExec.dll ---> 5ed60250f74fa36a5a247a715bcd026e
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\ns4F.tmp ---> 5ed60250f74fa36a5a247a715bcd026e
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\ui\pfUI.dll ---> 4406a985e08f66b8921dce39fd3e7a2d
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\ui\res\lang-1031.dll ---> 0e3d62552e9528c3ec7e23aee8f7d411
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\ui\res\lang-1041.dll ---> d24c64f3d6529a44e8ed818e6efd04e6
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\ui\res\lang-1049.dll ---> 11b3da0ff6708b25b0395ac6b605c50a
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\ui\res\lang-1053.dll ---> 459213c8d62c8204cfd9cd028d1ee829
C:\Documents and Settings\Administrator\Local Settings\Temp\nsb4E.tmp\ui\res\lang-1042.dll ---> f545ad78ff071be57919869e332887d6
Behavior description: Open mutex
details:ShimCacheMutex
Local\WininetStartupMutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
Local\!IETld!Mutex
CtfmonInstMutexDefaultS-*
_!SHMSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!history!history.ie5!mshist012016081720160818!
RasPbFile
Local\c:!documents and settings!administrator!userdata!
Behavior description: Read/write disk using SCSI commands
details:N/A
Behavior description: Load newly dropped file
details:Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb4E.tmp\System.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb4E.tmp\UserInfo.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb4E.tmp\g\gtapi_signed.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb4E.tmp\g\gcapi_dll.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb4E.tmp\nsExec.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb4E.tmp\ui\pfUI.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb4E.tmp\nsDialogs.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb4E.tmp\ButtonEvent.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb4E.tmp\nsProcess.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsb4E.tmp\inetc.dll.
Run screenshot