VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives whose password is 'infected' or 'virus'.
4. If your browser cannot upload files, please download the VirSCAN uploader and use it to upload.

File information

Virscan.org multi-engine scan report
Behavior analysis report: Habo file analysis

Basic Information

MD5: 510f0b949854300af2e35e9972dadbc6
File size: 5.58 MB
Upload time: 2014-09-22 10:36:30 (CST)
Package names:
Minimum operating environment:
Copyright:

Key behavior

Behavior description: Modify registry
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1KEY GHOST\DisplayName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1KEY GHOST\NoModify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1KEY GHOST\NoRepair
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1KEY GHOST\UninstallString
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1KEY GHOST\Publisher
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1KEY GHOST\URLInfoAbout
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1KEY GHOST\HelpLink
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1KEY GHOST\Contact
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1KEY GHOST\DisplayVersion
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1KEY GHOST\InstallLocation
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1KEY GHOST\DisplayIcon
Behavior description: Create desktop shortcut
details: C:\Documents and Settings\Administrator\桌面\一键GHOST.lnk

Process behavior

Behavior description: Create process
details: ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dh_sys2.bat
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c ren c:\dosh\ghos\ds dsptw.exe
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c ren c:\dosh\ghos\fi fi.exe
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c ren c:\dosh\ghos\fr fr.exe
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c c:\dosh\ghos\dsptw 1 /find:all /GhostStyle /y >c:\dosh\ghos\ds_all.txt
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c c:\dosh\ghos\dsptw 1 /find:all /GhostStyle /y >c:\dosh\ghos\ds_all0.txt
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c c:\dosh\ghos\dsptw 2 /find:all /GhostStyle /y >c:\dosh\ghos\ds_all2.txt
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c c:\dosh\ghos\dsptw 3 /find:all /GhostStyle /y >c:\dosh\ghos\ds_all3.txt
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c c:\dosh\ghos\dsptw 4 /find:all /GhostStyle /y >c:\dosh\ghos\ds_all4.txt
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c type c:\dosh\ghos\ds_all2.txt>>c:\dosh\ghos\ds_all0.txt
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c type c:\dosh\ghos\ds_all3.txt>>c:\dosh\ghos\ds_all0.txt
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c ver|find " 6." >nul&&ren c:\dosh\ghos\nt vt
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /S /D /c" ver"
ImagePath = C:\WINDOWS\system32\find.exe, CmdLine = find " 6."
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c ver|find " 10." >nul&&ren c:\dosh\ghos\nt vt
Behavior description: Create process from newly written file
details: ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1738090 "__IRAFN:C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1455874533.727019.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\win_lan.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\win_lan.exe" 1
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\win_lan.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\win_lan.exe" 2
ImagePath = c:\dosh\ghos\ghost32.exe, CmdLine = c:\dosh\ghos\ghost32.exe -dd
ImagePath = c:\dosh\ghos\dsptw.exe, CmdLine = c:\dosh\ghos\dsptw 1 /find:all /GhostStyle /y
ImagePath = c:\dosh\ghos\dsptw.exe, CmdLine = c:\dosh\ghos\dsptw 2 /find:all /GhostStyle /y
ImagePath = c:\dosh\ghos\dsptw.exe, CmdLine = c:\dosh\ghos\dsptw 3 /find:all /GhostStyle /y
ImagePath = c:\dosh\ghos\dsptw.exe, CmdLine = c:\dosh\ghos\dsptw 4 /find:all /GhostStyle /y
Behavior description: Process exit
details: N/A
Behavior description: Enumerate processes
details: N/A
Behavior description: Create local thread
details: N/A
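The process-creation entries above are easier to read as a staging chain than line by line: the installer writes files without an extension (ds, fi, fr, nt), uses cmd.exe /c ren to give them executable names, then runs the result (dsptw.exe), and gates one rename on ver|find " 6." / " 10." (the kernel version in the ver banner: 6.x is Vista through 8.1, 10.x is Windows 10). The following Python is an example added by the editor, not code from VirSCAN, Habo or the 一键GHOST installer; it parses a subset of the report's own lines, embedded inline, and links every rename to an execution of the renamed path. The only assumption beyond the report is cmd.exe's own rule that ren's destination is a bare name resolved in the source file's directory.

```python
"""Rebuild the drop -> rename -> execute chain from sandbox 'Create process' lines.

Editor-added example; not code from VirSCAN, Habo or the 一键GHOST installer.
"""
import ntpath
import re

# Subset of the report's 'Create process' entries, copied verbatim (constructed list).
PROCESS_LINES = [
    r"ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dh_sys2.bat",
    r"ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c ren c:\dosh\ghos\ds dsptw.exe",
    r"ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c ren c:\dosh\ghos\fi fi.exe",
    r"ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c ren c:\dosh\ghos\fr fr.exe",
    r'ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c ver|find " 6." >nul&&ren c:\dosh\ghos\nt vt',
    r'ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c ver|find " 10." >nul&&ren c:\dosh\ghos\nt vt',
    r"ImagePath = c:\dosh\ghos\ghost32.exe, CmdLine = c:\dosh\ghos\ghost32.exe -dd",
    r"ImagePath = c:\dosh\ghos\dsptw.exe, CmdLine = c:\dosh\ghos\dsptw 1 /find:all /GhostStyle /y",
]

LINE_RE = re.compile(r"^ImagePath = (?P<image>.+?), CmdLine = (?P<cmd>.*)$")
# cmd.exe's ren: the destination is a bare name, always resolved in the source's directory.
REN_RE = re.compile(r"\bren\s+(?P<src>\S+)\s+(?P<dst>\S+)", re.IGNORECASE)
# 'ver|find " 6."' style OS-version gate; captures the version prefix being tested.
VER_RE = re.compile(r'\bver\s*\|\s*find\s+"(?P<ver>[^"]*)"', re.IGNORECASE)


def parse_lines(lines):
    """Yield (image_path, command_line); lines of another shape are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("image"), m.group("cmd")


def rename_targets(cmd):
    """Every (src, dst) pair from 'ren src name' in a command line, dst made absolute."""
    pairs = []
    for m in REN_RE.finditer(cmd):
        src = m.group("src")
        pairs.append((src, ntpath.join(ntpath.dirname(src), m.group("dst"))))
    return pairs


def analyse(lines):
    """Link each rename to an execution of the renamed path and record OS-version gates."""
    records = list(parse_lines(lines))
    executed = {image.lower() for image, _ in records}
    renames, executed_after_rename, version_gated = [], [], []
    for _, cmd in records:
        gate = VER_RE.search(cmd)
        for src, dst in rename_targets(cmd):
            renames.append((src, dst))
            if dst.lower() in executed:
                executed_after_rename.append(dst)
            if gate:
                version_gated.append((gate.group("ver").strip(), dst))
    return {
        "renames": renames,
        "executed_after_rename": executed_after_rename,
        "version_gated": version_gated,
    }


if __name__ == "__main__":
    for key, value in analyse(PROCESS_LINES).items():
        print(key, value)
```

On the report's lines this yields five renames, one of which (c:\dosh\ghos\dsptw.exe) is then executed, and two version-gated renames of the same extensionless file nt to vt, one for kernel 6.x and one for 10.x. Dropping payloads without an extension and renaming them just before use is a common way to get past scanners that key on file extensions at write time, so the rename-then-execute pairs are the lines to pull out of a report like this first.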

File behavior

Behavior description: Create file
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\lua5.1.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.dat
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\IRIMG1.BMP
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\IRIMG1.JPG
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\win_lan.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\win_lan
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\bcdedit
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\krnln.fnr
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\eAPI.fne
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\shell.fne
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\shellEx.fne
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\msvcr71.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\msvcp71.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\xc
Behavior description: Drop links or shortcuts in sensitive system locations (e.g. the Start Menu)
details: C:\Documents and Settings\Administrator\「开始」菜单\程序\一键GHOST\一键GHOST.lnk
C:\Documents and Settings\Administrator\「开始」菜单\程序\一键GHOST\帮助文件.lnk
C:\Documents and Settings\Administrator\「开始」菜单\程序\一键GHOST\GhostExp.lnk
C:\Documents and Settings\Administrator\「开始」菜单\程序\一键GHOST\DOS之家.lnk
C:\Documents and Settings\Administrator\「开始」菜单\程序\一键GHOST\Ghost32.lnk
C:\Documents and Settings\Administrator\「开始」菜单\程序\一键GHOST\个人文件转移工具.lnk
C:\Documents and Settings\Administrator\「开始」菜单\程序\一键GHOST\卸载 一键GHOST.lnk
Behavior description: Create executable file
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\lua5.1.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\win_lan.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\bcdedit
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\krnln.fnr
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\eAPI.fne
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\shell.fne
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\shellEx.fne
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\msvcr71.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\msvcp71.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\xc
C:\dosh\ghos\uninstall.exe
C:\dosh\ghos\lua5.1.dll
C:\dosh\ghos\gho_run.exe
C:\dosh\ghos\md5
Behavior description: Overwrite existing file
details: C:\dosh\ghos\uninstall.dat
C:\dosh\ghos\uninstall.xml
Behavior description: Copy file
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\IRIMG1.BMP ---> c:\dosh\ghos\IRIMG1.BMP
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\IRIMG1.JPG ---> c:\dosh\ghos\IRIMG1.JPG
Behavior description: Create desktop shortcut
details: C:\Documents and Settings\Administrator\桌面\一键GHOST.lnk
Behavior description: Delete file
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.dat
C:\dosh\ghos\uni4.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\GHSTSTAT.TXT
Behavior description: Find file
details: FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\My Documents
FileName = C:\Documents and Settings\All Users
FileName = C:\Documents and Settings\All Users\Documents
FileName = C:\Documents and Settings\Administrator\桌面
FileName = C:\Documents and Settings\All Users\桌面
FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.exe
FileName = C:\Documents and Settings\Administrator\Application Data
FileName = C:\Documents and Settings\All Users\Application Data
FileName = C:\WINDOWS
Behavior description: Modify BAT script file
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dh_sys2.bat
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dh_spt01.bat
Behavior description: Rename file
details: C:\dosh\ghos\ds ---> C:\dosh\ghos\dsptw.exe
C:\dosh\ghos\fi ---> C:\dosh\ghos\fi.exe
C:\dosh\ghos\fr ---> C:\dosh\ghos\fr.exe
C:\dosh\ghos\GHSTSTA.TXT ---> C:\dosh\ghos\GHSTSTAT.TXT
Behavior description: Modify file contents
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.dat---> Offset = 131072
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\IRIMG1.BMP---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\IRIMG1.JPG---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\win_lan---> Offset = 0
C:\dosh\ghos\uni4.tmp---> Offset = 24576
C:\dosh\ghos\uninstall.dat---> Offset = 0
C:\dosh\ghos\uninstall.dat---> Offset = 65536
C:\dosh\ghos\uninstall.xml---> Offset = 0
C:\dosh\ghos\menu.lst---> Offset = 0
C:\dosh\ghos\memdisk---> Offset = 0
C:\dosh\ghos\ghost.img---> Offset = 126322
C:\dosh\ghos\gho_pass.txt---> Offset = 0
C:\dosh\ghos\help.chm---> Offset = 37788
C:\dosh\ghos\gho_run---> Offset = 0
C:\dosh\ghos\1KG_rd---> Offset = 0

Registry behavior

Behavior description: Modify registry
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1KEY GHOST\DisplayName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1KEY GHOST\NoModify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1KEY GHOST\NoRepair
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1KEY GHOST\UninstallString
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1KEY GHOST\Publisher
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1KEY GHOST\URLInfoAbout
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1KEY GHOST\HelpLink
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1KEY GHOST\Contact
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1KEY GHOST\DisplayVersion
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1KEY GHOST\InstallLocation
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\1KEY GHOST\DisplayIcon

Other behavior

Behavior description: Create mutex
details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
oleacc-msaa-loaded
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.IFI
SHIMLIB_LOG_MUTEX
Behavior description: Create event object
details: EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceive.Event.IFI.IC
EventName = MSCTF.SendReceiveConection.Event.IFI.IC
Behavior description: Read/write hard disk via SCSI commands
details: LBA = 0x2400 SCSIOP = 0x12
LBA = 0x0 SCSIOP = 0x0
LBA = 0x3E00 SCSIOP = 0x12
LBA = 0x2A000000 SCSIOP = 0x5A
LBA = 0x2A0000 SCSIOP = 0x46
LBA = 0x2F0000 SCSIOP = 0x46
Behavior description: Acquire system privilege
details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Window information
details: Pid = 2132, Hwnd=0x160142, Text = Help(&H), ClassName = Button.
Pid = 2132, Hwnd=0x602bc, Text = Next(&N) >, ClassName = Button.
Pid = 2132, Hwnd=0x302d4, Text = Cancel(&C), ClassName = Button.
Pid = 2132, Hwnd=0x150134, Text = 一键GHOST installer, ClassName = Afx:00400000:3:00010011:01900015:000102F5.
Pid = 2132, Hwnd=0x170142, Text = Next(&N) >, ClassName = Button.
Pid = 2132, Hwnd=0x4015a, Text = Cancel(&C), ClassName = Button.
Pid = 2132, Hwnd=0x402d4, Text = License agreement: * This software uses ghost.exe, ghost32.exe and ghostexp.exe; copyright belongs to Symantec Corporation. * This software is freeware; without permission it must not be used for comm…, ClassName = Edit.
Pid = 2132, Hwnd=0x702bc, Text = I accept the terms of the license agreement, ClassName = Button.
Pid = 2132, Hwnd=0x402dc, Text = I do not accept the terms of the license agreement, ClassName = Button.
Pid = 2132, Hwnd=0x502d6, Text = Help(&H), ClassName = Button.
Pid = 2132, Hwnd=0x202d8, Text = < Back(&B), ClassName = Button.
Pid = 2132, Hwnd=0x180142, Text = Next(&N) >, ClassName = Button.
Pid = 2132, Hwnd=0x5015a, Text = Cancel(&C), ClassName = Button.
Pid = 2132, Hwnd=0x302d8, Text = Normal mode (most wait times set to 10 seconds, timeout=5, for intermediate and advanced users), ClassName = Button.
Pid = 2132, Hwnd=0x602d6, Text = Fast mode (all wait times set to 1 second, timeout=1, for beginners), ClassName = Button.
Behavior description: Direct physical device access
details: \??\PhysicalDrive0
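The SCSI entry and the \??\PhysicalDrive0 entry above record raw I/O against the disk below the filesystem, which needs administrative rights and is how an imaging tool like Ghost works. Whether that I/O is reconnaissance or destruction depends on the opcode, and the report's SCSIOP column decodes cleanly as the CDB opcode byte (an assumption about Habo's output format, but every value lines up with a standard opcode): 0x12 INQUIRY, 0x00 TEST UNIT READY, 0x5A MODE SENSE(10) and 0x46 GET CONFIGURATION are identification and status queries, and no WRITE opcode (0x0A, 0x2A, 0xAA, 0x8A) appears. That is consistent with the ghost32.exe -dd run logged earlier, since Symantec documents -dd as dumping disk metrics to GHSTSTAT.TXT, a file the report shows being renamed and deleted. The Python below is an editor-added example, not part of the report; it decodes the six logged commands and treats the LBA column as meaningful only for READ/WRITE opcodes, because for the other commands those CDB bytes are not an address (also an assumption about how the column is filled).

```python
"""Decode the opcode column of a sandbox's SCSI command log.

Editor-added example; not part of the VirSCAN/Habo report.
"""
import re
from collections import Counter

# The six lines from the report's SCSI entry (constructed list, copied verbatim).
SCSI_LINES = [
    "LBA = 0x2400 SCSIOP = 0x12",
    "LBA = 0x0 SCSIOP = 0x0",
    "LBA = 0x3E00 SCSIOP = 0x12",
    "LBA = 0x2A000000 SCSIOP = 0x5A",
    "LBA = 0x2A0000 SCSIOP = 0x46",
    "LBA = 0x2F0000 SCSIOP = 0x46",
]

# Opcode byte -> (name, class).  Values from the SPC/SBC/MMC command sets;
# only the opcodes seen in the report plus the common READ/WRITE variants.
SCSI_OPCODES = {
    0x00: ("TEST UNIT READY", "status"),
    0x08: ("READ(6)", "read"),
    0x0A: ("WRITE(6)", "write"),
    0x12: ("INQUIRY", "identify"),
    0x1A: ("MODE SENSE(6)", "identify"),
    0x25: ("READ CAPACITY(10)", "identify"),
    0x28: ("READ(10)", "read"),
    0x2A: ("WRITE(10)", "write"),
    0x46: ("GET CONFIGURATION", "identify"),
    0x5A: ("MODE SENSE(10)", "identify"),
    0x88: ("READ(16)", "read"),
    0x8A: ("WRITE(16)", "write"),
    0xA8: ("READ(12)", "read"),
    0xAA: ("WRITE(12)", "write"),
}

LINE_RE = re.compile(r"LBA\s*=\s*(?P<lba>0x[0-9A-Fa-f]+)\s+SCSIOP\s*=\s*(?P<op>0x[0-9A-Fa-f]+)")


def decode_opcode(op):
    """Name and class for an opcode byte; unknown opcodes are reported, never guessed."""
    return SCSI_OPCODES.get(op, ("UNKNOWN 0x%02X" % op, "unknown"))


def decode(lines):
    """Parse 'LBA = ... SCSIOP = ...' lines.  The LBA value is kept only for
    read/write opcodes: for INQUIRY, MODE SENSE and the like the same CDB bytes
    carry page codes or allocation lengths, not an address (assumption about the
    sandbox's column), so reporting them as an LBA would mislead."""
    commands = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        op = int(m.group("op"), 16)
        name, cls = decode_opcode(op)
        lba = int(m.group("lba"), 16) if cls in ("read", "write") else None
        commands.append({"opcode": op, "name": name, "class": cls, "lba": lba})
    return commands


def summarise(lines):
    """Count command classes and single out writes and anything unrecognised."""
    commands = decode(lines)
    return {
        "classes": Counter(c["class"] for c in commands),
        "writes": [c for c in commands if c["class"] == "write"],
        "unknown": [c for c in commands if c["class"] == "unknown"],
        "commands": commands,
    }


if __name__ == "__main__":
    summary = summarise(SCSI_LINES)
    for c in summary["commands"]:
        print("0x%02X %-18s %s" % (c["opcode"], c["name"], c["class"]))
    print(dict(summary["classes"]))
```

For the report's six lines the summary is five identify commands and one status command, with no writes and no unknown opcodes. A WRITE opcode against \??\PhysicalDrive0 from an installer would be the line to escalate on; its absence here is what you would expect from a disk-metrics dump.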
Behavior description: Executable signature information
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.exe (signature verification: failed)
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\lua5.1.dll (signature verification: passed)
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\win_lan.exe (signature verification: failed)
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\bcdedit (signature verification: failed)
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\krnln.fnr (signature verification: failed)
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\eAPI.fne (signature verification: failed)
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\shell.fne (signature verification: failed)
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\shellEx.fne (signature verification: failed)
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\msvcr71.dll (signature verification: failed)
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\msvcp71.dll (signature verification: failed)
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\xc (signature verification: failed)
C:\dosh\ghos\uninstall.exe (signature verification: failed)
C:\dosh\ghos\lua5.1.dll (signature verification: passed)
C:\dosh\ghos\gho_run.exe (signature verification: failed)
C:\dosh\ghos\md5 (signature verification: failed)
Behavior description: Hide specified window
details: [Window,Class] = [Initializing...,#32770]
[Window,Class] = [Debug,#32770]
[Window,Class] = [Help(&H),Button]
[Window,Class] = [,Button]
[Window,Class] = [Next(&N) >,Button]
[Window,Class] = [Cancel(&C),Button]
[Window,Class] = [License agreement: * This software uses ghost.exe, ghost32.exe and ghostexp.exe; copyright belongs to Symantec Corporation. * This software is freeware; commercial use without permission is prohibited. * This software carries some risk; beginners should use it with caution. * This…
[Window,Class] = [I accept the terms of the license agreement,Button]
[Window,Class] = [I do not accept the terms of the license agreement,Button]
[Window,Class] = [< Back(&B),Button]
[Window,Class] = [Normal mode (most wait times set to 10 seconds, timeout=5, for intermediate and advanced users),Button]
[Window,Class] = [Fast mode (all wait times set to 1 second, timeout=1, for beginners),Button]
[Window,Class] = [一键GHOST installer,Afx:00400000:3:00010011:01900015:000102F5]
[Window,Class] = [,msctls_progress32]
[Window,Class] = [一键GHOST Setup,Afx:00400000:3:00010011:00000006:000102F5]
Behavior description: Executable MD5
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.exe ---> 3a4c547012fba01e353e14eb9b8bf156
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\lua5.1.dll ---> 57ff4c85c5855ba67aacb0a3ea4108e3
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\win_lan.exe ---> 78796e3276c8c400c8f01d32a85746f5
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\bcdedit ---> 780836bb63852990382df27de7fefd20
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\krnln.fnr ---> 44e2ca67c060fbe3dc0d030149f5a478
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\eAPI.fne ---> 8a8dfdd6ef9f17e5caba3d2fd9995805
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\shell.fne ---> 98174c8c2995000efbda01e1b86a1d4d
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\shellEx.fne ---> cbe7b9dbe063b6f94b1b53e936f6c0a4
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\msvcr71.dll ---> 86f1895ae8c5e8b17d99ece768a70732
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\msvcp71.dll ---> 561fa2abb31dfa8fab762145f81667c2
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\xc ---> 98f2272a7d1ba8e3155fbea167bcc613
C:\dosh\ghos\uninstall.exe ---> 3a4c547012fba01e353e14eb9b8bf156
C:\dosh\ghos\lua5.1.dll ---> 57ff4c85c5855ba67aacb0a3ea4108e3
C:\dosh\ghos\gho_run.exe ---> fd7369e1e1eba5126d83a3702cb4cfe7
C:\dosh\ghos\md5 ---> 8b255bc20606c097b62ab9ff48a3db78
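The signature list and the MD5 list above say more cross-referenced than read separately. A failed verification means the file carries no valid Authenticode signature, which is the norm for small freeware installers and is not evidence of tampering on its own; identical hashes in two places, on the other hand, are concrete: C:\dosh\ghos\uninstall.exe is a byte-for-byte copy of irsetup.exe (the Indigo Rose Setup Factory runtime, recognisable from the __IR* command-line arguments and irsetup.dat, which Setup Factory also installs as the uninstaller), and lua5.1.dll, the one module that passes, is copied unchanged into the install directory. The krnln.fnr and *.fne files are Easy Programming Language (易语言) runtime support libraries, which are routinely unsigned. The Python below is an editor-added example, not part of the VirSCAN/Habo report; it parses a subset of the report's two lists (embedded inline, transcribed with English verdict strings) and returns the unsigned set, the duplicate-hash groups and the distinct hashes of unsigned files to pivot on in other telemetry.

```python
"""Cross-reference a sandbox report's signature verdicts with its MD5 list.

Editor-added example; not part of the VirSCAN/Habo report.
"""
import re
from collections import defaultdict

# Subset of the report's two lists, transcribed with English verdict strings (constructed).
SIGNATURE_LINES = [
    r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.exe (signature verification: failed)",
    r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\lua5.1.dll (signature verification: passed)",
    r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\win_lan.exe (signature verification: failed)",
    r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\bcdedit (signature verification: failed)",
    r"C:\dosh\ghos\uninstall.exe (signature verification: failed)",
    r"C:\dosh\ghos\lua5.1.dll (signature verification: passed)",
    r"C:\dosh\ghos\gho_run.exe (signature verification: failed)",
    r"C:\dosh\ghos\md5 (signature verification: failed)",
]
MD5_LINES = [
    r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.exe ---> 3a4c547012fba01e353e14eb9b8bf156",
    r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\lua5.1.dll ---> 57ff4c85c5855ba67aacb0a3ea4108e3",
    r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\win_lan.exe ---> 78796e3276c8c400c8f01d32a85746f5",
    r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\bcdedit ---> 780836bb63852990382df27de7fefd20",
    r"C:\dosh\ghos\uninstall.exe ---> 3a4c547012fba01e353e14eb9b8bf156",
    r"C:\dosh\ghos\lua5.1.dll ---> 57ff4c85c5855ba67aacb0a3ea4108e3",
    r"C:\dosh\ghos\gho_run.exe ---> fd7369e1e1eba5126d83a3702cb4cfe7",
    r"C:\dosh\ghos\md5 ---> 8b255bc20606c097b62ab9ff48a3db78",
]

SIG_RE = re.compile(r"^(?P<path>.+?)\s*\(signature verification: (?P<verdict>passed|failed)\)$")
MD5_RE = re.compile(r"^(?P<path>.+?)\s*--->\s*(?P<md5>[0-9a-fA-F]{32})$")


def parse_signatures(lines):
    """Map lower-cased path -> True if the sandbox's signature check (assumed
    to be an Authenticode verification) passed."""
    verdicts = {}
    for line in lines:
        m = SIG_RE.match(line.strip())
        if m:
            verdicts[m.group("path").lower()] = m.group("verdict") == "passed"
    return verdicts


def parse_md5s(lines):
    """Map lower-cased path -> MD5 hex digest."""
    digests = {}
    for line in lines:
        m = MD5_RE.match(line.strip())
        if m:
            digests[m.group("path").lower()] = m.group("md5").lower()
    return digests


def triage(sig_lines, md5_lines):
    """Unsigned files, duplicate-hash groups, and the distinct hashes of unsigned files."""
    signed = parse_signatures(sig_lines)
    digests = parse_md5s(md5_lines)
    by_hash = defaultdict(list)
    for path, md5 in digests.items():
        by_hash[md5].append(path)
    unsigned = sorted(path for path, ok in signed.items() if not ok)
    # Same digest under two paths: the installer copied a file, not built a new one.
    duplicates = {md5: sorted(paths) for md5, paths in by_hash.items() if len(paths) > 1}
    # Distinct hashes of unsigned binaries: the values to pivot on in EDR/AV telemetry.
    pivot_hashes = sorted({digests[p] for p in unsigned if p in digests})
    return {"unsigned": unsigned, "duplicates": duplicates, "pivot_hashes": pivot_hashes}


if __name__ == "__main__":
    result = triage(SIGNATURE_LINES, MD5_LINES)
    print("unsigned:", len(result["unsigned"]))
    for md5, paths in result["duplicates"].items():
        print(md5, "->", paths)
    print("pivot hashes:", result["pivot_hashes"])
```

On the subset above six of eight files are unsigned, two digests recur (3a4c547012fba01e353e14eb9b8bf156 for irsetup.exe and uninstall.exe, 57ff4c85c5855ba67aacb0a3ea4108e3 for both copies of lua5.1.dll), and the six unsigned files collapse to five distinct hashes. Running the same functions over the full sixteen-entry lists on the page is a matter of pasting the remaining lines into the two constants.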
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [MS_WINHELP,]
Behavior description: Load newly dropped file
details: Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\lua5.1.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\krnln.fnr.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_ir_sf_temp_0\shellEx.fne.