VirSCAN

1. You can upload any file, but there is a 20Mb limit per file.
2. VirSCAN supports Rar/Zip decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected compressed files if the password is 'infected' or 'virus'.


File information
Safety rating: 75
Behavior list
Basic Information
MD5: 6c71ec0736ddd38225efab1991df0b4c
File type: Rar
Production company:
Version:
Shell or compiler information: COMPILER: Microsoft Visual C++ 6.0 DLL
Subfile information: download_interface.dll / e651698b237650040103f07db79f46c4 / DLL
Thunder5.exe / 3f544f45553295afc3d7b03d65d092c5 / EXE
streammedialib.dll / 7808bcce972ee491fade4a4e8df51476 / DLL
XLCommunity.dll / bc00e4ec963a3b499b2afdef8663afb4 / DLL
record.bin / e8e742f84d453d1a2fa16d0d1ea296c9 / Unknown
stlport_vc646.dll / d63628e0815f280130ca011d5593767e / DLL
ThunderSafe.dll / 9bcc34f5732e49ea8da8198b6893eed3 / DLL
XAFilter.ax / f856e143c8332ae7965b26400fc8e942 / DLL
PPlayer.dll / 2d694993239715fc7e66c5fb9c5c7c41 / DLL
IJL15.DLL / 237f3af09fef941e504dc77789f00364 / DLL
TDAtOnce_Now.dll / 6c73ca1ecb87db28ea3c93ebb36cd965 / DLL
TDAtOnce.dll / 6c73ca1ecb87db28ea3c93ebb36cd965 / DLL
DapPlayer.dll / c09e266d374c3926aa89f3cc70322f56 / DLL
DapPlayer3.0.28.50.dll / c09e266d374c3926aa89f3cc70322f56 / DLL
XPlayer.dll / 94958ffb8b0faa8d2f60a6e34942b526 / DLL
al.dll / 2e199405510f78f10a12dd2c1ecccffb / DLL
xlsf.dll / 9d41863ea6ffcc132137a816db311cb3 / DLL
xlsf_Now.dll / 9d41863ea6ffcc132137a816db311cb3 / DLL
PlayerHelper.dll / 04b48b527858d2342a79397e8167c530 / DLL
Key behavior
Behavior description: Modifies the original system EXE files
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Program\stlport_vc646.dll
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Program\streammedialib.dll
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Program\al.dll
Behavior description: Sets special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Modifies registry: BHO
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{889D2FEB-5411-4565-8998-1DD2C5261283}\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\
Process behavior
Behavior description: Creates process
details: [0x00000ef0]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Program\Thunder5.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Program\Thunder5.exe" /e88a2276 /Documents and Settings/Administrator/Local Settings/Temp/EB93A6/%temp%\****.exe_7zdump\Thunder.exe"
Behavior description: Creates local thread
details: TargetProcess: Thunder5.exe, InheritedFromPID = 3792, ProcessID = 3824, ThreadID = 3920, StartAddress = 77C0A341, Parameter = 003F7EF8
TargetProcess: Thunder5.exe, InheritedFromPID = 3792, ProcessID = 3824, ThreadID = 3960, StartAddress = 2165E6F0, Parameter = 0120FE60
TargetProcess: Thunder5.exe, InheritedFromPID = 3792, ProcessID = 3824, ThreadID = 3988, StartAddress = 216A0DE0, Parameter = 011E87F8
TargetProcess: Thunder5.exe, InheritedFromPID = 3792, ProcessID = 3824, ThreadID = 3992, StartAddress = 216A0DE0, Parameter = 011F5A98
TargetProcess: Thunder5.exe, InheritedFromPID = 3792, ProcessID = 3824, ThreadID = 4000, StartAddress = 216A0DE0, Parameter = 01240118
TargetProcess: Thunder5.exe, InheritedFromPID = 3792, ProcessID = 3824, ThreadID = 4004, StartAddress = 216563C0, Parameter = 01240530
TargetProcess: Thunder5.exe, InheritedFromPID = 3792, ProcessID = 3824, ThreadID = 4008, StartAddress = 217B89A0, Parameter = 0123FFA8
TargetProcess: Thunder5.exe, InheritedFromPID = 3792, ProcessID = 3824, ThreadID = 4012, StartAddress = 216A0DE0, Parameter = 01248E08
TargetProcess: Thunder5.exe, InheritedFromPID = 3792, ProcessID = 3824, ThreadID = 4016, StartAddress = 216A0DE0, Parameter = 01248F80
TargetProcess: Thunder5.exe, InheritedFromPID = 3792, ProcessID = 3824, ThreadID = 4020, StartAddress = 216A0DE0, Parameter = 01248FD8
TargetProcess: Thunder5.exe, InheritedFromPID = 3792, ProcessID = 3824, ThreadID = 4024, StartAddress = 216563C0, Parameter = 01249018
TargetProcess: Thunder5.exe, InheritedFromPID = 3792, ProcessID = 3824, ThreadID = 4028, StartAddress = 216A0DE0, Parameter = 012498F8
TargetProcess: Thunder5.exe, InheritedFromPID = 3792, ProcessID = 3824, ThreadID = 4032, StartAddress = 216563C0, Parameter = 0122B298
TargetProcess: Thunder5.exe, InheritedFromPID = 3792, ProcessID = 3824, ThreadID = 4036, StartAddress = 004A447B, Parameter = 00000000
TargetProcess: Thunder5.exe, InheritedFromPID = 3792, ProcessID = 3824, ThreadID = 4040, StartAddress = 216563C0, Parameter = 0124B6D8
Behavior description: Enumerates processes
details: N/A
File behavior
Behavior description: Creates file
details: C:\WINDOWS\system32\cid_store.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFF8FB.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFF923.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFF962.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFF981.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFF9A1.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\update[1]
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ComDlls\ThunderAgent_Now.dll
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ComDlls\xunleiBHO_Now.dll
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ComDlls\TDAtOnce_Now.dll
Behavior description: Modifies the original system EXE files
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Program\stlport_vc646.dll
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Program\streammedialib.dll
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Program\al.dll
Behavior description: Creates executable file
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ComDlls\ThunderAgent_Now.dll
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ComDlls\xunleiBHO_Now.dll
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ComDlls\TDAtOnce_Now.dll
Behavior description: Copies file
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ComDlls\ThunderAgent.dll ---> C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ComDlls\ThunderAgent_Now.dll
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ComDlls\XunLeiBHO.dll ---> C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ComDlls\xunleiBHO_Now.dll
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ComDlls\TDAtOnce.dll ---> C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ComDlls\TDAtOnce_Now.dll
Behavior description: Deletes file
details: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFF8FB.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFF923.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFF962.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFF981.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFF9A1.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\update[1]
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ComDlls\ThunderAgent_OLD_0.dll
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ComDlls\xunleiBHO_OLD_0.dll
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ComDlls\TDAtOnce_OLD_0.dll
Behavior description: Searches for file
details: FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\My Documents
FileName = C:\Documents and Settings\All Users
FileName = C:\Documents and Settings\All Users\Documents
FileName = C:\Documents and Settings\Administrator\桌面
FileName = C:\Documents and Settings\All Users\桌面
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Program
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Program\Thunder5.exe
FileName = D:\Thunder v5.7.3.3890\Languages\zh_cn\Thunder.ini
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Languages\zh_cn\Thunder.ini
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Languages\zh_cn\Connection.ini
FileName = C:\WINDOWS\system32\drivers\etc\Hosts
Behavior description: Renames file
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ComDlls\ThunderAgent_Now.dll ---> C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ComDlls\ThunderAgent_OLD_0.dll
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ComDlls\xunleiBHO_Now.dll ---> C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ComDlls\xunleiBHO_OLD_0.dll
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ComDlls\TDAtOnce_Now.dll ---> C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ComDlls\TDAtOnce_OLD_0.dll
Behavior description: Sets special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Modifies file content
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Program\Thunder5.exe ---> Offset = 655360
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Program\Thunder5.exe ---> Offset = 720896
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Program\Thunder5.exe ---> Offset = 786432
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Program\Thunder5.exe ---> Offset = 851968
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Program\Thunder5.exe ---> Offset = 917504
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Profiles\UserConfig.ini ---> Offset = 649
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Profiles\UserConfig.ini ---> Offset = 775
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Profiles\UserConfig.ini ---> Offset = 795
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Profiles\UserConfig.ini ---> Offset = 823
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Profiles\UserConfig.ini ---> Offset = 878
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Profiles\UserConfig.ini ---> Offset = 864
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Program\stlport_vc646.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Program\stlport_vc646.dll ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Program\stlport_vc646.dll ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Program\stlport_vc646.dll ---> Offset = 196608
Network behavior
Behavior description: Opens URL over the network
details: InternetOpenUrlA: http://ay****et/thunder/update, hInternet = 0x00cc0004, Flags = 0x00000000
Behavior description: Connects to specified site
details: InternetConnectA: ServerName = ay****et, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
InternetConnectA: ServerName = ur****om, PORT = 443, UserName = , Password = , hSession = 0x00cc0010, hConnect = 0x00cc0014, Flags = 0x00000200
Behavior description: Opens HTTP connection
details: InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1), hSession = 0x00cc0004
InternetOpenA: UserAgent: VCSoapClient, hSession = 0x00cc0010
Behavior description: Establishes connection to a specified socket
details: URL: mv****et, IP: **.133.40.**:80, SOCKET = 0x000001bc
URL: sp****et, IP: **.133.40.**:80, SOCKET = 0x000002f8
URL: co****et, IP: **.133.40.**:80, SOCKET = 0x0000036c
URL: ay****et, IP: **.133.40.**:80, SOCKET = 0x00000428
URL: sp****et, IP: **.133.40.**:8080, SOCKET = 0x000004ac
IP: **.61.39.**:8080, SOCKET = 0x000004b4
IP: **.254.39.**:8080, SOCKET = 0x000004b8
URL: sp****et, IP: **.133.40.**:21, SOCKET = 0x000004bc
IP: **.61.39.**:21, SOCKET = 0x000004c0
IP: **.254.39.**:21, SOCKET = 0x000004c4
IP: **.0.0.**:0, SOCKET = 0x000004c8
URL: bw****et, IP: **.133.40.**:8000, SOCKET = 0x000004c4
URL: hu****et, IP: **.133.40.**:80, SOCKET = 0x000002fc
URL: hu****et, IP: **.133.40.**:80, SOCKET = 0x000004d8
URL: ur****om, IP: **.133.40.**:443, SOCKET = 0x000005dc
Behavior description: Reads network file
details: hFile = 0x00cc000c, BytesToRead =7, BytesRead = 7.
hFile = 0x00cc000c, BytesToRead =2048, BytesRead = 2048.
hFile = 0x00cc0018, BytesToRead =4095, BytesRead = 4095.
Behavior description: Sends HTTP packet
details: POST / HTTP/1.1 Host: sp****et:80 Content-type: application/octet-stream Content-Length: 76 Connection: Keep-Alive 
GET /Thunder5_cfg.ini HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Host: co****et Referer: http://conf.sandai.net Pragma: no-cache Cache-Control: no-cache Connection: close
GET /thunder/update HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Host: ay****et
POST / HTTP/1.1 Host: bw****et:8000 Content-type: application/octet-stream Content-Length: 60 Connection: Keep-Alive 
POST / HTTP/1.1 Host: hu****et:80 Content-type: application/octet-stream Content-Length: 140 Connection: Keep-Alive 4
POST / HTTP/1.1 Host: hu****et:80 Content-type: application/octet-stream Content-Length: 44 Connection: Keep-Alive <
Behavior description: Opens HTTP request
details: HttpOpenRequestA: ay****et:80/thunder/update, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00000000
HttpOpenRequestA: ur****om:443/urs.asmx?msurs-client-key=m9v8fsmartjce2h1weztzg%3d%3d&msurs-patented-lock=b8l0izi2dzq%3d, hConnect = 0x00cc0014, hRequest = 0x00cc0018, Verb: POST, Referer: , Flags = 0x04880300
Behavior description: Resolves host address by name
details: gethostbyname: computer
gethostbyname: mv****et
gethostbyname: hu****et
gethostbyname: sp****et
gethostbyname: co****et
GetAddrInfoW: ay****et
gethostbyname: bw****et
GetAddrInfoW: ur****om
Registry behavior
Behavior description: Modifies registry: browser context menu
details: \REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\MenuExt\使用迅雷下载\
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\MenuExt\使用迅雷下载\Contexts
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\MenuExt\使用迅雷下载全部链接\
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\MenuExt\使用迅雷下载全部链接\Contexts
Behavior description: Deletes registry key
details: \REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBB}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBB}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBC}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBC}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\
\REGISTRY\USER\S-*_CLASSES\JavaPlugin.1000\CLSID\
\REGISTRY\USER\S-*_CLASSES\JavaPlugin.1000\
Behavior description: Modifies registry: browser default download tool
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\DownloadUI
Behavior description: Modifies registry: BHO
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{889D2FEB-5411-4565-8998-1DD2C5261283}\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\
Behavior description: Modifies registry
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Program\Thunder5.exe
\REGISTRY\MACHINE\SOFTWARE\Classes\.torrent\
\REGISTRY\MACHINE\SOFTWARE\Classes\bittorrent\shell\open\command\
\REGISTRY\MACHINE\SOFTWARE\Classes\bittorrent\DefaultIcon\
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{485463B7-8FB2-4B3B-B29B-8B919B0EACCE}\iexplore\Flags
\REGISTRY\MACHINE\SOFTWARE\Classes\ThunderAgent.Agent.1\
\REGISTRY\MACHINE\SOFTWARE\Classes\ThunderAgent.Agent.1\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\ThunderAgent.Agent\
\REGISTRY\MACHINE\SOFTWARE\Classes\ThunderAgent.Agent\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\ThunderAgent.Agent\CurVer\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{485463B7-8FB2-4B3B-B29B-8B919B0EACCE}\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{485463B7-8FB2-4B3B-B29B-8B919B0EACCE}\ProgID\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{485463B7-8FB2-4B3B-B29B-8B919B0EACCE}\VersionIndependentProgID\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{485463B7-8FB2-4B3B-B29B-8B919B0EACCE}\InprocServer32\
Behavior description: Deletes registry value
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Other behavior
Behavior description: Creates mutex
details: thunder5_shell_mutex
thunder5_app_mutex
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
F8730FC7_1436_4121_9FA6_C0FBF4817482
TDPingServiceStartMutex
MSCTF.Shared.MUTEX.IOH
Behavior description: Hides specified window
details: [Window,Class] = [,tooltips_class32]
[Window,Class] = [,SysListView32]
[Window,Class] = [,Afx:400000:8:10011:6:0]
[Window,Class] = [雷友信息,Afx:400000:8:10011:6:0]
[Window,Class] = [ToolBarChevron,AfxWnd42]
[Window,Class] = [MenuBarChevron,AfxWnd42]
[Window,Class] = [,#32770]
[Window,Class] = [缩放级别,ToolbarWindow32]
[Window,Class] = [,msctls_progress32]
[Window,Class] = [,SysLink]
[Window,Class] = [,Static]
[Window,Class] = [文件大小未知,Static]
[Window,Class] = [打开此类文件前总是询问(&W),Button]
[Window,Class] = [发行者:,Static]
Behavior description: MD5 of modified executable files
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Program\stlport_vc646.dll ---> d63628e0815f280130ca011d5593767e
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Program\streammedialib.dll ---> 7808bcce972ee491fade4a4e8df51476
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Program\al.dll ---> 2e199405510f78f10a12dd2c1ecccffb
Behavior description: Adjusts process token privileges
details: SE_LOAD_DRIVER_PRIVILEGE
SE_INC_BASE_PRIORITY_PRIVILEGE
Behavior description: Opens event
details: HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Thunder Shell Stop Delay
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Global\SvcctrlStartEvent_A3752DX
\INSTALLATION_SECURITY_HOLD
Isolation Signal Registry Event (1D97FC65-669F-11E7-91C0-7B****28, 0)
Global\crypt32LogoffEvent
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000011
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000011
Behavior description: Signature information of modified executable files
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Program\stlport_vc646.dll(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Program\streammedialib.dll(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Program\al.dll(签名验证: 未通过)
Behavior description: Executable file signature information
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ComDlls\ThunderAgent_Now.dll(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ComDlls\xunleiBHO_Now.dll(签名验证: 通过)
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ComDlls\TDAtOnce_Now.dll(签名验证: 通过)
Behavior description: Creates event object
details: EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceive.Event.EPO.IC
EventName = MSCTF.SendReceiveConection.Event.EPO.IC
EventName = Local\5f4_29
EventName = Global\crypt32LogoffEvent
Behavior description: Executable file MD5
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ComDlls\ThunderAgent_Now.dll ---> b6ac7d7f342f81f827cf7f07eb6c0d16
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ComDlls\xunleiBHO_Now.dll ---> c834c3acf52594bff72c6ba8910258ef
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ComDlls\TDAtOnce_Now.dll ---> 6c73ca1ecb87db28ea3c93ebb36cd965
Behavior description: Opens mutex
details: Local\!IETld!Mutex
ShimCacheMutex
DBWinMutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
Behavior description: Searches for specified window
details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
Behavior description: Loads newly dropped files
details: Image: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ComDlls\ThunderAgent_Now.dll.
Image: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ComDlls\xunleiBHO_Now.dll.
Image: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ComDlls\TDAtOnce_Now.dll.