VirSCAN

1, You can UPLOAD any files, but there is a 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but the archive must contain fewer than 20 files.
3, VirSCAN can scan password-protected archives if the password is 'infected' or 'virus'.
4, If your browser cannot upload files, please download VirSCAN uploader to upload.

File information

Basic Information

MD5: e0166446a676adb9e3160c9c06e56401
File size: 5.58MB
Upload time: 2014-09-22 10:36:30 (CST)
Package names:
Minimum operating environment:
Copyright:

Key behavior

Behavior description: Hide specified window
details: [Window,Class] = [,tooltips_class32]
[Window,Class] = [,BrowserFrameGripperClass]
[Window,Class] = [Windows Internet Explorer,IEFrame]
[Window,Class] = [缩放级别,ToolbarWindow32]
[Window,Class] = [,msctls_progress32]
Behavior description: Set message hook
details: C:\WINDOWS\system32\DINPUT8.dll
C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe
Behavior description: Set special file attributes
details: C:\monitor\sample .exe
Behavior description: Set special folder attributes
details: C:\Documents and Settings\Administrator\Application Data\Fomesaod
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\All Users\Application Data\Fomesaod
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\LocalService\Local Settings\History
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5
C:\Documents and Settings\LocalService\Cookies
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache
Behavior description: Create system service
details: [服务创建成功]: GiseXuvo, C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe
[服务创建失败]: GiseXuvo, C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe
Behavior description: Resolve host address by name
details: wpad
www.yixun.com

Process behavior

Behavior description: Create process with hidden window
details: ImagePath = c:\program files\internet explorer\iexplore.exe, CmdLine = "c:\program files\internet explorer\iexplore.exe" http://www.yixun.com/
Behavior description: Create process
details: ImagePath = C:\Program Files\Internet Explorer\IEXPLORE.EXE, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.yixun.com/
ImagePath = C:\Program Files\Internet Explorer\IEXPLORE.EXE, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:3332 CREDAT:79873
Behavior description: Create process from newly created file
details: ImagePath = c:\monitor\sample .exe, CmdLine = "c:\monitor\sample .exe"
ImagePath = C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe, CmdLine = "C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe"
ImagePath = C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe, CmdLine = "C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe" /START "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.yixun.com/
ImagePath = C:\Documents and Settings\All Users\Application Data\Fomesaod\qege.exe, CmdLine = "C:\Documents and Settings\All Users\Application Data\Fomesaod\qege.exe"
Behavior description: Enumerate processes
details: N/A

File behavior

Behavior description: Create executable file
details: C:\monitor\sample .exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\{B5564BC2-13A5-4F05-B4EA-44CD5159BEE5}\fpb.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\{6C55B513-C478-4780-B6D6-A83697827603}\fpb.tmp
C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe
C:\Documents and Settings\Administrator\Application Data\Fomesaod\RCX1.tmp
C:\Documents and Settings\Administrator\Application Data\Fomesaod\RCX2.tmp
C:\Documents and Settings\Administrator\Application Data\Fomesaod\RCX3.tmp
C:\Documents and Settings\Administrator\Application Data\Fomesaod\RCX4.tmp
C:\Documents and Settings\Administrator\Application Data\Fomesaod\RCX5.tmp
C:\Documents and Settings\Administrator\Application Data\Fomesaod\RCX6.tmp
C:\Documents and Settings\Administrator\Application Data\Fomesaod\RCX7.tmp
C:\Documents and Settings\Administrator\Application Data\Fomesaod\RCX8.tmp
C:\Documents and Settings\Administrator\Application Data\Fomesaod\RCX9.tmp
C:\Documents and Settings\Administrator\Application Data\Fomesaod\RCXA.tmp
C:\Documents and Settings\All Users\Application Data\Fomesaod\qege.exe
Behavior description: Set special file attributes
details: C:\monitor\sample .exe
Behavior description: Map file with write access
details: Local\b7b7bc2512ee1fedcd76bdc68926d4f7b
\WINDOWS\system32\zh-cn\ieframe.dll.mui
VIDEOMEMORY
AMResourceMapping2-0x0000-0x0000051e
Global\c1128acc29a2f4c564400859e81d4b5b3
Local\UrlZonesSM_Administrator
Local\bd41d8cd98f00b204e9800998ecf8427e
Internet Explorer Immutable Application State (00000D04-0000-0000-0000-000000000000)
Local\SqmData_IESQM-3332_S-1-5-21-1482476501-1645522239-1417001333-500
ie_lcie_main_d04
Isolation Process Registry (6B31027B-8D2D-11E4-B5D3-000C2938259F)
Isolation Signal Registry (6B31027B-8D2D-11E4-B5D3-000C2938259F, 0)
ie_lcie_LogonMedium
Local\IEFrame!GetAsyncKeyStateSharedMem!3332
ie_lcie_ConnHashTable<3332>
Behavior description: Rename file
details: C:\Documents and Settings\Administrator\Application Data\Fomesaod\RCX1.tmp ---> C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe
C:\Documents and Settings\Administrator\Application Data\Fomesaod\RCX2.tmp ---> C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe
C:\Documents and Settings\Administrator\Application Data\Fomesaod\RCX3.tmp ---> C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe
C:\Documents and Settings\Administrator\Application Data\Fomesaod\RCX4.tmp ---> C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe
C:\Documents and Settings\Administrator\Application Data\Fomesaod\RCX5.tmp ---> C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe
C:\Documents and Settings\Administrator\Application Data\Fomesaod\RCX6.tmp ---> C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe
C:\Documents and Settings\Administrator\Application Data\Fomesaod\RCX7.tmp ---> C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe
C:\Documents and Settings\Administrator\Application Data\Fomesaod\RCX8.tmp ---> C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe
C:\Documents and Settings\Administrator\Application Data\Fomesaod\RCX9.tmp ---> C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe
C:\Documents and Settings\Administrator\Application Data\Fomesaod\RCXA.tmp ---> C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe
C:\WINDOWS\RCXC.tmp ---> C:\WINDOWS\regedit.exe
C:\WINDOWS\RCXD.tmp ---> C:\WINDOWS\regedit.exe
C:\WINDOWS\RCXE.tmp ---> C:\WINDOWS\regedit.exe
C:\WINDOWS\RCXF.tmp ---> C:\WINDOWS\regedit.exe
C:\WINDOWS\RCX10.tmp ---> C:\WINDOWS\regedit.exe
Behavior description: Set special folder attributes
details: C:\Documents and Settings\Administrator\Application Data\Fomesaod
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\All Users\Application Data\Fomesaod
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\LocalService\Local Settings\History
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5
C:\Documents and Settings\LocalService\Cookies
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache
Behavior description: Modify file content
details: C:\Documents and Settings\Administrator\Application Data\Fomesaod\gieh\ababnus.sys---> Offset = 4121
C:\Documents and Settings\Administrator\Application Data\Fomesaod\fowone\fiel.dat---> Offset = 4105
C:\Documents and Settings\Administrator\Application Data\Fomesaod\fowone\muokowl.drv---> Offset = 4111
C:\Documents and Settings\Administrator\Application Data\Fomesaod\siu.drv---> Offset = 4114
C:\Documents and Settings\Administrator\Application Data\Fomesaod\hiesa.dat---> Offset = 4112
C:\Documents and Settings\Administrator\Application Data\Fomesaod\itloaspu\wonaesan.drv---> Offset = 8223
C:\Documents and Settings\Administrator\Application Data\Fomesaod\itloaspu\okvou.sys---> Offset = 4111
C:\Documents and Settings\Administrator\Application Data\Fomesaod\abheha.cat---> Offset = 4118
C:\Documents and Settings\Administrator\Application Data\Fomesaod\duapbihale.cat---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Fomesaod\lakaucda\ecvoorsoar\puboguceo.bin---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Fomesaod\lakaucda\ecvoorsoar\hia.cat---> Offset = 4101
C:\Documents and Settings\Administrator\Application Data\Fomesaod\lakaucda\ecvoorsoar\giecqoxau.dmp---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Fomesaod\lakaucda\ecvoorsoar\rowaeft.sys---> Offset = 4107
C:\Documents and Settings\Administrator\Application Data\Fomesaod\lakaucda\iqexxebi.dat---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Fomesaod\ibweoloca---> Offset = 0
Behavior description: Modify newly created executable file
details: C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe---> Offset = 18556928
C:\WINDOWS\regedit.exe---> Offset = 358400
C:\WINDOWS\winhelp.exe---> Offset = 358400
C:\WINDOWS\winhlp32.exe---> Offset = 358400
C:\WINDOWS\$NtUninstallKB2412687$\spuninst\spuninst.exe---> Offset = 358400
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\19b50dd470540911fc5cc65331a769e4\ComSvcConfig.ni.exe---> Offset = 358400
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\MSBuild\87c84ffaaad81d8d106a9aa9d68b5926\MSBuild.ni.exe---> Offset = 358400
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\6781b87c8d3b55e6120b1e86bea6e040\ServiceModelReg.ni.exe---> Offset = 358400
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\SMSvcHost\b9c1a29e684bc02e49226ff1e9eec253\SMSvcHost.ni.exe---> Offset = 358400
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\WsatConfig\7d2a3adbdcb675f872eb2dbf21f73596\WsatConfig.ni.exe---> Offset = 358400
C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\2b3bb967d405eb9e0c95b184f7ae8979\ComSvcConfig.ni.exe---> Offset = 358400
C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\MSBuild\e2799fc6d0e3b74e8fa3c2ce0225a940\MSBuild.ni.exe---> Offset = 358400
C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\SMSvcHost\048beed5824506fe8ac3453e5d71edb2\SMSvcHost.ni.exe---> Offset = 358400
C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\WsatConfig\d44ea63953312a5b92800127d1f48932\WsatConfig.ni.exe---> Offset = 358400
C:\WINDOWS\ie8\spuninst\spuninst.exe---> Offset = 358400

Network behavior

Behavior description: Connect to specified site
details: InternetConnectA: ServerName = icanhazip.com, PORT = 80
InternetConnectA: ServerName = example.com, PORT = 80
InternetConnectA: ServerName = z3mm6cupmtw5b2xx.onion, PORT = 80
InternetConnectA: ServerName = leuvuftet.ddns.net, PORT = 80
InternetConnectA: ServerName = obneifqumea.ddns.net, PORT = 80
InternetConnectA: ServerName = bodihemouxk.ddns.net, PORT = 80
InternetConnectA: ServerName = lefiilqevireqe.ddns.net, PORT = 80
InternetConnectA: ServerName = puovlaru.ddns.net, PORT = 80
InternetConnectA: ServerName = ehohimtoanlemav.ddns.net, PORT = 80
InternetConnectA: ServerName = cetagueh.ddns.net, PORT = 80
InternetConnectA: ServerName = ekuhupiwim.ddns.net, PORT = 80
InternetConnectA: ServerName = qehareosowfui.ddns.net, PORT = 80
InternetConnectA: ServerName = isilovinkiu.ddns.net, PORT = 80
InternetConnectA: ServerName = ebesisfikuguu.ddns.net, PORT = 80
InternetConnectA: ServerName = uxiwkakaw.ddns.net, PORT = 80
Behavior description: Download file
details: URLDownloadToFileW: http://www.live.com/favicon.ico ---> C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Behavior description: Read network file
details: hFile = 0x00000364, BytesToRead =1023, BytesRead = 1023.
hFile = 0x00000338, BytesToRead =1023, BytesRead = 1023.
hFile = 0x00000300, BytesToRead =1023, BytesRead = 1023.
hFile = 0x0000024c, BytesToRead =1023, BytesRead = 1023.
hFile = 0x0000023c, BytesToRead =1023, BytesRead = 1023.
Behavior description: Open HTTP request
details: HttpOpenRequestA: z3mm6cupmtw5b2xx.onion:80/si.php?xd={"f6226":""}, hConnect = 0x0000035c
HttpOpenRequestA: leuvuftet.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x00000300
HttpOpenRequestA: obneifqumea.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x00000338
HttpOpenRequestA: bodihemouxk.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x00000300
HttpOpenRequestA: lefiilqevireqe.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x00000338
HttpOpenRequestA: puovlaru.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x00000300
HttpOpenRequestA: ehohimtoanlemav.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x00000338
HttpOpenRequestA: cetagueh.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x00000300
HttpOpenRequestA: ekuhupiwim.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x00000338
HttpOpenRequestA: qehareosowfui.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x00000300
HttpOpenRequestA: isilovinkiu.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x00000338
HttpOpenRequestA: ebesisfikuguu.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x00000300
HttpOpenRequestA: uxiwkakaw.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x00000338
HttpOpenRequestA: saciurasfuwakem.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x00000300
HttpOpenRequestA: ekesowpiilw.ddns.net:80/si.php?xd={"f6226":""}, hConnect = 0x00000338
Behavior description: Resolve host address by name
details: wpad
www.yixun.com

Registry behavior

Behavior description: Delete registry key
details: \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\EnopIqecebeh\shell\runas
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\EnopIqecebeh\shell\open
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\EnopIqecebeh\shell
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\EnopIqecebeh\DefaultIcon
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\EnopIqecebeh
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\{63800dac-e7ca-4df9-9a5c-20765055488d}
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}
Behavior description: Modify registry_Group Policy
details: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat\DisablePCA
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\AppCompat\DisablePCA
Behavior description: Delete registry value_IE connection settings
details: \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Behavior description: Modify registry
details: \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Direct3D\MostRecentApplication\Name
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\UwxuOwcauq\
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\EnopIqecebeh\
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\UwxuOwcauq\IsShortcut
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\EnopIqecebeh\DefaultIcon\
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\UwxuOwcauq\NeverShowExt
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\UwxuOwcauq\shell\open\command\
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\UwxuOwcauq\shell\open\command\IsolatedCommand
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\UwxuOwcauq\shell\runas\command\
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\EnopIqecebeh\shell\open\command\
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\UwxuOwcauq\shell\runas\command\IsolatedCommand
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\EnopIqecebeh\shell\open\command\IsolatedCommand
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\UwxuOwcauq\shellex\IconHandler\
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\.lnk\
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\EnopIqecebeh\shell\runas\command\
Behavior description: Delete registry value
details: \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Macromedia\FlashPlayer\ConflictingProcs
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\Expiration
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1\Expiration
Behavior description: Delete registry key_file association
details: \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\.exe
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\EnopIqecebeh\shell\runas\command
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\EnopIqecebeh\shell\open\command

Other behavior

Behavior description: Create driver file image
details: C:\WINDOWS\system32\drivers\fastfat.sys
Behavior description: Create mutex
details: oleacc-msaa-loaded
DirectSound DllMain mutex (0x00000170)
DDrawWindowListMutex
__DDrawExclMode__
__DDrawCheckExclMode__
{FEC7EF28-53E7-4f06-8F56-FA6D670C8D3C}
AMResourceMutex2
VideoRenderer
eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-21-1482476501-1645522239-1417001333-500
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
IESQM-3332_S-1-5-21-1482476501-1645522239-1417001333-500
IExplore.Sqm.psenr
Behavior description: Hide specified window
details: [Window,Class] = [,tooltips_class32]
[Window,Class] = [,BrowserFrameGripperClass]
[Window,Class] = [Windows Internet Explorer,IEFrame]
[Window,Class] = [缩放级别,ToolbarWindow32]
[Window,Class] = [,msctls_progress32]
Behavior description: Set message hook
details: C:\WINDOWS\system32\DINPUT8.dll
C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [Static,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
Behavior description: Start system service
details: [服务启动成功]: LocalSystem, GiseXuvo, C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe
Behavior description: Open specified IE web page
details: http://www.yixun.com/
Behavior description: Acquire system privileges
details: SE_INC_BASE_PRIORITY_PRIVILEGE
SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Enumerate windows
details: N/A
Behavior description: Window information
details: Pid = 368, Hwnd=0xb016a, Text = 退出, ClassName = Button.
Pid = 368, Hwnd=0xb01de, Text = 安装, ClassName = Button.
Pid = 368, Hwnd=0xd01c8, Text = 我已经阅读并同意 Flash Player 许可协议的条款。, ClassName = Button.
Pid = 368, Hwnd=0xc01c2, Text = <a href="http://www.adobe.com/products/eulas/#flash_player">单击此处阅读许可。</a>, ClassName = Button.
Pid = 368, Hwnd=0xa0186, Text = Adobe Flash Player 16.0 安装程序, ClassName = AdobeFlashPlayerInstaller.
Behavior description: Create system service
details: [服务创建成功]: GiseXuvo, C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe
[服务创建失败]: GiseXuvo, C:\Documents and Settings\Administrator\Application Data\Fomesaod\qege.exe