VirSCAN

1. You can submit files for scanning of no more than 20 MB in size.
2. VirSCAN scans Rar/Zip archives, but no more than 20 files per archive.
3. VirSCAN can scan password-protected archives if the password is 'infected' or 'virus'.
4. If your browser cannot upload files, please download the VirSCAN uploader.


File information

Basic information

MD5:a9c60051f3377d1f5caa9ff956b80e82
File size: 5.58MB
Upload time: 2014-09-22 10:36:30 (CST)
Package name:
Minimum runtime environment:
Copyright:

Key behavior

Behavior description: Set special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012019040220190403
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache
C:\Documents and Settings\Administrator\IECompatCache
Behavior description: Set message hook
Details: C:\WINDOWS\system32\IEFRAME.dll

Process behavior

Behavior description: Create process
Details: [0x00000b44]ImagePath = C:\Program Files\Internet Explorer\iexplore.exe, CmdLine = "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2736 CREDAT:79873
[0x00000c54]ImagePath = C:\Program Files\Internet Explorer\iexplore.exe, CmdLine = "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2736 CREDAT:14340
Behavior description: Create local thread
Details: TargetProcess: iexplore.exe, InheritedFromPID = 2000, ProcessID = 2736, ThreadID = 2752, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: iexplore.exe, InheritedFromPID = 2000, ProcessID = 2736, ThreadID = 2828, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: iexplore.exe, InheritedFromPID = 2000, ProcessID = 2736, ThreadID = 2832, StartAddress = 7C930230, Parameter = 00000000
TargetProcess: iexplore.exe, InheritedFromPID = 2000, ProcessID = 2736, ThreadID = 2836, StartAddress = 7C949B6F, Parameter = 00000000
TargetProcess: iexplore.exe, InheritedFromPID = 2000, ProcessID = 2736, ThreadID = 2840, StartAddress = 77E56C7D, Parameter = 00196878
TargetProcess: iexplore.exe, InheritedFromPID = 2000, ProcessID = 2736, ThreadID = 2844, StartAddress = 5DE05ABD, Parameter = 00198670
TargetProcess: iexplore.exe, InheritedFromPID = 2000, ProcessID = 2736, ThreadID = 2848, StartAddress = 5DE05BC0, Parameter = 001941D8
TargetProcess: iexplore.exe, InheritedFromPID = 2000, ProcessID = 2736, ThreadID = 2852, StartAddress = 0122F74F, Parameter = 00000214
TargetProcess: iexplore.exe, InheritedFromPID = 2736, ProcessID = 2884, ThreadID = 2892, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: iexplore.exe, InheritedFromPID = 2000, ProcessID = 2736, ThreadID = 2896, StartAddress = 77C0A341, Parameter = 003F6C40
TargetProcess: iexplore.exe, InheritedFromPID = 2000, ProcessID = 2736, ThreadID = 2900, StartAddress = 77E56C7D, Parameter = 001B6298
TargetProcess: iexplore.exe, InheritedFromPID = 2000, ProcessID = 2736, ThreadID = 2904, StartAddress = 769AE43B, Parameter = 001B8CE8
TargetProcess: iexplore.exe, InheritedFromPID = 2000, ProcessID = 2736, ThreadID = 2908, StartAddress = 769AE43B, Parameter = 001BB390
TargetProcess: iexplore.exe, InheritedFromPID = 2736, ProcessID = 2884, ThreadID = 2912, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: iexplore.exe, InheritedFromPID = 2736, ProcessID = 2884, ThreadID = 2916, StartAddress = 7C930230, Parameter = 00000000

File behavior

Behavior description: Create file
Details: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{C27ECBFE-550D-11E9-91C0-7B****28}.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF538D.tmp
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{C27ECBFF-550D-11E9-91C0-7B****28}.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF59C6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\favicon[1].ico
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012019040220190403\index.dat
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{C8C35A94-550D-11E9-91C0-7B****28}.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFE217.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\yixun_com[1]
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF22E.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF25B.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF536.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF555.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFD3E.tmp
Behavior description: Create executable file
Details: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Behavior description: Search for file
Details: FileName = C:\Program Files\Common Files\Adobe
FileName = C:\Program Files\Common Files\Adobe\Acrobat
FileName = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX
FileName = C:\Program Files\Java
FileName = C:\Program Files\Java\jre7
FileName = C:\Program Files\Java\jre7\bin
FileName = C:\Program Files\Java\jre7\bin\jp2ssv.dll
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\bg.html
FileName = C:\Program Files\Internet Explorer\iexplore.exe
Behavior description: Delete file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\~DF538D.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF59C6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\favicon[1].ico
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012016091220160913\index.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFE217.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF22E.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF25B.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF536.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF555.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFD3E.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFD51.tmp
Behavior description: Set special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012019040220190403
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache
C:\Documents and Settings\Administrator\IECompatCache
Behavior description: Modify file content
Details: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{C27ECBFE-550D-11E9-91C0-7B****28}.dat ---> Offset = 512
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{C27ECBFE-550D-11E9-91C0-7B****28}.dat ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF538D.tmp ---> Offset = 16383
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF538D.tmp ---> Offset = 12288
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{C27ECBFE-550D-11E9-91C0-7B****28}.dat ---> Offset = 3072
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{C27ECBFE-550D-11E9-91C0-7B****28}.dat ---> Offset = 1536
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{C27ECBFF-550D-11E9-91C0-7B****28}.dat ---> Offset = 512
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{C27ECBFF-550D-11E9-91C0-7B****28}.dat ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF59C6.tmp ---> Offset = 16383
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF59C6.tmp ---> Offset = 12288
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{C27ECBFF-550D-11E9-91C0-7B****28}.dat ---> Offset = 3072
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{C27ECBFF-550D-11E9-91C0-7B****28}.dat ---> Offset = 1536
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012019040220190403\index.dat ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{C8C35A94-550D-11E9-91C0-7B****28}.dat ---> Offset = 512

Network behavior

Behavior description: Download file
Details: URLDownloadToFileW: http://ww****om/favicon.ico ---> C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Behavior description: Connect to specified site
Details: InternetConnectA: ServerName = ww****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
InternetConnectA: ServerName = ur****om, PORT = 443, UserName = , Password = , hSession = 0x00cc0010, hConnect = 0x00cc0014, Flags = 0x00000200
Behavior description: Open HTTP connection
Details: InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489), hSession = 0x00cc0004
InternetOpenA: UserAgent: VCSoapClient, hSession = 0x00cc0010
Behavior description: Establish a connection to a specified socket
Details: URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x0000055c
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x00000448
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x000006dc
URL: ur****om, IP: **.133.40.**:443, SOCKET = 0x0000059c
Behavior description: Read network file
Details: hFile = 0x00cc000c, BytesToRead =2048, BytesRead = 2048.
hFile = 0x00cc0018, BytesToRead =4095, BytesRead = 4095.
Behavior description: Send HTTP packet
Details: GET /favicon.ico HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: ww****om Connection: Keep-Alive
GET / HTTP/1.1 Accept: */* Accept-Language: zh-cn User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Accept-Encoding: gzip, deflate Host: ww****om Connection: Keep-Alive
Behavior description: Open HTTP request
Details: HttpOpenRequestA: ww****om:80/favicon.ico, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00600010
HttpOpenRequestA: ww****om:80/, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400200
HttpOpenRequestA: ur****om:443/urs.asmx?msurs-client-key=ll8zfgsp2dysekxtpogv4g%3d%3d&msurs-patented-lock=%2bcepapplygm%3d, hConnect = 0x00cc0014, hRequest = 0x00cc0018, Verb: POST, Referer: , Flags = 0x04880300
Behavior description: Resolve host address by name
Details: GetAddrInfoW: ww****om
GetAddrInfoW: ur****om

Registry behavior

Behavior description: Modify registry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Recovery\Active\{C27ECBFE-550D-11E9-91C0-7B****28}
\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\{63800dac-e7ca-4df9-9a5c-20765055488d}\Enable
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32\
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTime
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeCount
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore\Count
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore\Time
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\InprocServer32\ThreadingModel
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBB}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBB}\InprocServer32\
Behavior description: Delete registry value
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\Expiration
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1\Expiration
Behavior description: Delete registry key
Details: \REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\{63800dac-e7ca-4df9-9a5c-20765055488d}\
\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\
\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\
\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBB}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBB}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBC}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBC}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\
\REGISTRY\USER\S-*_CLASSES\JavaPlugin.1000\CLSID\

Other behavior

Behavior description: Create mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\!BrowserEmulation!SharedMemory!Mutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
RasPbFile
ConnHashTable<2736>_HashTable_Mutex
oleacc-msaa-loaded
Local\ZonesCounterMutex
Local\RSS Eventing Connection Database Mutex 00000ab0
Behavior description: Create event object
Details: EventName = Isolation Signal Registry Event (C27ECBFB-550D-11E9-91C0-7B****28, 0)
EventName = IE_EarlyTabStart_0xab4
EventName = Isolation Signal Registry Event (C27ECBFC-550D-11E9-91C0-7B****28, 0)
EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = Local\RSS Eventing Event Event 00000ab0
EventName = Global\crypt32LogoffEvent
EventName = IEFrame.EventCheckDefaultBrowser
EventName = IE_EarlyTabStart_0xc50
EventName = Isolation Signal Registry Event (C27ECC00-550D-11E9-91C0-7B****28, 0)
EventName = MSCTF.SendReceive.Event.ELK.IC
EventName = MSCTF.SendReceiveConection.Event.ELK.IC
EventName = MSCTF.SendReceive.Event.IHL.IC
EventName = MSCTF.SendReceiveConection.Event.IHL.IC
EventName = Local\Feed Arbitration Lock Event [ Process : 0x00000ab0 ]
Behavior description: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
NtUserFindWindowEx: [Class,Window] = [Static,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Window information
Details: Pid = 2736, Hwnd=0x10358, Text = 导航栏, ClassName = WorkerW.
Pid = 2736, Hwnd=0x10362, Text = 地址组合控制, ClassName = ToolbarWindow32.
Pid = 2736, Hwnd=0x10366, Text = 页面控制, ClassName = ToolbarWindow32.
Pid = 2736, Hwnd=0x10376, Text = 搜索..., ClassName = Edit.
Pid = 2736, Hwnd=0x1037a, Text = 搜索组合控制, ClassName = ToolbarWindow32.
Pid = 2736, Hwnd=0x1037c, Text = 搜索控制, ClassName = ToolbarWindow32.
Pid = 2736, Hwnd=0x10396, Text = 命令栏, ClassName = ToolbarWindow32.
Pid = 2736, Hwnd=0x1038e, Text = 收藏夹命令栏, ClassName = ToolbarWindow32.
Pid = 2736, Hwnd=0x10382, Text = LinksBand, ClassName = LinksBandClass.
Pid = 2736, Hwnd=0x1038a, Text = 收藏夹栏, ClassName = ToolbarWindow32.
Pid = 2736, Hwnd=0x10386, Text = 添加到收藏夹栏, ClassName = ToolbarWindow32.
Pid = 2884, Hwnd=0x103ac, Text = ITBarHost, ClassName = InternetToolbarHost.
Pid = 2884, Hwnd=0x103ae, Text = 菜单栏, ClassName = WorkerW.
Pid = 2884, Hwnd=0x103c0, Text = 缩放级别, ClassName = ToolbarWindow32.
Pid = 2736, Hwnd=0x2033c, Text = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\bg.html - Windows Internet Explorer, ClassName = IEFrame.
Behavior description: Adjust process token privileges
Details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Open event
Details: \SECURITY\LSA_AUTHENTICATION_INITIALIZED
Isolation Signal Registry Event (C27ECBFB-550D-11E9-91C0-7B****28, 0)
_fCanRegisterWithShellService
Global\SvcctrlStartEvent_A3752DX
\INSTALLATION_SECURITY_HOLD
MSFT.VSA.COM.DISABLE.2736
MSFT.VSA.IEC.STATUS.6c736db0
Isolation Signal Registry Event (C27ECBFC-550D-11E9-91C0-7B****28, 0)
IE_EarlyTabStart_0xab4
MSFT.VSA.COM.DISABLE.2884
Local\RSS Eventing Event Event 00000ab0
CTF.ThreadMIConnectionEvent.000007E8.00000000.0000000F
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.0000000F
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Behavior description: Executable file signature information
Details: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico (signature verification: failed)
Behavior description: Hide specified window
Details: [Window,Class] = [,BrowserFrameGripperClass]
[Window,Class] = [缩放级别,ToolbarWindow32]
[Window,Class] = [,msctls_progress32]
[Window,Class] = [,AddressDisplay Control]
[Window,Class] = [,CtrlNotifySink]
[Window,Class] = [,SysLink]
[Window,Class] = [,Static]
[Window,Class] = [http://www.yixun.com/ - Windows Internet Explorer,IEFrame]
[Window,Class] = [,UniversalSearchBand]
[Window,Class] = [,TravelBand]
[Window,Class] = [,CommandBarClass]
[Window,Class] = [,ReBarWindow32]
[Window,Class] = [,TabBandClass]
[Window,Class] = [文件大小未知,Static]
[Window,Class] = [打开此类文件前总是询问(&W),Button]
Behavior description: Executable file MD5
Details: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico ---> fe1d0ee5901dd167ee9b28eece31786c
Behavior description: Open mutex
Details: Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
Local\!BrowserEmulation!SharedMemory!Mutex
ShimCacheMutex
RasPbFile
CtfmonInstMutexDefaultS-*
Local\!IETld!Mutex
Local\RSS Eventing Connection Database Mutex 00000ab0
_!SHMSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!history!history.ie5!mshist012019040220190403!