VirSCAN

File information
Safety rating: 90
Behavior list
Basic information
MD5: 4da7b2445cbfa14318665df30201fdc1
File type: Nsis
Production company: Tencent
Version: 2.0.47.101---2.0.47.101
Shell or compiler information:
Subfile information: Resource.rdb / 51d7013e84c2cf49fe9f637f9c42c506 / Unknown
GF.dll / baa3ae2954bf9aa25ff6f9ee30310446 / DLL
dlcore.dll / d112ee395f419c6cfa825c6e9f35ac27 / DLL
Common.dll / b5bf98af0f08e96779f95cfc6c0f21a9 / DLL
TXSSOSetup.exe / a94d60de94f493b58f45dadfcc8cab72 / Nsis
libeay32.dll / f0603786fb147019adcea400b7cdecb6 / DLL
Tencentdl.exe / 92347a3335388fd8de040b24e4b8a472 / EXE
QQAcc.exe / 3c56012aea8bab32b54c087ccd78abab / EXE
TNProxy.dll / 3bad47f1e11387358ba090fbc2682713 / DLL
DLLAccModeLsp.dll / ccc99f049b1455250293fa5a582e7156 / DLL
DLLAccModeVpn.dll / fdcef0a9628886235c3d994113c5ab9e / DLL
QQVipVpn.dll / ac08e14b64727c7862bdd7390c4cbb8c / DLL
xGui.dll / 757fa62c99d643b7cbd5e5b1ffeb71ec / DLL
Extract.dll / 9da51d4506bd094fbfc7d337338fc872 / DLL
TXProductInstallUpdate.exe / 3efd3c13b18ac15e07d07d7198801655 / EXE
arkGraphic.dll / ec56b3bfdb9e16bac2b448c0e72ecb65 / DLL
DLLAccModeMgr.dll / 67677a47a905b8a5f773ea0b6b8dea6a / DLL
QQAcc15.wav / cd0901c358b4c6084333630d4d3cf373 / Unknown
libjpegturbo.dll / 38ff5214c6c3850de8b2a26cec66e54e / DLL
Key behavior
Behavior description: Modify registry (Winsock hijacking)
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Num_Catalog_Entries
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Next_Catalog_Entry_ID
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Serial_Access_Num
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem
Behavior description: Hide specified window
Details: [Window,Class] = [,Button]
[Window,Class] = [,Auto-Suggest Dropdown]
[Window,Class] = [显示细节(&D),Button]
[Window,Class] = [loger command window,TXLOGGER_BYCORETEAM_SSO]
[Window,Class] = [loger command window,TXLOGGER_BYCORETEAM]
[Window,Class] = [Timer Helper Window,TXTimer_Class]
[Window,Class] = [Timer Helper Window,TXTimer_Class_SSO]
Behavior description: Block window close message
Details: hWnd = 0x0004027e, Text = 网游加速小助手(英雄联盟) 2.0.47.101 安装 , ClassName = #32770.
Behavior description: Create desktop shortcut
Details: C:\Documents and Settings\Administrator\桌面\网游加速小助手(英雄联盟).lnk
Behavior description: Modify registry (system firewall trusted program list)
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Common Files\Tencent\QQDownload\125\Tencentdl.exe
Behavior description: Open file mapping with write access
Details: CiceroSharedMemDefaultS-*
MSCTF.MarshalInterface.FileMap.AMP..NOBJH
MSCTF.MarshalInterface.FileMap.AMP.B.NOBJH
MSCTF.MarshalInterface.FileMap.AMP.C.NOBJH
MSCTF.MarshalInterface.FileMap.AMP.D.NOBJH
MSCTF.MarshalInterface.FileMap.AMP.E.NOBJH
MSCTF.MarshalInterface.FileMap.AMP.F.NOBJH
MSCTF.MarshalInterface.FileMap.AMP.G.NOBJH
MSCTF.Shared.SFM.AMP
Local\UrlZonesSM_Administrator
\WINDOWS\system32\zh-cn\ieframe.dll.mui
AtlDebugAllocator_FileMappingNameStatic3_928
AtlDebugAllocator_FileMappingNameStatic3_83c
AtlDebugAllocator_FileMappingNameStatic3_8c4
MSCTF.MarshalInterface.FileMap.AMP.H.EKJNH
Behavior description: Set special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Resolve host address by name
Details: game.vip.qq.com
dtrp.tencentdlinstallinfo.qq.com
www.qq.com
Process behavior
Behavior description: Create process with hidden window
Details: ImagePath = c:\program files\tencent\txacc\accplatform\tencentdl.exe, CmdLine = "c:\program files\tencent\txacc\accplatform\tencentdl.exe" /install
ImagePath = c:\program files\tencent\txacc\accplatform\repairnet.exe, CmdLine = "c:\program files\tencent\txacc\accplatform\repairnet.exe" -repairlsp --true -showwnd --false
ImagePath = c:\windows\system32\netsh.exe, CmdLine = "c:\windows\system32\netsh.exe" winsock reset
ImagePath = c:\windows\system32\netsh.exe, CmdLine = "c:\windows\system32\netsh.exe" firewall delete allowedprogram program="c:\program files\common files\tencent\qqdownload\107\tencentdl.exe" profile=all
ImagePath = c:\program files\common files\tencent\qqdownload\125\tencentdl.exe, CmdLine = "c:\program files\common files\tencent\qqdownload\125\tencentdl.exe" -regserver
ImagePath = c:\windows\system32\netsh.exe, CmdLine = "c:\windows\system32\netsh.exe" firewall add allowedprogram name="腾讯产品下载组件" program="c:\program files\common files\tencent\qqdownload\125\tencentdl.exe" mode=enable profile=all
ImagePath = c:\windows\system32\regsvr32.exe, CmdLine = "c:\windows\system32\regsvr32.exe" /s "c:\program files\common files\tencent\qqdownload\125\downloadproxyps.dll"
Behavior description: Create process
Details: ImagePath = C:\WINDOWS\system32\netsh.exe, CmdLine = "C:\WINDOWS\system32\netsh.exe" winsock reset
ImagePath = C:\WINDOWS\system32\netsh.exe, CmdLine = "C:\WINDOWS\system32\netsh.exe" firewall delete allowedprogram program="c:\program files\common files\tencent\qqdownload\107\tencentdl.exe" profile=ALL
ImagePath = C:\WINDOWS\system32\netsh.exe, CmdLine = "C:\WINDOWS\system32\netsh.exe" firewall add allowedprogram name="腾讯产品下载组件" program="c:\program files\common files\tencent\qqdownload\125\tencentdl.exe" mode=ENABLE profile=ALL
ImagePath = C:\WINDOWS\system32\regsvr32.exe, CmdLine = "C:\WINDOWS\system32\regsvr32.exe" /s "c:\program files\common files\tencent\qqdownload\125\DownloadProxyPS.dll"
ImagePath = C:\WINDOWS\system32\regsvr32.exe, CmdLine = "C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files\Common Files\Tencent\TXSSO\1.2.1.89\Bin\\SSOCommon.dll"
ImagePath = C:\WINDOWS\system32\regsvr32.exe, CmdLine = "C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files\Common Files\Tencent\TXSSO\1.2.1.89\Bin\\npSSOAxCtrlForPTLogin.dll"
ImagePath = C:\WINDOWS\system32\regsvr32.exe, CmdLine = "C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files\Common Files\Tencent\TXSSO\1.2.1.89\Bin\\SSOLUIControl.dll"
Behavior description: Create process from newly written file
Details: ImagePath = C:\Program Files\Tencent\TXAcc\AccPlatform\Tencentdl.exe, CmdLine = "C:\Program Files\Tencent\TXAcc\AccPlatform\Tencentdl.exe" /Install
ImagePath = C:\Program Files\Tencent\TXAcc\AccPlatform\RepairNet.exe, CmdLine = "C:\Program Files\Tencent\TXAcc\AccPlatform\RepairNet.exe" -repairlsp --true -showwnd --false
ImagePath = C:\Program Files\Tencent\TXAcc\AccPlatform\TXSSOSetup.exe, CmdLine = "C:\Program Files\Tencent\TXAcc\AccPlatform\TXSSOSetup.exe" -DIR=C:\Program Files\Tencent\TXAcc\AccPlatform
ImagePath = c:\program files\common files\tencent\qqdownload\125\tencentdl.exe, CmdLine = "c:\program files\common files\tencent\qqdownload\125\tencentdl.exe" -RegServer
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TXSSO\InstTXSSO.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TXSSO\InstTXSSO.exe" "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TXSSO\TXSSO" "C:\Program Files\Tencent\TXAcc\AccPlatform"
ImagePath = C:\Program Files\Tencent\TXAcc\AccPlatform\QQAcc.exe, CmdLine = "C:\Program Files\Tencent\TXAcc\AccPlatform\QQAcc.exe" -appid --1
Behavior description: Enumerate processes
Details: N/A
File behavior
Behavior description: Drop links or shortcuts in sensitive system locations (such as the Start menu)
Details: C:\Documents and Settings\Administrator\「开始」菜单\程序\腾讯软件\网游加速小助手\卸载工具\卸载(英雄联盟)小助手.lnk
C:\Documents and Settings\Administrator\「开始」菜单\程序\腾讯软件\网游加速小助手\网络修复.lnk
C:\Documents and Settings\Administrator\「开始」菜单\程序\腾讯软件\网游加速小助手\网游加速小助手(英雄联盟).lnk
Behavior description: Create executable file
Details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa6.tmp\System.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa6.tmp\InstProc.dll
C:\Program Files\Tencent\TXAcc\AccPlatform\QQVIPLSP.dll
C:\Program Files\Tencent\TXAcc\AccPlatform\QQVipVpn.dll
C:\Program Files\Tencent\TXAcc\AccPlatform\IcmpHandle.dll
C:\Program Files\Tencent\TXAcc\AccPlatform\RepairNet.exe
C:\Program Files\Tencent\TXAcc\AccPlatform\libeay32.dll
C:\Program Files\Tencent\TXAcc\AccPlatform\ssleay32.dll
C:\Program Files\Tencent\TXAcc\AccPlatform\tapinstall.exe
C:\Program Files\Tencent\TXAcc\AccPlatform\driver\tapqqvipacc.sys
C:\Program Files\Tencent\TXAcc\AccPlatform\DLLAccModeVpn.dll
C:\Program Files\Tencent\TXAcc\AccPlatform\DLLAccModeLsp.dll
C:\Program Files\Tencent\TXAcc\AccPlatform\DLLAccModeMgr.dll
C:\Program Files\Tencent\TXAcc\AccPlatform\QQAcc.exe
C:\Program Files\Tencent\TXAcc\AccPlatform\TXProductInstallUpdate.exe
Behavior description: Search for files
Details: FileName = C:\DOCUME~1
FileName = C:\Documents and Settings\ADMINI~1
FileName = C:\Documents and Settings\Administrator\LOCALS~1
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa6.tmp
FileName = C:\WINDOWS
FileName = C:\WINDOWS\WinSxS
FileName = C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
FileName = C:\Program Files\Tencent\TXAcc
FileName = C:\Program Files\Tencent
FileName = C:\Program Files
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
Behavior description: Create desktop shortcut
Details: C:\Documents and Settings\Administrator\桌面\网游加速小助手(英雄联盟).lnk
Behavior description: Open file mapping with write access
Details: CiceroSharedMemDefaultS-*
MSCTF.MarshalInterface.FileMap.AMP..NOBJH
MSCTF.MarshalInterface.FileMap.AMP.B.NOBJH
MSCTF.MarshalInterface.FileMap.AMP.C.NOBJH
MSCTF.MarshalInterface.FileMap.AMP.D.NOBJH
MSCTF.MarshalInterface.FileMap.AMP.E.NOBJH
MSCTF.MarshalInterface.FileMap.AMP.F.NOBJH
MSCTF.MarshalInterface.FileMap.AMP.G.NOBJH
MSCTF.Shared.SFM.AMP
Local\UrlZonesSM_Administrator
\WINDOWS\system32\zh-cn\ieframe.dll.mui
AtlDebugAllocator_FileMappingNameStatic3_928
AtlDebugAllocator_FileMappingNameStatic3_83c
AtlDebugAllocator_FileMappingNameStatic3_8c4
MSCTF.MarshalInterface.FileMap.AMP.H.EKJNH
Behavior description: Rename file
Details: C:\Program Files\Common Files\Tencent\TXSSO\Bin\SSOPlatform.dll ---> C:\Program Files\Common Files\Tencent\TXSSO\Bin\SSOPlatform.dll~1
C:\Program Files\Common Files\Tencent\TXSSO\Bin\SSOCommon.dll ---> C:\Program Files\Common Files\Tencent\TXSSO\Bin\SSOCommon.dll~1
C:\Program Files\Common Files\Tencent\TXSSO\Bin\npSSOAxCtrlForPTLogin.dll ---> C:\Program Files\Common Files\Tencent\TXSSO\Bin\npSSOAxCtrlForPTLogin.dll~1
C:\Program Files\Common Files\Tencent\TXSSO\Bin\SSOLUIControl.dll ---> C:\Program Files\Common Files\Tencent\TXSSO\Bin\SSOLUIControl.dll~1
Behavior description: Set special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Modify file contents
Details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa6.tmp\modern-header.bmp---> Offset = 16384
C:\Program Files\Tencent\TXAcc\AccPlatform\ca.crt---> Offset = 0
C:\Program Files\Tencent\TXAcc\AccPlatform\driver\OemWin2k.inf---> Offset = 0
C:\Program Files\Tencent\TXAcc\AccPlatform\driver\tapqqvipacc.cat---> Offset = 0
C:\Program Files\Tencent\TXAcc\AccPlatform\res\LOGOBY16.ico---> Offset = 0
C:\Program Files\Tencent\TXAcc\AccPlatform\res\LoaclNet1.png---> Offset = 0
C:\Program Files\Tencent\TXAcc\AccPlatform\res\LoaclNet2.png---> Offset = 0
C:\Program Files\Tencent\TXAcc\AccPlatform\res\LoaclNet3.png---> Offset = 0
C:\Program Files\Tencent\TXAcc\AccPlatform\res\acc.ico---> Offset = 49152
C:\Program Files\Tencent\TXAcc\AccPlatform\res\alh0.png---> Offset = 0
C:\Program Files\Tencent\TXAcc\AccPlatform\res\checked.png---> Offset = 0
C:\Program Files\Tencent\TXAcc\AccPlatform\res\log16s-1.ico---> Offset = 0
C:\Program Files\Tencent\TXAcc\AccPlatform\res\log16s-2.ico---> Offset = 0
C:\Program Files\Tencent\TXAcc\AccPlatform\res\log16s-3.ico---> Offset = 0
C:\Program Files\Tencent\TXAcc\AccPlatform\res\log16s-4.ico---> Offset = 0
Network behavior
Behavior description: Send data on a connected socket
Details: SOCKET = 0x00000460, TotalSize = 518, Offset = 0, ReadSize = 518.
SOCKET = 0x00000414, TotalSize = 211, Offset = 0, ReadSize = 211.
SOCKET = 0x00000414, TotalSize = 2, Offset = 0, ReadSize = 2.
SOCKET = 0x00000420, TotalSize = 211, Offset = 0, ReadSize = 211.
SOCKET = 0x00000428, TotalSize = 211, Offset = 0, ReadSize = 211.
Behavior description: Open URL over the network
Details: InternetOpenUrlA: http://game2.vip.qq.com/cgi-bin/gs_control.fcg?cmd=query_netipqueryserver&version=47&appid=1&gfver=101&udpclientip=&try=519890 hInternet = 0x00000304
InternetOpenUrlA: http://game.vip.qq.com/cgi-bin/gs_control.fcg?cmd=query_netipqueryserver&version=47&appid=1&gfver=101&udpclientip=&try=519890 hInternet = 0x00000314
InternetOpenUrlA: http://game.vip.qq.com/cgi-bin/gs_control.fcg?cmd=query_gameTestIp&version=47&zip=1&appid=1&gfver=101&udpclientip=&try=520265 hInternet = 0x0000033c
InternetOpenUrlA: http://game.vip.qq.com/cgi-bin/gs_control.fcg?cmd=query_gameTestIp&version=47&zip=1&appid=1&gfver=101&udpclientip=&try=520265 hInternet = 0x00000350
InternetOpenUrlA: http://game.vip.qq.com/cgi-bin/gs_control.fcg?cmd=query_gameTestIp&version=47&zip=1&appid=1&gfver=101&udpclientip=&try=520265 hInternet = 0x00000354
Behavior description: Connect to specified site
Details: InternetConnectA: ServerName = 219.133.40.1, PORT = 80
InternetConnectA: ServerName = game.vip.qq.com, PORT = 80
Behavior description: Establish connection to a specified socket
Details: 110.110.110.110:80
119.147.67.205:9999
112.90.139.111:9999
120.196.211.61:9999
122.225.215.48:9999
Behavior description: Open HTTP request
Details: HttpOpenRequestA: 219.133.40.1:80/tencentdlinstallinfo/dtrp?v=1&&format=json&&product=tencentdlinstallinfo&&cmd=1, hConnect = 0x000002a4
HttpOpenRequestA: 219.133.40.1:80/tencentdlinstallinfo/dtrp?v=1&&format=json&&product=tencentdlinstallinfo&&cmd=1, hConnect = 0x000002a0
HttpOpenRequestA: game.vip.qq.com:80/cgi-bin/gs_log.fcg?cmd=click_log&uin=0&key=&gfver=101&appid=1&udpclientip=&domain=game.vip.qq.com, hConnect = 0x00000314
HttpOpenRequestA: game.vip.qq.com:80/cgi-bin/gs_log.fcg?cmd=click_log&uin=0&key=&gfver=101&appid=1&udpclientip=&domain=game.vip.qq.com, hConnect = 0x0000036c
HttpOpenRequestA: game.vip.qq.com:80/cgi-bin/gs_log.fcg?cmd=click_log&uin=0&key=&gfver=101&appid=1&udpclientip=&domain=game.vip.qq.com, hConnect = 0x00000368
HttpOpenRequestA: game.vip.qq.com:80/cgi-bin/gs_log.fcg?cmd=click_log&uin=0&key=&gfver=101&appid=1&udpclientip=&domain=game.vip.qq.com, hConnect = 0x00000434
HttpOpenRequestA: game.vip.qq.com:80/cgi-bin/gs_log.fcg?cmd=click_log&uin=0&key=&gfver=101&appid=1&udpclientip=&domain=game.vip.qq.com, hConnect = 0x000003d4
HttpOpenRequestA: game.vip.qq.com:80/cgi-bin/gs_log.fcg?cmd=click_log&uin=0&key=&gfver=101&appid=1&udpclientip=&domain=game.vip.qq.com, hConnect = 0x0000042c
HttpOpenRequestA: game.vip.qq.com:80/cgi-bin/gs_log.fcg?cmd=click_log&uin=0&key=&gfver=101&appid=1&udpclientip=&domain=game.vip.qq.com, hConnect = 0x000003fc
Behavior description: Resolve host address by name
Details: game.vip.qq.com
dtrp.tencentdlinstallinfo.qq.com
www.qq.com
Registry behavior
Behavior description: Delete registry key (layered network protocols)
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Winsock\Setup Migration\Providers\NetBIOS
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Winsock\Setup Migration\Providers\Tcpip
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Winsock\Setup Migration\Providers
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Winsock\Setup Migration\Well Known Guids
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9
Behavior description: Modify registry (Winsock hijacking)
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Num_Catalog_Entries
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Next_Catalog_Entry_ID
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Serial_Access_Num
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem
Behavior description: Delete registry value (IE connection settings)
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Behavior description: Delete registry key
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Winsock\Setup Migration
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EAAED308-7322-4b9b-965E-171933ADD473}\InprocServer32
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EAAED308-7322-4b9b-965E-171933ADD473}\ProgID
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EAAED308-7322-4b9b-965E-171933ADD473}\Programmable
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EAAED308-7322-4b9b-965E-171933ADD473}\TypeLib
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EAAED308-7322-4b9b-965E-171933ADD473}\VersionIndependentProgID
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EAAED308-7322-4b9b-965E-171933ADD473}
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\Control
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\InprocServer32
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\MiscStatus\1
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\MiscStatus
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\ProgID
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\Programmable
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\ToolboxBitmap32
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\TypeLib
Behavior description: Modify registry (pending file rename operations)
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Session Manager\PendingFileRenameOperations
Behavior description: Delete registry value (system firewall trusted program list)
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\program files\common files\tencent\qqdownload\107\tencentdl.exe
Behavior description: Modify registry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Program Files\Tencent\TXAcc\AccPlatform\Tencentdl.exe
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Program Files\Tencent\TXAcc\AccPlatform\RepairNet.exe
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\netsh.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\FileTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\ConsoleTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\MaxFileSize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\FileDirectory
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\LogSessionName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Active
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\ControlFlags
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr\Guid
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr\BitNames
Behavior description: Modify registry (layered network protocols)
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Winsock\Setup Migration\Setup Version
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Winsock\Setup Migration\Provider List
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Winsock\Setup Migration\Known Static Providers
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Winsock\Setup Migration\Well Known Guids\IsoTp
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Winsock\Setup Migration\Well Known Guids\McsXns
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Winsock\Setup Migration\Well Known Guids\AppleTalk
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Winsock\Setup Migration\Providers\Tcpip\WinSock 2.0 Provider ID
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Winsock\Setup Migration\Providers\NetBIOS\WinSock 2.0 Provider ID
Behavior description: Delete registry key (Winsock hijacking)
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015
Behavior description: Modify registry (system firewall trusted program list)
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Common Files\Tencent\QQDownload\125\Tencentdl.exe
Other behavior
Behavior description: Create mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
QQAccInstall
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.AMP
RasPbFile
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
_SHuassist.mtx
Behavior description: Hide specified window
Details: [Window,Class] = [,Button]
[Window,Class] = [,Auto-Suggest Dropdown]
[Window,Class] = [显示细节(&D),Button]
[Window,Class] = [loger command window,TXLOGGER_BYCORETEAM_SSO]
[Window,Class] = [loger command window,TXLOGGER_BYCORETEAM]
[Window,Class] = [Timer Helper Window,TXTimer_Class]
[Window,Class] = [Timer Helper Window,TXTimer_Class_SSO]
Behavior description: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [#32770,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [,{70B0CA31-6F59-4418-B87D-687D191D21C0}3624]
Behavior description: Acquire system privileges
Details: SE_LOAD_DRIVER_PRIVILEGE
SE_DEBUG_PRIVILEGE
Behavior description: Get TickCount value
Details: TickCount = 496468, SleepMilliseconds = 1000.
TickCount = 496515, SleepMilliseconds = 1000.
TickCount = 496546, SleepMilliseconds = 1000.
TickCount = 495812, SleepMilliseconds = 250.
TickCount = 495843, SleepMilliseconds = 250.
TickCount = 495906, SleepMilliseconds = 250.
TickCount = 495921, SleepMilliseconds = 250.
TickCount = 495937, SleepMilliseconds = 250.
TickCount = 495968, SleepMilliseconds = 250.
TickCount = 496109, SleepMilliseconds = 250.
TickCount = 497359, SleepMilliseconds = 250.
TickCount = 497390, SleepMilliseconds = 250.
TickCount = 497421, SleepMilliseconds = 250.
TickCount = 497437, SleepMilliseconds = 250.
TickCount = 497453, SleepMilliseconds = 250.
Behavior description: Block window close message
Details: hWnd = 0x0004027e, Text = 网游加速小助手(英雄联盟) 2.0.47.101 安装 , ClassName = #32770.
Behavior description: Window information
Details: Pid = 4028, Hwnd=0x202a4, Text = 安装(&I), ClassName = Button.
Pid = 4028, Hwnd=0x202a6, Text = 取消, ClassName = Button.
Pid = 4028, Hwnd=0x302bc, Text = Copyright (C) 2013 Tencent , ClassName = Static.
Pid = 4028, Hwnd=0x202d4, Text = Copyright (C) 2013 Tencent, ClassName = Static.
Pid = 4028, Hwnd=0x202d6, Text = 选择安装位置, ClassName = Static.
Pid = 4028, Hwnd=0x202d8, Text = 选择“网游加速小助手(英雄联盟) 2.0.47.101”的安装文件夹。, ClassName = Static.
Pid = 4028, Hwnd=0x202ca, Text = C:\Program Files\Tencent\TXAcc, ClassName = Edit.
Pid = 4028, Hwnd=0x202c6, Text = 浏览(&B)..., ClassName = Button.
Pid = 4028, Hwnd=0x302da, Text = 可用空间: 5.8GB, ClassName = Static.
Pid = 4028, Hwnd=0x202b0, Text = 所需空间: 20.4MB, ClassName = Static.
Pid = 4028, Hwnd=0x202ae, Text = 安装程序将安装“网游加速小助手(英雄联盟)”到下列文件夹。要安装到不同文件夹,请单击[浏览(B)...]并选择其他的文件夹,单击[安装(I)]开, ClassName = Static.
Pid = 4028, Hwnd=0x202aa, Text = 目标文件夹, ClassName = Button(GroupBox).
Pid = 4028, Hwnd=0x4027e, Text = 网游加速小助手(英雄联盟) 2.0.47.101 安装 , ClassName = #32770.
Pid = 4028, Hwnd=0x202a4, Text = 完成, ClassName = Button.
Pid = 4028, Hwnd=0x202d6, Text = 正在安装, ClassName = Static.
Behavior description: Direct access to physical device
Details: \??\PhysicalDrive0
Behavior description: Call Sleep function
Details: [1]: MilliSeconds = 1000.
Behavior description: Inline hook
Details: C:\WINDOWS\system32\kernel32.dll--->SetUnhandledExceptionFilter Offset = 0x0
Behavior description: Open image file
Details: \DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsa6.tmp\modern-header.bmp