VirSCAN

1, You can upload any file, but there is a 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but the archive must contain fewer than 20 files.
3, VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.


File information
Safety rating:18
Behavior list
Basic Information
MD5:8e874d793e4d295d352be277eeb587ee
file type:EXE
Production company:周晓波
version:1.2.0.0---1.2.0.0
Shell or compiler information:PACKER:UPolyX v0.5
Key behavior
Behavior description:Obtain QQ temporary password
details:HttpOpenRequestA: ui.ptlogin2.qq.com:80/cgi-bin/login?appid=549000912&style=12&s_url=http%3a%2f%2fqun.qzone.qq.com%2fgroup%23!%2f778761682%2fhome, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400200
HttpOpenRequestA: ui.ptlogin2.qq.com:80/cgi-bin/login?appid=549000912&style=12&s_url=http%3a%2f%2fqun.qzone.qq.com%2fgroup%23!%2f778761682%2fhome, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
Behavior description:Set special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description:Read CPU clock directly
Behavior description:Block window close message
details:hWnd = 0x0001036c, Text = , ClassName = WTWindow.
Behavior description:Get TickCount value
details:TickCount = 282265, SleepMilliseconds = 60000.
TickCount = 282281, SleepMilliseconds = 60000.
TickCount = 282296, SleepMilliseconds = 60000.
TickCount = 282312, SleepMilliseconds = 60000.
TickCount = 222443, SleepMilliseconds = 100.
TickCount = 222459, SleepMilliseconds = 100.
TickCount = 222475, SleepMilliseconds = 100.
TickCount = 222506, SleepMilliseconds = 100.
TickCount = 222521, SleepMilliseconds = 100.
Process behavior
Behavior description:Create local thread
details:TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2660, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2664, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2840, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2844, StartAddress = 7C930230, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2848, StartAddress = 77E56C7D, Parameter = 024F9B48
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2852, StartAddress = 769AE43B, Parameter = 0028A568
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2856, StartAddress = 0323507F, Parameter = 00129294
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2872, StartAddress = 00417A18, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2888, StartAddress = 6359727B, Parameter = 02516CC8
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2892, StartAddress = 6359727B, Parameter = 052BD9A0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2896, StartAddress = 6359727B, Parameter = 052BDA40
File behavior
Behavior description:Create file
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\login[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\link[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\navcancl[2]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\errorPageStrings[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\httpErrorPagesScripts[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\background_gradient[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\info_48[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\bullet[1]
Behavior description:Overwrite existing file
details:C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\navcancl[2]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\errorPageStrings[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\httpErrorPagesScripts[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\background_gradient[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\info_48[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\bullet[1]
Behavior description:Search for file
details:FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS\system32\Ras\*.pbk
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\urlmon.dll
FileName = C:\WINDOWS\system32\ieframe.dll
Behavior description:Delete file
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\login[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\link[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\navcancl[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\ErrorPageTemplate[2]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\errorPageStrings[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\httpErrorPagesScripts[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\background_gradient[3]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\info_48[2]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\bullet[2]
Behavior description:Modify file content
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\navcancl[2] ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[1] ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\errorPageStrings[1] ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\httpErrorPagesScripts[1] ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\background_gradient[1] ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\info_48[1] ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\bullet[1] ---> Offset = 0
Network behavior
Behavior description:Connect to specified site
details:InternetConnectA: ServerName = ui****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
InternetConnectA: ServerName = ww****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0008, hConnect = 0x00cc000c, Flags = 0x00000000
Behavior description:Open HTTP connection
details:InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489), hSession = 0x00cc0004
InternetOpenA: UserAgent: Mozilla/5.0 (MSIE 9.0; qdesk 2.4.1266.203; Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, hSession = 0x00cc0008
Behavior description:Establish connection to a specified socket
details:URL: ui****om, IP: **.133.40.**:80, SOCKET = 0x00000390
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x000003c0
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x000003d4
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x000003ec
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x000003e0
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x00000400
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x0000040c
URL: ui****om, IP: **.133.40.**:80, SOCKET = 0x000003f4
Behavior description:Read network file
details:hFile = 0x00cc000c, BytesToRead =4096, BytesRead = 4096.
hFile = 0x00cc0010, BytesToRead =1024, BytesRead = 1024.
Behavior description:Send HTTP packet
details:GET /cgi-bin/login?appid=549000912&style=12&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup%23!%2F778761682%2Fhome HTTP/1.1 Accept: */* Accept-Language: zh-cn Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: ui****om Connection: Keep-Alive
GET /link?url=XOU8mx0UCuuXjzg8XWZ3rYtTCOJt53_mhjMWkAqN_X2R0kR-rCxaEXJS9LshSLUd&wd=&eqid=d08779f800009bb9000000065a529297 HTTP/1.1 Accept: text/html,application/xhtml+xml,*/* Referer: https://www.baidu.com/s?wd=%E6%98%93%E8%AF%AD%E8%A8%80&pn=80&oq=%E6%98%93%E8%AF%AD%E8%A8%80&tn=baiduhome_pg&ie=utf-8&usm=3&rsv_idx=2&rsv_pq=9f967c08000097cf&rsv_t=c44cSyNF5gZHCzExOQIBSbMjjFKIUPvqi%2B41B2naPjEH%2FUpgBqhi9nhwxPisWApknqzk&rsv_page=1 Accept-Language: zh-CN User-Agent: Mozilla/5.0 (MSIE 9.0; qdesk 2.4.1266.203; Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: ww****om Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache
GET /link?url=19x4uB3vY6IG7YuHBp4UK92ufPpEGpxdoucwOeSR7na&wd=&eqid=a8673c1c00009eef000000065a5294dc HTTP/1.1 Accept: text/html,application/xhtml+xml,*/* Referer: https://www.baidu.com/s?wd=%E6%98%93%E8%AF%AD%E8%A8%80&pn=80&oq=%E6%98%93%E8%AF%AD%E8%A8%80&tn=baiduhome_pg&ie=utf-8&usm=3&rsv_idx=2&rsv_pq=9f967c08000097cf&rsv_t=c44cSyNF5gZHCzExOQIBSbMjjFKIUPvqi%2B41B2naPjEH%2FUpgBqhi9nhwxPisWApknqzk&rsv_page=1 Accept-Language: zh-CN User-Agent: Mozilla/5.0 (MSIE 9.0; qdesk 2.4.1266.203; Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: ww****om Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache
GET /link?url=KjyJDHBaPivg-hit1ajWKhQ0ShfrogP0VA-HJmEbpX5PyL0ccH4I41vWiZUQMA3h&wd=&eqid=ea3ce31400009cff000000065a5294f4 HTTP/1.1 Accept: text/html,application/xhtml+xml,*/* Referer: https://www.baidu.com/s?wd=%E6%98%93%E8%AF%AD%E8%A8%80&pn=80&oq=%E6%98%93%E8%AF%AD%E8%A8%80&tn=baiduhome_pg&ie=utf-8&usm=3&rsv_idx=2&rsv_pq=9f967c08000097cf&rsv_t=c44cSyNF5gZHCzExOQIBSbMjjFKIUPvqi%2B41B2naPjEH%2FUpgBqhi9nhwxPisWApknqzk&rsv_page=1 Accept-Language: zh-CN User-Agent: Mozilla/5.0 (MSIE 9.0; qdesk 2.4.1266.203; Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: ww****om Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache
GET /link?url=k8XyoAXvzfe2rEgcpIqJH1K_5ps9W4_2buVuot4fVzCJdDZKpbA9_E3BgUmlh66L&wd=&eqid=9b15f7ba0000a2ef000000065a529520 HTTP/1.1 Accept: text/html,application/xhtml+xml,*/* Referer: https://www.baidu.com/s?wd=%E6%98%93%E8%AF%AD%E8%A8%80&pn=80&oq=%E6%98%93%E8%AF%AD%E8%A8%80&tn=baiduhome_pg&ie=utf-8&usm=3&rsv_idx=2&rsv_pq=9f967c08000097cf&rsv_t=c44cSyNF5gZHCzExOQIBSbMjjFKIUPvqi%2B41B2naPjEH%2FUpgBqhi9nhwxPisWApknqzk&rsv_page=1 Accept-Language: zh-CN User-Agent: Mozilla/5.0 (MSIE 9.0; qdesk 2.4.1266.203; Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: ww****om Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache
GET /link?url=VqTEk2ym7ACiRkXEcAd1VpWlQJlExniX-0sl7vjcqhV11HdVu-FTPmuz0UfXa_rv&wd=&eqid=cc25d6130000b4bf000000065a5295ae HTTP/1.1 Accept: text/html,application/xhtml+xml,*/* Referer: https://www.baidu.com/s?wd=%E6%98%93%E8%AF%AD%E8%A8%80&pn=80&oq=%E6%98%93%E8%AF%AD%E8%A8%80&tn=baiduhome_pg&ie=utf-8&usm=3&rsv_idx=2&rsv_pq=9f967c08000097cf&rsv_t=c44cSyNF5gZHCzExOQIBSbMjjFKIUPvqi%2B41B2naPjEH%2FUpgBqhi9nhwxPisWApknqzk&rsv_page=1 Accept-Language: zh-CN User-Agent: Mozilla/5.0 (MSIE 9.0; qdesk 2.4.1266.203; Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: ww****om Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache
GET /link?url=s89ryucvcmrIfjfTWtAXKkf1mgQzWmkYdvI7eeSoWx4kiIZVz_JZzczkyBkTkM5Y&wd=&eqid=cc25d6130000b4bf000000065a5295ae HTTP/1.1 Accept: text/html,application/xhtml+xml,*/* Referer: https://www.baidu.com/s?wd=%E6%98%93%E8%AF%AD%E8%A8%80&pn=80&oq=%E6%98%93%E8%AF%AD%E8%A8%80&tn=baiduhome_pg&ie=utf-8&usm=3&rsv_idx=2&rsv_pq=9f967c08000097cf&rsv_t=c44cSyNF5gZHCzExOQIBSbMjjFKIUPvqi%2B41B2naPjEH%2FUpgBqhi9nhwxPisWApknqzk&rsv_page=1 Accept-Language: zh-CN User-Agent: Mozilla/5.0 (MSIE 9.0; qdesk 2.4.1266.203; Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: ww****om Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache
GET /link?url=OVies1lLCN-hl4yHvzcaQWcEk8Uc7cDLt--viHynBLVf11PBv-yei8yWp1QdEaU_&wd=&eqid=e74af9b70000ae54000000065a529643 HTTP/1.1 Accept: text/html,application/xhtml+xml,*/* Referer: https://www.baidu.com/s?wd=%E6%98%93%E8%AF%AD%E8%A8%80&pn=80&oq=%E6%98%93%E8%AF%AD%E8%A8%80&tn=baiduhome_pg&ie=utf-8&usm=3&rsv_idx=2&rsv_pq=9f967c08000097cf&rsv_t=c44cSyNF5gZHCzExOQIBSbMjjFKIUPvqi%2B41B2naPjEH%2FUpgBqhi9nhwxPisWApknqzk&rsv_page=1 Accept-Language: zh-CN User-Agent: Mozilla/5.0 (MSIE 9.0; qdesk 2.4.1266.203; Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: ww****om Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache
GET /link?url=R4sAx4rAKtwqdNrWk3HPCPQVkjJiWcbR-t7pXY31kGy&wd=&eqid=961968b50000bbe6000000065a5296ef HTTP/1.1 Accept: text/html,application/xhtml+xml,*/* Referer: https://www.baidu.com/s?wd=%E6%98%93%E8%AF%AD%E8%A8%80&pn=80&oq=%E6%98%93%E8%AF%AD%E8%A8%80&tn=baiduhome_pg&ie=utf-8&usm=3&rsv_idx=2&rsv_pq=9f967c08000097cf&rsv_t=c44cSyNF5gZHCzExOQIBSbMjjFKIUPvqi%2B41B2naPjEH%2FUpgBqhi9nhwxPisWApknqzk&rsv_page=1 Accept-Language: zh-CN User-Agent: Mozilla/5.0 (MSIE 9.0; qdesk 2.4.1266.203; Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: ww****om Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache
GET /link?url=36lCi0TumPdErcN_GDLEitW0lPNI25bT-2A7FujCFvDROTa8fey_7nBQ7i_CTu-A&wd=&eqid=c5e9a0870000b97c000000065a529738 HTTP/1.1 Accept: text/html,application/xhtml+xml,*/* Referer: https://www.baidu.com/s?wd=%E6%98%93%E8%AF%AD%E8%A8%80&pn=80&oq=%E6%98%93%E8%AF%AD%E8%A8%80&tn=baiduhome_pg&ie=utf-8&usm=3&rsv_idx=2&rsv_pq=9f967c08000097cf&rsv_t=c44cSyNF5gZHCzExOQIBSbMjjFKIUPvqi%2B41B2naPjEH%2FUpgBqhi9nhwxPisWApknqzk&rsv_page=1 Accept-Language: zh-CN User-Agent: Mozilla/5.0 (MSIE 9.0; qdesk 2.4.1266.203; Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: ww****om Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache
GET /link?url=g4L8inug-hEv3XbOIgp0awmqmYyaRenQTxe8w3kXpqC&wd=&eqid=c5e9a0870000b97c000000065a529738 HTTP/1.1 Accept: text/html,application/xhtml+xml,*/* Referer: https://www.baidu.com/s?wd=%E6%98%93%E8%AF%AD%E8%A8%80&pn=80&oq=%E6%98%93%E8%AF%AD%E8%A8%80&tn=baiduhome_pg&ie=utf-8&usm=3&rsv_idx=2&rsv_pq=9f967c08000097cf&rsv_t=c44cSyNF5gZHCzExOQIBSbMjjFKIUPvqi%2B41B2naPjEH%2FUpgBqhi9nhwxPisWApknqzk&rsv_page=1 Accept-Language: zh-CN User-Agent: Mozilla/5.0 (MSIE 9.0; qdesk 2.4.1266.203; Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: ww****om Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache
Behavior description:Open HTTP request
details:HttpOpenRequestA: ww****om:80/link?url=xou8mx0ucuuxjzg8xwz3ryttcojt53_mhjmwkaqn_x2r0kr-rcxaexjs9lshslud&wd=&eqid=d08779f800009bb9000000065a529297, hConnect = 0x00cc000c, hRequest = 0x00cc0010, Verb: GET, Referer: , Flags = 0x80004010
HttpOpenRequestA: ww****om:80/link?url=19x4ub3vy6ig7yuhbp4uk92ufppegpxdoucwoesr7na&wd=&eqid=a8673c1c00009eef000000065a5294dc, hConnect = 0x00cc000c, hRequest = 0x00cc0010, Verb: GET, Referer: , Flags = 0x80004010
HttpOpenRequestA: ww****om:80/link?url=kjyjdhbapivg-hit1ajwkhq0shfrogp0va-hjmebpx5pyl0cch4i41vwizuqma3h&wd=&eqid=ea3ce31400009cff000000065a5294f4, hConnect = 0x00cc000c, hRequest = 0x00cc0010, Verb: GET, Referer: , Flags = 0x80004010
HttpOpenRequestA: ww****om:80/link?url=k8xyoaxvzfe2regcpiqjh1k_5ps9w4_2buvuot4fvzcjddzkpba9_e3bgumlh66l&wd=&eqid=9b15f7ba0000a2ef000000065a529520, hConnect = 0x00cc000c, hRequest = 0x00cc0010, Verb: GET, Referer: , Flags = 0x80004010
HttpOpenRequestA: ww****om:80/link?url=vqtek2ym7acirkxecad1vpwlqjlexnix-0sl7vjcqhv11hdvu-ftpmuz0ufxa_rv&wd=&eqid=cc25d6130000b4bf000000065a5295ae, hConnect = 0x00cc000c, hRequest = 0x00cc0010, Verb: GET, Referer: , Flags = 0x80004010
HttpOpenRequestA: ww****om:80/link?url=s89ryucvcmrifjftwtaxkkf1mgqzwmkydvi7eesowx4kiizvz_jzzczkybktkm5y&wd=&eqid=cc25d6130000b4bf000000065a5295ae, hConnect = 0x00cc000c, hRequest = 0x00cc0010, Verb: GET, Referer: , Flags = 0x80004010
HttpOpenRequestA: ww****om:80/link?url=ovies1llcn-hl4yhvzcaqwcek8uc7cdlt--vihynblvf11pbv-yei8ywp1qdeau_&wd=&eqid=e74af9b70000ae54000000065a529643, hConnect = 0x00cc000c, hRequest = 0x00cc0010, Verb: GET, Referer: , Flags = 0x80004010
HttpOpenRequestA: ww****om:80/link?url=r4sax4raktwqdnrwk3hpcpqvkjjiwcbr-t7pxy31kgy&wd=&eqid=961968b50000bbe6000000065a5296ef, hConnect = 0x00cc000c, hRequest = 0x00cc0010, Verb: GET, Referer: , Flags = 0x80004010
HttpOpenRequestA: ww****om:80/link?url=36lci0tumpdercn_gdleitw0lpni25bt-2a7fujcfvdrota8fey_7nbq7i_ctu-a&wd=&eqid=c5e9a0870000b97c000000065a529738, hConnect = 0x00cc000c, hRequest = 0x00cc0010, Verb: GET, Referer: , Flags = 0x80004010
HttpOpenRequestA: ww****om:80/link?url=g4l8inug-hev3xboigp0awmqmyyarenqtxe8w3kxpqc&wd=&eqid=c5e9a0870000b97c000000065a529738, hConnect = 0x00cc000c, hRequest = 0x00cc0010, Verb: GET, Referer: , Flags = 0x80004010
Behavior description:Resolve host address by name
details:GetAddrInfoW: ui****om
GetAddrInfoW: ww****om
Registry behavior
Behavior description:Modify registry
details:\REGISTRY\USER\S-*\Software\Microsoft\Multimedia\DrawDib\vga.drv 1920x973x32(BGR 0)
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Behavior description:Delete registry value
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Other behavior
Behavior description:Adjust process token privileges
details:SE_LOAD_DRIVER_PRIVILEGE
Behavior description:Create mutex
details:RasPbFile
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
CritOpMutex
Local\!PrivacIE!SharedMemory!Mutex
MSIMGSIZECacheMutex
Behavior description:Create event object
details:EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceive.Event.MFK.IC
EventName = MSCTF.SendReceiveConection.Event.MFK.IC
EventName = MSCTF.SendReceive.Event.ICL.IC
EventName = MSCTF.SendReceiveConection.Event.ICL.IC
Behavior description:Open mutex
details:RasPbFile
ShimCacheMutex
Local\!IETld!Mutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
CtfmonInstMutexDefaultS-*
Behavior description:Find specified window
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [Shell Embedding,]
NtUserFindWindowEx: [Class,Window] = [Shell DocObject View,]
NtUserFindWindowEx: [Class,Window] = [Internet Explorer_Server,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description:Window information
details:Pid = 2648, Hwnd=0x303b2, Text = 您想运行或保存此文件吗?, ClassName = Static.
Pid = 2648, Hwnd=0x10404, Text = 名称:, ClassName = Static.
Pid = 2648, Hwnd=0x10406, Text = update.exe, ClassName = SysLink.
Pid = 2648, Hwnd=0x10408, Text = 发行者:, ClassName = Static.
Pid = 2648, Hwnd=0x1040c, Text = 类型:, ClassName = Static.
Pid = 2648, Hwnd=0x1040e, Text = 应用程序, 358KB, ClassName = Static.
Pid = 2648, Hwnd=0x10410, Text = 从:, ClassName = Static.
Pid = 2648, Hwnd=0x10412, Text = ui.ptlogin2.qq.com, ClassName = Static.
Pid = 2648, Hwnd=0x10414, Text = 运行(&R), ClassName = Button.
Pid = 2648, Hwnd=0x10416, Text = 保存(&S), ClassName = Button.
Pid = 2648, Hwnd=0x10418, Text = 取消, ClassName = Button.
Pid = 2648, Hwnd=0x1041a, Text = 打开此类文件前总是询问(&W), ClassName = Button(CheckBox).
Pid = 2648, Hwnd=0x10420, Text = 来自 Internet 的文件可能对您有所帮助,但此文件类型可能危害您的计算机。如果您不信任其来源,请不要运行或保存该软件。<A>有何风险?</A>, ClassName = SysLink.
Pid = 2648, Hwnd=0x203b0, Text = 文件下载 - 安全警告, ClassName = #32770.
Pid = 2648, Hwnd=0x103d2, Text = 下载完毕, ClassName = Static.
Behavior description:Get cursor position
Behavior description:Open event
details:HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Global\SvcctrlStartEvent_A3752DX
\INSTALLATION_SECURITY_HOLD
MSFT.VSA.COM.DISABLE.2648
MSFT.VSA.IEC.STATUS.6c736db0
_fCanRegisterWithShellService
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000011
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000011
MSCTF.SendReceiveConection.Event.IOH.IM
MSCTF.SendReceive.Event.IOH.IM
Behavior description:Call Sleep function
details:[1]: MilliSeconds = 60000.
[2]: MilliSeconds = 100.
[3]: MilliSeconds = 60000.
Behavior description:Hide specified window
details:[Window,Class] = [,ComboLBox]
[Window,Class] = [,_EL_Timer]
[Window,Class] = [,WindowEx]
[Window,Class] = [,PictureEx]
[Window,Class] = [,LabelEx]
[Window,Class] = [,SysLink]
[Window,Class] = [,Static]
[Window,Class] = [文件大小未知,Static]
[Window,Class] = [打开此类文件前总是询问(&W),Button]
[Window,Class] = [发行者:,Static]
[Window,Class] = [,_EL_ShapeBox]
[Window,Class] = [,Shell Embedding]
[Window,Class] = [,Internet Explorer_Server]