Safety rating: 18

Behavior list

| Basic Information | |
|---|---|
| MD5: | 8e874d793e4d295d352be277eeb587ee |
| File type: | EXE |
| Vendor: | 周晓波 |
| Version: | 1.2.0.0---1.2.0.0 |
| Packer or compiler information: | PACKER:UPolyX v0.5 |
| Key behavior | |
|---|---|
| Behavior description: | Obtain QQ temporary password |
| Details: | HttpOpenRequestA: ui.ptlogin2.qq.com:80/cgi-bin/login?appid=549000912&style=12&s_url=http%3a%2f%2fqun.qzone.qq.com%2fgroup%23!%2f778761682%2fhome, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400200 |
| | HttpOpenRequestA: ui.ptlogin2.qq.com:80/cgi-bin/login?appid=549000912&style=12&s_url=http%3a%2f%2fqun.qzone.qq.com%2fgroup%23!%2f778761682%2fhome, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010 |
| Behavior description: | Set special folder attributes |
| Details: | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files |
| | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5 |
| | C:\Documents and Settings\Administrator\Local Settings\History |
| | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5 |
| | C:\Documents and Settings\Administrator\Cookies |
| Behavior description: | Read CPU clock directly (RDTSC) |
| Details: | EAX = 0x01331eff, EDX = 0x000000b7 |
| | EAX = 0x01331f4b, EDX = 0x000000b7 |
| | EAX = 0x01331f97, EDX = 0x000000b7 |
| | EAX = 0x01331fe3, EDX = 0x000000b7 |
| | EAX = 0x0133202f, EDX = 0x000000b7 |
| | EAX = 0x0133207b, EDX = 0x000000b7 |
| | EAX = 0x013320c7, EDX = 0x000000b7 |
| | EAX = 0x01332113, EDX = 0x000000b7 |
| | EAX = 0x0133215f, EDX = 0x000000b7 |
| | EAX = 0x013321ab, EDX = 0x000000b7 |
| Behavior description: | Block window close message |
| Details: | hWnd = 0x0001036c, Text = , ClassName = WTWindow. |
| Behavior description: | Get TickCount value |
| Details: | TickCount = 282265, SleepMilliseconds = 60000. |
| | TickCount = 282281, SleepMilliseconds = 60000. |
| | TickCount = 282296, SleepMilliseconds = 60000. |
| | TickCount = 282312, SleepMilliseconds = 60000. |
| | TickCount = 222443, SleepMilliseconds = 100. |
| | TickCount = 222459, SleepMilliseconds = 100. |
| | TickCount = 222475, SleepMilliseconds = 100. |
| | TickCount = 222506, SleepMilliseconds = 100. |
| | TickCount = 222521, SleepMilliseconds = 100. |
| Process behavior | |
|---|---|
| Behavior description: | Create local thread |
| Details: | TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2660, StartAddress = 77DC845A, Parameter = 00000000 |
| | TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2664, StartAddress = 4AEA7456, Parameter = 00000000 |
| | TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2840, StartAddress = 7C947EBB, Parameter = 00000000 |
| | TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2844, StartAddress = 7C930230, Parameter = 00000000 |
| | TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2848, StartAddress = 77E56C7D, Parameter = 024F9B48 |
| | TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2852, StartAddress = 769AE43B, Parameter = 0028A568 |
| | TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2856, StartAddress = 0323507F, Parameter = 00129294 |
| | TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2872, StartAddress = 00417A18, Parameter = 00000000 |
| | TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2888, StartAddress = 6359727B, Parameter = 02516CC8 |
| | TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2892, StartAddress = 6359727B, Parameter = 052BD9A0 |
| | TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2648, ThreadID = 2896, StartAddress = 6359727B, Parameter = 052BDA40 |
| File behavior | |
|---|---|
| Behavior description: | Create file |
| Details: | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\login[1] |
| | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\link[1] |
| | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\navcancl[2] |
| | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[1] |
| | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\errorPageStrings[1] |
| | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\httpErrorPagesScripts[1] |
| | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\background_gradient[1] |
| | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\info_48[1] |
| | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\bullet[1] |
| Behavior description: | Overwrite existing file |
| Details: | C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT |
| | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\navcancl[2] |
| | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[1] |
| | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\errorPageStrings[1] |
| | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\httpErrorPagesScripts[1] |
| | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\background_gradient[1] |
| | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\info_48[1] |
| | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\bullet[1] |
| Behavior description: | Search for file |
| Details: | FileName = C:\Documents and Settings |
| | FileName = C:\Documents and Settings\Administrator |
| | FileName = C:\Documents and Settings\Administrator\Local Settings |
| | FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk |
| | FileName = C:\WINDOWS\system32\Ras\*.pbk |
| | FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk |
| | FileName = C:\WINDOWS |
| | FileName = C:\WINDOWS\system32 |
| | FileName = C:\WINDOWS\system32\urlmon.dll |
| | FileName = C:\WINDOWS\system32\ieframe.dll |
| Behavior description: | Delete file |
| Details: | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\login[1] |
| | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\link[1] |
| | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\navcancl[1] |
| | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\ErrorPageTemplate[2] |
| | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\errorPageStrings[1] |
| | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\httpErrorPagesScripts[1] |
| | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\background_gradient[3] |
| | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\info_48[2] |
| | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\bullet[2] |
| Behavior description: | Set special folder attributes |
| Details: | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files |
| | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5 |
| | C:\Documents and Settings\Administrator\Local Settings\History |
| | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5 |
| | C:\Documents and Settings\Administrator\Cookies |
| Behavior description: | Modify file content |
| Details: | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\navcancl[2] ---> Offset = 0 |
| | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[1] ---> Offset = 0 |
| | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\errorPageStrings[1] ---> Offset = 0 |
| | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\httpErrorPagesScripts[1] ---> Offset = 0 |
| | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\background_gradient[1] ---> Offset = 0 |
| | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\info_48[1] ---> Offset = 0 |
| | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\bullet[1] ---> Offset = 0 |
| Network behavior | |
|---|---|
| Behavior description: | Connect to specified site |
| Details: | InternetConnectA: ServerName = ui****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000 |
| | InternetConnectA: ServerName = ww****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0008, hConnect = 0x00cc000c, Flags = 0x00000000 |
| Behavior description: | Open HTTP connection |
| Details: | InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489), hSession = 0x00cc0004 |
| | InternetOpenA: UserAgent: Mozilla/5.0 (MSIE 9.0; qdesk 2.4.1266.203; Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, hSession = 0x00cc0008 |
| Behavior description: | Establish connection to a specified socket |
| Details: | URL: ui****om, IP: **.133.40.**:80, SOCKET = 0x00000390 |
| | URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x000003c0 |
| | URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x000003d4 |
| | URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x000003ec |
| | URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x000003e0 |
| | URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x00000400 |
| | URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x0000040c |
| | URL: ui****om, IP: **.133.40.**:80, SOCKET = 0x000003f4 |
| Behavior description: | Read network file |
| Details: | hFile = 0x00cc000c, BytesToRead = 4096, BytesRead = 4096. |
| | hFile = 0x00cc0010, BytesToRead = 1024, BytesRead = 1024. |
| Behavior description: | Send HTTP packet |
| Details: | GET /cgi-bin/login?appid=549000912&style=12&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup%23!%2F778761682%2Fhome HTTP/1.1 Accept: */* Accept-Language: zh-cn Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: ui****om Connection: Keep-Alive |
| | GET /link?url=XOU8mx0UCuuXjzg8XWZ3rYtTCOJt53_mhjMWkAqN_X2R0kR-rCxaEXJS9LshSLUd&wd=&eqid=d08779f800009bb9000000065a529297 HTTP/1.1 Accept: text/html,application/xhtml+xml,*/* Referer: https://www.baidu.com/s?wd=%E6%98%93%E8%AF%AD%E8%A8%80&pn=80&oq=%E6%98%93%E8%AF%AD%E8%A8%80&tn=baiduhome_pg&ie=utf-8&usm=3&rsv_idx=2&rsv_pq=9f967c08000097cf&rsv_t=c44cSyNF5gZHCzExOQIBSbMjjFKIUPvqi%2B41B2naPjEH%2FUpgBqhi9nhwxPisWApknqzk&rsv_page=1 Accept-Language: zh-CN User-Agent: Mozilla/5.0 (MSIE 9.0; qdesk 2.4.1266.203; Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: ww****om Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache |
| | GET /link?url=19x4uB3vY6IG7YuHBp4UK92ufPpEGpxdoucwOeSR7na&wd=&eqid=a8673c1c00009eef000000065a5294dc HTTP/1.1 Accept: text/html,application/xhtml+xml,*/* Referer: https://www.baidu.com/s?wd=%E6%98%93%E8%AF%AD%E8%A8%80&pn=80&oq=%E6%98%93%E8%AF%AD%E8%A8%80&tn=baiduhome_pg&ie=utf-8&usm=3&rsv_idx=2&rsv_pq=9f967c08000097cf&rsv_t=c44cSyNF5gZHCzExOQIBSbMjjFKIUPvqi%2B41B2naPjEH%2FUpgBqhi9nhwxPisWApknqzk&rsv_page=1 Accept-Language: zh-CN User-Agent: Mozilla/5.0 (MSIE 9.0; qdesk 2.4.1266.203; Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: ww****om Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache |
| | GET /link?url=KjyJDHBaPivg-hit1ajWKhQ0ShfrogP0VA-HJmEbpX5PyL0ccH4I41vWiZUQMA3h&wd=&eqid=ea3ce31400009cff000000065a5294f4 HTTP/1.1 Accept: text/html,application/xhtml+xml,*/* Referer: https://www.baidu.com/s?wd=%E6%98%93%E8%AF%AD%E8%A8%80&pn=80&oq=%E6%98%93%E8%AF%AD%E8%A8%80&tn=baiduhome_pg&ie=utf-8&usm=3&rsv_idx=2&rsv_pq=9f967c08000097cf&rsv_t=c44cSyNF5gZHCzExOQIBSbMjjFKIUPvqi%2B41B2naPjEH%2FUpgBqhi9nhwxPisWApknqzk&rsv_page=1 Accept-Language: zh-CN User-Agent: Mozilla/5.0 (MSIE 9.0; qdesk 2.4.1266.203; Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: ww****om Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache |
| | GET /link?url=k8XyoAXvzfe2rEgcpIqJH1K_5ps9W4_2buVuot4fVzCJdDZKpbA9_E3BgUmlh66L&wd=&eqid=9b15f7ba0000a2ef000000065a529520 HTTP/1.1 Accept: text/html,application/xhtml+xml,*/* Referer: https://www.baidu.com/s?wd=%E6%98%93%E8%AF%AD%E8%A8%80&pn=80&oq=%E6%98%93%E8%AF%AD%E8%A8%80&tn=baiduhome_pg&ie=utf-8&usm=3&rsv_idx=2&rsv_pq=9f967c08000097cf&rsv_t=c44cSyNF5gZHCzExOQIBSbMjjFKIUPvqi%2B41B2naPjEH%2FUpgBqhi9nhwxPisWApknqzk&rsv_page=1 Accept-Language: zh-CN User-Agent: Mozilla/5.0 (MSIE 9.0; qdesk 2.4.1266.203; Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: ww****om Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache |
| | GET /link?url=VqTEk2ym7ACiRkXEcAd1VpWlQJlExniX-0sl7vjcqhV11HdVu-FTPmuz0UfXa_rv&wd=&eqid=cc25d6130000b4bf000000065a5295ae HTTP/1.1 Accept: text/html,application/xhtml+xml,*/* Referer: https://www.baidu.com/s?wd=%E6%98%93%E8%AF%AD%E8%A8%80&pn=80&oq=%E6%98%93%E8%AF%AD%E8%A8%80&tn=baiduhome_pg&ie=utf-8&usm=3&rsv_idx=2&rsv_pq=9f967c08000097cf&rsv_t=c44cSyNF5gZHCzExOQIBSbMjjFKIUPvqi%2B41B2naPjEH%2FUpgBqhi9nhwxPisWApknqzk&rsv_page=1 Accept-Language: zh-CN User-Agent: Mozilla/5.0 (MSIE 9.0; qdesk 2.4.1266.203; Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: ww****om Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache |
| | GET /link?url=s89ryucvcmrIfjfTWtAXKkf1mgQzWmkYdvI7eeSoWx4kiIZVz_JZzczkyBkTkM5Y&wd=&eqid=cc25d6130000b4bf000000065a5295ae HTTP/1.1 Accept: text/html,application/xhtml+xml,*/* Referer: https://www.baidu.com/s?wd=%E6%98%93%E8%AF%AD%E8%A8%80&pn=80&oq=%E6%98%93%E8%AF%AD%E8%A8%80&tn=baiduhome_pg&ie=utf-8&usm=3&rsv_idx=2&rsv_pq=9f967c08000097cf&rsv_t=c44cSyNF5gZHCzExOQIBSbMjjFKIUPvqi%2B41B2naPjEH%2FUpgBqhi9nhwxPisWApknqzk&rsv_page=1 Accept-Language: zh-CN User-Agent: Mozilla/5.0 (MSIE 9.0; qdesk 2.4.1266.203; Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: ww****om Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache |
| | GET /link?url=OVies1lLCN-hl4yHvzcaQWcEk8Uc7cDLt--viHynBLVf11PBv-yei8yWp1QdEaU_&wd=&eqid=e74af9b70000ae54000000065a529643 HTTP/1.1 Accept: text/html,application/xhtml+xml,*/* Referer: https://www.baidu.com/s?wd=%E6%98%93%E8%AF%AD%E8%A8%80&pn=80&oq=%E6%98%93%E8%AF%AD%E8%A8%80&tn=baiduhome_pg&ie=utf-8&usm=3&rsv_idx=2&rsv_pq=9f967c08000097cf&rsv_t=c44cSyNF5gZHCzExOQIBSbMjjFKIUPvqi%2B41B2naPjEH%2FUpgBqhi9nhwxPisWApknqzk&rsv_page=1 Accept-Language: zh-CN User-Agent: Mozilla/5.0 (MSIE 9.0; qdesk 2.4.1266.203; Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: ww****om Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache |
| | GET /link?url=R4sAx4rAKtwqdNrWk3HPCPQVkjJiWcbR-t7pXY31kGy&wd=&eqid=961968b50000bbe6000000065a5296ef HTTP/1.1 Accept: text/html,application/xhtml+xml,*/* Referer: https://www.baidu.com/s?wd=%E6%98%93%E8%AF%AD%E8%A8%80&pn=80&oq=%E6%98%93%E8%AF%AD%E8%A8%80&tn=baiduhome_pg&ie=utf-8&usm=3&rsv_idx=2&rsv_pq=9f967c08000097cf&rsv_t=c44cSyNF5gZHCzExOQIBSbMjjFKIUPvqi%2B41B2naPjEH%2FUpgBqhi9nhwxPisWApknqzk&rsv_page=1 Accept-Language: zh-CN User-Agent: Mozilla/5.0 (MSIE 9.0; qdesk 2.4.1266.203; Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: ww****om Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache |
| | GET /link?url=36lCi0TumPdErcN_GDLEitW0lPNI25bT-2A7FujCFvDROTa8fey_7nBQ7i_CTu-A&wd=&eqid=c5e9a0870000b97c000000065a529738 HTTP/1.1 Accept: text/html,application/xhtml+xml,*/* Referer: https://www.baidu.com/s?wd=%E6%98%93%E8%AF%AD%E8%A8%80&pn=80&oq=%E6%98%93%E8%AF%AD%E8%A8%80&tn=baiduhome_pg&ie=utf-8&usm=3&rsv_idx=2&rsv_pq=9f967c08000097cf&rsv_t=c44cSyNF5gZHCzExOQIBSbMjjFKIUPvqi%2B41B2naPjEH%2FUpgBqhi9nhwxPisWApknqzk&rsv_page=1 Accept-Language: zh-CN User-Agent: Mozilla/5.0 (MSIE 9.0; qdesk 2.4.1266.203; Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: ww****om Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache |
| | GET /link?url=g4L8inug-hEv3XbOIgp0awmqmYyaRenQTxe8w3kXpqC&wd=&eqid=c5e9a0870000b97c000000065a529738 HTTP/1.1 Accept: text/html,application/xhtml+xml,*/* Referer: https://www.baidu.com/s?wd=%E6%98%93%E8%AF%AD%E8%A8%80&pn=80&oq=%E6%98%93%E8%AF%AD%E8%A8%80&tn=baiduhome_pg&ie=utf-8&usm=3&rsv_idx=2&rsv_pq=9f967c08000097cf&rsv_t=c44cSyNF5gZHCzExOQIBSbMjjFKIUPvqi%2B41B2naPjEH%2FUpgBqhi9nhwxPisWApknqzk&rsv_page=1 Accept-Language: zh-CN User-Agent: Mozilla/5.0 (MSIE 9.0; qdesk 2.4.1266.203; Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: ww****om Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache |
| Behavior description: | Open HTTP request |
| Details: | HttpOpenRequestA: ww****om:80/link?url=xou8mx0ucuuxjzg8xwz3ryttcojt53_mhjmwkaqn_x2r0kr-rcxaexjs9lshslud&wd=&eqid=d08779f800009bb9000000065a529297, hConnect = 0x00cc000c, hRequest = 0x00cc0010, Verb: GET, Referer: , Flags = 0x80004010 |
| | HttpOpenRequestA: ww****om:80/link?url=19x4ub3vy6ig7yuhbp4uk92ufppegpxdoucwoesr7na&wd=&eqid=a8673c1c00009eef000000065a5294dc, hConnect = 0x00cc000c, hRequest = 0x00cc0010, Verb: GET, Referer: , Flags = 0x80004010 |
| | HttpOpenRequestA: ww****om:80/link?url=kjyjdhbapivg-hit1ajwkhq0shfrogp0va-hjmebpx5pyl0cch4i41vwizuqma3h&wd=&eqid=ea3ce31400009cff000000065a5294f4, hConnect = 0x00cc000c, hRequest = 0x00cc0010, Verb: GET, Referer: , Flags = 0x80004010 |
| | HttpOpenRequestA: ww****om:80/link?url=k8xyoaxvzfe2regcpiqjh1k_5ps9w4_2buvuot4fvzcjddzkpba9_e3bgumlh66l&wd=&eqid=9b15f7ba0000a2ef000000065a529520, hConnect = 0x00cc000c, hRequest = 0x00cc0010, Verb: GET, Referer: , Flags = 0x80004010 |
| | HttpOpenRequestA: ww****om:80/link?url=vqtek2ym7acirkxecad1vpwlqjlexnix-0sl7vjcqhv11hdvu-ftpmuz0ufxa_rv&wd=&eqid=cc25d6130000b4bf000000065a5295ae, hConnect = 0x00cc000c, hRequest = 0x00cc0010, Verb: GET, Referer: , Flags = 0x80004010 |
| | HttpOpenRequestA: ww****om:80/link?url=s89ryucvcmrifjftwtaxkkf1mgqzwmkydvi7eesowx4kiizvz_jzzczkybktkm5y&wd=&eqid=cc25d6130000b4bf000000065a5295ae, hConnect = 0x00cc000c, hRequest = 0x00cc0010, Verb: GET, Referer: , Flags = 0x80004010 |
| | HttpOpenRequestA: ww****om:80/link?url=ovies1llcn-hl4yhvzcaqwcek8uc7cdlt--vihynblvf11pbv-yei8ywp1qdeau_&wd=&eqid=e74af9b70000ae54000000065a529643, hConnect = 0x00cc000c, hRequest = 0x00cc0010, Verb: GET, Referer: , Flags = 0x80004010 |
| | HttpOpenRequestA: ww****om:80/link?url=r4sax4raktwqdnrwk3hpcpqvkjjiwcbr-t7pxy31kgy&wd=&eqid=961968b50000bbe6000000065a5296ef, hConnect = 0x00cc000c, hRequest = 0x00cc0010, Verb: GET, Referer: , Flags = 0x80004010 |
| | HttpOpenRequestA: ww****om:80/link?url=36lci0tumpdercn_gdleitw0lpni25bt-2a7fujcfvdrota8fey_7nbq7i_ctu-a&wd=&eqid=c5e9a0870000b97c000000065a529738, hConnect = 0x00cc000c, hRequest = 0x00cc0010, Verb: GET, Referer: , Flags = 0x80004010 |
| | HttpOpenRequestA: ww****om:80/link?url=g4l8inug-hev3xboigp0awmqmyyarenqtxe8w3kxpqc&wd=&eqid=c5e9a0870000b97c000000065a529738, hConnect = 0x00cc000c, hRequest = 0x00cc0010, Verb: GET, Referer: , Flags = 0x80004010 |
| Behavior description: | Resolve host address by name |
| Details: | GetAddrInfoW: ui****om |
| | GetAddrInfoW: ww****om |
| Registry behavior | |
|---|---|
| Behavior description: | Modify registry |
| Details: | \REGISTRY\USER\S-*\Software\Microsoft\Multimedia\DrawDib\vga.drv 1920x973x32(BGR 0) |
| | \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings |
| Behavior description: | Delete registry value |
| Details: | \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer |
| | \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride |
| | \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL |
| Other behavior | |
|---|---|
| Behavior description: | Adjust process token privileges |
| Details: | SE_LOAD_DRIVER_PRIVILEGE |
| Behavior description: | Create mutex |
| Details: | RasPbFile |
| | CTF.LBES.MutexDefaultS-* |
| | CTF.Compart.MutexDefaultS-* |
| | CTF.Asm.MutexDefaultS-* |
| | CTF.Layouts.MutexDefaultS-* |
| | CTF.TMD.MutexDefaultS-* |
| | CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-* |
| | MSCTF.Shared.MUTEX.IOH |
| | Local\ZonesCounterMutex |
| | Local\ZoneAttributeCacheCounterMutex |
| | Local\ZonesCacheCounterMutex |
| | Local\ZonesLockedCacheCounterMutex |
| | CritOpMutex |
| | Local\!PrivacIE!SharedMemory!Mutex |
| | MSIMGSIZECacheMutex |
| Behavior description: | Create event object |
| Details: | EventName = DINPUTWINMM |
| | EventName = Global\userenv: User Profile setup event |
| | EventName = MSCTF.SendReceive.Event.MFK.IC |
| | EventName = MSCTF.SendReceiveConection.Event.MFK.IC |
| | EventName = MSCTF.SendReceive.Event.ICL.IC |
| | EventName = MSCTF.SendReceiveConection.Event.ICL.IC |
| Behavior description: | Open mutex |
| Details: | RasPbFile |
| | ShimCacheMutex |
| | Local\!IETld!Mutex |
| | Local\_!MSFTHISTORY!_ |
| | Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5! |
| | Local\c:!documents and settings!administrator!cookies! |
| | Local\c:!documents and settings!administrator!local settings!history!history.ie5! |
| | Local\WininetStartupMutex |
| | Local\WininetConnectionMutex |
| | Local\WininetProxyRegistryMutex |
| | CtfmonInstMutexDefaultS-* |
| Behavior description: | Find specified window |
| Details: | NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,] |
| | NtUserFindWindowEx: [Class,Window] = [Shell Embedding,] |
| | NtUserFindWindowEx: [Class,Window] = [Shell DocObject View,] |
| | NtUserFindWindowEx: [Class,Window] = [Internet Explorer_Server,] |
| | NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,] |
| | NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,] |
| | NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,] |
| Behavior description: | Obtain QQ temporary password |
| Details: | HttpOpenRequestA: ui.ptlogin2.qq.com:80/cgi-bin/login?appid=549000912&style=12&s_url=http%3a%2f%2fqun.qzone.qq.com%2fgroup%23!%2f778761682%2fhome, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400200 |
| | HttpOpenRequestA: ui.ptlogin2.qq.com:80/cgi-bin/login?appid=549000912&style=12&s_url=http%3a%2f%2fqun.qzone.qq.com%2fgroup%23!%2f778761682%2fhome, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010 |
| Behavior description: | Window information |
| Details: | Pid = 2648, Hwnd=0x303b2, Text = 您想运行或保存此文件吗?, ClassName = Static. |
| | Pid = 2648, Hwnd=0x10404, Text = 名称:, ClassName = Static. |
| | Pid = 2648, Hwnd=0x10406, Text = update.exe, ClassName = SysLink. |
| | Pid = 2648, Hwnd=0x10408, Text = 发行者:, ClassName = Static. |
| | Pid = 2648, Hwnd=0x1040c, Text = 类型:, ClassName = Static. |
| | Pid = 2648, Hwnd=0x1040e, Text = 应用程序, 358KB, ClassName = Static. |
| | Pid = 2648, Hwnd=0x10410, Text = 从:, ClassName = Static. |
| | Pid = 2648, Hwnd=0x10412, Text = ui.ptlogin2.qq.com, ClassName = Static. |
| | Pid = 2648, Hwnd=0x10414, Text = 运行(&R), ClassName = Button. |
| | Pid = 2648, Hwnd=0x10416, Text = 保存(&S), ClassName = Button. |
| | Pid = 2648, Hwnd=0x10418, Text = 取消, ClassName = Button. |
| | Pid = 2648, Hwnd=0x1041a, Text = 打开此类文件前总是询问(&W), ClassName = Button(CheckBox). |
| | Pid = 2648, Hwnd=0x10420, Text = 来自 Internet 的文件可能对您有所帮助,但此文件类型可能危害您的计算机。如果您不信任其来源,请不要运行或保存该软件。<A>有何风险?</A>, ClassName = SysLink. |
| | Pid = 2648, Hwnd=0x203b0, Text = 文件下载 - 安全警告, ClassName = #32770. |
| | Pid = 2648, Hwnd=0x103d2, Text = 下载完毕, ClassName = Static. |
| Behavior description: | Get TickCount value |
| Details: | TickCount = 282265, SleepMilliseconds = 60000. |
| | TickCount = 282281, SleepMilliseconds = 60000. |
| | TickCount = 282296, SleepMilliseconds = 60000. |
| | TickCount = 282312, SleepMilliseconds = 60000. |
| | TickCount = 222443, SleepMilliseconds = 100. |
| | TickCount = 222459, SleepMilliseconds = 100. |
| | TickCount = 222475, SleepMilliseconds = 100. |
| | TickCount = 222506, SleepMilliseconds = 100. |
| | TickCount = 222521, SleepMilliseconds = 100. |
| Behavior description: | Get cursor position |
| Details: | CursorPos = (80,18468), SleepMilliseconds = 60000. |
| | CursorPos = (6373,26501), SleepMilliseconds = 60000. |
| | CursorPos = (19208,15725), SleepMilliseconds = 60000. |
| | CursorPos = (11517,29359), SleepMilliseconds = 60000. |
| | CursorPos = (27001,24465), SleepMilliseconds = 60000. |
| | CursorPos = (5744,28146), SleepMilliseconds = 60000. |
| | CursorPos = (23320,16828), SleepMilliseconds = 60000. |
| | CursorPos = (10000,492), SleepMilliseconds = 60000. |
| | CursorPos = (3034,11943), SleepMilliseconds = 60000. |
| | CursorPos = (4866,5437), SleepMilliseconds = 60000. |
| | CursorPos = (32430,14605), SleepMilliseconds = 60000. |
| | CursorPos = (3941,154), SleepMilliseconds = 60000. |
| | CursorPos = (331,12383), SleepMilliseconds = 60000. |
| | CursorPos = (17460,18717), SleepMilliseconds = 60000. |
| | CursorPos = (19757,19896), SleepMilliseconds = 60000. |
| Behavior description: | Block window close message |
| Details: | hWnd = 0x0001036c, Text = , ClassName = WTWindow. |
| Behavior description: | Open event |
| Details: | HookSwitchHookEnabledEvent |
| | \SECURITY\LSA_AUTHENTICATION_INITIALIZED |
| | CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010 |
| | CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010 |
| | MSCTF.SendReceiveConection.Event.IOH.IC |
| | MSCTF.SendReceive.Event.IOH.IC |
| | Global\SvcctrlStartEvent_A3752DX |
| | \INSTALLATION_SECURITY_HOLD |
| | MSFT.VSA.COM.DISABLE.2648 |
| | MSFT.VSA.IEC.STATUS.6c736db0 |
| | _fCanRegisterWithShellService |
| | CTF.ThreadMIConnectionEvent.000007E8.00000000.00000011 |
| | CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000011 |
| | MSCTF.SendReceiveConection.Event.IOH.IM |
| | MSCTF.SendReceive.Event.IOH.IM |
| Behavior description: | Call Sleep function |
| Details: | [1]: MilliSeconds = 60000. |
| | [2]: MilliSeconds = 100. |
| | [3]: MilliSeconds = 60000. |
| Behavior description: | Hide specified window |
| Details: | [Window,Class] = [,ComboLBox] |
| | [Window,Class] = [,_EL_Timer] |
| | [Window,Class] = [,WindowEx] |
| | [Window,Class] = [,PictureEx] |
| | [Window,Class] = [,LabelEx] |
| | [Window,Class] = [,SysLink] |
| | [Window,Class] = [,Static] |
| | [Window,Class] = [文件大小未知,Static] |
| | [Window,Class] = [打开此类文件前总是询问(&W),Button] |
| | [Window,Class] = [发行者:,Static] |
| | [Window,Class] = [,_EL_ShapeBox] |
| | [Window,Class] = [,Shell Embedding] |
| | [Window,Class] = [,Internet Explorer_Server] |
| Behavior description: | Read CPU clock directly (RDTSC) |
| Details: | EAX = 0x01331eff, EDX = 0x000000b7 |
| | EAX = 0x01331f4b, EDX = 0x000000b7 |
| | EAX = 0x01331f97, EDX = 0x000000b7 |
| | EAX = 0x01331fe3, EDX = 0x000000b7 |
| | EAX = 0x0133202f, EDX = 0x000000b7 |
| | EAX = 0x0133207b, EDX = 0x000000b7 |
| | EAX = 0x013320c7, EDX = 0x000000b7 |
| | EAX = 0x01332113, EDX = 0x000000b7 |
| | EAX = 0x0133215f, EDX = 0x000000b7 |
| | EAX = 0x013321ab, EDX = 0x000000b7 |