VirSCAN

1. You can UPLOAD any file, but there is a 20Mb limit per file.
2. VirSCAN supports Rar/Zip decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected compressed files whose password is 'infected' or 'virus'.


File information
Safety rating: 70
Behavior list
Basic Information
MD5: 24a3e5c7100d57b1cffe0c1596c0d386
File type: EXE
Production company: 麦子辅助 解放双手.
Version: 9.6.1.12282---9, 6, 1, 12282
Shell or compiler information: COMPILER:Microsoft Visual C++ 6.0 [Overlay]
Key behavior
Behavior description: Checks whether it is being debugged
details:N/A
Behavior description: Sets a message hook
details:C:\WINDOWS\system32\DINPUT8.dll
C:\Documents and Settings\Administrator\Local Settings\%temp%\cfgdll.dll
Behavior description: Attempts to open the driver device object of a debugger or monitoring tool
details:\??\NTICE
Behavior description: Gets the TickCount value
details:TickCount = 1079268, SleepMilliseconds = 50.
TickCount = 1079284, SleepMilliseconds = 50.
TickCount = 1079300, SleepMilliseconds = 50.
TickCount = 1079331, SleepMilliseconds = 50.
TickCount = 1079346, SleepMilliseconds = 50.
TickCount = 1079393, SleepMilliseconds = 50.
TickCount = 1079440, SleepMilliseconds = 50.
TickCount = 1079456, SleepMilliseconds = 50.
TickCount = 1079503, SleepMilliseconds = 50.
TickCount = 1079518, SleepMilliseconds = 50.
TickCount = 1079534, SleepMilliseconds = 50.
TickCount = 1079550, SleepMilliseconds = 50.
TickCount = 1079565, SleepMilliseconds = 50.
TickCount = 1079643, SleepMilliseconds = 50.
TickCount = 1079659, SleepMilliseconds = 50.
Behavior description: Sets special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\IETldCache
Behavior description: Searches for windows of common anti-virus tools
details:NtUserFindWindowEx: [Class,Window] = [Regmonclass,]
NtUserFindWindowEx: [Class,Window] = [Filemonclass,]
File behavior
Behavior description: Creates files
details:C:\Documents and Settings\Administrator\Local Settings\Temp\13.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\14.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\plugin.zip
C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\SYS.DLL
C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\REGDLL.DLL
C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\COLOR.DLL
C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\WJWL.DLL
C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\WINDOW.DLL
C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\MSG.DLL
C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\FILE.DLL
C:\Documents and Settings\Administrator\Local Settings\Temp\mymacro.zip
C:\Documents and Settings\Administrator\Local Settings\Temp\ad-mymacro9.xml
C:\Documents and Settings\Administrator\Local Settings\Temp\adcon\mm\tmpad.xml
C:\Documents and Settings\Administrator\Local Settings\%temp%\cfgdll.dll
C:\Documents and Settings\Administrator\Local Settings\%temp%\ShieldModule.dat
Behavior description: Creates executable files
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\SYS.DLL
C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\REGDLL.DLL
C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\COLOR.DLL
C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\WJWL.DLL
C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\WINDOW.DLL
C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\MSG.DLL
C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\FILE.DLL
C:\Documents and Settings\Administrator\Local Settings\%temp%\cfgdll.dll
C:\Documents and Settings\Administrator\Application Data\mymacro\qdisp.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\adcon\mm\liveupdate8.dat.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\ad-mymacro9.xml.tmp
C:\Documents and Settings\Administrator\Application Data\qmacro\shield\SD001.dat
C:\Documents and Settings\Administrator\Application Data\qmacro\shield\SD002.dat
Behavior description: Overwrites an existing file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\c7315.tmp
Behavior description: Searches for files
details:FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Application Data
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS\system32\Ras\*.pbk
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = KERNEL32.DLL
FileName = C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012015082520150826\*.*
FileName = C:\Documents and Settings\Administrator\My Documents
FileName = C:\Documents and Settings\root
FileName = C:\Documents and Settings\root\My Documents
Behavior description: Deletes files
details:C:\Documents and Settings\Administrator\Local Settings\Temp\13.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\14.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\plugin.zip
C:\Documents and Settings\Administrator\Local Settings\Temp\mymacro.zip
C:\Documents and Settings\Administrator\Local Settings\Temp\adcon\mm\tmpad.xml
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6P4O8QNJ\wpad[1].dat
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6P4O8QNJ\liveupdate8[1].dat
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6P4O8QNJ\ad-mymacro[1].xml
C:\Documents and Settings\Administrator\Local Settings\%temp%\ShieldModule.dat
C:\Documents and Settings\Administrator\Local Settings\%temp%\checkbox_checked.ico
C:\Documents and Settings\Administrator\Local Settings\%temp%\checkbox_unchecked.ico
C:\Documents and Settings\Administrator\Local Settings\%temp%\checkbox_disabled_checked.ico
C:\Documents and Settings\Administrator\Local Settings\%temp%\checkbox_disabled_unchecked.ico
C:\Documents and Settings\Administrator\Local Settings\%temp%\browsebox_file.ico
C:\Documents and Settings\Administrator\Local Settings\%temp%\browsebox_dir.ico
Behavior description: Renames files
details:C:\Documents and Settings\Administrator\Local Settings\Temp\adcon\mm\liveupdate8.dat.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\adcon\mm\liveupdate8.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\ad-mymacro9.xml.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ad-mymacro9.xml
Behavior description: Sets special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\IETldCache
Behavior description: Modifies file contents
details:C:\Documents and Settings\Administrator\Local Settings\Temp\13.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\14.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\14.tmp ---> Offset = 4096
C:\Documents and Settings\Administrator\Local Settings\Temp\14.tmp ---> Offset = 8192
C:\Documents and Settings\Administrator\Local Settings\Temp\14.tmp ---> Offset = 12288
C:\Documents and Settings\Administrator\Local Settings\Temp\14.tmp ---> Offset = 16384
C:\Documents and Settings\Administrator\Local Settings\Temp\plugin.zip ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\plugin.zip ---> Offset = 4096
C:\Documents and Settings\Administrator\Local Settings\Temp\plugin.zip ---> Offset = 8192
C:\Documents and Settings\Administrator\Local Settings\Temp\plugin.zip ---> Offset = 12288
C:\Documents and Settings\Administrator\Local Settings\Temp\plugin.zip ---> Offset = 16384
C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\SYS.DLL ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\SYS.DLL ---> Offset = 16384
C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\REGDLL.DLL ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\REGDLL.DLL ---> Offset = 16384
Network behavior
Behavior description: Opens a URL over the network
details:InternetOpenUrlA: http://**.133.40.**:128/wpad.dat, hInternet = 0x00cc0010, Flags = 0x00000010
InternetOpenUrlA: http://hi****om/xjl/mmcount.aspx?mm=0002C102F46DC0E92095431FC28D27EB5DCE3008B92AAB120C8F74A084F1A5A6E3CA5AB6A04C222267BE9848&randcode=00029AD537162A3CAEC391D822447041896D9848, hInternet = 0x00cc0008, Flags = 0x00000001
Behavior description: Downloads files
details:URLDownloadToFileW: http://ad****om/qmacro/v9/ad-mymacro.xml ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ad-mymacro9.xml.tmp
URLDownloadToFileW: http://do****om/qmacro/up_mymacro/liveupdate8.dat ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\adcon\mm\liveupdate8.dat.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\adcon\mm\liveupdate8.dat.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\ad-mymacro9.xml.tmp
Behavior description: Connects to specified sites
details:InternetConnectA: ServerName = do****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
InternetConnectA: ServerName = **.133.40.**, PORT = 128, UserName = , Password = , hSession = 0x00cc0010, hConnect = 0x00cc0014, Flags = 0x00000010
InternetConnectA: ServerName = ad****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
InternetConnectA: ServerName = hi****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0008, hConnect = 0x00cc000c, Flags = 0x00000001
InternetConnectA: ServerName = yz****cc, PORT = 80, UserName = , Password = , hSession = 0x00cc000c, hConnect = 0x00cc0010, Flags = 0x00000000
InternetConnectA: ServerName = wl****cc, PORT = 80, UserName = , Password = , hSession = 0x00cc000c, hConnect = 0x00cc0010, Flags = 0x00000000
InternetConnectA: ServerName = ti****hp, PORT = 80, UserName = , Password = , hSession = 0x00cc000c, hConnect = 0x00cc0010, Flags = 0x00000000
Behavior description: Opens HTTP connections
details:InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489), hSession = 0x00cc0004
InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0), hSession = 0x00cc0010
InternetOpenA: UserAgent: 996E, hSession = 0x00cc0008
InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1), hSession = 0x00cc000c
Behavior description: Establishes a socket connection to a specified host
details:URL: wpad, IP: **.133.40.**:128, SOCKET = 0x0000040c
URL: do****om, IP: **.133.40.**:80, SOCKET = 0x000003f0
URL: ad****om, IP: **.133.40.**:80, SOCKET = 0x000005ec
URL: hi****om, IP: **.133.40.**:80, SOCKET = 0x00000354
URL: yz****cc, IP: **.133.40.**:80, SOCKET = 0x00000300
URL: wl****cc, IP: **.133.40.**:80, SOCKET = 0x000002fc
URL: ti****hp, IP: **.133.40.**:80, SOCKET = 0x0000030c
URL: hi****om, IP: **.133.40.**:80, SOCKET = 0x000002fc
URL: hi****om, IP: **.133.40.**:80, SOCKET = 0x00000300
URL: hi****om, IP: **.133.40.**:80, SOCKET = 0x00000304
Behavior description: Reads files from the network
details:hFile = 0x00cc0018, BytesToRead =4010, BytesRead = 4010.
hFile = 0x00cc000c, BytesToRead =2048, BytesRead = 2048.
hFile = 0x00cc0010, BytesToRead =4096, BytesRead = 4096.
hFile = 0x00cc0014, BytesToRead =1024, BytesRead = 1024.
Behavior description: Sends HTTP packets
details:GET /wpad.dat HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0) Host: **.133.40.**:128
GET /qmacro/up_mymacro/liveupdate8.dat HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: do****om Connection: Keep-Alive
GET /qmacro/v9/ad-mymacro.xml HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: ad****om Connection: Keep-Alive
GET /xjl/mmcount.aspx?mm=0002C102F46DC0E92095431FC28D27EB5DCE3008B92AAB120C8F74A084F1A5A6E3CA5AB6A04C222267BE9848&randcode=00029AD537162A3CAEC391D822447041896D9848 HTTP/1.1 User-Agent: 996E Host: hi****om
GET /677/time.php HTTP/1.1 Accept: */* Referer: http://yz.mzcn.cc/677/time.php Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: yz****cc Cache-Control: no-cache
POST /677/time.php HTTP/1.1 Accept: */* Referer: http://wlyz.mzcn.cc/677/time.php Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: wl****cc Content-Length: 0 Cache-Control: no-cache
POST / HTTP/1.1 Accept: */* Referer: time.php Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: ti****hp Content-Length: 0 Cache-Control: no-cache
Behavior description: Opens HTTP requests
details:HttpOpenRequestA: do****om:80/qmacro/up_mymacro/liveupdate8.dat, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
HttpOpenRequestA: **.133.40.**:128/wpad.dat, hConnect = 0x00cc0014, hRequest = 0x00cc0018, Verb: GET, Referer: , Flags = 0x00000010
HttpOpenRequestA: ad****om:80/qmacro/v9/ad-mymacro.xml, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
HttpOpenRequestA: hi****om:80/xjl/mmcount.aspx?mm=0002c102f46dc0e92095431fc28d27eb5dce3008b92aab120c8f74a084f1a5a6e3ca5ab6a04c222267be9848&randcode=00029ad537162a3caec391d822447041896d9848, hConnect = 0x00cc000c, hRequest = 0x00cc0010, Verb: GET, Referer: , Flags = 0x00000001
HttpOpenRequestA: yz****cc:80/677/time.php, hConnect = 0x00cc0010, hRequest = 0x00cc0014, Verb: GET, Referer: , Flags = 0x80004010
HttpOpenRequestA: wl****cc:80/677/time.php, hConnect = 0x00cc0010, hRequest = 0x00cc0014, Verb: POST, Referer: , Flags = 0x80004010
HttpOpenRequestA: ti****hp:80/, hConnect = 0x00cc0010, hRequest = 0x00cc0014, Verb: POST, Referer: , Flags = 0x80004010
Behavior description: Resolves host addresses by name
details:GetAddrInfoW: computer
GetAddrInfoW: wpad
GetAddrInfoW: do****om
GetAddrInfoW: ad****om
gethostbyname: hi****om
GetAddrInfoW: hi****om
GetAddrInfoW: yz****cc
GetAddrInfoW: wl****cc
GetAddrInfoW: ti****hp
Registry behavior
Behavior description: Modifies the registry
details:\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\
\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\
\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\
\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\
\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\
\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\
Behavior description: Deletes registry values
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
\REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\996E\DEBUG\Trace Level
Other behavior
Behavior description: Checks whether it is being debugged
details:N/A
Behavior description: Creates mutexes
details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
RasPbFile
MSCTF.Shared.MUTEX.III
MSCTF.Shared.MUTEX.ELH
Local\c:!documents and settings!administrator!ietldcache!
MSCTF.Shared.MUTEX.AEJ
Behavior description: Creates event objects
details:EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = Global\crypt32LogoffEvent
EventName = B1024
EventName = B3880
EventName = B5194
EventName = MSCTF.SendReceive.Event.MJH.IC
EventName = MSCTF.SendReceiveConection.Event.MJH.IC
EventName = CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000027
EventName = CTF.ThreadMIConnectionEvent.000007B4.00000000.00000027
EventName = MSCTF.SendReceive.Event.ELH.IC
EventName = MSCTF.SendReceiveConection.Event.ELH.IC
EventName = CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000028
EventName = CTF.ThreadMIConnectionEvent.000007B4.00000000.00000028
EventName = CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000029
Behavior description: Searches for specified windows
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [4823-00000029,]
NtUserFindWindowEx: [Class,Window] = [18467-41,]
NtUserFindWindowEx: [Class,Window] = [,PVP.net 客户端]
NtUserFindWindowEx: [Class,Window] = [,League of Legends (TM) Client]
NtUserFindWindowEx: [Class,Window] = [,英雄联盟登录程序]
Behavior description: Attempts to open the driver device object of a debugger or monitoring tool
details:\??\NTICE
Behavior description: Gets the TickCount value
details:TickCount = 1079268, SleepMilliseconds = 50.
TickCount = 1079284, SleepMilliseconds = 50.
TickCount = 1079300, SleepMilliseconds = 50.
TickCount = 1079331, SleepMilliseconds = 50.
TickCount = 1079346, SleepMilliseconds = 50.
TickCount = 1079393, SleepMilliseconds = 50.
TickCount = 1079440, SleepMilliseconds = 50.
TickCount = 1079456, SleepMilliseconds = 50.
TickCount = 1079503, SleepMilliseconds = 50.
TickCount = 1079518, SleepMilliseconds = 50.
TickCount = 1079534, SleepMilliseconds = 50.
TickCount = 1079550, SleepMilliseconds = 50.
TickCount = 1079565, SleepMilliseconds = 50.
TickCount = 1079643, SleepMilliseconds = 50.
TickCount = 1079659, SleepMilliseconds = 50.
Behavior description: Enumerates windows
details:N/A
Behavior description: Searches for windows of common anti-virus tools
details:NtUserFindWindowEx: [Class,Window] = [Regmonclass,]
NtUserFindWindowEx: [Class,Window] = [Filemonclass,]
Behavior description: Directly accesses a physical device
details:\??\PhysicalDrive0
Behavior description: Executable file signature information
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\SYS.DLL(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\REGDLL.DLL(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\COLOR.DLL(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\WJWL.DLL(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\WINDOW.DLL(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\MSG.DLL(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\FILE.DLL(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\%temp%\cfgdll.dll(签名验证: 通过)
C:\Documents and Settings\Administrator\Application Data\mymacro\qdisp.dll(签名验证: 通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\adcon\mm\liveupdate8.dat.tmp(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\ad-mymacro9.xml.tmp(签名验证: 未通过)
C:\Documents and Settings\Administrator\Application Data\qmacro\shield\SD001.dat(签名验证: 通过)
C:\Documents and Settings\Administrator\Application Data\qmacro\shield\SD002.dat(签名验证: 通过)
Behavior description: Calls the Sleep function
details:[1]: MilliSeconds = 60000.
[2]: MilliSeconds = 60000.
[3]: MilliSeconds = 900000.
[4]: MilliSeconds = 60000.
[5]: MilliSeconds = 60000.
[6]: MilliSeconds = 60000.
[7]: MilliSeconds = 60000.
[8]: MilliSeconds = 60000.
[9]: MilliSeconds = 60000.
[10]: MilliSeconds = 60000.
Behavior description: Hides specified windows
details:[Window,Class] = [,#32770]
[Window,Class] = [,Shell Embedding]
[Window,Class] = [Static,Button]
[Window,Class] = [确定,Button]
[Window,Class] = [取消,Button]
[Window,Class] = [应用(&A),Button]
[Window,Class] = [帮助,Button]
[Window,Class] = [,tooltips_class32]
[Window,Class] = [软件说明页,#32770]
[Window,Class] = [关于麦子辅助吧,#32770]
[Window,Class] = [,Static]
[Window,Class] = [常用工具,Static]
[Window,Class] = [逻辑设置,Static]
[Window,Class] = [,ComboLBox]
[Window,Class] = [定时停止,Static]
Behavior description: Executable file MD5
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\SYS.DLL ---> 9e540d9b62d97b7ec9761ab519db6a5c
C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\REGDLL.DLL ---> e29d9a912204844df5306ca3935b1f1c
C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\COLOR.DLL ---> fe826eebfddcb3c0217a356a0ccf6cef
C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\WJWL.DLL ---> ec076967e6e24f5999c816ea3eac8fd0
C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\WINDOW.DLL ---> 6b7a84d4bb513320b4b96bdc125f57f6
C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\MSG.DLL ---> 3f92f9c3ac33dcf97741eb937c3e7c44
C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\FILE.DLL ---> 4723c8d438821f0b0bc7edfe9811a1dc
C:\Documents and Settings\Administrator\Local Settings\%temp%\cfgdll.dll ---> 929f56b46242fa68a616374a5403689b
C:\Documents and Settings\Administrator\Application Data\mymacro\qdisp.dll ---> 7171bc500507f070355c8903e0ea6d3d
C:\Documents and Settings\Administrator\Local Settings\Temp\adcon\mm\liveupdate8.dat.tmp ---> fe1d0ee5901dd167ee9b28eece31786c
C:\Documents and Settings\Administrator\Local Settings\Temp\ad-mymacro9.xml.tmp ---> fe1d0ee5901dd167ee9b28eece31786c
C:\Documents and Settings\Administrator\Application Data\qmacro\shield\SD001.dat ---> a178063c77d5138d95b19e6930760886
C:\Documents and Settings\Administrator\Application Data\qmacro\shield\SD002.dat ---> da9ee08d671fd560971c0128d2191598
Behavior description: Window information
details:Pid = 2364, Hwnd=0xa0300, Text = TAB定位, ClassName = Static.
Pid = 2364, Hwnd=0xa0322, Text = 软件说明页, ClassName = #32770.
Pid = 2364, Hwnd=0x60352, Text = Static, ClassName = Button(GroupBox).
Pid = 2364, Hwnd=0xb02f2, Text = 基本设置: 1. 屏幕分辨率请保证在1280*720以上使用(必须大于这个值) 2. 使用前必须关闭360等安全软件,有瑞星则必, ClassName = Edit.
Pid = 2364, Hwnd=0x9030e, Text = 脚本的属性页, ClassName = #32770.
Pid = 2364, Hwnd=0x60340, Text = 启动PageUp, ClassName = Button.
Pid = 2364, Hwnd=0xa02f0, Text = 暂停/继续Home, ClassName = Button.
Pid = 2364, Hwnd=0x1202ce, Text = 中止PageDown, ClassName = Button.
Pid = 2364, Hwnd=0x60330, Text = 修改热键, ClassName = Button.
Pid = 2364, Hwnd=0x60332, Text = 保存设置, ClassName = Button.
Pid = 2364, Hwnd=0x3036e, Text = 还原设置, ClassName = Button.
Pid = 2364, Hwnd=0x30372, Text = List1, ClassName = SysListView32.
Pid = 2364, Hwnd=0x1037e, Text = maiz, ClassName = #32770.
Pid = 2364, Hwnd=0x1050a, Text = 等级超过, ClassName = Button.
Pid = 2364, Hwnd=0x10502, Text = 任务状态, ClassName = Static.
Behavior description: Loads newly dropped files
details:Image: C:\Documents and Settings\Administrator\Application Data\mymacro\qdisp.dll.
Image: C:\Documents and Settings\Administrator\Local Settings\%temp%\cfgdll.dll.
Image: C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\MSG.DLL.
Image: C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\WJWL.DLL.
Image: C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\WINDOW.DLL.
Image: C:\Documents and Settings\Administrator\Local Settings\%temp%\plugin\FILE.DLL.
Run screenshot (image not included)