VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives whose password is 'infected' or 'virus'.


File information
Safety rating:74
Behavior list
Basic Information
MD5:7d36cacd597053d15490ac946772fe56
file type:Rar
Production company:
version:
Packer or compiler information:COMPILER:Microsoft Visual C++ 6.0
Subfile information:upx_c_7a714760dumpFile / c602754e085562e19f63440b7edc1b02 / EXE
U1603.exedumpFile / c92ca9b2e2b5463fe2ada76c7eed1b58 / EXE
U1603.exe / c92ca9b2e2b5463fe2ada76c7eed1b58 / EXE
Key behavior
Behavior description:Suppresses the window close message (the window title below, 无界浏览 "Wujie Liulan", is the Chinese-language name under which UltraSurf is distributed; the ultrasurfus path in the HTTP requests below is consistent with that)
details:hWnd = 0x00090358, Text = 无界浏览 16.03, ClassName = #32770.
Behavior description:Sets special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012016082920160830
Behavior description:Looks up PE resource information
details:(FindResourceA) hModule = 0x00000000, ResName: , ResType: BIN
Behavior description:Reads the tick count (GetTickCount) around Sleep calls
details:TickCount = 5358059, SleepMilliseconds = 200.
TickCount = 5358090, SleepMilliseconds = 200.
TickCount = 5358121, SleepMilliseconds = 200.
TickCount = 5358168, SleepMilliseconds = 200.
TickCount = 5358309, SleepMilliseconds = 200.
TickCount = 5358340, SleepMilliseconds = 200.
TickCount = 5358450, SleepMilliseconds = 200.
TickCount = 5358465, SleepMilliseconds = 200.
TickCount = 5361343, SleepMilliseconds = 3000.
TickCount = 5361359, SleepMilliseconds = 3000.
TickCount = 5358809, SleepMilliseconds = 200.
TickCount = 5361625, SleepMilliseconds = 3000.
TickCount = 5358856, SleepMilliseconds = 200.
TickCount = 5358871, SleepMilliseconds = 200.
TickCount = 5358887, SleepMilliseconds = 200.
Process behavior
Behavior description:Creates a process with a hidden window
details:ImagePath = , CmdLine = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\utmp\u.exe -L="127.0.0.1:9666" -CID="2e7bd183", -ProgPath="C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\\" -TmpPath="C:\Documents and Sett
Behavior description:Creates local threads
details:TargetProcess: U1603.exe, InheritedFromPID = 1944, ProcessID = 1172, ThreadID = 1252, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: U1603.exe, InheritedFromPID = 1944, ProcessID = 1172, ThreadID = 1656, StartAddress = 5FE01259, Parameter = 00000000
TargetProcess: U1603.exe, InheritedFromPID = 1944, ProcessID = 1172, ThreadID = 1128, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: U1603.exe, InheritedFromPID = 1944, ProcessID = 1172, ThreadID = 968, StartAddress = 7C930230, Parameter = 00000000
TargetProcess: U1603.exe, InheritedFromPID = 1944, ProcessID = 1172, ThreadID = 1124, StartAddress = 004B5B57, Parameter = 010E6090
TargetProcess: U1603.exe, InheritedFromPID = 1944, ProcessID = 1172, ThreadID = 1204, StartAddress = 004B5B57, Parameter = 010E8C80
TargetProcess: U1603.exe, InheritedFromPID = 1944, ProcessID = 1172, ThreadID = 1844, StartAddress = 004B5B57, Parameter = 010E8A60
TargetProcess: U1603.exe, InheritedFromPID = 1944, ProcessID = 1172, ThreadID = 300, StartAddress = 004B5B57, Parameter = 010E8660
TargetProcess: U1603.exe, InheritedFromPID = 1944, ProcessID = 1172, ThreadID = 156, StartAddress = 004B5B57, Parameter = 010E83C0
TargetProcess: U1603.exe, InheritedFromPID = 1944, ProcessID = 1172, ThreadID = 2052, StartAddress = 004B5B57, Parameter = 010E8020
TargetProcess: U1603.exe, InheritedFromPID = 1944, ProcessID = 1172, ThreadID = 2056, StartAddress = 004B5B57, Parameter = 010E9DE0
TargetProcess: U1603.exe, InheritedFromPID = 1944, ProcessID = 1172, ThreadID = 2060, StartAddress = 004B5B57, Parameter = 010E9CB0
TargetProcess: U1603.exe, InheritedFromPID = 1944, ProcessID = 1172, ThreadID = 2064, StartAddress = 004B5B57, Parameter = 010E9A90
TargetProcess: U1603.exe, InheritedFromPID = 1944, ProcessID = 1172, ThreadID = 2068, StartAddress = 004B5B57, Parameter = 010E9870
TargetProcess: U1603.exe, InheritedFromPID = 1944, ProcessID = 1172, ThreadID = 2072, StartAddress = 004B5B57, Parameter = 010E96C0
Behavior description:Creates a process from a newly written file
details:ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\utmp\u.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\utmp\u.exe" -L="127.0.0.1:9666" -CID="2e7bd183", -ProgPath="C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\\" -TmpPath="C:\Documents and Se
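The two process-creation records above are the most informative lines in the report: the dropped u.exe is launched from the 7-Zip extraction directory with a fixed set of switches, and the -TmpPath value is cut off by the sandbox. Below is an added example (not part of the VirSCAN report and not code from the tool under analysis) that parses both record shapes, the quoted one and the unquoted one with an empty ImagePath, splits the command line into switches without guessing the truncated value, and checks whether the -L value names a loopback address. The switch meanings are not documented in the report; the code only records them, and the loopback check says nothing more than what the literal address says.

```python
import re
from ipaddress import ip_address

# Constructed input built from the two records above, with the sandbox's own
# masking (****) and the same cut-off -TmpPath value. Backslashes are doubled
# only because these are Python string literals.
TMP = 'C:\\Documents and Settings\\Administrator\\Local Settings\\%temp%\\****.exe_7zdump'
EXE = TMP + '\\utmp\\u.exe'
ARGS = ('-L="127.0.0.1:9666" -CID="2e7bd183", -ProgPath="' + TMP + '\\\\" '
        '-TmpPath="C:\\Documents and Se')
SAMPLE_VISIBLE = 'ImagePath = ' + EXE + ', CmdLine = "' + EXE + '" ' + ARGS
SAMPLE_HIDDEN = 'ImagePath = , CmdLine = ' + EXE + ' ' + ARGS

RECORD_RE = re.compile(r'^ImagePath = (?P<image>.*?), CmdLine = (?P<cmdline>.*)$', re.S)
# -Name=value switches; the value may be quoted. A missing closing quote means
# the sandbox truncated the line, which we record rather than invent the rest.
SWITCH_RE = re.compile(
    r'-(?P<name>[A-Za-z_]\w*)='
    r'(?:"(?P<qval>[^"]*)(?P<close>")?|(?P<bval>[^\s,]*))')


def parse_record(record):
    """Split an ImagePath/CmdLine record into image, program and switches."""
    m = RECORD_RE.match(record.strip())
    if m is None:
        raise ValueError("not an ImagePath/CmdLine record")
    cmdline = m["cmdline"]
    matches = list(SWITCH_RE.finditer(cmdline))
    # Everything before the first switch is the program path, quoted or not;
    # this also copes with the unquoted path containing spaces.
    cut = matches[0].start() if matches else len(cmdline)
    program = cmdline[:cut].strip().strip('"')
    switches = {}
    for sm in matches:
        if sm["qval"] is not None:
            switches[sm["name"]] = {"value": sm["qval"], "truncated": sm["close"] is None}
        else:
            switches[sm["name"]] = {"value": sm["bval"], "truncated": False}
    return {"image": m["image"], "program": program, "switches": switches}


def listener_endpoint(parsed):
    """(host, port, is_loopback) from the -L switch, or None if absent or cut off.
    That -L names a listen address is an assumption; the report does not say."""
    sw = parsed["switches"].get("L")
    if sw is None or sw["truncated"]:
        return None
    host, _, port = sw["value"].rpartition(":")
    if not port.isdigit():
        return None
    try:
        loopback = ip_address(host).is_loopback
    except ValueError:
        loopback = host.lower() == "localhost"
    return host, int(port), loopback


if __name__ == "__main__":
    for rec in (SAMPLE_VISIBLE, SAMPLE_HIDDEN):
        p = parse_record(rec)
        print(p["program"], p["switches"], listener_endpoint(p))
```

The truncated flag matters when the parsed values feed a detection rule or a YARA/Sigma string: a rule built on the cut-off -TmpPath would never match the real value.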
File behavior
Behavior description:Creates files
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\1240
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\utmp\Riqknmiwdk3s1y0w
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\utmp\Bldgedpjvs1h5x3p
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\utmp\Pbewaprtcl0z9i8f
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\utmp\u.exe
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012016082920160830\index.dat
Behavior description:Creates an executable file
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\utmp\u.exe
Behavior description:Searches for files
details:FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS\system32\Ras\*.pbk
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\utmp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\utmp\u.exe
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates\*
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs\*
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs\*
FileName = C:\Documents and Settings\Administrator\Local Settings\History
FileName = C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012016061420160615\*.*
Behavior description:Deletes files
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\1240
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\utmp\Riqknmiwdk3s1y0w
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\utmp\Bldgedpjvs1h5x3p
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\utmp\Pbewaprtcl0z9i8f
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\noConnect[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\complete[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\bullet[2]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\host[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6P4O8QNJ\masthead_fill[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\welcome_zh_CN[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\progress_fg_right[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\ErrorPageTemplate[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6P4O8QNJ\progress_zh_CN[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\l10n[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\common[1]
Behavior description:Sets special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012016082920160830
Behavior description:Modifies file contents
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\utmp\Riqknmiwdk3s1y0w ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\utmp\Bldgedpjvs1h5x3p ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\utmp\Pbewaprtcl0z9i8f ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\utmp\u.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\utmp\u.exe ---> Offset = 1519616
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012016082920160830\index.dat ---> Offset = 0
Network behavior
Behavior description:Connects to specified sites
details:InternetConnectA: ServerName = d1****et, PORT = 443, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
InternetConnectA: ServerName = d2****et, PORT = 443, UserName = , Password = , hSession = 0x00cc0010, hConnect = 0x00cc0014, Flags = 0x00000000
InternetConnectA: ServerName = d3****et, PORT = 443, UserName = , Password = , hSession = 0x00cc001c, hConnect = 0x00cc0020, Flags = 0x00000000
InternetConnectA: ServerName = **.20.61.**, PORT = 443, UserName = , Password = , hSession = 0x00cc0028, hConnect = 0x00cc002c, Flags = 0x00000000
InternetConnectA: ServerName = **.20.62.**, PORT = 443, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
InternetConnectA: ServerName = s3****om, PORT = 443, UserName = , Password = , hSession = 0x00cc0010, hConnect = 0x00cc0014, Flags = 0x00000000
InternetConnectA: ServerName = s3****om, PORT = 443, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
InternetConnectA: ServerName = d2****et, PORT = 443, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
InternetConnectA: ServerName = d3****et, PORT = 443, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
InternetConnectA: ServerName = **.20.61.**, PORT = 443, UserName = , Password = , hSession = 0x00cc0010, hConnect = 0x00cc0014, Flags = 0x00000000
InternetConnectA: ServerName = d1****et, PORT = 443, UserName = , Password = , hSession = 0x00cc0008, hConnect = 0x00cc0004, Flags = 0x00000000
InternetConnectA: ServerName = **.20.62.**, PORT = 443, UserName = , Password = , hSession = 0x00cc0008, hConnect = 0x00cc0004, Flags = 0x00000000
InternetConnectA: ServerName = d1****et, PORT = 443, UserName = , Password = , hSession = 0x00cc0010, hConnect = 0x00cc000c, Flags = 0x00000000
InternetConnectA: ServerName = **.20.61.**, PORT = 443, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
Behavior description:Establishes a socket connection
details:URL: d3****et, IP: **.133.40.**:443, SOCKET = 0x0000046c
URL: d1****et, IP: **.133.40.**:443, SOCKET = 0x00000430
URL: d2****et, IP: **.133.40.**:443, SOCKET = 0x00000520
URL: , IP: **.20.61.**:443, SOCKET = 0x00000594
URL: d1****et, IP: **.133.40.**:443, SOCKET = 0x00000468
URL: , IP: **.20.62.**:443, SOCKET = 0x00000468
URL: s3****om, IP: **.133.40.**:443, SOCKET = 0x00000400
URL: s3****om, IP: **.133.40.**:443, SOCKET = 0x00000490
URL: d1****et, IP: **.133.40.**:443, SOCKET = 0x00000414
URL: s3****om, IP: **.133.40.**:443, SOCKET = 0x00000468
URL: d2****et, IP: **.133.40.**:443, SOCKET = 0x00000404
URL: d3****et, IP: **.133.40.**:443, SOCKET = 0x000003ec
URL: s3****om, IP: **.133.40.**:443, SOCKET = 0x00000410
URL: , IP: **.20.61.**:443, SOCKET = 0x000003ec
URL: s3****om, IP: **.133.40.**:443, SOCKET = 0x000003d8
Behavior description:Opens HTTP requests
details:HttpOpenRequestA: d1****et:443/_nuksuawuxrjhx1yweobajk2iwvyfabwqpdoxtnwjwr30/csqhtfk6q0pb3gt/kwck7lqxxo/b5fmnbjvhop/vsytizgq_/ewxi2mtp/6babyy0flzu8/a4q48iqvoy_b2/nz4ajxpsqjov/djiq-tvlc3byb/7r-8v7yl2y/dcbqhbywgnf1/5fqv6jckxmvg/rwkuetsczwx/jebhtyub_20n/vklh6, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00800100
HttpOpenRequestA: d2****et:443/_nuksuawuxrjhx1yweobajk2iwvyfabwqpdoxtnwjwr30/cjsvvqpp3c6xfoz/v_sotea7iuj/eo4amrw9lu/icu41_hthnbbb/5lynfj7l/vpu4npzu/4nkuabpn/xp-xqheb8watp/c_gsuedf/uoqw1wfsf1nt/aahofwhqpsnd-/tobbsqlfws5l/fzr4fiziyk/6tzczblcrsi/zdvoo08/lv8zb, hConnect = 0x00cc0014, hRequest = 0x00cc0018, Verb: GET, Referer: , Flags = 0x00800100
HttpOpenRequestA: d3****et:443/_nuksuawuxrjhx1yweobajk2iwvyfabwqpdoxtnwjwr30/r1e3wntdr/q34ck0g/fytb3odlie/ivv84pqg/ejfkumdunfiyg/-9-ptaypq3nc/mhetxb5f/oj2t4vbs-m/6xx_blinlyh_/a7v9fxi/fmcgvhd7n/cej3aer_wj/qkvega6/ad98qs39uha/jzpyxjktlw4/8ptjcvd_2phti/gwil1h, hConnect = 0x00cc0020, hRequest = 0x00cc0024, Verb: GET, Referer: , Flags = 0x00800100
HttpOpenRequestA: **.20.61.**:443/_nuksuawuxrjhx1yweobajk2iwvyfabwqpdoxtnwjwr30/zsrxfq34hg6vsp/fiufw89xr3wxb/bdxcoph4u/7e5-x-_7/mypjajjtmql/gxl4ljw/9aqespk6-/qlqf1i_k/1ybw_6t2ac/s6by2nze-z/0c0_udg/u-zrjg0xxc6s7/hzqukx7g0/beozl5xuju/jdjjoso/s3wlo4?pad=euwgzggmeqmjzkibwkvlsnbm, hConnect = 0x00cc002c, hRequest = 0x00cc0030, Verb: GET, Referer: , Flags = 0x00800100
HttpOpenRequestA: d1****et:443/_nuksuawuxrjhx1yweobajk2iwvyfabwqpdoxtnwjwr30/hpcxr4gqj0wnr0/xg4py2xanl53/lsb47sdfyyy/m9jo9eh5wt4z/cxmtg9h/cwggf_-5vpgqt/5wupzyhkxarsc/zcdeisi/ekgvxhoys/a1kv2nucj/9ewlkahoipc7/nyml2m3cmhc/tbr4buv/3ybyyaecbklwf/0cscolea/gaquqj, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00800100
HttpOpenRequestA: **.20.62.**:443/_nuksuawuxrjhx1yweobajk2iwvyfabwqpdoxtnwjwr30/23qvwi0kjmiqkw_u/qn7k7hi/fmmoipcqfe-m/afact4nf/ho_upob72pqn/9vm5cfbst/cxt8lotejg22/nyjyxgab87/uo-zwcit2l-/kve5vo_cq/dbih2yv6/jwpgphmf5/lth9gkqctbq/biqkfhba0vpz/a01su?pad=ggybbxuqxzlejbtolgzcyurbc, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00800100
HttpOpenRequestA: s3****om:443/ultrasurfus/cn1503/ynnfdxlvn?hqghumeaylnlfdxfircvscxggbwkfnqduxwfnfozvsrtkjprepggxrpnrvystmwcysyycqpevikeffmznimkkasvwsrenzkycxfxtlsgypsfadpooefxzbcoejuvpvaboygpoeylfpbnpljvrvipyamyehwqnqrqpmxujjloovaowuxwhmsncbxcoksfzkvatxdknlyjyhfixjswn, hConnect = 0x00cc0014, hRequest = 0x00cc0018, Verb: GET, Referer: , Flags = 0x00800100
HttpOpenRequestA: s3****om:443/ultrasurfus/cn1503/ygkgdffxr?hqghumeaylnlfdxfircvscxggbwkfnqduxwfnfozvsrtkjprepggxrpnrvystmwcysyycqpevikeffmznimkkasvwsrenzkycxfxtlsgypsfadpooefxzbcoejuvpvaboygpoeylfpbnpljvrvipyamyehwqnqrqpmxujjloovaowuxwhmsncbxcoksfzkvatxdknlyjyhfixjswn, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00800100
HttpOpenRequestA: d1****et:443/_nuksuawuxrjhx1yweobajk2iwvyfabwqpdoxtnwjwr30/owqie0ty/38l_pyfa/3lmwwuho/onhncot/ztovxd_dl/l9b_izbf3j0z9/d_amr9vcivpk/8xgjyu1ylgrxs/gqybj32y5lpw/dhp4eek3fjk5/bwrwuhfwi-eai/3jprtmrs-/adw6su0/yrnhiuxflyw/mciy2uk0jjro5/j4mq49nln, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00800100
HttpOpenRequestA: s3****om:443/ultrasurfus/cn1503/nojyzvuky?hqghumeaylnlfdxfircvscxggbwkfnqduxwfnfozvsrtkjprepggxrpnrvystmwcysyycqpevikeffmznimkkasvwsrenzkycxfxtlsgypsfadpooefxzbcoejuvpvaboygpoeylfpbnpljvrvipyamyehwqnqrqpmxujjloovaowuxwhmsncbxcoksfzkvatxdknlyjyhfixjswn, hConnect = 0x00cc0014, hRequest = 0x00cc0018, Verb: GET, Referer: , Flags = 0x00800100
HttpOpenRequestA: d2****et:443/_nuksuawuxrjhx1yweobajk2iwvyfabwqpdoxtnwjwr30/itw_krab/1j5jd9k_/kuv5ch7ugyb_z/60vigpl9wudu/pl0jjey-jx5/c6yyum5s/oakvqzqvhwp1p/vdpdz7udf05/ry1hqra/n5ucp0c7agymq/bu-stz2wjud/dn86msg/7z4jre6teta/u-0sgzfgw3jf1/phi5ay03fmwm/wkhpff, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00800100
HttpOpenRequestA: d3****et:443/_nuksuawuxrjhx1yweobajk2iwvyfabwqpdoxtnwjwr30/s5c_zcniwv9ar/hj1vmbxf/svaxjn-zz/veg5nuoqnaa/j-qiq7vd/abe5dlr/cqxbfvvn8ma0v/qojywf3xc/skkszowzrwmz/rlr5r2soo4/tx2vzomu29j5/t_bzfeq7mrzo/qd9qsm1u4v5/hcfjw6r4h/f8tscjdi0dd/f5rowid/e, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00800100
HttpOpenRequestA: s3****om:443/ultrasurfus/cn1503/ynnfdxlvn?hqghumeaylnlfdxfircvscxggbwkfnqduxwfnfozvsrtkjprepggxrpnrvystmwcysyycqpevikeffmznimkkasvwsrenzkycxfxtlsgypsfadpooefxzbcoejuvpvaboygpoeylfpbnpljvrvipyamyehwqnqrqpmxujjloovaowuxwhmsncbxcoksfzkvatxdknlyjyhfixjswn, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00800100
HttpOpenRequestA: **.20.61.**:443/_nuksuawuxrjhx1yweobajk2iwvyfabwqpdoxtnwjwr30/yu8y90t7kwzfh3y/4d8eozo-8zd0/ghimemx993s/_k9eq9l8/ccs5pwaw/8s_lpeudt/gmm5e3t-z/kxrq3cgyg/ptuhw7box/wphm4-cxoc/hyfku47nxr7g/uaefgot/pf98esgt4z6ti/xx2kwcm2tb/knr19uqay?pad=dxtolmcyvqcleemxcbrndlzwa, hConnect = 0x00cc0014, hRequest = 0x00cc0018, Verb: GET, Referer: , Flags = 0x00800100
HttpOpenRequestA: d1****et:443/_nuksuawuxrjhx1yweobajk2iwvyfabwqpdoxtnwjwr30/vxsi9yhslkvcco/eja4en4/no1lh1mw-qbc3/adu3rcl3/wdznijqhn/nibfyq-qx-/khg4tgv/ov3732nvpeah8/vxxdpktkoxv/nkupljrnqza/2_vkrefq/ml3j8iynpx/d6bx5gihukp/82whnnddbq/ibbgzvmj0xwj/chzvt-zj0w, hConnect = 0x00cc0004, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00800100
Behavior description:Resolves host addresses by name
details:GetAddrInfoW: d2****et
GetAddrInfoW: d3****et
GetAddrInfoW: d1****et
GetAddrInfoW: s3****om
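The network section records four stages for each destination: name resolution (GetAddrInfoW), the WinINet connect (InternetConnectA), the TCP connect (socket line with the resolved IP) and the request (HttpOpenRequestA with its flags). Correlating them shows that the two masked IP literals are contacted without any DNS lookup, that every request carries Flags = 0x00800100, and that the d1/d2/d3 hosts and the IP literals share one long first path segment while s3 uses /ultrasurfus/cn1503/. The following added example (not from the report or from the tool) does that correlation over a constructed excerpt of the lines above, with the paths shortened; the flag names come from wininet.h (INTERNET_FLAG_SECURE = 0x00800000, INTERNET_FLAG_PRAGMA_NOCACHE = 0x00000100), and treating pad= as a padding parameter is my assumption, not something the report states.

```python
import os
import re
from collections import defaultdict

# Constructed excerpt of the network section above; hosts and IPs keep the
# report's masking and the request paths are shortened.
SAMPLE = """Behavior description:Resolves host addresses by name
details:GetAddrInfoW: d1****et
GetAddrInfoW: s3****om
Behavior description:Connects to specified sites
details:InternetConnectA: ServerName = d1****et, PORT = 443, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
InternetConnectA: ServerName = **.20.61.**, PORT = 443, UserName = , Password = , hSession = 0x00cc0028, hConnect = 0x00cc002c, Flags = 0x00000000
InternetConnectA: ServerName = s3****om, PORT = 443, UserName = , Password = , hSession = 0x00cc0010, hConnect = 0x00cc0014, Flags = 0x00000000
Behavior description:Establishes a socket connection
details:URL: d1****et, IP: **.133.40.**:443, SOCKET = 0x00000430
URL: , IP: **.20.61.**:443, SOCKET = 0x00000594
URL: s3****om, IP: **.133.40.**:443, SOCKET = 0x00000400
Behavior description:Opens HTTP requests
details:HttpOpenRequestA: d1****et:443/_nuksuawuxrjhx1yweobajk2iwvyfabwqpdoxtnwjwr30/csqhtfk6q0pb3gt/kwck7lqxxo, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00800100
HttpOpenRequestA: d1****et:443/_nuksuawuxrjhx1yweobajk2iwvyfabwqpdoxtnwjwr30/hpcxr4gqj0wnr0/xg4py2xanl53, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00800100
HttpOpenRequestA: **.20.61.**:443/_nuksuawuxrjhx1yweobajk2iwvyfabwqpdoxtnwjwr30/zsrxfq34hg6vsp/s3wlo4?pad=euwgzggmeqmjzkibwkvlsnbm, hConnect = 0x00cc002c, hRequest = 0x00cc0030, Verb: GET, Referer: , Flags = 0x00800100
HttpOpenRequestA: s3****om:443/ultrasurfus/cn1503/ynnfdxlvn?hqghumeaylnlfdxfircv, hConnect = 0x00cc0014, hRequest = 0x00cc0018, Verb: GET, Referer: , Flags = 0x00800100
"""

# wininet.h flag bits present in the records (Flags = 0x00800100).
INTERNET_FLAGS = {
    0x00800000: "INTERNET_FLAG_SECURE",          # request goes over TLS
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",  # adds Pragma: no-cache
}

DNS_RE = re.compile(r"GetAddrInfoW: (?P<host>\S+)")
CONNECT_RE = re.compile(r"InternetConnectA: ServerName = (?P<host>[^,]+), PORT = (?P<port>\d+)")
SOCKET_RE = re.compile(r"URL: (?P<host>[^,]*), IP: (?P<ip>[^:]+):(?P<port>\d+)")
REQUEST_RE = re.compile(r"HttpOpenRequestA: (?P<host>[^:/]+):(?P<port>\d+)(?P<path>[^,\s]*), "
                        r".*Verb: (?P<verb>\w+), .*Flags = (?P<flags>0x[0-9a-fA-F]+)")
MASKED_IP_RE = re.compile(r"^[\d*]{1,3}(\.[\d*]{1,3}){3}$")  # masked dotted quad


def decode_flags(value):
    """Names of the known wininet flag bits in value, plus any leftover bits."""
    names = [name for bit, name in INTERNET_FLAGS.items() if value & bit]
    rest = value & ~sum(INTERNET_FLAGS)
    if rest:
        names.append("unknown:0x%08x" % rest)
    return names


def summarize(text):
    """Per-destination view: resolved by name?, ports, IPs, request count,
    common path prefix, TLS on every request, and pad= query count."""
    hosts = defaultdict(lambda: {"resolved": False, "ports": set(), "ips": set(),
                                 "requests": [], "flags": set(), "padded": 0})
    for line in text.splitlines():
        if m := DNS_RE.search(line):
            hosts[m["host"]]["resolved"] = True
        elif m := CONNECT_RE.search(line):
            hosts[m["host"]]["ports"].add(int(m["port"]))
        elif m := SOCKET_RE.search(line):
            key = m["host"] or m["ip"]  # literal-IP connects leave the URL field empty
            hosts[key]["ips"].add(m["ip"])
            hosts[key]["ports"].add(int(m["port"]))
        elif m := REQUEST_RE.search(line):
            h = hosts[m["host"]]
            h["requests"].append(m["path"])
            h["flags"].add(int(m["flags"], 16))
            if "?pad=" in m["path"]:  # assumption: pad= is padding; the report does not say
                h["padded"] += 1
    out = {}
    for host, h in hosts.items():
        paths = [p.split("?", 1)[0] for p in h["requests"]]
        out[host] = {
            "literal_ip": bool(MASKED_IP_RE.match(host)),
            "resolved": h["resolved"],
            "ports": sorted(h["ports"]),
            "ips": sorted(h["ips"]),
            "requests": len(paths),
            "common_prefix": os.path.commonprefix(paths) if paths else "",
            "tls": bool(h["flags"]) and all("INTERNET_FLAG_SECURE" in decode_flags(f) for f in h["flags"]),
            "padded": h["padded"],
        }
    return out


def hosts_by_first_segment(summary):
    """Group destinations by the first path segment they were asked for."""
    groups = defaultdict(list)
    for host, s in summary.items():
        if s["requests"]:
            groups[s["common_prefix"].split("/")[1]].append(host)
    return dict(groups)


if __name__ == "__main__":
    s = summarize(SAMPLE)
    for host, info in s.items():
        print(host, info)
    print(hosts_by_first_segment(s))
```

The grouping is what turns a list of masked hostnames into something you can pivot on: a shared first segment across DNS names and bare IPs is a stronger link between the destinations than the masked names alone.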
Registry behavior
Behavior description:Modifies the registry
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\USER\S-*\Software\Microsoft\MediaPlayer\Preferences\UseHTTP
\REGISTRY\USER\S-*\Software\Microsoft\MediaPlayer\Preferences\UseTCP
\REGISTRY\USER\S-*\Software\Microsoft\MediaPlayer\Preferences\UseUDP
\REGISTRY\USER\S-*\Software\Microsoft\MediaPlayer\Preferences\UseMulticast
\REGISTRY\USER\S-*\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP\ProxyBypass
\REGISTRY\USER\S-*\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP\ProxyStyle
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1C00
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\Isolation
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
Behavior description:Deletes registry keys
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016061420160615\
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016082920160830\
Behavior description:Modifies the registry: IE connection settings
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
Behavior description:Deletes registry values
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\Isolation
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\TypedURLs\url1
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\TypedURLs\url2
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\TypedURLs\url3
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\TypedURLs\url4
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\TypedURLs\url5
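Read together, the registry records describe one sequence: the per-user WinINet proxy values (ProxyServer, ProxyEnable, ProxyOverride, DefaultConnectionSettings, SavedLegacySettings) are written, the Internet-zone security level is changed, and on the way out ProxyServer, AutoConfigURL and ProxyOverride are deleted along with the TypedURLs entries and the MSHist cache keys. The added example below (my code, not the report's or the tool's) parses the "Behavior description:" / "details:" blocks of this section, with the labels in English as translated above, sorts each path into a coarse category and turns the combination into findings. The category names and the reading of "ProxyServer plus ProxyEnable written" as a proxy rewrite are mine; the value names are the ones listed in the report.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the registry section above, with the user
# SID masked (S-*) as the sandbox masks it. A raw string keeps the backslashes.
SAMPLE = r"""Behavior description:Modifies the registry
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\USER\S-*\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP\ProxyBypass
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
Behavior description:Deletes registry keys
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016082920160830\
Behavior description:Modifies the registry: IE connection settings
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
Behavior description:Deletes registry values
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\TypedURLs\url1
"""

# WinINet per-user proxy values under ...\Internet Settings (names from the report).
PROXY_VALUES = {"ProxyServer", "ProxyEnable", "ProxyOverride", "AutoConfigURL",
                "DefaultConnectionSettings", "SavedLegacySettings"}


def parse_registry_section(text):
    """Yield (behavior label, registry path) pairs; continuation lines after
    'details:' belong to the most recent label, as in the report layout."""
    label = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Behavior description:"):
            label = line[len("Behavior description:"):].strip()
            continue
        if line.startswith("details:"):
            line = line[len("details:"):].strip()
        if label is not None and line.startswith("\\REGISTRY\\"):
            yield label, line.rstrip("\\")


def classify(path):
    """Coarse category for a registry path, or None if it is not of interest."""
    leaf = path.rsplit("\\", 1)[-1]
    if "\\Internet Settings\\" in path and leaf in PROXY_VALUES:
        return "wininet-proxy"
    if "\\Internet Settings\\Zones\\" in path:
        return "ie-zone-policy"
    if "\\MediaPlayer\\Preferences\\ProxySettings\\" in path:
        return "wmp-proxy"
    if "\\Internet Explorer\\TypedURLs\\" in path or "\\Extensible Cache\\MSHist" in path:
        return "browser-history-cleanup"
    return None


def assess(text):
    """Categorise every path and derive findings from the combinations."""
    by_cat = defaultdict(list)
    for label, path in parse_registry_section(text):
        cat = classify(path)
        if cat is not None:
            by_cat[cat].append((label, path.rsplit("\\", 1)[-1]))
    proxy = by_cat["wininet-proxy"]
    modified = {leaf for label, leaf in proxy if label.startswith("Modifies")}
    deleted = {leaf for label, leaf in proxy if label.startswith("Deletes")}
    findings = []
    if {"ProxyServer", "ProxyEnable"} <= modified:
        findings.append("per-user WinINet proxy rewritten (ProxyServer and ProxyEnable both written)")
    if "ProxyServer" in deleted or "AutoConfigURL" in deleted:
        findings.append("proxy values deleted afterwards: settings removed before exit")
    if by_cat["ie-zone-policy"]:
        findings.append("IE Internet-zone (Zones\\3) policy changed")
    if by_cat["browser-history-cleanup"]:
        findings.append("IE typed-URL and history-cache artifacts deleted")
    return {"categories": {k: v for k, v in by_cat.items() if v},
            "modified": modified, "deleted": deleted, "findings": findings}


if __name__ == "__main__":
    for line in assess(SAMPLE)["findings"]:
        print("-", line)
```

The same classify() works on Sysmon event 13/12 target-object strings once the \REGISTRY\USER\S-* prefix is normalised to HKU\<SID>, which is how you would turn this report into a host-side detection.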
Other behavior
Behavior description:Adjusts process token privileges
details:SE_LOAD_DRIVER_PRIVILEGE
Behavior description:Creates mutexes
details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
RasPbFile
MSCTF.Shared.MUTEX.ELH
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
MSCTF.Shared.MUTEX.IBB
Local\c:!documents and settings!administrator!local settings!history!history.ie5!mshist012016082920160830!
Behavior description:Creates event objects
details:EventName = DINPUTWINMM
EventName = U2T48FAER2EL
EventName = Global\userenv: User Profile setup event
EventName = Global\crypt32LogoffEvent
EventName = MSCTF.SendReceive.Event.IBB.IC
EventName = MSCTF.SendReceiveConection.Event.IBB.IC
Behavior description:Searches for specified windows
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description:Opens events
details:HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
\INSTALLATION_SECURITY_HOLD
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000041
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000041
MSCTF.SendReceiveConection.Event.ELH.IC
MSCTF.SendReceive.Event.ELH.IC
Global\crypt32LogoffEvent
_fCanRegisterWithShellService
Behavior description:Reads the tick count (GetTickCount) around Sleep calls
details:TickCount = 5358059, SleepMilliseconds = 200.
TickCount = 5358090, SleepMilliseconds = 200.
TickCount = 5358121, SleepMilliseconds = 200.
TickCount = 5358168, SleepMilliseconds = 200.
TickCount = 5358309, SleepMilliseconds = 200.
TickCount = 5358340, SleepMilliseconds = 200.
TickCount = 5358450, SleepMilliseconds = 200.
TickCount = 5358465, SleepMilliseconds = 200.
TickCount = 5361343, SleepMilliseconds = 3000.
TickCount = 5361359, SleepMilliseconds = 3000.
TickCount = 5358809, SleepMilliseconds = 200.
TickCount = 5361625, SleepMilliseconds = 3000.
TickCount = 5358856, SleepMilliseconds = 200.
TickCount = 5358871, SleepMilliseconds = 200.
TickCount = 5358887, SleepMilliseconds = 200.
Behavior description:Reads the cursor position
details:CursorPos = (71,18468), SleepMilliseconds = 200.
CursorPos = (6364,26501), SleepMilliseconds = 200.
CursorPos = (19199,15725), SleepMilliseconds = 200.
CursorPos = (71,18468), SleepMilliseconds = 500.
CursorPos = (11508,29359), SleepMilliseconds = 500.
CursorPos = (6364,26501), SleepMilliseconds = 1000.
CursorPos = (19199,15725), SleepMilliseconds = 500.
CursorPos = (11508,29359), SleepMilliseconds = 1000.
CursorPos = (26992,24465), SleepMilliseconds = 200.
CursorPos = (19199,15725), SleepMilliseconds = 3000.
CursorPos = (5735,28146), SleepMilliseconds = 200.
CursorPos = (11508,29359), SleepMilliseconds = 3000.
CursorPos = (6364,26501), SleepMilliseconds = 1200.
CursorPos = (26992,24465), SleepMilliseconds = 1000.
CursorPos = (19199,15725), SleepMilliseconds = 1000.
Behavior description:Suppresses the window close message
details:hWnd = 0x00090358, Text = 无界浏览 16.03, ClassName = #32770.
Behavior description:Window information (button captions: 打开IE = Open IE, 高级设置 = Advanced settings, 帮助 = Help, 隐藏 = Hide, 退出 = Exit; static labels: 无界浏览 = the product name, 服务器选择 = Server selection, 连接速度 = Connection speed)
details:Pid = 1172, Hwnd=0x1002c8, Text = 打开IE, ClassName = Button.
Pid = 1172, Hwnd=0x1802fe, Text = Chrome, ClassName = Button.
Pid = 1172, Hwnd=0xb032a, Text = 高级设置, ClassName = Button.
Pid = 1172, Hwnd=0x503b0, Text = 帮助, ClassName = Button.
Pid = 1172, Hwnd=0x703ba, Text = 隐藏, ClassName = Button.
Pid = 1172, Hwnd=0x40392, Text = 退出, ClassName = Button.
Pid = 1172, Hwnd=0x403a2, Text = 无界浏览, ClassName = Static.
Pid = 1172, Hwnd=0x1902ce, Text = 服务器选择, ClassName = Static.
Pid = 1172, Hwnd=0x7038a, Text = 连接速度, ClassName = Static.
Pid = 1172, Hwnd=0x1d02bc, Text = 0%, ClassName = Static.
Pid = 1172, Hwnd=0x603ac, Text = 0%, ClassName = Static.
Pid = 1172, Hwnd=0xc03a0, Text = 0%, ClassName = Static.
Pid = 1172, Hwnd=0x1302c4, Text = Progress1, ClassName = msctls_progress32.
Pid = 1172, Hwnd=0x10034c, Text = Progress1, ClassName = msctls_progress32.
Pid = 1172, Hwnd=0x13033a, Text = Progress1, ClassName = msctls_progress32.
Behavior description:Looks up PE resource information
details:(FindResourceA) hModule = 0x00000000, ResName: , ResType: BIN
Behavior description:Executable signature information
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\utmp\u.exe (signature verification: failed)
Behavior description:Calls the Sleep function
details:[1]: MilliSeconds = 200.
[2]: MilliSeconds = 200.
[3]: MilliSeconds = 200.
[4]: MilliSeconds = 200.
[5]: MilliSeconds = 200.
[6]: MilliSeconds = 200.
[7]: MilliSeconds = 200.
[8]: MilliSeconds = 500.
[9]: MilliSeconds = 1000.
[10]: MilliSeconds = 3000.
Behavior description:Hides specified windows
details:[Window,Class] = [,tooltips_class32]
Behavior description:Executable MD5
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\utmp\u.exe ---> a4deb7fc18874bfea5f43bc4403d0ec6
Behavior description:Opens mutexes
details:ShimCacheMutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
Local\!IETld!Mutex
_!SHMSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!history!history.ie5!mshist012016082920160830!