VirSCAN

File information
Safety rating: 80
Behavior list
Basic Information
MD5: a267bf24151e94071c3884ee11588d31
File type: zip
Production company:
Version:
Shell or compiler information: COMPILER:Microsoft Visual C++ 6.0 [ZIP SFX]
Subfile information: HSS-3.42-install-plain-701-plain.exe / big file / Nsis
Key behavior
Behavior description: Set special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012015031020150311
Behavior description: Hide specified window
details:[Window,Class] = [,Static]
[Window,Class] = [Nullsoft Install System v2.45-Unicode ,Static]
[Window,Class] = [Nullsoft Install System v2.45-Unicode,Static]
[Window,Class] = [,Button]
[Window,Class] = [,Shell Embedding]
[Window,Class] = [,Internet Explorer_Server]
[Window,Class] = [下一步(&N) >,Button]
[Window,Class] = [显示细节(&D),Button]
[Window,Class] = [,AtlAxWin110]
[Window,Class] = [取消,Button]
[Window,Class] = [帮助,Button]
[Window,Class] = [完成,Button]
[Window,Class] = [,msctls_progress32]
Behavior description: Create system service
details:[服务创建成功]: HssDrv, system32\DRIVERS\HssDrv.sys
[服务已存在]: HssDrv, system32\DRIVERS\HssDrv.sys
[服务创建成功]: HssWd, C:\Program Files\Hotspot Shield\bin\hsswd.exe
[服务创建成功]: taphss, system32\DRIVERS\taphss.sys
Behavior description: Resolve host address by name
details:rptx.anchorfree.net
Process behavior
Behavior description: Create process with hidden window
details:ImagePath = , CmdLine = "c:\documents and settings\administrator\application data\hotspot shield\report\af_proxy_cmd_rep.exe" -p -h hash -o -t it -o 7 -u "http://rptx.anchorfree.net/wr-install.php?dm_ver=0&ver=3.42&ch=701&state=initiated"
ImagePath = , CmdLine = c:\documents and settings\administrator\application data\hotspot shield\report\af_proxy_cmd_rep.exe -h hash -o -t it -o 7 -u http://rptx.anchorfree.net/wr-install.php?dm_ver=0&ver=3.42&ch=701&state=initiated
ImagePath = , CmdLine = "c:\docume~1\admini~1\locals~1\temp\hssinstaller.exe" -iswow64
ImagePath = , CmdLine = "c:\docume~1\admini~1\locals~1\temp\tapinstall.exe" -preinstall
ImagePath = , CmdLine = "c:\docume~1\admini~1\locals~1\temp\hssinstaller.exe" -installdriver -c ndis5
ImagePath = , CmdLine =
ImagePath = , CmdLine = "c:\docume~1\admini~1\locals~1\temp\hssinstaller.exe" -compareversions "c:\program files\hotspot shield\hsswpr\hssdrv.sys" "c:\windows\system32\drivers\hssdrv.sys"
ImagePath = , CmdLine = "c:\docume~1\admini~1\locals~1\temp\hsspk.exe" -killpopups
ImagePath = , CmdLine = "c:\docume~1\admini~1\locals~1\temp\hsspk.exe" -killpopupsloop
ImagePath = , CmdLine = "c:\program files\hotspot shield\hsswpr\hssinstaller.exe" -installdriver -i ndis5 "c:\program files\hotspot shield\hsswpr"
ImagePath = , CmdLine = "c:\program files\hotspot shield\bin\hsswd.exe" -remove -product hss
ImagePath = , CmdLine = "c:\program files\hotspot shield\bin\openvpnas.exe" -remove
ImagePath = , CmdLine = "c:\program files\hotspot shield\bin\cmw_srv.exe" -remove
ImagePath = , CmdLine = "c:\program files\hotspot shield\bin\hsstrayservice.exe" -r hsstrayservice -quit
ImagePath = , CmdLine = "c:\program files\hotspot shield\bin\hssinstaller.exe" -encrypt "c:\hotspot shield\hssstate.xml" "c:\documents and settings\all users\application data\hotspot shield\config\hssstate.cfg" -product hss
Behavior description: Create process
details:ImagePath = C:\WINDOWS\system32\runonce.exe, CmdLine = runonce -r
Behavior description: Create process from newly written file
details:ImagePath = C:\Extracted\HSS-3.42-install-plain-701-plain.exe, CmdLine = "C:\Extracted\HSS-3.42-install-plain-701-plain.exe"
ImagePath = C:\Documents and Settings\Administrator\Application Data\Hotspot Shield\report\af_proxy_cmd_rep.exe, CmdLine = "C:\Documents and Settings\Administrator\Application Data\Hotspot Shield\report\af_proxy_cmd_rep.exe" -P -H hash -O -T it -o 7 -u "http:
ImagePath = C:\Documents and Settings\Administrator\Application Data\Hotspot Shield\report\af_proxy_cmd_rep.exe, CmdLine = "C:\Documents and Settings\Administrator\Application Data\Hotspot Shield\report\af_proxy_cmd_rep.exe" -H hash -O -T it -o 7 -u http://rpt
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HssInstaller.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HssInstaller.exe" -iswow64
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tapinstall.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tapinstall.exe" -preinstall
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HssInstaller.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HssInstaller.exe" -installdriver -c ndis5
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HssInstaller.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HssInstaller.exe" -compareversions "C:\Program Files\Hotspot Shield\HssWPR\hssdrv.sys" "C:\WINDOWS\system32\drivers\hssdrv.sys"
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hsspk.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hsspk.exe" -killpopups
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hsspk.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hsspk.exe" -killpopupsloop
ImagePath = C:\Program Files\Hotspot Shield\bin\HssInstaller.exe, CmdLine = "C:\Program Files\Hotspot Shield\bin\HssInstaller.exe" -encrypt "C:\Hotspot Shield\hssstate.xml" "C:\Documents and Settings\All Users\Application Data\Hotspot Shield\config\hssstate.cf
ImagePath = C:\Program Files\Hotspot Shield\bin\HssInstaller.exe, CmdLine = "C:\Program Files\Hotspot Shield\bin\HssInstaller.exe" -deluser C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\u0_old.txt
ImagePath = C:\Program Files\Hotspot Shield\bin\HssInstaller.exe, CmdLine = "C:\Program Files\Hotspot Shield\bin\HssInstaller.exe" -fbwuser fbwuser C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\u0_old.txt
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HssInstaller.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HssInstaller.exe" -reencrypt "" "C:\Program Files\Hotspot Shield\config\sd-info-direct.cfg"
ImagePath = C:\Program Files\Hotspot Shield\bin\hsswd.exe, CmdLine = "C:\Program Files\Hotspot Shield\bin\hsswd.exe" -install_nr -product hss
ImagePath = C:\Program Files\Hotspot Shield\bin\hsswd.exe, CmdLine = "C:\Program Files\Hotspot Shield\bin\hsswd.exe" -start -product hss
Behavior description: Enumerate processes
details:N/A
File behavior
Behavior description: Drop links or shortcuts in sensitive system locations (e.g. Start Menu)
details:C:\Documents and Settings\All Users\「开始」菜单\程序\Hotspot Shield\Hotspot Shield.lnk
C:\Documents and Settings\All Users\「开始」菜单\程序\Hotspot Shield\Uninstall Hotspot Shield.lnk
Behavior description: Create executable file
details:C:\Extracted\server1.exe
C:\Extracted\HSS-3.42-install-plain-701-plain.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsy5.tmp\UserInfo.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsy5.tmp\System.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsy5.tmp\nsProcess.dll
C:\Documents and Settings\Administrator\Application Data\Hotspot Shield\report\af_proxy_cmd_rep.exe
C:\Documents and Settings\Administrator\Application Data\Hotspot Shield\report\af_proxy.dll
C:\Documents and Settings\Administrator\Application Data\Hotspot Shield\report\zlib1.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsy5.tmp\ExecDos.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsy5.tmp\nsisos.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HssInstaller.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tapinstall.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hssinst32.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsy5.tmp\psdll.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsy5.tmp\nsDialogs.dll
Behavior description: Create file mapping with write access
details:CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
MSCTF.MarshalInterface.FileMap.ELK..ILOJF
MSCTF.MarshalInterface.FileMap.ELK.B.ILOJF
MSCTF.MarshalInterface.FileMap.ELK.C.ILOJF
MSCTF.MarshalInterface.FileMap.ELK.D.ILOJF
MSCTF.MarshalInterface.FileMap.ELK.E.ILOJF
MSCTF.MarshalInterface.FileMap.ELK.F.ILOJF
MSCTF.MarshalInterface.FileMap.ELK.G.ILOJF
Local\UrlZonesSM_Administrator
\WINDOWS\system32\zh-cn\ieframe.dll.mui
Local\!PrivacIE!SharedMem!Counter
\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012015031020150311\index.datndex.dat_16384
\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012015031020150311\index.datndex.dat_32768
\WINDOWS\system32\zh-cn\mshtml.dll.mui
MSCTF.MarshalInterface.FileMap.AOM..HBOLF
Behavior description: Rename file
details:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hssinst32.dll ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hssinst.dll
C:\Program Files\Hotspot Shield\HssWPR\hssinst32.dll ---> C:\Program Files\Hotspot Shield\HssWPR\hssinst.dll
C:\Program Files\Hotspot Shield\bin\hssinst32.dll ---> C:\Program Files\Hotspot Shield\bin\hssinst.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HssInstaller.exe ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hsspk.exe
C:\WINDOWS\system32\drivers\SET6.tmp ---> C:\WINDOWS\system32\drivers\hssdrv.sys
C:\WINDOWS\LastGood\TMP7.tmp ---> C:\WINDOWS\LastGood\INF\oem12.inf
C:\WINDOWS\LastGood\TMP8.tmp ---> C:\WINDOWS\LastGood\INF\oem12.PNF
C:\WINDOWS\LastGood\TMP9.tmp ---> C:\WINDOWS\LastGood\INF\oem13.inf
C:\WINDOWS\LastGood\TMPA.tmp ---> C:\WINDOWS\LastGood\INF\oem13.PNF
C:\WINDOWS\inf\INFCACHE.1 ---> C:\WINDOWS\inf\INFCACHE.2
C:\WINDOWS\inf\INFCACHE.0 ---> C:\WINDOWS\inf\INFCACHE.1
C:\WINDOWS\inf\INFCACHE.2 ---> C:\WINDOWS\inf\OLDCACHE.000
C:\WINDOWS\LastGood\TMPB.tmp ---> C:\WINDOWS\LastGood\system32\DRIVERS\HssDrv.sys
C:\WINDOWS\system32\drivers\SETD.tmp ---> C:\WINDOWS\system32\drivers\HssDrv.sys
C:\WINDOWS\LastGood\TMPE.tmp ---> C:\WINDOWS\LastGood\INF\oem14.inf
Behavior description: Set special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012015031020150311
Behavior description: Modify file contents
details:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sfx.ini---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HssInstaller.txt---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsy5.tmp\modern-header.bmp---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Hotspot Shield\html\AskToolbar.html---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Hotspot Shield\html\BingDSMSNHPOffer.html---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Hotspot Shield\html\CheckAskPage.html---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Hotspot Shield\html\HSSSlideShow.html---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Hotspot Shield\html\HSSSlideShowStep1.html---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Hotspot Shield\html\HSSSlideShowStep2.html---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Hotspot Shield\html\HSSSlideShowStep3.html---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Hotspot Shield\html\HSSSlideShowStep4.html---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Hotspot Shield\html\HssFinishPage.html---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Hotspot Shield\html\HssSafeSearchWelcomePage.html---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Hotspot Shield\html\HssWelcomePage.html---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Hotspot Shield\html\MSOfferPage.html---> Offset = 0
Network behavior
Behavior description: Connect to specified site
details:InternetConnectA: ServerName = cdn.hsselite.com, PORT = 80
Behavior description: Establish connection to a specified socket
details:127.0.0.1:1032
127.0.0.1:1033
Behavior description: Open HTTP request
details:HttpOpenRequestA: cdn.hsselite.com:80/static/inst/slider/index.html, hConnect = 0x000003b0
Behavior description: Resolve host address by name
details:rptx.anchorfree.net
Registry behavior
Behavior description: Delete registry key_Layered network protocol (Winsock LSP catalog)
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015
Behavior description: Delete registry key
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Network\NetCfgLockHolder
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014120120141208
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014121920141220
Behavior description: Delete registry value_IE connection settings
details:\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Behavior description: Modify registry
details:\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Extracted\HSS-3.42-install-plain-701-plain.exe
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Network\NetCfgLockHolder\
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015031020150311\CachePath
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015031020150311\CachePrefix
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015031020150311\CacheLimit
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015031020150311\CacheOptions
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015031020150311\CacheRepair
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\MACHINE\SYSTEM\LastKnownGoodRecovery\LastGood\INF/oem12.inf
\REGISTRY\MACHINE\SYSTEM\LastKnownGoodRecovery\LastGood\INF/oem12.PNF
\REGISTRY\MACHINE\SYSTEM\LastKnownGoodRecovery\LastGood\INF/oem13.inf
\REGISTRY\MACHINE\SYSTEM\LastKnownGoodRecovery\LastGood\INF/oem13.PNF
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@netcfgx.dll,-50003
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@netcfgx.dll,-50015
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@netcfgx.dll,-50002
Behavior description: Modify registry_Layered network protocol (Winsock LSP catalog)
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Num_Catalog_Entries
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Serial_Access_Num
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem
Behavior description: Delete registry value
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012\InfSectionExt
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0013\InfSectionExt
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014\InfSectionExt
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0003\Linkage\BindPath
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0003\Linkage\Bind
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0003\Linkage\Route
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014\Linkage\BindPath
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014\Linkage\Bind
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014\Linkage\Route
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0011\Linkage\BindPath
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0011\Linkage\Bind
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0011\Linkage\Route
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012\Linkage\BindPath
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012\Linkage\Bind
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012\Linkage\Route
Behavior description: Modify registry_Network settings
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7D7ED9FA-42DD-488E-A5C9-BAEDC177FAA2}\DefaultGateway
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7D7ED9FA-42DD-488E-A5C9-BAEDC177FAA2}\NameServer
Other behavior
Behavior description: Create driver file image
details:C:\WINDOWS\system32\drivers\HssDrv.sys
Behavior description: Create mutex
details:CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1645522239-1417001333-500MUTEX.DefaultS-1-5-21-1482476501-1645522239-1417001333-500
MSCTF.Shared.MUTEX.AEH
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
af_HotspotShield_inst_uninst_upd_Mutex
Global\NetCfgWriteLock
Local\!PrivacIE!SharedMemory!Mutex
_!SHMSFTHISTORY!_
Behavior description: Hide specified window
details:[Window,Class] = [,Static]
[Window,Class] = [Nullsoft Install System v2.45-Unicode ,Static]
[Window,Class] = [Nullsoft Install System v2.45-Unicode,Static]
[Window,Class] = [,Button]
[Window,Class] = [,Shell Embedding]
[Window,Class] = [,Internet Explorer_Server]
[Window,Class] = [下一步(&N) >,Button]
[Window,Class] = [显示细节(&D),Button]
[Window,Class] = [,AtlAxWin110]
[Window,Class] = [取消,Button]
[Window,Class] = [帮助,Button]
[Window,Class] = [完成,Button]
[Window,Class] = [,msctls_progress32]
Behavior description: Find specified window
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
NtUserFindWindowEx: [Class,Window] = [#32770,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [,硬件安装]
NtUserFindWindowEx: [Class,Window] = [,软件安装]
Behavior description: Start system service
details:[服务启动成功]: LocalSystem, Hotspot Shield Monitoring Service, C:\Program Files\Hotspot Shield\bin\hsswd.exe
Behavior description: Acquire system privilege
details:SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Create system service
details:[服务创建成功]: HssDrv, system32\DRIVERS\HssDrv.sys
[服务已存在]: HssDrv, system32\DRIVERS\HssDrv.sys
[服务创建成功]: HssWd, C:\Program Files\Hotspot Shield\bin\hsswd.exe
[服务创建成功]: taphss, system32\DRIVERS\taphss.sys
Behavior description: Window information
details:Pid = 2736, Hwnd=0x10350, Text = OK, ClassName = Button.
Pid = 2736, Hwnd=0x10352, Text = C:\Extracted, ClassName = Edit.
Pid = 2736, Hwnd=0x10354, Text = ..., ClassName = Button.
Pid = 2736, Hwnd=0x10356, Text = Cancel, ClassName = Button.
Pid = 2736, Hwnd=0x10358, Text = , ClassName = Static.
Pid = 2736, Hwnd=0x1035a, Text = Press OK to continue., ClassName = Edit.
Pid = 2736, Hwnd=0x1035c, Text = Progress1, ClassName = msctls_progress32.
Pid = 2736, Hwnd=0x2034c, Text = HSS-3.42-install-plain-701-plain, ClassName = #32770.
Pid = 3292, Hwnd=0x20358, Text = 安装(&I), ClassName = Button.
Pid = 3292, Hwnd=0x20356, Text = 取消, ClassName = Button.
Pid = 3292, Hwnd=0x10362, Text = Nullsoft Install System v2.45-Unicode , ClassName = Static.
Pid = 3292, Hwnd=0x10364, Text = Nullsoft Install System v2.45-Unicode, ClassName = Static.
Pid = 3292, Hwnd=0x4035c, Text = Hotspot Shield 3.42 安装, ClassName = #32770.
Pid = 3976, Hwnd=0x1042c, Text = C:\Program Files\Hotspot Shield\...\hssdrv.sys, ClassName = Static.
Pid = 3976, Hwnd=0x10432, Text = 取消, ClassName = Button.
Behavior description: Open image file
details:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsy5.tmp\modern-header.bmp
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Hotspot Shield\html\img\ask_toolbar.bmp
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Hotspot Shield\html\img\conduit_toolbar.bmp
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Hotspot Shield\html\img\logo_grey.bmp
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Hotspot Shield\html\img\safesearch_toolbar.bmp
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Hotspot Shield\html\slider\img\bg.jpg
\Documents and Settings\Administrator\Local Settings\Temp\Hotspot Shield\html\img\conduit_toolbar.bmp
\Program Files\Hotspot Shield\htdocs\connected12.bmp
\Program Files\Hotspot Shield\htdocs\connected16.bmp
\Program Files\Hotspot Shield\htdocs\connected20.bmp
\Program Files\Hotspot Shield\htdocs\connected24.bmp
\Program Files\Hotspot Shield\htdocs\connecting12.bmp
\Program Files\Hotspot Shield\htdocs\connecting16.bmp
\Program Files\Hotspot Shield\htdocs\connecting20.bmp
\Program Files\Hotspot Shield\htdocs\connecting24.bmp