VirSCAN

1. You can upload any file, but there is a 20Mb limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives whose password is 'infected' or 'virus'.


File information
Safety rating: 20
Behavior list
Basic Information
MD5: db9593cf9fadc8b1a32dc830a538a55e
File type: EXE
Production company: 517VPN
Version: 3.2.3.5---517VPN
Shell or compiler information: PACKER:UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
Key behavior
Behavior description: Modifies an original system EXE file
details: C:\%temp%\1443016022.321287.exe---> Offset = 3459
Behavior description: Hides specified windows
details: [Window,Class] = [,ComboLBox]
[Window,Class] = [,BrowserFrameGripperClass]
[Window,Class] = [Windows Internet Explorer,IEFrame]
[Window,Class] = [缩放级别,ToolbarWindow32]
[Window,Class] = [,msctls_progress32]
[Window,Class] = [,Shell Embedding]
[Window,Class] = [,Internet Explorer_Server]
Behavior description: Modifies registry (Image File Execution Options hijack)
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360hotfix.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apvxdwin.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ast.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avengine.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avltmain.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp32.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avtask.exe\Debugger
Behavior description: Loads a driver (standard method)
details: \??\C:\WINDOWS\system32\drivers\WmiSvc.sys
Behavior description: Kills a process
details: C:\Program Files\Internet Explorer\iexplore.exe
Behavior description: Modifies an executable file via memory mapping
details: \device\harddiskvolume1\%temp%\1443016021.193271.exe
Behavior description: Blocks window close messages
details: hWnd = 0x000202a4, Text = 517VPN登陆器, ClassName = #32770.
Behavior description: Modifies the HOSTS file
details: C:\WINDOWS\system32\drivers\etc\hosts---> Offset = 0
Behavior description: Captures window screenshot information
details: Foreground window Info: HWND = 0x020104f1, DC = 0x020104f1.
Behavior description: Maps files with write access
details: CiceroSharedMemDefaultS-*
\WINDOWS\system32\zh-cn\ieframe.dll.mui
Local\UrlZonesSM_Administrator
DfSharedHeap3D5834
\WINDOWS\system32\zh-cn\wshext.dll.mui
Local\C:_Documents and Settings_NetworkService_Local Settings_Temporary Internet Files_Content.IE5_index.dat_16384
Local\!PrivacIE!SharedMem!Counter
Local\C:_Documents and Settings_NetworkService_Cookies_index.dat_16384
Local\C:_Documents and Settings_NetworkService_Local Settings_History_History.IE5_index.dat_16384
Local\C:_Documents and Settings_NetworkService_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768
Local\C:_Documents and Settings_NetworkService_IETldCache_index.dat_16384
Local\C:_Documents and Settings_NetworkService_IETldCache_index.dat_32768
Local\C:_Documents and Settings_NetworkService_IETldCache_index.dat_49152
Local\C:_Documents and Settings_NetworkService_IETldCache_index.dat_65536
Local\C:_Documents and Settings_NetworkService_IETldCache_index.dat_81920
Behavior description: Sets special folder attributes
details: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\NetworkService\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JHOH343A
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\3ZZUPF9A
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BQDFNYTS
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\LNBR8ZYO
C:\Documents and Settings\NetworkService\Cookies
C:\Documents and Settings\NetworkService\IETldCache
Behavior description: Creates system services
details: [服务创建成功]: 6to4, %SystemRoot%\System32\svchost.exe -k netsvcs
[服务创建成功]: WmiSvc, C:\WINDOWS\system32\drivers\WmiSvc.sys
Behavior description: Resolves host addresses by name
details: www.dy2004.com
computer
wpad
Process behavior
Behavior description: Creates processes with a hidden window
details: ImagePath = , CmdLine = "c:\docume~1\admini~1\locals~1\temp\tempdel.bat"
ImagePath = c:\program files\internet explorer\iexplore.exe, CmdLine = "c:\program files\internet explorer\iexplore.exe" http://www.dy2004.com/msn/mm.htm
Behavior description: Creates processes
details: ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c ""C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TempDel.bat" "
ImagePath = C:\Program Files\Internet Explorer\iexplore.exe, CmdLine = "C:\Program Files\Internet Explorer\iexplore.exe" http://www.dy2004.com/msn/mm.htm
ImagePath = C:\Program Files\Internet Explorer\iexplore.exe, CmdLine = "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3564 CREDAT:79873
Behavior description: Creates a process from a newly written file
details: ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tem81.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tem81.exe"
Behavior description: Enumerates processes
details: N/A
Behavior description: Kills a process
details: C:\Program Files\Internet Explorer\iexplore.exe
File behavior
Behavior description: Modifies an original system EXE file
details: C:\%temp%\1443016022.321287.exe---> Offset = 3459
Behavior description: Creates executable files
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tem81.exe
C:\WINDOWS\system32\dllcache\6to4.dll
C:\WINDOWS\system32\6to4.dll
C:\WINDOWS\system32\drivers\WmiSvc.sys
C:\WINDOWS\system32\dllcache\systembox.bak
Behavior description: Searches for files
details: FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tem81.exe
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\My Documents
FileName = C:\Documents and Settings\All Users
FileName = C:\Documents and Settings\All Users\Documents
FileName = C:\Documents and Settings\Administrator\桌面
FileName = C:\Documents and Settings\All Users\桌面
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TempDel.bat
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Behavior description: Modifies an executable file via memory mapping
details: \device\harddiskvolume1\%temp%\1443016021.193271.exe
Behavior description: Modifies the HOSTS file
details: C:\WINDOWS\system32\drivers\etc\hosts---> Offset = 0
Behavior description: Maps files with write access
details: CiceroSharedMemDefaultS-*
\WINDOWS\system32\zh-cn\ieframe.dll.mui
Local\UrlZonesSM_Administrator
DfSharedHeap3D5834
\WINDOWS\system32\zh-cn\wshext.dll.mui
Local\C:_Documents and Settings_NetworkService_Local Settings_Temporary Internet Files_Content.IE5_index.dat_16384
Local\!PrivacIE!SharedMem!Counter
Local\C:_Documents and Settings_NetworkService_Cookies_index.dat_16384
Local\C:_Documents and Settings_NetworkService_Local Settings_History_History.IE5_index.dat_16384
Local\C:_Documents and Settings_NetworkService_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768
Local\C:_Documents and Settings_NetworkService_IETldCache_index.dat_16384
Local\C:_Documents and Settings_NetworkService_IETldCache_index.dat_32768
Local\C:_Documents and Settings_NetworkService_IETldCache_index.dat_49152
Local\C:_Documents and Settings_NetworkService_IETldCache_index.dat_65536
Local\C:_Documents and Settings_NetworkService_IETldCache_index.dat_81920
Behavior description: Sets special folder attributes
details: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\NetworkService\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JHOH343A
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\3ZZUPF9A
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BQDFNYTS
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\LNBR8ZYO
C:\Documents and Settings\NetworkService\Cookies
C:\Documents and Settings\NetworkService\IETldCache
Behavior description: Modifies file contents
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\517VPN.ini---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_img.img---> Offset = 0
C:\WINDOWS\system32\wbem\Logs\wbemess.log---> Offset = 5455
C:\WINDOWS\system32\wbem\Logs\wbemess.log---> Offset = 5550
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JHOH343A\desktop.ini---> Offset = 0
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\3ZZUPF9A\desktop.ini---> Offset = 0
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BQDFNYTS\desktop.ini---> Offset = 0
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\LNBR8ZYO\desktop.ini---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\dnserrordiagoff_webOC[2]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\errorPageStrings[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\httpErrorPagesScripts[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\background_gradient[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\info_48[1]---> Offset = 0
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat---> Offset = 0
Network behavior
Behavior description: Enumerates network shares
details: N/A
Behavior description: Opens a URL over the network
details: InternetOpenUrlA: http://110.110.110.110:80/wpad.dat hInternet = 0x000004d4
Behavior description: Downloads a file
details: URLDownloadToFileW: http://www.dy2004.com/msn/mm.txt ---> C:\WINDOWS\TEMP\TempLocal.txt
C:\WINDOWS\Temp\TempLocal.txt
Behavior description: Connects to specified sites
details: InternetConnectA: ServerName = www.517vpn.com, PORT = 80
InternetConnectA: ServerName = www.dy2004.com, PORT = 80
Behavior description: Establishes a socket connection to a specified address
details: 127.0.0.1:1031
127.0.0.1:1032
Behavior description: Reads a network file
details: hFile = 0x000004d4, BytesToRead =4010, BytesRead = 4010.
Behavior description: Opens HTTP requests
details: HttpOpenRequestA: www.517vpn.com:80/tpgg.html, hConnect = 0x00000470
HttpOpenRequestA: www.dy2004.com:80/msn/mm.htm, hConnect = 0xffffffff
HttpOpenRequestA: www.dy2004.com:80/msn/mm.htm, hConnect = 0x00000424
Behavior description: Resolves host addresses by name
details: www.dy2004.com
computer
wpad
Registry behavior
Behavior description: Modifies the registry
details: \REGISTRY\MACHINE\SOFTWARE\517VPN\996E\Path
\REGISTRY\MACHINE\SOFTWARE\517VPN\996E\Version
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\6to4\Parameters\ServiceDll
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TempDel.bat
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CachePath
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CachePrefix
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CacheLimit
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CacheOptions
Behavior description: Deletes registry keys
details: \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\{63800dac-e7ca-4df9-9a5c-20765055488d}
\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000
\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile
\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}
Behavior description: Modifies registry (Image File Execution Options hijack)
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360hotfix.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apvxdwin.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ast.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avengine.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avltmain.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp32.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avtask.exe\Debugger
Behavior description: Deletes registry values (IE connection settings)
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Behavior description: Deletes registry values
details: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%windir%\System32\ieframe.dll.mui,-12385
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache\@C:\WINDOWS\System32\ieframe.dll.mui,-12385
Other behavior
Behavior description: Sets object security information
details: MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Behavior description: Creates mutexes
details: RasPbFile
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Local\c:!documents and settings!networkservice!local settings!temporary internet files!content.ie5!
Local\!PrivacIE!SharedMemory!Mutex
Local\c:!documents and settings!networkservice!cookies!
Local\c:!documents and settings!networkservice!local settings!history!history.ie5!
Behavior description: Hides specified windows
details: [Window,Class] = [,ComboLBox]
[Window,Class] = [,BrowserFrameGripperClass]
[Window,Class] = [Windows Internet Explorer,IEFrame]
[Window,Class] = [缩放级别,ToolbarWindow32]
[Window,Class] = [,msctls_progress32]
[Window,Class] = [,Shell Embedding]
[Window,Class] = [,Internet Explorer_Server]
Behavior description: Loads a driver (standard method)
details: \??\C:\WINDOWS\system32\drivers\WmiSvc.sys
Behavior description: Searches for specified windows
details: NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [Static,]
Behavior description: Starts a system service
details: [服务启动成功]: , WmiSvc, \??\C:\WINDOWS\system32\drivers\WmiSvc.sys
Behavior description: Window information
details: Pid = 1396, Hwnd=0x202b2, Text = 取消, ClassName = Button.
Pid = 1396, Hwnd=0x302ba, Text = 最小化, ClassName = Button.
Pid = 1396, Hwnd=0x302dc, Text = 保存密码, ClassName = Button.
Pid = 1396, Hwnd=0x202d6, Text = 注册会员, ClassName = Static.
Pid = 1396, Hwnd=0x202d8, Text = 免费测试, ClassName = Static.
Pid = 1396, Hwnd=0x202c2, Text = 连接, ClassName = Button.
Pid = 1396, Hwnd=0x202c4, Text = 取消, ClassName = Button.
Pid = 1396, Hwnd=0x202c8, Text = 使用帮助, ClassName = Button.
Pid = 1396, Hwnd=0x202ca, Text = 检测, ClassName = Button.
Pid = 1396, Hwnd=0x202c6, Text = 全国主力1, ClassName = ComboBox.
Pid = 1396, Hwnd=0x302b8, Text = 自动更新完毕., ClassName = Button.
Pid = 1396, Hwnd=0x202a4, Text = 517VPN登陆器, ClassName = #32770.
Pid = 1396, Hwnd=0x202c6, Text = 全国主力2, ClassName = ComboBox.
Behavior description: Acquires system privileges
details: SE_AUDIT_PRIVILEGE
SE_TCB_PRIVILEGE
SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Reads the TickCount value
details: TickCount = 488296, SleepMilliseconds = 1000.
TickCount = 488500, SleepMilliseconds = 1000.
TickCount = 488531, SleepMilliseconds = 1000.
TickCount = 488546, SleepMilliseconds = 1000.
TickCount = 488578, SleepMilliseconds = 1000.
TickCount = 488781, SleepMilliseconds = 1000.
TickCount = 488812, SleepMilliseconds = 1000.
TickCount = 488953, SleepMilliseconds = 1000.
TickCount = 488968, SleepMilliseconds = 1000.
TickCount = 489125, SleepMilliseconds = 1000.
TickCount = 489140, SleepMilliseconds = 1000.
TickCount = 489906, SleepMilliseconds = 1000.
TickCount = 489968, SleepMilliseconds = 1000.
TickCount = 490000, SleepMilliseconds = 1000.
TickCount = 490015, SleepMilliseconds = 1000.
Behavior description: Reads the cursor position
details: CursorPos = (106,18467), SleepMilliseconds = 1000.
CursorPos = (6399,26500), SleepMilliseconds = 1000.
CursorPos = (19234,15724), SleepMilliseconds = 1000.
CursorPos = (11543,29358), SleepMilliseconds = 1000.
CursorPos = (27027,24464), SleepMilliseconds = 1000.
CursorPos = (5770,28145), SleepMilliseconds = 1000.
CursorPos = (23346,16827), SleepMilliseconds = 1000.
CursorPos = (10026,491), SleepMilliseconds = 1000.
CursorPos = (3060,11942), SleepMilliseconds = 1000.
CursorPos = (4892,5436), SleepMilliseconds = 1000.
CursorPos = (32456,14604), SleepMilliseconds = 1000.
CursorPos = (3967,153), SleepMilliseconds = 1000.
CursorPos = (357,12382), SleepMilliseconds = 1000.
CursorPos = (17486,18716), SleepMilliseconds = 1000.
CursorPos = (19783,19895), SleepMilliseconds = 1000.
Behavior description: Blocks window close messages
details: hWnd = 0x000202a4, Text = 517VPN登陆器, ClassName = #32770.
Behavior description: Opens a specified web page in IE
details: http://www.dy2004.com/msn/mm.htm
Behavior description: Captures window screenshot information
details: Foreground window Info: HWND = 0x020104f1, DC = 0x020104f1.
Behavior description: Calls the Sleep function
details: [1]: MilliSeconds = 1000.
[2]: MilliSeconds = 1000.
[3]: MilliSeconds = 1000.
[4]: MilliSeconds = 1000.
[5]: MilliSeconds = 1000.
[6]: MilliSeconds = 1000.
[7]: MilliSeconds = 60000.
[8]: MilliSeconds = 1000.
[9]: MilliSeconds = 1000.
[10]: MilliSeconds = 1000.
Behavior description: Creates system services
details: [服务创建成功]: 6to4, %SystemRoot%\System32\svchost.exe -k netsvcs
[服务创建成功]: WmiSvc, C:\WINDOWS\system32\drivers\WmiSvc.sys
Run screenshot