VirSCAN
File information
Safety rating: 12
Behavior list
Basic Information
MD5: 1b32054a52265abb638091776bcbc6bc
File type: EXE
Production company: Microsoft Corporation
Version: 11.0.5510.0 --- 11.0.5510
Shell or compiler information: COMPILER: Microsoft Visual C++ 6.0 - 8.0 [Overlay] *
The company and version fields come from the file's version resource and are not a signature check; with the compiler detector reporting an overlay and the file-infection behaviour listed below, they plausibly belong to an infected host executable rather than to the malicious code itself.
Key behavior
Behavior description: Modify existing system EXE files
details: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE---> Offset = 12378112
C:\WINDOWS\system32\Cmb_Pb_LiveUpdate.exe---> Offset = 405504
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe---> Offset = 102400
C:\Program Files\Microsoft Office 2007\Office12\WINWORD.EXE---> Offset = 472576
C:\Program Files\Microsoft Office 2007\Office12\POWERPNT.EXE---> Offset = 584704
C:\Program Files\Microsoft Office 2007\Office12\EXCEL.EXE---> Offset = 18430976
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE---> Offset = 10419712
C:\Program Files\VMware\VMware Tools\VMwareTray.exe---> Offset = 249856
C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE---> Offset = 6482432
C:\Program Files\VMware\VMware Tools\VMwareUser.exe---> Offset = 1171456
Behavior description: Write data into another process
details: TargetProcess = explorer.exe, WriteAddress = 0x02620000, Size = 8192
C:\WINDOWS\explorer.exe
TargetProcess = explorer.exe, WriteAddress = 0x02630000, Size = 4096
TargetProcess = ctfmon.exe, WriteAddress = 0x009a0000, Size = 8192
C:\WINDOWS\system32\ctfmon.exe
TargetProcess = ctfmon.exe, WriteAddress = 0x009b0000, Size = 4096
TargetProcess = QQ.exe, WriteAddress = 0x00c60000, Size = 8192
C:\Program Files\Tencent\QQ\Bin\QQ.exe
TargetProcess = QQ.exe, WriteAddress = 0x00c70000, Size = 4096
TargetProcess = TXPlatform.exe, WriteAddress = 0x01220000, Size = 8192
C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe
TargetProcess = TXPlatform.exe, WriteAddress = 0x01230000, Size = 4096
TargetProcess = conime.exe, WriteAddress = 0x00910000, Size = 8192
C:\WINDOWS\system32\conime.exe
TargetProcess = conime.exe, WriteAddress = 0x00e30000, Size = 4096
Behavior description: Probe for a virtual machine via file attributes
details: GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwaretray.exe
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwareuser.exe
GetFileAttributes: FileName = c:\windows\system32\vboxtray.exe
Behavior description: Modify registry: Task Manager policy
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr
Behavior description: Modify registry: UAC setting
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
Behavior description: Load driver (standard method)
details: system32\DRIVERS\ipfltdrv.sys
\??\C:\WINDOWS\system32\drivers\pigmu.sys
Behavior description: Create remote thread
details: C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tencent\QQ\Bin\QQ.exe
C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\PersonalBankPortal.exe
C:\%temp%\1442912281.924667.exe
C:\%temp%\1442912281.931805.exe
C:\WINDOWS\system32\taskmgr.exe
C:\%temp%\1442912281.953099.exe
C:\%temp%\1442912281.960091.exe
C:\WINDOWS\system32\patchupdate.exe
C:\WINDOWS\system32\tm.exe
C:\Program Files\Internet Explorer\iexplore.exe
Behavior description: Modify executable via memory-mapped file
details: \device\harddiskvolume1\program files\microsoft office\office11\winword.exe
\device\harddiskvolume1\windows\system32\cmb_pb_liveupdate.exe
\device\harddiskvolume1\program files\adobe\reader 9.0\reader\reader_sl.exe
\device\harddiskvolume1\windows\system32\cmd.exe
\device\harddiskvolume1\program files\microsoft office 2007\office12\winword.exe
\device\harddiskvolume1\program files\microsoft office 2007\office12\powerpnt.exe
\device\harddiskvolume1\program files\microsoft office 2007\office12\excel.exe
\device\harddiskvolume1\program files\microsoft office\office11\excel.exe
\device\harddiskvolume1\program files\vmware\vmware tools\vmwaretray.exe
\device\harddiskvolume1\program files\microsoft office\office11\powerpnt.exe
\device\harddiskvolume1\program files\vmware\vmware tools\vmwareuser.exe
Behavior description: Set special file attributes
details: C:\DiskX\ffor.exe
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
Behavior description: Stop system service
details: ServiceName = Application Layer Gateway Service
Behavior description: Attempt to open rootkit driver device object
details: \??\amsint32
Behavior description: Map file with write access
details: hh8geqpHJTkdns0
purity_control_90833
\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winockxaa.exe
\WINDOWS\system32\Cmb_Pb_LiveUpdate.exe
Local\UrlZonesSM_Administrator
\DiskX\ffor.exe
\WINDOWS\system32\zh-cn\ieframe.dll.mui
\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
\WINDOWS\system32\cmd.exe
\Program Files\Microsoft Office 2007\Office12\WINWORD.EXE
\Program Files\Microsoft Office 2007\Office12\POWERPNT.EXE
\Program Files\Microsoft Office 2007\Office12\EXCEL.EXE
\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
\Program Files\VMware\VMware Tools\VMwareTray.exe
Behavior description: Set special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Modify registry: disable Registry Editor
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools
Behavior description: Create system service
details: [service already exists]: IPFILTERDRIVER, C:\WINDOWS\system32\drivers\ipfltdrv.sys
[service created successfully]: amsint32, C:\WINDOWS\system32\drivers\pigmu.sys
Process behavior
Behavior description: Write data into another process
details: TargetProcess = explorer.exe, WriteAddress = 0x02620000, Size = 8192
C:\WINDOWS\explorer.exe
TargetProcess = explorer.exe, WriteAddress = 0x02630000, Size = 4096
TargetProcess = ctfmon.exe, WriteAddress = 0x009a0000, Size = 8192
C:\WINDOWS\system32\ctfmon.exe
TargetProcess = ctfmon.exe, WriteAddress = 0x009b0000, Size = 4096
TargetProcess = QQ.exe, WriteAddress = 0x00c60000, Size = 8192
C:\Program Files\Tencent\QQ\Bin\QQ.exe
TargetProcess = QQ.exe, WriteAddress = 0x00c70000, Size = 4096
TargetProcess = TXPlatform.exe, WriteAddress = 0x01220000, Size = 8192
C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe
TargetProcess = TXPlatform.exe, WriteAddress = 0x01230000, Size = 4096
TargetProcess = conime.exe, WriteAddress = 0x00910000, Size = 8192
C:\WINDOWS\system32\conime.exe
TargetProcess = conime.exe, WriteAddress = 0x00e30000, Size = 4096
Behavior description: Create remote thread
details: C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tencent\QQ\Bin\QQ.exe
C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\PersonalBankPortal.exe
C:\%temp%\1442912281.924667.exe
C:\%temp%\1442912281.931805.exe
C:\WINDOWS\system32\taskmgr.exe
C:\%temp%\1442912281.953099.exe
C:\%temp%\1442912281.960091.exe
C:\WINDOWS\system32\patchupdate.exe
C:\WINDOWS\system32\tm.exe
C:\Program Files\Internet Explorer\iexplore.exe
Behavior description: Enumerate processes
details: N/A
Behavior description: Create process
details: ImagePath = C:\Program Files\Internet Explorer\IEXPLORE.EXE, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.yixun.com/
File behavior
Behavior description: Modify existing system EXE files
details: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE---> Offset = 12378112
C:\WINDOWS\system32\Cmb_Pb_LiveUpdate.exe---> Offset = 405504
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe---> Offset = 102400
C:\Program Files\Microsoft Office 2007\Office12\WINWORD.EXE---> Offset = 472576
C:\Program Files\Microsoft Office 2007\Office12\POWERPNT.EXE---> Offset = 584704
C:\Program Files\Microsoft Office 2007\Office12\EXCEL.EXE---> Offset = 18430976
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE---> Offset = 10419712
C:\Program Files\VMware\VMware Tools\VMwareTray.exe---> Offset = 249856
C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE---> Offset = 6482432
C:\Program Files\VMware\VMware Tools\VMwareUser.exe---> Offset = 1171456
Behavior description: Create executable file
details: C:\WINDOWS\system32\drivers\pigmu.sys
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winockxaa.exe
C:\DiskX\ffor.exe
Behavior description: Search for files
details: FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\*
FileName = C:\*
FileName = C:\ANALYZECONTROL\*
FileName = D:\*
FileName = C:\DISKD\*
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\My Documents
FileName = C:\Documents and Settings\All Users
FileName = C:\Documents and Settings\All Users\Documents
FileName = C:\Documents and Settings\Administrator\桌面
FileName = C:\Documents and Settings\All Users\桌面
FileName = C:\Program Files\Internet Explorer\IEXPLORE.EXE
FileName = C:\DISKX\*
FileName = C:\Program Files\Internet Explorer\iexplore.exe
Behavior description: Modify executable via memory-mapped file
details: \device\harddiskvolume1\program files\microsoft office\office11\winword.exe
\device\harddiskvolume1\windows\system32\cmb_pb_liveupdate.exe
\device\harddiskvolume1\program files\adobe\reader 9.0\reader\reader_sl.exe
\device\harddiskvolume1\windows\system32\cmd.exe
\device\harddiskvolume1\program files\microsoft office 2007\office12\winword.exe
\device\harddiskvolume1\program files\microsoft office 2007\office12\powerpnt.exe
\device\harddiskvolume1\program files\microsoft office 2007\office12\excel.exe
\device\harddiskvolume1\program files\microsoft office\office11\excel.exe
\device\harddiskvolume1\program files\vmware\vmware tools\vmwaretray.exe
\device\harddiskvolume1\program files\microsoft office\office11\powerpnt.exe
\device\harddiskvolume1\program files\vmware\vmware tools\vmwareuser.exe
Behavior description: Set special file attributes
details: C:\DiskX\ffor.exe
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
Behavior description: Map file with write access
details: hh8geqpHJTkdns0
purity_control_90833
\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winockxaa.exe
\WINDOWS\system32\Cmb_Pb_LiveUpdate.exe
Local\UrlZonesSM_Administrator
\DiskX\ffor.exe
\WINDOWS\system32\zh-cn\ieframe.dll.mui
\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
\WINDOWS\system32\cmd.exe
\Program Files\Microsoft Office 2007\Office12\WINWORD.EXE
\Program Files\Microsoft Office 2007\Office12\POWERPNT.EXE
\Program Files\Microsoft Office 2007\Office12\EXCEL.EXE
\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
\Program Files\VMware\VMware Tools\VMwareTray.exe
Behavior description: Set special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Modify file contents
details: C:\WINDOWS\system.ini---> Offset = 231
C:\77390---> Offset = 0
C:\DiskD\77797---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\oauxe.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winkdwsv.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winffgwm.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\jryb.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winrwpry.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fbfiao.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\awmr.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\durkri.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\windysw.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winargcqu.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tvdv.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winklmn.exe---> Offset = 0
Network behavior
Behavior description: Open URL over the network
details: InternetOpenUrlA: http://sagocugenc.sa.funpic.de/images/logos.gif?7c07f=1016062 hInternet = 0x00000554
InternetOpenUrlA: http://www.eleonuccorini.com/images/logos.gif?77872=1468758 hInternet = 0x00000554
InternetOpenUrlA: http://www.cityofangelsmagazine.com/images/logos.gif?778b1=3917192 hInternet = 0x00000554
InternetOpenUrlA: http://www.21yybuyukanadolu.com/images/logos.gif?776ff=978430 hInternet = 0x00000554
InternetOpenUrlA: http://yucelcavdar.com/logos_s.gif?7762e=4401054 hInternet = 0x00000554
InternetOpenUrlA: http://www.luster-adv.com/gallery/Fusion/images/logos.gif?2c147c=8666484 hInternet = 0x00000554
InternetOpenUrlA: http://sagocugenc.sa.funpic.de/images/logos.gif?77da2=4418226 hInternet = 0x0000054c
InternetOpenUrlA: http://www.eleonuccorini.com/images/logos.gif?77de1=490977 hInternet = 0x0000054c
InternetOpenUrlA: http://www.cityofangelsmagazine.com/images/logos.gif?77e2f=3437385 hInternet = 0x0000054c
InternetOpenUrlA: http://www.21yybuyukanadolu.com/images/logos.gif?10a22d=3270279 hInternet = 0x0000054c
InternetOpenUrlA: http://yucelcavdar.com/logos_s.gif?10a25c=10901400 hInternet = 0x0000054c
InternetOpenUrlA: http://www.luster-adv.com/gallery/Fusion/images/logos.gif?10a29b=4360812 hInternet = 0x0000054c
InternetOpenUrlA: http://sagocugenc.sa.funpic.de/images/logos.gif?77ff2=3440542 hInternet = 0x00000554
InternetOpenUrlA: http://www.eleonuccorini.com/images/logos.gif?78120=491808 hInternet = 0x00000554
InternetOpenUrlA: http://www.cityofangelsmagazine.com/images/logos.gif?77f5e=3439506 hInternet = 0x00000554
Behavior description: Download file
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\oauxe.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winkdwsv.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winffgwm.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\jryb.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winrwpry.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fbfiao.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\awmr.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\durkri.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\windysw.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winargcqu.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tvdv.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winklmn.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pyatv.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlvos.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlkri.exe
Behavior description: Read network file
details: hFile = 0x00000554, BytesToRead = 1024, BytesRead = 1024.
hFile = 0x0000054c, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000544, BytesToRead =1024, BytesRead = 1024.
hFile = 0x0000056c, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000540, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000530, BytesToRead =1024, BytesRead = 1024.
hFile = 0x000006f8, BytesToRead =1024, BytesRead = 1024.
hFile = 0x0000051c, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000520, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000518, BytesToRead =1024, BytesRead = 1024.
hFile = 0x0000050c, BytesToRead =1024, BytesRead = 1024.
hFile = 0x000004f8, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000500, BytesToRead =1024, BytesRead = 1024.
hFile = 0x000004f0, BytesToRead =1024, BytesRead = 1024.
hFile = 0x000004e4, BytesToRead =1024, BytesRead = 1024.
Registry behavior
Behavior description: Delete registry key
details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\AppMgmt
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Base
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Boot Bus Extender
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Boot file system
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\CryptSvc
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\DcomLaunch
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmadmin
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmboot.sys
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmio.sys
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmload.sys
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmserver
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\EventLog
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\File system
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Filter
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Netlogon
Behavior description: Modify registry: Explorer hidden-file display setting
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
Behavior description: Modify registry: Task Manager policy
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr
Behavior description: Modify registry: UAC setting
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
Behavior description: Modify registry
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\%temp%\1442912282.244568.exe
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\-993627007\1768776769
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\-993627007\-757413758
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\-993627007\1011363011
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\-993627007\-1514827516
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\-993627007\253949253
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\-993627007\-503464505
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A1_0
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A2_0
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A3_0
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A4_0
Behavior description: Modify registry: Security Center settings
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UacDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\UpdatesDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\UacDisableNotify
Behavior description: Delete registry value
details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\AlternateShell
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\AppMgmt\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Base\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Boot Bus Extender\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Boot file system\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\CryptSvc\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\DcomLaunch\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmadmin\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmboot.sys\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmio.sys\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmload.sys\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmserver\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\EventLog\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\File system\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Filter\
Behavior description: Modify registry: disable Registry Editor
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools
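Taken together, the registry changes in this section switch off the controls a user or responder reaches for first (Task Manager, regedit, UAC, Security Center and firewall notifications, the firewall exception policy), and the deletions under SafeBoot\Minimal remove the drivers and services Safe Mode needs, so Safe Mode stops being a usable clean-up path. The report names the values the sample touches but not the data it writes. The following is an added example, not VirSCAN's code and not the sample's: a Python audit that compares a registry snapshot against stock defaults (assumed: an unhardened XP/Vista-era host; adjust BENIGN to your own baseline) and reports every deviation plus every missing Safe Mode entry. The live reader uses the standard winreg module and only runs on Windows; the audit itself runs anywhere on a snapshot.

```python
"""Audit a Windows host for the registry tamper pattern listed above.

Added example; not VirSCAN's code and not the sample's own code.  The report
names the values the sample writes but not the data, so the audit compares
against stock defaults (assumption: an unhardened XP/Vista-era host; adjust
BENIGN to your baseline) and reports every deviation.
"""
import sys

POLICIES = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
SECURITY_CENTER = r"SOFTWARE\Microsoft\Security Center"
FIREWALL = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
            r"\FirewallPolicy\StandardProfile")
EXPLORER_ADV = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SAFEBOOT_MINIMAL = r"SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal"

# (hive, key, value) -> data the value holds on a stock host.  A value that
# is absent altogether is treated as stock and never flagged.
BENIGN = {
    ("HKCU", POLICIES, "DisableTaskMgr"): 0,
    ("HKCU", POLICIES, "DisableRegistryTools"): 0,
    ("HKLM", POLICIES, "EnableLUA"): 1,
    ("HKLM", FIREWALL, "DoNotAllowExceptions"): 0,
    ("HKLM", FIREWALL, "DisableNotifications"): 0,
    ("HKCU", EXPLORER_ADV, "Hidden"): 2,          # 2 = hidden files not shown
}
for _n in ("AntiVirusOverride", "AntiVirusDisableNotify", "FirewallOverride",
           "FirewallDisableNotify", "UpdatesDisableNotify", "UacDisableNotify"):
    BENIGN[("HKLM", SECURITY_CENTER, _n)] = 0
    BENIGN[("HKLM", SECURITY_CENTER + r"\Svc", _n)] = 0

# Safe Mode entries the report shows being deleted.  Without them the
# corresponding drivers and services are not loaded in Safe Mode, which
# removes Safe Mode as a clean-up path.
SAFEBOOT_REQUIRED = frozenset({
    "AppMgmt", "Base", "Boot Bus Extender", "Boot file system", "CryptSvc",
    "DcomLaunch", "dmadmin", "dmboot.sys", "dmio.sys", "dmload.sys",
    "dmserver", "EventLog", "File system", "Filter", "Netlogon",
})


def audit(values, safeboot_subkeys):
    """values: {(hive, key, name): data} for the BENIGN entries that exist.
    safeboot_subkeys: names present under SafeBoot\\Minimal.
    Returns a list of findings; an empty list means nothing deviates."""
    findings = []
    for loc, stock in BENIGN.items():
        actual = values.get(loc)
        if actual is not None and actual != stock:
            hive, key, name = loc
            findings.append(f"{hive}\\{key}\\{name} = {actual!r} (stock {stock!r})")
    for sub in sorted(SAFEBOOT_REQUIRED - set(safeboot_subkeys)):
        findings.append(f"SafeBoot\\Minimal\\{sub} is missing")
    return findings


def snapshot_live():
    """Read the same data from the local registry (Windows only)."""
    import winreg
    roots = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    values = {}
    for hive, key, name in BENIGN:
        try:
            with winreg.OpenKey(roots[hive], key) as k:
                values[(hive, key, name)] = winreg.QueryValueEx(k, name)[0]
        except OSError:
            pass                      # key or value absent: treated as stock
    subkeys = []
    try:
        with winreg.OpenKey(roots["HKLM"], SAFEBOOT_MINIMAL) as k:
            while True:               # EnumKey raises OSError past the last index
                subkeys.append(winreg.EnumKey(k, len(subkeys)))
    except OSError:
        pass                          # end of enumeration, or key gone entirely
    return values, subkeys


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows host under investigation")
    for line in audit(*snapshot_live()) or ["no deviation from stock values"]:
        print(line)
```

A host where only Netlogon survives under SafeBoot\Minimal and DisableTaskMgr, DisableRegistryTools and EnableLUA have been flipped yields 18 findings: four changed values and fourteen missing Safe Mode entries. Absent values are deliberately not flagged, so a 64-bit or later Windows that lacks the Security Center\Svc values does not produce noise; tighten that rule if your baseline says a value must exist.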
Other behavior
Behavior description: Create mutex
details: uxJLpe1m
smss.exeM_532_
csrss.exeM_588_
winlogon.exeM_612_
services.exeM_656_
lsass.exeM_668_
33oxservice.exeM_828_
33acthlp.exeM_840_
svchost.exeM_880_
svchost.exeM_944_
svchost.exeM_984_
svchost.exeM_1068_
svchost.exeM_1100_
spoolsv.exeM_1240_
33upgradehelper.exeM_1504_
Behavior description: Load driver (standard method)
details: system32\DRIVERS\ipfltdrv.sys
\??\C:\WINDOWS\system32\drivers\pigmu.sys
Behavior description: Find specific window
details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [TXGuiFoundation,QQ2013]
NtUserFindWindowEx: [Class,Window] = [CTXOPConntion_Class,OP_2269840561]
Behavior description: Start system service
details: [service started successfully]: , IP Traffic Filter Driver, system32\DRIVERS\ipfltdrv.sys
[service started successfully]: , amsint32, \??\C:\WINDOWS\system32\drivers\pigmu.sys
Behavior description: Probe for a virtual machine via file attributes
details: GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwaretray.exe
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwareuser.exe
GetFileAttributes: FileName = c:\windows\system32\vboxtray.exe
Behavior description: Acquire privileges
details: SE_DEBUG_PRIVILEGE
SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Read TickCount value
details: TickCount = 484871, SleepMilliseconds = 12.
TickCount = 484902, SleepMilliseconds = 12.
TickCount = 485012, SleepMilliseconds = 12.
TickCount = 785046, SleepMilliseconds = 300000.
TickCount = 785062, SleepMilliseconds = 300000.
TickCount = 785078, SleepMilliseconds = 300000.
TickCount = 785093, SleepMilliseconds = 300000.
TickCount = 785109, SleepMilliseconds = 300000.
TickCount = 785125, SleepMilliseconds = 300000.
TickCount = 785140, SleepMilliseconds = 300000.
TickCount = 785156, SleepMilliseconds = 300000.
TickCount = 785171, SleepMilliseconds = 300000.
TickCount = 785187, SleepMilliseconds = 300000.
TickCount = 785203, SleepMilliseconds = 300000.
TickCount = 785218, SleepMilliseconds = 300000.
Behavior description: Enumerate windows
details: N/A
Behavior description: Stop system service
details: ServiceName = Application Layer Gateway Service
Behavior description: Attempt to open rootkit driver device object
details: \??\amsint32
Behavior description: Call Sleep function
details: [1]: MilliSeconds = 300000.
[2]: MilliSeconds = 1800000.
[3]: MilliSeconds = 1024.
[4]: MilliSeconds = 512.
[5]: MilliSeconds = 300000.
[6]: MilliSeconds = 10240.
[7]: MilliSeconds = -1.
[8]: MilliSeconds = -1.
[9]: MilliSeconds = 10000.
[10]: MilliSeconds = 512.
Behavior description: Create system service
details: [service already exists]: IPFILTERDRIVER, C:\WINDOWS\system32\drivers\ipfltdrv.sys
[service created successfully]: amsint32, C:\WINDOWS\system32\drivers\pigmu.sys
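Reading the listing as a whole: the cross-process writes and the remote threads name the same processes (explorer.exe, ctfmon.exe, QQ.exe, TXPlatform.exe, conime.exe), which is the WriteProcessMemory-then-CreateRemoteThread injection pair; every beacon URL shares one query shape (a short hex id and a decimal number) on a GIF path across six hosts; the Sleep calls of 300000 and 1800000 ms (5 and 30 minutes) and the -1 (INFINITE) waits outlast a default sandbox run, so a second run with sleeps patched out is worth doing; and the "probe for a virtual machine" entries touch the same VMware Tools binaries that later appear in the list of modified EXE files, so they may be the infector enumerating targets rather than an evasion check. The following is an added example, not VirSCAN's code and not the sample's: a Python parser for this report layout that derives those facts from the text. REPORT is an excerpt of the lines above, cut to a few lines per behavior.

```python
"""Pull triage facts out of a VirSCAN behavior listing.

Added example; not VirSCAN's code and not the sample's own code.  It parses
the "Behavior description: ... / details: ..." layout used above and reports
the things an analyst checks first: processes that were both written to and
given a remote thread (injection), the beacon hosts and URL shape, sleeps
long enough to outlast a sandbox, and the driver service that was created.
REPORT is an excerpt of the listing above, cut to a few lines per behavior.
"""
import json
import re
from urllib.parse import urlsplit

REPORT = r"""Process behavior
Behavior description: Write data into another process
details: TargetProcess = explorer.exe, WriteAddress = 0x02620000, Size = 8192
C:\WINDOWS\explorer.exe
TargetProcess = QQ.exe, WriteAddress = 0x00c60000, Size = 8192
C:\Program Files\Tencent\QQ\Bin\QQ.exe
Behavior description: Create remote thread
details: C:\WINDOWS\explorer.exe
C:\Program Files\Tencent\QQ\Bin\QQ.exe
C:\WINDOWS\system32\taskmgr.exe
Network behavior
Behavior description: Open URL over the network
details: InternetOpenUrlA: http://sagocugenc.sa.funpic.de/images/logos.gif?7c07f=1016062 hInternet = 0x00000554
InternetOpenUrlA: http://yucelcavdar.com/logos_s.gif?7762e=4401054 hInternet = 0x00000554
InternetOpenUrlA: http://sagocugenc.sa.funpic.de/images/logos.gif?77da2=4418226 hInternet = 0x0000054c
Other behavior
Behavior description: Call Sleep function
details: [1]: MilliSeconds = 300000.
[2]: MilliSeconds = 1800000.
[3]: MilliSeconds = 1024.
[7]: MilliSeconds = -1.
Behavior description: Create system service
details: [service already exists]: IPFILTERDRIVER, C:\WINDOWS\system32\drivers\ipfltdrv.sys
[service created successfully]: amsint32, C:\WINDOWS\system32\drivers\pigmu.sys
"""

SECTIONS = {"Key behavior", "Process behavior", "File behavior",
            "Network behavior", "Registry behavior", "Other behavior"}
# Query shape seen on every beacon URL in the report: <hex id>=<decimal>
BEACON = re.compile(r"/logos(?:_s)?\.gif\?[0-9a-f]{4,6}=\d+$")
LONG_SLEEP_MS = 60_000          # -1 is INFINITE and is always reported


def parse(text):
    """Yield (section, description, [detail lines]) from report text."""
    section, desc, details = None, None, []
    for line in text.splitlines():
        if line in SECTIONS:
            if desc:
                yield section, desc, details
            section, desc, details = line, None, []
        elif line.startswith("Behavior description:"):
            if desc:
                yield section, desc, details
            desc, details = line.split(":", 1)[1].strip(), []
        elif desc is not None:
            details.append(re.sub(r"^details:\s*", "", line))
    if desc:
        yield section, desc, details


def triage(text):
    written, threaded, hosts = set(), set(), set()
    beacons, sleeps, services = [], [], []
    for _section, desc, details in parse(text):
        for d in details:
            if m := re.match(r"TargetProcess = (\S+), WriteAddress", d):
                written.add(m.group(1).lower())           # memory written into
            elif "remote thread" in desc.lower():
                threaded.add(d.rsplit("\\", 1)[-1].lower())  # path -> basename
            elif m := re.match(r"InternetOpenUrlA: (\S+)", d):
                hosts.add(urlsplit(m.group(1)).hostname)
                if BEACON.search(m.group(1)):
                    beacons.append(m.group(1))
            elif m := re.search(r"MilliSeconds = (-?\d+)", d):
                ms = int(m.group(1))
                if ms == -1 or ms >= LONG_SLEEP_MS:
                    sleeps.append(ms)
            elif m := re.match(r"\[service created successfully\]: (\S+), (.+)", d):
                services.append((m.group(1), m.group(2)))
    return {
        "injection_targets": sorted(written & threaded),   # write + thread
        "thread_only": sorted(threaded - written),         # thread, no write seen
        "beacon_hosts": sorted(hosts),
        "beacon_urls": beacons,
        "long_sleeps_ms": sleeps,
        "new_services": services,
    }


if __name__ == "__main__":
    print(json.dumps(triage(REPORT), indent=2))
```

On the excerpt this reports explorer.exe and QQ.exe as injection targets, taskmgr.exe as a thread-only target (the full listing shows the same for the temp-named executables and iexplore.exe, which received threads without a recorded write), two beacon hosts with three matching URLs, the three long waits, and the amsint32 service backed by pigmu.sys. Feed it the whole listing to get the complete host set for blocking and the full injection map.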
Run screenshot