VirSCAN
File information
Safety rating:29
Behavior list
Basic Information
MD5:81388ca8ec158ef18a19a8cf27e4322e
File type:AutoIt
Vendor:
Version:3.0.0.5---3.0.0.5
Packer/compiler information:PACKER:UPolyX v0.5
Subfile information:AutoItScript / b49f668061da300fcbb9b553306f3eca / Unknown
Key behavior
Behavior description:Modifies an existing system EXE file
details:C:\WINDOWS\system32\Cmb_Pb_LiveUpdate.exe
Behavior description:Cross-process memory write
details:TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x00bb0000, Size = 0x00002000
TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x00d70000, Size = 0x00001000
TargetProcess = C:\WINDOWS\system32\ctfmon.exe, WriteAddress = 0x009a0000, Size = 0x00002000
TargetProcess = C:\WINDOWS\system32\ctfmon.exe, WriteAddress = 0x009b0000, Size = 0x00001000
TargetProcess = C:\Program Files\Tencent\QQ\Bin\QQ.exe, WriteAddress = 0x00c50000, Size = 0x00002000
TargetProcess = C:\Program Files\Tencent\QQ\Bin\QQ.exe, WriteAddress = 0x00c60000, Size = 0x00001000
TargetProcess = C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe, WriteAddress = 0x01010000, Size = 0x00002000
TargetProcess = C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe, WriteAddress = 0x01020000, Size = 0x00001000
TargetProcess = C:\WINDOWS\system32\conime.exe, WriteAddress = 0x00900000, Size = 0x00002000
TargetProcess = C:\WINDOWS\system32\conime.exe, WriteAddress = 0x00910000, Size = 0x00001000
TargetProcess = C:\WINDOWS\system32\PersonalBankPortal.exe, WriteAddress = 0x035e0000, Size = 0x00002000
TargetProcess = C:\WINDOWS\system32\PersonalBankPortal.exe, WriteAddress = 0x035f0000, Size = 0x00001000
TargetProcess = C:\%temp%\****.exe, WriteAddress = 0x00d20000, Size = 0x00002000
TargetProcess = C:\%temp%\****.exe, WriteAddress = 0x00d30000, Size = 0x00001000
TargetProcess = C:\WINDOWS\system32\taskmgr.exe, WriteAddress = 0x00c00000, Size = 0x00002000
Behavior description:Modifies registry: Windows Firewall authorized applications list
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\Explorer.EXE
Behavior description:Checks whether it is being debugged
details:N/A
Behavior description:Loads a driver (standard method)
details:system32\DRIVERS\ipfltdrv.sys
\??\C:\WINDOWS\system32\drivers\lkhkjn.sys
Behavior description:Creates a remote thread
details:TargetProcess: explorer.exe, InheritedFromPID = 1868, ProcessID = 1944, ThreadID = 1408, StartAddress = 00BB0000, Parameter = 00000000
TargetProcess: explorer.exe, InheritedFromPID = 1868, ProcessID = 1944, ThreadID = 556, StartAddress = 00D70000, Parameter = 00000000
TargetProcess: ctfmon.exe, InheritedFromPID = 1944, ProcessID = 200, ThreadID = 764, StartAddress = 009A0000, Parameter = 00000000
TargetProcess: ctfmon.exe, InheritedFromPID = 1944, ProcessID = 200, ThreadID = 1004, StartAddress = 009B0000, Parameter = 00000000
TargetProcess: QQ.exe, InheritedFromPID = 1944, ProcessID = 240, ThreadID = 1140, StartAddress = 00C50000, Parameter = 00000000
TargetProcess: QQ.exe, InheritedFromPID = 1944, ProcessID = 240, ThreadID = 1872, StartAddress = 00C60000, Parameter = 00000000
TargetProcess: TXPlatform.exe, InheritedFromPID = 880, ProcessID = 272, ThreadID = 744, StartAddress = 01010000, Parameter = 00000000
TargetProcess: TXPlatform.exe, InheritedFromPID = 880, ProcessID = 272, ThreadID = 2044, StartAddress = 01020000, Parameter = 00000000
TargetProcess: conime.exe, InheritedFromPID = 412, ProcessID = 428, ThreadID = 1808, StartAddress = 00900000, Parameter = 00000000
TargetProcess: conime.exe, InheritedFromPID = 412, ProcessID = 428, ThreadID = 1856, StartAddress = 00910000, Parameter = 00000000
TargetProcess: PersonalBankPortal.exe, InheritedFromPID = 1944, ProcessID = 584, ThreadID = 300, StartAddress = 035E0000, Parameter = 00000000
TargetProcess: PersonalBankPortal.exe, InheritedFromPID = 1944, ProcessID = 584, ThreadID = 156, StartAddress = 035F0000, Parameter = 00000000
TargetProcess: EasyWebSvr.exe, InheritedFromPID = 1944, ProcessID = 660, ThreadID = 1048, StartAddress = 00D20000, Parameter = 00000000
TargetProcess: EasyWebSvr.exe, InheritedFromPID = 1944, ProcessID = 660, ThreadID = 968, StartAddress = 00D30000, Parameter = 00000000
TargetProcess: taskmgr.exe, InheritedFromPID = 1944, ProcessID = 1620, ThreadID = 1528, StartAddress = 00C00000, Parameter = 00000000
Behavior description:Reads TickCount
details:TickCount = 5352105, SleepMilliseconds = 12.
TickCount = 5352340, SleepMilliseconds = 12.
TickCount = 5352402, SleepMilliseconds = 12.
TickCount = 5352677, SleepMilliseconds = 256.
TickCount = 5352693, SleepMilliseconds = 256.
TickCount = 5352709, SleepMilliseconds = 256.
TickCount = 5352980, SleepMilliseconds = 512.
TickCount = 5352996, SleepMilliseconds = 512.
TickCount = 5353012, SleepMilliseconds = 512.
TickCount = 5652500, SleepMilliseconds = 300000.
TickCount = 5652546, SleepMilliseconds = 300000.
TickCount = 5652578, SleepMilliseconds = 300000.
TickCount = 5652609, SleepMilliseconds = 300000.
TickCount = 5652625, SleepMilliseconds = 300000.
TickCount = 5652640, SleepMilliseconds = 300000.
Behavior description:Sets special file attributes
details:C:\rtvt.exe
C:\DiskD\jktbxn.exe
C:\DiskX\rvahwf.pif
Behavior description:Attempts to open a rootkit driver device object
details:\??\amsint32
Behavior description:Creates an autorun file in a drive root
details:C:\autorun.inf
C:\DiskD\autorun.inf
C:\DiskX\autorun.inf
Behavior description:Sets special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache
Behavior description:Creates a system service
details:[service already exists]: IPFILTERDRIVER, C:\WINDOWS\system32\drivers\ipfltdrv.sys
[service created]: amsint32, C:\WINDOWS\system32\drivers\lkhkjn.sys
Process behavior
Behavior description:Cross-process memory write
details:TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x00bb0000, Size = 0x00002000
TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x00d70000, Size = 0x00001000
TargetProcess = C:\WINDOWS\system32\ctfmon.exe, WriteAddress = 0x009a0000, Size = 0x00002000
TargetProcess = C:\WINDOWS\system32\ctfmon.exe, WriteAddress = 0x009b0000, Size = 0x00001000
TargetProcess = C:\Program Files\Tencent\QQ\Bin\QQ.exe, WriteAddress = 0x00c50000, Size = 0x00002000
TargetProcess = C:\Program Files\Tencent\QQ\Bin\QQ.exe, WriteAddress = 0x00c60000, Size = 0x00001000
TargetProcess = C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe, WriteAddress = 0x01010000, Size = 0x00002000
TargetProcess = C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe, WriteAddress = 0x01020000, Size = 0x00001000
TargetProcess = C:\WINDOWS\system32\conime.exe, WriteAddress = 0x00900000, Size = 0x00002000
TargetProcess = C:\WINDOWS\system32\conime.exe, WriteAddress = 0x00910000, Size = 0x00001000
TargetProcess = C:\WINDOWS\system32\PersonalBankPortal.exe, WriteAddress = 0x035e0000, Size = 0x00002000
TargetProcess = C:\WINDOWS\system32\PersonalBankPortal.exe, WriteAddress = 0x035f0000, Size = 0x00001000
TargetProcess = C:\%temp%\****.exe, WriteAddress = 0x00d20000, Size = 0x00002000
TargetProcess = C:\%temp%\****.exe, WriteAddress = 0x00d30000, Size = 0x00001000
TargetProcess = C:\WINDOWS\system32\taskmgr.exe, WriteAddress = 0x00c00000, Size = 0x00002000
Behavior description:Creates a local thread
details:TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 576, ThreadID = 896, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 576, ThreadID = 1552, StartAddress = 004C67E8, Parameter = 000C5116
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 576, ThreadID = 1384, StartAddress = 00436E15, Parameter = 02B52F60
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 576, ThreadID = 388, StartAddress = 01ACD570, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 576, ThreadID = 164, StartAddress = 01AC53B2, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 576, ThreadID = 1996, StartAddress = 01ACE507, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 576, ThreadID = 444, StartAddress = 01AC3FAA, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 576, ThreadID = 252, StartAddress = 01AC57A0, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 576, ThreadID = 1012, StartAddress = 01AC1189, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 576, ThreadID = 1360, StartAddress = 01AC3911, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 576, ThreadID = 1372, StartAddress = 01AC3D9B, Parameter = 00000000
TargetProcess: explorer.exe, InheritedFromPID = 1868, ProcessID = 1944, ThreadID = 1388, StartAddress = 00BB06D2, Parameter = 007AF000
TargetProcess: ctfmon.exe, InheritedFromPID = 1944, ProcessID = 200, ThreadID = 1796, StartAddress = 009A06D2, Parameter = 0059F000
TargetProcess: conime.exe, InheritedFromPID = 412, ProcessID = 428, ThreadID = 168, StartAddress = 009006D2, Parameter = 004FF000
TargetProcess: EasyWebSvr.exe, InheritedFromPID = 1944, ProcessID = 660, ThreadID = 1392, StartAddress = 00D206D2, Parameter = 0091F000
Behavior description:Creates a remote thread
details:TargetProcess: explorer.exe, InheritedFromPID = 1868, ProcessID = 1944, ThreadID = 1408, StartAddress = 00BB0000, Parameter = 00000000
TargetProcess: explorer.exe, InheritedFromPID = 1868, ProcessID = 1944, ThreadID = 556, StartAddress = 00D70000, Parameter = 00000000
TargetProcess: ctfmon.exe, InheritedFromPID = 1944, ProcessID = 200, ThreadID = 764, StartAddress = 009A0000, Parameter = 00000000
TargetProcess: ctfmon.exe, InheritedFromPID = 1944, ProcessID = 200, ThreadID = 1004, StartAddress = 009B0000, Parameter = 00000000
TargetProcess: QQ.exe, InheritedFromPID = 1944, ProcessID = 240, ThreadID = 1140, StartAddress = 00C50000, Parameter = 00000000
TargetProcess: QQ.exe, InheritedFromPID = 1944, ProcessID = 240, ThreadID = 1872, StartAddress = 00C60000, Parameter = 00000000
TargetProcess: TXPlatform.exe, InheritedFromPID = 880, ProcessID = 272, ThreadID = 744, StartAddress = 01010000, Parameter = 00000000
TargetProcess: TXPlatform.exe, InheritedFromPID = 880, ProcessID = 272, ThreadID = 2044, StartAddress = 01020000, Parameter = 00000000
TargetProcess: conime.exe, InheritedFromPID = 412, ProcessID = 428, ThreadID = 1808, StartAddress = 00900000, Parameter = 00000000
TargetProcess: conime.exe, InheritedFromPID = 412, ProcessID = 428, ThreadID = 1856, StartAddress = 00910000, Parameter = 00000000
TargetProcess: PersonalBankPortal.exe, InheritedFromPID = 1944, ProcessID = 584, ThreadID = 300, StartAddress = 035E0000, Parameter = 00000000
TargetProcess: PersonalBankPortal.exe, InheritedFromPID = 1944, ProcessID = 584, ThreadID = 156, StartAddress = 035F0000, Parameter = 00000000
TargetProcess: EasyWebSvr.exe, InheritedFromPID = 1944, ProcessID = 660, ThreadID = 1048, StartAddress = 00D20000, Parameter = 00000000
TargetProcess: EasyWebSvr.exe, InheritedFromPID = 1944, ProcessID = 660, ThreadID = 968, StartAddress = 00D30000, Parameter = 00000000
TargetProcess: taskmgr.exe, InheritedFromPID = 1944, ProcessID = 1620, ThreadID = 1528, StartAddress = 00C00000, Parameter = 00000000
Behavior description:Enumerates processes
details:N/A
Behavior description:Creates a process
details:ImagePath = C:\Program Files\Internet Explorer\iexplore.exe, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.yixun.com/
ImagePath = C:\Program Files\Internet Explorer\iexplore.exe, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:2432 CREDAT:79873
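The write-then-thread pairs in this section are the WriteProcessMemory/CreateRemoteThread injection sequence (the VirtualAllocEx that normally precedes the write is not logged by this sandbox): every remote thread's StartAddress is the start of a region the sample had just written into the same process, one 0x2000 region and one 0x1000 region per target, including the banking client PersonalBankPortal.exe and taskmgr.exe. The script below is an added example, not part of the VirSCAN report or its tooling. It reconstructs that pairing from report lines of the format shown; the input is a subset copied from the entries above (ctfmon.exe is included only as a thread so the unmatched case is exercised), and the field names are the report's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: lines copied from the "Cross-process memory write" and
# "Creates a remote thread" entries of the report above (a subset).
REPORT = r"""
TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x00bb0000, Size = 0x00002000
TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x00d70000, Size = 0x00001000
TargetProcess = C:\WINDOWS\system32\PersonalBankPortal.exe, WriteAddress = 0x035e0000, Size = 0x00002000
TargetProcess = C:\%temp%\****.exe, WriteAddress = 0x00d20000, Size = 0x00002000
TargetProcess = C:\WINDOWS\system32\taskmgr.exe, WriteAddress = 0x00c00000, Size = 0x00002000
TargetProcess: explorer.exe, InheritedFromPID = 1868, ProcessID = 1944, ThreadID = 1408, StartAddress = 00BB0000, Parameter = 00000000
TargetProcess: explorer.exe, InheritedFromPID = 1868, ProcessID = 1944, ThreadID = 556, StartAddress = 00D70000, Parameter = 00000000
TargetProcess: PersonalBankPortal.exe, InheritedFromPID = 1944, ProcessID = 584, ThreadID = 300, StartAddress = 035E0000, Parameter = 00000000
TargetProcess: EasyWebSvr.exe, InheritedFromPID = 1944, ProcessID = 660, ThreadID = 1048, StartAddress = 00D20000, Parameter = 00000000
TargetProcess: taskmgr.exe, InheritedFromPID = 1944, ProcessID = 1620, ThreadID = 1528, StartAddress = 00C00000, Parameter = 00000000
TargetProcess: ctfmon.exe, InheritedFromPID = 1944, ProcessID = 200, ThreadID = 764, StartAddress = 009A0000, Parameter = 00000000
"""

# Field layout of the two record types as they appear in the report.
WRITE_RE = re.compile(
    r"TargetProcess = (?P<path>.+?), WriteAddress = 0x(?P<addr>[0-9a-fA-F]+), "
    r"Size = 0x(?P<size>[0-9a-fA-F]+)"
)
THREAD_RE = re.compile(
    r"TargetProcess: (?P<name>[^,]+), InheritedFromPID = \d+, ProcessID = (?P<pid>\d+), "
    r"ThreadID = (?P<tid>\d+), StartAddress = (?P<addr>[0-9a-fA-F]+), Parameter = (?P<param>[0-9a-fA-F]+)"
)


def parse_report(text: str) -> Tuple[List[dict], List[dict]]:
    """Split report lines into cross-process writes and remote-thread creations."""
    writes, threads = [], []
    for line in text.splitlines():
        m = WRITE_RE.search(line)
        if m:
            writes.append({"path": m["path"], "addr": int(m["addr"], 16), "size": int(m["size"], 16)})
            continue
        m = THREAD_RE.search(line)
        if m:
            threads.append({"name": m["name"], "pid": int(m["pid"]), "tid": int(m["tid"]),
                            "addr": int(m["addr"], 16), "param": int(m["param"], 16)})
    return writes, threads


def basename_matches(write_path: str, thread_name: str) -> Optional[bool]:
    """True/False when the written image's basename can be compared with the thread's
    process name; None when the sandbox masked the path (e.g. %temp%\\****.exe)."""
    base = write_path.rsplit("\\", 1)[-1]
    if "*" in base:
        return None
    return base.lower() == thread_name.lower()


def _pick_write(thread: dict, writes: List[dict]) -> Optional[dict]:
    """Writes whose [addr, addr+size) region contains the thread start address.
    Prefer a matching image name, accept a masked one, reject a different process."""
    hits = [w for w in writes if w["addr"] <= thread["addr"] < w["addr"] + w["size"]]
    hits = [w for w in hits if basename_matches(w["path"], thread["name"]) is not False]
    hits.sort(key=lambda w: basename_matches(w["path"], thread["name"]) is not True)
    return hits[0] if hits else None


def correlate(writes: List[dict], threads: List[dict]) -> Dict[str, list]:
    """Pair every remote thread with the write that placed code at its start address."""
    injections, unmatched = [], []
    for t in threads:
        w = _pick_write(t, writes)
        if w is None:
            unmatched.append(t)
            continue
        injections.append({
            "process": t["name"], "pid": t["pid"], "tid": t["tid"],
            "start": t["addr"], "region": (w["addr"], w["size"]),
            "write_path": w["path"],
            "name_match": basename_matches(w["path"], t["name"]),
        })
    return {"injections": injections, "unmatched_threads": unmatched}


if __name__ == "__main__":
    result = correlate(*parse_report(REPORT))
    for inj in result["injections"]:
        note = "  (target path masked in report)" if inj["name_match"] is None else ""
        print(f"{inj['process']:<24} pid={inj['pid']:<5} thread start=0x{inj['start']:08x} "
              f"inside written region 0x{inj['region'][0]:08x}+0x{inj['region'][1]:x}{note}")
    for t in result["unmatched_threads"]:
        print(f"{t['name']:<24} remote thread at 0x{t['addr']:08x} with no write in this subset")
```

Run against the full report, every remote thread in the "Creates a remote thread" list lands inside a written region, which is the signal to alert on; a remote thread with no preceding write (or a write with no thread, such as the 0x1000 region in taskmgr.exe here) deserves a manual look rather than an automatic verdict.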
File behavior
Behavior description:Modifies an existing system EXE file
details:C:\WINDOWS\system32\Cmb_Pb_LiveUpdate.exe
Behavior description:Creates files
details:C:\Documents and Settings\Administrator\Local Settings\Temp\winycxshs.exe
C:\rtvt.exe
C:\DiskD\jktbxn.exe
C:\DiskX\rvahwf.pif
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{784030C8-5D17-11E6-91BE-7B****28}.dat
C:\WINDOWS\system32\drivers\lkhkjn.sys
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6P4O8QNJ\wpad[1].dat
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF5DAD.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\winsqtmb.exe
Behavior description:Creates executable files
details:C:\Documents and Settings\Administrator\Local Settings\Temp\winycxshs.exe
C:\rtvt.exe
C:\DiskD\jktbxn.exe
C:\DiskX\rvahwf.pif
C:\WINDOWS\system32\drivers\lkhkjn.sys
C:\Documents and Settings\Administrator\Local Settings\Temp\winsqtmb.exe
Behavior description:Deletes files
details:C:\Documents and Settings\Administrator\Local Settings\Temp\winycxshs.exe
C:\WINDOWS\system32\drivers\lkhkjn.sys
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6P4O8QNJ\wpad[1].dat
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF5DAD.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\winsqtmb.exe
Behavior description:Searches for files
details:FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\*
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
FileName = C:\*
FileName = C:\ANALYZECONTROL\*
FileName = D:\*
FileName = E:\*
FileName = C:\DISKD\*
FileName = F:\*
FileName = C:\Documents and Settings\Administrator\My Documents
FileName = C:\Documents and Settings\All Users
Behavior description:Modifies executable files via memory mapping
details:C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\Cmb_Pb_LiveUpdate.exe
Behavior description:Sets special file attributes
details:C:\rtvt.exe
C:\DiskD\jktbxn.exe
C:\DiskX\rvahwf.pif
Behavior description:Creates an autorun file in a drive root
details:C:\autorun.inf
C:\DiskD\autorun.inf
C:\DiskX\autorun.inf
Behavior description:Sets special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache
Behavior description:Modifies file contents
details:C:\WINDOWS\system.ini ---> Offset = 231
C:\WINDOWS\system.ini ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\winycxshs.exe ---> Offset = 0
C:\autorun.inf ---> Offset = 0
C:\rtvt.exe ---> Offset = 0
C:\DiskD\autorun.inf ---> Offset = 0
C:\DiskD\jktbxn.exe ---> Offset = 0
C:\DiskX\autorun.inf ---> Offset = 0
C:\DiskX\rvahwf.pif ---> Offset = 0
C:\DiskD\jktbxn.exe ---> Offset = 102400
C:\WINDOWS\system32\drivers\lkhkjn.sys ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{784030C8-5D17-11E6-91BE-7B****28}.dat ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{784030C8-5D17-11E6-91BE-7B****28}.dat ---> Offset = 512
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF5DAD.tmp ---> Offset = 16383
C:\WINDOWS\system32\Cmb_Pb_LiveUpdate.exe ---> Offset = 405504
Network behavior
Behavior description:Opens a URL over the network
details:InternetOpenUrlA: http://**.133.40.**:128/wpad.dat, hInternet = 0x00cc0004, Flags = 0x80000010
Behavior description:Connects to a host
details:InternetConnectA: ServerName = **.133.40.**, PORT = 128, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x80000010
Behavior description:Opens an HTTP session
details:InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0), hSession = 0x00cc0004
InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489), hSession = 0x00cc0004
Behavior description:Establishes a socket connection to a host
details:URL: wpad, IP: **.133.40.**:128, SOCKET = 0x000004cc
Behavior description:Reads a network file
details:hFile = 0x00cc000c, BytesToRead =4010, BytesRead = 4010.
Behavior description:Sends an HTTP request
details:GET /wpad.dat HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0) Host: **.133.40.**:128 Cache-Control: no-cache
Behavior description:Opens an HTTP request
details:HttpOpenRequestA: **.133.40.**:128/wpad.dat, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x80000010
Behavior description:Resolves a host address by name
details:GetAddrInfoW: computer
GetAddrInfoW: wpad
Registry behavior
Behavior description:Modifies registry
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\-993627007\1768776769
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\-993627007\-757413758
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\-993627007\1011363011
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\-993627007\-1514827516
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\-993627007\253949253
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\-993627007\-503464505
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A1_0
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A2_0
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A3_0
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A4_0
\REGISTRY\USER\S-*\SessionInformation\ProgramCount
Behavior description:Modifies registry: Explorer file-display settings
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
Behavior description:Deletes registry keys: Safe Mode boot entries
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\AppMgmt\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Base\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Boot Bus Extender\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Boot file system\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\CryptSvc\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\DcomLaunch\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmadmin\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmboot.sys\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmio.sys\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmload.sys\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmserver\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\EventLog\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\File system\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Filter\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Netlogon\
Behavior description:Deletes registry keys
details:\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\{63800dac-e7ca-4df9-9a5c-20765055488d}\
\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\
\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\
\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBB}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBB}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBC}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBC}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\
\REGISTRY\USER\S-*_CLASSES\JavaPlugin.1000\CLSID\
Behavior description:Modifies registry: Windows Firewall authorized applications list
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\Explorer.EXE
Behavior description:Modifies registry: Security Center settings
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UacDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\UpdatesDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\UacDisableNotify
Behavior description:Deletes registry values
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\AlternateShell
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Other behavior
Behavior description:Checks whether it is being debugged
details:N/A
Behavior description:Hides specified windows
details:[Window,Class] = [QQ2013,TXGuiFoundation]
[Window,Class] = [OP_2269840561,CTXOPConntion_Class]
[Window,Class] = [,BrowserFrameGripperClass]
[Window,Class] = [Zoom level,ToolbarWindow32]
[Window,Class] = [,msctls_progress32]
[Window,Class] = [,Auto-Suggest Dropdown]
Behavior description:Starts system services
details:[service started]: , IP Traffic Filter Driver, system32\DRIVERS\ipfltdrv.sys
[service started]: , amsint32, \??\C:\WINDOWS\system32\drivers\lkhkjn.sys
Behavior description:Executable file signature information
details:C:\Documents and Settings\Administrator\Local Settings\Temp\winycxshs.exe (signature verification: failed)
C:\rtvt.exe (signature verification: failed)
C:\DiskD\jktbxn.exe (signature verification: failed)
C:\DiskX\rvahwf.pif (signature verification: failed)
C:\WINDOWS\system32\drivers\lkhkjn.sys (signature verification: failed)
Behavior description:Stops system services
details:ServiceName = Application Layer Gateway Service
ServiceName = Windows Firewall/Internet Connection Sharing (ICS)
Behavior description:Attempts to open a rootkit driver device object
details:\??\amsint32
Behavior description:Signature information of the modified executable
details:C:\WINDOWS\system32\Cmb_Pb_LiveUpdate.exe (signature verification: failed)
Behavior description:Executable file MD5
details:C:\Documents and Settings\Administrator\Local Settings\Temp\winycxshs.exe ---> 25aa9bb549ecc7bb6100f8d179452508
C:\rtvt.exe ---> 993d499d5ccac15592943a3a52ec9b09
C:\DiskD\jktbxn.exe ---> 993d499d5ccac15592943a3a52ec9b09
C:\DiskX\rvahwf.pif ---> 993d499d5ccac15592943a3a52ec9b09
C:\WINDOWS\system32\drivers\lkhkjn.sys ---> bf31a8d79f704f488e3dbcb6eea3b3e3
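The three root-level copies (C:\rtvt.exe, C:\DiskD\jktbxn.exe, C:\DiskX\rvahwf.pif) share one MD5, each sits beside an autorun.inf the sample wrote, and all three had special file attributes set: the removable-media spreading pattern. The script below is an added triage example, not part of the report or of VirSCAN: it builds a constructed directory layout that mirrors those three roots (with a stand-in payload, since the sample itself is not on this page), parses each autorun.inf for the keys that make Windows launch a program (open, shellexecute, shell\open\command), hashes the referenced file and groups identical copies across volumes. The autorun.inf text used here is constructed; the page does not show the real file's contents.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path
from typing import Dict, List

# [autorun] keys that cause a program on the volume to be launched.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text: str) -> Dict[str, str]:
    """Parse the [autorun] section of an autorun.inf. Keys are case-insensitive;
    malicious files are often padded with junk, so anything that is not key=value
    inside that section is ignored."""
    values: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values


def md5_of(path: Path) -> str:
    return hashlib.md5(path.read_bytes()).hexdigest()


def triage_roots(roots: List[Path]) -> List[dict]:
    """For each volume root, report what its autorun.inf launches and the file's hash."""
    findings = []
    for root in roots:
        inf = root / "autorun.inf"
        if not inf.is_file():
            continue
        keys = parse_autorun(inf.read_text(encoding="latin-1"))
        seen = set()
        for key in LAUNCH_KEYS:
            parts = keys.get(key, "").split()
            if not parts:
                continue
            exe_name = parts[0].strip('"')  # drop any command-line arguments
            if exe_name.lower() in seen:
                continue
            seen.add(exe_name.lower())
            exe = root / exe_name
            findings.append({"root": str(root), "inf_key": key, "exe": str(exe),
                             "exists": exe.is_file(),
                             "md5": md5_of(exe) if exe.is_file() else None})
    return findings


def group_by_hash(findings: List[dict]) -> Dict[str, List[str]]:
    """The same payload on several volumes is the self-replication signature."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for f in findings:
        if f["md5"]:
            groups[f["md5"]].append(f["root"])
    return {h: r for h, r in groups.items() if len(r) > 1}


def build_fixture(base: Path) -> List[Path]:
    """Constructed layout mirroring the report: one payload copied to three volume
    roots with an autorun.inf beside it. Payload bytes and autorun.inf text are
    stand-ins; the page does not show the real files."""
    payload = b"MZ" + b"\x90" * 64
    layout = {"C": "rtvt.exe", "DiskD": "jktbxn.exe", "DiskX": "rvahwf.pif"}
    roots = []
    for vol, name in layout.items():
        root = base / vol
        root.mkdir()
        (root / name).write_bytes(payload)
        (root / "autorun.inf").write_text(
            f"[AutoRun]\r\nopen={name}\r\nshell\\open\\Command={name}\r\n"
            f"shell\\open\\Default=1\r\n", encoding="latin-1")
        roots.append(root)
    return roots


def run_demo() -> dict:
    """Build the fixture in a temp directory, triage it and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = triage_roots(build_fixture(Path(tmp)))
        return {"findings": findings, "groups": group_by_hash(findings)}


if __name__ == "__main__":
    result = run_demo()
    for f in result["findings"]:
        print(f"{f['root']}: {f['inf_key']} -> {f['exe']} md5={f['md5']}")
    for digest, roots in result["groups"].items():
        print(f"same payload {digest} on {len(roots)} volumes: {roots}")
```

On a live machine, pass the real volume roots (for example Path("D:\\")) to triage_roots. The hidden/system attributes the report notes on the three copies are not checked here; on Windows they are readable through os.stat(...).st_file_attributes.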
Behavior description:Creates a system service
details:[service already exists]: IPFILTERDRIVER, C:\WINDOWS\system32\drivers\ipfltdrv.sys
[service created]: amsint32, C:\WINDOWS\system32\drivers\lkhkjn.sys
Behavior description:Creates mutexes
details:uxJLpe1m
smss.exeM_532_
csrss.exeM_588_
winlogon.exeM_612_
services.exeM_656_
lsass.exeM_668_
33oxservice.exeM_828_
33acthlp.exeM_840_
svchost.exeM_880_
svchost.exeM_944_
svchost.exeM_984_
svchost.exeM_1068_
svchost.exeM_1100_
spoolsv.exeM_1240_
33upgradehelper.exeM_1504_
Behavior description:Reads TickCount
details:TickCount = 5352105, SleepMilliseconds = 12.
TickCount = 5352340, SleepMilliseconds = 12.
TickCount = 5352402, SleepMilliseconds = 12.
TickCount = 5352677, SleepMilliseconds = 256.
TickCount = 5352693, SleepMilliseconds = 256.
TickCount = 5352709, SleepMilliseconds = 256.
TickCount = 5352980, SleepMilliseconds = 512.
TickCount = 5352996, SleepMilliseconds = 512.
TickCount = 5353012, SleepMilliseconds = 512.
TickCount = 5652500, SleepMilliseconds = 300000.
TickCount = 5652546, SleepMilliseconds = 300000.
TickCount = 5652578, SleepMilliseconds = 300000.
TickCount = 5652609, SleepMilliseconds = 300000.
TickCount = 5652625, SleepMilliseconds = 300000.
TickCount = 5652640, SleepMilliseconds = 300000.
Behavior description:Window information
details:Pid = 576, Hwnd=0x80358, Text = OK, ClassName = Button.
Pid = 576, Hwnd=0x1002c8, Text = Cannot open script file., ClassName = Static.
Pid = 576, Hwnd=0xd02d6, Text = AutoIt Error, ClassName = #32770.
Behavior description:Searches for the kernel32.dll base address
details:Instruction Address = 0x004c617e
Behavior description:Creates event objects
details:EventName = Global\userenv: User Profile setup event
EventName = DINPUTWINMM
EventName = Global\crypt32LogoffEvent
EventName = CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000041
EventName = CTF.ThreadMIConnectionEvent.000007B4.00000000.00000041
EventName = MSCTF.SendReceive.Event.ELH.IC
EventName = MSCTF.SendReceiveConection.Event.ELH.IC
EventName = Isolation Signal Registry Event (784030C5-5D17-11E6-91BE-7B****28, 0)
EventName = IE_EarlyTabStart_0x984
EventName = Isolation Signal Registry Event (784030C6-5D17-11E6-91BE-7B****28, 0)
EventName = MSCTF.SendReceiveConection.Event.MJH.IC
EventName = MSCTF.SendReceive.Event.MJH.IC
EventName = MSCTF.SendReceive.Event.ALH.IC
EventName = MSCTF.SendReceiveConection.Event.ALH.IC
EventName = MSCTF.SendReceive.Event.IIH.IC
Behavior description:Loads a driver (standard method)
details:system32\DRIVERS\ipfltdrv.sys
\??\C:\WINDOWS\system32\drivers\lkhkjn.sys
Behavior description:MD5 of the modified executable
details:C:\WINDOWS\system32\Cmb_Pb_LiveUpdate.exe ---> 0a5496eda914f1eaf5e9829b1999f937
Behavior description:Opens events
details:HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
_fCanRegisterWithShellService
Global\crypt32LogoffEvent
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000041
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000041
MSCTF.SendReceiveConection.Event.ELH.IC
MSCTF.SendReceive.Event.ELH.IC
MSCTF.SendReceiveConection.Event.MOG.IC
MSCTF.SendReceive.Event.MOG.IC
Isolation Signal Registry Event (784030C5-5D17-11E6-91BE-7B****28, 0)
Global\SvcctrlStartEvent_A3752DX
\INSTALLATION_SECURITY_HOLD
MSFT.VSA.COM.DISABLE.2432
MSFT.VSA.IEC.STATUS.6c736db0
Behavior description:Adjusts process token privileges
details:SE_LOAD_DRIVER_PRIVILEGE
SE_DEBUG_PRIVILEGE
Behavior description:Enumerates windows
details:N/A
Behavior description:Calls Sleep
details:[1]: MilliSeconds = 120000.
[2]: MilliSeconds = 180000.
[3]: MilliSeconds = 1024.
[4]: MilliSeconds = 256.
[5]: MilliSeconds = 512.
[6]: MilliSeconds = 300000.
[7]: MilliSeconds = 256.
[8]: MilliSeconds = 512.
[9]: MilliSeconds = 18734.
[10]: MilliSeconds = 1024.
Behavior description:Opens mutexes
details:ShimCacheMutex
Local\!IETld!Mutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
Local\!BrowserEmulation!SharedMemory!Mutex
RasPbFile
CtfmonInstMutexDefaultS-*
Local\RSS Eventing Connection Database Mutex 00000980
Local\c:!documents and settings!administrator!local settings!application data!microsoft!feeds cache!
Behavior description:Finds specified windows
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [TXGuiFoundation,QQ2013]
NtUserFindWindowEx: [Class,Window] = [CTXOPConntion_Class,OP_2269840561]
NtUserFindWindowEx: [Class,Window] = [OleMainThreadWndClass,]