VirSCAN


File information
Safety rating: 40
Behavior list
Basic Information
MD5: b954147860927181b0d0f9230298a041
File type: Cab
Production company: Microsoft Corporation
Version: 5.0.3805.0---5.00.3805
Shell or compiler information:
Subfile information:
classes.zip / big file / zip
wfc.zip / c040db5ad3967931c102b68d5deb2ba8 / zip
javabase.cab / a563ec681f952799a9768b1bd4d307d4 / Cab
javax86.cab / 6247b8e6345a76afce4294b8d2c88001 / Cab
javatrig.exe / 1b19973594544ae5692962d9bd07dbdf / EXE
msjava.dll / b06b3a7738d3fa28505907ec1b6ed2d4 / DLL
oleaut32.dll / 0d303488cce054204c323c37657afa34 / DLL
OAInst.exe / 38582a6ccd888f9d2375154f4163ebe1 / Cab
javart.dll / 0b8496a356d6577fa766a8ec17365055 / DLL
CABINET / 8656aeccfda05502b2e37eb5ccb50580 / Cab
Dx3.zip / b841c94a6287b48f24e6304a50dc0073 / zip
dx3j.dll / 0e157a100e76717a727136f32f25cb80 / DLL
vmhelper.dll / f27c71cff8492c9949cae32cecde0c86 / DLL
tclasses.zip / 8d108950a30ba416747aee1ec064329f / zip
javacypt.dll / 4a0df95a051bb670a79b3db9537c77b0 / DLL
jview.exe / c82db7e992b68034a5de1515a49a3ef1 / EXE
wjview.exe / 9976a6fd84c634ae27f642aa56d6cc20 / EXE
jit.dll / 7ad2e18dc50d5652e3a22a1f85a8727f / DLL
olepro32.dll / 6568cb4adca8e02088b4b5f37f9e938e / DLL
Key behavior
Behavior description: Modifies existing system EXE files
details:C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE---> Offset = 12382208
C:\WINDOWS\system32\Cmb_Pb_LiveUpdate.exe---> Offset = 405504
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe---> Offset = 102400
C:\Program Files\VMware\VMware Tools\VMwareTray.exe---> Offset = 253952
C:\Program Files\VMware\VMware Tools\VMwareUser.exe---> Offset = 1171456
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE---> Offset = 10419712
Behavior description: Writes data into another process (cross-process write)
details:TargetProcess = explorer.exe, WriteAddress = 0x01bb0000, Size = 8192
C:\WINDOWS\explorer.exe
TargetProcess = explorer.exe, WriteAddress = 0x01e40000, Size = 4096
TargetProcess = ctfmon.exe, WriteAddress = 0x009a0000, Size = 8192
C:\WINDOWS\system32\ctfmon.exe
TargetProcess = ctfmon.exe, WriteAddress = 0x009f0000, Size = 4096
TargetProcess = QQ.exe, WriteAddress = 0x00c60000, Size = 8192
C:\Program Files\Tencent\QQ\Bin\QQ.exe
TargetProcess = QQ.exe, WriteAddress = 0x00cb0000, Size = 4096
TargetProcess = TXPlatform.exe, WriteAddress = 0x01120000, Size = 8192
C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe
TargetProcess = TXPlatform.exe, WriteAddress = 0x01170000, Size = 4096
TargetProcess = conime.exe, WriteAddress = 0x00910000, Size = 8192
C:\WINDOWS\system32\conime.exe
TargetProcess = conime.exe, WriteAddress = 0x009f0000, Size = 4096
Behavior description: Attempts to connect to a rootkit driver device object
details:\??\amsint32
Behavior description: Modifies registry: key UAC settings
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
Behavior description: Loads a driver (normal load)
details:system32\DRIVERS\ipfltdrv.sys
\??\C:\WINDOWS\system32\drivers\mmjhq.sys
Behavior description: Modifies executable files via memory mapping
details:\device\harddiskvolume1\program files\microsoft office\office11\winword.exe
\device\harddiskvolume1\windows\system32\notepad.exe
\device\harddiskvolume1\windows\system32\cmb_pb_liveupdate.exe
\device\harddiskvolume1\program files\adobe\reader 9.0\reader\reader_sl.exe
\device\harddiskvolume1\program files\vmware\vmware tools\vmwaretray.exe
\device\harddiskvolume1\windows\system32\cmd.exe
\device\harddiskvolume1\program files\vmware\vmware tools\vmwareuser.exe
\device\harddiskvolume1\program files\microsoft office\office11\excel.exe
Behavior description: Sets special file attributes
details:C:\hxaurm.pif
C:\DiskD\jfcr.exe
C:\DiskX\bfxlf.exe
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
Behavior description: Stops system services
details:ServiceName = Application Layer Gateway Service
ServiceName = Windows Firewall/Internet Connection Sharing (ICS)
ServiceName = Security Center
Behavior description: Queries file attributes to detect VMware
details:GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwaretray.exe
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwareuser.exe
Behavior description: Creates an autorun file in the root directory
details:C:\autorun.inf
Behavior description: Sets special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Creates system services
details:[服务已存在]: IPFILTERDRIVER, C:\WINDOWS\system32\drivers\ipfltdrv.sys
[服务创建成功]: amsint32, C:\WINDOWS\system32\drivers\mmjhq.sys
Process behavior
Behavior description: Writes data into another process (cross-process write)
details:TargetProcess = explorer.exe, WriteAddress = 0x01bb0000, Size = 8192
C:\WINDOWS\explorer.exe
TargetProcess = explorer.exe, WriteAddress = 0x01e40000, Size = 4096
TargetProcess = ctfmon.exe, WriteAddress = 0x009a0000, Size = 8192
C:\WINDOWS\system32\ctfmon.exe
TargetProcess = ctfmon.exe, WriteAddress = 0x009f0000, Size = 4096
TargetProcess = QQ.exe, WriteAddress = 0x00c60000, Size = 8192
C:\Program Files\Tencent\QQ\Bin\QQ.exe
TargetProcess = QQ.exe, WriteAddress = 0x00cb0000, Size = 4096
TargetProcess = TXPlatform.exe, WriteAddress = 0x01120000, Size = 8192
C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe
TargetProcess = TXPlatform.exe, WriteAddress = 0x01170000, Size = 4096
TargetProcess = conime.exe, WriteAddress = 0x00910000, Size = 8192
C:\WINDOWS\system32\conime.exe
TargetProcess = conime.exe, WriteAddress = 0x009f0000, Size = 4096
Behavior description: Enumerates processes
details:N/A
File behavior
Behavior description: Modifies existing system EXE files
details:C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE---> Offset = 12382208
C:\WINDOWS\system32\Cmb_Pb_LiveUpdate.exe---> Offset = 405504
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe---> Offset = 102400
C:\Program Files\VMware\VMware Tools\VMwareTray.exe---> Offset = 253952
C:\Program Files\VMware\VMware Tools\VMwareUser.exe---> Offset = 1171456
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE---> Offset = 10419712
Behavior description: Creates executable files
details:C:\WINDOWS\system32\drivers\mmjhq.sys
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winpedu.exe
C:\hxaurm.pif
C:\DiskD\jfcr.exe
C:\DiskX\bfxlf.exe
Behavior description: Modifies executable files via memory mapping
details:\device\harddiskvolume1\program files\microsoft office\office11\winword.exe
\device\harddiskvolume1\windows\system32\notepad.exe
\device\harddiskvolume1\windows\system32\cmb_pb_liveupdate.exe
\device\harddiskvolume1\program files\adobe\reader 9.0\reader\reader_sl.exe
\device\harddiskvolume1\program files\vmware\vmware tools\vmwaretray.exe
\device\harddiskvolume1\windows\system32\cmd.exe
\device\harddiskvolume1\program files\vmware\vmware tools\vmwareuser.exe
\device\harddiskvolume1\program files\microsoft office\office11\excel.exe
Behavior description: Sets special file attributes
details:C:\hxaurm.pif
C:\DiskD\jfcr.exe
C:\DiskX\bfxlf.exe
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
Behavior description: Maps files with write access
details:hh8geqpHJTkdns0
purity_control_90833
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wincborgn.exe
\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
\WINDOWS\system32\notepad.exe
\WINDOWS\system32\Cmb_Pb_LiveUpdate.exe
\DiskD\jfcr.exe
\DiskX\bfxlf.exe
\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
\Program Files\VMware\VMware Tools\VMwareTray.exe
\WINDOWS\system32\cmd.exe
\Program Files\VMware\VMware Tools\VMwareUser.exe
\Program Files\Microsoft Office 2007\Office12\WINWORD.EXE
\Program Files\Microsoft Office 2007\Office12\POWERPNT.EXE
\Program Files\Microsoft Office 2007\Office12\EXCEL.EXE
Behavior description: Creates an autorun file in the root directory
details:C:\autorun.inf
Behavior description: Sets special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Modifies file contents
details:C:\WINDOWS\system.ini---> Offset = 231
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wincborgn.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winjhcid.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winyrif.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winwwli.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mwnqd.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\adrygo.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\jjoeow.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winppsv.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winqlvt.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winsaal.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rmcnfv.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\eukfs.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winmtioo.exe---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kyhpyq.exe---> Offset = 0
Network behavior
Behavior description: Opens URLs over the network
details:InternetOpenUrlA: http://althawry.org/images/xs.jpg?5a957=1484124 hInternet = 0x0000057c
InternetOpenUrlA: http://www.careerdesk.org/images/xs.jpg?5a9e3=3711710 hInternet = 0x0000057c
InternetOpenUrlA: http://arthur.niria.biz/xs.jpg?5aa12=2598526 hInternet = 0x0000057c
InternetOpenUrlA: http://amsamex.com/xs.jpg?5aa41=742530 hInternet = 0x0000057c
InternetOpenUrlA: http://apple-pie.in/images/xs.jpg?5aa60=3341664 hInternet = 0x0000057c
InternetOpenUrlA: http://ahmediye.net/xs.jpg?5aaaf=3342375 hInternet = 0x0000057c
InternetOpenUrlA: http://g2.arrowhitech.com/xs.jpg?5aaed=1485748 hInternet = 0x0000057c
InternetOpenUrlA: http://ampyazilim.com.tr/images/xs2.jpg?5ab2c=3715000 hInternet = 0x0000057c
InternetOpenUrlA: http://althawry.org/images/xs.jpg?5af52=2980496 hInternet = 0x00000620
InternetOpenUrlA: http://www.careerdesk.org/images/xs.jpg?5af81=1117827 hInternet = 0x00000620
InternetOpenUrlA: http://arthur.niria.biz/xs.jpg?5afbf=1490684 hInternet = 0x00000620
InternetOpenUrlA: http://amsamex.com/xs.jpg?5affe=1863670 hInternet = 0x00000620
InternetOpenUrlA: http://apple-pie.in/images/xs.jpg?5b02d=1118343 hInternet = 0x00000620
InternetOpenUrlA: http://ahmediye.net/xs.jpg?5b06b=2982744 hInternet = 0x00000620
InternetOpenUrlA: http://g2.arrowhitech.com/xs.jpg?5b08b=2610125 hInternet = 0x00000620
Behavior description: Downloads files
details:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winjhcid.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winyrif.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winwwli.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mwnqd.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\adrygo.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\jjoeow.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winppsv.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winqlvt.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winsaal.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rmcnfv.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\eukfs.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winmtioo.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kyhpyq.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hvanhg.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kukcv.exe
Behavior description: Reads files from the network
details:hFile = 0x0000057c, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000620, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000574, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000564, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000548, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000578, BytesToRead =1024, BytesRead = 1024.
hFile = 0x000006ec, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000530, BytesToRead =1024, BytesRead = 1024.
hFile = 0x0000052c, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000520, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000510, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000508, BytesToRead =1024, BytesRead = 1024.
hFile = 0x000004fc, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000528, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000500, BytesToRead =1024, BytesRead = 1024.
Registry behavior
Behavior description: Modifies the registry
details:\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\%temp%\1424762736.712899.exe
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Aasppapmmxkvs\-993627007\1768776769
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Aasppapmmxkvs\-993627007\-757413758
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Aasppapmmxkvs\-993627007\1011363011
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Aasppapmmxkvs\-993627007\-1514827516
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Aasppapmmxkvs\-993627007\253949253
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Aasppapmmxkvs\-993627007\-503464505
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Aasppapmmxkvs\A1_0
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Aasppapmmxkvs\A2_0
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Aasppapmmxkvs\A3_0
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Aasppapmmxkvs\A4_0
Behavior description: Modifies registry: Explorer file display settings
details:\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
Behavior description: Modifies registry: key UAC settings
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
Behavior description: Deletes registry keys
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\AppMgmt
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Base
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Boot Bus Extender
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Boot file system
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\CryptSvc
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\DcomLaunch
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmadmin
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmboot.sys
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmio.sys
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmload.sys
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmserver
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\EventLog
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\File system
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Filter
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Netlogon
Behavior description: Modifies registry: Security Center settings
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UacDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\UpdatesDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\UacDisableNotify
Behavior description: Deletes registry values
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\AlternateShell
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Aasppapmmxkvs\A1_0
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Aasppapmmxkvs\A2_0
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Aasppapmmxkvs\A3_0
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Aasppapmmxkvs\A4_0
Other behavior
Behavior description: Creates driver file images
details:C:\WINDOWS\system32\drivers\ipfltdrv.sys
C:\WINDOWS\system32\drivers\mmjhq.sys
Behavior description: Creates mutexes
details:uxJLpe1m
smss.exeM_540_
csrss.exeM_596_
winlogon.exeM_620_
services.exeM_664_
lsass.exeM_676_
vboxservice.exeM_836_
33acthlp.exeM_848_
svchost.exeM_892_
svchost.exeM_956_
svchost.exeM_996_
svchost.exeM_1080_
svchost.exeM_1144_
spoolsv.exeM_1236_
33upgradehelper.exeM_1516_
Behavior description: Attempts to connect to a rootkit driver device object
details:\??\amsint32
Behavior description: Loads a driver (normal load)
details:system32\DRIVERS\ipfltdrv.sys
\??\C:\WINDOWS\system32\drivers\mmjhq.sys
Behavior description: Starts system services
details:[服务启动成功]: , IP Traffic Filter Driver, system32\DRIVERS\ipfltdrv.sys
[服务启动成功]: , amsint32, \??\C:\WINDOWS\system32\drivers\mmjhq.sys
Behavior description: Acquires a system privilege
details:SE_DEBUG_PRIVILEGE
Behavior description: Stops system services
details:ServiceName = Application Layer Gateway Service
ServiceName = Windows Firewall/Internet Connection Sharing (ICS)
ServiceName = Security Center
Behavior description: Queries file attributes to detect VMware
details:GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwaretray.exe
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwareuser.exe
Behavior description: Creates system services
details:[服务已存在]: IPFILTERDRIVER, C:\WINDOWS\system32\drivers\ipfltdrv.sys
[服务创建成功]: amsint32, C:\WINDOWS\system32\drivers\mmjhq.sys