VirSCAN

File information
Safety rating: 40
Behavior list
Basic information
MD5:4e1cd4d94226e425a9c192043d137a2b
File type: EXE
Company: sdasdasdasda
Version: 69.46.78.18---69.46.78.18
Packer/compiler info: COMPILER: Microsoft Visual C# / Basic .NET
Key behaviors
Behavior: cross-process memory write
Details: TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe, WriteAddress = 0x00400000, Size = 0x00000400 TargetPID = 0x00000ce8
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe, WriteAddress = 0x00422000, Size = 0x00059e00 TargetPID = 0x00000ce8
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe, WriteAddress = 0x0047c000, Size = 0x00000200 TargetPID = 0x00000ce8
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe, WriteAddress = 0x7ffde008, Size = 0x00000004 TargetPID = 0x00000ce8
Behavior: probe for Virtual PC
Details: N/A
Behavior: query registry (virtual machine detection)
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Behavior: attempt to open debugger/monitoring driver device objects
Details: \??\SICE
\??\SIWVID
\??\NTICE
Behavior: set thread context
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
Behavior: read TickCount
Details: TickCount = 241284, SleepMilliseconds = 50.
TickCount = 241628, SleepMilliseconds = 50.
TickCount = 243159, SleepMilliseconds = 50.
TickCount = 243190, SleepMilliseconds = 50.
TickCount = 243206, SleepMilliseconds = 50.
TickCount = 243221, SleepMilliseconds = 50.
TickCount = 243378, SleepMilliseconds = 50.
TickCount = 243409, SleepMilliseconds = 50.
TickCount = 243846, SleepMilliseconds = 50.
TickCount = 243909, SleepMilliseconds = 50.
TickCount = 243925, SleepMilliseconds = 50.
TickCount = 244128, SleepMilliseconds = 50.
TickCount = 244190, SleepMilliseconds = 50.
TickCount = 244659, SleepMilliseconds = 50.
TickCount = 244846, SleepMilliseconds = 50.
Behavior: open registry key (virtual machine detection)
Details: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Behavior: cross-process write to code section
Details: TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe, WriteAddress = 0x00402000, Size = 0x00012600 TargetPID = 0x00000ce8
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe, WriteAddress = 0x0047e000, Size = 0x00000200 TargetPID = 0x00000ce8
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe, WriteAddress = 0x006f6000, Size = 0x00182e00 TargetPID = 0x00000ce8
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe, WriteAddress = 0x0087a000, Size = 0x00000200 TargetPID = 0x00000ce8
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe, WriteAddress = 0x0087c000, Size = 0x00002200 TargetPID = 0x00000ce8
Behavior: read CPU clock directly (RDTSC)
Details: EAX = 0x4fb6ccb4, EDX = 0x000000b7
EAX = 0x4fb6cd00, EDX = 0x000000b7
EAX = 0x5269cc7c, EDX = 0x000000b7
EAX = 0x5269ccc8, EDX = 0x000000b7
EAX = 0x54f19c51, EDX = 0x000000b7
EAX = 0x54f19c9d, EDX = 0x000000b7
EAX = 0xd0f04796, EDX = 0x000000b7
EAX = 0xd0f047e2, EDX = 0x000000b7
EAX = 0xd0f0482e, EDX = 0x000000b7
EAX = 0xd0f0487a, EDX = 0x000000b7
EAX = 0xaec70fe1, EDX = 0x000000c8
EAX = 0xaec7102d, EDX = 0x000000c8
EAX = 0xaec71079, EDX = 0x000000c8
EAX = 0xaec710c5, EDX = 0x000000c8
EAX = 0xaec71111, EDX = 0x000000c8
Behavior: search for specific kernel module
Details: lstrcmpiA: ntice.sys <------> ntkrnlpa.exe Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> hal.dll Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> KDCOM.DLL Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> BOOTVID.dll Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> ACPI.sys Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> WMILIB.SYS Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> pci.sys Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> isapnp.sys Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> compbatt.sys Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> BATTC.SYS Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> intelide.sys Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> PCIIDEX.SYS Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> MountMgr.sys Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> ftdisk.sys Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> dmload.sys Desc: SoftICE driver
Behavior: search for windows of common analysis tools
Details: NtUserFindWindowEx: [Class,Window] = [OLLYDBG,]
NtUserFindWindowEx: [Class,Window] = [GBDYLLO,]
NtUserFindWindowEx: [Class,Window] = [pediy06,]
NtUserFindWindowEx: [Class,Window] = [FilemonClass,]
NtUserFindWindowEx: [Class,Window] = [,File Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]
NtUserFindWindowEx: [Class,Window] = [,Process Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [RegmonClass,]
NtUserFindWindowEx: [Class,Window] = [,Registry Monitor - Sysinternals: www.sysinternals.com]
Behavior: VMware special-instruction VM detection
Details: N/A
Process behaviors
Behavior: cross-process memory write
Details: TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe, WriteAddress = 0x00400000, Size = 0x00000400 TargetPID = 0x00000ce8
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe, WriteAddress = 0x00422000, Size = 0x00059e00 TargetPID = 0x00000ce8
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe, WriteAddress = 0x0047c000, Size = 0x00000200 TargetPID = 0x00000ce8
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe, WriteAddress = 0x7ffde008, Size = 0x00000004 TargetPID = 0x00000ce8
Behavior: create local thread
Details: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2688, StartAddress = 792A741C, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2692, StartAddress = 791F59C0, Parameter = 001B01D0
TargetProcess: asd.exe, InheritedFromPID = 2676, ProcessID = 2844, ThreadID = 2936, StartAddress = 0047EB63, Parameter = 00616194
TargetProcess: asd.exe, InheritedFromPID = 2676, ProcessID = 2844, ThreadID = 2940, StartAddress = 0047EB63, Parameter = 00616BB5
TargetProcess: asd.exe, InheritedFromPID = 2676, ProcessID = 2844, ThreadID = 2944, StartAddress = 0047EB63, Parameter = 00617D20
TargetProcess: asd.exe, InheritedFromPID = 2676, ProcessID = 2844, ThreadID = 2948, StartAddress = 0047EB63, Parameter = 00619DE6
TargetProcess: asd.exe, InheritedFromPID = 2676, ProcessID = 2844, ThreadID = 2952, StartAddress = 0047EB63, Parameter = 0061A795
TargetProcess: asd.exe, InheritedFromPID = 2676, ProcessID = 2844, ThreadID = 2956, StartAddress = 0047EB63, Parameter = 0061B332
TargetProcess: asd.exe, InheritedFromPID = 2676, ProcessID = 2844, ThreadID = 2960, StartAddress = 0047EB63, Parameter = 0061BC27
TargetProcess: asd.exe, InheritedFromPID = 2676, ProcessID = 2844, ThreadID = 2964, StartAddress = 0047EB63, Parameter = 0061C6EF
TargetProcess: asd.exe, InheritedFromPID = 2676, ProcessID = 2844, ThreadID = 2968, StartAddress = 0047EB63, Parameter = 00620C72
TargetProcess: asd.exe, InheritedFromPID = 2676, ProcessID = 2844, ThreadID = 2972, StartAddress = 0047EB63, Parameter = 00621B9C
TargetProcess: asd.exe, InheritedFromPID = 2676, ProcessID = 2844, ThreadID = 2976, StartAddress = 0047EB63, Parameter = 00622C99
TargetProcess: asd.exe, InheritedFromPID = 2676, ProcessID = 2844, ThreadID = 2980, StartAddress = 0047EB63, Parameter = 00623C06
TargetProcess: asd.exe, InheritedFromPID = 2676, ProcessID = 2844, ThreadID = 2984, StartAddress = 0047EB63, Parameter = 00624BFE
Behavior: set thread context
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
Behavior: enumerate processes
Details: N/A
Behavior: cross-process write to code section
Details: TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe, WriteAddress = 0x00402000, Size = 0x00012600 TargetPID = 0x00000ce8
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe, WriteAddress = 0x0047e000, Size = 0x00000200 TargetPID = 0x00000ce8
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe, WriteAddress = 0x006f6000, Size = 0x00182e00 TargetPID = 0x00000ce8
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe, WriteAddress = 0x0087a000, Size = 0x00000200 TargetPID = 0x00000ce8
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe, WriteAddress = 0x0087c000, Size = 0x00002200 TargetPID = 0x00000ce8
Behavior: create new process from file
Details: [0x00000b1c]ImagePath = C:\Documents and Settings\Administrator\Local Settings\Application Data\asd.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\Application Data\asd.exe"
[0x00000ce8]ImagePath = C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe"
File behaviors
Behavior: create file
Details: C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\asd.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\hs
C:\Documents and Settings\Administrator\Application Data\DCFF734B-BC3F-43CB-8911-9B5D467629CF\run.dat
Behavior: create executable file
Details: C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\asd.exe
Behavior: modify file content
Details: C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe ---> Offset = 4096
C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe ---> Offset = 8192
C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe ---> Offset = 12288
C:\Documents and Settings\Administrator\Local Settings\Application Data\asd.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Application Data\hs ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\DCFF734B-BC3F-43CB-8911-9B5D467629CF\run.dat ---> Offset = 0
Behavior: search for file
Details: FileName = C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
FileName = C:\WINDOWS\Microsoft.NET\Framework\\*
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.INI
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\996E.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.INI
FileName = C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.INI
Behavior: copy file
Details: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe ---> C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe
Registry behaviors
Behavior: modify registry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Administrator\Local Settings\Application Data\asd.exe
Behavior: open registry key (virtual machine detection)
Details: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Behavior: query registry (virtual machine detection)
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Other behaviors
Behavior: check whether it is being debugged
Details: IsDebuggerPresent
Behavior: hide specified window
Details: [Window,Class] = [,WindowsForms10.Window.8.app.0.378734a]
Behavior: executable signature information
Details: C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe (signature verification: passed)
C:\Documents and Settings\Administrator\Local Settings\Application Data\asd.exe (signature verification: failed)
Behavior: search for specific kernel module
Details: lstrcmpiA: ntice.sys <------> ntkrnlpa.exe Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> hal.dll Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> KDCOM.DLL Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> BOOTVID.dll Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> ACPI.sys Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> WMILIB.SYS Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> pci.sys Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> isapnp.sys Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> compbatt.sys Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> BATTC.SYS Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> intelide.sys Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> PCIIDEX.SYS Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> MountMgr.sys Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> ftdisk.sys Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> dmload.sys Desc: SoftICE driver
Behavior: VMware special-instruction VM detection
Details: N/A
Behavior: decrypt data
Details: [CryptDecrypt] Data: 0x037B0020, CipherTextLen: 2046464, PlainTextLen: 2046464, Flags: 0x00000000
[CryptDecrypt] Data: 0x001D7DA0, CipherTextLen: 8, PlainTextLen: 8, Flags: 0x00000000
[CryptDecrypt] Data: 0x001D2C60, CipherTextLen: 367960, PlainTextLen: 367960, Flags: 0x00000000
Behavior: executable file MD5
Details: C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe ---> 88e05f3b2031980a48d458eb78c67659
C:\Documents and Settings\Administrator\Local Settings\Application Data\asd.exe ---> 3cb8722ebf79e6376ac68d32a9ebd768
Behavior: search for windows of common analysis tools
Details: NtUserFindWindowEx: [Class,Window] = [OLLYDBG,]
NtUserFindWindowEx: [Class,Window] = [GBDYLLO,]
NtUserFindWindowEx: [Class,Window] = [pediy06,]
NtUserFindWindowEx: [Class,Window] = [FilemonClass,]
NtUserFindWindowEx: [Class,Window] = [,File Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]
NtUserFindWindowEx: [Class,Window] = [,Process Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [RegmonClass,]
NtUserFindWindowEx: [Class,Window] = [,Registry Monitor - Sysinternals: www.sysinternals.com]
Behavior: create mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
SHIMLIB_LOG_MUTEX
MSCTF.Shared.MUTEX.IOH
Global\{49eb0315-4e01-41f1-8049-e08a846c1678}
Global\.net clr networking
Behavior: attempt to open debugger/monitoring driver device objects
Details: \??\SICE
\??\SIWVID
\??\NTICE
Behavior: read TickCount
Details: TickCount = 241284, SleepMilliseconds = 50.
TickCount = 241628, SleepMilliseconds = 50.
TickCount = 243159, SleepMilliseconds = 50.
TickCount = 243190, SleepMilliseconds = 50.
TickCount = 243206, SleepMilliseconds = 50.
TickCount = 243221, SleepMilliseconds = 50.
TickCount = 243378, SleepMilliseconds = 50.
TickCount = 243409, SleepMilliseconds = 50.
TickCount = 243846, SleepMilliseconds = 50.
TickCount = 243909, SleepMilliseconds = 50.
TickCount = 243925, SleepMilliseconds = 50.
TickCount = 244128, SleepMilliseconds = 50.
TickCount = 244190, SleepMilliseconds = 50.
TickCount = 244659, SleepMilliseconds = 50.
TickCount = 244846, SleepMilliseconds = 50.
Behavior: open event
Details: Global\CLR_PerfMon_StartEnumEvent
\KernelObjects\LowMemoryCondition
HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
CTF.ThreadMIConnectionEvent.000007E8.00000000.0000000F
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.0000000F
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
CTF.ThreadMIConnectionEvent.000007E8.00000001.00000011
CTF.ThreadMarshalInterfaceEvent.000007E8.00000001.00000011
Behavior: search for kernel32.dll base address
Details: Instruction Address = 0x0047fa9d
Instruction Address = 0x0047fa37
Behavior: read CPU clock directly (RDTSC)
Details: EAX = 0x4fb6ccb4, EDX = 0x000000b7
EAX = 0x4fb6cd00, EDX = 0x000000b7
EAX = 0x5269cc7c, EDX = 0x000000b7
EAX = 0x5269ccc8, EDX = 0x000000b7
EAX = 0x54f19c51, EDX = 0x000000b7
EAX = 0x54f19c9d, EDX = 0x000000b7
EAX = 0xd0f04796, EDX = 0x000000b7
EAX = 0xd0f047e2, EDX = 0x000000b7
EAX = 0xd0f0482e, EDX = 0x000000b7
EAX = 0xd0f0487a, EDX = 0x000000b7
EAX = 0xaec70fe1, EDX = 0x000000c8
EAX = 0xaec7102d, EDX = 0x000000c8
EAX = 0xaec71079, EDX = 0x000000c8
EAX = 0xaec710c5, EDX = 0x000000c8
EAX = 0xaec71111, EDX = 0x000000c8
Behavior: probe for Virtual PC
Details: N/A
Behavior: create event object
Details: EventName = Global\CPFATE_2676_v4.0.30319
EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = Global\CorDBIPCSetupSyncEvent_2844
Behavior: search for specified window
Details: NtUserFindWindowEx: [Class,Window] = [18467-41,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behavior: encrypt data
Details: [CryptEncrypt] Data: 0x001D1FB8, PlainTextLen: 16, CipherTextLen: 16, Flags: 0x00000000
[CryptEncrypt] Data: 0x001C48B8, PlainTextLen: 16, CipherTextLen: 16, Flags: 0x00000000
Behavior: window information
Details: Pid = 2676, Hwnd=0x30340, Text = asdasdasdasda, ClassName = WindowsForms10.Window.8.app.0.2bf8098_r19_ad1.
Pid = 3304, Hwnd=0x203b4, Text = 确定 (OK), ClassName = Button.
Pid = 3304, Hwnd=0x203b2, Text = File corrupted!. This program has been manipulated and maybe it's infected by a Virus or cracked. This file won't work anymore., ClassName = Static.
Pid = 3304, Hwnd=0x303f8, Text = Themida, ClassName = #32770.
Behavior: adjust process token privileges
Details: SE_LOAD_DRIVER_PRIVILEGE
SE_DEBUG_PRIVILEGE
Behavior: call Sleep
Details: [1]: MilliSeconds = 50.
[2]: MilliSeconds = 20000.
[3]: MilliSeconds = -1.
[4]: MilliSeconds = 1000.
[5]: MilliSeconds = 1000.
[7]: MilliSeconds = 1000.
[6]: MilliSeconds = 500.
[8]: MilliSeconds = 50.
[9]: MilliSeconds = 50.
[10]: MilliSeconds = 50.
Behavior: open mutex
Details: ShimCacheMutex
Local\!IETld!Mutex
DBWinMutex
Global\CLR_CASOFF_MUTEX
Global\.net clr networking
Behavior: import key
Details: [CryptImportKey] Algorithm: CALG_DES (0x00006601), Data: 0x001D2EE8, DataLen: 20, Flags: 0x00000001
[CryptImportKey] Algorithm: CALG_DES (0x00006601), Data: 0x001C4CA0, DataLen: 20, Flags: 0x00000001
[CryptImportKey] Algorithm: CALG_DES (0x00006601), Data: 0x001C4808, DataLen: 20, Flags: 0x00000001
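The write sequence above is the classic RunPE / process-hollowing pattern: the sample copies cvtres.exe to notepad.exe, spawns it (PID 0x00000ce8, decimal 3304), overwrites the PE headers at 0x00400000, the sections above them, and a 4-byte value at 0x7ffde008 (ImageBaseAddress in the PEB on 32-bit XP), then calls SetThreadContext; PID 3304 is also the process that later shows the Themida "File corrupted!" dialog, so the injected payload's integrity check failed inside the sandbox. The script below is an added triage example, not part of the VirSCAN report or its tooling. It parses a constructed excerpt of the log above (in the translated Behavior:/Details: layout) and applies two heuristics: a hollowing score built from those indicators, and a sweep for the anti-analysis probes (SoftICE device names, debugger/monitor window classes, VirtualBox and BIOS registry artifacts). The indicator lists, the PEB+0x08 check, and the score threshold are assumptions of this example, not the sandbox's own rules.

```python
"""Triage a VirSCAN-style behavior log for RunPE hollowing and anti-analysis probes.
All rules and thresholds here are this example's assumptions, not the sandbox's."""
import re
from collections import defaultdict

# Constructed excerpt of the report above (translated Behavior:/Details: layout).
SAMPLE_LOG = r"""
Behavior: cross-process memory write
Details: TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe, WriteAddress = 0x00400000, Size = 0x00000400 TargetPID = 0x00000ce8
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe, WriteAddress = 0x00422000, Size = 0x00059e00 TargetPID = 0x00000ce8
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe, WriteAddress = 0x7ffde008, Size = 0x00000004 TargetPID = 0x00000ce8
Behavior: cross-process write to code section
Details: TargetProcess = C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe, WriteAddress = 0x00402000, Size = 0x00012600 TargetPID = 0x00000ce8
Behavior: set thread context
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
Behavior: create new process from file
Details: [0x00000b1c]ImagePath = C:\Documents and Settings\Administrator\Local Settings\Application Data\asd.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\Application Data\asd.exe"
[0x00000ce8]ImagePath = C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\Application Data\notepad.exe"
Behavior: attempt to open debugger/monitoring driver device objects
Details: \??\SICE
\??\NTICE
Behavior: search for windows of common analysis tools
Details: NtUserFindWindowEx: [Class,Window] = [OLLYDBG,]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]
Behavior: open registry key (virtual machine detection)
Details: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
"""

WRITE_RE = re.compile(r"TargetProcess = (?P<proc>.+?), WriteAddress = 0x(?P<addr>[0-9a-fA-F]+), "
                      r"Size = 0x(?P<size>[0-9a-fA-F]+) TargetPID = 0x(?P<pid>[0-9a-fA-F]+)")
SPAWN_RE = re.compile(r"\[0x([0-9a-fA-F]+)\]ImagePath")
# Assumed indicator lists; extend with whatever your own sandbox logs.
ANTI_ANALYSIS = {
    "debugger device objects": re.compile(r"\\\?\?\\(SICE|SIWVID|NTICE)\b", re.I),
    "analysis tool windows": re.compile(r"\[(OLLYDBG|PROCMON_WINDOW_CLASS|FilemonClass|RegmonClass),", re.I),
    "VM registry artifacts": re.compile(r"VBOX__|SystemBiosVersion|VideoBiosVersion|VMware", re.I),
}


def parse_report(text):
    """Return [(behavior, [detail lines])] from the Behavior:/Details: layout."""
    records = []
    for line in text.splitlines():
        if line.startswith("Behavior:"):
            records.append((line[len("Behavior:"):].strip(), []))
        elif line.startswith("Details:") and records:
            records[-1][1].append(line[len("Details:"):].strip())
        elif line.strip() and records:  # continuation detail line
            records[-1][1].append(line.strip())
    return records


def detect_hollowing(records):
    """Return {pid: evidence} for write targets that look like RunPE hollowing.

    Indicators: a small write at a 64 KiB-aligned image base (PE headers), a larger
    write into a section above it, a 4-byte write at PEB+0x08 (ImageBaseAddress;
    PEB at 0x7ffdXXXX on 32-bit XP/7), a SetThreadContext, and the target having
    been spawned by the sample itself. Four of five is the assumed threshold."""
    writes = defaultdict(list)
    for behavior, details in records:
        if behavior.startswith("cross-process"):
            for line in details:
                m = WRITE_RE.search(line)
                if m:
                    writes[int(m["pid"], 16)].append((int(m["addr"], 16), int(m["size"], 16), m["proc"]))
    set_ctx = any(b == "set thread context" for b, _ in records)
    spawned = {int(p, 16) for b, ds in records if b == "create new process from file"
               for line in ds for p in SPAWN_RE.findall(line)}
    hits = {}
    for pid, ws in writes.items():
        evidence = {
            "pe_headers": any(a % 0x10000 == 0 and s <= 0x1000 for a, s, _ in ws),
            "pe_sections": any(a % 0x10000 and a < 0x7f000000 and s > 0x1000 for a, s, _ in ws),
            "peb_imagebase": any(a >> 16 == 0x7ffd and a & 0xfff == 0x008 and s == 4 for a, s, _ in ws),
            "set_thread_context": set_ctx,
            "spawned_by_sample": pid in spawned,
        }
        score = sum(evidence.values())
        if score >= 4:
            hits[pid] = dict(evidence, score=score, target=ws[0][2])
    return hits


def detect_anti_analysis(records):
    """Return {indicator family: sorted matched names} over every detail line."""
    found = defaultdict(set)
    for _, details in records:
        for line in details:
            for label, rx in ANTI_ANALYSIS.items():
                m = rx.search(line)
                if m:
                    found[label].add(m.group(1) if m.lastindex else m.group(0))
    return {k: sorted(v) for k, v in found.items()}


if __name__ == "__main__":
    recs = parse_report(SAMPLE_LOG)
    for pid, info in detect_hollowing(recs).items():
        print(f"hollowing suspected: PID {pid} ({info['target']}) score {info['score']}/5")
    print(detect_anti_analysis(recs))
```

The PEB check is deliberately narrow (32-bit XP/7 layout, where the report's 0x7ffde008 write lands); on x64 or with a relocated PEB the ImageBaseAddress write lands elsewhere, so treat that indicator as a bonus rather than a requirement and rely on the header-plus-section writes followed by SetThreadContext.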
Execution screenshot: (image not included in this capture)