VirSCAN
File information
Safety rating: 20
Behavior list
Basic information
MD5: e5effcb4247d82b590b750f33bf79511
File type: EXE
Vendor:
Version:
Packer or compiler info: PACKER:ASPack 2.x (without poly) -> Alexey Solodovnikov
Main behaviors
Behavior description: Detects virtual machine by querying file attributes
Details: GetFileAttributesEx: FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序\Oracle VM VirtualBox Guest Additions\Uninstall.lnk
GetFileAttributesEx: FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序\Oracle VM VirtualBox Guest Additions\Website.lnk
Behavior description: Sets a message hook
Details: C:\WINDOWS\system32\.dll
Behavior description: Gets basic user information
Details: Level = 2.
Behavior description: Sets a startup item
Details: C:\Documents and Settings\All Users\「开始」菜单\程序\启动\.lnk
Behavior description: Deletes the HOSTS file after renaming it
Details: C:\WINDOWS\system32\drivers\etc\hosts
Behavior description: Process privilege information
Details: NT AUTHORITY\SYSTEM
Behavior description: Detects virtual machine via VMware special instruction
Details: N/A
Behavior description: Modifies an original system executable file
Details: C:\WINDOWS\system32\appmgmts.dll
Behavior description: Modifies registry: image hijacking (Image File Execution Options)
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsMain.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pfw.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FYFireWall.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KavPFW.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DSMain.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVTIMER.EXE\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avsynmgr.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe\Debugger
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscan.exe\Debugger
Behavior description: Reads the CPU clock directly
Details: EAX = 0xaa4bc752, EDX = 0x000000b4
EAX = 0xaa4bc79e, EDX = 0x000000b4
EAX = 0xaa4bc7ea, EDX = 0x000000b4
EAX = 0xaa4bc836, EDX = 0x000000b4
EAX = 0xaa4bc882, EDX = 0x000000b4
EAX = 0xaa4bc8ce, EDX = 0x000000b4
EAX = 0xaa4bc91a, EDX = 0x000000b4
EAX = 0xaa4bc966, EDX = 0x000000b4
EAX = 0xaa4bc9b2, EDX = 0x000000b4
EAX = 0xaa4bc9fe, EDX = 0x000000b4
EAX = 0xd7701990, EDX = 0x000000bc
Behavior description: Detects virtual machine by searching for files
Details: FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序\Oracle VM VirtualBox Guest Additions\*.*
Behavior description: Sets special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache
C:\Documents and Settings\Administrator\IECompatCache
C:\Documents and Settings\All Users\「开始」菜单\程序\启动
C:\WINDOWS\system32
Behavior description: Attempts to open the driver device objects of debuggers or monitoring software
Details: \??\SICE
\??\SIWVID
\??\NTICE
Behavior description: Gets the TickCount value
Details: TickCount = 229504, SleepMilliseconds = 20.
TickCount = 233879, SleepMilliseconds = 20.
TickCount = 237140, SleepMilliseconds = 3000.
TickCount = 237171, SleepMilliseconds = 3000.
TickCount = 237187, SleepMilliseconds = 3000.
TickCount = 237250, SleepMilliseconds = 3000.
TickCount = 237265, SleepMilliseconds = 3000.
TickCount = 237703, SleepMilliseconds = 3000.
TickCount = 237718, SleepMilliseconds = 3000.
TickCount = 237875, SleepMilliseconds = 3000.
TickCount = 237890, SleepMilliseconds = 3000.
TickCount = 237906, SleepMilliseconds = 3000.
TickCount = 237968, SleepMilliseconds = 3000.
TickCount = 238203, SleepMilliseconds = 3000.
TickCount = 238250, SleepMilliseconds = 3000.
Behavior description: Modifies the HOSTS file
Details: C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 0
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 128
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 256
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 384
C:\WINDOWS\system32\drivers\etc\hosts ---> Offset = 512
Behavior description: Looks up PE resource information
Details: (FindResourceA) hModule = 0x00000000, ResName: sys, ResType: sysfile
(FindResourceA) hModule = 0x00000000, ResName: dll, ResType: dllfile
Behavior description: Creates a file on the desktop
Details: C:\Documents and Settings\Administrator\桌面\Internet Explorer.lnk
Behavior description: Creates an autorun file in the root directory
Details: C:\DiskD\AutoRun.inf
C:\AutoRun.inf
Behavior description: Calls critical system APIs directly
Details: Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x004409FD
Index = 0x000000E5, Name: NtSetInformationThread, Instruction Address = 0x0043C0B9
Index = 0x00000061, Name: NtLoadDriver, Instruction Address = 0x0040679E
Behavior description: Loads a driver (normal method)
Details: \??\C:\WINDOWS\system32\drivers\BGS.sys
Behavior description: Sets special file attributes
Details: C:\Program Files\mos.exe
C:\WINDOWS\system32\.dll
C:\WINDOWS\system32\wuauolt.exe
C:\DiskD\QGS.exe
C:\QGS.exe
Behavior description: Modifies registry: installed input method (keyboard layout) entries
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\E0010804\Layout File
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\E0010804\Layout Text
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\00000407\Layout Text
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\00000407\Layout Display Name
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\00000407\Layout File
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\00000408\Layout Text
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\00000408\Layout Display Name
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\00000408\Layout File
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\00000409\Layout File
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\00000409\Layout Text
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\00000409\Layout Display Name
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\0000040a\Layout Text
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\0000040a\Layout Display Name
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\0000040a\Layout File
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\0000040c\Layout Text
Process behaviors
Behavior description: Creates a process with a hidden window
Details: ImagePath = , CmdLine = reg export "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts" C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\r386a59e9.txt
ImagePath = , CmdLine = reg import C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\r386a59e9.txt
Behavior description: Creates a process
Details: [0x00000b64]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg export "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts" C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\r386a59e9.txt
[0x00000b6c]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg import C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\r386a59e9.txt
[0x00000bd8]ImagePath = C:\WINDOWS\explorer.exe, CmdLine = C:\WINDOWS\explorer.exe C:\Documents and Settings\Administrator\Local Settings\%temp%\996E
[0x00000c4c]ImagePath = C:\Program Files\Internet Explorer\iexplore.exe, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.yixun.com/
[0x00000c88]ImagePath = C:\Program Files\Internet Explorer\iexplore.exe, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:3148 CREDAT:79873
[0x00000eb0]ImagePath = C:\WINDOWS\system32\verclsid.exe, CmdLine = /S /C {2559A1F4-21D7-11D4-BDAF-00C04F60B9F0} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
[0x00000f08]ImagePath = C:\WINDOWS\system32\verclsid.exe, CmdLine = /S /C {2559A1F5-21D7-11D4-BDAF-00C04F60B9F0} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
Behavior description: Creates a local thread
Details: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2740, ThreadID = 2756, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: taskmgr.exe, InheritedFromPID = 2000, ProcessID = 1024, ThreadID = 2936, StartAddress = 00C82008, Parameter = 00000000
TargetProcess: explorer.exe, InheritedFromPID = 1932, ProcessID = 2000, ThreadID = 2940, StartAddress = 03B52008, Parameter = 00000000
TargetProcess: QQ.exe, InheritedFromPID = 2000, ProcessID = 268, ThreadID = 2944, StartAddress = 013E2008, Parameter = 00000000
TargetProcess: patchupdate.exe, InheritedFromPID = 2348, ProcessID = 2428, ThreadID = 2948, StartAddress = 00A12008, Parameter = 00000000
TargetProcess: Simulator.exe, InheritedFromPID = 2284, ProcessID = 2348, ThreadID = 2952, StartAddress = 014C2008, Parameter = 00000000
TargetProcess: QQ.exe, InheritedFromPID = 2348, ProcessID = 2408, ThreadID = 2956, StartAddress = 00DF2008, Parameter = 00000000
TargetProcess: tm.exe, InheritedFromPID = 2348, ProcessID = 2484, ThreadID = 2960, StartAddress = 00A12008, Parameter = 00000000
TargetProcess: conime.exe, InheritedFromPID = 476, ProcessID = 528, ThreadID = 2964, StartAddress = 009B2008, Parameter = 00000000
TargetProcess: ctfmon.exe, InheritedFromPID = 2000, ProcessID = 248, ThreadID = 2968, StartAddress = 009A2008, Parameter = 00000000
TargetProcess: EasyWebSvr.exe, InheritedFromPID = 2000, ProcessID = 1248, ThreadID = 2972, StartAddress = 00D52008, Parameter = 00000000
TargetProcess: reader_sl.exe, InheritedFromPID = 2000, ProcessID = 220, ThreadID = 2976, StartAddress = 00AF2008, Parameter = 00000000
TargetProcess: explorer.exe, InheritedFromPID = 1932, ProcessID = 2000, ThreadID = 2980, StartAddress = 7C930230, Parameter = 00000000
TargetProcess: explorer.exe, InheritedFromPID = 1932, ProcessID = 2000, ThreadID = 3068, StartAddress = 75F15339, Parameter = 0014DFF8
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2740, ThreadID = 3072, StartAddress = 00416030, Parameter = 00000000
Behavior description: Enumerates processes
Details: N/A
Behavior description: Creates a process from a newly created file
Details: [0x00000aec]ImagePath = C:\55741958.exe, CmdLine = C:\55741958.exe
[0x00000c2c]ImagePath = C:\WINDOWS\system32\wuauolt.exe, CmdLine = C:\WINDOWS\system32\wuauolt.exe
File behaviors
Behavior description: Creates a file
Details: C:\55741958.exe
C:\Documents and Settings\Infotmp.txt
C:\WINDOWS\system32\7E4209E4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\r386a59e9.txt
C:\WINDOWS\system32\drivers\BGS.sys
C:\WINDOWS\system32\wuauolt.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{64B7C858-84E9-11E8-91C0-7B****28}.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF5264.tmp
C:\WINDOWS\Temp\rd271e94.txt
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{64B7C859-84E9-11E8-91C0-7B****28}.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF886B.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\yixun_com[1]
C:\Program Files\mos.exe
C:\WINDOWS\system32\.dll
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk
Behavior description: Creates an executable file
Details: C:\55741958.exe
C:\WINDOWS\system32\7E4209E4.tmp
C:\WINDOWS\system32\drivers\BGS.sys
C:\WINDOWS\system32\wuauolt.exe
C:\Program Files\mos.exe
C:\WINDOWS\system32\.dll
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
C:\DiskD\QGS.exe
C:\QGS.exe
Behavior description: Deletes a file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\r386a59e9.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF5264.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF886B.tmp
C:\WINDOWS\system32\drivers\BGS.sys
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\favicon[1].ico
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Behavior description: Overwrites an existing file
Details: C:\WINDOWS\system32\drivers\BGS.sys
C:\Documents and Settings\Administrator\桌面\Internet Explorer.lnk
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk
Behavior description: Searches for a file
Details: FileName = C:\55741958.exe
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\reg.exe
FileName = C:\Documents and Settings\Administrator\桌面\*.*
FileName = C:\Documents and Settings\All Users\桌面\*.*
FileName = C:\*.*
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\My Documents
FileName = C:\Documents and Settings\root
FileName = C:\Documents and Settings\root\My Documents
FileName = C:\SAVEAS\*.*
FileName = C:\WINDOWS\*.*
FileName = C:\WINDOWS\explorer.exe
Behavior description: Copies a file
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe ---> C:\WINDOWS\system32\wuauolt.exe
C:\WINDOWS\system32\wuauolt.exe ---> C:\Program Files\mos.exe
C:\WINDOWS\system32\wuauolt.exe ---> D:\QGS.exe
C:\WINDOWS\system32\.sss ---> D:\AutoRun.inf
C:\WINDOWS\system32\wuauolt.exe ---> C:\QGS.exe
C:\WINDOWS\system32\.sss ---> C:\AutoRun.inf
Behavior description: Modifies file contents
Details: C:\55741958.exe ---> Offset = 0
C:\Documents and Settings\Infotmp.txt ---> Offset = 0
C:\WINDOWS\system32\7E4209E4.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\r386a59e9.txt ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\r386a59e9.txt ---> Offset = 2
C:\Documents and Settings\Administrator\Local Settings\Temp\r386a59e9.txt ---> Offset = 1026
C:\Documents and Settings\Administrator\Local Settings\Temp\r386a59e9.txt ---> Offset = 2050
C:\Documents and Settings\Administrator\Local Settings\Temp\r386a59e9.txt ---> Offset = 3074
C:\WINDOWS\system32\appmgmts.dll ---> Offset = 0
C:\WINDOWS\system32\appmgmts.dll ---> Offset = 4096
C:\WINDOWS\system32\appmgmts.dll ---> Offset = 8192
C:\WINDOWS\system32\appmgmts.dll ---> Offset = 12288
C:\WINDOWS\system32\drivers\BGS.sys ---> Offset = 0
C:\WINDOWS\system32\wuauolt.exe ---> Offset = 0
C:\WINDOWS\system32\wuauolt.exe ---> Offset = 65536
Network behaviors
Behavior description: Downloads a file
Details: URLDownloadToFileW: http://ww****om/favicon.ico ---> C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Behavior description: Connects to a specified site
Details: InternetConnectA: ServerName = ww****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
Behavior description: Opens an HTTP connection
Details: InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489), hSession = 0x00cc0004
InternetOpenA: UserAgent: Internal, hSession = 0x00cc0004
Behavior description: Establishes a connection to a specified socket
Details: URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x0000044c
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x00000588
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x00000288
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x000002b4
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x000002d4
Behavior description: Reads a network file
Details: hFile = 0x00cc000c, BytesToRead =2048, BytesRead = 2048.
Behavior description: Sends an HTTP packet
Details: GET / HTTP/1.1 Accept: */* Accept-Language: zh-cn User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Accept-Encoding: gzip, deflate Host: ww****om Connection: Keep-Alive
GET /favicon.ico HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: ww****om Connection: Keep-Alive
Behavior description: Opens an HTTP request
Details: HttpOpenRequestA: ww****om:80/, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400200
HttpOpenRequestA: ww****om:80/favicon.ico, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00600010
Behavior description: Resolves a host address by name
Details: GetAddrInfoW: ww****om
Registry behaviors
Behavior description: Modifies registry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\0\MRUListEx
\REGISTRY\USER\S-*\SessionInformation\ProgramCount
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Recovery\Active\{64B7C858-84E9-11E8-91C0-7B****28}
\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\{63800dac-e7ca-4df9-9a5c-20765055488d}\Enable
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32\
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\Window_Placement
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTime
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeCount
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore\Count
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore\Time
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\InprocServer32\
Behavior description: Modifies registry: Explorer file display attributes
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
Behavior description: Deletes registry key: safe mode startup entries
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}\
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\
Behavior description: Modifies registry: pending file rename entry
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Session Manager\PendingFileRenameOperations
Behavior description: Modifies registry: critical folder attributes
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
Behavior description: Modifies registry: service entry
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\aec\ImagePath
Behavior description: Deletes registry key
Details: \REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\{63800dac-e7ca-4df9-9a5c-20765055488d}\
\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\
\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\
\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBB}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBB}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBC}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBC}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\
\REGISTRY\USER\S-*_CLASSES\JavaPlugin.1000\CLSID\
Behavior description: Deletes registry value
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Session Manager\PendingFileRenameOperations
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\0\1\1\0\1\1\MRUList
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\0\1\1\0\1\1\0\MRUList
\REGISTRY\USER\S-*\Software\Microsoft\Windows\Shell\Bags\1\Desktop\ItemPos1920x973(1)
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\Bags\56\Shell\ItemPos1920x973(1)
Behavior description: Deletes registry key: installed input method (keyboard layout) entries
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\E0050804\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\E0040804\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\E0010804\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\00040409\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\00030409\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\00020409\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\00010409\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\0000201a\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\0000085d\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\00000809\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\00000804\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\0000046e\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\0000041d\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\00000419\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Keyboard Layouts\00000412\
Other behaviors
Behavior description: Checks whether it is being debugged
Details: IsDebuggerPresent
Behavior description: Hides a specified window
Details: [Window,Class] = [,ComboLBox]
[Window,Class] = [,Auto-Suggest Dropdown]
[Window,Class] = [,ATL:65164288]
[Window,Class] = [「开始」菜单,DV2ControlHost]
[Window,Class] = [,BrowserFrameGripperClass]
[Window,Class] = [缩放级别,ToolbarWindow32]
[Window,Class] = [,msctls_progress32]
[Window,Class] = [,SysLink]
[Window,Class] = [,Static]
[Window,Class] = [http://www.yixun.com/ - Windows Internet Explorer,IEFrame]
[Window,Class] = [,UniversalSearchBand]
[Window,Class] = [,TravelBand]
[Window,Class] = [,CommandBarClass]
[Window,Class] = [,ReBarWindow32]
[Window,Class] = [,TabBandClass]
Behavior description: Starts a system service
Details: [service started successfully]: LocalSystem, Application Management, C:\WINDOWS\system32\svchost.exe -k netsvcs
Behavior description: Executable file signature information
Details: C:\55741958.exe (signature verification: failed)
C:\WINDOWS\system32\7E4209E4.tmp (signature verification: failed)
C:\WINDOWS\system32\drivers\BGS.sys (signature verification: failed)
C:\WINDOWS\system32\wuauolt.exe (signature verification: failed)
C:\Program Files\mos.exe (signature verification: failed)
C:\WINDOWS\system32\.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico (signature verification: failed)
C:\DiskD\QGS.exe (signature verification: failed)
C:\QGS.exe (signature verification: failed)
Behavior description: Loads a newly dropped file
Details: Image: C:\WINDOWS\system32\7E4209E4.tmp.
Image: C:\WINDOWS\system32\.dll.
Behavior description: Signature information of the modified executable
Details: C:\WINDOWS\system32\appmgmts.dll (signature verification: failed)
Behavior description: Executable file MD5
Details: C:\55741958.exe ---> 1ca4226e9e42ac6bdf141e280fd5d557
C:\WINDOWS\system32\7E4209E4.tmp ---> b1f7ad5aa278d948e97e5eb358aef615
C:\WINDOWS\system32\drivers\BGS.sys ---> d5d4c4fe2caf50c5d26db597dfdefafd
C:\WINDOWS\system32\wuauolt.exe ---> e5effcb4247d82b590b750f33bf79511
C:\Program Files\mos.exe ---> e5effcb4247d82b590b750f33bf79511
C:\WINDOWS\system32\.dll ---> 99749e4b6ff24e0249d7da472d252486
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico ---> fe1d0ee5901dd167ee9b28eece31786c
C:\DiskD\QGS.exe ---> e5effcb4247d82b590b750f33bf79511
C:\QGS.exe ---> e5effcb4247d82b590b750f33bf79511
Behavior description: Creates a mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.EHJ
Shell.CMruPidlList
MSCTF.Shared.MUTEX.IOH
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Local\!BrowserEmulation!SharedMemory!Mutex
RasPbFile
Behavior description: Opens an event
Details: HookSwitchHookEnabledEvent
Global\crypt32LogoffEvent
MSCTF.SendReceiveConection.Event.EHJ.IC
MSCTF.SendReceive.Event.EHJ.IC
Global\SvcctrlStartEvent_A3752DX
_fCanRegisterWithShellService
ExplorerWindowIdle
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Isolation Signal Registry Event (64B7C855-84E9-11E8-91C0-7B****28, 0)
\INSTALLATION_SECURITY_HOLD
Isolation Signal Registry Event (64B7C856-84E9-11E8-91C0-7B****28, 0)
Behavior description: Creates an event object
Details: EventName = DINPUTWINMM
EventName = Global\crypt32LogoffEvent
EventName = Global\userenv: User Profile setup event
EventName = Global\{6581F932-EEC4-422e-A5FD-0F78BB508683}
EventName = {C9B0DAEB-A558-432b-AF57-95DF5E9CE639}
EventName = Global\{55E27208-3F4A-4a4b-950B-073D7289BBD2}
EventName = CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
EventName = CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
EventName = MSCTF.SendReceive.Event.IOH.IC
EventName = MSCTF.SendReceiveConection.Event.IOH.IC
EventName = Isolation Signal Registry Event (64B7C855-84E9-11E8-91C0-7B****28, 0)
EventName = IE_EarlyTabStart_0xc50
EventName = Isolation Signal Registry Event (64B7C856-84E9-11E8-91C0-7B****28, 0)
EventName = MSCTF.SendReceive.Event.ENH.IC
EventName = MSCTF.SendReceiveConection.Event.ENH.IC
Behavior description: MD5 of the modified executable
Details: C:\WINDOWS\system32\appmgmts.dll ---> b1f7ad5aa278d948e97e5eb358aef615
Behavior description: Adjusts process token privileges
Details: SE_LOAD_DRIVER_PRIVILEGE
SE_DEBUG_PRIVILEGE
Behavior description: Enumerates windows
Details: N/A
Behavior description: Calls the Sleep function
Details: [1]: MilliSeconds = 20.
[2]: MilliSeconds = 20.
[3]: MilliSeconds = 20.
[4]: MilliSeconds = 20.
[5]: MilliSeconds = 20.
[6]: MilliSeconds = 20.
[7]: MilliSeconds = 20.
[8]: MilliSeconds = 20.
[9]: MilliSeconds = 20.
[10]: MilliSeconds = 20.
Behavior description: Opens a mutex
Details: ShimCacheMutex
EHOQ
Local\!IETld!Mutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
Local\!BrowserEmulation!SharedMemory!Mutex
RasPbFile
CtfmonInstMutexDefaultS-*
Local\RSS Eventing Connection Database Mutex 00000c4c
Local\c:!documents and settings!administrator!local settings!application data!microsoft!feeds cache!
Behavior description: Searches for a specified window
Details: NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [Acrobat Viewer,]
NtUserFindWindowEx: [Class,Window] = [,GINA Logon]
NtUserFindWindowEx: [Class,Window] = [,]
NtUserFindWindowEx: [Class,Window] = [SysListView32,]
NtUserFindWindowEx: [Class,Window] = [TXGuiFoundation,QQ2013]
NtUserFindWindowEx: [Class,Window] = [CTXOPConntion_Class,OP_2269840561]
NtUserFindWindowEx: [Class,Window] = [Static,]
NtUserFindWindowEx: [Class,Window] = [IEFrame,]