VirSCAN

1. Any file type can be uploaded, up to a size limit of 20 MB.
2. Rar/Zip archives are unpacked automatically, but must contain fewer than 20 files.
3. Password-protected archives are scanned only if the password is 'infected' or 'virus'.


File information
Safety score: 20
Behavior list
Basic information
MD5: 416174ca973e9138ae407804f59adee8
File type: zip
Vendor:
Version:
Packer or compiler info:
Sub-file info: microkms vip.exe / 404d398fb5b5169b8b558a1f5112490d / Autoit
Key behaviors
Behavior: Cross-process memory write
Details: TargetProcess = C:\WINDOWS\system32\winlogon.exe, WriteAddress = 0x00e30000, Size = 0x00002800 TargetPID = 0x00000260
TargetProcess = C:\WINDOWS\system32\winlogon.exe, WriteAddress = 0x00e40000, Size = 0x000002b4 TargetPID = 0x00000260
TargetProcess = C:\WINDOWS\system32\svchost.exe, WriteAddress = 0x00d30000, Size = 0x00002800 TargetPID = 0x00000368
TargetProcess = C:\WINDOWS\system32\svchost.exe, WriteAddress = 0x00d40000, Size = 0x000002b4 TargetPID = 0x00000368
Behavior: Modify registry: Safe Mode boot entries (SafeBoot)
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\.Winhlpsvr\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\.Winhlpsvr\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\ipnpf.sys\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\ipnpf.sys\
Behavior: Probe for Virtual PC
Details: N/A
Behavior: Load driver (standard method)
Details: \??\C:\WINDOWS\system32\drivers\tfsfltdrv.sys
Behavior: Query registry: VM-detection related
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0000\DriverDesc
Behavior: Create remote thread
Details: TargetProcess: winlogon.exe, InheritedFromPID = 520, ProcessID = 608, ThreadID = 3488, StartAddress = 00E30000, Parameter = 00E40000
TargetProcess: svchost.exe, InheritedFromPID = 652, ProcessID = 872, ThreadID = 3980, StartAddress = 00D30000, Parameter = 00D40000
TargetProcess: svchost.exe, InheritedFromPID = 652, ProcessID = 872, ThreadID = 4012, StartAddress = 00D30000, Parameter = 00D40000
TargetProcess: svchost.exe, InheritedFromPID = 652, ProcessID = 872, ThreadID = 1940, StartAddress = 00D30000, Parameter = 00D40000
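The cross-process write item and the remote-thread item above are the two halves of a WriteProcessMemory + CreateRemoteThread injection, but the sandbox records them separately and writes the target PID in hex in one item (0x260, 0x368) and in decimal in the other (608, 872). The script below is an added example, not part of the VirSCAN report or of the sample: it parses those lines (copied from the report) and checks, for every remote thread, that the start address falls inside a region the sample had just written into the same process and that the thread parameter points at the second, smaller written region.

```python
import re
from collections import defaultdict

# Input copied verbatim from the "Cross-process memory write" and
# "Create remote thread" items of the report above (sandbox output, not constructed).
WRITE_LINES = r"""
TargetProcess = C:\WINDOWS\system32\winlogon.exe, WriteAddress = 0x00e30000, Size = 0x00002800 TargetPID = 0x00000260
TargetProcess = C:\WINDOWS\system32\winlogon.exe, WriteAddress = 0x00e40000, Size = 0x000002b4 TargetPID = 0x00000260
TargetProcess = C:\WINDOWS\system32\svchost.exe, WriteAddress = 0x00d30000, Size = 0x00002800 TargetPID = 0x00000368
TargetProcess = C:\WINDOWS\system32\svchost.exe, WriteAddress = 0x00d40000, Size = 0x000002b4 TargetPID = 0x00000368
"""
THREAD_LINES = r"""
TargetProcess: winlogon.exe, InheritedFromPID = 520, ProcessID = 608, ThreadID = 3488, StartAddress = 00E30000, Parameter = 00E40000
TargetProcess: svchost.exe, InheritedFromPID = 652, ProcessID = 872, ThreadID = 3980, StartAddress = 00D30000, Parameter = 00D40000
TargetProcess: svchost.exe, InheritedFromPID = 652, ProcessID = 872, ThreadID = 4012, StartAddress = 00D30000, Parameter = 00D40000
TargetProcess: svchost.exe, InheritedFromPID = 652, ProcessID = 872, ThreadID = 1940, StartAddress = 00D30000, Parameter = 00D40000
"""

WRITE_RE = re.compile(
    r"TargetProcess = (?P<image>.+?), WriteAddress = (?P<addr>0x[0-9a-fA-F]+), "
    r"Size = (?P<size>0x[0-9a-fA-F]+) TargetPID = (?P<pid>0x[0-9a-fA-F]+)"
)
THREAD_RE = re.compile(
    r"TargetProcess: (?P<image>.+?), InheritedFromPID = (?P<ppid>\d+), "
    r"ProcessID = (?P<pid>\d+), ThreadID = (?P<tid>\d+), "
    r"StartAddress = (?P<start>[0-9a-fA-F]+), Parameter = (?P<param>[0-9a-fA-F]+)"
)


def parse_writes(text):
    """Map target PID -> {written base address: (size, target image path)}.
    The sandbox logs this PID in hex, while the thread log uses decimal."""
    writes = defaultdict(dict)
    for line in text.strip().splitlines():
        m = WRITE_RE.search(line)
        if m:
            writes[int(m["pid"], 16)][int(m["addr"], 16)] = (int(m["size"], 16), m["image"])
    return writes


def parse_threads(text):
    """Return remote-thread events with integer PID, TID and addresses."""
    events = []
    for line in text.strip().splitlines():
        m = THREAD_RE.search(line)
        if m:
            events.append({"pid": int(m["pid"]), "tid": int(m["tid"]),
                           "start": int(m["start"], 16), "param": int(m["param"], 16)})
    return events


def region_containing(regions, addr):
    """Base of the written region that contains addr, or None."""
    for base, (size, _) in regions.items():
        if base <= addr < base + size:
            return base
    return None


def correlate(writes, threads):
    """A remote thread whose start address lies inside memory the sample wrote into
    the same PID is injected code; a parameter inside another written region is
    the data block handed to that code."""
    findings = []
    for t in threads:
        regions = writes.get(t["pid"], {})
        code = region_containing(regions, t["start"])
        if code is None:
            continue  # thread starts in memory the sample never wrote: not this pattern
        data = region_containing(regions, t["param"])
        findings.append({
            "pid": t["pid"], "tid": t["tid"], "image": regions[code][1],
            "code_base": code, "code_size": regions[code][0],
            "data_base": data, "data_size": regions[data][0] if data is not None else None,
        })
    return findings


def injected_targets(findings):
    """Distinct (pid, image) pairs that received injected code."""
    return sorted({(f["pid"], f["image"]) for f in findings})


if __name__ == "__main__":
    hx = lambda v: "n/a" if v is None else f"{v:#x}"
    found = correlate(parse_writes(WRITE_LINES), parse_threads(THREAD_LINES))
    for f in found:
        print(f"PID {f['pid']} {f['image']}: thread {f['tid']} starts at {hx(f['code_base'])} "
              f"({hx(f['code_size'])} bytes written), param {hx(f['data_base'])} "
              f"({hx(f['data_size'])} bytes written)")
    print("injected into:", injected_targets(found))
```

On the report's data every one of the four remote threads starts at the base of the 0x2800-byte write and receives the 0x2b4-byte write as its argument, so the two items collapse to two injection targets: winlogon.exe (PID 608) and svchost.exe (PID 872). The same join is what a detection rule should do with ETW or sandbox telemetry rather than alerting on either API alone.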
Behavior: Read TickCount value
Details: TickCount = 220822, SleepMilliseconds = 10.
TickCount = 223421, SleepMilliseconds = 1000.
TickCount = 222978, SleepMilliseconds = 10.
TickCount = 224875, SleepMilliseconds = 1000.
TickCount = 224968, SleepMilliseconds = 1000.
TickCount = 225234, SleepMilliseconds = 1000.
TickCount = 225250, SleepMilliseconds = 1000.
TickCount = 225781, SleepMilliseconds = 1000.
TickCount = 226000, SleepMilliseconds = 1000.
TickCount = 226093, SleepMilliseconds = 1000.
TickCount = 226140, SleepMilliseconds = 1000.
TickCount = 226171, SleepMilliseconds = 1000.
TickCount = 226187, SleepMilliseconds = 1000.
TickCount = 226265, SleepMilliseconds = 1000.
TickCount = 226281, SleepMilliseconds = 1000.
Behavior: Open registry: VM-detection related
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\IDE\CdRomNECVMWar_VMware_IDE_CDR10_______________1.00____
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VMWARE_PHYSICAL_DISK_HELPER_SERVICE
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S&Rev_1.0
Behavior: Look up PE resource
Details: (FindResourceExExW) hModule = 0x00400000, ResName: 81(ID), ResType: RT_KERNEL
Behavior: Process privilege info
Details: NT AUTHORITY\SYSTEM
Behavior: Set special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\temp
C:\WINDOWS\system32\Ocular
C:\WINDOWS\system32\Ocular\Mails
C:\WINDOWS\system32\Ocular\Files
C:\WINDOWS\system32\Ocular\Temp
C:\WINDOWS\system32\Ocular\WinPatch
C:\WINDOWS\system32\Ocular\Deploy
C:\WINDOWS\system32\Ocular\Dump
C:\WINDOWS\system32\Ocular\PrintData
C:\WINDOWS\system32\Ocular\Screen
C:\WINDOWS\system32\Ocular\Data
C:\WINDOWS\system32\Ocular\Asset
C:\WINDOWS\system32\Ocular\TSafeDoc
C:\WINDOWS\system32\Ocular\SurvData
C:\WINDOWS\system32\Ocular\ExData
Behavior: Read CPU time-stamp counter directly (RDTSC)
Details: EAX = 0x9d0e5747, EDX = 0x000000b8
EAX = 0x9d0e5793, EDX = 0x000000b8
EAX = 0x9f96271c, EDX = 0x000000b8
EAX = 0x9f962768, EDX = 0x000000b8
EAX = 0x9f9627b4, EDX = 0x000000b8
EAX = 0x9f962800, EDX = 0x000000b8
EAX = 0x9f96284c, EDX = 0x000000b8
EAX = 0x9f962898, EDX = 0x000000b8
EAX = 0x37edc0ea, EDX = 0x000000bb
EAX = 0x37edc136, EDX = 0x000000bb
Behavior: Create system service
Details: [service created]: .Winhlpsvr, "C:\Program Files\Common Files\System\winrdgv3.exe"
[service created]: TFsfltdrv, C:\WINDOWS\system32\drivers\tfsfltdrv.sys
Behavior: Detect virtual machine via VMware special instruction
Details: N/A
Process behavior
Behavior: Cross-process memory write
Details: TargetProcess = C:\WINDOWS\system32\winlogon.exe, WriteAddress = 0x00e30000, Size = 0x00002800 TargetPID = 0x00000260
TargetProcess = C:\WINDOWS\system32\winlogon.exe, WriteAddress = 0x00e40000, Size = 0x000002b4 TargetPID = 0x00000260
TargetProcess = C:\WINDOWS\system32\svchost.exe, WriteAddress = 0x00d30000, Size = 0x00002800 TargetPID = 0x00000368
TargetProcess = C:\WINDOWS\system32\svchost.exe, WriteAddress = 0x00d40000, Size = 0x000002b4 TargetPID = 0x00000368
Behavior: Create local thread
Details: TargetProcess: microkms vip.exe, InheritedFromPID = 2000, ProcessID = 2720, ThreadID = 2748, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: microkms vip.exe, InheritedFromPID = 2000, ProcessID = 2720, ThreadID = 2760, StartAddress = 0044B5E7, Parameter = 01673010
TargetProcess: svchost.exe, InheritedFromPID = 2720, ProcessID = 2824, ThreadID = 2832, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: svchost.exe, InheritedFromPID = 2720, ProcessID = 2824, ThreadID = 2836, StartAddress = 0044B5E7, Parameter = 01663010
TargetProcess: microkms.exe, InheritedFromPID = 2720, ProcessID = 2816, ThreadID = 2840, StartAddress = 792A741C, Parameter = 00000000
TargetProcess: microkms.exe, InheritedFromPID = 2720, ProcessID = 2816, ThreadID = 2844, StartAddress = 791F59C0, Parameter = 001AFF78
TargetProcess: microkms.exe, InheritedFromPID = 2720, ProcessID = 2816, ThreadID = 2852, StartAddress = 791F59C0, Parameter = 001C85D0
TargetProcess: microkms.exe, InheritedFromPID = 2720, ProcessID = 2816, ThreadID = 2856, StartAddress = 791F59C0, Parameter = 001C85D0
TargetProcess: microkms.exe, InheritedFromPID = 2720, ProcessID = 2816, ThreadID = 2920, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: microkms.exe, InheritedFromPID = 2720, ProcessID = 2816, ThreadID = 2924, StartAddress = 791F59C0, Parameter = 001D7798
TargetProcess: microkms.exe, InheritedFromPID = 2720, ProcessID = 2816, ThreadID = 2928, StartAddress = 791F59C0, Parameter = 001D4670
TargetProcess: microkms.exe, InheritedFromPID = 2720, ProcessID = 2816, ThreadID = 2932, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: microkms.exe, InheritedFromPID = 2720, ProcessID = 2816, ThreadID = 2972, StartAddress = 791F59C0, Parameter = 001F0B70
TargetProcess: microkms.exe, InheritedFromPID = 2720, ProcessID = 2816, ThreadID = 2976, StartAddress = 77E56C7D, Parameter = 001F5EB8
TargetProcess: microkms.exe, InheritedFromPID = 2720, ProcessID = 2816, ThreadID = 2980, StartAddress = 769AE43B, Parameter = 001ED9A0
Behavior: Create remote thread
Details: TargetProcess: winlogon.exe, InheritedFromPID = 520, ProcessID = 608, ThreadID = 3488, StartAddress = 00E30000, Parameter = 00E40000
TargetProcess: svchost.exe, InheritedFromPID = 652, ProcessID = 872, ThreadID = 3980, StartAddress = 00D30000, Parameter = 00D40000
TargetProcess: svchost.exe, InheritedFromPID = 652, ProcessID = 872, ThreadID = 4012, StartAddress = 00D30000, Parameter = 00D40000
TargetProcess: svchost.exe, InheritedFromPID = 652, ProcessID = 872, ThreadID = 1940, StartAddress = 00D30000, Parameter = 00D40000
Behavior: Enumerate processes
Details: N/A
Behavior: Create process from newly written file
Details: [0x00000b00]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp\microkms.exe, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp\microkms.exe
[0x00000b08]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp\svchost.exe, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp\svchost.exe
[0x00000b50]ImagePath = C:\WINDOWS\system32\Ocular\Agent.exe, CmdLine = C:\WINDOWS\system32\Ocular\Agent.exe
[0x00000b60]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IPGASKERNEL20190519224336\AKernel3.exe, CmdLine = -Unpack-logDir"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AgentInstall"
[0x00000d44]ImagePath = C:\Program Files\Common Files\System\systecv3.exe, CmdLine = "C:\Program Files\Common Files\system\systecv3.exe"
[0x00000d6c]ImagePath = C:\Program Files\Common Files\System\winrdgv3.exe, CmdLine = "C:\Program Files\Common Files\System\winrdgv3.exe"
[0x00000dd4]ImagePath = C:\WINDOWS\system32\winrdlv3.exe, CmdLine = C:\WINDOWS\system32\winrdlv3.exe winwdgv3.dll,RunMonitor32
[0x00000df0]ImagePath = C:\WINDOWS\system32\winrdlv3.exe, CmdLine = C:\WINDOWS\system32\winrdlv3.exe winoav3.dll,RunAgent32
Behavior: Process privilege info
Details: NT AUTHORITY\SYSTEM
File behavior
Behavior: Create file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\aut3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\temp\microkms.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\aut4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\temp\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\aut5.tmp
C:\WINDOWS\system32\Ocular\Agent.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\aut6.tmp
C:\WINDOWS\system32\Ocular\OAgent.ini
C:\Documents and Settings\Administrator\Local Settings\Temp\AgentInstall\Installation.log
C:\Documents and Settings\Administrator\Local Settings\Temp\IPGASKERNEL20190519224336\SetupData.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\IPGASKERNEL20190519224336\AKernel3.exe
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file000.tmp
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file001.tmp
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file002.tmp
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file003.tmp
Behavior: Create executable file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\temp\microkms.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\aut4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\temp\svchost.exe
C:\WINDOWS\system32\Ocular\Agent.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\IPGASKERNEL20190519224336\AKernel3.exe
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file000.tmp
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file001.tmp
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file002.tmp
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file003.tmp
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file004.tmp
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file005.tmp
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file006.tmp
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file007.tmp
C:\Program Files\Common Files\System\systecv3.exe
C:\WINDOWS\bakstec3.sys
Behavior: Overwrite existing file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\aut3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\aut4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\aut5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\aut6.tmp
C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
C:\Program Files\Common Files\System\winrdgv3.exe
C:\WINDOWS\system32\winwdgv3.dll
C:\WINDOWS\system32\winrdlv3.exe
Behavior: Copy file
Details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aut4.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp\svchost.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aut6.tmp ---> C:\WINDOWS\system32\Ocular\OAgent.ini
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file000.tmp ---> C:\Program Files\Common Files\system\systecv3.exe
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file000.tmp ---> C:\WINDOWS\bakstec3.sys
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file001.tmp ---> C:\Program Files\Common Files\system\winrdgv3.exe
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file001.tmp ---> C:\WINDOWS\bakrdgv3.sys
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file002.tmp ---> C:\WINDOWS\system32\winwdgv3.dll
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file002.tmp ---> C:\WINDOWS\bakwdgv3.sys
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file003.tmp ---> C:\WINDOWS\system32\winoav3.dll
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file003.tmp ---> C:\WINDOWS\bakoav3.sys
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file004.tmp ---> C:\WINDOWS\system32\winrdlv3.exe
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file004.tmp ---> C:\WINDOWS\bakrdlv3.sys
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file005.tmp ---> C:\WINDOWS\bakwdgv364.sys
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file006.tmp ---> C:\WINDOWS\LInstSvr.exe
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file007.tmp ---> C:\WINDOWS\system32\WFirewallV.dll
Behavior: Delete file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\aut3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\aut4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\aut5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\aut6.tmp
C:\WINDOWS\LInstSvr.exe
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file000.tmp
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file001.tmp
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file002.tmp
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file003.tmp
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file004.tmp
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file005.tmp
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file006.tmp
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file007.tmp
Behavior: Search for file
Details: FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\microkms vip.exe
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp\microkms.exe
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp\svchost.exe
FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\temp
FileName = C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
Behavior: Rename file
Details: C:\WINDOWS\system32\Ocular\msolbase2.dat ---> C:\WINDOWS\system32\Ocular\msolbase2_up.dat
Behavior: Set special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\temp
C:\WINDOWS\system32\Ocular
C:\WINDOWS\system32\Ocular\Mails
C:\WINDOWS\system32\Ocular\Files
C:\WINDOWS\system32\Ocular\Temp
C:\WINDOWS\system32\Ocular\WinPatch
C:\WINDOWS\system32\Ocular\Deploy
C:\WINDOWS\system32\Ocular\Dump
C:\WINDOWS\system32\Ocular\PrintData
C:\WINDOWS\system32\Ocular\Screen
C:\WINDOWS\system32\Ocular\Data
C:\WINDOWS\system32\Ocular\Asset
C:\WINDOWS\system32\Ocular\TSafeDoc
C:\WINDOWS\system32\Ocular\SurvData
C:\WINDOWS\system32\Ocular\ExData
Behavior: Modify file content
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\aut3.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\aut3.tmp ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\aut3.tmp ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\aut3.tmp ---> Offset = 196608
C:\Documents and Settings\Administrator\Local Settings\Temp\aut3.tmp ---> Offset = 262144
C:\Documents and Settings\Administrator\Local Settings\Temp\temp\microkms.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\temp\microkms.exe ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\temp\microkms.exe ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\temp\microkms.exe ---> Offset = 196608
C:\Documents and Settings\Administrator\Local Settings\Temp\temp\microkms.exe ---> Offset = 262144
C:\Documents and Settings\Administrator\Local Settings\Temp\aut4.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\aut4.tmp ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\aut4.tmp ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\aut4.tmp ---> Offset = 196608
C:\Documents and Settings\Administrator\Local Settings\Temp\aut4.tmp ---> Offset = 262144
Network behavior
Behavior: Connect to a specified socket
Details: URL: ww****cn, IP: **.133.40.**:80, SOCKET = 0x00000368
Behavior: Send HTTP request
Details: GET /go/microkms/microkms_dingzhi.html HTTP/1.1 Host: ww****cn Connection: Keep-Alive
Behavior: Resolve host address by name
Details: gethostbyname: ww****cn
gethostbyname: na****cn
Registry behavior
Behavior: Open registry: VM-detection related
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\IDE\CdRomNECVMWar_VMware_IDE_CDR10_______________1.00____
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VMWARE_PHYSICAL_DISK_HELPER_SERVICE
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S&Rev_1.0
Behavior: Modify registry: service entries
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\TPacket\Start
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\TPacket\ImagePath
Behavior: Modify registry: Safe Mode boot entries (SafeBoot)
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\.Winhlpsvr\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\.Winhlpsvr\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\ipnpf.sys\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\ipnpf.sys\
Behavior: Delete registry key
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Network\NetCfgLockHolder\
Behavior: Modify registry
Details: \REGISTRY\MACHINE\SOFTWARE\TEC\Ocular.3\Agent\InstallParams
\REGISTRY\MACHINE\SOFTWARE\TEC\Ocular.3\Agent\InstallTime
\REGISTRY\MACHINE\SOFTWARE\TEC\Ocular.3\Agent\RunAs
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\TPacket\Type
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\TPacket\ErrorControl
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\TPacket\Group
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\TPacket\DisplayName
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\TPacket\DependOnGroup
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\TPacket\DependOnService
\REGISTRY\MACHINE\SOFTWARE\TEC\Ocular.3\Agent\INJWdgMod
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Network\NetCfgLockHolder\
\REGISTRY\MACHINE\SOFTWARE\TEC\Ocular.3\Agent\AgentProcID
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\OAgent\EventMessageFile
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\OAgent\TypesSupported
\REGISTRY\MACHINE\SOFTWARE\TEC\Ocular.3\Agent\MemoryClear
Behavior: Delete registry value
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Session Manager\PendingFileRenameOperations
\REGISTRY\MACHINE\SOFTWARE\TEC\Ocular.3\Agent\CrashTickCount
\REGISTRY\MACHINE\SOFTWARE\TEC\Ocular.3\Agent\SDCenterPID
\REGISTRY\MACHINE\SOFTWARE\TEC\Ocular.3\Agent\SDAgentS0PID
\REGISTRY\MACHINE\SOFTWARE\TEC\Ocular.3\Agent\SDHelperS0PID
\REGISTRY\MACHINE\SOFTWARE\TEC\Ocular.3\Agent\MEMORYINFOWMI
\REGISTRY\MACHINE\SOFTWARE\TEC\Ocular.3\Agent\MEMORYINFOBIOS
\REGISTRY\MACHINE\SOFTWARE\TEC\Ocular.3\Agent\MEMORYINFOSPD
\REGISTRY\MACHINE\SOFTWARE\TEC\Ocular.3\Agent\SdHwInfo
\REGISTRY\MACHINE\SOFTWARE\TEC\Ocular.3\Agent\ASNPID
\REGISTRY\MACHINE\SOFTWARE\TEC\Ocular.3\Agent\InstallTime
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFFAEF68-CDC5-4aad-9D3F-997C0D55927B}\ProgID\ASN2
\REGISTRY\MACHINE\SOFTWARE\TEC\Ocular.3\Agent\ServerSpareServerName
\REGISTRY\MACHINE\SOFTWARE\TEC\Ocular.3\Agent\InstallParams
\REGISTRY\MACHINE\SOFTWARE\TEC\Ocular.3\Agent\SafeInstallParams
Behavior: Query registry: VM-detection related
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0000\DriverDesc
Other behavior
Behavior: Check whether the process is being debugged
Details: IsDebuggerPresent
Behavior: Hide specified window
Details: [Window,Class] = [AutoIt v3,AutoIt v3]
[Window,Class] = [,TEC_OCULAR_AGENT_V3_WINDOW_FOR_WIN_MESSAGE]
Behavior: Start system service
Details: [service started]: LocalSystem, Windows Helper Service, "C:\Program Files\Common Files\System\winrdgv3.exe"
[service started]: , TFsfltdrv, \??\C:\WINDOWS\system32\drivers\tfsfltdrv.sys
Behavior: Get cursor position
Details: CursorPos = (80,18468), SleepMilliseconds = 1000.
CursorPos = (6373,26501), SleepMilliseconds = 1000.
CursorPos = (19208,15725), SleepMilliseconds = 1000.
CursorPos = (11517,29359), SleepMilliseconds = 1000.
CursorPos = (27001,24465), SleepMilliseconds = 1000.
CursorPos = (5744,28146), SleepMilliseconds = 1000.
CursorPos = (23320,16828), SleepMilliseconds = 1000.
CursorPos = (10000,492), SleepMilliseconds = 1000.
CursorPos = (3034,11943), SleepMilliseconds = 1000.
CursorPos = (4866,5437), SleepMilliseconds = 1000.
CursorPos = (32430,14605), SleepMilliseconds = 1000.
CursorPos = (3941,154), SleepMilliseconds = 1000.
CursorPos = (331,12383), SleepMilliseconds = 1000.
CursorPos = (17460,18717), SleepMilliseconds = 1000.
CursorPos = (19757,19896), SleepMilliseconds = 1000.
Behavior: Direct physical device access
Details: \??\PhysicalDrive0
Behavior: Executable signature info
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\temp\microkms.exe (signature check: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\aut4.tmp (signature check: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\temp\svchost.exe (signature check: failed)
C:\WINDOWS\system32\Ocular\Agent.exe (signature check: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\IPGASKERNEL20190519224336\AKernel3.exe (signature check: passed)
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file000.tmp (signature check: passed)
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file001.tmp (signature check: passed)
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file002.tmp (signature check: passed)
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file003.tmp (signature check: failed)
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file004.tmp (signature check: passed)
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file005.tmp (signature check: passed)
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file006.tmp (signature check: passed)
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file007.tmp (signature check: passed)
C:\Program Files\Common Files\System\systecv3.exe (signature check: passed)
C:\WINDOWS\bakstec3.sys (signature check: passed)
Behavior: Load newly dropped file
Details: Image: C:\WINDOWS\system32\winwdgv3.dll.
Image: C:\WINDOWS\system32\winoav3.dll.
Image: C:\WINDOWS\system32\WFirewallV.dll.
Behavior: Detect virtual machine via VMware special instruction
Details: N/A
Behavior: Executable MD5
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\temp\microkms.exe ---> 2953749015da2e00e05cc5a65465c04d
C:\Documents and Settings\Administrator\Local Settings\Temp\aut4.tmp ---> file too large!
C:\Documents and Settings\Administrator\Local Settings\Temp\temp\svchost.exe ---> file too large!
C:\WINDOWS\system32\Ocular\Agent.exe ---> e9854f0cc3436eab10cfe1ad1ee339b7
C:\Documents and Settings\Administrator\Local Settings\Temp\IPGASKERNEL20190519224336\AKernel3.exe ---> d5b56a4190af126a78a749cb47d73e16
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file000.tmp ---> 597d3fee7330083552fe180d0e80a6f9
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file001.tmp ---> 99ef43890a66a5ad9f8dff54237c0b7c
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file002.tmp ---> db4e3096daef8e326b6db72a5435f875
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file003.tmp ---> file too large!
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file004.tmp ---> 849f50eb5298458bdb9e305294469802
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file005.tmp ---> cbc75f096ff1ed117cc4ae402ef4505b
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file006.tmp ---> 982960773f1cb473618aba7f8107d7bd
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file007.tmp ---> c03d06502269127acc2b7182d6099e46
C:\Program Files\Common Files\System\systecv3.exe ---> 597d3fee7330083552fe180d0e80a6f9
C:\WINDOWS\bakstec3.sys ---> 597d3fee7330083552fe180d0e80a6f9
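The copy-file item earlier in this report and the MD5 list above together show the same content landing under several names: file000.tmp becomes both systecv3.exe and bakstec3.sys, and all three hash to 597d3fee7330083552fe180d0e80a6f9. The script below is an added example, not part of the VirSCAN report or of the sample: it joins the two items (lines copied from the report), normalizes path case (the sandbox logs the same directory as `Common Files\system` and `Common Files\System`), groups every dropped path by content, reports any copy whose recorded hash differs from its source, and flags user-mode .exe/.dll payloads that were also parked under a .sys name in C:\WINDOWS.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Input copied verbatim from the "Copy file" and "Executable MD5" items of the
# report above (sandbox output, not constructed).
COPY_LINES = r"""
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file000.tmp ---> C:\Program Files\Common Files\system\systecv3.exe
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file000.tmp ---> C:\WINDOWS\bakstec3.sys
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file001.tmp ---> C:\Program Files\Common Files\system\winrdgv3.exe
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file001.tmp ---> C:\WINDOWS\bakrdgv3.sys
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file002.tmp ---> C:\WINDOWS\system32\winwdgv3.dll
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file002.tmp ---> C:\WINDOWS\bakwdgv3.sys
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file003.tmp ---> C:\WINDOWS\system32\winoav3.dll
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file003.tmp ---> C:\WINDOWS\bakoav3.sys
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file004.tmp ---> C:\WINDOWS\system32\winrdlv3.exe
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file004.tmp ---> C:\WINDOWS\bakrdlv3.sys
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file005.tmp ---> C:\WINDOWS\bakwdgv364.sys
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file006.tmp ---> C:\WINDOWS\LInstSvr.exe
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file007.tmp ---> C:\WINDOWS\system32\WFirewallV.dll
"""
MD5_LINES = r"""
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file000.tmp ---> 597d3fee7330083552fe180d0e80a6f9
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file001.tmp ---> 99ef43890a66a5ad9f8dff54237c0b7c
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file002.tmp ---> db4e3096daef8e326b6db72a5435f875
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file003.tmp ---> file too large!
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file004.tmp ---> 849f50eb5298458bdb9e305294469802
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file005.tmp ---> cbc75f096ff1ed117cc4ae402ef4505b
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file006.tmp ---> 982960773f1cb473618aba7f8107d7bd
C:\Documents and Settings\All Users\IPGASZIP20190519224307\file007.tmp ---> c03d06502269127acc2b7182d6099e46
C:\Program Files\Common Files\System\systecv3.exe ---> 597d3fee7330083552fe180d0e80a6f9
C:\WINDOWS\bakstec3.sys ---> 597d3fee7330083552fe180d0e80a6f9
"""

COPY_RE = re.compile(r"^(?P<src>.+?) ---> (?P<dst>.+)$")
MD5_RE = re.compile(r"^(?P<path>.+?) ---> (?P<md5>[0-9a-f]{32})$")


def norm(path):
    """Windows paths are case-insensitive; the report spells one directory both
    'system' and 'System', which would otherwise split one file into two."""
    return path.strip().lower()


def parse_copies(text):
    """List of (source, destination) pairs, case-normalized."""
    pairs = []
    for line in text.strip().splitlines():
        m = COPY_RE.match(line)
        if m:
            pairs.append((norm(m["src"]), norm(m["dst"])))
    return pairs


def parse_md5s(text):
    """Path -> digest; entries the sandbox refused to hash ('file too large!') are skipped."""
    digests = {}
    for line in text.strip().splitlines():
        m = MD5_RE.match(line)
        if m:
            digests[norm(m["path"])] = m["md5"]
    return digests


def build_alias_groups(copies, md5s):
    """Group every path by content. A copy preserves content, so a destination
    inherits its source's digest; when both ends were hashed they must agree,
    otherwise the file was rewritten after the copy (returned as a conflict).
    Sources nobody hashed get a synthetic key so their copies still group."""
    groups = defaultdict(set)
    conflicts = []
    for src, dst in copies:
        key = md5s.get(src) or md5s.get(dst) or "unhashed:" + src
        if src in md5s and dst in md5s and md5s[src] != md5s[dst]:
            conflicts.append((dst, md5s[src], md5s[dst]))
        groups[key].update((src, dst))
    return {k: sorted(v) for k, v in groups.items()}, conflicts


def disguised_copies(groups):
    """Paths ending in .sys whose same-content sibling is an .exe or .dll: a
    user-mode binary parked under a driver-looking name."""
    flagged = []
    for paths in groups.values():
        exts = {PureWindowsPath(p).suffix for p in paths}
        if ".sys" in exts and exts & {".exe", ".dll"}:
            flagged.extend(p for p in paths if p.endswith(".sys"))
    return sorted(flagged)


if __name__ == "__main__":
    groups, conflicts = build_alias_groups(parse_copies(COPY_LINES), parse_md5s(MD5_LINES))
    for key, paths in groups.items():
        print(key, "->", paths)
    print("rewritten after copy:", conflicts)
    print("user-mode payloads also stored as .sys:", disguised_copies(groups))
```

On the report's data there are eight content groups and no post-copy rewrites; five of the C:\WINDOWS\bak*.sys files are byte-for-byte copies of an .exe or .dll that was installed under Common Files or system32, while bakwdgv364.sys has no sibling and stays unflagged. The signature item later in the report shows the same hashes verifying as signed, so a rule that hunts only for unsigned drivers would miss these copies.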
Behavior: Create system service
Details: [service created]: .Winhlpsvr, "C:\Program Files\Common Files\System\winrdgv3.exe"
[service created]: TFsfltdrv, C:\WINDOWS\system32\drivers\tfsfltdrv.sys
Behavior: Create mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
RasPbFile
MSCTF.Shared.MUTEX.IOH
Global\TEC_OCULAR__AGENT_V3_MUTEX_WINRDG32
Global\TEC_OCULAR__AGENT_V3_MUTEX_WINWDG32_2
Global\TEC_OCULAR__AGENT_V3_MUTEX_WINWDG32_3
Global\TEC_OCULAR__AGENT_V3_MUTEX_WINWDGSVR
Global\TEC_OCULAR__AGENT_V3_MUTEX_WINWDG32_1
SECURITYUDISK_LOG_MUTEX
Global\TEC_OCULAR__AGENT_V3_MUTEX_AGENT
Behavior: Read TickCount value
Details: TickCount = 220822, SleepMilliseconds = 10.
TickCount = 223421, SleepMilliseconds = 1000.
TickCount = 222978, SleepMilliseconds = 10.
TickCount = 224875, SleepMilliseconds = 1000.
TickCount = 224968, SleepMilliseconds = 1000.
TickCount = 225234, SleepMilliseconds = 1000.
TickCount = 225250, SleepMilliseconds = 1000.
TickCount = 225781, SleepMilliseconds = 1000.
TickCount = 226000, SleepMilliseconds = 1000.
TickCount = 226093, SleepMilliseconds = 1000.
TickCount = 226140, SleepMilliseconds = 1000.
TickCount = 226171, SleepMilliseconds = 1000.
TickCount = 226187, SleepMilliseconds = 1000.
TickCount = 226265, SleepMilliseconds = 1000.
TickCount = 226281, SleepMilliseconds = 1000.
Behavior: Open event
Details: HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
Global\CLR_PerfMon_StartEnumEvent
\KernelObjects\LowMemoryCondition
Global\SvcctrlStartEvent_A3752DX
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
MSFT.VSA.COM.DISABLE.2816
MSFT.VSA.IEC.STATUS.6c736db0
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
MSFT.VSA.COM.DISABLE.3568
Global\TEC_OCULAR__AGENT_V3_EVENT_NotifyMediaInsert
Global\TEC_OCULAR__AGENT_V3_EVENT_NotifyMediaRemove
Behavior: Look up PE resource
Details: (FindResourceExExW) hModule = 0x00400000, ResName: 81(ID), ResType: RT_KERNEL
Behavior: Read CPU time-stamp counter directly (RDTSC)
Details: EAX = 0x9d0e5747, EDX = 0x000000b8
EAX = 0x9d0e5793, EDX = 0x000000b8
EAX = 0x9f96271c, EDX = 0x000000b8
EAX = 0x9f962768, EDX = 0x000000b8
EAX = 0x9f9627b4, EDX = 0x000000b8
EAX = 0x9f962800, EDX = 0x000000b8
EAX = 0x9f96284c, EDX = 0x000000b8
EAX = 0x9f962898, EDX = 0x000000b8
EAX = 0x37edc0ea, EDX = 0x000000bb
EAX = 0x37edc136, EDX = 0x000000bb
Behavior: Probe for Virtual PC
Details: N/A
Behavior: Create event object
Details: EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = Global\CPFATE_2816_v4.0.30319
EventName = Global\TEC_OCULAR__AGENT_V3_EVENT_WDGSVR_STOP
EventName = Global\TEC_OCULAR__V3_EVENT_AUTO_NOTIFY
EventName = Global\TEC_OCULAR__V3_EVENT_AUTO_NOTIFY_CANCEL
EventName = TEC_OCULAR__AGENT_V3_EVENT_SDHWINFO_NOTIFY_GET
EventName = ShellCopyEngineRunning
EventName = ShellCopyEngineFinished
EventName = Global\crypt32LogoffEvent
Behavior: Load driver (standard method)
Details: \??\C:\WINDOWS\system32\drivers\tfsfltdrv.sys
Behavior: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behavior: Window info
Details: Pid = 2816, Hwnd=0x10362, Text = 确定 ("OK"), ClassName = Button.
Pid = 2816, Hwnd=0x10364, Text = 请检查网络是否畅通,确保网络正常后重新运行本程序, 否则激活功能将受到影响。 ("Please check that the network is reachable and run this program again once it is; otherwise the activation function will be affected."), ClassName = Static.
Pid = 2816, Hwnd=0x20360, Text = 提示 ("Notice"), ClassName = #32770.
Behavior: Adjust process token privileges
Details: SE_LOAD_DRIVER_PRIVILEGE
SE_DEBUG_PRIVILEGE
SE_TCB_PRIVILEGE
Behavior: Call Sleep
Details: [1]: MilliSeconds = 10.
[1]: MilliSeconds = 1000.
[2]: MilliSeconds = 500.
[3]: MilliSeconds = 1000.
[4]: MilliSeconds = 1000.
[5]: MilliSeconds = 1000.
[6]: MilliSeconds = 1000.
[7]: MilliSeconds = 1000.
[8]: MilliSeconds = 1000.
[9]: MilliSeconds = 1000.
[10]: MilliSeconds = 500.
[1]: MilliSeconds = 5000.
[2]: MilliSeconds = 5000.
[1]: MilliSeconds = 500.
[3]: MilliSeconds = 5000.
Behavior: Open mutex
Details: ShimCacheMutex
RasPbFile
Global\TEC_OCULAR__AGENT_V3_MUTEX_AGENT
Global\TEC_OCULAR__AGENT_V3_MUTEX_WINWDGSVR
Global\TEC_OCULAR__AGENT_V3_MUTEX_WINWDG32_1
Global\TEC_OCULAR__AGENT_V3_MUTEX_AGENTUSER_0
Global\TEC_OCULAR__AGENT_V3_MUTEX_AGENTU64_0