VirSCAN

1. You can submit files for scanning of no more than 20 MB.
2. VirSCAN supports Rar/Zip archives, but with no more than 20 files.
3. VirSCAN can scan archives protected with the password 'infected' or 'virus'.


File information
Safety rating: 14
Action list
Basic information
MD5: 807be972cac2963138b3b4b851eff859
File type: EXE
Vendor: 溶化
Version: 1.0.0.0---1.0.0.0
Packer or compiler information: PACKER:UPolyX v0.5
Key behavior
Behavior description: Detects whether Virtual PC is present
Details: N/A
Behavior description: Queries registry (virtual machine detection)
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Behavior description: Modifies registry (IE home page)
Details: \REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\Start Page
Behavior description: Modifies registry (system firewall trusted application list)
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
Behavior description: Writes data into another process
Details: TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x00d90000, Size = 0x00002000
TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x00da0000, Size = 0x00001000
TargetProcess = C:\WINDOWS\system32\ctfmon.exe, WriteAddress = 0x009a0000, Size = 0x00002000
TargetProcess = C:\WINDOWS\system32\ctfmon.exe, WriteAddress = 0x009b0000, Size = 0x00001000
TargetProcess = C:\Program Files\Tencent\QQ\Bin\QQ.exe, WriteAddress = 0x00c50000, Size = 0x00002000
TargetProcess = C:\Program Files\Tencent\QQ\Bin\QQ.exe, WriteAddress = 0x00c60000, Size = 0x00001000
TargetProcess = C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe, WriteAddress = 0x01010000, Size = 0x00002000
TargetProcess = C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe, WriteAddress = 0x01020000, Size = 0x00001000
TargetProcess = C:\WINDOWS\system32\conime.exe, WriteAddress = 0x00900000, Size = 0x00002000
TargetProcess = C:\WINDOWS\system32\conime.exe, WriteAddress = 0x00910000, Size = 0x00001000
TargetProcess = C:\WINDOWS\system32\PersonalBankPortal.exe, WriteAddress = 0x035f0000, Size = 0x00002000
TargetProcess = C:\WINDOWS\system32\PersonalBankPortal.exe, WriteAddress = 0x03600000, Size = 0x00001000
TargetProcess = C:\%temp%\****.exe, WriteAddress = 0x00d20000, Size = 0x00002000
TargetProcess = C:\%temp%\****.exe, WriteAddress = 0x00d30000, Size = 0x00001000
TargetProcess = C:\WINDOWS\system32\taskmgr.exe, WriteAddress = 0x00d80000, Size = 0x00002000
Behavior description: Loads a driver (standard method)
Details: system32\DRIVERS\ipfltdrv.sys
\??\C:\WINDOWS\system32\drivers\mhriqn.sys
Behavior description: Directly calls critical system APIs
Details: Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x006B32D8
Index = 0x000000E5, Name: NtSetInformationThread, Instruction Address = 0x006B78A1
Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x006B9724
Behavior description: Modifies registry (critical UAC setting)
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
Behavior description: Creates remote thread
Details: TargetProcess: explorer.exe, InheritedFromPID = 1868, ProcessID = 1944, ThreadID = 2136, StartAddress = 00D90000, Parameter = 00000000
TargetProcess: explorer.exe, InheritedFromPID = 1868, ProcessID = 1944, ThreadID = 2140, StartAddress = 00DA0000, Parameter = 00000000
TargetProcess: ctfmon.exe, InheritedFromPID = 1944, ProcessID = 200, ThreadID = 2148, StartAddress = 009A0000, Parameter = 00000000
TargetProcess: ctfmon.exe, InheritedFromPID = 1944, ProcessID = 200, ThreadID = 2152, StartAddress = 009B0000, Parameter = 00000000
TargetProcess: QQ.exe, InheritedFromPID = 1944, ProcessID = 240, ThreadID = 2164, StartAddress = 00C50000, Parameter = 00000000
TargetProcess: QQ.exe, InheritedFromPID = 1944, ProcessID = 240, ThreadID = 2168, StartAddress = 00C60000, Parameter = 00000000
TargetProcess: TXPlatform.exe, InheritedFromPID = 880, ProcessID = 272, ThreadID = 2172, StartAddress = 01010000, Parameter = 00000000
TargetProcess: TXPlatform.exe, InheritedFromPID = 880, ProcessID = 272, ThreadID = 2176, StartAddress = 01020000, Parameter = 00000000
TargetProcess: conime.exe, InheritedFromPID = 412, ProcessID = 428, ThreadID = 2184, StartAddress = 00900000, Parameter = 00000000
TargetProcess: conime.exe, InheritedFromPID = 412, ProcessID = 428, ThreadID = 2188, StartAddress = 00910000, Parameter = 00000000
TargetProcess: PersonalBankPortal.exe, InheritedFromPID = 1944, ProcessID = 584, ThreadID = 2200, StartAddress = 035F0000, Parameter = 00000000
TargetProcess: PersonalBankPortal.exe, InheritedFromPID = 1944, ProcessID = 584, ThreadID = 2204, StartAddress = 03600000, Parameter = 00000000
TargetProcess: EasyWebSvr.exe, InheritedFromPID = 1944, ProcessID = 660, ThreadID = 2212, StartAddress = 00D20000, Parameter = 00000000
TargetProcess: EasyWebSvr.exe, InheritedFromPID = 1944, ProcessID = 660, ThreadID = 2224, StartAddress = 00D30000, Parameter = 00000000
TargetProcess: taskmgr.exe, InheritedFromPID = 1944, ProcessID = 1620, ThreadID = 2228, StartAddress = 00D80000, Parameter = 00000000
Behavior description: Attempts to open the driver device object of a debugger or monitoring tool
Details: \??\SICE
\??\SIWVID
\??\NTICE
Behavior description: Gets TickCount value
Details: TickCount = 5431043, SleepMilliseconds = 12.
TickCount = 5431565, SleepMilliseconds = 50.
TickCount = 5431581, SleepMilliseconds = 50.
TickCount = 5431596, SleepMilliseconds = 50.
TickCount = 5431721, SleepMilliseconds = 50.
TickCount = 5431862, SleepMilliseconds = 50.
TickCount = 5432287, SleepMilliseconds = 256.
TickCount = 5432349, SleepMilliseconds = 256.
TickCount = 5432365, SleepMilliseconds = 256.
TickCount = 5432381, SleepMilliseconds = 256.
TickCount = 5432396, SleepMilliseconds = 256.
TickCount = 5432443, SleepMilliseconds = 256.
TickCount = 5433211, SleepMilliseconds = 1024.
TickCount = 5433320, SleepMilliseconds = 1024.
TickCount = 5433367, SleepMilliseconds = 1024.
Behavior description: Opens registry (virtual machine detection)
Details: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Behavior description: Creates system service
Details: [服务已存在]: IPFILTERDRIVER, C:\WINDOWS\system32\drivers\ipfltdrv.sys
[服务创建成功]: amsint32, C:\WINDOWS\system32\drivers\mhriqn.sys
Behavior description: Sets special file attributes
Details: C:\qmfuko.pif
C:\DiskD\iqmm.pif
C:\DiskX\drfd.pif
Behavior description: Attempts to connect to a rootkit driver device object
Details: \??\amsint32
Behavior description: Creates autorun file in drive root
Details: C:\autorun.inf
C:\DiskD\autorun.inf
C:\DiskX\autorun.inf
Behavior description: Sets special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\IETldCache
Behavior description: Reads CPU clock directly
Details: EAX = 0x8025d575, EDX = 0x00001194
EAX = 0x8025d5c1, EDX = 0x00001194
EAX = 0x8025d60d, EDX = 0x00001194
EAX = 0x8025d659, EDX = 0x00001194
EAX = 0x8025d6a5, EDX = 0x00001194
EAX = 0x8025d6f1, EDX = 0x00001194
EAX = 0x8025d73d, EDX = 0x00001194
EAX = 0x8025d789, EDX = 0x00001194
EAX = 0x8025d7d5, EDX = 0x00001194
EAX = 0x8025d821, EDX = 0x00001194
Behavior description: Searches for specific kernel modules
Details: lstrcmpiA: ntice.sys <------> ntkrnlpa.exe Des: SoftICE驱动
lstrcmpiA: ntice.sys <------> hal.dll Des: SoftICE驱动
lstrcmpiA: ntice.sys <------> KDCOM.DLL Des: SoftICE驱动
lstrcmpiA: ntice.sys <------> BOOTVID.dll Des: SoftICE驱动
lstrcmpiA: ntice.sys <------> ACPI.sys Des: SoftICE驱动
lstrcmpiA: ntice.sys <------> WMILIB.SYS Des: SoftICE驱动
lstrcmpiA: ntice.sys <------> pci.sys Des: SoftICE驱动
lstrcmpiA: ntice.sys <------> isapnp.sys Des: SoftICE驱动
lstrcmpiA: ntice.sys <------> compbatt.sys Des: SoftICE驱动
lstrcmpiA: ntice.sys <------> BATTC.SYS Des: SoftICE驱动
lstrcmpiA: ntice.sys <------> intelide.sys Des: SoftICE驱动
lstrcmpiA: ntice.sys <------> PCIIDEX.SYS Des: SoftICE驱动
lstrcmpiA: ntice.sys <------> MountMgr.sys Des: SoftICE驱动
lstrcmpiA: ntice.sys <------> ftdisk.sys Des: SoftICE驱动
lstrcmpiA: ntice.sys <------> dmload.sys Des: SoftICE驱动
Behavior description: Searches for windows of common anti-virus and analysis tools
Details: NtUserFindWindowEx: [Class,Window] = [OLLYDBG,]
NtUserFindWindowEx: [Class,Window] = [GBDYLLO,]
NtUserFindWindowEx: [Class,Window] = [pediy06,]
NtUserFindWindowEx: [Class,Window] = [FilemonClass,]
NtUserFindWindowEx: [Class,Window] = [,File Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]
NtUserFindWindowEx: [Class,Window] = [,Process Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [RegmonClass,]
NtUserFindWindowEx: [Class,Window] = [,Registry Monitor - Sysinternals: www.sysinternals.com]
Behavior description: Detects virtual machine via VMware special instruction
Details: N/A
Process behavior
Behavior description: Writes data into another process
Details: TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x00d90000, Size = 0x00002000
TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x00da0000, Size = 0x00001000
TargetProcess = C:\WINDOWS\system32\ctfmon.exe, WriteAddress = 0x009a0000, Size = 0x00002000
TargetProcess = C:\WINDOWS\system32\ctfmon.exe, WriteAddress = 0x009b0000, Size = 0x00001000
TargetProcess = C:\Program Files\Tencent\QQ\Bin\QQ.exe, WriteAddress = 0x00c50000, Size = 0x00002000
TargetProcess = C:\Program Files\Tencent\QQ\Bin\QQ.exe, WriteAddress = 0x00c60000, Size = 0x00001000
TargetProcess = C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe, WriteAddress = 0x01010000, Size = 0x00002000
TargetProcess = C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe, WriteAddress = 0x01020000, Size = 0x00001000
TargetProcess = C:\WINDOWS\system32\conime.exe, WriteAddress = 0x00900000, Size = 0x00002000
TargetProcess = C:\WINDOWS\system32\conime.exe, WriteAddress = 0x00910000, Size = 0x00001000
TargetProcess = C:\WINDOWS\system32\PersonalBankPortal.exe, WriteAddress = 0x035f0000, Size = 0x00002000
TargetProcess = C:\WINDOWS\system32\PersonalBankPortal.exe, WriteAddress = 0x03600000, Size = 0x00001000
TargetProcess = C:\%temp%\****.exe, WriteAddress = 0x00d20000, Size = 0x00002000
TargetProcess = C:\%temp%\****.exe, WriteAddress = 0x00d30000, Size = 0x00001000
TargetProcess = C:\WINDOWS\system32\taskmgr.exe, WriteAddress = 0x00d80000, Size = 0x00002000
Behavior description: Creates local thread
Details: TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2012, ThreadID = 468, StartAddress = 008717E8, Parameter = 00470116
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2012, ThreadID = 1012, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2012, ThreadID = 252, StartAddress = 00524223, Parameter = 00686C63
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2012, ThreadID = 1204, StartAddress = 00524223, Parameter = 006875F0
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2012, ThreadID = 1472, StartAddress = 00524223, Parameter = 00688678
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2012, ThreadID = 564, StartAddress = 00524223, Parameter = 00689293
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2012, ThreadID = 1004, StartAddress = 00524223, Parameter = 00689E4B
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2012, ThreadID = 168, StartAddress = 00524223, Parameter = 0068A8F6
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2012, ThreadID = 1960, StartAddress = 00524223, Parameter = 0068B443
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2012, ThreadID = 1252, StartAddress = 00524223, Parameter = 0068BF72
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2012, ThreadID = 716, StartAddress = 00524223, Parameter = 0069046F
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2012, ThreadID = 412, StartAddress = 00524223, Parameter = 00691530
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2012, ThreadID = 1664, StartAddress = 00524223, Parameter = 00692648
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2012, ThreadID = 1188, StartAddress = 00524223, Parameter = 006934B5
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 2012, ThreadID = 484, StartAddress = 00524223, Parameter = 006944FF
Behavior description: Creates remote thread
Details: TargetProcess: explorer.exe, InheritedFromPID = 1868, ProcessID = 1944, ThreadID = 2136, StartAddress = 00D90000, Parameter = 00000000
TargetProcess: explorer.exe, InheritedFromPID = 1868, ProcessID = 1944, ThreadID = 2140, StartAddress = 00DA0000, Parameter = 00000000
TargetProcess: ctfmon.exe, InheritedFromPID = 1944, ProcessID = 200, ThreadID = 2148, StartAddress = 009A0000, Parameter = 00000000
TargetProcess: ctfmon.exe, InheritedFromPID = 1944, ProcessID = 200, ThreadID = 2152, StartAddress = 009B0000, Parameter = 00000000
TargetProcess: QQ.exe, InheritedFromPID = 1944, ProcessID = 240, ThreadID = 2164, StartAddress = 00C50000, Parameter = 00000000
TargetProcess: QQ.exe, InheritedFromPID = 1944, ProcessID = 240, ThreadID = 2168, StartAddress = 00C60000, Parameter = 00000000
TargetProcess: TXPlatform.exe, InheritedFromPID = 880, ProcessID = 272, ThreadID = 2172, StartAddress = 01010000, Parameter = 00000000
TargetProcess: TXPlatform.exe, InheritedFromPID = 880, ProcessID = 272, ThreadID = 2176, StartAddress = 01020000, Parameter = 00000000
TargetProcess: conime.exe, InheritedFromPID = 412, ProcessID = 428, ThreadID = 2184, StartAddress = 00900000, Parameter = 00000000
TargetProcess: conime.exe, InheritedFromPID = 412, ProcessID = 428, ThreadID = 2188, StartAddress = 00910000, Parameter = 00000000
TargetProcess: PersonalBankPortal.exe, InheritedFromPID = 1944, ProcessID = 584, ThreadID = 2200, StartAddress = 035F0000, Parameter = 00000000
TargetProcess: PersonalBankPortal.exe, InheritedFromPID = 1944, ProcessID = 584, ThreadID = 2204, StartAddress = 03600000, Parameter = 00000000
TargetProcess: EasyWebSvr.exe, InheritedFromPID = 1944, ProcessID = 660, ThreadID = 2212, StartAddress = 00D20000, Parameter = 00000000
TargetProcess: EasyWebSvr.exe, InheritedFromPID = 1944, ProcessID = 660, ThreadID = 2224, StartAddress = 00D30000, Parameter = 00000000
TargetProcess: taskmgr.exe, InheritedFromPID = 1944, ProcessID = 1620, ThreadID = 2228, StartAddress = 00D80000, Parameter = 00000000
Behavior description: Enumerates processes
Details: N/A
Behavior description: Creates process
Details: [0x00000acc]ImagePath = C:\Program Files\Internet Explorer\iexplore.exe, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.yixun.com/
[0x00000bcc]ImagePath = C:\Program Files\Internet Explorer\iexplore.exe, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:2764 CREDAT:79873
File behavior
Behavior description: Creates file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\winblugnl.exe
C:\qmfuko.pif
C:\DiskD\iqmm.pif
C:\DiskX\drfd.pif
C:\WINDOWS\system32\drivers\mhriqn.sys
C:\Documents and Settings\Administrator\Local Settings\Temp\winnmkcf.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\mpfn.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{A6DA3AC6-0958-11E7-91BE-7B****28}.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\winbnfe.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF4F2C.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\ycci.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\winssed.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\winqibnv.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\wincrqv.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\moykv.exe
Behavior description: Creates executable file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\winblugnl.exe
C:\qmfuko.pif
C:\DiskD\iqmm.pif
C:\DiskX\drfd.pif
C:\WINDOWS\system32\drivers\mhriqn.sys
C:\Documents and Settings\Administrator\Local Settings\Temp\winnmkcf.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\mpfn.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\winbnfe.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\ycci.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\winssed.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\winqibnv.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\wincrqv.exe
Behavior description: Deletes file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\winblugnl.exe
C:\WINDOWS\system32\drivers\mhriqn.sys
C:\Documents and Settings\Administrator\Local Settings\Temp\winnmkcf.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\mpfn.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF4F2C.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\winbnfe.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\ycci.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\winssed.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\winqibnv.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\wincrqv.exe
Behavior description: Searches for files
Details: FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\*
FileName = C:\*
FileName = C:\ANALYZECONTROL\*
FileName = D:\*
FileName = E:\*
FileName = C:\DISKD\*
FileName = C:\DISKX\*
FileName = F:\*
FileName = C:\DOCUMENTS AND SETTINGS\*
FileName = C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\*
FileName = G:\*
FileName = C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\*
FileName = I:\*
FileName = C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\ADOBE\*
FileName = J:\*
Behavior description: Modifies executable file via memory mapping
Details: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
Behavior description: Sets special file attributes
Details: C:\qmfuko.pif
C:\DiskD\iqmm.pif
C:\DiskX\drfd.pif
Behavior description: Creates autorun file in drive root
Details: C:\autorun.inf
C:\DiskD\autorun.inf
C:\DiskX\autorun.inf
Behavior description: Sets special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\IETldCache
Behavior description: Modifies file contents
Details: C:\WINDOWS\system.ini ---> Offset = 231
C:\Documents and Settings\Administrator\Local Settings\Temp\winblugnl.exe ---> Offset = 0
C:\autorun.inf ---> Offset = 0
C:\qmfuko.pif ---> Offset = 0
C:\DiskD\autorun.inf ---> Offset = 0
C:\DiskD\iqmm.pif ---> Offset = 0
C:\DiskX\autorun.inf ---> Offset = 0
C:\DiskX\drfd.pif ---> Offset = 0
C:\WINDOWS\system32\drivers\mhriqn.sys ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\winnmkcf.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\winnmkcf.exe ---> Offset = 1024
C:\Documents and Settings\Administrator\Local Settings\Temp\winnmkcf.exe ---> Offset = 2048
C:\Documents and Settings\Administrator\Local Settings\Temp\winnmkcf.exe ---> Offset = 3072
C:\Documents and Settings\Administrator\Local Settings\Temp\winnmkcf.exe ---> Offset = 4096
C:\Documents and Settings\Administrator\Local Settings\Temp\mpfn.exe ---> Offset = 0
Behavior description: Modifies newly created executable file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\winnmkcf.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\mpfn.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\winbnfe.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\ycci.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\winssed.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\winqibnv.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\wincrqv.exe
Network behavior
Behavior description: Opens URL over the network
Details: InternetOpenUrlA: http://al****rg/images/xs.jpg?52fc8a=48953259, hInternet = 0x00cc0004, Flags = 0x84000000
InternetOpenUrlA: http://ww****rg/images/xs.jpg?5370ad=5468333, hInternet = 0x00cc0004, Flags = 0x84000000
InternetOpenUrlA: http://ar****iz/xs.jpg?535468=27305480, hInternet = 0x00cc0004, Flags = 0x84000000
InternetOpenUrlA: http://am****om/xs.jpg?535b51=16388595, hInternet = 0x00cc0004, Flags = 0x84000000
InternetOpenUrlA: http://ap****in/images/xs.jpg?538921=27372965, hInternet = 0x00cc0004, Flags = 0x84000000
InternetOpenUrlA: http://ah****et/xs.jpg?538e23=32855250, hInternet = 0x00cc0004, Flags = 0x84000000
InternetOpenUrlA: http://g2****om/xs.jpg?536a45=43733544, hInternet = 0x00cc0004, Flags = 0x84000000
InternetOpenUrlA: http://am****tr/images/xs2.jpg?538856=32846340, hInternet = 0x00cc0004, Flags = 0x84000000
Behavior description: Downloads file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\winnmkcf.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\mpfn.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\winbnfe.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\ycci.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\winssed.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\winqibnv.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\wincrqv.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\moykv.exe
Behavior description: Connects to specified site
Details: InternetConnectA: ServerName = al****rg, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x84000000
InternetConnectA: ServerName = ww****rg, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x84000000
WinHttpConnect: ServerName = w6****om, PORT = 80, UserName = , Password = , hSession = 0x074a3100, hConnect = 0x074a3200, Flags = 0x00000000
WinHttpConnect: ServerName = w6****om, PORT = 80, UserName = , Password = , hSession = 0x074a3100, hConnect = 0x074a3300, Flags = 0x00000000
InternetConnectA: ServerName = ar****iz, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x84000000
InternetConnectA: ServerName = am****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x84000000
InternetConnectA: ServerName = ap****in, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x84000000
InternetConnectA: ServerName = ah****et, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x84000000
InternetConnectA: ServerName = g2****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x84000000
WinHttpConnect: ServerName = w6****om, PORT = 80, UserName = , Password = , hSession = 0x04dd1100, hConnect = 0x04dd1200, Flags = 0x00000000
WinHttpConnect: ServerName = w6****om, PORT = 80, UserName = , Password = , hSession = 0x04dd1100, hConnect = 0x04dd1300, Flags = 0x00000000
InternetConnectA: ServerName = am****tr, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x84000000
Behavior description: Opens HTTP connection
Details: InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727), hSession = 0x00cc0004
WinHttpOpen: UserAgent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), hSession = 0x074a3100
WinHttpOpen: UserAgent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), hSession = 0x04dd1100
Behavior description: Establishes a connection to a specified socket
Details: URL: pt****om, IP: **.133.40.**:80, SOCKET = 0x000005f0
URL: al****rg, IP: **.133.40.**:80, SOCKET = 0x00000694
URL: ww****rg, IP: **.133.40.**:80, SOCKET = 0x00000790
URL: w6****om, IP: **.133.40.**:80, SOCKET = 0x00000710
URL: w6****om, IP: **.133.40.**:80, SOCKET = 0x0000074c
URL: ar****iz, IP: **.133.40.**:80, SOCKET = 0x00000770
URL: w6****om, IP: **.133.40.**:80, SOCKET = 0x0000077c
URL: am****om, IP: **.133.40.**:80, SOCKET = 0x00000784
URL: ap****in, IP: **.133.40.**:80, SOCKET = 0x000007e8
URL: ah****et, IP: **.133.40.**:80, SOCKET = 0x00000808
URL: g2****om, IP: **.133.40.**:80, SOCKET = 0x00000808
URL: w6****om, IP: **.133.40.**:80, SOCKET = 0x0000082c
URL: w6****om, IP: **.133.40.**:80, SOCKET = 0x00000850
URL: am****tr, IP: **.133.40.**:80, SOCKET = 0x00000808
Behavior description: Reads network file
Details: hFile = 0x00cc000c, BytesToRead =1024, BytesRead = 1024.
Behavior description: Sends HTTP packet
Details: GET /check_sig?pttype=1&uin=334197872&service=login&nodirect=0&ptsig=xQaFhySqAH9gaV2PyC6Rvcx*Te1xq-DImuyQ*i6x1IQ_&ptsigx=28cd46298408d81a0f48329ff2c3991537b5bbf0402f3d1a702b8d69caf78dac02741ac77f58c75fd5fd351a4c9cd32753e2a0f2b41567a5fd1508b3305fbd64&s_url=http%3A%2F%2Fbbs.lol.qq.com%2Fmember.php%3Fmod%3Dlogging%26action%3Dloginsucc&f_url=&ptlang=2052&ptredirect=100&aid=710032918&daid=196&j_later=0&low_login_hour=0&regmaster=0&pt_login_type=1&pt_aid=0&pt_aaid=0&pt_light=0 HTTP/1.1 Host: pt****om Referer: http://ptlogin4.lol.qq.com/check_sig?pttype=1&uin=334197872&service=login&nodirect=0&ptsig=xQaFhySqAH9gaV2PyC6Rvcx*Te1xq-DImuyQ*i6x1IQ_&ptsigx=28cd46298408d81a0f48329ff2c3991537b5bbf0402f3d1a702b8d69caf78dac02741ac77f58c75fd5fd351a4c9cd32753e2a0f2b41567a5fd1508b3305fbd64&s_url=http%3A%2F%2Fbbs.lol.qq.com%2Fmember.php%3Fmod%3Dlogging%26action%3Dloginsucc&f_url=&ptlang=2052&ptredirect=100&aid=710032918&daid=196&j_later=0&low_login_hour=0&regmaster=0&pt_login_type=1&pt_aid=0&pt_aaid=0&pt_light=0 Accept: */* Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded
GET /images/xs.jpg?52fc8a=48953259 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727) Host: al****rg Cache-Control: no-cache
GET /images/xs.jpg?5370ad=5468333 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727) Host: ww****rg Cache-Control: no-cache
GET /dfg/y.php HTTP/1.1 Referer: http://w666666.sinaapp.com/dfg/y.php Accept: */* Accept-Language: zh-CN Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; qdesk 2.5.1277.202; Windows NT 6.1; WOW64; Trident/6.0; QQBrowser/7.7.28658.400) Host: w6****om Connection: Keep-Alive
GET /dfg/x.php?m=2 HTTP/1.1 Referer: http://w666666.sinaapp.com/dfg/x.php?m=2 Accept: */* Accept-Language: zh-CN Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; qdesk 2.5.1277.202; Windows NT 6.1; WOW64; Trident/6.0; QQBrowser/7.7.28658.400) Host: w6****om Connection: Keep-Alive
GET /xs.jpg?535468=27305480 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727) Host: ar****iz Cache-Control: no-cache
GET /dfg/x.php?m=2 HTTP/1.1 Referer: http://w666666.vipsinaapp.com/dfg/x.php?m=2 Accept: */* Accept-Language: zh-CN Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; qdesk 2.5.1277.202; Windows NT 6.1; WOW64; Trident/6.0; QQBrowser/7.7.28658.400) Host: w6****om Connection: Keep-Alive
GET /xs.jpg?535b51=16388595 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727) Host: am****om Cache-Control: no-cache
GET /images/xs.jpg?538921=27372965 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727) Host: ap****in Cache-Control: no-cache
GET /xs.jpg?538e23=32855250 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727) Host: ah****et Cache-Control: no-cache
GET /xs.jpg?536a45=43733544 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727) Host: g2****om Cache-Control: no-cache
GET /images/xs2.jpg?538856=32846340 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727) Host: am****tr Cache-Control: no-cache
Behavior description: Opens HTTP request
Details: HttpOpenRequestA: al****rg:80/images/xs.jpg?52fc8a=48953259, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
HttpOpenRequestA: ww****rg:80/images/xs.jpg?5370ad=5468333, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
WinHttpOpenRequest: w6****om:80/dfg/y.php, hConnect = 0x074a3200, hRequest = 0x071b0000, Verb: GET, Referer: , Flags = 0x00000080
WinHttpOpenRequest: w6****om:80/dfg/x.php?m=2, hConnect = 0x074a3300, hRequest = 0x071b0000, Verb: GET, Referer: , Flags = 0x00000080
HttpOpenRequestA: ar****iz:80/xs.jpg?535468=27305480, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
WinHttpOpenRequest: w6****om:80/dfg/x.php?m=2, hConnect = 0x074a3200, hRequest = 0x071b0000, Verb: GET, Referer: , Flags = 0x00000080
HttpOpenRequestA: am****om:80/xs.jpg?535b51=16388595, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
HttpOpenRequestA: ap****in:80/images/xs.jpg?538921=27372965, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
HttpOpenRequestA: ah****et:80/xs.jpg?538e23=32855250, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
HttpOpenRequestA: g2****om:80/xs.jpg?536a45=43733544, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
WinHttpOpenRequest: w6****om:80/dfg/x.php?m=2, hConnect = 0x04dd1200, hRequest = 0x04e10000, Verb: GET, Referer: , Flags = 0x00000080
WinHttpOpenRequest: w6****om:80/dfg/x.php?m=2, hConnect = 0x04dd1300, hRequest = 0x04e10000, Verb: GET, Referer: , Flags = 0x00000080
HttpOpenRequestA: am****tr:80/images/xs2.jpg?538856=32846340, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
Behavior description: Resolves host address by name
Details: gethostbyname: pt****om
GetAddrInfoW: al****rg
GetAddrInfoW: ww****om
GetAddrInfoW: ww****rg
GetAddrInfoW: w6****om
GetAddrInfoW: ar****iz
GetAddrInfoW: am****om
GetAddrInfoW: ap****in
GetAddrInfoW: ah****et
GetAddrInfoW: g2****om
GetAddrInfoW: am****tr
Registry
Behavior description: Deletes registry key
Details: \REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\{63800dac-e7ca-4df9-9a5c-20765055488d}\
\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\
\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\
\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\
Behavior description: Modify registry_Explorer file display attributes
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
Behavior description: Delete registry key_Safe Mode boot entries
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\AppMgmt\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Base\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Boot Bus Extender\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Boot file system\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\CryptSvc\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\DcomLaunch\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmadmin\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmboot.sys\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmio.sys\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmload.sys\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmserver\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\EventLog\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\File system\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Filter\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Netlogon\
Behavior description: Modify registry_UAC key settings
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
Behavior description: Modify registry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\-993627007\1768776769
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\-993627007\-757413758
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\-993627007\1011363011
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\-993627007\-1514827516
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\-993627007\253949253
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\-993627007\-503464505
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A1_0
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A2_0
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A3_0
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A4_0
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A1_1
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A2_1
Behavior description: Modify registry_system firewall trusted process list
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
Behavior description: Modify registry_Security Center attributes
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UacDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\UpdatesDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\UacDisableNotify
Behavior description: Delete registry value
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\AlternateShell
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A1_0
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A2_0
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A3_0
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A4_0
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A1_1
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A2_1
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A3_1
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A4_1
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A1_2
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A2_2
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A3_2
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A4_2
Behavior description: Modify registry_IE home page
Details: \REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\Start Page
Behavior description: Query registry_virtual machine detection
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Behavior description: Open registry_virtual machine detection
Details: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Other behavior
Behavior description: Hide specified window
Details: [Window,Class] = [,Afx:400000:8]
[Window,Class] = [,Afx:400000:b:10011:1900010:0]
[Window,Class] = [,Auto-Suggest Dropdown]
[Window,Class] = [,BrowserFrameGripperClass]
Behavior description: Start system service
Details: [Service started successfully]: , IP Traffic Filter Driver, system32\DRIVERS\ipfltdrv.sys
[Service started successfully]: , amsint32, \??\C:\WINDOWS\system32\drivers\mhriqn.sys
Behavior description: Get cursor position
Details: CursorPos = (96,18500), SleepMilliseconds = 512.
Behavior description: Executable file signature information
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\winblugnl.exe (signature verification: failed)
C:\qmfuko.pif (signature verification: failed)
C:\DiskD\iqmm.pif (signature verification: failed)
C:\DiskX\drfd.pif (signature verification: failed)
C:\WINDOWS\system32\drivers\mhriqn.sys (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\winnmkcf.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\mpfn.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\winbnfe.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\ycci.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\winssed.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\winqibnv.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\wincrqv.exe (signature verification: failed)
Behavior description: Look up specified kernel module
Details: lstrcmpiA: ntice.sys <------> ntkrnlpa.exe Des: SoftICE driver
lstrcmpiA: ntice.sys <------> hal.dll Des: SoftICE driver
lstrcmpiA: ntice.sys <------> KDCOM.DLL Des: SoftICE driver
lstrcmpiA: ntice.sys <------> BOOTVID.dll Des: SoftICE driver
lstrcmpiA: ntice.sys <------> ACPI.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> WMILIB.SYS Des: SoftICE driver
lstrcmpiA: ntice.sys <------> pci.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> isapnp.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> compbatt.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> BATTC.SYS Des: SoftICE driver
lstrcmpiA: ntice.sys <------> intelide.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> PCIIDEX.SYS Des: SoftICE driver
lstrcmpiA: ntice.sys <------> MountMgr.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> ftdisk.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> dmload.sys Des: SoftICE driver
Behavior description: Detect virtual machine via VMware special instruction
Details: N/A
Behavior description: Read CPU clock directly
Details: EAX = 0x8025d575, EDX = 0x00001194
EAX = 0x8025d5c1, EDX = 0x00001194
EAX = 0x8025d60d, EDX = 0x00001194
EAX = 0x8025d659, EDX = 0x00001194
EAX = 0x8025d6a5, EDX = 0x00001194
EAX = 0x8025d6f1, EDX = 0x00001194
EAX = 0x8025d73d, EDX = 0x00001194
EAX = 0x8025d789, EDX = 0x00001194
EAX = 0x8025d7d5, EDX = 0x00001194
EAX = 0x8025d821, EDX = 0x00001194
Behavior description: Stop system service
Details: ServiceName = Application Layer Gateway Service
ServiceName = Windows Firewall/Internet Connection Sharing (ICS)
ServiceName = Security Center
Behavior description: Attempt to connect to rootkit driver device object
Details: \??\amsint32
Behavior description: MD5 of executable files
Behavior description: Create system service
Details: [Service already exists]: IPFILTERDRIVER, C:\WINDOWS\system32\drivers\ipfltdrv.sys
[Service created successfully]: amsint32, C:\WINDOWS\system32\drivers\mhriqn.sys
Behavior description: Look up windows of common anti-malware tools
Details: NtUserFindWindowEx: [Class,Window] = [OLLYDBG,]
NtUserFindWindowEx: [Class,Window] = [GBDYLLO,]
NtUserFindWindowEx: [Class,Window] = [pediy06,]
NtUserFindWindowEx: [Class,Window] = [FilemonClass,]
NtUserFindWindowEx: [Class,Window] = [,File Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]
NtUserFindWindowEx: [Class,Window] = [,Process Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [RegmonClass,]
NtUserFindWindowEx: [Class,Window] = [,Registry Monitor - Sysinternals: www.sysinternals.com]
Behavior description: Create mutex
Details: uxJLpe1m
smss.exeM_532_
csrss.exeM_588_
winlogon.exeM_612_
services.exeM_656_
lsass.exeM_668_
lcbxservice.exeM_828_
rtncthlp.exeM_840_
svchost.exeM_880_
svchost.exeM_944_
svchost.exeM_984_
svchost.exeM_1068_
svchost.exeM_1100_
spoolsv.exeM_1240_
lnbpgradehelper.exeM_1504_
Behavior description: Attempt to open driver device object of a debugger or monitoring tool
Details: \??\SICE
\??\SIWVID
\??\NTICE
Behavior description: Get TickCount value
Details: TickCount = 5431043, SleepMilliseconds = 12.
TickCount = 5431565, SleepMilliseconds = 50.
TickCount = 5431581, SleepMilliseconds = 50.
TickCount = 5431596, SleepMilliseconds = 50.
TickCount = 5431721, SleepMilliseconds = 50.
TickCount = 5431862, SleepMilliseconds = 50.
TickCount = 5432287, SleepMilliseconds = 256.
TickCount = 5432349, SleepMilliseconds = 256.
TickCount = 5432365, SleepMilliseconds = 256.
TickCount = 5432381, SleepMilliseconds = 256.
TickCount = 5432396, SleepMilliseconds = 256.
TickCount = 5432443, SleepMilliseconds = 256.
TickCount = 5433211, SleepMilliseconds = 1024.
TickCount = 5433320, SleepMilliseconds = 1024.
TickCount = 5433367, SleepMilliseconds = 1024.
Behavior description: Open event
Details: HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\crypt32LogoffEvent
_fCanRegisterWithShellService
Global\SvcctrlStartEvent_A3752DX
\INSTALLATION_SECURITY_HOLD
Isolation Signal Registry Event (A6DA3AC3-0958-11E7-91BE-7B****28, 0)
Isolation Signal Registry Event (A6DA3AC4-0958-11E7-91BE-7B****28, 0)
IE_EarlyTabStart_0xad0
MSFT.VSA.COM.DISABLE.2764
MSFT.VSA.IEC.STATUS.6c736db0
MSCTF.SendReceiveConection.Event.MJH.IC
MSCTF.SendReceive.Event.MJH.IC
MSCTF.SendReceiveConection.Event.EIF.IC
MSCTF.SendReceive.Event.EIF.IC
Behavior description: Search for kernel32.dll base address
Details: Instruction Address = 0x0087117e
Behavior description: Directly call critical system API
Details: Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x006B32D8
Index = 0x000000E5, Name: NtSetInformationThread, Instruction Address = 0x006B78A1
Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x006B9724
Behavior description: Detect presence of Virtual PC
Details: N/A
Behavior description: Create event object
Details: EventName = DINPUTWINMM
EventName = Global\crypt32LogoffEvent
EventName = Global\userenv: User Profile setup event
EventName = Isolation Signal Registry Event (A6DA3AC3-0958-11E7-91BE-7B****28, 0)
EventName = IE_EarlyTabStart_0xad0
EventName = Isolation Signal Registry Event (A6DA3AC4-0958-11E7-91BE-7B****28, 0)
EventName = 5037307746961798
EventName = MSCTF.SendReceive.Event.MJH.IC
EventName = MSCTF.SendReceiveConection.Event.MJH.IC
EventName = MSCTF.SendReceive.Event.IIH.IC
EventName = MSCTF.SendReceiveConection.Event.IIH.IC
Behavior description: Load driver (conventional method)
Details: system32\DRIVERS\ipfltdrv.sys
\??\C:\WINDOWS\system32\drivers\mhriqn.sys
Behavior description: Look up specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [18467-41,]
NtUserFindWindowEx: [Class,Window] = [TXGuiFoundation,QQ2013]
NtUserFindWindowEx: [Class,Window] = [CTXOPConntion_Class,OP_2269840561]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Adjust process token privileges
Details: SE_DEBUG_PRIVILEGE
SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Enumerate windows
Details: N/A
Behavior description: Call Sleep function
Details: [1]: MilliSeconds = 12.
[2]: MilliSeconds = 50.
[3]: MilliSeconds = 120000.
[4]: MilliSeconds = 1024.
[5]: MilliSeconds = 180000.
[6]: MilliSeconds = 256.
[7]: MilliSeconds = 1024.
[8]: MilliSeconds = 256.
[9]: MilliSeconds = 512.
[10]: MilliSeconds = 256.
[11]: MilliSeconds = 1024.
Behavior description: Open mutex
Details: DBWinMutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\!IETld!Mutex
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
ShimCacheMutex
Local\!BrowserEmulation!SharedMemory!Mutex
Local\c:!documents and settings!administrator!ietldcache!
CtfmonInstMutexDefaultS-*