VirSCAN

File information
Security rating: 14
Behaviour list
Basic information
MD5: cf558ee8493397273eed8568fe24c54e
File type: EXE
Vendor:
Version:
Packer/compiler info: COMPILER:UPolyX v0.5 (UPolyX is a UPX scrambler, so this label is the scanner's signature name rather than a real compiler)
Contained files (name / MD5 / type): dpinst64.exe / be3c79033fa8302002d9d3a6752f2263 / EXE
dpinst32.exe / 30a0afee4aea59772db6434f1c0511ab / EXE
setup.exe / 8827c03b4a6a5fe8c9db9e5121457523 / EXE
emBDA64.sys / 6e65c7c62185b3dd62de048d552729b7 / SYS
emBDA.sys / 9b01ce1eda6ad1acfd4f865d6cb0a790 / SYS
emPRP64.ax / f328de83e0a0b34d02b073ff4ba6bc57 / DLL
emPRP.ax / 09ff2e36f5ab7b2ff560c4bde529e682 / DLL
emAudio64.sys / bf9a462ac0d8bad3d4a31a202f30b8ee / SYS
EMBDA64.INF / 8e4438f8efe7443de59d55398c15085d / Unknown
EMBDA.INF / 00676ab96db007803ba411dda3b5f126 / Unknown
emmon.exe / 3a66d67cb1704f1e4a33ecc9ff89d3fc / EXE
emOEM64.sys / 66433b230458aad05f194d5c8aa272b3 / SYS
revdevdll.dll / b23b4a2eeecd76a67eb9c5625db50690 / DLL
infcopy.dll / 48b5396e633840966619bf11f73da36b / DLL
emOEM.sys / c93e4f6bd1cbd163662e7c9be021b895 / SYS
emAudio.sys / 0613c7cf05dfe81ac70f4a925823c28e / SYS
Key behaviours
Behaviour description: Cross-process memory write
Details: TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x024a0000, Size = 0x00002000 TargetPID = 0x000007d0
TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x026b0000, Size = 0x00001000 TargetPID = 0x000007d0
TargetProcess = C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe, WriteAddress = 0x00990000, Size = 0x00002000 TargetPID = 0x000000dc
TargetProcess = C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe, WriteAddress = 0x00bb0000, Size = 0x00001000 TargetPID = 0x000000dc
TargetProcess = C:\Program Files\Common Files\Java\Java Update\jusched.exe, WriteAddress = 0x00bf0000, Size = 0x00002000 TargetPID = 0x000000f0
TargetProcess = C:\Program Files\Common Files\Java\Java Update\jusched.exe, WriteAddress = 0x00c00000, Size = 0x00001000 TargetPID = 0x000000f0
TargetProcess = C:\WINDOWS\system32\ctfmon.exe, WriteAddress = 0x009a0000, Size = 0x00002000 TargetPID = 0x000000f8
TargetProcess = C:\WINDOWS\system32\ctfmon.exe, WriteAddress = 0x009b0000, Size = 0x00001000 TargetPID = 0x000000f8
TargetProcess = C:\Program Files\Tencent\QQ\Bin\QQ.exe, WriteAddress = 0x013e0000, Size = 0x00002000 TargetPID = 0x0000010c
TargetProcess = C:\Program Files\Tencent\QQ\Bin\QQ.exe, WriteAddress = 0x013f0000, Size = 0x00001000 TargetPID = 0x0000010c
TargetProcess = C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe, WriteAddress = 0x01110000, Size = 0x00002000 TargetPID = 0x0000015c
TargetProcess = C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe, WriteAddress = 0x01120000, Size = 0x00001000 TargetPID = 0x0000015c
TargetProcess = C:\WINDOWS\system32\conime.exe, WriteAddress = 0x00900000, Size = 0x00002000 TargetPID = 0x00000210
TargetProcess = C:\WINDOWS\system32\conime.exe, WriteAddress = 0x00910000, Size = 0x00001000 TargetPID = 0x00000210
TargetProcess = C:\WINDOWS\system32\PersonalBankPortal.exe, WriteAddress = 0x03a30000, Size = 0x00002000 TargetPID = 0x00000098
Behaviour description: Registry modification: Windows Firewall authorized-applications list (whitelists the dropper in %temp% so its outbound traffic is not filtered)
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
Behaviour description: Registry modification: key UAC setting
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
Note: EnableLUA only exists on Windows Vista and later. The sandbox here is Windows XP (Windows NT 5.1 in the User-Agent strings below, Documents and Settings profile paths), so the write has no effect in this run, but it shows the sample is built to switch UAC off on newer hosts.
Behaviour description: Loads a driver
Details: system32\DRIVERS\ipfltdrv.sys
\??\C:\WINDOWS\system32\drivers\gmvin.sys
Behaviour description: Creates a remote thread (each StartAddress equals the WriteAddress of the cross-process write into the same PID above)
Details: TargetProcess: explorer.exe, InheritedFromPID = 1932, ProcessID = 2000, ThreadID = 3812, StartAddress = 024A0000, Parameter = 00000000
TargetProcess: explorer.exe, InheritedFromPID = 1932, ProcessID = 2000, ThreadID = 3816, StartAddress = 026B0000, Parameter = 00000000
TargetProcess: reader_sl.exe, InheritedFromPID = 2000, ProcessID = 220, ThreadID = 3824, StartAddress = 00990000, Parameter = 00000000
TargetProcess: reader_sl.exe, InheritedFromPID = 2000, ProcessID = 220, ThreadID = 3828, StartAddress = 00BB0000, Parameter = 00000000
TargetProcess: jusched.exe, InheritedFromPID = 2000, ProcessID = 240, ThreadID = 3836, StartAddress = 00BF0000, Parameter = 00000000
TargetProcess: jusched.exe, InheritedFromPID = 2000, ProcessID = 240, ThreadID = 3848, StartAddress = 00C00000, Parameter = 00000000
TargetProcess: ctfmon.exe, InheritedFromPID = 2000, ProcessID = 248, ThreadID = 3852, StartAddress = 009A0000, Parameter = 00000000
TargetProcess: ctfmon.exe, InheritedFromPID = 2000, ProcessID = 248, ThreadID = 3856, StartAddress = 009B0000, Parameter = 00000000
TargetProcess: QQ.exe, InheritedFromPID = 2000, ProcessID = 268, ThreadID = 3880, StartAddress = 013E0000, Parameter = 00000000
TargetProcess: QQ.exe, InheritedFromPID = 2000, ProcessID = 268, ThreadID = 3884, StartAddress = 013F0000, Parameter = 00000000
TargetProcess: TXPlatform.exe, InheritedFromPID = 872, ProcessID = 348, ThreadID = 3888, StartAddress = 01110000, Parameter = 00000000
TargetProcess: TXPlatform.exe, InheritedFromPID = 872, ProcessID = 348, ThreadID = 3900, StartAddress = 01120000, Parameter = 00000000
TargetProcess: conime.exe, InheritedFromPID = 476, ProcessID = 528, ThreadID = 3916, StartAddress = 00900000, Parameter = 00000000
TargetProcess: conime.exe, InheritedFromPID = 476, ProcessID = 528, ThreadID = 3920, StartAddress = 00910000, Parameter = 00000000
TargetProcess: PersonalBankPortal.exe, InheritedFromPID = 2000, ProcessID = 152, ThreadID = 3924, StartAddress = 03A30000, Parameter = 00000000
Behaviour description: Reads the tick count (GetTickCount) around Sleep calls. The 180000 ms and 300000 ms sleeps below are minutes-long delays of the kind used to outlast a sandbox's run window, and reading the tick count on either side of a sleep is a common way to detect sleep acceleration.
Details: TickCount = 217855, SleepMilliseconds = 12.
TickCount = 217871, SleepMilliseconds = 12.
TickCount = 217918, SleepMilliseconds = 12.
TickCount = 218058, SleepMilliseconds = 12.
TickCount = 218121, SleepMilliseconds = 12.
TickCount = 218199, SleepMilliseconds = 12.
TickCount = 398203, SleepMilliseconds = 180000.
TickCount = 218474, SleepMilliseconds = 256.
TickCount = 218730, SleepMilliseconds = 512.
TickCount = 518250, SleepMilliseconds = 300000.
TickCount = 518265, SleepMilliseconds = 300000.
TickCount = 518281, SleepMilliseconds = 300000.
TickCount = 518312, SleepMilliseconds = 300000.
TickCount = 518328, SleepMilliseconds = 300000.
TickCount = 518343, SleepMilliseconds = 300000.
Behaviour description: Attempts to open a rootkit driver device object (the device name matches the amsint32 service registered for gmvin.sys under "Creates a system service" below)
Details: \??\amsint32
Behaviour description: Sets special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\IETldCache
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache
C:\Documents and Settings\Administrator\IECompatCache
Behaviour description: Reads the CPU time-stamp counter directly (RDTSC; EDX:EAX holds the 64-bit counter)
Details: EAX = 0x62cf8c34, EDX = 0x000000c0
EAX = 0x75dfb6c3, EDX = 0x000000c0
EAX = 0x7892b63f, EDX = 0x000000c0
Behaviour description: Creates a system service
Details: [service already exists]: IPFILTERDRIVER, C:\WINDOWS\system32\drivers\ipfltdrv.sys
[service created]: amsint32, C:\WINDOWS\system32\drivers\gmvin.sys
Process behaviour
Behaviour description: Cross-process memory write
Details: the same 15 entries listed under Key behaviours above (explorer.exe, reader_sl.exe, jusched.exe, ctfmon.exe, QQ.exe, TXPlatform.exe, conime.exe and PersonalBankPortal.exe).
Behaviour description: Creates a local thread (the explorer.exe, jusched.exe, reader_sl.exe and ctfmon.exe entries start at WriteAddress + 0x6D2, i.e. inside the region injected into each of those processes)
Details: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3724, ThreadID = 3736, StartAddress = 004281E8, Parameter = 00026B16
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3724, ThreadID = 3764, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3724, ThreadID = 3768, StartAddress = 00BDD48E, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3724, ThreadID = 3772, StartAddress = 00BD542B, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3724, ThreadID = 3776, StartAddress = 00BDE425, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3724, ThreadID = 3780, StartAddress = 00BD406C, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3724, ThreadID = 3784, StartAddress = 00BD5819, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3724, ThreadID = 3788, StartAddress = 00BD1189, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3724, ThreadID = 3792, StartAddress = 00BD39D3, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3724, ThreadID = 3796, StartAddress = 00BD3E5D, Parameter = 00000000
TargetProcess: explorer.exe, InheritedFromPID = 1932, ProcessID = 2000, ThreadID = 3832, StartAddress = 024A06D2, Parameter = 0209F000
TargetProcess: jusched.exe, InheritedFromPID = 2000, ProcessID = 240, ThreadID = 3860, StartAddress = 00BF06D2, Parameter = 007EF000
TargetProcess: reader_sl.exe, InheritedFromPID = 2000, ProcessID = 220, ThreadID = 3864, StartAddress = 009906D2, Parameter = 0058F000
TargetProcess: ctfmon.exe, InheritedFromPID = 2000, ProcessID = 248, ThreadID = 3868, StartAddress = 009A06D2, Parameter = 0059F000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3724, ThreadID = 3872, StartAddress = 00BDDCB7, Parameter = 00000000
Behaviour description: Creates a remote thread
Details: the same 15 entries listed under Key behaviours above.
Behaviour description: Enumerates processes
Details: N/A
Behaviour description: Creates a process
Details: [0x0000080c]ImagePath = C:\Program Files\Internet Explorer\iexplore.exe, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.yixun.com/
[0x000008ec]ImagePath = C:\Program Files\Internet Explorer\iexplore.exe, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:2060 CREDAT:79873
[0x00000b34]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe" -el -s2 "-d" "-p" "-sp"
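The "cross-process memory write" and "creates a remote thread" entries are two halves of one technique: the sample writes a buffer into another process at WriteAddress and then starts a thread in that process at exactly that address, the classic WriteProcessMemory + CreateRemoteThread injection, against every listed target. The later "creates a local thread" entries for explorer.exe, jusched.exe, reader_sl.exe and ctfmon.exe start at WriteAddress + 0x6D2, so the injected code spawns a further thread of its own from inside the written region. The script below is an added example, not VirSCAN code: it parses the two line formats as this report prints them and joins thread starts to write regions by PID and address range, which catches both the exact-address remote threads and the follow-on threads. The sample lines are copied from this report, plus one thread of the dropper itself (PID 3724, which no write targets) as a negative case.

```python
"""Join cross-process writes to thread starts from sandbox behaviour lines.

Added example for this report, not VirSCAN code. Two line formats are parsed:
  write:  TargetProcess = <path>, WriteAddress = 0x..., Size = 0x... TargetPID = 0x...
  thread: TargetProcess: <name>, InheritedFromPID = N, ProcessID = N, ThreadID = N,
          StartAddress = HEX, Parameter = HEX
A thread is flagged when its start address falls inside a region that was written
into the same PID from outside, which covers the exact-address remote threads and
the later threads the injected code spawns from inside that region.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

WRITE_RE = re.compile(
    r"TargetProcess = (?P<path>.+?), WriteAddress = 0x(?P<addr>[0-9a-fA-F]+), "
    r"Size = 0x(?P<size>[0-9a-fA-F]+) TargetPID = 0x(?P<pid>[0-9a-fA-F]+)"
)
THREAD_RE = re.compile(
    r"TargetProcess: (?P<name>[^,]+), InheritedFromPID = (?P<ppid>\d+), "
    r"ProcessID = (?P<pid>\d+), ThreadID = (?P<tid>\d+), "
    r"StartAddress = (?P<start>[0-9A-Fa-f]+), Parameter = (?P<param>[0-9A-Fa-f]+)"
)


@dataclass(frozen=True)
class Write:
    pid: int
    image: str   # basename of the target process, lower-cased
    addr: int
    size: int


@dataclass(frozen=True)
class Thread:
    pid: int
    image: str
    tid: int
    start: int


def parse_writes(lines):
    writes = []
    for line in lines:
        m = WRITE_RE.search(line)
        if m:
            image = m.group("path").rsplit("\\", 1)[-1].lower()
            writes.append(Write(int(m.group("pid"), 16), image,
                                int(m.group("addr"), 16), int(m.group("size"), 16)))
    return writes


def parse_threads(lines):
    threads = []
    for line in lines:
        m = THREAD_RE.search(line)
        if m:
            threads.append(Thread(int(m.group("pid")), m.group("name").lower(),
                                  int(m.group("tid")), int(m.group("start"), 16)))
    return threads


def find_injections(lines):
    """Return (thread, write, offset) triples where a thread starts inside a region written into its PID."""
    by_pid = defaultdict(list)
    for w in parse_writes(lines):
        by_pid[w.pid].append(w)
    hits = []
    for t in parse_threads(lines):
        for w in by_pid.get(t.pid, ()):
            if w.addr <= t.start < w.addr + w.size:
                hits.append((t, w, t.start - w.addr))
    return hits


def describe(hits):
    return ["%s pid %d: thread %d starts at 0x%08x, offset 0x%x into a 0x%x-byte region "
            "written from outside the process" % (t.image, t.pid, t.tid, t.start, off, w.size)
            for t, w, off in hits]


# Constructed sample: lines copied from the report above, plus one thread of the
# dropper itself (pid 3724, no write targets it) as a negative case.
SAMPLE = r"""
TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x024a0000, Size = 0x00002000 TargetPID = 0x000007d0
TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x026b0000, Size = 0x00001000 TargetPID = 0x000007d0
TargetProcess = C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe, WriteAddress = 0x00990000, Size = 0x00002000 TargetPID = 0x000000dc
TargetProcess: explorer.exe, InheritedFromPID = 1932, ProcessID = 2000, ThreadID = 3812, StartAddress = 024A0000, Parameter = 00000000
TargetProcess: explorer.exe, InheritedFromPID = 1932, ProcessID = 2000, ThreadID = 3832, StartAddress = 024A06D2, Parameter = 0209F000
TargetProcess: reader_sl.exe, InheritedFromPID = 2000, ProcessID = 220, ThreadID = 3824, StartAddress = 00990000, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3724, ThreadID = 3764, StartAddress = 77DC845A, Parameter = 00000000
""".strip().splitlines()

if __name__ == "__main__":
    for line in describe(find_injections(SAMPLE)):
        print(line)
```

Joining on the address range rather than on equality is what surfaces the +0x6D2 threads; with an exact match only the first thread per region is reported and the injected code's own activity is missed.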
File behaviour
Behaviour description: Creates a file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\0003533E_Rar\%temp%\****.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\wingpch.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\00036D38_Rar\%temp%\****.exe
C:\WINDOWS\system32\drivers\gmvin.sys
C:\Documents and Settings\Administrator\Local Settings\Temp\winqllpi.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\winfmyij.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\ecxmp.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\yeqiwl.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\winkdapyp.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\winrar[1].gif
C:\Documents and Settings\Administrator\Local Settings\Temp\wincknf.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\winwgpbds.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\eaor.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\winiyeyjd.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\vruyj.exe
Behaviour description: Creates an executable file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\wingpch.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\0003533E_Rar\%temp%\****.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\00036D38_Rar\%temp%\****.exe
C:\WINDOWS\system32\drivers\gmvin.sys
C:\Documents and Settings\Administrator\Local Settings\Temp\winqllpi.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\winfmyij.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\ecxmp.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\yeqiwl.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\winkdapyp.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\wincknf.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\winwgpbds.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\eaor.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\winiyeyjd.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\vruyj.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\agsxk.exe
Behaviour description: Copies a file
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\0003533E_Rar\%temp%\****.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\00036D38_Rar\%temp%\****.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\0003AD48_Rar\%temp%\****.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\0003B5E3_Rar\%temp%\****.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\0003B77A_Rar\%temp%\****.exe
Behaviour description: Modifies an executable file through a memory mapping
Details: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
Behaviour description: Deletes a file
Details: C:\WINDOWS\system32\drivers\gmvin.sys
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\winrar[1].gif
C:\Documents and Settings\Administrator\Local Settings\Temp\wingpch.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF7B03.tmp
Behaviour description: Searches for files
Details: FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\*
FileName = C:\Documents and Settings\All Users\桌面\*.*
FileName = C:\*.*
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\0003533E_Rar
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\0003533E_Rar\*.*
FileName = C:\Documents and Settings\Administrator\桌面\*.*
FileName = C:\*
FileName = C:\ANALYZECONTROL\*
FileName = D:\*
FileName = E:\*
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\My Documents
FileName = C:\Documents and Settings\root
FileName = F:\*
Behaviour description: Sets special folder attributes
Details: the same 10 Internet Explorer cache, history, cookie and feed folders listed under Key behaviours above.
Behaviour description: Modifies file contents
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\0003533E_Rar\%temp%\****.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\0003533E_Rar\%temp%\****.exe ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\0003533E_Rar\%temp%\****.exe ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\0003533E_Rar\%temp%\****.exe ---> Offset = 196608
C:\Documents and Settings\Administrator\Local Settings\Temp\0003533E_Rar\%temp%\****.exe ---> Offset = 262144
C:\WINDOWS\system.ini ---> Offset = 231
C:\Documents and Settings\Administrator\Local Settings\Temp\wingpch.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\00036D38_Rar\%temp%\****.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\00036D38_Rar\%temp%\****.exe ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\00036D38_Rar\%temp%\****.exe ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\00036D38_Rar\%temp%\****.exe ---> Offset = 196608
C:\Documents and Settings\Administrator\Local Settings\Temp\00036D38_Rar\%temp%\****.exe ---> Offset = 262144
C:\WINDOWS\system32\drivers\gmvin.sys ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\winqllpi.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\winqllpi.exe ---> Offset = 1024
Network behaviour
Behaviour description: Opens a URL over the network
Details: InternetOpenUrlA: http://ma****ar/images/logo.gif?36d98=896172, hInternet = 0x00cc0004, Flags = 0x84000000
InternetOpenUrlA: http://ro****om/images/logo.gif?384fc=1845216, hInternet = 0x00cc0004, Flags = 0x84000000
InternetOpenUrlA: http://ac****et/img/button.gif?3877d=231293, hInternet = 0x00cc0004, Flags = 0x84000000
InternetOpenUrlA: http://te****ar/images/logo.gif?3b1bd=484218, hInternet = 0x00cc0004, Flags = 0x84000000
InternetOpenUrlA: http://sa****om/images/button.gif?38d8e=2328460, hInternet = 0x00cc0004, Flags = 0x84000000
InternetOpenUrlA: http://ww****om/logo.gif?3b6ed=243437, hInternet = 0x00cc0004, Flags = 0x84000000
InternetOpenUrlA: http://sm****rg/image/logo.gif?393c8=2109960, hInternet = 0x00cc0004, Flags = 0x84000000
InternetOpenUrlA: http://ro****om/images/logo.gif?395eb=2349870, hInternet = 0x00cc0004, Flags = 0x84000000
InternetOpenUrlA: http://an****om/logos.gif?39c1e=2129166, hInternet = 0x00cc0004, Flags = 0x84000000
InternetOpenUrlA: http://ma****ar/images/logo.gif?3d821=503874, hInternet = 0x00cc0004, Flags = 0x84000000
InternetOpenUrlA: http://ro****om/images/logo.gif?3b3ec=970672, hInternet = 0x00cc0004, Flags = 0x84000000
InternetOpenUrlA: http://ac****et/img/button.gif?3b3e3=2183931, hInternet = 0x00cc0004, Flags = 0x84000000
InternetOpenUrlA: http://te****ar/images/logo.gif?3dbf9=252921, hInternet = 0x00cc0004, Flags = 0x84000000
InternetOpenUrlA: http://sa****om/images/button.gif?3b5e6=972696, hInternet = 0x00cc0004, Flags = 0x84000000
InternetOpenUrlA: http://ww****om/logo.gif?3b6e0=973696, hInternet = 0x00cc0004, Flags = 0x84000000
Behaviour description: Downloads a file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\winqllpi.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\winfmyij.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\ecxmp.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\yeqiwl.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\winkdapyp.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\wincknf.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\winwgpbds.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\eaor.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\winiyeyjd.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\vruyj.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\agsxk.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\aqsuei.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\winfyads.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\wgasvm.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\winlskpo.exe
Behaviour description: Connects to a specified host
Details: InternetConnectA: ServerName = ma****ar, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x84000000
InternetConnectA: ServerName = ro****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x84000000
InternetConnectA: ServerName = ac****et, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x84000000
InternetConnectA: ServerName = te****ar, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x84000000
InternetConnectA: ServerName = sa****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x84000000
InternetConnectA: ServerName = ww****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0010, hConnect = 0x00cc0014, Flags = 0x00000000
InternetConnectA: ServerName = ww****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x84000000
InternetConnectA: ServerName = sm****rg, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x84000000
InternetConnectA: ServerName = an****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x84000000
InternetConnectA: ServerName = ww****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
Behaviour description: Opens an HTTP session (the first User-Agent is hard-coded by the sample and differs from the two the host's own Internet Explorer reports)
Details: InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.1.50793), hSession = 0x00cc0004
InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489), hSession = 0x00cc0010
InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489), hSession = 0x00cc0004
Behaviour description: Establishes a socket connection to a specified host
Details: URL: ma****ar, IP: **.133.40.**:80, SOCKET = 0x000005b8
URL: ro****om, IP: **.133.40.**:80, SOCKET = 0x000005e8
URL: ac****et, IP: **.133.40.**:80, SOCKET = 0x0000062c
URL: te****ar, IP: **.133.40.**:80, SOCKET = 0x0000058c
URL: sa****om, IP: **.133.40.**:80, SOCKET = 0x00000658
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x0000068c
URL: sm****rg, IP: **.133.40.**:80, SOCKET = 0x00000650
URL: ro****om, IP: **.133.40.**:80, SOCKET = 0x00000660
URL: an****om, IP: **.133.40.**:80, SOCKET = 0x000006b0
URL: ma****ar, IP: **.133.40.**:80, SOCKET = 0x00000748
URL: ro****om, IP: **.133.40.**:80, SOCKET = 0x0000074c
URL: ac****et, IP: **.133.40.**:80, SOCKET = 0x00000750
URL: te****ar, IP: **.133.40.**:80, SOCKET = 0x0000075c
URL: sa****om, IP: **.133.40.**:80, SOCKET = 0x00000768
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x00000758
Behaviour description: Reads from a network file
Details: hFile = 0x00cc000c, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00cc0018, BytesToRead =8192, BytesRead = 8192.
hFile = 0x00cc000c, BytesToRead =2048, BytesRead = 2048.
Behaviour description: Sends an HTTP request (the report flattens each request and its headers onto one line)
Details: GET /images/logo.gif?36d98=896172 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.1.50793) Host: ma****ar Cache-Control: no-cache
GET /images/logo.gif?384fc=1845216 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.1.50793) Host: ro****om Cache-Control: no-cache
GET /img/button.gif?3877d=231293 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.1.50793) Host: ac****et Cache-Control: no-cache
GET /images/logo.gif?3b1bd=484218 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.1.50793) Host: te****ar Cache-Control: no-cache
GET /images/button.gif?38d8e=2328460 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.1.50793) Host: sa****om Cache-Control: no-cache
GET /js/winrar.gif HTTP/1.1 Accept: */* Accept-Language: zh-cn Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: ww****om Connection: Keep-Alive
GET /logo.gif?3b6ed=243437 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.1.50793) Host: ww****om Cache-Control: no-cache
GET /image/logo.gif?393c8=2109960 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.1.50793) Host: sm****rg Cache-Control: no-cache
GET /images/logo.gif?395eb=2349870 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.1.50793) Host: ro****om Cache-Control: no-cache
GET /logos.gif?39c1e=2129166 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.1.50793) Host: an****om Cache-Control: no-cache
GET /images/logo.gif?3d821=503874 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.1.50793) Host: ma****ar Cache-Control: no-cache
GET /images/logo.gif?3b3ec=970672 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.1.50793) Host: ro****om Cache-Control: no-cache
GET /img/button.gif?3b3e3=2183931 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.1.50793) Host: ac****et Cache-Control: no-cache
GET /images/logo.gif?3dbf9=252921 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.1.50793) Host: te****ar Cache-Control: no-cache
GET /images/button.gif?3b5e6=972696 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.1.50793) Host: sa****om Cache-Control: no-cache
Behaviour description: Opens an HTTP request
Details: HttpOpenRequestA: ma****ar:80/images/logo.gif?36d98=896172, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
HttpOpenRequestA: ro****om:80/images/logo.gif?384fc=1845216, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
HttpOpenRequestA: ac****et:80/img/button.gif?3877d=231293, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
HttpOpenRequestA: te****ar:80/images/logo.gif?3b1bd=484218, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
HttpOpenRequestA: sa****om:80/images/button.gif?38d8e=2328460, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
HttpOpenRequestA: ww****om:80/js/winrar.gif, hConnect = 0x00cc0014, hRequest = 0x00cc0018, Verb: GET, Referer: , Flags = 0x00410000
HttpOpenRequestA: ww****om:80/logo.gif?3b6ed=243437, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
HttpOpenRequestA: sm****rg:80/image/logo.gif?393c8=2109960, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
HttpOpenRequestA: ro****om:80/images/logo.gif?395eb=2349870, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
HttpOpenRequestA: an****om:80/logos.gif?39c1e=2129166, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
HttpOpenRequestA: ma****ar:80/images/logo.gif?3d821=503874, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
HttpOpenRequestA: ro****om:80/images/logo.gif?3b3ec=970672, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
HttpOpenRequestA: ac****et:80/img/button.gif?3b3e3=2183931, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
HttpOpenRequestA: te****ar:80/images/logo.gif?3dbf9=252921, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
HttpOpenRequestA: sa****om:80/images/button.gif?3b5e6=972696, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
Behavior description:Resolve host address by name
Details:GetAddrInfoW: ma****ar
GetAddrInfoW: ro****om
GetAddrInfoW: ac****et
GetAddrInfoW: te****ar
GetAddrInfoW: sa****om
GetAddrInfoW: ww****om
GetAddrInfoW: sm****rg
GetAddrInfoW: an****om
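Every HttpOpenRequestA call above has the same shape: a GET to an image-like path, a single throwaway `?hex=digits` query parameter, an empty Referer, and dwFlags 0x84000000, which is INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE (fetch from the origin, never cache). Only the /js/winrar.gif fetch differs (no query, flags 0x00410000 = INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_CACHE_IF_NET_FAIL), which is what a real installer's image download looks like. The script below is an added example and not part of the VirSCAN report: it parses lines in that exact format, decodes the WinINet flag bits (values from wininet.h), scores each request on those traits and reports hosts where every request scores as a beacon. The trait names and the score threshold are this example's own choices; the sample lines are copied from the report above with its **** masking left in place.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed sample: the HttpOpenRequestA lines from the report above, copied as printed
# (hosts are masked with **** in the report; the masking is kept as-is).
SAMPLE_LOG = """
HttpOpenRequestA: ma****ar:80/images/logo.gif?36d98=896172, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
HttpOpenRequestA: ro****om:80/images/logo.gif?384fc=1845216, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
HttpOpenRequestA: ac****et:80/img/button.gif?3877d=231293, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
HttpOpenRequestA: te****ar:80/images/logo.gif?3b1bd=484218, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
HttpOpenRequestA: sa****om:80/images/button.gif?38d8e=2328460, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
HttpOpenRequestA: ww****om:80/js/winrar.gif, hConnect = 0x00cc0014, hRequest = 0x00cc0018, Verb: GET, Referer: , Flags = 0x00410000
HttpOpenRequestA: ww****om:80/logo.gif?3b6ed=243437, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
HttpOpenRequestA: sm****rg:80/image/logo.gif?393c8=2109960, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
HttpOpenRequestA: ro****om:80/images/logo.gif?395eb=2349870, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
HttpOpenRequestA: an****om:80/logos.gif?39c1e=2129166, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
HttpOpenRequestA: ma****ar:80/images/logo.gif?3d821=503874, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
HttpOpenRequestA: ro****om:80/images/logo.gif?3b3ec=970672, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
HttpOpenRequestA: ac****et:80/img/button.gif?3b3e3=2183931, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
HttpOpenRequestA: te****ar:80/images/logo.gif?3dbf9=252921, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
HttpOpenRequestA: sa****om:80/images/button.gif?3b5e6=972696, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000000
"""

# Subset of the WinINet dwFlags bits (values from wininet.h), most-significant first.
WININET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",            # always fetch from the origin server
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",    # never write the response to the cache
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00010000: "INTERNET_FLAG_CACHE_IF_NET_FAIL",
}

LINE_RX = re.compile(
    r"HttpOpenRequestA:\s*(?P<host>[^:/\s]+):(?P<port>\d+)(?P<path>\S+),"
    r".*?Verb:\s*(?P<verb>\w+),\s*Referer:\s*(?P<referer>[^,]*),\s*Flags\s*=\s*0x(?P<flags>[0-9a-fA-F]+)"
)
IMAGE_EXT = (".gif", ".png", ".jpg", ".jpeg", ".ico")
CACHEBUST_KEY = re.compile(r"^[0-9a-f]{4,8}$")   # one-off hex key such as 36d98 (example's own heuristic)

def decode_flags(value):
    """Return (flag names set in value, leftover bits this table does not know)."""
    names = [name for bit, name in WININET_FLAGS.items() if value & bit]
    return names, value & ~sum(WININET_FLAGS)

def parse_requests(text):
    """Turn HttpOpenRequestA log lines into dicts; lines that do not match are ignored."""
    reqs = []
    for m in LINE_RX.finditer(text):
        path, _, query = m["path"].partition("?")
        reqs.append({
            "host": m["host"], "port": int(m["port"]), "path": path, "query": query,
            "params": parse_qsl(query, keep_blank_values=True),
            "verb": m["verb"], "referer": m["referer"].strip(), "flags": int(m["flags"], 16),
        })
    return reqs

def beacon_reasons(req):
    """Each hit is one reason the request looks like a cache-busted C2 poll rather than a page asset."""
    reasons = []
    if req["path"].lower().endswith(IMAGE_EXT) and req["query"]:
        reasons.append("image-path-with-query")
    if len(req["params"]) == 1:
        key, val = req["params"][0]
        if CACHEBUST_KEY.match(key) and val.isdigit():
            reasons.append("random-hex-key-numeric-value")
    if not req["referer"]:
        reasons.append("no-referer")
    if req["flags"] & 0x80000000 and req["flags"] & 0x04000000:
        reasons.append("reload-and-no-cache-write")
    return reasons

def summarize(text, min_reasons=3):
    """Group by host; a host is a beacon suspect only if every request to it scores >= min_reasons."""
    reqs = parse_requests(text)
    per_host = defaultdict(list)
    for r in reqs:
        r["reasons"] = beacon_reasons(r)
        per_host[r["host"]].append(r)
    suspects = {h: len(rs) for h, rs in per_host.items()
                if all(len(r["reasons"]) >= min_reasons for r in rs)}
    return reqs, suspects

if __name__ == "__main__":
    reqs, suspects = summarize(SAMPLE_LOG)
    for r in reqs:
        names, _ = decode_flags(r["flags"])
        print(f'{r["host"]:10} {r["path"]:<20} {"|".join(names):48} {r["reasons"]}')
    print("beacon suspects (host -> request count):", suspects)
```

The mixed host ww****om is deliberately not reported: one genuine-looking download to it would mask the beacon if the score were averaged, so the rule requires every request to a host to look like a poll. In a real triage you would feed the GetAddrInfoW list through the same host key so that resolution attempts without a completed request are still counted.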
Registry behavior
Behavior description:Delete registry key
Details:\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\{63800dac-e7ca-4df9-9a5c-20765055488d}\
\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\
\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\
\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBB}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBB}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBC}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBC}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\
\REGISTRY\USER\S-*_CLASSES\JavaPlugin.1000\CLSID\
Behavior description:Modify registry_Explorer file display attributes
Details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
Behavior description:Delete registry key_Safe Mode boot entries
Details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\AppMgmt\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Base\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Boot Bus Extender\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Boot file system\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\CryptSvc\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\DcomLaunch\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmadmin\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmboot.sys\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmio.sys\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmload.sys\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmserver\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\EventLog\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\File system\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Filter\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Netlogon\
Behavior description:Modify registry_UAC key setting
Details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
Behavior description:Modify registry
Details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\-993627007\1768776769
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\-993627007\-757413758
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\-993627007\1011363011
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\-993627007\-1514827516
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\-993627007\253949253
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\-993627007\-503464505
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A1_0
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A2_0
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A3_0
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A4_0
\REGISTRY\USER\S-*\SessionInformation\ProgramCount
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Behavior description:Modify registry_System firewall trusted process list
Details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
Behavior description:Modify registry_Security Center attributes
Details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UacDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\UpdatesDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\UacDisableNotify
Behavior description:Delete registry value
Details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\AlternateShell
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A1_0
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A2_0
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A3_0
\REGISTRY\USER\S-*\Software\Aasppapmmxkvs\A4_0
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
\REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\996E\DEBUG\Trace Level
Other behavior
Behavior description:Get cursor position
Details:CursorPos = (80,18468), SleepMilliseconds = 128.
CursorPos = (6373,26501), SleepMilliseconds = 2048.
CursorPos = (19208,15725), SleepMilliseconds = 128.
CursorPos = (11517,29359), SleepMilliseconds = 128.
CursorPos = (27001,24465), SleepMilliseconds = 128.
CursorPos = (5744,28146), SleepMilliseconds = 128.
CursorPos = (23320,16828), SleepMilliseconds = 10000.
CursorPos = (10000,492), SleepMilliseconds = 512.
CursorPos = (3034,11943), SleepMilliseconds = 128.
CursorPos = (4866,5437), SleepMilliseconds = 128.
CursorPos = (32430,14605), SleepMilliseconds = 128.
CursorPos = (3941,154), SleepMilliseconds = 128.
CursorPos = (331,12383), SleepMilliseconds = 128.
CursorPos = (17460,18717), SleepMilliseconds = 128.
CursorPos = (19757,19896), SleepMilliseconds = 128.
Behavior description:Create mutex
Details:uxJLpe1m
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
smss.exeM_520_
csrss.exeM_584_
winlogon.exeM_608_
services.exeM_652_
lsass.exeM_664_
lcixservice.exeM_820_
rtucthlp.exeM_832_
svchost.exeM_872_
Behavior description:Create event object
Details:EventName = ShellCopyEngineRunning
EventName = Global\crypt32LogoffEvent
EventName = Global\userenv: User Profile setup event
EventName = ShellCopyEngineFinished
EventName = DINPUTWINMM
EventName = Isolation Signal Registry Event (818AD015-9DB0-11E7-91C0-7B****28, 0)
EventName = IE_EarlyTabStart_0x818
EventName = Isolation Signal Registry Event (818AD016-9DB0-11E7-91C0-7B****28, 0)
EventName = Global\Microsoft Smart Card Resource Manager Started
EventName = CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
EventName = CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
EventName = MSCTF.SendReceive.Event.IOH.IC
EventName = MSCTF.SendReceiveConection.Event.IOH.IC
EventName = MSCTF.SendReceive.Event.ANB.IC
EventName = MSCTF.SendReceiveConection.Event.ANB.IC
Behavior description:Window information
Details:Pid = 3724, Hwnd=0x10348, Text = TITLE_BMP, ClassName = Static.
Pid = 3724, Hwnd=0x1034a, Text = Copyright (C) DrvSky (original: 版权所有 (C) 驱动天空), ClassName = Static.
Pid = 3724, Hwnd=0x1034c, Text = www.DrvSky.com, ClassName = Static.
Pid = 3724, Hwnd=0x10350, Text = Destination folder(&D) (original: 目标文件夹(&D)), ClassName = Static.
Pid = 3724, Hwnd=0x10352, Text = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\eMPIA_USB2861, ClassName = ComboBox.
Pid = 3724, Hwnd=0x10356, Text = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\eMPIA_USB2861, ClassName = Edit.
Pid = 3724, Hwnd=0x10358, Text = Browse(&W)... (original: 浏览(&W)...), ClassName = Button.
Pid = 3724, Hwnd=0x1035e, Text = Install (original: 安装), ClassName = Button.
Pid = 3724, Hwnd=0x10360, Text = Cancel (original: 取消), ClassName = Button.
Pid = 3724, Hwnd=0x10344, Text = WinRAR self-extracting archive (original: WinRAR 自解压文件), ClassName = #32770.
Pid = 3724, Hwnd=0x4038c, Text = Which user account do you want to run this program under? (original: 您想使用哪个用户帐户运行这个程序?), ClassName = Static.
Pid = 3724, Hwnd=0x30396, Text = Current user(&C) (COMPUTER\Administrator) (original: 当前用户(&C) (COMPUTER\Administrator)), ClassName = Button(RadioButton).
Pid = 3724, Hwnd=0x30374, Text = Protect my computer and data from unauthorized program activity(&P) This option protects your computer and personal data from damage by viruses, but selecting it may cause the program to work incorrectly. (original: 保护我的计算机和数据不受未授权程序的活动影响(&P) 这个选项可以保护您的计算机或个人数据不受病毒损害,但是选择这项可能会引起程序工作不正确。), ClassName = Button(CheckBox).
Pid = 3724, Hwnd=0x50392, Text = The following user(&F): (original: 下列用户(&F):), ClassName = Button(RadioButton).
Pid = 3724, Hwnd=0x103b8, Text = User name(&U): (original: 用户名(&U):), ClassName = Static.
Behavior description:Load driver (standard)
Details:system32\DRIVERS\ipfltdrv.sys
\??\C:\WINDOWS\system32\drivers\gmvin.sys
Behavior description:Read CPU clock directly
Details:EAX = 0x62cf8c34, EDX = 0x000000c0
EAX = 0x75dfb6c3, EDX = 0x000000c0
EAX = 0x7892b63f, EDX = 0x000000c0
Behavior description:Find specified window
Details:NtUserFindWindowEx: [Class,Window] = [Acrobat Viewer,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [,GINA Logon]
NtUserFindWindowEx: [Class,Window] = [EDIT,]
NtUserFindWindowEx: [Class,Window] = [TXGuiFoundation,QQ2013]
NtUserFindWindowEx: [Class,Window] = [CTXOPConntion_Class,OP_2269840561]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [Static,]
Behavior description:Start system service
Details:[Service started successfully]: , IP Traffic Filter Driver, system32\DRIVERS\ipfltdrv.sys
[Service started successfully]: , amsint32, \??\C:\WINDOWS\system32\drivers\gmvin.sys
Behavior description:Open event
Details:HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\crypt32LogoffEvent
Global\SvcctrlStartEvent_A3752DX
\INSTALLATION_SECURITY_HOLD
_fCanRegisterWithShellService
Isolation Signal Registry Event (818AD015-9DB0-11E7-91C0-7B****28, 0)
Global\Microsoft Smart Card Resource Manager Started
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
MSFT.VSA.COM.DISABLE.2060
MSFT.VSA.IEC.STATUS.6c736db0
Isolation Signal Registry Event (818AD016-9DB0-11E7-91C0-7B****28, 0)
Behavior description:Get TickCount value
Details:TickCount = 217855, SleepMilliseconds = 12.
TickCount = 217871, SleepMilliseconds = 12.
TickCount = 217918, SleepMilliseconds = 12.
TickCount = 218058, SleepMilliseconds = 12.
TickCount = 218121, SleepMilliseconds = 12.
TickCount = 218199, SleepMilliseconds = 12.
TickCount = 398203, SleepMilliseconds = 180000.
TickCount = 218474, SleepMilliseconds = 256.
TickCount = 218730, SleepMilliseconds = 512.
TickCount = 518250, SleepMilliseconds = 300000.
TickCount = 518265, SleepMilliseconds = 300000.
TickCount = 518281, SleepMilliseconds = 300000.
TickCount = 518312, SleepMilliseconds = 300000.
TickCount = 518328, SleepMilliseconds = 300000.
TickCount = 518343, SleepMilliseconds = 300000.
Behavior description:Search for kernel32.dll base address
Details:Instruction Address = 0x00427b7e
Behavior description:Adjust process token privileges
Details:SE_DEBUG_PRIVILEGE
SE_LOAD_DRIVER_PRIVILEGE
SE_ASSIGNPRIMARYTOKEN_PRIVILEGE
Behavior description:Enumerate windows
Details:N/A
Behavior description:Stop system service
Details:ServiceName = Application Layer Gateway Service
ServiceName = Windows Firewall/Internet Connection Sharing (ICS)
ServiceName = Security Center
Behavior description:Attempt to connect to rootkit driver device object
Details:\??\amsint32
Behavior description:Executable file signature information
Details:C:\Documents and Settings\Administrator\Local Settings\Temp\wingpch.exe(signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\0003533E_Rar\%temp%\****.exe(signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\00036D38_Rar\%temp%\****.exe(signature verification: failed)
C:\WINDOWS\system32\drivers\gmvin.sys(signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\winqllpi.exe(signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\winfmyij.exe(signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\ecxmp.exe(signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\yeqiwl.exe(signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\winkdapyp.exe(signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\wincknf.exe(signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\winwgpbds.exe(signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\eaor.exe(signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\winiyeyjd.exe(signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\vruyj.exe(signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\agsxk.exe(signature verification: failed)
Behavior description:Call Sleep function
Details:[1]: MilliSeconds = 12.
[2]: MilliSeconds = 120000.
[3]: MilliSeconds = 1024.
[4]: MilliSeconds = 180000.
[5]: MilliSeconds = 256.
[6]: MilliSeconds = 512.
[7]: MilliSeconds = 300000.
[8]: MilliSeconds = 512.
[9]: MilliSeconds = 1024.
[10]: MilliSeconds = 4096.
Behavior description:Hide specified window
Details:[Window,Class] = [,ComboLBox]
[Window,Class] = [,RICHEDIT]
[Window,Class] = [,Auto-Suggest Dropdown]
[Window,Class] = [,Shell Embedding]
[Window,Class] = [,Internet Explorer_Server]
[Window,Class] = [,BrowserFrameGripperClass]
[Window,Class] = [Zoom level (original: 缩放级别),ToolbarWindow32]
[Window,Class] = [,msctls_progress32]
[Window,Class] = [,SysLink]
[Window,Class] = [,Static]
[Window,Class] = [http://www.yixun.com/ - Windows Internet Explorer,IEFrame]
[Window,Class] = [,UniversalSearchBand]
[Window,Class] = [,TravelBand]
[Window,Class] = [,CommandBarClass]
[Window,Class] = [,ReBarWindow32]
Behavior description:Executable file MD5
Details:C:\Documents and Settings\Administrator\Local Settings\Temp\wingpch.exe ---> 25aa9bb549ecc7bb6100f8d179452508
C:\Documents and Settings\Administrator\Local Settings\Temp\0003533E_Rar\%temp%\****.exe ---> cf558ee8493397273eed8568fe24c54e
C:\Documents and Settings\Administrator\Local Settings\Temp\00036D38_Rar\%temp%\****.exe ---> cf558ee8493397273eed8568fe24c54e
C:\WINDOWS\system32\drivers\gmvin.sys ---> bf31a8d79f704f488e3dbcb6eea3b3e3
C:\Documents and Settings\Administrator\Local Settings\Temp\winqllpi.exe ---> fe1d0ee5901dd167ee9b28eece31786c
C:\Documents and Settings\Administrator\Local Settings\Temp\winfmyij.exe ---> fe1d0ee5901dd167ee9b28eece31786c
C:\Documents and Settings\Administrator\Local Settings\Temp\ecxmp.exe ---> fe1d0ee5901dd167ee9b28eece31786c
C:\Documents and Settings\Administrator\Local Settings\Temp\yeqiwl.exe ---> fe1d0ee5901dd167ee9b28eece31786c
C:\Documents and Settings\Administrator\Local Settings\Temp\winkdapyp.exe ---> fe1d0ee5901dd167ee9b28eece31786c
C:\Documents and Settings\Administrator\Local Settings\Temp\wincknf.exe ---> fe1d0ee5901dd167ee9b28eece31786c
C:\Documents and Settings\Administrator\Local Settings\Temp\winwgpbds.exe ---> fe1d0ee5901dd167ee9b28eece31786c
C:\Documents and Settings\Administrator\Local Settings\Temp\eaor.exe ---> fe1d0ee5901dd167ee9b28eece31786c
C:\Documents and Settings\Administrator\Local Settings\Temp\winiyeyjd.exe ---> fe1d0ee5901dd167ee9b28eece31786c
C:\Documents and Settings\Administrator\Local Settings\Temp\vruyj.exe ---> fe1d0ee5901dd167ee9b28eece31786c
C:\Documents and Settings\Administrator\Local Settings\Temp\agsxk.exe ---> fe1d0ee5901dd167ee9b28eece31786c
Behavior description:Open mutex
Details:ShimCacheMutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
Local\!IETld!Mutex
Local\c:!documents and settings!administrator!ietldcache!
CtfmonInstMutexDefaultS-*
Local\!BrowserEmulation!SharedMemory!Mutex
Local\RSS Eventing Connection Database Mutex 0000080c
Local\c:!documents and settings!administrator!local settings!application data!microsoft!feeds cache!
Behavior description:Create system service
Details:[Service already exists]: IPFILTERDRIVER, C:\WINDOWS\system32\drivers\ipfltdrv.sys
[Service created successfully]: amsint32, C:\WINDOWS\system32\drivers\gmvin.sys