VirSCAN
File information
Safety rating: 14
Behavior list
Basic Information
MD5: 1dabb8723be7acc0a847e0b665a82f90
File type: EXE
Production company: Adobe Systems Incorporated
Version: 7.0.0.324---7.0.0.324
Shell or compiler information:
Key behavior
Behavior description: Modifies existing system EXE files
details:C:\Program Files\VMware\VMware Tools\VMwareTray.exe---> Offset = 245760
C:\Program Files\VMware\VMware Tools\VMwareUser.exe---> Offset = 1167360
Behavior description: Writes data into other processes (cross-process write)
details:TargetProcess = explorer.exe, WriteAddress = 0x02620000, Size = 8192
C:\WINDOWS\explorer.exe
TargetProcess = explorer.exe, WriteAddress = 0x02630000, Size = 4096
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tencent\QQ\Bin\QQ.exe
C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe
C:\WINDOWS\system32\conime.exe
TargetProcess = conime.exe, WriteAddress = 0x00e30000, Size = 4096
C:\WINDOWS\system32\PersonalBankPortal.exe
TargetProcess = EasyWebSvr.exe, WriteAddress = 0x00d20000, Size = 8192
C:\%temp%\1445903303.606335.exe
TargetProcess = EasyWebSvr.exe, WriteAddress = 0x00d30000, Size = 4096
C:\%temp%\1445903303.620324.exe
TargetProcess = taskmgr.exe, WriteAddress = 0x00b60000, Size = 8192
C:\WINDOWS\system32\taskmgr.exe
Behavior description: Queries file attributes to detect a virtual machine
details:GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwaretray.exe
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwareuser.exe
Behavior description: Modifies registry - system firewall authorized application list
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1445903305.710299.exe
Behavior description: Modifies registry - key UAC setting
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
Behavior description: Loads a driver (standard method)
details:system32\DRIVERS\ipfltdrv.sys
\??\C:\WINDOWS\system32\drivers\psrhm.sys
Behavior description: Creates remote threads
details:C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tencent\QQ\Bin\QQ.exe
C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\PersonalBankPortal.exe
C:\%temp%\1445903305.811168.exe
C:\%temp%\1445903305.818101.exe
C:\WINDOWS\system32\taskmgr.exe
C:\%temp%\1445903305.838883.exe
C:\%temp%\1445903305.845814.exe
C:\WINDOWS\system32\patchupdate.exe
C:\WINDOWS\system32\tm.exe
C:\Program Files\Internet Explorer\iexplore.exe
Behavior description: Modifies executable files through memory mapping
details:\device\harddiskvolume1\program files\vmware\vmware tools\vmwaretray.exe
\device\harddiskvolume1\program files\vmware\vmware tools\vmwareuser.exe
Behavior description: Sets special file attributes
details:C:\dmap.exe
C:\DiskD\qwxl.exe
C:\DiskX\vlkq.pif
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
Behavior description: Stops system services
details:ServiceName = Application Layer Gateway Service
ServiceName = Windows Firewall/Internet Connection Sharing (ICS)
ServiceName = Security Center
Behavior description: Attempts to open a rootkit driver device object
details:\??\amsint32
Behavior description: Creates writable file mappings
details:hh8geqpHJTkdns6
purity_control_7728
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dqtvks.exe
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winixdos.exe
Local\UrlZonesSM_Administrator
\DiskD\qwxl.exe
\Program Files\VMware\VMware Tools\VMwareTray.exe
\Program Files\VMware\VMware Tools\VMwareUser.exe
Behavior description: Creates an autorun file in the root directory
details:C:\autorun.inf
C:\DiskD\autorun.inf
C:\DiskX\autorun.inf
Behavior description: Sets special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Creates system services
details:[Service already exists]: IPFILTERDRIVER, C:\WINDOWS\system32\drivers\ipfltdrv.sys
[Service created successfully]: amsint32, C:\WINDOWS\system32\drivers\psrhm.sys
Process behavior
Behavior description: Writes data into other processes (cross-process write)
details:TargetProcess = explorer.exe, WriteAddress = 0x02620000, Size = 8192
C:\WINDOWS\explorer.exe
TargetProcess = explorer.exe, WriteAddress = 0x02630000, Size = 4096
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tencent\QQ\Bin\QQ.exe
C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe
C:\WINDOWS\system32\conime.exe
TargetProcess = conime.exe, WriteAddress = 0x00e30000, Size = 4096
C:\WINDOWS\system32\PersonalBankPortal.exe
TargetProcess = EasyWebSvr.exe, WriteAddress = 0x00d20000, Size = 8192
C:\%temp%\1445903303.606335.exe
TargetProcess = EasyWebSvr.exe, WriteAddress = 0x00d30000, Size = 4096
C:\%temp%\1445903303.620324.exe
TargetProcess = taskmgr.exe, WriteAddress = 0x00b60000, Size = 8192
C:\WINDOWS\system32\taskmgr.exe
Behavior description: Creates remote threads
details:C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tencent\QQ\Bin\QQ.exe
C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\PersonalBankPortal.exe
C:\%temp%\1445903305.811168.exe
C:\%temp%\1445903305.818101.exe
C:\WINDOWS\system32\taskmgr.exe
C:\%temp%\1445903305.838883.exe
C:\%temp%\1445903305.845814.exe
C:\WINDOWS\system32\patchupdate.exe
C:\WINDOWS\system32\tm.exe
C:\Program Files\Internet Explorer\iexplore.exe
Behavior description: Enumerates processes
details:N/A
Behavior description: Creates a process
details:ImagePath = C:\Program Files\Internet Explorer\IEXPLORE.EXE, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.yixun.com/
File behavior
Behavior description: Modifies existing system EXE files
details:C:\Program Files\VMware\VMware Tools\VMwareTray.exe---> Offset = 245760
C:\Program Files\VMware\VMware Tools\VMwareUser.exe---> Offset = 1167360
Behavior description: Creates executable files
details:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dqtvks.exe
C:\WINDOWS\system32\drivers\psrhm.sys
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winixdos.exe
C:\dmap.exe
C:\DiskD\qwxl.exe
C:\DiskX\vlkq.pif
Behavior description: Searches for files
details:FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\*
FileName = C:\*
FileName = C:\AnalyzeControl\*
FileName = D:\*
FileName = E:\*
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\My Documents
FileName = C:\Documents and Settings\All Users
FileName = C:\Documents and Settings\All Users\Documents
FileName = C:\Documents and Settings\Administrator\桌面
FileName = C:\Documents and Settings\All Users\桌面
FileName = C:\Program Files\Internet Explorer\IEXPLORE.EXE
FileName = C:\Program Files\Internet Explorer\iexplore.exe
FileName = F:\*
Behavior description: Modifies executable files through memory mapping
details:\device\harddiskvolume1\program files\vmware\vmware tools\vmwaretray.exe
\device\harddiskvolume1\program files\vmware\vmware tools\vmwareuser.exe
Behavior description: Sets special file attributes
details:C:\dmap.exe
C:\DiskD\qwxl.exe
C:\DiskX\vlkq.pif
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
Behavior description: Creates writable file mappings
details:hh8geqpHJTkdns6
purity_control_7728
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dqtvks.exe
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winixdos.exe
Local\UrlZonesSM_Administrator
\DiskD\qwxl.exe
\Program Files\VMware\VMware Tools\VMwareTray.exe
\Program Files\VMware\VMware Tools\VMwareUser.exe
Behavior description: Creates an autorun file in the root directory
details:C:\autorun.inf
C:\DiskD\autorun.inf
C:\DiskX\autorun.inf
Behavior description: Sets special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Modifies file contents
details:C:\WINDOWS\76665---> Offset = 0
C:\WINDOWS\system.ini---> Offset = 231
C:\autorun.inf---> Offset = 0
C:\DiskD\autorun.inf---> Offset = 0
C:\DiskX\autorun.inf---> Offset = 0
Behavior description: Modifies newly created executable files
details:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dqtvks.exe---> Offset = 66560
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winixdos.exe---> Offset = 66560
Network behavior
Behavior description: Opens URLs over the network
details:InternetOpenUrlA: http://slwocfd/sobaka1.gif?78175=984042 hInternet = 0x00000544
InternetOpenUrlA: http://46.105.103.219/sobakavolos.gif?7833a=492346 hInternet = 0x00000548
InternetOpenUrlA: http://slwocfd/sobaka1.gif?78b68=1977760 hInternet = 0x0000051c
InternetOpenUrlA: http://46.105.103.219/sobakavolos.gif?7d9c4=3601500 hInternet = 0x000005ac
InternetOpenUrlA: http://slwocfd/sobaka1.gif?7962f=1988796 hInternet = 0x000004ec
InternetOpenUrlA: http://46.105.103.219/sobakavolos.gif?794de=993724 hInternet = 0x000004d8
InternetOpenUrlA: http://slwocfd/sobaka1.gif?79d7c=1497204 hInternet = 0x000004d4
InternetOpenUrlA: http://46.105.103.219/sobakavolos.gif?79d1b=2993826 hInternet = 0x000004c8
InternetOpenUrlA: http://slwocfd/sobaka1.gif?7a5d9=3508463 hInternet = 0x000004f0
InternetOpenUrlA: http://46.105.103.219/sobakavolos.gif?7a5e8=1002448 hInternet = 0x0000050c
InternetOpenUrlA: http://slwocfd/sobaka1.gif?7ad58=4528152 hInternet = 0x00000494
InternetOpenUrlA: http://46.105.103.219/sobakavolos.gif?7d407=2052124 hInternet = 0x00000490
InternetOpenUrlA: http://slwocfd/sobaka1.gif?7dbe6=1030092 hInternet = 0x000004a8
InternetOpenUrlA: http://46.105.103.219/sobakavolos.gif?7dbf6=2575310 hInternet = 0x000004d0
InternetOpenUrlA: http://slwocfd/sobaka1.gif?7c0e5=2032532 hInternet = 0x00000464
Behavior description: Downloads files
details:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\eofbm.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winegry.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winymguy.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winhbeks.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vnbhmw.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\lxmk.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wintelchx.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ccmkc.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uryeg.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wingkwc.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlijdl.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rudfp.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winrihdx.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winthkbhu.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winnvnyg.exe
Behavior description: Reads network files
details:hFile = 0x00000544, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000548, BytesToRead =1024, BytesRead = 1024.
hFile = 0x0000051c, BytesToRead =1024, BytesRead = 1024.
hFile = 0x000005ac, BytesToRead =1024, BytesRead = 1024.
hFile = 0x000004ec, BytesToRead =1024, BytesRead = 1024.
hFile = 0x000004d8, BytesToRead =1024, BytesRead = 1024.
hFile = 0x000004d4, BytesToRead =1024, BytesRead = 1024.
hFile = 0x000004c8, BytesToRead =1024, BytesRead = 1024.
hFile = 0x000004f0, BytesToRead =1024, BytesRead = 1024.
hFile = 0x0000050c, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000494, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000490, BytesToRead =1024, BytesRead = 1024.
hFile = 0x000004a8, BytesToRead =1024, BytesRead = 1024.
hFile = 0x000004d0, BytesToRead =1024, BytesRead = 1024.
hFile = 0x00000464, BytesToRead =1024, BytesRead = 1024.
Registry behavior
Behavior description: Deletes registry keys
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup
Behavior description: Modifies registry - Explorer file display settings
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
Behavior description: Deletes registry keys - Safe Mode startup entries
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\AppMgmt
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Base
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Boot Bus Extender
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Boot file system
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\CryptSvc
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\DcomLaunch
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmadmin
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmboot.sys
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmio.sys
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmload.sys
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmserver
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\EventLog
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\File system
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Filter
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Netlogon
Behavior description: Modifies registry - key UAC setting
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
Behavior description: Deletes registry value - Safe Mode startup entry
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\AlternateShell
Behavior description: Modifies registry
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications
\REGISTRY\USER\S-*\Software\Fobvexllmtqkq\A1_0
\REGISTRY\USER\S-*\Software\Fobvexllmtqkq\A2_0
\REGISTRY\USER\S-*\Software\Fobvexllmtqkq\A3_0
\REGISTRY\USER\S-*\Software\Fobvexllmtqkq\A4_0
\REGISTRY\USER\S-*\Software\Fobvexllmtqkq\A1_1
\REGISTRY\USER\S-*\Software\Fobvexllmtqkq\A2_1
\REGISTRY\USER\S-*\Software\Fobvexllmtqkq\A3_1
\REGISTRY\USER\S-*\Software\Fobvexllmtqkq\A4_1
\REGISTRY\USER\S-*\Software\Fobvexllmtqkq\A1_2
\REGISTRY\USER\S-*\Software\Fobvexllmtqkq\A2_2
\REGISTRY\USER\S-*\Software\Fobvexllmtqkq\A3_2
\REGISTRY\USER\S-*\Software\Fobvexllmtqkq\A4_2
Behavior description: Modifies registry - system firewall authorized application list
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1445903305.710299.exe
Behavior description: Modifies registry - Security Center settings
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UacDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\UpdatesDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\UacDisableNotify
Behavior description: Deletes registry values
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\LangID
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Program Files\Microsoft Office\OFFICE11\WinWord.exe
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\NOTEPAD.EXE
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\Cmb_Pb_LiveUpdate.exe
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\@C:\WINDOWS\system32\SHELL32.dll,-9216
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\@themeui.dll,-2037
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\@themeui.dll,-2038
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\@themeui.dll,-2039
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\@themeui.dll,-2040
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\@themeui.dll,-2041
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\@themeui.dll,-2042
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\@themeui.dll,-2017
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\@themeui.dll,-2016
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\@themeui.dll,-2015
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\@themeui.dll,-883
Other behavior
Behavior description: Creates mutexes
details:uxJLpe1m
smss.exeM_532_
csrss.exeM_588_
winlogon.exeM_612_
services.exeM_656_
lsass.exeM_668_
33oxservice.exeM_828_
33acthlp.exeM_840_
svchost.exeM_880_
svchost.exeM_944_
svchost.exeM_984_
svchost.exeM_1068_
svchost.exeM_1100_
spoolsv.exeM_1240_
33upgradehelper.exeM_1504_
Behavior description: Loads a driver (standard method)
details:system32\DRIVERS\ipfltdrv.sys
\??\C:\WINDOWS\system32\drivers\psrhm.sys
Behavior description: Searches for specified windows
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [TXGuiFoundation,QQ2013]
NtUserFindWindowEx: [Class,Window] = [CTXOPConntion_Class,OP_2269840561]
Behavior description: Starts system services
details:[Service started successfully]: , IP Traffic Filter Driver, system32\DRIVERS\ipfltdrv.sys
[Service started successfully]: , amsint32, \??\C:\WINDOWS\system32\drivers\psrhm.sys
Behavior description: Queries file attributes to detect a virtual machine
details:GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwaretray.exe
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwareuser.exe
Behavior description: Acquires system privileges
details:SE_DEBUG_PRIVILEGE
SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Reads the TickCount value
details:TickCount = 484918, SleepMilliseconds = 12.
TickCount = 484949, SleepMilliseconds = 12.
TickCount = 484965, SleepMilliseconds = 12.
TickCount = 488777, SleepMilliseconds = 12.
TickCount = 554021, SleepMilliseconds = 65225.
TickCount = 788843, SleepMilliseconds = 300000.
TickCount = 788859, SleepMilliseconds = 300000.
TickCount = 788875, SleepMilliseconds = 300000.
TickCount = 788890, SleepMilliseconds = 300000.
TickCount = 788906, SleepMilliseconds = 300000.
TickCount = 788921, SleepMilliseconds = 300000.
TickCount = 788968, SleepMilliseconds = 300000.
TickCount = 788984, SleepMilliseconds = 300000.
TickCount = 789000, SleepMilliseconds = 300000.
TickCount = 490371, SleepMilliseconds = 512.
Behavior description: Enumerates windows
details:N/A
Behavior description: Stops system services
details:ServiceName = Application Layer Gateway Service
ServiceName = Windows Firewall/Internet Connection Sharing (ICS)
ServiceName = Security Center
Behavior description: Attempts to open a rootkit driver device object
details:\??\amsint32
Behavior description: Calls the Sleep function
details:[1]: MilliSeconds = 180000.
[2]: MilliSeconds = 120000.
[3]: MilliSeconds = 65225.
[4]: MilliSeconds = 512.
[5]: MilliSeconds = 300000.
[6]: MilliSeconds = 10240.
[7]: MilliSeconds = -1.
[8]: MilliSeconds = -1.
[9]: MilliSeconds = 10000.
[10]: MilliSeconds = 1024.
Behavior description: Creates system services
details:[Service already exists]: IPFILTERDRIVER, C:\WINDOWS\system32\drivers\ipfltdrv.sys
[Service created successfully]: amsint32, C:\WINDOWS\system32\drivers\psrhm.sys