1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, Aplikace VirSCAN může skenovat komprimované soubory s heslem 'infected'nebo'virus'.
| Safety rating:14 |
| Behavior list |
| Basic Information | |
|---|---|
| MD5: | 1dabb8723be7acc0a847e0b665a82f90 |
| file type: | EXE |
| Production company: | Adobe Systems Incorporated |
| version: | 7.0.0.324---7.0.0.324 |
| Shell or compiler information: | |
| Key behavior | |
|---|---|
| Behavior description: | 修改原系统的EXE文件 |
| details: | C:\Program Files\VMware\VMware Tools\VMwareTray.exe---> Offset = 245760 |
| C:\Program Files\VMware\VMware Tools\VMwareUser.exe---> Offset = 1167360 | |
| Behavior description: | 跨进程写入数据 |
| details: | TargetProcess = explorer.exe, WriteAddress = 0x02620000, Size = 8192 |
| C:\WINDOWS\explorer.exe | |
| TargetProcess = explorer.exe, WriteAddress = 0x02630000, Size = 4096 | |
| C:\WINDOWS\system32\ctfmon.exe | |
| C:\Program Files\Tencent\QQ\Bin\QQ.exe | |
| C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe | |
| C:\WINDOWS\system32\conime.exe | |
| TargetProcess = conime.exe, WriteAddress = 0x00e30000, Size = 4096 | |
| C:\WINDOWS\system32\PersonalBankPortal.exe | |
| TargetProcess = EasyWebSvr.exe, WriteAddress = 0x00d20000, Size = 8192 | |
| C:\%temp%\1445903303.606335.exe | |
| TargetProcess = EasyWebSvr.exe, WriteAddress = 0x00d30000, Size = 4096 | |
| C:\%temp%\1445903303.620324.exe | |
| TargetProcess = taskmgr.exe, WriteAddress = 0x00b60000, Size = 8192 | |
| C:\WINDOWS\system32\taskmgr.exe | |
| Behavior description: | 获取文件属性探测虚拟机 |
| details: | GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwaretray.exe |
| GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwareuser.exe | |
| Behavior description: | 修改注册表_系统防火墙可信进程列表 |
| details: | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1445903305.710299.exe |
| Behavior description: | 修改注册表_UAC关键设置 |
| details: | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA |
| Behavior description: | 常规加载驱动 |
| details: | system32\DRIVERS\ipfltdrv.sys |
| \??\C:\WINDOWS\system32\drivers\psrhm.sys | |
| Behavior description: | 创建远程线程 |
| details: | C:\WINDOWS\explorer.exe |
| C:\WINDOWS\system32\ctfmon.exe | |
| C:\Program Files\Tencent\QQ\Bin\QQ.exe | |
| C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe | |
| C:\WINDOWS\system32\conime.exe | |
| C:\WINDOWS\system32\PersonalBankPortal.exe | |
| C:\%temp%\1445903305.811168.exe | |
| C:\%temp%\1445903305.818101.exe | |
| C:\WINDOWS\system32\taskmgr.exe | |
| C:\%temp%\1445903305.838883.exe | |
| C:\%temp%\1445903305.845814.exe | |
| C:\WINDOWS\system32\patchupdate.exe | |
| C:\WINDOWS\system32\tm.exe | |
| C:\Program Files\Internet Explorer\iexplore.exe | |
| Behavior description: | 内存映射方式修改可执行文件 |
| details: | \device\harddiskvolume1\program files\vmware\vmware tools\vmwaretray.exe |
| \device\harddiskvolume1\program files\vmware\vmware tools\vmwareuser.exe | |
| Behavior description: | 设置特殊文件属性 |
| details: | C:\dmap.exe |
| C:\DiskD\qwxl.exe | |
| C:\DiskX\vlkq.pif | |
| C:\Program Files\VMware\VMware Tools\VMwareTray.exe | |
| C:\Program Files\VMware\VMware Tools\VMwareUser.exe | |
| Behavior description: | 停止系统服务 |
| details: | ServiceName = Application Layer Gateway Service |
| ServiceName = Windows Firewall/Internet Connection Sharing (ICS) | |
| ServiceName = Security Center | |
| Behavior description: | 尝试连接RootKit驱动设备对象 |
| details: | \??\amsint32 |
| Behavior description: | 写权限映射文件 |
| details: | hh8geqpHJTkdns6 |
| purity_control_7728 | |
| \DOCUME~1\ADMINI~1\LOCALS~1\Temp\dqtvks.exe | |
| \DOCUME~1\ADMINI~1\LOCALS~1\Temp\winixdos.exe | |
| Local\UrlZonesSM_Administrator | |
| \DiskD\qwxl.exe | |
| \Program Files\VMware\VMware Tools\VMwareTray.exe | |
| \Program Files\VMware\VMware Tools\VMwareUser.exe | |
| Behavior description: | 在根目录创建自运行文件 |
| details: | C:\autorun.inf |
| C:\DiskD\autorun.inf | |
| C:\DiskX\autorun.inf | |
| Behavior description: | 设置特殊文件夹属性 |
| details: | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files |
| C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5 | |
| C:\Documents and Settings\Administrator\Local Settings\History | |
| C:\Documents and Settings\Administrator\Local Settings\History\History.IE5 | |
| C:\Documents and Settings\Administrator\Cookies | |
| Behavior description: | 创建系统服务 |
| details: | [服务已存在]: IPFILTERDRIVER, C:\WINDOWS\system32\drivers\ipfltdrv.sys |
| [服务创建成功]: amsint32, C:\WINDOWS\system32\drivers\psrhm.sys | |
| Process behavior | |
|---|---|
| Behavior description: | 跨进程写入数据 |
| details: | TargetProcess = explorer.exe, WriteAddress = 0x02620000, Size = 8192 |
| C:\WINDOWS\explorer.exe | |
| TargetProcess = explorer.exe, WriteAddress = 0x02630000, Size = 4096 | |
| C:\WINDOWS\system32\ctfmon.exe | |
| C:\Program Files\Tencent\QQ\Bin\QQ.exe | |
| C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe | |
| C:\WINDOWS\system32\conime.exe | |
| TargetProcess = conime.exe, WriteAddress = 0x00e30000, Size = 4096 | |
| C:\WINDOWS\system32\PersonalBankPortal.exe | |
| TargetProcess = EasyWebSvr.exe, WriteAddress = 0x00d20000, Size = 8192 | |
| C:\%temp%\1445903303.606335.exe | |
| TargetProcess = EasyWebSvr.exe, WriteAddress = 0x00d30000, Size = 4096 | |
| C:\%temp%\1445903303.620324.exe | |
| TargetProcess = taskmgr.exe, WriteAddress = 0x00b60000, Size = 8192 | |
| C:\WINDOWS\system32\taskmgr.exe | |
| Behavior description: | 创建远程线程 |
| details: | C:\WINDOWS\explorer.exe |
| C:\WINDOWS\system32\ctfmon.exe | |
| C:\Program Files\Tencent\QQ\Bin\QQ.exe | |
| C:\Program Files\Tencent\QQ\Bin\TXPlatform.exe | |
| C:\WINDOWS\system32\conime.exe | |
| C:\WINDOWS\system32\PersonalBankPortal.exe | |
| C:\%temp%\1445903305.811168.exe | |
| C:\%temp%\1445903305.818101.exe | |
| C:\WINDOWS\system32\taskmgr.exe | |
| C:\%temp%\1445903305.838883.exe | |
| C:\%temp%\1445903305.845814.exe | |
| C:\WINDOWS\system32\patchupdate.exe | |
| C:\WINDOWS\system32\tm.exe | |
| C:\Program Files\Internet Explorer\iexplore.exe | |
| Behavior description: | 枚举进程 |
| details: | N/A |
| Behavior description: | 创建进程 |
| details: | ImagePath = C:\Program Files\Internet Explorer\IEXPLORE.EXE, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.yixun.com/ |
| File behavior | |
|---|---|
| Behavior description: | 修改原系统的EXE文件 |
| details: | C:\Program Files\VMware\VMware Tools\VMwareTray.exe---> Offset = 245760 |
| C:\Program Files\VMware\VMware Tools\VMwareUser.exe---> Offset = 1167360 | |
| Behavior description: | 创建可执行文件 |
| details: | C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dqtvks.exe |
| C:\WINDOWS\system32\drivers\psrhm.sys | |
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winixdos.exe | |
| C:\dmap.exe | |
| C:\DiskD\qwxl.exe | |
| C:\DiskX\vlkq.pif | |
| Behavior description: | 查找文件 |
| details: | FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\* |
| FileName = C:\* | |
| FileName = C:\AnalyzeControl\* | |
| FileName = D:\* | |
| FileName = E:\* | |
| FileName = C:\Documents and Settings | |
| FileName = C:\Documents and Settings\Administrator | |
| FileName = C:\Documents and Settings\Administrator\My Documents | |
| FileName = C:\Documents and Settings\All Users | |
| FileName = C:\Documents and Settings\All Users\Documents | |
| FileName = C:\Documents and Settings\Administrator\桌面 | |
| FileName = C:\Documents and Settings\All Users\桌面 | |
| FileName = C:\Program Files\Internet Explorer\IEXPLORE.EXE | |
| FileName = C:\Program Files\Internet Explorer\iexplore.exe | |
| FileName = F:\* | |
| Behavior description: | 内存映射方式修改可执行文件 |
| details: | \device\harddiskvolume1\program files\vmware\vmware tools\vmwaretray.exe |
| \device\harddiskvolume1\program files\vmware\vmware tools\vmwareuser.exe | |
| Behavior description: | 设置特殊文件属性 |
| details: | C:\dmap.exe |
| C:\DiskD\qwxl.exe | |
| C:\DiskX\vlkq.pif | |
| C:\Program Files\VMware\VMware Tools\VMwareTray.exe | |
| C:\Program Files\VMware\VMware Tools\VMwareUser.exe | |
| Behavior description: | 写权限映射文件 |
| details: | hh8geqpHJTkdns6 |
| purity_control_7728 | |
| \DOCUME~1\ADMINI~1\LOCALS~1\Temp\dqtvks.exe | |
| \DOCUME~1\ADMINI~1\LOCALS~1\Temp\winixdos.exe | |
| Local\UrlZonesSM_Administrator | |
| \DiskD\qwxl.exe | |
| \Program Files\VMware\VMware Tools\VMwareTray.exe | |
| \Program Files\VMware\VMware Tools\VMwareUser.exe | |
| Behavior description: | 在根目录创建自运行文件 |
| details: | C:\autorun.inf |
| C:\DiskD\autorun.inf | |
| C:\DiskX\autorun.inf | |
| Behavior description: | 设置特殊文件夹属性 |
| details: | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files |
| C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5 | |
| C:\Documents and Settings\Administrator\Local Settings\History | |
| C:\Documents and Settings\Administrator\Local Settings\History\History.IE5 | |
| C:\Documents and Settings\Administrator\Cookies | |
| Behavior description: | 修改文件内容 |
| details: | C:\WINDOWS\76665---> Offset = 0 |
| C:\WINDOWS\system.ini---> Offset = 231 | |
| C:\autorun.inf---> Offset = 0 | |
| C:\DiskD\autorun.inf---> Offset = 0 | |
| C:\DiskX\autorun.inf---> Offset = 0 | |
| Behavior description: | 修改新生成的可执行文件 |
| details: | C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dqtvks.exe---> Offset = 66560 |
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winixdos.exe---> Offset = 66560 | |
| Network behavior | |
|---|---|
| Behavior description: | 联网打开网址 |
| details: | InternetOpenUrlA: http://slwocfd/sobaka1.gif?78175=984042 hInternet = 0x00000544 |
| InternetOpenUrlA: http://46.105.103.219/sobakavolos.gif?7833a=492346 hInternet = 0x00000548 | |
| InternetOpenUrlA: http://slwocfd/sobaka1.gif?78b68=1977760 hInternet = 0x0000051c | |
| InternetOpenUrlA: http://46.105.103.219/sobakavolos.gif?7d9c4=3601500 hInternet = 0x000005ac | |
| InternetOpenUrlA: http://slwocfd/sobaka1.gif?7962f=1988796 hInternet = 0x000004ec | |
| InternetOpenUrlA: http://46.105.103.219/sobakavolos.gif?794de=993724 hInternet = 0x000004d8 | |
| InternetOpenUrlA: http://slwocfd/sobaka1.gif?79d7c=1497204 hInternet = 0x000004d4 | |
| InternetOpenUrlA: http://46.105.103.219/sobakavolos.gif?79d1b=2993826 hInternet = 0x000004c8 | |
| InternetOpenUrlA: http://slwocfd/sobaka1.gif?7a5d9=3508463 hInternet = 0x000004f0 | |
| InternetOpenUrlA: http://46.105.103.219/sobakavolos.gif?7a5e8=1002448 hInternet = 0x0000050c | |
| InternetOpenUrlA: http://slwocfd/sobaka1.gif?7ad58=4528152 hInternet = 0x00000494 | |
| InternetOpenUrlA: http://46.105.103.219/sobakavolos.gif?7d407=2052124 hInternet = 0x00000490 | |
| InternetOpenUrlA: http://slwocfd/sobaka1.gif?7dbe6=1030092 hInternet = 0x000004a8 | |
| InternetOpenUrlA: http://46.105.103.219/sobakavolos.gif?7dbf6=2575310 hInternet = 0x000004d0 | |
| InternetOpenUrlA: http://slwocfd/sobaka1.gif?7c0e5=2032532 hInternet = 0x00000464 | |
| Behavior description: | 下载文件 |
| details: | C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\eofbm.exe |
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winegry.exe | |
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winymguy.exe | |
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winhbeks.exe | |
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vnbhmw.exe | |
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\lxmk.exe | |
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wintelchx.exe | |
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ccmkc.exe | |
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uryeg.exe | |
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wingkwc.exe | |
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlijdl.exe | |
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rudfp.exe | |
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winrihdx.exe | |
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winthkbhu.exe | |
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winnvnyg.exe | |
| Behavior description: | 读取网络文件 |
| details: | hFile = 0x00000544, BytesToRead =1024, BytesRead = 1024. |
| hFile = 0x00000548, BytesToRead =1024, BytesRead = 1024. | |
| hFile = 0x0000051c, BytesToRead =1024, BytesRead = 1024. | |
| hFile = 0x000005ac, BytesToRead =1024, BytesRead = 1024. | |
| hFile = 0x000004ec, BytesToRead =1024, BytesRead = 1024. | |
| hFile = 0x000004d8, BytesToRead =1024, BytesRead = 1024. | |
| hFile = 0x000004d4, BytesToRead =1024, BytesRead = 1024. | |
| hFile = 0x000004c8, BytesToRead =1024, BytesRead = 1024. | |
| hFile = 0x000004f0, BytesToRead =1024, BytesRead = 1024. | |
| hFile = 0x0000050c, BytesToRead =1024, BytesRead = 1024. | |
| hFile = 0x00000494, BytesToRead =1024, BytesRead = 1024. | |
| hFile = 0x00000490, BytesToRead =1024, BytesRead = 1024. | |
| hFile = 0x000004a8, BytesToRead =1024, BytesRead = 1024. | |
| hFile = 0x000004d0, BytesToRead =1024, BytesRead = 1024. | |
| hFile = 0x00000464, BytesToRead =1024, BytesRead = 1024. | |
| Registry behavior | |
|---|---|
| Behavior description: | 删除注册表键 |
| details: | \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew |
| \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum | |
| \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046} | |
| \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum | |
| \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046} | |
| \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories | |
| \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup | |
| Behavior description: | 修改注册表_Explorer文件显示相关属性 |
| details: | \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden |
| Behavior description: | 删除注册表键_安全模式启动项 |
| details: | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\AppMgmt |
| \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Base | |
| \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Boot Bus Extender | |
| \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Boot file system | |
| \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\CryptSvc | |
| \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\DcomLaunch | |
| \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmadmin | |
| \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmboot.sys | |
| \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmio.sys | |
| \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmload.sys | |
| \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\dmserver | |
| \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\EventLog | |
| \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\File system | |
| \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Filter | |
| \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Netlogon | |
| Behavior description: | 修改注册表_UAC关键设置 |
| details: | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA |
| Behavior description: | 删除注册表键值_安全模式启动项 |
| details: | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\AlternateShell |
| Behavior description: | 修改注册表 |
| details: | \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline |
| \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions | |
| \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications | |
| \REGISTRY\USER\S-*\Software\Fobvexllmtqkq\A1_0 | |
| \REGISTRY\USER\S-*\Software\Fobvexllmtqkq\A2_0 | |
| \REGISTRY\USER\S-*\Software\Fobvexllmtqkq\A3_0 | |
| \REGISTRY\USER\S-*\Software\Fobvexllmtqkq\A4_0 | |
| \REGISTRY\USER\S-*\Software\Fobvexllmtqkq\A1_1 | |
| \REGISTRY\USER\S-*\Software\Fobvexllmtqkq\A2_1 | |
| \REGISTRY\USER\S-*\Software\Fobvexllmtqkq\A3_1 | |
| \REGISTRY\USER\S-*\Software\Fobvexllmtqkq\A4_1 | |
| \REGISTRY\USER\S-*\Software\Fobvexllmtqkq\A1_2 | |
| \REGISTRY\USER\S-*\Software\Fobvexllmtqkq\A2_2 | |
| \REGISTRY\USER\S-*\Software\Fobvexllmtqkq\A3_2 | |
| \REGISTRY\USER\S-*\Software\Fobvexllmtqkq\A4_2 | |
| Behavior description: | 修改注册表_系统防火墙可信进程列表 |
| details: | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1445903305.710299.exe |
| Behavior description: | 修改注册表_安全中心相关属性 |
| details: | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride |
| \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify | |
| \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify | |
| \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride | |
| \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify | |
| \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UacDisableNotify | |
| \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride | |
| \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify | |
| \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify | |
| \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride | |
| \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\UpdatesDisableNotify | |
| \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\UacDisableNotify | |
| Behavior description: | 删除注册表键值 |
| details: | \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\LangID |
| \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Program Files\Microsoft Office\OFFICE11\WinWord.exe | |
| \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\NOTEPAD.EXE | |
| \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\Cmb_Pb_LiveUpdate.exe | |
| \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\@C:\WINDOWS\system32\SHELL32.dll,-9216 | |
| \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\@themeui.dll,-2037 | |
| \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\@themeui.dll,-2038 | |
| \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\@themeui.dll,-2039 | |
| \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\@themeui.dll,-2040 | |
| \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\@themeui.dll,-2041 | |
| \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\@themeui.dll,-2042 | |
| \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\@themeui.dll,-2017 | |
| \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\@themeui.dll,-2016 | |
| \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\@themeui.dll,-2015 | |
| \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\@themeui.dll,-883 | |
| Other behavior | |
|---|---|
| Behavior description: | 创建互斥体 |
| details: | uxJLpe1m |
| smss.exeM_532_ | |
| csrss.exeM_588_ | |
| winlogon.exeM_612_ | |
| services.exeM_656_ | |
| lsass.exeM_668_ | |
| 33oxservice.exeM_828_ | |
| 33acthlp.exeM_840_ | |
| svchost.exeM_880_ | |
| svchost.exeM_944_ | |
| svchost.exeM_984_ | |
| svchost.exeM_1068_ | |
| svchost.exeM_1100_ | |
| spoolsv.exeM_1240_ | |
| 33upgradehelper.exeM_1504_ | |
| Behavior description: | 常规加载驱动 |
| details: | system32\DRIVERS\ipfltdrv.sys |
| \??\C:\WINDOWS\system32\drivers\psrhm.sys | |
| Behavior description: | 查找指定窗口 |
| details: | NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,] |
| NtUserFindWindowEx: [Class,Window] = [TXGuiFoundation,QQ2013] | |
| NtUserFindWindowEx: [Class,Window] = [CTXOPConntion_Class,OP_2269840561] | |
| Behavior description: | 启动系统服务 |
| details: | [服务启动成功]: , IP Traffic Filter Driver, system32\DRIVERS\ipfltdrv.sys |
| [服务启动成功]: , amsint32, \??\C:\WINDOWS\system32\drivers\psrhm.sys | |
| Behavior description: | 获取文件属性探测虚拟机 |
| details: | GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwaretray.exe |
| GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwareuser.exe | |
| Behavior description: | 获取系统权限 |
| details: | SE_DEBUG_PRIVILEGE |
| SE_LOAD_DRIVER_PRIVILEGE | |
| Behavior description: | 获取TickCount值 |
| details: | TickCount = 484918, SleepMilliseconds = 12. |
| TickCount = 484949, SleepMilliseconds = 12. | |
| TickCount = 484965, SleepMilliseconds = 12. | |
| TickCount = 488777, SleepMilliseconds = 12. | |
| TickCount = 554021, SleepMilliseconds = 65225. | |
| TickCount = 788843, SleepMilliseconds = 300000. | |
| TickCount = 788859, SleepMilliseconds = 300000. | |
| TickCount = 788875, SleepMilliseconds = 300000. | |
| TickCount = 788890, SleepMilliseconds = 300000. | |
| TickCount = 788906, SleepMilliseconds = 300000. | |
| TickCount = 788921, SleepMilliseconds = 300000. | |
| TickCount = 788968, SleepMilliseconds = 300000. | |
| TickCount = 788984, SleepMilliseconds = 300000. | |
| TickCount = 789000, SleepMilliseconds = 300000. | |
| TickCount = 490371, SleepMilliseconds = 512. | |
| Behavior description: | 枚举窗口 |
| details: | N/A |
| Behavior description: | 停止系统服务 |
| details: | ServiceName = Application Layer Gateway Service |
| ServiceName = Windows Firewall/Internet Connection Sharing (ICS) | |
| ServiceName = Security Center | |
| Behavior description: | 尝试连接RootKit驱动设备对象 |
| details: | \??\amsint32 |
| Behavior description: | 调用Sleep函数 |
| details: | [1]: MilliSeconds = 180000. |
| [2]: MilliSeconds = 120000. | |
| [3]: MilliSeconds = 65225. | |
| [4]: MilliSeconds = 512. | |
| [5]: MilliSeconds = 300000. | |
| [6]: MilliSeconds = 10240. | |
| [7]: MilliSeconds = -1. | |
| [8]: MilliSeconds = -1. | |
| [9]: MilliSeconds = 10000. | |
| [10]: MilliSeconds = 1024. | |
| Behavior description: | 创建系统服务 |
| details: | [服务已存在]: IPFILTERDRIVER, C:\WINDOWS\system32\drivers\ipfltdrv.sys |
| [服务创建成功]: amsint32, C:\WINDOWS\system32\drivers\psrhm.sys | |
| Run screenshot |
|---|
 |
HOME
