VirSCAN

1, You can UPLOAD any file of up to 20MB.
2, VirSCAN supports Rar/Zip decompression of up to 20 files.
3, VirSCAN can scan compressed files with the password 'infected' or 'virus'.
4, If your browser cannot upload the file, please download the virscan uploader.

File information

Virscan.org multi-engine scan report
Behavior analysis report:         Habo file analysis

Basic information

MD5:0dae1796256e488d4aff1d816fe21509
File size: 5.58MB
Upload time: 2014-09-22 10:36:30 (CST)
Package name:
Minimum operating environment:
Copyright:

Key behavior

Behavior description: Modifies existing system EXE files
Details: C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\ARPPRODUCTICON.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut2_E88611396FF84AFCB2EE5C1594058E02.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
Behavior description: Queries registry (virtual machine detection related)
Details: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Behavior description: Gets TickCount value
Details: TickCount = 217344, SleepMilliseconds = 1.
TickCount = 217516, SleepMilliseconds = 1.
Behavior description: Sets startup item
Details: C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\htxueaht.exe
Behavior description: Sets special file attributes
Details: C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\htxueaht.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\ARPPRODUCTICON.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut2_E88611396FF84AFCB2EE5C1594058E02.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
Behavior description: Creates autorun file in root directory
Details: C:\DiskX\autorun.inf
Behavior description: Sets special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache
C:\Documents and Settings\Administrator\IECompatCache
Behavior description: Directly calls critical system APIs
Details: Index = 0x00000115, Name: NtWriteVirtualMemory, Instruction Address = 0x00402B62
Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x00401B4C
Behavior description: Modifies registry (startup item)
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Process behavior

Behavior description: Creates process
Details: [0x00000a84]ImagePath = C:\Program Files\Internet Explorer\iexplore.exe, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
[0x00000be8]ImagePath = C:\Program Files\Internet Explorer\iexplore.exe, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:79873
Behavior description: Creates local thread
Details: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2652, ThreadID = 2664, StartAddress = 00428190, Parameter = 00000000
TargetProcess: iexplore.exe, InheritedFromPID = 2652, ProcessID = 2692, ThreadID = 2700, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: iexplore.exe, InheritedFromPID = 2652, ProcessID = 2692, ThreadID = 2736, StartAddress = 2005C63A, Parameter = 00CF0020
TargetProcess: iexplore.exe, InheritedFromPID = 2652, ProcessID = 2692, ThreadID = 2740, StartAddress = 2005C003, Parameter = 00000000
TargetProcess: iexplore.exe, InheritedFromPID = 2652, ProcessID = 2692, ThreadID = 2744, StartAddress = 2005C1FC, Parameter = 00000000
TargetProcess: iexplore.exe, InheritedFromPID = 2652, ProcessID = 2692, ThreadID = 2748, StartAddress = 2005C3C3, Parameter = 00000000
TargetProcess: iexplore.exe, InheritedFromPID = 2652, ProcessID = 2692, ThreadID = 2752, StartAddress = 2005B0AB, Parameter = 00000000
TargetProcess: iexplore.exe, InheritedFromPID = 2652, ProcessID = 2692, ThreadID = 2756, StartAddress = 2005B0C5, Parameter = 00000000
TargetProcess: iexplore.exe, InheritedFromPID = 2348, ProcessID = 2992, ThreadID = 3016, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: iexplore.exe, InheritedFromPID = 2348, ProcessID = 2992, ThreadID = 3020, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: iexplore.exe, InheritedFromPID = 2348, ProcessID = 2992, ThreadID = 3024, StartAddress = 7C930230, Parameter = 00000000
TargetProcess: iexplore.exe, InheritedFromPID = 2348, ProcessID = 2992, ThreadID = 3028, StartAddress = 7C949B6F, Parameter = 00000000
TargetProcess: iexplore.exe, InheritedFromPID = 2348, ProcessID = 2992, ThreadID = 3032, StartAddress = 77E56C7D, Parameter = 001967A0
TargetProcess: iexplore.exe, InheritedFromPID = 2348, ProcessID = 2992, ThreadID = 3036, StartAddress = 5DE05ABD, Parameter = 00198598
TargetProcess: iexplore.exe, InheritedFromPID = 2348, ProcessID = 2992, ThreadID = 3040, StartAddress = 5DE05BC0, Parameter = 00194100

File behavior

Behavior description: Creates file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp
C:\Program Files\Internet Explorer\dmlconf.dat
C:\Program Files\yngitabd\px5.tmp
C:\Program Files\yngitabd\htxueaht.exe
C:\DiskX\RECYCLER\S-6-8-81-0815240446-4857671237-812487703-8684\TuUKvcZN.exe
C:\DiskX\RECYCLER\S-6-8-81-0815240446-4857671237-812487703-8684\pVJJYMhr.cpl
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{B0A22D8A-8994-11E8-91C0-7B****28}.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF1D5F.tmp
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{B0A22D8B-8994-11E8-91C0-7B****28}.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF37B3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\yixun_com[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\favicon[1].ico
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Behavior description: Modifies executable file via memory mapping
Details: C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\ARPPRODUCTICON.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut2_E88611396FF84AFCB2EE5C1594058E02.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
Behavior description: Creates executable file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp
C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\htxueaht.exe
C:\Program Files\yngitabd\htxueaht.exe
C:\DiskX\RECYCLER\S-6-8-81-0815240446-4857671237-812487703-8684\TuUKvcZN.exe
C:\DiskX\RECYCLER\S-6-8-81-0815240446-4857671237-812487703-8684\pVJJYMhr.cpl
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Behavior description: Modifies existing system EXE files
Details: C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\ARPPRODUCTICON.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut2_E88611396FF84AFCB2EE5C1594058E02.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
Behavior description: Overwrites existing file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp
C:\Program Files\yngitabd\px5.tmp
C:\Program Files\Internet Explorer\dmlconf.dat
Behavior description: Copies file
Details: C:\WINDOWS\system32\ntdll.dll ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~TM3.tmp
C:\WINDOWS\system32\kernel32.dll ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~TM4.tmp
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe ---> C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\htxueaht.exe
C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\htxueaht.exe ---> C:\Program Files\yngitabd\htxueaht.exe
Behavior description: Sets startup item
Details: C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\htxueaht.exe
Behavior description: Sets special file attributes
Details: C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\htxueaht.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\ARPPRODUCTICON.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut2_E88611396FF84AFCB2EE5C1594058E02.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
Behavior description: Deletes file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp
C:\Program Files\yngitabd\px5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF1D5F.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF37B3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\favicon[1].ico
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Behavior description: Searches for files
Details: FileName = C:\Program Files\Internet Explorer\IEXPLORE.EXE
FileName = C:\Program Files\Internet Explorer\iexplore.exe
FileName = C:\*.*
FileName = C:\222c25ed\*.*
FileName = C:\222c25ed\IE8-Setup-Full\*.*
FileName = C:\222c25ed\IE8-Setup-Full\log\*.*
FileName = C:\AnalyzeControl\*.*
FileName = C:\DiskD\*.*
FileName = C:\DiskX\*.*
FileName = C:\DiskX\RECYCLER\*.*
FileName = C:\DiskX\RECYCLER\S-6-8-81-0815240446-4857671237-812487703-8684\*.*
FileName = C:\Documents and Settings\*.*
FileName = C:\Documents and Settings\Administrator\*.*
FileName = C:\Documents and Settings\Administrator\.oracle_jre_usage\*.*
FileName = C:\Documents and Settings\Administrator\Application Data\*.*
Behavior description: Creates autorun file in root directory
Details: C:\DiskX\autorun.inf
Behavior description: Sets special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache
C:\Documents and Settings\Administrator\IECompatCache
Behavior description: Modifies file content
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM3.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~TM3.tmp ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\~TM3.tmp ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\~TM3.tmp ---> Offset = 196608
C:\Documents and Settings\Administrator\Local Settings\Temp\~TM3.tmp ---> Offset = 262144
C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp ---> Offset = 196608
C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp ---> Offset = 262144
C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\htxueaht.exe ---> Offset = 0
C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\htxueaht.exe ---> Offset = 65536
C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\htxueaht.exe ---> Offset = 4096
C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\htxueaht.exe ---> Offset = 8192
C:\Program Files\Internet Explorer\dmlconf.dat ---> Offset = 0

Network behavior

Behavior description: Downloads file
Details: URLDownloadToFileW: http://ww****om/favicon.ico ---> C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Behavior description: Connects to specified site
Details: InternetConnectA: ServerName = ww****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
InternetConnectA: ServerName = ur****om, PORT = 443, UserName = , Password = , hSession = 0x00cc0010, hConnect = 0x00cc0014, Flags = 0x00000200
Behavior description: Opens HTTP connection
Details: InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489), hSession = 0x00cc0004
InternetOpenA: UserAgent: VCSoapClient, hSession = 0x00cc0010
Behavior description: Establishes connection to a specified socket
Details: URL: go****om, IP: **.133.40.**:80, SOCKET = 0x000000e0
URL: st****om, IP: **.133.40.**:443, SOCKET = 0x000000ec
URL: pr****om, IP: **.133.40.**:443, SOCKET = 0x00000104
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x00000444
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x00000578
URL: ur****om, IP: **.133.40.**:443, SOCKET = 0x0000057c
URL: po****om, IP: **.133.40.**:443, SOCKET = 0x00000104
URL: fk****om, IP: **.133.40.**:443, SOCKET = 0x00000108
Behavior description: Reads network file
Details: hFile = 0x00cc000c, BytesToRead =2048, BytesRead = 2048.
hFile = 0x00cc0018, BytesToRead =4095, BytesRead = 4095.
Behavior description: Sends HTTP packet
Details: GET / HTTP/1.1 Accept: */* Accept-Language: zh-cn User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Accept-Encoding: gzip, deflate Host: ww****om Connection: Keep-Alive
GET /favicon.ico HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: ww****om Connection: Keep-Alive
Behavior description: Opens HTTP request
Details: HttpOpenRequestA: ww****om:80/, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400200
HttpOpenRequestA: ww****om:80/favicon.ico, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00600010
HttpOpenRequestA: ur****om:443/urs.asmx?msurs-client-key=mw9tm/t2utuhh1u5gzt6eq%3d%3d&msurs-patented-lock=x94htvlx4hm%3d, hConnect = 0x00cc0014, hRequest = 0x00cc0018, Verb: POST, Referer: , Flags = 0x04880300
Behavior description: Gets host address by name
Details: gethostbyname: go****om
gethostbyname: st****om
GetAddrInfoW: ww****om
gethostbyname: pr****om
GetAddrInfoW: ur****om
gethostbyname: po****om
gethostbyname: fk****om

Registry behavior

Behavior description: Modifies registry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Recovery\Active\{B0A22D8A-8994-11E8-91C0-7B****28}
\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\{63800dac-e7ca-4df9-9a5c-20765055488d}\Enable
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32\
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\Window_Placement
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTime
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeCount
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore\Count
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore\Time
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\InprocServer32\ThreadingModel
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBB}\
Behavior description: Deletes registry value
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Behavior description: Queries registry (virtual machine detection related)
Details: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Behavior description: Deletes registry key
Details: \REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\{63800dac-e7ca-4df9-9a5c-20765055488d}\
\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\
\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\
\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBB}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBB}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBC}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBC}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA}\
\REGISTRY\USER\S-*_CLASSES\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32\
\REGISTRY\USER\S-*_CLASSES\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\
\REGISTRY\USER\S-*_CLASSES\JavaPlugin.1000\CLSID\
Behavior description: Modifies registry (startup item)
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Other behavior

Behavior description: Creates mutex
Details: {2872BAEB-CECA-E562-CC5C-4F1A2BD10E1C}
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\!BrowserEmulation!SharedMemory!Mutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
RasPbFile
ConnHashTable<2992>_HashTable_Mutex
oleacc-msaa-loaded
Local\ZonesCounterMutex
Behavior description: Hides specified window
Details: [Window,Class] = [,BrowserFrameGripperClass]
[Window,Class] = [缩放级别,ToolbarWindow32]
[Window,Class] = [,msctls_progress32]
[Window,Class] = [,SysLink]
[Window,Class] = [,Static]
[Window,Class] = [文件大小未知,Static]
[Window,Class] = [打开此类文件前总是询问(&W),Button]
[Window,Class] = [发行者:,Static]
[Window,Class] = [http://www.yixun.com/ - Windows Internet Explorer,IEFrame]
[Window,Class] = [,UniversalSearchBand]
[Window,Class] = [,TravelBand]
[Window,Class] = [,CommandBarClass]
[Window,Class] = [,ReBarWindow32]
[Window,Class] = [,TabBandClass]
Behavior description: Directly calls critical system APIs
Details: Index = 0x00000115, Name: NtWriteVirtualMemory, Instruction Address = 0x00402B62
Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x00401B4C
Behavior description: Searches for specified window
Details: NtUserFindWindowEx: [Class,Window] = [Static,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
Behavior description: Gets TickCount value
Details: TickCount = 217344, SleepMilliseconds = 1.
TickCount = 217516, SleepMilliseconds = 1.
Behavior description: Adjusts process token privileges
Details: SE_DEBUG_PRIVILEGE
SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Opens event
Details: HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Isolation Signal Registry Event (B0A22D87-8994-11E8-91C0-7B****28, 0)
Global\SvcctrlStartEvent_A3752DX
\INSTALLATION_SECURITY_HOLD
Isolation Signal Registry Event (B0A22D88-8994-11E8-91C0-7B****28, 0)
IE_EarlyTabStart_0xbb4
MSFT.VSA.COM.DISABLE.2992
MSFT.VSA.IEC.STATUS.6c736db0
_fCanRegisterWithShellService
MSFT.VSA.COM.DISABLE.3048
Local\RSS Eventing Event Event 00000bb0
Global\crypt32LogoffEvent
Local\be8_29
CTF.ThreadMIConnectionEvent.000007E8.00000000.0000000F
Behavior description: Signature information of modified executable files
Details: C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\ARPPRODUCTICON.exe(签名验证: 未通过)
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe(签名验证: 未通过)
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut2_E88611396FF84AFCB2EE5C1594058E02.exe(签名验证: 未通过)
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe(签名验证: 未通过)
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut31_2F252077BA3F4362913955273A708467.exe(签名验证: 未通过)
Behavior description: Executable file signature information
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM3.tmp(签名验证: 通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp(签名验证: 通过)
C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\htxueaht.exe(签名验证: 未通过)
C:\Program Files\yngitabd\htxueaht.exe(签名验证: 未通过)
C:\DiskX\RECYCLER\S-6-8-81-0815240446-4857671237-812487703-8684\TuUKvcZN.exe(签名验证: 未通过)
C:\DiskX\RECYCLER\S-6-8-81-0815240446-4857671237-812487703-8684\pVJJYMhr.cpl(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico(签名验证: 未通过)
Behavior description: Calls Sleep function
Details: [1]: MilliSeconds = 1.
Behavior description: Creates event object
Details: EventName = Isolation Signal Registry Event (B0A22D87-8994-11E8-91C0-7B****28, 0)
EventName = IE_EarlyTabStart_0xbb4
EventName = Isolation Signal Registry Event (B0A22D88-8994-11E8-91C0-7B****28, 0)
EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = Local\RSS Eventing Event Event 00000bb0
EventName = Local\be8_29
EventName = IEFrame.EventCheckDefaultBrowser
EventName = Global\crypt32LogoffEvent
Behavior description: Executable file MD5
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM3.tmp ---> 9e762b21dd4d10695799a9a6e9570b79
C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp ---> bf1cdaf5792b78d4730727facf307d46
C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\htxueaht.exe ---> 0dae1796256e488d4aff1d816fe21509
C:\Program Files\yngitabd\htxueaht.exe ---> 0dae1796256e488d4aff1d816fe21509
C:\DiskX\RECYCLER\S-6-8-81-0815240446-4857671237-812487703-8684\TuUKvcZN.exe ---> 0dae1796256e488d4aff1d816fe21509
C:\DiskX\RECYCLER\S-6-8-81-0815240446-4857671237-812487703-8684\pVJJYMhr.cpl ---> 548ffe660c49faf0e43c8c6a4628a451
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico ---> fe1d0ee5901dd167ee9b28eece31786c
Behavior description: Opens mutex
Details: DBWinMutex
ShimCacheMutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
Local\!BrowserEmulation!SharedMemory!Mutex
Local\!IETld!Mutex
RasPbFile
CtfmonInstMutexDefaultS-*
Local\RSS Eventing Connection Database Mutex 00000bb0
Local\c:!documents and settings!administrator!local settings!application data!microsoft!feeds cache!
Behavior description: MD5 of modified executable files
Details: C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\ARPPRODUCTICON.exe ---> 49249a2f1bc9270d2b4d8f3ea89c3fa3
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe ---> 6994c4f3d6f51cc80ebd0537208d4b7c
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut2_E88611396FF84AFCB2EE5C1594058E02.exe ---> e1bedba2c2b94626770eb8508e3b5123
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe ---> 2355a6d9259c86df9e7935613776f3f7
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut31_2F252077BA3F4362913955273A708467.exe ---> c48cde5797cb9deb7dea83101c78c474
Behavior description: Loads newly dropped file
Details: Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~TM3.tmp.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~TM4.tmp.