VirSCAN

1. You can upload any file, but there is a 20Mb limit per file.
2. VirSCAN supports Rar/Zip decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected compressed files with the password 'infected' or 'virus'.


File information
Safety rating: 71
Behavior list
Basic Information
MD5: 9d80dd0fcfa12715a3cc0ab4c69481af
File type: Rar
Production company:
Version:
Shell or compiler information: PACKER:UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]
Subfile information:
WINCRIS.EXE / 8d04b45b891db0f83102935402750305 / EXE
upx_c_45522ee2 / 4cfb1d8b90b6ac0b87b2c6f1e46eacf1 / EXE
upx_c_91f19f1f / 4cfb1d8b90b6ac0b87b2c6f1e46eacf1 / EXE
PHLASH16.EXE / 0b1d52056e828accd4d0a94ec5913313 / Unknown
lpk.dll / e25e7101cc8995a11f22041f923d069a / DLL
CRISBOOT.BIN / ec01422f5f9396a65643ecd84a12d5c9 / Unknown
CRISDISK.BAT / 3743fdc4537e5c03471764080087bcef / Unknown
MAKEBOOT.EXE / 5a30b3d66575443d8b178f184e914c06 / Unknown
WINCRIS.HLP / f5e78df9aadafb5925ecc84b901a50cb / Unknown
MINIDOS.SYS / a970de2f71fedd4c61db338bceaeb67f / Unknown
Instructions.txt / 89d981bbb9b18a4ba107cd282a16aa32 / Unknown
Key behavior
Behavior description: Write data into another process
details: TargetProcess = svchost.exe, WriteAddress = 0x7ffdf008, Size = 4
TargetProcess = svchost.exe, WriteAddress = 0x00400000, Size = 57344
Behavior description: Hide specified window
details: [Window,Class] = [TF_FloatingLangBar_WndTitle,CiceroUIWndFrame]
[Window,Class] = [,tooltips_class32]
[Window,Class] = [「开始」菜单,DV2ControlHost]
[Window,Class] = [MCI Program Com Application,#32770]
[Window,Class] = [Connections Tray,Connections Tray]
Behavior description: Set message hook
details: C:\WINDOWS\system32\dnsq.dll
Behavior description: Load driver (standard method)
details: \??\C:\NetApi000.sys
Behavior description: Set thread context
details: C:\WINDOWS\system32\svchost.exe
Behavior description: Kill process
details: RavMon.exe
Behavior description: Set special file attributes
details: C:\NetApi000.sys
C:\222c25ed\IE8-Setup-Full\lpk.dll
C:\WINDOWS\system32\Com\smss.exe
C:\AnalyzeControl\lpk.dll
C:\WINDOWS\Temp\IRAF5C.tmp\AnalyzeControl\lpk.dll
C:\WINDOWS\Temp\IRAF5C.tmp\ANALYZ~1\lpk.dll
C:\%temp%\1429367747.590728.exe_7zdump\wincris.exe.log
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\lpk.dll
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\lpk.dll
C:\WINDOWS\system32\Com\netcfg.000
C:\WINDOWS\system32\Com\netcfg.dll
C:\037589.log
C:\WINDOWS\system32\Com\lsass.exe
C:\WINDOWS\system32\dnsq.dll
C:\pagefile.pif
Behavior description: Self-delete
details: C:\%temp%\1429367752.327240.exe_7zdump\WINCRIS.EXE
Behavior description: Send close message to sensitive windows
details: N/A
Behavior description: Stop system service
details: ServiceName = NetApi000
Behavior description: Open file mapping with write access
details: CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
\WINDOWS\system32\zh-cn\ieframe.dll.mui
Local\UrlZonesSM_Administrator
MSCTF.MarshalInterface.FileMap.IHP..DOJKF
MSCTF.MarshalInterface.FileMap.IHP.B.DOJKF
MSCTF.Shared.SFM.EHI
MSCTF.MarshalInterface.FileMap.IHP.C.DOJKF
MSCTF.MarshalInterface.FileMap.IHP.D.DOJKF
MSCTF.MarshalInterface.FileMap.IHP.E.DPJKF
MSCTF.MarshalInterface.FileMap.IHP.F.DPJKF
MSCTF.MarshalInterface.FileMap.IHP.G.DPJKF
MSCTF.MarshalInterface.FileMap.IHP.H.DPJKF
MSCTF.MarshalInterface.FileMap.EHI..DPJKF
MSCTF.MarshalInterface.FileMap.EHI.B.DPJKF
MSCTF.MarshalInterface.FileMap.EHI.C.DPJKF
Behavior description: Create autorun file in root directory
details: C:\AUTORUN.INF
Behavior description: Set special folder attributes
details: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\LocalService\Local Settings\History
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5
C:\Documents and Settings\LocalService\Cookies
C:\WINDOWS\system32\Com\bak
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache
Behavior description: Create system service
details: [服务创建成功]: 6AY2Vbkb2, C:\WINDOWS\system32\qqycqg.exe
[服务创建成功]: NetApi000, C:\NetApi000.sys
Behavior description: Resolve host address by name
details: fwqyz.3322.org
Process behavior
Behavior description: Create process with hidden window
details: ImagePath = , CmdLine = cmd.exe /c echo ok
ImagePath = c:\windows\system32\cacls.exe, CmdLine = "c:\windows\system32\cacls.exe" c:\windows\system32\com /e /t /g administrator:f
ImagePath = c:\windows\system32\cacls.exe, CmdLine = "c:\windows\system32\cacls.exe" c:\windows\system32\com /e /t /g everyone:f
ImagePath = , CmdLine = cmd /c c:\progra~1\winrar\rar.exe vb "c:\222c25ed\installer.zip" lpk.dll|find /i "lpk.dll"
ImagePath = , CmdLine = "c:\progra~1\winrar\rar.exe" x "c:\222c25ed\installer.zip" *.exe "c:\windows\temp\iraf5c.tmp\"
ImagePath = , CmdLine = "c:\progra~1\winrar\rar.exe" a -r -ep1"c:\windows\temp\iraf5c.tmp" "c:\222c25ed\installer.zip" "c:\windows\temp\iraf5c.tmp\lpk.dll"
ImagePath = , CmdLine = cmd /c rd /s /q "c:\windows\temp\iraf5c.tmp"
ImagePath = , CmdLine = cmd /c c:\progra~1\winrar\rar.exe vb "c:\analyzecontrol.rar" lpk.dll|find /i "lpk.dll"
ImagePath = , CmdLine = "c:\progra~1\winrar\rar.exe" x "c:\analyzecontrol.rar" *.exe "c:\windows\temp\iraf5c.tmp\"
ImagePath = , CmdLine = "c:\progra~1\winrar\rar.exe" a -r -ep1"c:\windows\temp\iraf5c.tmp" "c:\analyzecontrol.rar" "c:\windows\temp\iraf5c.tmp\lpk.dll"
ImagePath = c:\windows\system32\cacls.exe, CmdLine = "c:\windows\system32\cacls.exe" c:\windows\system32\com\smss.exe /e /t /g administrator:f
ImagePath = c:\windows\system32\cacls.exe, CmdLine = "c:\windows\system32\cacls.exe" c:\windows\system32\com\smss.exe /e /t /g everyone:f
ImagePath = , CmdLine = cmd.exe /c rd /s /q "c:\windows\system32\com\smss.exe"
ImagePath = , CmdLine = cmd.exe /c del /f /q "c:\windows\system32\com\lsass.exe"
ImagePath = c:\%temp%\1429367724.737205.exe_7zdump\wincris.exe, CmdLine = "c:\%temp%\1429367724.737205.exe_7zdump\wincris.exe"
Behavior description: Write data into another process
details: TargetProcess = svchost.exe, WriteAddress = 0x7ffdf008, Size = 4
TargetProcess = svchost.exe, WriteAddress = 0x00400000, Size = 57344
Behavior description: Create process from newly created file
details: ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hrl5.tmp, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hrl5.tmp
ImagePath = C:\WINDOWS\system32\qqycqg.exe, CmdLine = C:\WINDOWS\system32\qqycqg.exe
ImagePath = c:\%temp%\1429367719.871555.exe_7zdump\wincris.exe.log, CmdLine = "c:\%temp%\1429367719.871555.exe_7zdump\wincris.exe.log"
ImagePath = C:\WINDOWS\system32\com\lsass.exe, CmdLine = "C:\WINDOWS\system32\com\lsass.exe"
ImagePath = C:\WINDOWS\system32\com\lsass.exe, CmdLine = ^c:\%temp%\1429367719.931525.exe_7zdump\wincris.exe.log
ImagePath = C:\WINDOWS\system32\com\smss.exe, CmdLine = C:\Documents and Settings\All Users\「开始」菜单\程序\启动\~.exe
Behavior description: Create process
details: ImagePath = C:\WINDOWS\system32\svchost.exe, CmdLine = svchost.exe
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /c echo ok
ImagePath = C:\WINDOWS\system32\cacls.exe, CmdLine = "C:\WINDOWS\system32\cacls.exe" C:\WINDOWS\system32\com /e /t /g Administrator:F
ImagePath = C:\WINDOWS\system32\cacls.exe, CmdLine = "C:\WINDOWS\system32\cacls.exe" C:\WINDOWS\system32\com /e /t /g Everyone:F
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c C:\PROGRA~1\WinRAR\rar.exe vb "C:\222c25ed\installer.zip" lpk.dll|find /i "lpk.dll"
ImagePath = C:\PROGRA~1\WinRAR\Rar.exe, CmdLine = C:\PROGRA~1\WinRAR\rar.exe vb "C:\222c25ed\installer.zip" lpk.dll
ImagePath = C:\WINDOWS\system32\find.exe, CmdLine = find /i "lpk.dll"
ImagePath = C:\PROGRA~1\WinRAR\rar.exe, CmdLine = "C:\PROGRA~1\WinRAR\rar.exe" x "C:\222c25ed\installer.zip" *.exe "C:\WINDOWS\TEMP\IRAF5C.tmp\"
ImagePath = C:\PROGRA~1\WinRAR\rar.exe, CmdLine = "C:\PROGRA~1\WinRAR\rar.exe" a -r -ep1"C:\WINDOWS\TEMP\IRAF5C.tmp" "C:\222c25ed\installer.zip" "C:\WINDOWS\TEMP\IRAF5C.tmp\lpk.dll"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c RD /s /q "C:\WINDOWS\TEMP\IRAF5C.tmp"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c C:\PROGRA~1\WinRAR\rar.exe vb "C:\AnalyzeControl.rar" lpk.dll|find /i "lpk.dll"
ImagePath = C:\PROGRA~1\WinRAR\Rar.exe, CmdLine = C:\PROGRA~1\WinRAR\rar.exe vb "C:\AnalyzeControl.rar" lpk.dll
ImagePath = C:\PROGRA~1\WinRAR\rar.exe, CmdLine = "C:\PROGRA~1\WinRAR\rar.exe" x "C:\AnalyzeControl.rar" *.exe "C:\WINDOWS\TEMP\IRAF5C.tmp\"
ImagePath = C:\PROGRA~1\WinRAR\rar.exe, CmdLine = "C:\PROGRA~1\WinRAR\rar.exe" a -r -ep1"C:\WINDOWS\TEMP\IRAF5C.tmp" "C:\AnalyzeControl.rar" "C:\WINDOWS\TEMP\IRAF5C.tmp\lpk.dll"
ImagePath = C:\WINDOWS\system32\cacls.exe, CmdLine = "C:\WINDOWS\system32\cacls.exe" C:\WINDOWS\system32\com\smss.exe /e /t /g Administrator:F
Behavior description: Set thread context
details: C:\WINDOWS\system32\svchost.exe
Behavior description: Enumerate processes
details: N/A
Behavior description: Kill process
details: RavMon.exe
File behavior
Behavior description: Create executable file
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hrl5.tmp
C:\WINDOWS\system32\qqycqg.exe
C:\WINDOWS\system32\hra33.dll
C:\RCX6.tmp
C:\NetApi000.sys
C:\222c25ed\IE8-Setup-Full\lpk.dll
C:\WINDOWS\system32\Com\smss.exe
C:\%temp%\1429367719.062910.exe_7zdump\wincris.exe.log
C:\AnalyzeControl\lpk.dll
C:\WINDOWS\Temp\IRAF5C.tmp\%temp%\1429367719.132706.exe
C:\WINDOWS\Temp\IRAF5C.tmp\AnalyzeControl\lpk.dll
C:\%temp%\1429367719.242564.exe_7zdump\wincris.~
C:\WINDOWS\system32\Com\lsass.exe
C:\%temp%\1429367719.302432.exe_7zdump\WINCRIS.EXE
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\lpk.dll
Behavior description: Set special file attributes
details: C:\NetApi000.sys
C:\222c25ed\IE8-Setup-Full\lpk.dll
C:\WINDOWS\system32\Com\smss.exe
C:\AnalyzeControl\lpk.dll
C:\WINDOWS\Temp\IRAF5C.tmp\AnalyzeControl\lpk.dll
C:\WINDOWS\Temp\IRAF5C.tmp\ANALYZ~1\lpk.dll
C:\%temp%\1429367747.590728.exe_7zdump\wincris.exe.log
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\lpk.dll
C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\lpk.dll
C:\WINDOWS\system32\Com\netcfg.000
C:\WINDOWS\system32\Com\netcfg.dll
C:\037589.log
C:\WINDOWS\system32\Com\lsass.exe
C:\WINDOWS\system32\dnsq.dll
C:\pagefile.pif
Behavior description: Create autorun file in root directory
details: C:\AUTORUN.INF
Behavior description: Open file mapping with write access
details: CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
\WINDOWS\system32\zh-cn\ieframe.dll.mui
Local\UrlZonesSM_Administrator
MSCTF.MarshalInterface.FileMap.IHP..DOJKF
MSCTF.MarshalInterface.FileMap.IHP.B.DOJKF
MSCTF.Shared.SFM.EHI
MSCTF.MarshalInterface.FileMap.IHP.C.DOJKF
MSCTF.MarshalInterface.FileMap.IHP.D.DOJKF
MSCTF.MarshalInterface.FileMap.IHP.E.DPJKF
MSCTF.MarshalInterface.FileMap.IHP.F.DPJKF
MSCTF.MarshalInterface.FileMap.IHP.G.DPJKF
MSCTF.MarshalInterface.FileMap.IHP.H.DPJKF
MSCTF.MarshalInterface.FileMap.EHI..DPJKF
MSCTF.MarshalInterface.FileMap.EHI.B.DPJKF
MSCTF.MarshalInterface.FileMap.EHI.C.DPJKF
Behavior description: Rename file
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hrl5.tmp ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SOFTWARE.LOG
C:\RCX6.tmp ---> C:\WINDOWS\system32\hra33.dll
C:\WINDOWS\system32\__rar_42.4371232 ---> C:\AnalyzeControl.rar
Behavior description: Set special folder attributes
details: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\LocalService\Local Settings\History
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5
C:\Documents and Settings\LocalService\Cookies
C:\WINDOWS\system32\Com\bak
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache
Behavior description: Modify file contents
details: C:\WINDOWS\system32\__rar_42.4371232 ---> Offset = 20
C:\AUTORUN.INF ---> Offset = 0
C:\DiskD\AUTORUN.INF ---> Offset = 0
Behavior description: Self-delete
details: C:\%temp%\1429367752.327240.exe_7zdump\WINCRIS.EXE
Network behavior
Behavior description: Send data on a connected socket
details: SOCKET = 0x000001a0, TotalSize = 364, Offset = 0, ReadSize = 364.
SOCKET = 0x00000558, TotalSize = 1, Offset = 0, ReadSize = 1.
Behavior description: Connect to a specified socket address
details: 219.133.40.1:8000
Behavior description: Open URL over the network
details: InternetOpenUrlA: hInternet = 0x00000190
InternetOpenUrlA: hInternet = 0x0000019c
InternetOpenUrlA: hInternet = 0x0000011c
InternetOpenUrlA: hInternet = 0x000001a8
InternetOpenUrlA: hInternet = 0x00000194
InternetOpenUrlA: hInternet = 0x000001a4
InternetOpenUrlA: hInternet = 0x000001a0
InternetOpenUrlA: hInternet = 0x0000016c
InternetOpenUrlA: hInternet = 0x000001b0
InternetOpenUrlA: hInternet = 0x000001bc
InternetOpenUrlA: hInternet = 0x000001b4
InternetOpenUrlA: hInternet = 0x000001ac
Behavior description: Read network file
details: hFile = 0x00000190, BytesToRead =1999, BytesRead = 1999.
hFile = 0x0000019c, BytesToRead =1999, BytesRead = 1999.
hFile = 0x0000011c, BytesToRead =1999, BytesRead = 1999.
hFile = 0x000001a8, BytesToRead =1999, BytesRead = 1999.
hFile = 0x00000194, BytesToRead =1999, BytesRead = 1999.
hFile = 0x000001a4, BytesToRead =1999, BytesRead = 1999.
hFile = 0x000001a0, BytesToRead =1999, BytesRead = 1999.
hFile = 0x0000016c, BytesToRead =1999, BytesRead = 1999.
hFile = 0x000001b0, BytesToRead =1999, BytesRead = 1999.
hFile = 0x000001bc, BytesToRead =1999, BytesRead = 1999.
hFile = 0x000001b4, BytesToRead =1999, BytesRead = 1999.
hFile = 0x000001ac, BytesToRead =1999, BytesRead = 1999.
Behavior description: Resolve host address by name
details: fwqyz.3322.org
Registry behavior
Behavior description: Modify registry
details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\6AY2Vbkb2\Description
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Session Manager\PendingFileRenameOperations
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Type
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\cacls.exe
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\regsvr32.exe
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS\
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32\
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR\
\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\
\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid\
\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\
Behavior description: Modify registry (Explorer file display settings)
details: \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
Behavior description: Delete registry key (Safe Mode startup entries)
details: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
Behavior description: Delete registry key (Group Policy)
details: \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{4E828BFE-5F63-40F2-8632-447543EB198C}User\Software\Microsoft\Windows\CurrentVersion\Policies
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer
Behavior description: Delete registry key
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{4E828BFE-5F63-40F2-8632-447543EB198C}User\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{4E828BFE-5F63-40F2-8632-447543EB198C}User\Software\Microsoft\Windows\CurrentVersion
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{4E828BFE-5F63-40F2-8632-447543EB198C}User\Software\Microsoft\Windows
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{4E828BFE-5F63-40F2-8632-447543EB198C}User\Software\Microsoft
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{4E828BFE-5F63-40F2-8632-447543EB198C}User\Software
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{4E828BFE-5F63-40F2-8632-447543EB198C}User
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{4E828BFE-5F63-40F2-8632-447543EB198C}Machine
Behavior description: Delete registry key (remove startup entry)
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
Behavior description: Delete registry value
details: \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0\Expiration
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1\Expiration
Other behavior
Behavior description: Create driver file image
details: C:\NetApi000.sys
Behavior description: Create mutex
details: 6AY2Vbkb2
CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1645522239-1417001333-500MUTEX.DefaultS-1-5-21-1482476501-1645522239-1417001333-500
cmonitorsampleexe_7zdumpwincrisexecmonitorsampleexe_7zdumpwincrisexe
SHIMLIB_LOG_MUTEX
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
xcgucvnzn
cmonitorsampleexe_7zdumpwincrisexelog
Behavior description: Inline hook
details: C:\WINDOWS\system32\PSAPI.DLL ---> EnumProcessModules Offset = 0x0
C:\WINDOWS\system32\kernel32.dll ---> OpenProcess Offset = 0x0
C:\WINDOWS\system32\kernel32.dll ---> CloseHandle Offset = 0x0
Behavior description: Set message hook
details: C:\WINDOWS\system32\dnsq.dll
Behavior description: Load driver (standard method)
details: \??\C:\NetApi000.sys
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [XOR,MSCTFIME SMSS]
NtUserFindWindowEx: [Class,Window] = [,SREng 介绍]
NtUserFindWindowEx: [Class,Window] = [,@@升级]
NtUserFindWindowEx: [Class,Window] = [,扫描]
NtUserFindWindowEx: [Class,Window] = [gg,ff]
NtUserFindWindowEx: [Class,Window] = [fg,gg]
NtUserFindWindowEx: [Class,Window] = [#32770,MCI Program Com Application]
NtUserFindWindowEx: [Class,Window] = [dd,gg]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [BaseBar,ChanApp]
NtUserFindWindowEx: [Class,Window] = [SysListView32,]
NtUserFindWindowEx: [Class,Window] = [OleMainThreadWndClass,]
NtUserFindWindowEx: [Class,Window] = [XOR,MSICTFIME SMSS]
NtUserFindWindowEx: [Class,Window] = [SystemTray_Main,]
NtUserFindWindowEx: [Class,Window] = [CSCHiddenWindow,]
Behavior description: Start system service
details: [服务启动成功]: LocalSystem, KI46qoFnFDMR6b, C:\WINDOWS\system32\qqycqg.exe
Behavior description: Acquire system privileges
details: SE_LOAD_DRIVER_PRIVILEGE
SE_DEBUG_PRIVILEGE
SE_SHUTDOWN_PRIVILEGE
Behavior description: Enumerate windows
details: N/A
Behavior description: Send close message to sensitive windows
details: N/A
Behavior description: Stop system service
details: ServiceName = NetApi000
Behavior description: Hide specified window
details: [Window,Class] = [TF_FloatingLangBar_WndTitle,CiceroUIWndFrame]
[Window,Class] = [,tooltips_class32]
[Window,Class] = [「开始」菜单,DV2ControlHost]
[Window,Class] = [MCI Program Com Application,#32770]
[Window,Class] = [Connections Tray,Connections Tray]
Behavior description: Create system service
details: [服务创建成功]: 6AY2Vbkb2, C:\WINDOWS\system32\qqycqg.exe
[服务创建成功]: NetApi000, C:\NetApi000.sys