VirSCAN

File information
Safety rating: 14
Behavior list
Basic information
MD5: 4f578604f573ed37683217413b4c8f17
File type: zip
Vendor:
Version:
Packer or compiler info:
Sub-file information: 电脑100%不中毒的方法.url / f157fee5c5a2e8b552201911e943e93a / Unknown
荒野行动镜头飞天.exe / 06d781353e9c27fbf064bcad77427d1d / EXE
Key behaviors (summary; every entry is repeated with its full detail in the sections below)
Cross-process memory write: smss.exe, csrss.exe, winlogon.exe (full address and size list under Process behavior)
Create remote thread: smss.exe, csrss.exe, winlogon.exe, services.exe, lsass.exe, five svchost.exe instances, spoolsv.exe, jqs.exe, alg.exe, explorer.exe, reader_sl.exe (full list under Process behavior)
Set thread context: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\荒野行动镜头飞天.exe
Get TickCount value: TickCount = 224875, SleepMilliseconds = 5000.
Set startup item: C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\htxueaht.exe
Set special file attributes: C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\htxueaht.exe
Queue APC (asynchronous procedure call): C:\Program Files\Internet Explorer\iexplore.exe
Create autorun file in drive root: C:\DiskX\autorun.inf
Set special folder attributes: the Internet Explorer cache, history, cookie and feed folders under the Administrator profile (full list under File behavior)
Process behavior
Behavior: Create process
Details: [0x00000bb0]ImagePath = C:\Program Files\Internet Explorer\iexplore.exe, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
[0x00000bb8]ImagePath = C:\Program Files\Internet Explorer\iexplore.exe, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
[0x00000bcc]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe
[0x00000cf4]ImagePath = C:\Program Files\Internet Explorer\iexplore.exe, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
[0x00000e64]ImagePath = C:\Program Files\Internet Explorer\iexplore.exe, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:3316 CREDAT:79873
[0x00000e90]ImagePath = C:\Program Files\Internet Explorer\iexplore.exe, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.yixun.com/
Behavior: Create process from newly written file
Details: [0x00000ba8]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\荒野行动镜头飞天mgr.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\荒野行动镜头飞天mgr.exe"
Behavior: Cross-process memory write
Details: TargetProcess = C:\WINDOWS\system32\smss.exe, WriteAddress = 0x20060000, Size = 0x0000b000 TargetPID = 0x00000208
TargetProcess = C:\WINDOWS\system32\smss.exe, WriteAddress = 0x00310000, Size = 0x00000233 TargetPID = 0x00000208
TargetProcess = C:\WINDOWS\system32\smss.exe, WriteAddress = 0x00320000, Size = 0x000000df TargetPID = 0x00000208
TargetProcess = C:\WINDOWS\system32\smss.exe, WriteAddress = 0x00330000, Size = 0x00000030 TargetPID = 0x00000208
TargetProcess = C:\WINDOWS\system32\smss.exe, WriteAddress = 0x00340000, Size = 0x00000084 TargetPID = 0x00000208
TargetProcess = C:\WINDOWS\system32\csrss.exe, WriteAddress = 0x20060000, Size = 0x0000b000 TargetPID = 0x00000248
TargetProcess = C:\WINDOWS\system32\csrss.exe, WriteAddress = 0x03e80000, Size = 0x00000233 TargetPID = 0x00000248
TargetProcess = C:\WINDOWS\system32\csrss.exe, WriteAddress = 0x03eb0000, Size = 0x000000df TargetPID = 0x00000248
TargetProcess = C:\WINDOWS\system32\csrss.exe, WriteAddress = 0x03ec0000, Size = 0x00000030 TargetPID = 0x00000248
TargetProcess = C:\WINDOWS\system32\csrss.exe, WriteAddress = 0x03ed0000, Size = 0x00000084 TargetPID = 0x00000248
TargetProcess = C:\WINDOWS\system32\winlogon.exe, WriteAddress = 0x20060000, Size = 0x0000b000 TargetPID = 0x00000260
TargetProcess = C:\WINDOWS\system32\winlogon.exe, WriteAddress = 0x00e40000, Size = 0x00000233 TargetPID = 0x00000260
TargetProcess = C:\WINDOWS\system32\winlogon.exe, WriteAddress = 0x010d0000, Size = 0x000000df TargetPID = 0x00000260
TargetProcess = C:\WINDOWS\system32\winlogon.exe, WriteAddress = 0x010e0000, Size = 0x00000030 TargetPID = 0x00000260
TargetProcess = C:\WINDOWS\system32\winlogon.exe, WriteAddress = 0x010f0000, Size = 0x00000084 TargetPID = 0x00000260
Behavior: Create remote thread
Details: TargetProcess: smss.exe, InheritedFromPID = 4, ProcessID = 520, ThreadID = 3044, StartAddress = 00340000, Parameter = 00330000
TargetProcess: csrss.exe, InheritedFromPID = 520, ProcessID = 584, ThreadID = 3056, StartAddress = 03ED0000, Parameter = 03EC0000
TargetProcess: winlogon.exe, InheritedFromPID = 520, ProcessID = 608, ThreadID = 3068, StartAddress = 010F0000, Parameter = 010E0000
TargetProcess: services.exe, InheritedFromPID = 608, ProcessID = 652, ThreadID = 3080, StartAddress = 00BD0000, Parameter = 00BC0000
TargetProcess: lsass.exe, InheritedFromPID = 608, ProcessID = 664, ThreadID = 3092, StartAddress = 00DE0000, Parameter = 00DD0000
TargetProcess: svchost.exe, InheritedFromPID = 652, ProcessID = 872, ThreadID = 3104, StartAddress = 025D0000, Parameter = 025C0000
TargetProcess: svchost.exe, InheritedFromPID = 652, ProcessID = 936, ThreadID = 3112, StartAddress = 00E90000, Parameter = 00E80000
TargetProcess: svchost.exe, InheritedFromPID = 652, ProcessID = 976, ThreadID = 3120, StartAddress = 05AB0000, Parameter = 05AA0000
TargetProcess: svchost.exe, InheritedFromPID = 652, ProcessID = 1060, ThreadID = 3136, StartAddress = 007D0000, Parameter = 007C0000
TargetProcess: svchost.exe, InheritedFromPID = 652, ProcessID = 1092, ThreadID = 3156, StartAddress = 01150000, Parameter = 01140000
TargetProcess: spoolsv.exe, InheritedFromPID = 652, ProcessID = 1180, ThreadID = 3188, StartAddress = 015C0000, Parameter = 015B0000
TargetProcess: jqs.exe, InheritedFromPID = 652, ProcessID = 1304, ThreadID = 3248, StartAddress = 013D0000, Parameter = 013C0000
TargetProcess: alg.exe, InheritedFromPID = 652, ProcessID = 1624, ThreadID = 3272, StartAddress = 00D80000, Parameter = 00CB0000
TargetProcess: explorer.exe, InheritedFromPID = 1932, ProcessID = 2000, ThreadID = 3304, StartAddress = 03410000, Parameter = 03400000
TargetProcess: reader_sl.exe, InheritedFromPID = 2000, ProcessID = 220, ThreadID = 3328, StartAddress = 00AD0000, Parameter = 00AC0000
Behavior: Set thread context
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\荒野行动镜头飞天.exe
Behavior: Enumerate processes
Details: N/A
Behavior: Create local thread
Details: TargetProcess: 荒野行动镜头飞天.exe, InheritedFromPID = 2000, ProcessID = 2932, ThreadID = 2968, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: iexplore.exe, InheritedFromPID = 2984, ProcessID = 3000, ThreadID = 3008, StartAddress = 20057268, Parameter = 00000000
TargetProcess: iexplore.exe, InheritedFromPID = 2984, ProcessID = 3000, ThreadID = 3012, StartAddress = 20057195, Parameter = 00000000
TargetProcess: iexplore.exe, InheritedFromPID = 2984, ProcessID = 3000, ThreadID = 3016, StartAddress = 2005716E, Parameter = 00000000
TargetProcess: iexplore.exe, InheritedFromPID = 2984, ProcessID = 2992, ThreadID = 3028, StartAddress = 2005CA82, Parameter = 00000000
TargetProcess: iexplore.exe, InheritedFromPID = 2984, ProcessID = 2992, ThreadID = 3032, StartAddress = 2005CC7B, Parameter = 00000000
TargetProcess: iexplore.exe, InheritedFromPID = 2984, ProcessID = 2992, ThreadID = 3036, StartAddress = 2005C193, Parameter = 00000000
TargetProcess: iexplore.exe, InheritedFromPID = 2984, ProcessID = 2992, ThreadID = 3040, StartAddress = 2005CE8F, Parameter = 00000000
TargetProcess: iexplore.exe, InheritedFromPID = 2984, ProcessID = 2992, ThreadID = 3048, StartAddress = 2005A485, Parameter = 00000000
TargetProcess: iexplore.exe, InheritedFromPID = 2984, ProcessID = 2992, ThreadID = 3052, StartAddress = 2005A49F, Parameter = 00000000
TargetProcess: csrss.exe, InheritedFromPID = 520, ProcessID = 584, ThreadID = 3060, StartAddress = 20067268, Parameter = 00000000
TargetProcess: csrss.exe, InheritedFromPID = 520, ProcessID = 584, ThreadID = 3064, StartAddress = 20067195, Parameter = 00000000
TargetProcess: winlogon.exe, InheritedFromPID = 520, ProcessID = 608, ThreadID = 3072, StartAddress = 20067268, Parameter = 00000000
TargetProcess: winlogon.exe, InheritedFromPID = 520, ProcessID = 608, ThreadID = 3076, StartAddress = 20067195, Parameter = 00000000
TargetProcess: services.exe, InheritedFromPID = 608, ProcessID = 652, ThreadID = 3084, StartAddress = 20067268, Parameter = 00000000
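The cross-process write list and the remote-thread list above are easier to judge once correlated: for a classic WriteProcessMemory + CreateRemoteThread injection, the thread's StartAddress should land inside a buffer the sample wrote into the same PID (note the write log gives PIDs in hex, 0x208 = 520, while the thread log gives them in decimal), and the Parameter inside another. The Python below is an added example, not part of the VirSCAN report; it parses those lines (copied from this report as constructed sample input) and also groups the write sizes per target so the repeated five-buffer payload is visible. The report only logs writes for smss, csrss and winlogon, so the other threads come back with no matching write; that is a gap in the log shown, not evidence of a different technique.

```python
import re

# Constructed sample input: the "Cross-process write" and "Create remote thread"
# entries copied verbatim from the report above. Only smss, csrss and winlogon
# have write entries in the report; eight of the fifteen thread lines are kept.
CROSS_PROCESS_WRITES = r"""
TargetProcess = C:\WINDOWS\system32\smss.exe, WriteAddress = 0x20060000, Size = 0x0000b000 TargetPID = 0x00000208
TargetProcess = C:\WINDOWS\system32\smss.exe, WriteAddress = 0x00310000, Size = 0x00000233 TargetPID = 0x00000208
TargetProcess = C:\WINDOWS\system32\smss.exe, WriteAddress = 0x00320000, Size = 0x000000df TargetPID = 0x00000208
TargetProcess = C:\WINDOWS\system32\smss.exe, WriteAddress = 0x00330000, Size = 0x00000030 TargetPID = 0x00000208
TargetProcess = C:\WINDOWS\system32\smss.exe, WriteAddress = 0x00340000, Size = 0x00000084 TargetPID = 0x00000208
TargetProcess = C:\WINDOWS\system32\csrss.exe, WriteAddress = 0x20060000, Size = 0x0000b000 TargetPID = 0x00000248
TargetProcess = C:\WINDOWS\system32\csrss.exe, WriteAddress = 0x03e80000, Size = 0x00000233 TargetPID = 0x00000248
TargetProcess = C:\WINDOWS\system32\csrss.exe, WriteAddress = 0x03eb0000, Size = 0x000000df TargetPID = 0x00000248
TargetProcess = C:\WINDOWS\system32\csrss.exe, WriteAddress = 0x03ec0000, Size = 0x00000030 TargetPID = 0x00000248
TargetProcess = C:\WINDOWS\system32\csrss.exe, WriteAddress = 0x03ed0000, Size = 0x00000084 TargetPID = 0x00000248
TargetProcess = C:\WINDOWS\system32\winlogon.exe, WriteAddress = 0x20060000, Size = 0x0000b000 TargetPID = 0x00000260
TargetProcess = C:\WINDOWS\system32\winlogon.exe, WriteAddress = 0x00e40000, Size = 0x00000233 TargetPID = 0x00000260
TargetProcess = C:\WINDOWS\system32\winlogon.exe, WriteAddress = 0x010d0000, Size = 0x000000df TargetPID = 0x00000260
TargetProcess = C:\WINDOWS\system32\winlogon.exe, WriteAddress = 0x010e0000, Size = 0x00000030 TargetPID = 0x00000260
TargetProcess = C:\WINDOWS\system32\winlogon.exe, WriteAddress = 0x010f0000, Size = 0x00000084 TargetPID = 0x00000260
"""

REMOTE_THREADS = """
TargetProcess: smss.exe, InheritedFromPID = 4, ProcessID = 520, ThreadID = 3044, StartAddress = 00340000, Parameter = 00330000
TargetProcess: csrss.exe, InheritedFromPID = 520, ProcessID = 584, ThreadID = 3056, StartAddress = 03ED0000, Parameter = 03EC0000
TargetProcess: winlogon.exe, InheritedFromPID = 520, ProcessID = 608, ThreadID = 3068, StartAddress = 010F0000, Parameter = 010E0000
TargetProcess: services.exe, InheritedFromPID = 608, ProcessID = 652, ThreadID = 3080, StartAddress = 00BD0000, Parameter = 00BC0000
TargetProcess: lsass.exe, InheritedFromPID = 608, ProcessID = 664, ThreadID = 3092, StartAddress = 00DE0000, Parameter = 00DD0000
TargetProcess: svchost.exe, InheritedFromPID = 652, ProcessID = 872, ThreadID = 3104, StartAddress = 025D0000, Parameter = 025C0000
TargetProcess: explorer.exe, InheritedFromPID = 1932, ProcessID = 2000, ThreadID = 3304, StartAddress = 03410000, Parameter = 03400000
TargetProcess: reader_sl.exe, InheritedFromPID = 2000, ProcessID = 220, ThreadID = 3328, StartAddress = 00AD0000, Parameter = 00AC0000
"""

WRITE_RE = re.compile(
    r"TargetProcess = (?P<path>.+?), WriteAddress = 0x(?P<addr>[0-9a-fA-F]+), "
    r"Size = 0x(?P<size>[0-9a-fA-F]+) TargetPID = 0x(?P<pid>[0-9a-fA-F]+)"
)
THREAD_RE = re.compile(
    r"TargetProcess: (?P<name>[^,]+), InheritedFromPID = (?P<ppid>\d+), "
    r"ProcessID = (?P<pid>\d+), ThreadID = (?P<tid>\d+), "
    r"StartAddress = (?P<start>[0-9a-fA-F]+), Parameter = (?P<param>[0-9a-fA-F]+)"
)


def parse_writes(text):
    """Return {pid: [(base, size), ...]} from the sandbox's cross-process write lines."""
    writes = {}
    for m in WRITE_RE.finditer(text):
        pid = int(m["pid"], 16)  # the write log gives PIDs in hex ...
        writes.setdefault(pid, []).append((int(m["addr"], 16), int(m["size"], 16)))
    return writes


def find_region(regions, addr):
    """Return the (base, size) region containing addr, or None if nothing was written there."""
    for base, size in regions:
        if base <= addr < base + size:
            return (base, size)
    return None


def correlate(writes_text, threads_text):
    """For every remote thread, report whether its start address and its parameter
    fall inside memory the sample itself wrote into that process."""
    writes = parse_writes(writes_text)
    results = []
    for m in THREAD_RE.finditer(threads_text):
        pid = int(m["pid"])  # ... while the thread log gives them in decimal
        regions = writes.get(pid, [])
        results.append({
            "process": m["name"],
            "pid": pid,
            "tid": int(m["tid"]),
            "start_in_write": find_region(regions, int(m["start"], 16)),
            "param_in_write": find_region(regions, int(m["param"], 16)),
        })
    return results


def payload_signature(writes_text):
    """Sorted tuple of write sizes per target PID; identical tuples across
    processes mean the same set of buffers was injected into each of them."""
    return {pid: tuple(sorted(s for _, s in regs))
            for pid, regs in parse_writes(writes_text).items()}


if __name__ == "__main__":
    for r in correlate(CROSS_PROCESS_WRITES, REMOTE_THREADS):
        verdict = "thread starts in injected buffer" if r["start_in_write"] else "no matching write logged"
        print(f'{r["process"]:14} pid={r["pid"]:<5} tid={r["tid"]:<5} '
              f'start={r["start_in_write"]} param={r["param_in_write"]} -> {verdict}')
    print(payload_signature(CROSS_PROCESS_WRITES))
```

For smss, csrss and winlogon the thread starts in the 0x84-byte buffer and its parameter points at the 0x30-byte buffer, with the 0xb000, 0x233 and 0xdf buffers alongside; the same five sizes in every target is a usable fingerprint for the injected payload even where the addresses differ.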
File behavior
Behavior: Create file
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\荒野行动镜头飞天mgr.exe
C:\Program Files\Internet Explorer\dmlconf.dat
C:\DiskX\RECYCLER\S-0-3-01-0264443200-5181433861-240485580-4507\cMrGOuZk.exe
C:\DiskX\RECYCLER\S-0-3-01-0264443200-5181433861-240485580-4507\sIbHyBhM.cpl
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{CDF0F4EE-F861-11E7-91C0-7B****28}.dat
C:\WINDOWS\system32\d3dt.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF5C7E.tmp
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{CDF0F4EF-F861-11E7-91C0-7B****28}.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF81E5.tmp
Behavior: Create executable file
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\荒野行动镜头飞天mgr.exe
C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\htxueaht.exe
C:\DiskX\RECYCLER\S-0-3-01-0264443200-5181433861-240485580-4507\cMrGOuZk.exe
C:\DiskX\RECYCLER\S-0-3-01-0264443200-5181433861-240485580-4507\sIbHyBhM.cpl
C:\WINDOWS\system32\d3dt.dll
Behavior: Delete file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\~DF5C7E.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF81E5.tmp
Behavior: Overwrite existing file
Details: C:\Program Files\Internet Explorer\dmlconf.dat
C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Behavior: Copy file
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\荒野行动镜头飞天mgr.exe ---> C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\htxueaht.exe
Behavior: Set startup item
Details: C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\htxueaht.exe
Behavior: Set special file attributes
Details: C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\htxueaht.exe
Behavior: Search for file
Details: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Program Files\Internet Explorer\IEXPLORE.EXE
FileName = C:\Program Files\Internet Explorer\iexplore.exe
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\cmd.exe
FileName = www.bibis.cc .*
FileName = C:\WINDOWS\system32\www.bibis.cc .*
FileName = C:\WINDOWS\System\www.bibis.cc .*
FileName = C:\WINDOWS\www.bibis.cc .*
FileName = C:\Python27\www.bibis.cc .*
FileName = C:\Python27\Scripts\www.bibis.cc .*
FileName = C:\WINDOWS\System32\Wbem\www.bibis.cc .*
FileName = %APPDATA%\Python\Scripts\www.bibis.cc .*
Behavior: Create autorun file in drive root
Details: C:\DiskX\autorun.inf
Behavior: Set special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\IETldCache
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
Behavior: Modify file contents
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\荒野行动镜头飞天mgr.exe ---> Offset = 0
C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\htxueaht.exe ---> Offset = 0
C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\htxueaht.exe ---> Offset = 65536
C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\htxueaht.exe ---> Offset = 4096
C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\htxueaht.exe ---> Offset = 8192
C:\Program Files\Internet Explorer\dmlconf.dat ---> Offset = 0
C:\DiskX\RECYCLER\S-0-3-01-0264443200-5181433861-240485580-4507\cMrGOuZk.exe ---> Offset = 0
C:\DiskX\autorun.inf ---> Offset = 0
C:\DiskX\autorun.inf ---> Offset = 3
C:\DiskX\autorun.inf ---> Offset = 4903
C:\DiskX\autorun.inf ---> Offset = 5244
C:\DiskX\RECYCLER\S-0-3-01-0264443200-5181433861-240485580-4507\sIbHyBhM.cpl ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{CDF0F4EE-F861-11E7-91C0-7B****28}.dat ---> Offset = 512
C:\WINDOWS\system32\d3dt.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{CDF0F4EE-F861-11E7-91C0-7B****28}.dat ---> Offset = 0
Network behavior
Behavior: Open specified web page in IE
Details: ww****cc
http://ww****cc/
Behavior: Connect to specified socket
Details: URL: su****om, IP: **.133.40.**:447, SOCKET = 0x000000bc
URL: go****om, IP: **.133.40.**:80, SOCKET = 0x000000c4
URL: tv****om, IP: **.133.40.**:447, SOCKET = 0x000000f8
Behavior: Resolve host address by name
Details: gethostbyname: su****om
gethostbyname: go****om
gethostbyname: tv****om
GetAddrInfoW: ww****om
Registry behavior
Behavior: Modify registry
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed
\REGISTRY\MACHINE\SAM\SAM\Domains\Account\Users\000001F4\F
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-*\RefCount
\REGISTRY\USER\S-*\SessionInformation\ProgramCount
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Recovery\Active\{CDF0F4EE-F861-11E7-91C0-7B****28}
\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\{63800dac-e7ca-4df9-9a5c-20765055488d}\Enable
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32\
Behavior: Delete registry value
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Behavior: Delete registry key
Details: \REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\{63800dac-e7ca-4df9-9a5c-20765055488d}\
\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\
\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\
\REGISTRY\USER\S-*\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\
Other behaviors
Behavior: Create mutex
Details: RasPbFile
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
{2872BAEB-CECA-E562-CC5C-4F1A2BD10E1C}
{2872C6F9-CECA-E562-CC5C-4F1A37810E1C}
{2872C6F9-CECA-E562-CC5C-4F1A37890E1C}
{2872C0E2-CECA-E562-CC5C-4F1A2BD10E1C}
{2872CC2C-CECA-E562-CC5C-4F1A2BD10E1C}
{2872CC2C-CECA-E562-CC5C-4F1A2BD50E1C}
{2872CC2C-CECA-E562-CC5C-4F1A2DD90E1C}
{2872CC2C-CECA-E562-CC5C-4F1A2E190E1C}
Behavior: Create event object
Details: EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = Isolation Signal Registry Event (CDF0F4EB-F861-11E7-91C0-7B****28, 0)
EventName = IE_EarlyTabStart_0xcf8
EventName = Isolation Signal Registry Event (CDF0F4EC-F861-11E7-91C0-7B****28, 0)
EventName = Local\IEDDEExecuteEvent
EventName = MSCTF.SendReceive.Event.ENH.IC
EventName = MSCTF.SendReceive.Event.EOD.IC
EventName = MSCTF.SendReceiveConection.Event.ENH.IC
EventName = MSCTF.SendReceiveConection.Event.EOD.IC
EventName = MSCTF.SendReceive.Event.ANB.IC
EventName = MSCTF.SendReceive.Event.MLE.IC
EventName = MSCTF.SendReceiveConection.Event.ANB.IC
EventName = MSCTF.SendReceiveConection.Event.MLE.IC
EventName = MSCTF.SendReceive.Event.MJ.IC
Behavior: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [,Microsoft Internet Explorer]
NtUserFindWindowEx: [Class,Window] = [Acrobat Viewer,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [TXGuiFoundation,QQ2013]
NtUserFindWindowEx: [Class,Window] = [CTXOPConntion_Class,OP_2269840561]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [OleMainThreadWndClass,]
NtUserFindWindowEx: [Class,Window] = [IEFrame,]
Behavior: Open event
Details: HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
Isolation Signal Registry Event (CDF0F4EB-F861-11E7-91C0-7B****28, 0)
_fCanRegisterWithShellService
\INSTALLATION_SECURITY_HOLD
MSFT.VSA.COM.DISABLE.3316
MSFT.VSA.IEC.STATUS.6c736db0
MSCTF.SendReceiveConection.Event.IDK.IC
MSCTF.SendReceive.Event.IDK.IC
MSCTF.SendReceiveConection.Event.ENH.IC
MSCTF.SendReceive.Event.ENH.IC
MSCTF.SendReceiveConection.Event.EOD.IC
MSCTF.SendReceive.Event.EOD.IC
MSCTF.SendReceiveConection.Event.ANB.IC
Behavior: Get TickCount value
Details: TickCount = 224875, SleepMilliseconds = 5000.
Behavior: Adjust process token privileges
Details: SE_DEBUG_PRIVILEGE
SE_AUDIT_PRIVILEGE
SE_LOAD_DRIVER_PRIVILEGE
SE_CHANGE_NOTIFY_PRIVILEGE
Behavior: Enumerate windows
Details: N/A
Behavior: Queue APC (asynchronous procedure call)
Details: C:\Program Files\Internet Explorer\iexplore.exe
Behavior: Executable signature information
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\荒野行动镜头飞天mgr.exe (signature verification: failed)
C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\htxueaht.exe (signature verification: failed)
C:\DiskX\RECYCLER\S-0-3-01-0264443200-5181433861-240485580-4507\cMrGOuZk.exe (signature verification: failed)
C:\DiskX\RECYCLER\S-0-3-01-0264443200-5181433861-240485580-4507\sIbHyBhM.cpl (signature verification: failed)
C:\WINDOWS\system32\d3dt.dll (signature verification: failed)
Behavior: Call Sleep function
Details: [1]: MilliSeconds = 5000.
Behavior: Hide specified window
Details: [Window,Class] = [,BrowserFrameGripperClass]
Behavior: Executable MD5
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\荒野行动镜头飞天mgr.exe ---> dfb5daabb95dcfad1a5faf9ab1437076
C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\htxueaht.exe ---> dfb5daabb95dcfad1a5faf9ab1437076
C:\DiskX\RECYCLER\S-0-3-01-0264443200-5181433861-240485580-4507\cMrGOuZk.exe ---> dfb5daabb95dcfad1a5faf9ab1437076
C:\DiskX\RECYCLER\S-0-3-01-0264443200-5181433861-240485580-4507\sIbHyBhM.cpl ---> 13a4135b4b144cd9371dbc8ba09a440a
C:\WINDOWS\system32\d3dt.dll ---> e6361f483cac005b29c200ed7b419e42
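Read together, the "Create executable file", "Executable signature information" and "Executable MD5" sections show where the sample lands and that three of the dropped files are byte-identical copies of the dropper. The Python below is an added example, not part of the VirSCAN report: it parses the MD5 lines (copied from this report as constructed sample input), groups them by hash, and labels each path by the persistence or propagation role its location implies. The SID test is structural only: a genuine Windows SID starts with S-1-, so a RECYCLER subdirectory named S-0-3-01-... cannot belong to any real user's recycle bin, which is the usual sign of an autorun.inf-style propagation drop.

```python
import re

# Constructed sample input: the "Executable MD5" lines copied from this report.
MD5_LINES = r"""
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\荒野行动镜头飞天mgr.exe ---> dfb5daabb95dcfad1a5faf9ab1437076
C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\htxueaht.exe ---> dfb5daabb95dcfad1a5faf9ab1437076
C:\DiskX\RECYCLER\S-0-3-01-0264443200-5181433861-240485580-4507\cMrGOuZk.exe ---> dfb5daabb95dcfad1a5faf9ab1437076
C:\DiskX\RECYCLER\S-0-3-01-0264443200-5181433861-240485580-4507\sIbHyBhM.cpl ---> 13a4135b4b144cd9371dbc8ba09a440a
C:\WINDOWS\system32\d3dt.dll ---> e6361f483cac005b29c200ed7b419e42
"""

MD5_RE = re.compile(r"^(?P<path>.+?) ---> (?P<md5>[0-9a-f]{32})$", re.MULTILINE)
# A genuine SID is "S-1-<authority>-<subauthority>...": the revision field is always 1.
REAL_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
RECYCLER_RE = re.compile(r"\\RECYCLER\\(?P<sid>S-[0-9-]+)\\", re.IGNORECASE)
# "「开始」菜单\程序\启动" is the localized XP "Start Menu\Programs\Startup" folder.
STARTUP_MARKERS = ("\\启动\\", "\\startup\\")


def recycler_sid(path):
    """The S-... directory name under RECYCLER, or None if the path is not such a drop."""
    m = RECYCLER_RE.search(path)
    return m["sid"] if m else None


def recycler_sid_is_fake(path):
    """True when the file sits under RECYCLER\\<name> and <name> is not a well-formed SID."""
    sid = recycler_sid(path)
    return sid is not None and not REAL_SID_RE.match(sid)


def classify(path):
    """Label a dropped file by the persistence/propagation role its location implies."""
    low = path.lower()
    sid = recycler_sid(path)
    if sid is not None:
        kind = "malformed" if recycler_sid_is_fake(path) else "well-formed"
        return f"RECYCLER drop ({kind} SID {sid}) - autorun.inf propagation staging"
    if any(marker.lower() in low for marker in STARTUP_MARKERS):
        return "user Startup folder - runs at every logon"
    if "\\system32\\" in low and low.endswith(".dll"):
        return "DLL dropped into System32 - later loaded by the sample"
    if "\\temp\\" in low or "%temp%" in low:
        return "temporary staging copy"
    return "unclassified"


def parse_md5_lines(text):
    return [(m["path"], m["md5"]) for m in MD5_RE.finditer(text)]


def group_by_hash(text):
    """{md5: [(path, role), ...]} so identical copies are visible at a glance."""
    groups = {}
    for path, md5 in parse_md5_lines(text):
        groups.setdefault(md5, []).append((path, classify(path)))
    return groups


def self_copies(text, dropper_hash):
    """Paths carrying the same MD5 as the dropper, i.e. the sample copying itself."""
    return [p for p, h in parse_md5_lines(text) if h == dropper_hash]


if __name__ == "__main__":
    for md5, entries in group_by_hash(MD5_LINES).items():
        print(md5)
        for path, role in entries:
            print(f"    {role}\n        {path}")
```

Grouping by hash turns the five lines into three artifacts: the dropper and its two self-copies (Startup folder and RECYCLER), a separate .cpl in the RECYCLER directory, and d3dt.dll in System32; the "Copy file" and "Load newly dropped file" entries elsewhere in the report agree with that reading.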
Behavior: Open mutex
Details: RasPbFile
{2872BAEB-CECA-E562-CC5C-4F1A2BD10E1C}
ShimCacheMutex
{2872C0E2-CECA-E562-CC5C-4F1A2BD10E1C}
{2872BDC8-CECA-E562-CC5C-4F1A2BD10E1C}
{2872C6F9-CECA-E562-CC5C-4F1A2BD10E1C}
{2872C6F9-CECA-E562-CC5C-4F1A2BD50E1C}
{2872C6F9-CECA-E562-CC5C-4F1A2DD90E1C}
{2872C6F9-CECA-E562-CC5C-4F1A2E190E1C}
{2872C6F9-CECA-E562-CC5C-4F1A2E310E1C}
{2872C6F9-CECA-E562-CC5C-4F1A2E5D0E1C}
{2872C6F9-CECA-E562-CC5C-4F1A2E690E1C}
{2872C6F9-CECA-E562-CC5C-4F1A2F050E1C}
{2872C6F9-CECA-E562-CC5C-4F1A2F110E1C}
{2872C6F9-CECA-E562-CC5C-4F1A2F390E1C}
Behavior: Load newly dropped file
Details: Image: C:\WINDOWS\system32\d3dt.dll.