VirSCAN


File information
Safety rating: 82
Behavior list
Basic information
MD5: cbd8b15a6a42543ec47d5231857fc4de
File type: Rar
Vendor:
Version:
Packer or compiler info: COMPILER:UPX 0.80 - 1.24 DLL -> Markus & Laszlo
Sub-file information: installerdumpFile / d41d8cd98f00b204e9800998ecf8427e / Unknown
lantern-installer.exe / cd0af658c66a134185b2fdf6ec6e6cce / EXE
Key behaviors
Behavior: Cross-process memory write
Details: TargetProcess = C:\Windows\supporth15.exe, WriteAddress = 0x00150000, Size = 0x00000020 TargetPID = 0x00000e38
TargetProcess = C:\Windows\supporth15.exe, WriteAddress = 0x00150020, Size = 0x00000034 TargetPID = 0x00000e38
TargetProcess = C:\Windows\supporth15.exe, WriteAddress = 0x7ffda238, Size = 0x00000004 TargetPID = 0x00000e38
TargetProcess = C:\Users\Administrator\AppData\Roaming\Lantern\lantern.exe, WriteAddress = 0x00080000, Size = 0x00000020 TargetPID = 0x00000ee8
TargetProcess = C:\Users\Administrator\AppData\Roaming\Lantern\lantern.exe, WriteAddress = 0x00080020, Size = 0x00000034 TargetPID = 0x00000ee8
TargetProcess = C:\Users\Administrator\AppData\Roaming\Lantern\lantern.exe, WriteAddress = 0x7ffd8238, Size = 0x00000004 TargetPID = 0x00000ee8
TargetProcess = C:\Users\Administrator\AppData\Roaming\Lantern\lantern.exe, WriteAddress = 0x00080000, Size = 0x00000020 TargetPID = 0x00000c58
TargetProcess = C:\Users\Administrator\AppData\Roaming\Lantern\lantern.exe, WriteAddress = 0x00080020, Size = 0x00000034 TargetPID = 0x00000c58
TargetProcess = C:\Users\Administrator\AppData\Roaming\Lantern\lantern.exe, WriteAddress = 0x7ffd8238, Size = 0x00000004 TargetPID = 0x00000c58
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000fa0
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000fa0
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x7ffdc238, Size = 0x00000004 TargetPID = 0x00000fa0
TargetProcess = C:\Users\Administrator\AppData\Roaming\byteexec\sysproxy-cmd.exe, WriteAddress = 0x00240000, Size = 0x00000020 TargetPID = 0x000007e8
TargetProcess = C:\Users\Administrator\AppData\Roaming\byteexec\sysproxy-cmd.exe, WriteAddress = 0x00240020, Size = 0x00000034 TargetPID = 0x000007e8
TargetProcess = C:\Users\Administrator\AppData\Roaming\byteexec\sysproxy-cmd.exe, WriteAddress = 0x7ffd4238, Size = 0x00000004 TargetPID = 0x000007e8
Behavior: Load driver (regular method)
Details: \??\C:\Windows\ipsec32.sys
Behavior: Get TickCount value
Details: TickCount = 203421, SleepMilliseconds = 60000.
TickCount = 203437, SleepMilliseconds = 60000.
TickCount = 203453, SleepMilliseconds = 60000.
TickCount = 203656, SleepMilliseconds = 60000.
TickCount = 207984, SleepMilliseconds = 60000.
TickCount = 208000, SleepMilliseconds = 60000.
TickCount = 208078, SleepMilliseconds = 60000.
TickCount = 208109, SleepMilliseconds = 60000.
TickCount = 208125, SleepMilliseconds = 60000.
TickCount = 208140, SleepMilliseconds = 60000.
TickCount = 208171, SleepMilliseconds = 60000.
TickCount = 208203, SleepMilliseconds = 60000.
Behavior: Look up PE resource information
Details: (FindResourceExExW) hModule = 0x00000000, ResName: 95(ID), ResType: WIN32EXE
(FindResourceExExW) hModule = 0x00000000, ResName: 140(ID), ResType: WIN32EXE
(FindResourceExExW) hModule = 0x00000000, ResName: 97(ID), ResType: WIN32EXE
Behavior: Create file on desktop
Details: C:\Users\Administrator\Desktop\Lantern.lnk
Behavior: Set special folder attributes
Details: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PrivacIE\Low
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\IECompatCache\Low
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\IETldCache\Low
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\Low
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\Low
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\Low\History.IE5
Behavior: Read CPU clock directly
Details: EAX = 0xaaa73ed6, EDX = 0x00000077
EAX = 0xaaa73f22, EDX = 0x00000077
EAX = 0xaaa73f6e, EDX = 0x00000077
EAX = 0xad5a3eea, EDX = 0x00000077
Behavior: Create system service
Details: [服务创建成功]: ipsec32.sys, C:\Windows\ipsec32.sys
Behavior: Modify registry (autorun entry)
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\Lantern
Process behavior
Behavior: Create process with hidden window
Details: ImagePath = cmd.exe, CmdLine = cmd ver
Behavior: Cross-process memory write
Details: TargetProcess = C:\Windows\supporth15.exe, WriteAddress = 0x00150000, Size = 0x00000020 TargetPID = 0x00000e38
TargetProcess = C:\Windows\supporth15.exe, WriteAddress = 0x00150020, Size = 0x00000034 TargetPID = 0x00000e38
TargetProcess = C:\Windows\supporth15.exe, WriteAddress = 0x7ffda238, Size = 0x00000004 TargetPID = 0x00000e38
TargetProcess = C:\Users\Administrator\AppData\Roaming\Lantern\lantern.exe, WriteAddress = 0x00080000, Size = 0x00000020 TargetPID = 0x00000ee8
TargetProcess = C:\Users\Administrator\AppData\Roaming\Lantern\lantern.exe, WriteAddress = 0x00080020, Size = 0x00000034 TargetPID = 0x00000ee8
TargetProcess = C:\Users\Administrator\AppData\Roaming\Lantern\lantern.exe, WriteAddress = 0x7ffd8238, Size = 0x00000004 TargetPID = 0x00000ee8
TargetProcess = C:\Users\Administrator\AppData\Roaming\Lantern\lantern.exe, WriteAddress = 0x00080000, Size = 0x00000020 TargetPID = 0x00000c58
TargetProcess = C:\Users\Administrator\AppData\Roaming\Lantern\lantern.exe, WriteAddress = 0x00080020, Size = 0x00000034 TargetPID = 0x00000c58
TargetProcess = C:\Users\Administrator\AppData\Roaming\Lantern\lantern.exe, WriteAddress = 0x7ffd8238, Size = 0x00000004 TargetPID = 0x00000c58
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000fa0
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000fa0
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x7ffdc238, Size = 0x00000004 TargetPID = 0x00000fa0
TargetProcess = C:\Users\Administrator\AppData\Roaming\byteexec\sysproxy-cmd.exe, WriteAddress = 0x00240000, Size = 0x00000020 TargetPID = 0x000007e8
TargetProcess = C:\Users\Administrator\AppData\Roaming\byteexec\sysproxy-cmd.exe, WriteAddress = 0x00240020, Size = 0x00000034 TargetPID = 0x000007e8
TargetProcess = C:\Users\Administrator\AppData\Roaming\byteexec\sysproxy-cmd.exe, WriteAddress = 0x7ffd4238, Size = 0x00000004 TargetPID = 0x000007e8
Behavior: Create process from newly created file
Details: [0x00000e38]ImagePath = C:\Windows\supporth15.exe, CmdLine = "C:\Windows\supporth15.exe"
[0x00000ee8]ImagePath = C:\Users\Administrator\AppData\Roaming\Lantern\lantern.exe, CmdLine = "C:\Users\Administrator\AppData\Roaming\Lantern\lantern.exe"
[0x00000c58]ImagePath = C:\Users\Administrator\AppData\Roaming\Lantern\lantern.exe, CmdLine = C:\Users\Administrator\AppData\Roaming\Lantern\lantern.exe
[0x000007e8]ImagePath = C:\Users\Administrator\AppData\Roaming\byteexec\sysproxy-cmd.exe, CmdLine = C:\Users\Administrator\AppData\Roaming\byteexec\sysproxy-cmd.exe on 127.0.0.1 49210
[0x000008c4]ImagePath = C:\Users\Administrator\AppData\Roaming\byteexec\sysproxy-cmd.exe, CmdLine = C:\Users\Administrator\AppData\Roaming\byteexec\sysproxy-cmd.exe show
[0x000009b8]ImagePath = C:\Users\Administrator\AppData\Roaming\byteexec\sysproxy-cmd.exe, CmdLine = C:\Users\Administrator\AppData\Roaming\byteexec\sysproxy-cmd.exe wait-and-cleanup 127.0.0.1 49210
Behavior: Enumerate processes
Details: N/A
Behavior: Create process
Details: [0x00000fa0]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = cmd ver
[0x000008c8]ImagePath = C:\Windows\System32\rundll32.exe, CmdLine = "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.DLL",DispatchAPICall 1
[0x000008fc]ImagePath = C:\Windows\System32\rundll32.exe, CmdLine = C:\Windows\System32\rundll32.exe url.dll,FileProtocolHandler http://127.0.0.1:49184?token=b6ec4c26b7d2cd2f8ef71ccf7b53d5bc&utm_campaign=startup&utm_content=&utm_medium=lantern&utm_source=windows
[0x00000eec]ImagePath = C:\Windows\System32\rundll32.exe, CmdLine = "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.DLL",DispatchAPICall 1
File behavior
Behavior: Create file
Details: C:\Windows\libegl.dll
C:\Windows\supporth15.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\api[1]
C:\Windows\ipsec32.sys
C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb
C:\Users\Administrator\AppData\Local\Temp\nsg3DDA.tmp
C:\Users\Administrator\AppData\Roaming\Lantern\lantern.exe
C:\Users\Administrator\AppData\Roaming\Lantern\lantern.ico
C:\Users\Administrator\AppData\Roaming\Lantern\.packaged-lantern.yaml
C:\Users\Administrator\AppData\Roaming\Lantern\lantern.yaml
C:\Users\Administrator\AppData\Roaming\Lantern\uninstall.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lantern\Lantern.lnk
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lantern\Uninstall Lantern.lnk
C:\Users\Administrator\AppData\Local\Temp\nsx41E2.tmp
C:\Users\Administrator\AppData\Local\Temp\nsx41E2.tmp\ShellExecAsUser.dll
Behavior: Create executable file
Details: C:\Windows\libegl.dll
C:\Windows\supporth15.exe
C:\Windows\ipsec32.sys
C:\Users\Administrator\AppData\Roaming\Lantern\lantern.exe
C:\Users\Administrator\AppData\Roaming\Lantern\uninstall.exe
C:\Users\Administrator\AppData\Local\Temp\nsx41E2.tmp\ShellExecAsUser.dll
C:\Users\Administrator\AppData\Roaming\byteexec\certimporter.exe
C:\Users\Administrator\AppData\Roaming\systray\systray386.dll
C:\Users\Administrator\AppData\Roaming\byteexec\sysproxy-cmd.exe
C:\Users\Administrator\AppData\Local\Temp\notifu-notifier881741947\notifu.exe
Behavior: Overwrite existing file
Details: C:\Users\Administrator\AppData\Roaming\Lantern\settings.yaml
C:\Windows\Prefetch\IEXPLORE.EXE-908C99F8.pf
C:\Windows\Prefetch\WMIPRVSE.EXE-1628051C.pf
C:\Windows\Prefetch\SEARCHPROTOCOLHOST.EXE-0CB8CADE.pf
Behavior: Search for file
Details: FileName = C:\Windows\libegl.zh-CN
FileName = C:\Windows\libegl.zh-Hans
FileName = C:\Windows\libegl.zh
FileName = C:\Windows\libegl.en-US
FileName = C:\Windows\libegl.en
FileName = C:\Windows\libegl.CHS
FileName = C:\Windows\libegl.CH
FileName = C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
FileName = C:\ProgramData\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\Windows\system32\Ras\*.pbk
FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\Windows
FileName = C:\Windows\*.*
FileName = C:\Users\Administrator\Desktop\QQ浏览器.lnk
Behavior: Delete file
Details: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\api[1]
C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb
C:\Users\Administrator\AppData\Local\Temp\nsg3DDA.tmp
C:\Users\Administrator\AppData\Local\Temp\nsx41E2.tmp
C:\Users\Administrator\AppData\Local\Temp\nsx41E2.tmp\ShellExecAsUser.dll
C:\Users\Administrator\AppData\Local\Microsoft\Windows\WER\ERC\statecache.lock
C:\Windows\SoftwareDistribution\Download\49cea37ed490e5126ec9450fc2dd5116\cbshandler\state
C:\Windows\SoftwareDistribution\Download\49cea37ed490e5126ec9450fc2dd5116\Windows6.1-KB2999226-x86.cab
Behavior: Create file on desktop
Details: C:\Users\Administrator\Desktop\Lantern.lnk
Behavior: Rename file
Details: C:\Users\Administrator\AppData\Roaming\Lantern\proxystats.csv.tmp ---> C:\Users\Administrator\AppData\Roaming\Lantern\proxystats.csv
Behavior: Set special folder attributes
Details: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PrivacIE\Low
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\IECompatCache\Low
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\IETldCache\Low
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\Low
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\Low
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\Low\History.IE5
Behavior: Modify file content
Details: C:\Windows\libegl.dll ---> Offset = 0
C:\Windows\supporth15.exe ---> Offset = 0
C:\Windows\ipsec32.sys ---> Offset = 0
C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb ---> Offset = 0
C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb ---> Offset = 393216
C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb ---> Offset = 131072
C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb ---> Offset = 65536
C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb ---> Offset = 98304
C:\Users\Administrator\AppData\Roaming\Lantern\lantern.exe ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\Lantern\lantern.exe ---> Offset = 32768
C:\Users\Administrator\AppData\Roaming\Lantern\lantern.exe ---> Offset = 33930
C:\Users\Administrator\AppData\Roaming\Lantern\lantern.exe ---> Offset = 66698
C:\Users\Administrator\AppData\Roaming\Lantern\lantern.exe ---> Offset = 69683
C:\Users\Administrator\AppData\Roaming\Lantern\lantern.ico ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\Lantern\lantern.ico ---> Offset = 32768
Network behavior
Behavior: Open URL over the network
Details: InternetOpenUrlA: http://u.****om/gameall/api?a=s&nm=ggggg&q=e22&v=1.0.0&s3=0&m=08-00-27-48-89-80, hInternet = 0x00cc0004, Flags = 0x00000001
Behavior: Open specified web page in IE
Details: http://**.0.0.**:49184?token=b6ec4c26b7d2cd2f8ef71ccf7b53d5bc&utm_campaign=startup&utm_content=&utm_medium=lantern&utm_source=windows
http://**.0.0.**:49184/?token=b6ec4c26b7d2cd2f8ef71ccf7b53d5bc&utm_campaign=startup&utm_content=&utm_medium=lantern&utm_source=windows
Behavior: Open HTTP connection
Details: InternetOpenA: UserAgent: lantern-installer, hSession = 0x00cc0004
WinHttpOpen: UserAgent: Windows-Update-Agent, hSession = 0x012420e0
Behavior: Establish connection to a specified socket
Details: URL: u.****om, IP: **.133.40.**:80, SOCKET = 0x0000037c
IP: **.32.44.**:10489, SOCKET = 0x000001d8
IP: **.32.44.**:10489, SOCKET = 0x000002e4
IP: **.32.44.**:10489, SOCKET = 0x000002a0
Behavior: Send HTTP packet
Details: GET /gameall/api?a=s&nm=ggggg&q=e22&v=1.0.0&s3=0&m=08-00-27-48-89-80 HTTP/1.1 User-Agent: lantern-installer Host: u.****om
CONNECT globalconfig.flashlightproxy.com:443 HTTP/1.1 Host: gl****om:443 User-Agent: Go-http-client/1.1
GET http://config.getiantem.org/proxies.yaml.gz HTTP/1.1 Host: co****rg User-Agent: Lantern/4.4.0 (windows/386) Connection: close Accept: application/x-gzip Cache-Control: no-cache Accept-Encoding: gzip Connection: close
GET http://geo.getiantem.org/lookup/ HTTP/1.1 Host: ge****rg User-Agent: Lantern/4.4.0 (windows/386) Accept: application/json Accept-Encoding: gzip Connection: close
CONNECT update.getlantern.org:443 HTTP/1.1 Host: up****rg:443 User-Agent: Go-http-client/1.1
CONNECT api.getiantem.org:443 HTTP/1.1 Host: ap****rg:443 User-Agent: Go-http-client/1.1
Behavior: Resolve host address by name
Details: GetAddrInfoW: u.****om
GetAddrInfoW: ea****rg
GetAddrInfoW: s3****om
GetAddrInfoW: localhost
GetAddrInfoW: ra****om
Registry behavior
Behavior: Modify registry
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lantern-installer_RASAPI32\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lantern-installer_RASAPI32\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lantern-installer_RASAPI32\FileTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lantern-installer_RASAPI32\ConsoleTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lantern-installer_RASAPI32\MaxFileSize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lantern-installer_RASAPI32\FileDirectory
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lantern-installer_RASMANCS\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lantern-installer_RASMANCS\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lantern-installer_RASMANCS\FileTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lantern-installer_RASMANCS\ConsoleTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lantern-installer_RASMANCS\MaxFileSize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lantern-installer_RASMANCS\FileDirectory
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\USER\S-*\Software\Lantern\
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Uninstall\Lantern\DisplayName
Behavior: Delete registry value
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\value
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\AccountDomainSid
Behavior: Modify registry (autorun entry)
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\Lantern
Behavior: Modify registry (IE connection settings)
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
Behavior: Delete registry key
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts\
Other behavior
Behavior: Check whether it is being debugged
Details: IsDebuggerPresent
Behavior: Create mutex
Details: Local\_!MSFTHISTORY!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Local\!IETld!Mutex
Global\Instance0: ESENT Performance Data Schema Version 85
DBWinMutex
Behavior: Create event object
Details: EventName = Global\Go0: ESENT Performance Data Schema Version 85
EventName = Global\Ready0: ESENT Performance Data Schema Version 85
Behavior: Load driver (regular method)
Details: \??\C:\Windows\ipsec32.sys
Behavior: Open mutex
Details: Local\MSCTF.Asm.MutexDefault1
Local\_!MSFTHISTORY!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
Local\!IETld!Mutex
RasPbFile
Local\_!MSFTHISTORY!_LOW!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!low!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!low!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!low!history.ie5!
Behavior: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [SystemTray_Main,]
NtUserFindWindowEx: [Class,Window] = [DDEMLMom,]
Behavior: Start system service
Details: [服务启动成功]: , ipsec32.sys, \??\C:\Windows\ipsec32.sys
Behavior: Window information
Details: Pid = 3128, Hwnd=0x40180, Text = 1:, ClassName = Static.
Pid = 3128, Hwnd=0x40192, Text = load, ClassName = Button.
Pid = 3128, Hwnd=0x401b4, Text = 1, ClassName = Button.
Pid = 3128, Hwnd=0x401b2, Text = 2, ClassName = Button.
Pid = 3128, Hwnd=0x70204, Text = 3, ClassName = Button.
Pid = 3128, Hwnd=0x40196, Text = 4, ClassName = Button.
Pid = 3128, Hwnd=0x601d4, Text = C:\Users\Administrator\Desktop, ClassName = MFCEditBrowse.
Behavior: Get TickCount value
Details: TickCount = 203421, SleepMilliseconds = 60000.
TickCount = 203437, SleepMilliseconds = 60000.
TickCount = 203453, SleepMilliseconds = 60000.
TickCount = 203656, SleepMilliseconds = 60000.
TickCount = 207984, SleepMilliseconds = 60000.
TickCount = 208000, SleepMilliseconds = 60000.
TickCount = 208078, SleepMilliseconds = 60000.
TickCount = 208109, SleepMilliseconds = 60000.
TickCount = 208125, SleepMilliseconds = 60000.
TickCount = 208140, SleepMilliseconds = 60000.
TickCount = 208171, SleepMilliseconds = 60000.
TickCount = 208203, SleepMilliseconds = 60000.
Behavior: Adjust process token privileges
Details: SE_SECURITY_PRIVILEGE
SE_MANAGE_VOLUME_PRIVILEGE
SE_AUDIT_PRIVILEGE
SE_SHUTDOWN_PRIVILEGE
SE_ASSIGNPRIMARYTOKEN_PRIVILEGE
Behavior: Open event
Details: HookSwitchHookEnabledEvent
\KernelObjects\MaximumCommitCondition
MSFT.VSA.COM.DISABLE.3128
MSFT.VSA.IEC.STATUS.6c736db0
Local\MSCTF.CtfActivated.Default1
Local\MSCTF.AsmCacheReady.Default1
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
MSFT.VSA.COM.DISABLE.3640
{A1965210-3A9D-4bca-822B-433645B3F5A2}
Behavior: Look up PE resource information
Details: (FindResourceExExW) hModule = 0x00000000, ResName: 95(ID), ResType: WIN32EXE
(FindResourceExExW) hModule = 0x00000000, ResName: 140(ID), ResType: WIN32EXE
(FindResourceExExW) hModule = 0x00000000, ResName: 97(ID), ResType: WIN32EXE
Behavior: Executable signature information
Details: C:\Windows\libegl.dll(签名验证: 未通过)
C:\Windows\supporth15.exe(签名验证: 未通过)
C:\Windows\ipsec32.sys(签名验证: 未通过)
C:\Users\Administrator\AppData\Roaming\Lantern\lantern.exe(签名验证: 未通过)
C:\Users\Administrator\AppData\Roaming\Lantern\uninstall.exe(签名验证: 未通过)
C:\Users\Administrator\AppData\Local\Temp\nsx41E2.tmp\ShellExecAsUser.dll(签名验证: 未通过)
C:\Users\Administrator\AppData\Roaming\byteexec\certimporter.exe(签名验证: 未通过)
C:\Users\Administrator\AppData\Roaming\systray\systray386.dll(签名验证: 未通过)
C:\Users\Administrator\AppData\Roaming\byteexec\sysproxy-cmd.exe(签名验证: 未通过)
C:\Users\Administrator\AppData\Local\Temp\notifu-notifier881741947\notifu.exe(签名验证: 未通过)
Behavior: Call Sleep function
Details: [1]: MilliSeconds = 60000.
[2]: MilliSeconds = 60000.
[3]: MilliSeconds = 60000.
[4]: MilliSeconds = 60000.
[5]: MilliSeconds = 0.
[3]: MilliSeconds = 0.
Behavior: Hide specified window
Details: [Window,Class] = [,Button]
[Window,Class] = [,SystrayClass]
Behavior: Executable file MD5
Details: C:\Windows\libegl.dll ---> 65b2f8a9e6d8975b740d3653d0b074bd
C:\Windows\supporth15.exe ---> 文件过大!
C:\Windows\ipsec32.sys ---> 41c44e42120549e5222c3c6a2b5ad3b4
C:\Users\Administrator\AppData\Roaming\Lantern\lantern.exe ---> 文件过大!
C:\Users\Administrator\AppData\Roaming\Lantern\uninstall.exe ---> 0df0d260e1bb2473e8097b6a4f19e14e
C:\Users\Administrator\AppData\Local\Temp\nsx41E2.tmp\ShellExecAsUser.dll ---> 86a81b9ab7de83aa01024593a03d1872
C:\Users\Administrator\AppData\Roaming\byteexec\certimporter.exe ---> 10681797356c4ea0e7b71355c686f850
C:\Users\Administrator\AppData\Roaming\systray\systray386.dll ---> ded52422fd6092a1a1f66b4e2c39d88a
C:\Users\Administrator\AppData\Roaming\byteexec\sysproxy-cmd.exe ---> e16bc534a7fb4e656461ade3d95fd7af
C:\Users\Administrator\AppData\Local\Temp\notifu-notifier881741947\notifu.exe ---> 47521140556c4307691adb3f85539f16
Behavior: Read CPU clock directly
Details: EAX = 0xaaa73ed6, EDX = 0x00000077
EAX = 0xaaa73f22, EDX = 0x00000077
EAX = 0xaaa73f6e, EDX = 0x00000077
EAX = 0xad5a3eea, EDX = 0x00000077
Behavior: Create system service
Details: [服务创建成功]: ipsec32.sys, C:\Windows\ipsec32.sys
Behavior: Load newly dropped file
Details: Image: C:\Windows\libegl.dll.
Image: C:\Windows\supporth15.exe.
Image: C:\Users\Administrator\AppData\Roaming\Lantern\lantern.exe.
Image: C:\Users\Administrator\AppData\Roaming\Lantern\uninstall.exe.
Image: C:\Users\ADMINI~1\AppData\Local\Temp\nsx41E2.tmp\ShellExecAsUser.dll.
Image: C:\Users\Administrator\AppData\Roaming\systray\systray386.dll.
Image: C:\Users\Administrator\AppData\Roaming\byteexec\sysproxy-cmd.exe.