VirSCAN

File information
Safety rating: 50
Behaviour list
Basic information
MD5: 714ba11f18184e4efd838bd830a88044
File type: EXE
Vendor: By—瓜皮Tuza
Version: 1.0.0.0---1.0.0.0
Packer or compiler information: COMPILER:Elan
Key behaviour
Behaviour description: Detect virtual machine via file attribute lookup
Details: GetFileAttributesEx: FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序\Oracle VM VirtualBox Guest Additions\Uninstall.lnk
GetFileAttributesEx: FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序\Oracle VM VirtualBox Guest Additions\Website.lnk
Behaviour description: Modify registry: Task Manager key property
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
Behaviour description: Set message hook
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\Hook.dll
Behaviour description: Load driver (standard method)
Details: \??\C:\Documents and Settings\Administrator\Local Settings\%temp%\LianXue_SuperKill.sys
\??\C:\Documents and Settings\Administrator\Local Settings\%temp%\jinfu.sys
\??\C:\Documents and Settings\Administrator\Local Settings\%temp%\KillFile.sys
Behaviour description: Get basic user information
Details: Level = 2.
Behaviour description: Kill process
Details: C:\WINDOWS\explorer.exe
Behaviour description: Block window close message
Details: hWnd = 0x00010346, Text = WannaCry 3.0 ☆ By-B站-瓜皮Tuza ☆, ClassName = WTWindow.
Behaviour description: Set special file attributes
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\jinfu.sys
C:\Documents and Settings\Administrator\Local Settings\%temp%\Hook.dll
C:\WINDOWS\fveupdate.exe
C:\DiskD\Top.exe
Behaviour description: Detect virtual machine via file search
Details: FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序\Oracle VM VirtualBox Guest Additions\*.*
Behaviour description: Set special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behaviour description: Create system service
Details: [服务创建成功]: LianXue_SuperKill, C:\Documents and Settings\Administrator\Local Settings\%temp%\LianXue_SuperKill.sys
[服务已存在]: LianXue_SuperKill, C:\Documents and Settings\Administrator\Local Settings\%temp%\LianXue_SuperKill.sys
[服务创建成功]: jinfu, C:\Documents and Settings\Administrator\Local Settings\%temp%\jinfu.sys
[服务已存在]: jinfu, C:\Documents and Settings\Administrator\Local Settings\%temp%\jinfu.sys
[服务创建成功]: KillFile, C:\Documents and Settings\Administrator\Local Settings\%temp%\KillFile.sys
Behaviour description: Modify registry: autostart entry
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\360.
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\%temp%\****.exe
Process behaviour
Behaviour description: Create process
Details: [0x00000b70]ImagePath = C:\WINDOWS\explorer.exe, CmdLine = explorer.exe
[0x00000c20]ImagePath = C:\WINDOWS\system32\verclsid.exe, CmdLine = /S /C {2559A1F4-21D7-11D4-BDAF-00C04F60B9F0} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
[0x00000c48]ImagePath = C:\WINDOWS\system32\verclsid.exe, CmdLine = /S /C {2559A1F5-21D7-11D4-BDAF-00C04F60B9F0} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
[0x00000d5c]ImagePath = C:\Program Files\Internet Explorer\iexplore.exe, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
[0x00000d9c]ImagePath = C:\Program Files\Internet Explorer\iexplore.exe, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:3420 CREDAT:79873
Behaviour description: Create local thread
Details: TargetProcess: explorer.exe, InheritedFromPID = 2648, ProcessID = 2928, ThreadID = 2952, StartAddress = 77E56C7D, Parameter = 000FF6C0
TargetProcess: explorer.exe, InheritedFromPID = 2648, ProcessID = 2928, ThreadID = 2956, StartAddress = 769AE43B, Parameter = 00101EE8
TargetProcess: explorer.exe, InheritedFromPID = 2648, ProcessID = 2928, ThreadID = 2960, StartAddress = 77F56ED3, Parameter = 0007FDBC
TargetProcess: explorer.exe, InheritedFromPID = 2648, ProcessID = 2928, ThreadID = 2968, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: explorer.exe, InheritedFromPID = 2648, ProcessID = 2928, ThreadID = 2972, StartAddress = 7C930230, Parameter = 00000000
TargetProcess: explorer.exe, InheritedFromPID = 2648, ProcessID = 2928, ThreadID = 2976, StartAddress = 7C949B6F, Parameter = 00000000
TargetProcess: explorer.exe, InheritedFromPID = 2648, ProcessID = 2928, ThreadID = 2992, StartAddress = 7D5D9849, Parameter = 00000000
TargetProcess: explorer.exe, InheritedFromPID = 2648, ProcessID = 2928, ThreadID = 2996, StartAddress = 77F56ED3, Parameter = 016DF4D4
TargetProcess: explorer.exe, InheritedFromPID = 2648, ProcessID = 2928, ThreadID = 3000, StartAddress = 7D5DAD7C, Parameter = 00000278
TargetProcess: explorer.exe, InheritedFromPID = 2648, ProcessID = 2928, ThreadID = 3028, StartAddress = 7C930230, Parameter = 00000000
TargetProcess: explorer.exe, InheritedFromPID = 2648, ProcessID = 2928, ThreadID = 3036, StartAddress = 75F15339, Parameter = 00136880
TargetProcess: explorer.exe, InheritedFromPID = 2648, ProcessID = 2928, ThreadID = 3076, StartAddress = 7C930230, Parameter = 00000000
TargetProcess: verclsid.exe, InheritedFromPID = 2928, ProcessID = 3104, ThreadID = 3112, StartAddress = 01001B29, Parameter = 00000000
TargetProcess: verclsid.exe, InheritedFromPID = 2928, ProcessID = 3104, ThreadID = 3140, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: verclsid.exe, InheritedFromPID = 2928, ProcessID = 3144, ThreadID = 3152, StartAddress = 01001B29, Parameter = 00000000
Behaviour description: Enumerate processes
Details: N/A
Behaviour description: Kill process
Details: C:\WINDOWS\explorer.exe
File behaviour
Behaviour description: Create file
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\Hook.dll
C:\tianshideshouhu
C:\Documents and Settings\Administrator\Local Settings\%temp%\LianXue_SuperKill.sys
C:\Documents and Settings\Administrator\Local Settings\%temp%\jinfu.sys
C:\Documents and Settings\Administrator\Local Settings\%temp%\KillFile.sys
C:\tz.ico
C:\WINDOWS\fveupdate.exe
C:\DiskD\Top.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\会玩拯救不开心.bmp
Behaviour description: Detect virtual machine via file attribute lookup
Details: GetFileAttributesEx: FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序\Oracle VM VirtualBox Guest Additions\Uninstall.lnk
GetFileAttributesEx: FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序\Oracle VM VirtualBox Guest Additions\Website.lnk
Behaviour description: Create executable file
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\Hook.dll
C:\Documents and Settings\Administrator\Local Settings\%temp%\LianXue_SuperKill.sys
C:\Documents and Settings\Administrator\Local Settings\%temp%\jinfu.sys
C:\Documents and Settings\Administrator\Local Settings\%temp%\KillFile.sys
C:\WINDOWS\fveupdate.exe
C:\DiskD\Top.exe
Behaviour description: Delete file
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\jinfu.sys
C:\Documents and Settings\Administrator\Local Settings\%temp%\会玩拯救不开心.bmp
Behaviour description: Overwrite existing file
Details: C:\tz.ico
Behaviour description: Copy file
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe ---> C:\Windows\fveupdate.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe ---> D:\Top.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe ---> E:\Top.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe ---> F:\Top.exe
Behaviour description: Set special file attributes
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\jinfu.sys
C:\Documents and Settings\Administrator\Local Settings\%temp%\Hook.dll
C:\WINDOWS\fveupdate.exe
C:\DiskD\Top.exe
Behaviour description: Search for file
Details: FileName = c:\tianshideshouhu
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\LianXue_SuperKill.sys
FileName = C:\WINDOWS
FileName = C:\WINDOWS\explorer.exe
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\Application Data
FileName = C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft
FileName = C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\CD Burning
FileName = C:\Documents and Settings\Administrator\Application Data
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\*.*
FileName = C:\Program Files
FileName = C:\Documents and Settings\Administrator\「开始」菜单
FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序
Behaviour description: Set special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behaviour description: Modify file content
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\Hook.dll ---> Offset = 0
C:\tianshideshouhu ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\LianXue_SuperKill.sys ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\jinfu.sys ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\KillFile.sys ---> Offset = 0
C:\tz.ico ---> Offset = 0
C:\tz.ico ---> Offset = 2
C:\tz.ico ---> Offset = 4
C:\tz.ico ---> Offset = 6
C:\tz.ico ---> Offset = 22
C:\WINDOWS\fveupdate.exe ---> Offset = 0
C:\WINDOWS\fveupdate.exe ---> Offset = 65536
C:\WINDOWS\fveupdate.exe ---> Offset = 131072
C:\WINDOWS\fveupdate.exe ---> Offset = 196608
C:\WINDOWS\fveupdate.exe ---> Offset = 262144
Network behaviour
Behaviour description: Open specified web page in IE
Details: http://st****om/
Registry behaviour
Behaviour description: Modify registry: file association
Details: \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\
\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\DefaultIcon\
\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\
Behaviour description: Modify registry: group policy
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRealMode
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu
Behaviour description: Delete registry key: Safe Mode startup entries
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\PlugPlay\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}\
Behaviour description: Modify registry: Task Manager key property
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
Behaviour description: Modify registry
Details: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\
\REGISTRY\MACHINE\SOFTWARE\Classes\.jpg\
\REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\
\REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\DefaultIcon\
\REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\shell\open\command\
\REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\
\REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\DefaultIcon\
\REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\shell\open\command\
\REGISTRY\MACHINE\SOFTWARE\Classes\.bmp\
\REGISTRY\MACHINE\SOFTWARE\Classes\bmpfile\
\REGISTRY\MACHINE\SOFTWARE\Classes\bmpfile\DefaultIcon\
\REGISTRY\MACHINE\SOFTWARE\Classes\bmpfile\shell\open\command\
\REGISTRY\MACHINE\SOFTWARE\Classes\icofile\
\REGISTRY\MACHINE\SOFTWARE\Classes\icofile\DefaultIcon\
\REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shell\open\command\
Behaviour description: Delete registry value
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\AppMgmt\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Base\
Behaviour description: Modify registry: autostart entry
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\360.
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\%temp%\****.exe
Other behaviour
Behaviour description: Create mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
ExplorerIsShellMutex
MSCTF.Shared.MUTEX.MFK
Shell.CMruPidlList
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Local\ZonesCounterMutex
_SHuassist.mtx
Behaviour description: Create event object
Details: EventName = DINPUTWINMM
EventName = Global\ScmCreatedEvent
EventName = _fCanRegisterWithShellService
EventName = MSCTF.SendReceive.Event.MFK.IC
EventName = MSCTF.SendReceiveConection.Event.MFK.IC
EventName = Global\crypt32LogoffEvent
EventName = MSCTF.SendReceive.Event.EOD.IC
EventName = MSCTF.SendReceiveConection.Event.EOD.IC
EventName = ShellReadyEvent
EventName = CTF.ThreadMarshalInterfaceEvent.00000B90.00000000.00000000
EventName = CTF.ThreadMIConnectionEvent.00000B90.00000000.00000000
EventName = MSCTF.SendReceive.Event.AJL.IC
EventName = MSCTF.SendReceiveConection.Event.AJL.IC
EventName = Local\HotPlug_TaskBarIcon_Event
EventName = HPlugEjectEvent
Behaviour description: Open event
Details: HookSwitchHookEnabledEvent
Global\SvcctrlStartEvent_A3752DX
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Global\ScmCreatedEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
MSFT.VSA.COM.DISABLE.2928
MSFT.VSA.IEC.STATUS.6c736db0
_fCanRegisterWithShellService
msgina: ShellReadyEvent
ExplorerWindowIdle
Global\crypt32LogoffEvent
CTF.ThreadMIConnectionEvent.00000B90.00000000.00000000
Behaviour description: Load driver (standard method)
Details: \??\C:\Documents and Settings\Administrator\Local Settings\%temp%\LianXue_SuperKill.sys
\??\C:\Documents and Settings\Administrator\Local Settings\%temp%\jinfu.sys
\??\C:\Documents and Settings\Administrator\Local Settings\%temp%\KillFile.sys
Behaviour description: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [Acrobat Viewer,]
NtUserFindWindowEx: [Class,Window] = [,DefenderDaemon.exe]
NtUserFindWindowEx: [Class,Window] = [,explorer.exe]
NtUserFindWindowEx: [Class,Window] = [Proxy Desktop,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [BaseBar,ChanApp]
NtUserFindWindowEx: [Class,Window] = [SysListView32,]
NtUserFindWindowEx: [Class,Window] = [,]
NtUserFindWindowEx: [Class,Window] = [OleMainThreadWndClass,]
NtUserFindWindowEx: [Class,Window] = [SystemTray_Main,]
NtUserFindWindowEx: [Class,Window] = [CSCHiddenWindow,]
NtUserFindWindowEx: [Class,Window] = [,Microsoft Internet Explorer]
Behaviour description: Start system service
Details: [服务启动成功]: , LianXue_SuperKill, \??\C:\Documents and Settings\Administrator\Local Settings\%temp%\LianXue_SuperKill.sys
[服务启动成功]: , TailList, \??\C:\Documents and Settings\Administrator\Local Settings\%temp%\jinfu.sys
[服务启动成功]: , KillFile, \??\C:\Documents and Settings\Administrator\Local Settings\%temp%\KillFile.sys
Behaviour description: Enumerate windows
Details: N/A
Behaviour description: Get basic user information
Details: Level = 2.
Behaviour description: Adjust process token privileges
Details: SE_DEBUG_PRIVILEGE
SE_LOAD_DRIVER_PRIVILEGE
SE_SHUTDOWN_PRIVILEGE
Behaviour description: Block window close message
Details: hWnd = 0x00010346, Text = WannaCry 3.0 ☆ By-B站-瓜皮Tuza ☆, ClassName = WTWindow.
Behaviour description: Window information
Details: Pid = 2648, Hwnd=0x10374, Text = 确定, ClassName = Button.
Pid = 2648, Hwnd=0x10378, Text = 加载驱动失败,您的杀毒软件或防火墙阻止了本程序!, ClassName = Static.
Pid = 2648, Hwnd=0x10372, Text = 提示, ClassName = #32770.
Pid = 2648, Hwnd=0x1036e, Text = https://space.bilibili.com/115067812/#/, ClassName = Edit.
Pid = 2648, Hwnd=0x1036c, Text = How to die, ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2648, Hwnd=0x1036a, Text = About 付款方法, ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2648, Hwnd=0x10364, Text = Contact Us, ClassName = _EL_HyperLinker.
Pid = 2648, Hwnd=0x10362, Text = Dowload, ClassName = Button.
Pid = 2648, Hwnd=0x10360, Text = Game Payment, ClassName = Button.
Pid = 2648, Hwnd=0x1035e, Text = copy, ClassName = Button.
Pid = 2648, Hwnd=0x10358, Text = Chinese (Simple), ClassName = ComboBox.
Pid = 2648, Hwnd=0x1035c, Text = Chinese (Simple), ClassName = Edit.
Pid = 2648, Hwnd=0x10356, Text = 59, ClassName = _EL_Label.
Pid = 2648, Hwnd=0x10354, Text = 59, ClassName = _EL_Label.
Pid = 2648, Hwnd=0x10352, Text = 05/21/2017 13:14:20, ClassName = _EL_Label.
Behaviour description: Executable signature information
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\Hook.dll(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\%temp%\LianXue_SuperKill.sys(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\%temp%\jinfu.sys(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\%temp%\KillFile.sys(签名验证: 未通过)
C:\WINDOWS\fveupdate.exe(签名验证: 未通过)
C:\DiskD\Top.exe(签名验证: 未通过)
Behaviour description: Hide specified window
Details: [Window,Class] = [,ComboLBox]
[Window,Class] = [,_EL_Timer]
[Window,Class] = [,tooltips_class32]
[Window,Class] = [类型: Microsoft Office Word 97-2003 文档 作者: chendongli(李晨东) 修改日期: 2017-10-13 14:53 大小: 22.5 KB,tooltips_class32]
[Window,Class] = [,Auto-Suggest Dropdown]
[Window,Class] = [,msctls_updown32]
[Window,Class] = [「开始」菜单,DV2ControlHost]
[Window,Class] = [Connections Tray,Connections Tray]
Behaviour description: Executable file MD5
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\Hook.dll ---> 4659f476b80e067bceeaa8e821c3fab8
C:\Documents and Settings\Administrator\Local Settings\%temp%\LianXue_SuperKill.sys ---> c0e29f0b32513197fbd550393def8b3a
C:\Documents and Settings\Administrator\Local Settings\%temp%\jinfu.sys ---> bbd3798a4b01e80aba5b45888d4c9707
C:\Documents and Settings\Administrator\Local Settings\%temp%\KillFile.sys ---> 692ccfcdf7e828c5c095850cfa558f2a
C:\WINDOWS\fveupdate.exe ---> 714ba11f18184e4efd838bd830a88044
C:\DiskD\Top.exe ---> 714ba11f18184e4efd838bd830a88044
Behaviour description: Open mutex
Details: ShimCacheMutex
Ie4Setup.Mutext
WininetStartupMutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
Local\!IETld!Mutex
Local\!BrowserEmulation!SharedMemory!Mutex
RasPbFile
Behaviour description: Create system service
Details: [服务创建成功]: LianXue_SuperKill, C:\Documents and Settings\Administrator\Local Settings\%temp%\LianXue_SuperKill.sys
[服务已存在]: LianXue_SuperKill, C:\Documents and Settings\Administrator\Local Settings\%temp%\LianXue_SuperKill.sys
[服务创建成功]: jinfu, C:\Documents and Settings\Administrator\Local Settings\%temp%\jinfu.sys
[服务已存在]: jinfu, C:\Documents and Settings\Administrator\Local Settings\%temp%\jinfu.sys
[服务创建成功]: KillFile, C:\Documents and Settings\Administrator\Local Settings\%temp%\KillFile.sys
Behaviour description: Load newly dropped file
Details: Image: C:\Documents and Settings\Administrator\Local Settings\%temp%\Hook.dll.
Behaviour description: Detect virtual machine via file search
Details: FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序\Oracle VM VirtualBox Guest Additions\*.*