VirSCAN



File information
Security rating: 50
Behavior list
Behavior analysis report: behavior analysis report of files on the threat list
Basic information
MD5: 3669574c28b9798fa8652561c6d67bd0
File type: EXE
Company name (version info): Поставщик учетных данных Vault (Russian, "Vault Credential Provider")
Version: 88.54.96.78 --- 88.54.96.78
Packer/compiler information: COMPILER: Microsoft Visual Studio .NET 2005 -- 2008 -> Microsoft Corporation *
Note: the compiler match describes only the native stub. The "AutoIt" User-Agent, the "AutoIt v3" window class and the aut*.tmp drop files recorded further down are consistent with a compiled AutoIt v3 script that extracts its embedded payloads with FileInstall; the company name and version string are resource-block strings chosen by the author and carry no attribution value.
Key behavior
Behavior description: Writes data into another process
Details: TargetProcess = C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000978
TargetProcess = C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000978
TargetProcess = C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.exe, WriteAddress = 0x7ffd3238, Size = 0x00000004 TargetPID = 0x00000978
TargetProcess = C:\Windows\System32\rundll32.exe, WriteAddress = 0x00050000, Size = 0x000005dc TargetPID = 0x00000cdc
TargetProcess = C:\Windows\System32\rundll32.exe, WriteAddress = 0x7ffdb1e8, Size = 0x00000004 TargetPID = 0x00000cdc
TargetProcess = C:\Windows\System32\rundll32.exe, WriteAddress = 0x00060000, Size = 0x00000020 TargetPID = 0x00000cdc
TargetProcess = C:\Windows\System32\rundll32.exe, WriteAddress = 0x00060020, Size = 0x00000034 TargetPID = 0x00000cdc
TargetProcess = C:\Windows\System32\rundll32.exe, WriteAddress = 0x7ffdb238, Size = 0x00000004 TargetPID = 0x00000cdc
TargetProcess = C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.module.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000f14
TargetProcess = C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.module.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000f14
TargetProcess = C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.module.exe, WriteAddress = 0x7ffdf238, Size = 0x00000004 TargetPID = 0x00000f14
TargetProcess = C:\Windows\System32\rundll32.exe, WriteAddress = 0x00050000, Size = 0x000005dc TargetPID = 0x00000940
TargetProcess = C:\Windows\System32\rundll32.exe, WriteAddress = 0x7ffda1e8, Size = 0x00000004 TargetPID = 0x00000940
TargetProcess = C:\Windows\System32\rundll32.exe, WriteAddress = 0x00060000, Size = 0x00000020 TargetPID = 0x00000940
TargetProcess = C:\Windows\System32\rundll32.exe, WriteAddress = 0x00060020, Size = 0x00000034 TargetPID = 0x00000940
Behavior description: Reads the CPU time-stamp counter directly (RDTSC)
Details: EAX = 0x5d870f08, EDX = 0x0000039d
EAX = 0x5d870f54, EDX = 0x0000039d
EAX = 0x62c1de0d, EDX = 0x0000039d
Behavior description: Reads the GetTickCount value
Details: TickCount = 1165437, SleepMilliseconds = 60000.
TickCount = 1165453, SleepMilliseconds = 60000.
TickCount = 1165468, SleepMilliseconds = 60000.
TickCount = 1165484, SleepMilliseconds = 60000.
TickCount = 1165500, SleepMilliseconds = 60000.
TickCount = 1165578, SleepMilliseconds = 60000.
TickCount = 1165750, SleepMilliseconds = 60000.
TickCount = 1165796, SleepMilliseconds = 60000.
TickCount = 1165859, SleepMilliseconds = 60000.
Behavior description: Captures window screenshot
Details: Foreground window Info: HWND = 0x00010010, DC = 0xa501091f.
Behavior description: Sets special folder attributes
Details: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PrivacIE\Low
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\IECompatCache\Low
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\IETldCache\Low
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\IETldCache
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\Low
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\Low
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\Low\History.IE5
C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources
Note: every entry above except the last is an Internet Explorer cache, cookie or history folder that WinINet creates with system/hidden attributes on first use by any WinINet client; the last entry, the sample's own folder under Roaming, is the one the sample hides itself with attrib +s +h (see Process behavior).
Behavior description: Registry query associated with virtual-machine detection
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions\DisplayName
Behavior description: Self-deletion
Details: C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.module.exe
Process behavior
Behavior description: Creates process with hidden window
Details: ImagePath = , CmdLine = C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.module.exe a -y -mx9 -ssw "C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\41646D696E6973747261746F72412D504357494E.7z" "C:\Users\
ImagePath = , CmdLine = attrib +s +h "C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources"
ImagePath = C:\Windows\System32\%temp%\****.exe, CmdLine = %temp%\**** --machinereadable -- C:/07c18980de59b70b44f118fe7e28dc64_TagFile.txt
Behavior description: Creates process
Details: [0x00000978]ImagePath = C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.exe, CmdLine = C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.exe
[0x00000cdc]ImagePath = C:\Windows\System32\rundll32.exe, CmdLine = "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1
[0x00000940]ImagePath = C:\Windows\System32\rundll32.exe, CmdLine = "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1
[0x00000828]ImagePath = C:\Windows\System32\attrib.exe, CmdLine = attrib +s +h "C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources"
[0x00000c78]ImagePath = C:\Windows\System32\attrib.exe, CmdLine = attrib +s +h "C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources"
[0x00000d04]ImagePath = C:\Windows\System32\attrib.exe, CmdLine = attrib +s +h "C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources"
[0x00000a18]ImagePath = C:\Windows\System32\attrib.exe, CmdLine = attrib +s +h "C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources"
[0x000005f8]ImagePath = C:\Windows\System32\attrib.exe, CmdLine = attrib +s +h "C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources"
[0x000008dc]ImagePath = C:\Windows\System32\attrib.exe, CmdLine = attrib +s +h "C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources"
[0x00000e94]ImagePath = C:\Windows\System32\attrib.exe, CmdLine = attrib +s +h "C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources"
[0x00000608]ImagePath = C:\Windows\System32\attrib.exe, CmdLine = attrib +s +h "C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources"
[0x00000ab0]ImagePath = C:\Windows\System32\attrib.exe, CmdLine = attrib +s +h "C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources"
[0x000006cc]ImagePath = C:\Windows\System32\attrib.exe, CmdLine = attrib +s +h "C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources"
[0x0000099c]ImagePath = C:\Windows\System32\attrib.exe, CmdLine = attrib +s +h "C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources"
[0x00000bf0]ImagePath = C:\Windows\System32\attrib.exe, CmdLine = attrib +s +h "C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources"
Behavior description: Creates process from a newly created file
Details: [0x00000f14]ImagePath = C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.module.exe, CmdLine = C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.module.exe a -y -mx9 -ssw "C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\41646D696E6973747261746F72412D504357494E.7z" "C:\Users\
Behavior description: Enumerates processes
Details: N/A
Behavior description: Writes data into another process
Details: identical to the list under Key behavior above (target PIDs 0x00000978, 0x00000cdc, 0x00000f14 and 0x00000940).
Notes on the process section: the switches a -y -mx9 -ssw are 7-Zip command-line switches (add to archive, assume Yes on all prompts, compression level 9, compress files that are open for writing), so BrowserSettingSync.module.exe behaves as a renamed 7-Zip console binary used to pack the collected data; no -p switch is visible, so the archive is not password-protected as far as the truncated line shows. The hex archive name 41646D696E6973747261746F72412D504357494E decodes to the ASCII string "AdministratorA-PCWIN", which starts with the sandbox user name seen in the paths, so the archive is named after the victim's identity. The rundll32.exe instances running WININET.dll,DispatchAPICall 1 are a known side effect of WinINet refreshing the Internet Settings proxy configuration and appear with any WinINet client; the deletion of the ProxyServer, ProxyOverride and AutoConfigURL values under Registry behavior belongs to the same mechanism. The cross-process writes follow the same pattern for every child (0x20 and 0x34 bytes at 0x00050000/0x00060000 plus a 4-byte write in the 0x7ffdXXXX region, where the child's PEB lives on this 32-bit sandbox), which is consistent with a parent's normal process-creation bookkeeping; the report does not show the written bytes, so code injection can be neither confirmed nor ruled out from it.
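The two identifiers in the process section are worth decoding programmatically rather than by hand: the 7-Zip style command line, and the hex string reused for the archive name and (further down) the mutex name. The script below is an added example, not code from the VirSCAN report or from the sample; it treats BrowserSettingSync.module.exe as a 7-Zip console binary only because "a -y -mx9 -ssw" are 7-Zip switches, and that is an assumption the report does not state. It tries every start offset when decoding a hex run because, in the mutex name, the random prefix happens to end in hex digits and would otherwise swallow the identifier.

```python
"""Added example (not code from the VirSCAN report or from the sample): decode the
hex-encoded identifier reused in the archive and mutex names, and parse the 7-Zip
style command line recorded under "Creates process from a newly created file".

Assumption, not stated by the report: BrowserSettingSync.module.exe is treated as a
7-Zip console binary because "a -y -mx9 -ssw" are 7-Zip switches.
"""
import re

# Copied from the report; the command line is truncated there (it ends at "C:\Users\").
CMDLINE = (
    r'C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources'
    r'\BrowserSettingSync.module.exe a -y -mx9 -ssw '
    r'"C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources'
    r'\41646D696E6973747261746F72412D504357494E.7z" "C:\Users' "\\"
)
MUTEX = (
    "21253125083909741NKyXSjAFPVo5A2vQsqLZHn75HhXDhKqfJ0xa90089716Cf9B682514C34aD1c5A"
    "9255835781Ae41646D696E6973747261746F72412D504357494E"
)

# 7-Zip switch meanings (from the 7-Zip command-line documentation).
SEVENZIP_SWITCHES = {
    "-y": "assume Yes on all prompts",
    "-mx9": "compression level 9 (ultra)",
    "-ssw": "compress files that are open for writing",
    "-mhe": "encrypt archive headers (hide file names)",
    "-p": "set archive password (-p<password>)",
}

HEX_RUN = re.compile(r"[0-9A-Fa-f]{12,}")   # at least 6 bytes of hex digits
TOKEN = re.compile(r'"[^"]*"|\S+')           # quoted or bare argument


def decode_hex_identifiers(text, min_bytes=6):
    """Return (hex_run, decoded_ascii) for every hex run in text that decodes to at
    least min_bytes of printable ASCII from some start offset. Every offset is tried
    because a run may be glued to unrelated hex-looking characters."""
    hits = []
    for match in HEX_RUN.finditer(text):
        run, best = match.group(0), b""
        for start in range(len(run)):
            chunk = run[start:]
            chunk = chunk[: len(chunk) - len(chunk) % 2]   # keep whole bytes only
            raw = bytes.fromhex(chunk)
            if len(raw) >= min_bytes and len(raw) > len(best) \
                    and all(0x20 <= b < 0x7F for b in raw):
                best = raw
        if best:
            hits.append((run, best.decode("ascii")))
    return hits


def parse_sevenzip_cmdline(cmdline):
    """Split a 7-Zip style command line into command, switches, archive and inputs.
    An unterminated quote marks the point where the report truncated the line."""
    tokens = TOKEN.findall(cmdline)
    result = {"exe": tokens[0].strip('"'), "command": None, "switches": {},
              "archive": None, "inputs": [], "truncated": False}
    positionals = []
    for tok in tokens[1:]:
        if tok.startswith('"') and not tok.endswith('"'):
            result["truncated"] = True
            break
        if tok.startswith("-"):
            key = "-p" if tok.startswith("-p") else tok   # -p carries the password
            result["switches"][tok] = SEVENZIP_SWITCHES.get(key, "unknown switch")
        else:
            positionals.append(tok.strip('"'))
    if positionals:
        result["command"] = positionals[0]
    if len(positionals) > 1:
        result["archive"] = positionals[1]
        result["inputs"] = positionals[2:]
    result["password_protected"] = any(s.startswith("-p") for s in result["switches"])
    return result


if __name__ == "__main__":
    for run, text in decode_hex_identifiers(MUTEX):
        print(f"{run} -> {text!r}")
    for key, value in parse_sevenzip_cmdline(CMDLINE).items():
        print(f"{key}: {value}")
```

Both the archive name and the tail of the mutex decode to "AdministratorA-PCWIN"; the parser reports the archive as not password-protected and flags the line as truncated, so the list of packed inputs is unknown from this page.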
File behavior
Behavior description: Creates file
Details: C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\41646D696E6973747261746F72412D504357494E
C:\Users\Administrator\AppData\Local\Temp\autE272.tmp
C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.sqlite3.module.dll
C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\1\Screen.jpg
C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\1\Information.txt
C:\Users\Administrator\AppData\Local\Temp\autEB9B.tmp
C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.module.exe
C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\41646D696E6973747261746F72412D504357494E.7z
Behavior description: Creates executable file
Details: C:\Users\Administrator\AppData\Local\Temp\autE272.tmp
C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.sqlite3.module.dll
C:\Users\Administrator\AppData\Local\Temp\autEB9B.tmp
C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.module.exe
Behavior description: Overwrites existing file
Details: C:\Users\Administrator\AppData\Local\Temp\autE272.tmp
C:\Users\Administrator\AppData\Local\Temp\autEB9B.tmp
C:\Windows\System32\Tasks\P-3-5-32-1067496979-1071465242-1403971446-6860\{4LX1WE13-388F-MHZY-PNKN-YV9UBTE3VSVF}
Behavior description: Copies file
Details: C:\Users\ADMINI~1\AppData\Local\Temp\autE272.tmp ---> C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.sqlite3.module.dll
C:\Users\ADMINI~1\AppData\Local\Temp\autEB9B.tmp ---> C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.module.exe
Behavior description: Deletes file
Details: C:\Users\Administrator\AppData\Local\Temp\autE272.tmp
C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.sqlite3.module.dll
C:\Users\Administrator\AppData\Local\Temp\autEB9B.tmp
C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\1\Information.txt
C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\1\Screen.jpg
Behavior description: Searches for file
Details: FileName = C:\Users
FileName = C:\Users\Administrator\AppData
FileName = C:\Users\Administrator\AppData\Local
FileName = C:\Users\Administrator\AppData\Local\Temp
FileName = C:\Users\Administrator\AppData\Local\%temp%
FileName = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe
FileName = C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.exe
FileName = C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\
FileName = C:\Users\Administrator\AppData\Roaming
FileName = C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\*.*
FileName = C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\41646D696E6973747261746F72412D504357494E.7z
FileName = C:\Users\Administrator\Desktop\*.*
FileName = C:\Users\Administrator\Desktop\*
FileName = C:\Users\Administrator\AppData\Roaming\discord\Local Storage\
FileName = C:\Users\Administrator\AppData\Roaming\Exodus\exodus.wallet\
Note: the last two search targets (Discord's Local Storage and the Exodus wallet directory) are credential and cryptocurrency-wallet stores. Together with Screen.jpg and Information.txt, which are written under the 1\ subfolder and deleted again after the 7z archive is created, this is the collection phase of an information stealer.
Behavior description: Renames file
Details: C:\Users\Administrator\AppData\Local\%temp%\b70c.exe ---> C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.exe
Behavior description: Sets special folder attributes
Details: identical to the list under Key behavior above (Internet Explorer cache folders plus the sample's own Roaming folder).
Behavior description: Modifies file content
Details: C:\Users\Administrator\AppData\Local\Temp\autE272.tmp ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\autE272.tmp ---> Offset = 65536
C:\Users\Administrator\AppData\Local\Temp\autE272.tmp ---> Offset = 131072
C:\Users\Administrator\AppData\Local\Temp\autE272.tmp ---> Offset = 196608
C:\Users\Administrator\AppData\Local\Temp\autE272.tmp ---> Offset = 262144
C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.sqlite3.module.dll ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.sqlite3.module.dll ---> Offset = 65536
C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.sqlite3.module.dll ---> Offset = 131072
C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.sqlite3.module.dll ---> Offset = 196608
C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.sqlite3.module.dll ---> Offset = 262144
C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\1\Screen.jpg ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\1\Screen.jpg ---> Offset = 4096
C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\1\Screen.jpg ---> Offset = 8192
C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\1\Screen.jpg ---> Offset = 12288
C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\1\Screen.jpg ---> Offset = 16384
Behavior description: Self-deletion
Details: as listed under Key behavior above (BrowserSettingSync.module.exe).
Network behavior
Behavior description: Connects to specified host
Details: InternetConnectA: ServerName = ip****co, PORT = 443, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
WinHttpConnect: ServerName = ap****rg, PORT = 443, UserName = , Password = , hSession = 0x03598c60, hConnect = 0x03598b78, Flags = 0x00000000
InternetConnectA: ServerName = ap****rg, PORT = 443, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
WinHttpConnect: ServerName = ap****rg, PORT = 443, UserName = , Password = , hSession = 0x035e8638, hConnect = 0x035e8720, Flags = 0x00000000
Behavior description: Opens HTTP session
Details: InternetOpenA: UserAgent: AutoIt, hSession = 0x00cc0004
WinHttpOpen: UserAgent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), hSession = 0x03598c60
WinHttpOpen: UserAgent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), hSession = 0x035e8638
Behavior description: Establishes a connection to a specified socket
Details: URL: ip****co, IP: **.133.40.**:443, SOCKET = 0x000003dc
IP: **.142.97.**:65233, SOCKET = 0x00000504
IP: **.142.97.**:65233, SOCKET = 0x000003c0
Behavior description: Sends HTTP packet
Details: CONNECT api.telegram.org:443 HTTP/1.0 User-Agent: AutoIt Host: ap****rg:443 Content-Length: 0 Proxy-Connection: Keep-Alive Pragma: no-cache
Behavior description: Opens HTTP request
Details: HttpOpenRequestA: ip****co:443/json, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x80803000
WinHttpOpenRequest: ap****rg:443/bot692782084:aah3hvgquw2t-qjofdh_5qwtodx3numooka/getme?, hConnect = 0x03598b78, hRequest = 0x03944340, Verb: GET, Referer: , Flags = 0x00800080
HttpOpenRequestA: ap****rg:443/bot692782084:aah3hvgquw2t-qjofdh_5qwtodx3numooka/getme, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x80803000
WinHttpOpenRequest: ap****rg:443/bot692782084:aah3hvgquw2t-qjofdh_5qwtodx3numooka/getme?, hConnect = 0x035e8720, hRequest = 0x0390fb10, Verb: GET, Referer: , Flags = 0x00800080
Behavior description: Resolves host address by name
Details: gethostbyname: localhost
GetAddrInfoW: ip****co
Notes on the network section: the CONNECT request shows the traffic leaving through the sandbox's HTTP proxy; the destination is the Telegram Bot API (api.telegram.org), addressed with a bot token embedded in the URL path. Only getMe, which validates the token, is recorded, so no upload (sendDocument or similar) was observed in this run. The token as logged is entirely lower-case, while Telegram tokens are case-sensitive and mixed-case, so the logged value is a case-folded copy and not a usable credential; the numeric bot id 692782084 in front of the colon is the reliable part. The first host (ip****co, path /json) is masked by the report; the request shape is consistent with an IP-geolocation lookup. The two User-Agent strings, "AutoIt" for WinINet and "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" for WinHTTP, are library defaults and make good proxy-log indicators.
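The network pattern above (Bot API host, non-browser User-Agent, token in the path) is straightforward to hunt for in proxy logs. The script below is an added example, not code from the report; the log layout it parses (timestamp, client, method, URL, status, quoted User-Agent) is an assumption made for this example rather than any real proxy product's format, and the log lines are constructed, the first two mirroring the CONNECT and GET recorded above.

```python
"""Added example (not code from the report): detection logic for the network pattern
recorded above, run over constructed proxy log lines. Flags Telegram Bot API traffic
coming from non-browser User-Agents and extracts the bot identifier and API method
from the URL. The log format (timestamp client method url status "user-agent") is an
assumption for this example, not a real proxy product's layout.
"""
import re
from urllib.parse import urlsplit

LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d+) "([^"]*)"$')
# Telegram Bot API path: /bot<numeric id>:<token>/<method>. Real tokens are 35
# characters of mixed-case letters, digits, '_' and '-'.
BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{30,})/([A-Za-z]+)")
# Mainstream browser User-Agents. Neither string the sample used ("AutoIt" and
# WinHTTP's "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)") matches.
BROWSER_UA = re.compile(r"Mozilla/5\.0 .*\b(Chrome|Firefox|Safari|Edg)/")

# Constructed sample log: lines 1-2 mirror the CONNECT and GET seen in the report,
# line 3 is normal browser use of Telegram Web, line 4 a hypothetical upload.
SAMPLE_LOG = """\
2024-03-01T09:15:01Z 10.0.0.5 CONNECT api.telegram.org:443 200 "AutoIt"
2024-03-01T09:15:01Z 10.0.0.5 GET https://api.telegram.org/bot692782084:aah3hvgquw2t-qjofdh_5qwtodx3numooka/getMe 200 "AutoIt"
2024-03-01T09:15:07Z 10.0.0.7 GET https://web.telegram.org/a/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0 Safari/537.36"
2024-03-01T09:16:40Z 10.0.0.9 POST https://api.telegram.org/bot123456789:AAHx9QzYkLm3nOpQrStUvWxYz0123456789/sendDocument 200 "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
"""


def host_of(method, url):
    """CONNECT lines carry host:port rather than a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def analyse_proxy_log(log_text):
    """Return one alert per non-browser request to the Telegram Bot API."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, client, method, url, _status, ua = m.groups()
        if host_of(method, url) != "api.telegram.org" or BROWSER_UA.search(ua):
            continue
        alert = {"time": ts, "client": client, "user_agent": ua,
                 "bot_id": None, "api_method": None, "token_case_folded": None}
        if method != "CONNECT":
            bot = BOT_PATH.match(urlsplit(url).path)
            if bot:
                bot_id, token, api_method = bot.groups()
                # An all-lower-case token was case-folded by whatever logged it
                # (tokens are case-sensitive), so it cannot be replayed or revoked
                # as-is; only the numeric bot id is reliable in that case.
                alert.update(bot_id=bot_id, api_method=api_method,
                             token_case_folded=(token == token.lower()))
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in analyse_proxy_log(SAMPLE_LOG):
        print(alert)
```

The CONNECT line yields an alert with no bot id (the path travels inside the TLS tunnel, so a proxy only sees it when it performs TLS inspection); the getMe line yields bot 692782084 with the case-folded flag set, matching what the report shows.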
Registry behavior
Behavior description: Deletes registry key
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Handshake\{63A64A74-9222-4CBF-80F1-F57247A3802C}\
Behavior description: Deletes registry value
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
Behavior description: Registry query associated with virtual-machine detection
Details: as listed under Key behavior above (VirtualBox Guest Additions uninstall entry).
Behavior description: Modifies registry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\BrowserSettingSync_RASAPI32\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\BrowserSettingSync_RASAPI32\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\BrowserSettingSync_RASAPI32\FileTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\BrowserSettingSync_RASAPI32\ConsoleTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\BrowserSettingSync_RASAPI32\MaxFileSize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\BrowserSettingSync_RASAPI32\FileDirectory
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\BrowserSettingSync_RASMANCS\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\BrowserSettingSync_RASMANCS\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\BrowserSettingSync_RASMANCS\FileTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\BrowserSettingSync_RASMANCS\ConsoleTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\BrowserSettingSync_RASMANCS\MaxFileSize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\BrowserSettingSync_RASMANCS\FileDirectory
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-*\RefCount
Note on the registry section: the Internet Settings values and the Tracing\BrowserSettingSync_RASAPI32 and _RASMANCS keys are standard side effects of a process using WinINet and RAS (the Tracing key is named after the process), not configuration changes made on purpose. The deleted Schedule\Handshake key and the overwritten file under System32\Tasks (File behavior) are Task Scheduler artifacts; the task path is masked in the report and the task definition is not shown, so persistence through a scheduled task cannot be confirmed from this page.
Other behavior
Behavior description: Checks whether it is being debugged
Details: IsDebuggerPresent
Behavior description: Creates mutex
Details: 21253125083909741NKyXSjAFPVo5A2vQsqLZHn75HhXDhKqfJ0xa90089716Cf9B682514C34aD1c5A9255835781Ae41646D696E6973747261746F72412D504357494E
RasPbFile
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Local\!IETld!Mutex
Local\c:!users!administrator!appdata!roaming!microsoft!windows!ietldcache!
Local\_!MSFTHISTORY!_LOW!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!low!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!low!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!low!history.ie5!
Note: the first mutex ends with the same hex string as the archive name, 41646D696E6973747261746F72412D504357494E ("AdministratorA-PCWIN"), so the sample's run-once mutex is derived from the victim identity as well. The Local\Zones*Mutex, !IETld! and _!MSFTHISTORY!_ mutexes are created by urlmon/WinINet for any process that uses them.
Behavior description: Hides specified window
Details: [Window,Class] = [AutoIt v3,AutoIt v3]
[Window,Class] = [C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.module.exe,ConsoleWindowClass]
[Window,Class] = [C:\Windows\system32\attrib.exe,ConsoleWindowClass]
[Window,Class] = [C:\Windows\System32\%temp%\****.exe,ConsoleWindowClass]
Behavior description: Opens mutex
Details: Local\_!MSFTHISTORY!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
Local\!IETld!Mutex
Local\c:!users!administrator!appdata!roaming!microsoft!windows!ietldcache!
Local\_!MSFTHISTORY!_LOW!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!low!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!low!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!low!history.ie5!
Behavior description: Reads the GetTickCount value
Details: as listed under Key behavior above (nine reads from 1165437 to 1165859, each annotated SleepMilliseconds = 60000).
Behavior description: Adjusts process token privileges
Details: SE_RESTORE_PRIVILEGE
SE_CREATE_SYMBOLIC_LINK_PRIVILEGE
SE_SECURITY_PRIVILEGE
SE_AUDIT_PRIVILEGE
Behavior description: Opens event
Details: HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
\KernelObjects\MaximumCommitCondition
MSFT.VSA.COM.DISABLE.1556
MSFT.VSA.IEC.STATUS.6c736db0
MSFT.VSA.COM.DISABLE.2424
Global\SvcctrlStartEvent_A3752DX
MSFT.VSA.COM.DISABLE.2708
Behavior description: Captures window screenshot
Details: as listed under Key behavior above (foreground window HWND = 0x00010010).
Behavior description: Executable file signature information
Details: C:\Users\Administrator\AppData\Local\Temp\autE272.tmp (signature verification: failed)
C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.sqlite3.module.dll (signature verification: failed)
C:\Users\Administrator\AppData\Local\Temp\autEB9B.tmp (signature verification: failed)
C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.module.exe (signature verification: failed)
Behavior description: Calls Sleep
Details: [1]: MilliSeconds = 60000.
[2]: MilliSeconds = 60000.
[3]: MilliSeconds = 0.
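The Sleep calls here and the GetTickCount reads under Key behavior are the two halves of the classic sleep-acceleration check: read the tick counter, Sleep for a long interval, read it again, and treat a delta far below the requested interval as a sign that a sandbox shortened the sleep. The script below is an added example, not code from the report; it parses the lines as printed on this page and computes what such a delta check would see. The report does not order the tick reads relative to the Sleep calls and does not define its SleepMilliseconds column, so the result shows what the sample could observe, not whether it acted on it. GetTickCount is a 32-bit millisecond counter that wraps every 49.7 days, so the deltas are taken modulo 2**32.

```python
"""Added example (not code from the report): evaluate the GetTickCount / Sleep pairs
recorded on this page for the sleep-acceleration check. Deltas are taken modulo 2**32
because GetTickCount wraps after about 49.7 days.
"""
import re

TICK_LINE = re.compile(r"TickCount = (\d+), SleepMilliseconds = (\d+)")
SLEEP_LINE = re.compile(r"\[\d+\]: MilliSeconds = (\d+)")

# Lines copied from the report. The SleepMilliseconds column is the sandbox's own
# annotation; the page does not define its exact meaning, so only the explicit
# Sleep calls are counted as requested sleep.
REPORT_LINES = """\
TickCount = 1165437, SleepMilliseconds = 60000.
TickCount = 1165453, SleepMilliseconds = 60000.
TickCount = 1165468, SleepMilliseconds = 60000.
TickCount = 1165484, SleepMilliseconds = 60000.
TickCount = 1165500, SleepMilliseconds = 60000.
TickCount = 1165578, SleepMilliseconds = 60000.
TickCount = 1165750, SleepMilliseconds = 60000.
TickCount = 1165796, SleepMilliseconds = 60000.
TickCount = 1165859, SleepMilliseconds = 60000.
[1]: MilliSeconds = 60000.
[2]: MilliSeconds = 60000.
[3]: MilliSeconds = 0.
"""


def tick_delta(before, after):
    """Elapsed milliseconds between two GetTickCount reads, correct across the
    32-bit wrap (e.g. 4294967290 -> 5 is 11 ms, not a negative number)."""
    return (after - before) % (1 << 32)


def assess_sleep_check(text):
    """Compare the tick time elapsed across all reads with the sleep the sample
    requested. sleep_visible_in_ticks is True only if some pair of consecutive
    reads is at least one requested (non-zero) sleep apart, i.e. only if a
    sample doing the delta check would conclude the sleep was honoured."""
    ticks = [int(m.group(1)) for m in TICK_LINE.finditer(text)]
    sleeps = [int(m.group(1)) for m in SLEEP_LINE.finditer(text)]
    steps = [tick_delta(a, b) for a, b in zip(ticks, ticks[1:])]
    requested = [s for s in sleeps if s > 0]
    max_step = max(steps, default=0)
    return {
        "tick_reads": len(ticks),
        "tick_span_ms": sum(steps),
        "max_step_ms": max_step,
        "sleep_requested_ms": sum(requested),
        "sleep_visible_in_ticks": bool(requested) and max_step >= min(requested),
    }


if __name__ == "__main__":
    for key, value in assess_sleep_check(REPORT_LINES).items():
        print(f"{key}: {value}")
```

For the values on this page the nine reads span 422 ms of tick time and the largest single step is 172 ms, against 120000 ms of requested sleep; no consecutive pair of reads is 60 s apart, which is the situation a sleep-delta check is written to detect.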
Behavior description: Creates event object
Details: EventName = ConsoleEvent-0x00000FE8
EventName = ConsoleEvent-0x00000DD8
EventName = ConsoleEvent-0x000009A4
EventName = ConsoleEvent-0x00000830
EventName = ConsoleEvent-0x00000490
EventName = ConsoleEvent-0x00000F24
EventName = ConsoleEvent-0x00000BEC
EventName = ConsoleEvent-0x00000C28
EventName = ConsoleEvent-0x00000D18
EventName = ConsoleEvent-0x00000C8C
EventName = ConsoleEvent-0x00000A68
EventName = ConsoleEvent-0x00000838
EventName = ConsoleEvent-0x00000814
EventName = ConsoleEvent-0x00000B88
EventName = ConsoleEvent-0x000009C0
Behavior description: Executable file MD5
Details: C:\Users\Administrator\AppData\Local\Temp\autE272.tmp ---> 71000fc34d27d2016846743d1dcce548
C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.sqlite3.module.dll ---> 71000fc34d27d2016846743d1dcce548
C:\Users\Administrator\AppData\Local\Temp\autEB9B.tmp ---> 965119091c292c96af5011f40dae87a5
C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.module.exe ---> 965119091c292c96af5011f40dae87a5
Note: the paired hashes confirm that autE272.tmp and autEB9B.tmp are the staged copies of the dropped DLL and EXE. The DLL's name suggests an SQLite library, which stealers use to read browser databases, but the page gives no signature or export information to confirm that.
Behavior description: Reads the CPU time-stamp counter directly (RDTSC)
Details: as listed under Key behavior above.
Behavior description: Loads newly dropped file
Details: Image: C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.sqlite3.module.dll.
Image: C:\Users\Administrator\AppData\Roaming\wow64_microsoft-windows-usbui.resources\BrowserSettingSync.module.exe.