VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives whose password is 'infected' or 'virus'.


File information
Safety rating: 80
Behavior list
Basic Information
MD5: 842d5107a41c9c4ae29634ccee7b6488
File type: zip
Production company:
Version:
Shell or compiler information: COMPILER:UPX 0.80 - 1.24 DLL -> Markus & Laszlo
Subfile information: lantern.exe / big file / EXE
lantern-2.2.5.yaml / 18bf88b18a528c7c8dcf9d8ae052dacb / Unknown
lantern.log / 021bb056df461d36651268e6fbc4504d / Unknown
.packaged-lantern.yaml / 2c8b054c8a12515f1a3837c0c29ccf31 / Unknown
lantern.yaml / d784fa8b6d98d27699781bd9a7cf19f0 / Unknown
LDdumpFile / d41d8cd98f00b204e9800998ecf8427e / Unknown
Key behavior
Behavior description: Cross-process data write
details:TargetProcess = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\LD\support.exe, WriteAddress = 0x00080000, Size = 0x00000020
TargetProcess = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\LD\support.exe, WriteAddress = 0x00080020, Size = 0x00000034
TargetProcess = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\LD\support.exe, WriteAddress = 0x7ffd4238, Size = 0x00000004
TargetProcess = C:\Users\Administrator\AppData\Roaming\byteexec\pac-cmd.exe, WriteAddress = 0x00240000, Size = 0x00000020
TargetProcess = C:\Users\Administrator\AppData\Roaming\byteexec\pac-cmd.exe, WriteAddress = 0x00240020, Size = 0x00000034
TargetProcess = C:\Users\Administrator\AppData\Roaming\byteexec\pac-cmd.exe, WriteAddress = 0x7ffd4238, Size = 0x00000004
TargetProcess = C:\Windows\System32\rundll32.exe, WriteAddress = 0x00050000, Size = 0x000005dc
TargetProcess = C:\Windows\System32\rundll32.exe, WriteAddress = 0x7ffd41e8, Size = 0x00000004
TargetProcess = C:\Windows\System32\rundll32.exe, WriteAddress = 0x00060000, Size = 0x00000020
TargetProcess = C:\Windows\System32\rundll32.exe, WriteAddress = 0x00060020, Size = 0x00000034
TargetProcess = C:\Windows\System32\rundll32.exe, WriteAddress = 0x7ffd4238, Size = 0x00000004
TargetProcess = C:\Windows\System32\rundll32.exe, WriteAddress = 0x7ffdf1e8, Size = 0x00000004
TargetProcess = C:\Windows\System32\rundll32.exe, WriteAddress = 0x7ffdf238, Size = 0x00000004
TargetProcess = C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x00040000, Size = 0x00000020
TargetProcess = C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x00040020, Size = 0x00000034
Behavior description: Loads a driver (normal method)
details:\??\C:\Windows\ipsec32.sys
Behavior description: Gets TickCount value
details:TickCount = 834093, SleepMilliseconds = 60000.
Behavior description: Finds PE resource information
details:(FindResourceExExW) hModule = 0x00000000, ResName: 95(ID), ResType: WIN32EXE
(FindResourceExExW) hModule = 0x00000000, ResName: a7(ID), ResType: WIN32EXE
(FindResourceExExW) hModule = 0x00000000, ResName: 97(ID), ResType: WIN32EXE
Behavior description: Gets window screenshot information
details:Foreground window Info: HWND = 0x00000000, DC = 0x4a0108d0.
Behavior description: Sets special folder attributes
details:C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PrivacIE\Low
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\IECompatCache\Low
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\IETldCache\Low
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\Low
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\Low
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\Low\History.IE5
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache
Behavior description: Reads CPU clock directly
details:EAX = 0xc1061dcf, EDX = 0x00000280
Behavior description: Creates system service
details:[service created successfully]: ipsec32.sys, C:\Windows\ipsec32.sys
Behavior description: Modifies registry: startup item
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\Lantern
Process behavior
Behavior description: Creates process from newly created file
details:ImagePath = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\LD\support.exe, CmdLine = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\LD\support.exe
ImagePath = C:\Users\Administrator\AppData\Roaming\byteexec\pac-cmd.exe, CmdLine = C:\Users\Administrator\AppData\Roaming\byteexec\pac-cmd.exe on http://127.0.0.1:16823/proxy_on.pac?1482340361963859400
Behavior description: Enumerates processes
details:N/A
Behavior description: Creates process
details:ImagePath = C:\Windows\System32\rundll32.exe, CmdLine = "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.DLL",DispatchAPICall 1
ImagePath = C:\Windows\System32\rundll32.exe, CmdLine = C:\Windows\System32\rundll32.exe url.dll,FileProtocolHandler http://127.0.0.1:16823
ImagePath = C:\Program Files\Internet Explorer\iexplore.exe, CmdLine = "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
ImagePath = C:\Program Files\Internet Explorer\iexplore.exe, CmdLine = "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1764 CREDAT:79873
File behavior
Behavior description: Creates file
details:C:\Windows\libegl.dll
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\LD\support.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\api[1]
C:\Users\Administrator\AppData\Roaming\byteexec\certimporter.exe
C:\Users\Administrator\AppData\Roaming\systray\systray.dll
C:\Windows\ipsec32.sys
C:\Users\Administrator\AppData\Roaming\Lantern\logs\lantern.log
C:\Users\Administrator\AppData\Local\Temp\systray_temp_icon205380803
C:\Users\Administrator\AppData\Roaming\Lantern\lantern-2.2.5.yaml
C:\Users\Administrator\AppData\Roaming\byteexec\pac-cmd.exe
C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B404712D-C7A0-11E6-949C-080027488980}.dat
C:\Users\Administrator\AppData\Local\Temp\~DF1EC4C9B6D9BC97D8.TMP
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\proxy_on[1].pac
C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B404712E-C7A0-11E6-949C-080027488980}.dat
C:\Users\Administrator\AppData\Local\Temp\~DF110A6FCBD05EDDA0.TMP
Behavior description: Creates executable file
details:C:\Windows\libegl.dll
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\LD\support.exe
C:\Users\Administrator\AppData\Roaming\byteexec\certimporter.exe
C:\Users\Administrator\AppData\Roaming\systray\systray.dll
C:\Windows\ipsec32.sys
C:\Users\Administrator\AppData\Roaming\byteexec\pac-cmd.exe
C:\Users\Administrator\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Behavior description: Overwrites existing file
details:C:\Users\Administrator\AppData\Roaming\Lantern\lantern-2.2.5.yaml
Behavior description: Searches for file
details:FileName = C:\Windows\libegl.zh-CN
FileName = C:\Windows\libegl.zh-Hans
FileName = C:\Windows\libegl.zh
FileName = C:\Windows\libegl.en-US
FileName = C:\Windows\libegl.en
FileName = C:\Windows\libegl.CHS
FileName = C:\Windows\libegl.CH
FileName = C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
FileName = C:\ProgramData\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\Windows\system32\Ras\*.pbk
FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\Users
FileName = C:\Users\Administrator\AppData
FileName = C:\Users\Administrator\AppData\Local
Behavior description: Deletes file
details:C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\api[1]
C:\Users\Administrator\AppData\Local\Temp\~DF1EC4C9B6D9BC97D8.TMP
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\proxy_on[1].pac
C:\Users\Administrator\AppData\Local\Temp\~DF110A6FCBD05EDDA0.TMP
C:\Users\Administrator\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
C:\Users\Administrator\AppData\Roaming\Lantern\logs\lantern.log.5
Behavior description: Renames file
details:C:\Users\Administrator\AppData\Roaming\Lantern\logs\lantern.log ---> C:\Users\Administrator\AppData\Roaming\Lantern\logs\lantern.log.1
C:\Users\Administrator\AppData\Roaming\Lantern\logs\lantern.log.1 ---> C:\Users\Administrator\AppData\Roaming\Lantern\logs\lantern.log.2
C:\Users\Administrator\AppData\Roaming\Lantern\logs\lantern.log.2 ---> C:\Users\Administrator\AppData\Roaming\Lantern\logs\lantern.log.3
C:\Users\Administrator\AppData\Roaming\Lantern\logs\lantern.log.3 ---> C:\Users\Administrator\AppData\Roaming\Lantern\logs\lantern.log.4
C:\Users\Administrator\AppData\Roaming\Lantern\logs\lantern.log.4 ---> C:\Users\Administrator\AppData\Roaming\Lantern\logs\lantern.log.5
Behavior description: Modifies file contents
details:C:\Windows\libegl.dll ---> Offset = 0
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\LD\support.exe ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\byteexec\certimporter.exe ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\systray\systray.dll ---> Offset = 0
C:\Windows\ipsec32.sys ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\Lantern\logs\lantern.log ---> Offset = -1
C:\Users\Administrator\AppData\Local\Temp\systray_temp_icon205380803 ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\Lantern\lantern-2.2.5.yaml ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\byteexec\pac-cmd.exe ---> Offset = 0
C:\Windows\AppCompat\Programs\RecentFileCache.bcf ---> Offset = 17684
C:\Windows\AppCompat\Programs\RecentFileCache.bcf ---> Offset = 17688
C:\Windows\AppCompat\Programs\RecentFileCache.bcf ---> Offset = 16
C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B404712D-C7A0-11E6-949C-080027488980}.dat ---> Offset = 512
C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B404712D-C7A0-11E6-949C-080027488980}.dat ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\~DF1EC4C9B6D9BC97D8.TMP ---> Offset = 16383
Network behavior
Behavior description: Opens URL over the network
details:InternetOpenUrlA: http://u.****om/ltxx/api?a=s&q=xx1&v=1.0.0&m=08-00-27-48-89-80, hInternet = 0x00cc0004, Flags = 0x00000001
InternetOpenUrlA: http://**.0.0.**:16823/proxy_on.pac?1482340361963859400, hInternet = 0x00cc0004, Flags = 0x00000010
Behavior description: Downloads file
details:URLDownloadToFileW: http://ww****om/favicon.ico ---> C:\Users\Administrator\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
C:\Users\Administrator\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Behavior description: Opens specified web page in IE
details:http://**.0.0.**:16823
http://**.0.0.**:16823/
Behavior description: Connects to specified site
details:InternetConnectA: ServerName = **.0.0.**, PORT = 16823, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
InternetConnectA: ServerName = ww****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
InternetConnectA: ServerName = ur****om, PORT = 443, UserName = , Password = , hSession = 0x00cc0010, hConnect = 0x00cc0014, Flags = 0x00000200
Behavior description: Opens HTTP connection
details:InternetOpenA: UserAgent: lantern, hSession = 0x00cc0004
InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0), hSession = 0x00cc0004
InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0), hSession = 0x00cc0004
InternetOpenA: UserAgent: VCSoapClient, hSession = 0x00cc0010
Behavior description: Establishes a socket connection to a specified address
details:URL: u.****om, IP: **.133.40.**:80, SOCKET = 0x00000384
URL: , IP: **.0.0.**:16823, SOCKET = 0x000003b4
URL: , IP: **.0.0.**:16823, SOCKET = 0x00000470
Behavior description: Reads network file
details:hFile = 0x00cc000c, BytesToRead =4010, BytesRead = 4010.
hFile = 0x00cc0018, BytesToRead =4095, BytesRead = 4095.
Behavior description: Sends HTTP packet
details:GET /ltxx/api?a=s&q=xx1&v=1.0.0&m=08-00-27-48-89-80 HTTP/1.1 User-Agent: lantern Host: u.****om
CONNECT update.getlantern.org:443 HTTP/1.1 Host: up****rg:443 User-Agent: Go-http-client/1.1
GET http://geo.getiantem.org/lookup/ HTTP/1.1 Host: ge****rg User-Agent: Go-http-client/1.1 Accept: application/json Accept-Encoding: gzip Connection: close
GET http://config.getiantem.org/cloud.yaml.gz?696e0fa5-5309-456c-b5ca-0b6cd695a2e1 HTTP/1.1 Host: co****rg User-Agent: Go-http-client/1.1 Connection: close Accept: application/x-gzip Cache-Control: no-cache Accept-Encoding: gzip Connection: close
GET /proxy_on.pac?1482340361963859400 HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0) Host: **.0.0.**:16823
CONNECT logs-01.loggly.com:443 HTTP/1.1 Host: lo****om:443 User-Agent: Go-http-client/1.1
Behavior description: Opens HTTP request
details:HttpOpenRequestA: **.0.0.**:16823/, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400000
HttpOpenRequestA: ww****om:80/favicon.ico, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00600010
HttpOpenRequestA: **.0.0.**:16823/, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
HttpOpenRequestA: ur****om:443/urs.asmx?msurs-client-key=mnnosamicyc2j%2bnqka%2b9/w%3d%3d&msurs-patented-lock=e2rlqnrjcka%3d, hConnect = 0x00cc0014, hRequest = 0x00cc0018, Verb: POST, Referer: , Flags = 0x04880300
Behavior description: Resolves host address by name
details:GetAddrInfoW: u.****om
Registry behavior
Behavior description: Modifies registry
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows Script\Settings\JITDebug
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lantern_RASAPI32\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lantern_RASAPI32\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lantern_RASAPI32\FileTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lantern_RASAPI32\ConsoleTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lantern_RASAPI32\MaxFileSize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lantern_RASAPI32\FileDirectory
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lantern_RASMANCS\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lantern_RASMANCS\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lantern_RASMANCS\FileTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lantern_RASMANCS\ConsoleTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lantern_RASMANCS\MaxFileSize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\lantern_RASMANCS\FileDirectory
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-*\RefCount
Behavior description: Deletes registry value
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures\User_Feed_Synchronization-{DD45CED3-68D4-4258-9DB0-B2D0B36690C9}.job
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures\User_Feed_Synchronization-{DD45CED3-68D4-4258-9DB0-B2D0B36690C9}.job.fp
Behavior description: Modifies registry: IE connection settings
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Other behavior
Behavior description: Checks whether it is being debugged
details:N/A
Behavior description: Creates mutex
details:RasPbFile
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Local\_!MSFTHISTORY!_LOW!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!low!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!low!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!low!history.ie5!
ConnHashTable<1764>_HashTable_Mutex
IESQMMUTEX_0_208
Local\Feed Eventing Shared Memory Mutex S-*
Local\RSS Eventing Connection Database Mutex 000006e4
Local\c:!users!administrator!appdata!local!microsoft!feeds cache!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!iecompatcache!
Behavior description: Creates event object
details:EventName = Isolation Signal Registry Event (B404712B-C7A0-11E6-949C-080027488980, 0)
EventName = IE_EarlyTabStart_0x364
EventName = Isolation Signal Registry Event (B404712C-C7A0-11E6-949C-080027488980, 0)
EventName = OleDfRoot1546DC3687CBBB
EventName = Local\IEDDEExecuteEvent
EventName = OleDfRootDACF13710AA27638
EventName = Local\RSS Eventing Event Event 000006e4
EventName = IEFrame.EventCheckDefaultBrowser
EventName = Local\e84_4823
Behavior description: Opens event
details:HookSwitchHookEnabledEvent
\KernelObjects\MaximumCommitCondition
MSFT.VSA.COM.DISABLE.2520
MSFT.VSA.IEC.STATUS.6c736db0
Local\MSCTF.CtfActivated.Default1
Local\MSCTF.AsmCacheReady.Default1
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
Isolation Signal Registry Event (B404712B-C7A0-11E6-949C-080027488980, 0)
Isolation Signal Registry Event (B404712C-C7A0-11E6-949C-080027488980, 0)
IE_EarlyTabStart_0x364
MSFT.VSA.COM.DISABLE.1764
Global\TabletHardwarePresent
MSFT.VSA.COM.DISABLE.3716
Local\RSS Eventing Event Event 000006e4
Behavior description: Opens mutex
details:Local\MSCTF.Asm.MutexDefault1
Local\_!MSFTHISTORY!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
Local\!IETld!Mutex
Local\_!MSFTHISTORY!_LOW!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!low!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!low!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!low!history.ie5!
Local\!BrowserEmulation!SharedMemory!Mutex
Behavior description: Finds specified window
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [IEFrame,]
NtUserFindWindowEx: [Class,Window] = [Static,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
Behavior description: Starts system service
details:[service started successfully]: , ipsec32.sys, \??\C:\Windows\ipsec32.sys
Behavior description: Enumerates windows
details:N/A
Behavior description: Adjusts process token privileges
details:SE_SECURITY_PRIVILEGE
SE_AUDIT_PRIVILEGE
Behavior description: Window information
details:Pid = 2520, Hwnd=0x150128, Text = 1:, ClassName = Static.
Pid = 2520, Hwnd=0x180116, Text = load, ClassName = Button.
Pid = 2520, Hwnd=0xe02ca, Text = 1, ClassName = Button.
Pid = 2520, Hwnd=0x2001c0, Text = 2, ClassName = Button.
Pid = 2520, Hwnd=0x2401de, Text = 3, ClassName = Button.
Pid = 2520, Hwnd=0x1b01dc, Text = 4, ClassName = Button.
Pid = 2520, Hwnd=0x22016c, Text = C:\Users\Administrator\Desktop, ClassName = MFCEditBrowse.
Behavior description: Executable signature information
details:C:\Windows\libegl.dll (signature verification: failed)
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\LD\support.exe (signature verification: failed)
C:\Users\Administrator\AppData\Roaming\byteexec\certimporter.exe (signature verification: failed)
C:\Users\Administrator\AppData\Roaming\systray\systray.dll (signature verification: failed)
C:\Windows\ipsec32.sys (signature verification: failed)
C:\Users\Administrator\AppData\Roaming\byteexec\pac-cmd.exe (signature verification: failed)
C:\Users\Administrator\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico (signature verification: failed)
Behavior description: Calls Sleep function
details:[1]: MilliSeconds = 60000.
[2]: MilliSeconds = 60000.
[3]: MilliSeconds = 60000.
[4]: MilliSeconds = 60000.
[5]: MilliSeconds = 0.
Behavior description: Hides specified window
details:[Window,Class] = [,SystrayClass]
[Window,Class] = [,BrowserFrameGripperClass]
[Window,Class] = [缩放级别,ToolbarWindow32]
[Window,Class] = [,msctls_progress32]
[Window,Class] = [,SysLink]
[Window,Class] = [,Static]
[Window,Class] = [Windows Internet Explorer,IEFrame]
[Window,Class] = [,UniversalSearchBand]
[Window,Class] = [,TravelBand]
[Window,Class] = [,CommandBarClass]
[Window,Class] = [,ReBarWindow32]
[Window,Class] = [,TabBandClass]
[Window,Class] = [文件大小未知,Static]
[Window,Class] = [打开此类文件前总是询问(&W),Button]
[Window,Class] = [发行者:,Static]
Behavior description: Executable MD5
details:C:\Windows\libegl.dll ---> 65b2f8a9e6d8975b740d3653d0b074bd
C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\LD\support.exe ---> file too large!
C:\Users\Administrator\AppData\Roaming\byteexec\certimporter.exe ---> e32999d868156e98933c934e07af7ee7
C:\Users\Administrator\AppData\Roaming\systray\systray.dll ---> 5c4d9b4aec4a7f9d2f5826483458507e
C:\Windows\ipsec32.sys ---> 8bb3ed3083c60837fa3a2bdf8f375d15
C:\Users\Administrator\AppData\Roaming\byteexec\pac-cmd.exe ---> a00b7b6bf652ffb8f5652b599bd0fc41
C:\Users\Administrator\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico ---> d0966601ecd6239a9ce0241c9aa21571
Behavior description: Loads newly dropped file
details:Image: C:\Windows\libegl.dll.
Image: C:\Users\Administrator\AppData\Local\%temp%\b70c.exe_7zdump\LD\support.exe.
Image: C:\Users\Administrator\AppData\Roaming\systray\systray.dll.
Image: C:\Users\Administrator\AppData\Roaming\byteexec\pac-cmd.exe.
Image: C:\Users\Administrator\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico.