VirSCAN
File information
Safety score: 74
Basic information
MD5: ad6b97fc029c442c94d2272494bfcae8
File type: EXE
Vendor:
Version: 4.8.0.0---4.8.0.0
Packer/compiler: COMPILER:.NET executable -> Microsoft *
Key behaviors
Behavior: cross-process data write
Details: TargetProcess = C:\Users\Administrator\AppData\Local\%temp%\temp\b70c.exe, WriteAddress = 0x00240000, Size = 0x00000020 TargetPID = 0x00000f28
TargetProcess = C:\Users\Administrator\AppData\Local\%temp%\temp\b70c.exe, WriteAddress = 0x00240020, Size = 0x00000034 TargetPID = 0x00000f28
TargetProcess = C:\Users\Administrator\AppData\Local\%temp%\temp\b70c.exe, WriteAddress = 0x7ffda238, Size = 0x00000004 TargetPID = 0x00000f28
TargetProcess = C:\Windows\System32\rundll32.exe, WriteAddress = 0x00050000, Size = 0x000005dc TargetPID = 0x00000e88
TargetProcess = C:\Windows\System32\rundll32.exe, WriteAddress = 0x7ffd71e8, Size = 0x00000004 TargetPID = 0x00000e88
TargetProcess = C:\Windows\System32\rundll32.exe, WriteAddress = 0x00060000, Size = 0x00000020 TargetPID = 0x00000e88
TargetProcess = C:\Windows\System32\rundll32.exe, WriteAddress = 0x00060020, Size = 0x00000034 TargetPID = 0x00000e88
TargetProcess = C:\Windows\System32\rundll32.exe, WriteAddress = 0x7ffd7238, Size = 0x00000004 TargetPID = 0x00000e88
TargetProcess = C:\Windows\System32\rundll32.exe, WriteAddress = 0x00050000, Size = 0x000005dc TargetPID = 0x00000f4c
TargetProcess = C:\Windows\System32\rundll32.exe, WriteAddress = 0x7ffde1e8, Size = 0x00000004 TargetPID = 0x00000f4c
TargetProcess = C:\Windows\System32\rundll32.exe, WriteAddress = 0x00060000, Size = 0x00000020 TargetPID = 0x00000f4c
TargetProcess = C:\Windows\System32\rundll32.exe, WriteAddress = 0x00060020, Size = 0x00000034 TargetPID = 0x00000f4c
TargetProcess = C:\Windows\System32\rundll32.exe, WriteAddress = 0x7ffde238, Size = 0x00000004 TargetPID = 0x00000f4c
Behavior: set special folder attributes
Details: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PrivacIE\Low
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\IECompatCache\Low
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\IETldCache\Low
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\Low
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\Low
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\Low\History.IE5
Behavior: get TickCount value
Details: TickCount = 204531, SleepMilliseconds = 60000.
TickCount = 204562, SleepMilliseconds = 60000.
TickCount = 204718, SleepMilliseconds = 60000.
TickCount = 144717, SleepMilliseconds = -1.
TickCount = 154843, SleepMilliseconds = 10000.
TickCount = 155046, SleepMilliseconds = 10000.
TickCount = 145045, SleepMilliseconds = -1.
TickCount = 155109, SleepMilliseconds = 10000.
TickCount = 155218, SleepMilliseconds = 10000.
TickCount = 155234, SleepMilliseconds = 10000.
TickCount = 155250, SleepMilliseconds = 10000.
TickCount = 155265, SleepMilliseconds = 10000.
TickCount = 155281, SleepMilliseconds = 10000.
TickCount = 155296, SleepMilliseconds = 10000.
TickCount = 155312, SleepMilliseconds = 10000.
Process behavior
Behavior: create process with hidden window
Details: ImagePath = C:\Users\Administrator\AppData\Local\%temp%\temp\b70c.exe, CmdLine = "C:\Users\Administrator\AppData\Local\%temp%\temp\b70c.exe" "C:\Users\Administrator\AppData\Local\%temp%\temp/privoxy.conf"
Behavior: create process from newly created file
Details: [0x00000f28]ImagePath = C:\Users\Administrator\AppData\Local\%temp%\temp\b70c.exe, CmdLine = "C:\Users\Administrator\AppData\Local\%temp%\temp\b70c.exe" "C:\Users\Administrator\AppData\Local\%temp%\temp/privoxy.conf"
Behavior: enumerate processes
Details: N/A
Behavior: create process
Details: [0x00000e88]ImagePath = C:\Windows\System32\rundll32.exe, CmdLine = "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1
[0x00000f4c]ImagePath = C:\Windows\System32\rundll32.exe, CmdLine = "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1
File behavior
Behavior: create file
Details: C:\Users\Administrator\AppData\Local\%temp%\temp\shadowsocks_2017-09.log
C:\Users\Administrator\AppData\Local\%temp%\temp\b70c.exe
C:\Users\Administrator\AppData\Local\%temp%\temp\mgwz.dll
C:\Users\Administrator\AppData\Local\%temp%\temp\privoxy.conf
C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb
Behavior: create executable file
Details: C:\Users\Administrator\AppData\Local\%temp%\temp\b70c.exe
C:\Users\Administrator\AppData\Local\%temp%\temp\mgwz.dll
Behavior: search for file
Details: FileName = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
FileName = C:\Windows\Microsoft.NET\Framework\\*
FileName = C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\*
FileName = C:\Users
FileName = C:\Users\Administrator\AppData
FileName = C:\Users\Administrator\AppData\Local
FileName = C:\Users\Administrator\AppData\Local\Temp
FileName = C:\Users\Administrator\AppData\Local\%temp%
FileName = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe
FileName = C:\Users\Administrator
FileName = C:\Windows\assembly\NativeImages_v4.0.30319_32\ShadowsocksR\*
FileName = C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\*
FileName = C:\Windows\assembly\NativeImages_v4.0.30319_32\System\*
FileName = C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\*
FileName = C:\Windows\assembly\GAC_MSIL\mscorlib.resources\*
Behavior: delete file
Details: C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb
C:\Windows\SoftwareDistribution\Download\49cea37ed490e5126ec9450fc2dd5116\cbshandler\state
C:\Windows\SoftwareDistribution\Download\49cea37ed490e5126ec9450fc2dd5116\Windows6.1-KB2999226-x86.cab
Behavior: modify file contents
Details: C:\Users\Administrator\AppData\Local\%temp%\temp\b70c.exe ---> Offset = 0
C:\Users\Administrator\AppData\Local\%temp%\temp\b70c.exe ---> Offset = 4096
C:\Users\Administrator\AppData\Local\%temp%\temp\b70c.exe ---> Offset = 8192
C:\Users\Administrator\AppData\Local\%temp%\temp\b70c.exe ---> Offset = 12288
C:\Users\Administrator\AppData\Local\%temp%\temp\b70c.exe ---> Offset = 16384
C:\Users\Administrator\AppData\Local\%temp%\temp\mgwz.dll ---> Offset = 0
C:\Users\Administrator\AppData\Local\%temp%\temp\mgwz.dll ---> Offset = 4096
C:\Users\Administrator\AppData\Local\%temp%\temp\mgwz.dll ---> Offset = 8192
C:\Users\Administrator\AppData\Local\%temp%\temp\mgwz.dll ---> Offset = 12288
C:\Users\Administrator\AppData\Local\%temp%\temp\mgwz.dll ---> Offset = 16384
C:\Users\Administrator\AppData\Local\%temp%\temp\privoxy.conf ---> Offset = 0
C:\Users\Administrator\AppData\Local\%temp%\temp\shadowsocks_2017-09.log ---> Offset = 0
C:\Users\Administrator\AppData\Local\%temp%\temp\shadowsocks_2017-09.log ---> Offset = 62
C:\Users\Administrator\AppData\Local\%temp%\temp\shadowsocks_2017-09.log ---> Offset = 124
C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb ---> Offset = 0
Network behavior
Behavior: send HTTP packet
Details: CONNECT raw.githubusercontent.com:443 HTTP/1.1 Host: ra****om Proxy-Connection: Keep-Alive
Registry behavior
Behavior: modify registry
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\FileTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\ConsoleTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\MaxFileSize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\FileDirectory
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\FileTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\ConsoleTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\MaxFileSize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\FileDirectory
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Behavior: delete registry value
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\AccountDomainSid
Behavior: modify registry (IE connection settings)
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
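The registry section records writes to ProxyEnable, ProxyServer, AutoConfigURL and the binary Connections\DefaultConnectionSettings value, alongside a Privoxy launch and a rundll32 "WININET.dll",DispatchAPICall child, which is commonly observed when WinINet applies a proxy-settings change. The string values are readable as-is, but the configuration WinINet actually uses is in the binary blob, so a responder checking what was installed needs to decode it. The following is an added example for this page, not VirSCAN's or ShadowsocksR's code: it decodes and re-encodes the blob using the commonly documented WinINet layout (an assumption stated in the docstring), and diffs two snapshots. Both snapshots are constructed here; the proxy address in the "after" snapshot is a placeholder, since the report does not show the value the sample wrote.

```python
"""Decode/encode the WinINet DefaultConnectionSettings registry blob.

Added example for this report; not VirSCAN's or ShadowsocksR's code.
Assumed layout (the commonly documented WinINet format, little-endian):
  uint32 version, uint32 change counter, uint32 flags,
  three length-prefixed ASCII strings: proxy server, bypass list, PAC URL,
  32 reserved zero bytes.
Flag bits: 0x1 direct (always set), 0x2 manual proxy, 0x4 PAC URL, 0x8 WPAD autodetect.
The sample blobs below are constructed; the proxy address is a placeholder,
the report above does not show the value the sample wrote.
"""
import struct

FLAG_DIRECT, FLAG_PROXY, FLAG_PAC, FLAG_AUTODETECT = 0x1, 0x2, 0x4, 0x8
RESERVED = 32


def _read_str(buf, off):
    """Read one uint32-length-prefixed ASCII string at off; return (string, next offset)."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    return buf[off:off + n].decode("ascii", errors="replace"), off + n


def decode_connection_settings(blob):
    """Parse a DefaultConnectionSettings value into a dict of its fields."""
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    off = 12
    proxy, off = _read_str(blob, off)
    bypass, off = _read_str(blob, off)
    pac, off = _read_str(blob, off)
    return {
        "version": version, "counter": counter, "flags": flags,
        "manual_proxy": bool(flags & FLAG_PROXY),
        "pac": bool(flags & FLAG_PAC),
        "autodetect": bool(flags & FLAG_AUTODETECT),
        "proxy_server": proxy, "bypass_list": bypass, "autoconfig_url": pac,
    }


def encode_connection_settings(proxy="", bypass="", pac="", autodetect=False,
                               counter=1, version=0x46):
    """Build a blob; bit 0x1 is always set, the other bits follow the fields given."""
    flags = FLAG_DIRECT
    if proxy:
        flags |= FLAG_PROXY
    if pac:
        flags |= FLAG_PAC
    if autodetect:
        flags |= FLAG_AUTODETECT
    out = bytearray(struct.pack("<III", version, counter, flags))
    for s in (proxy, bypass, pac):
        b = s.encode("ascii")
        out += struct.pack("<I", len(b)) + b
    out += b"\x00" * RESERVED
    return bytes(out)


def proxy_diff(before, after):
    """Fields that changed between two snapshots (change counter ignored); the
    check a responder runs after an unexpected write to this value."""
    b, a = decode_connection_settings(before), decode_connection_settings(after)
    return {k: (b[k], a[k]) for k in a if k != "counter" and b[k] != a[k]}


# Constructed snapshots: a default "direct + autodetect" value, then the same value
# after a client has pointed the system at a local listener (placeholder address).
SNAPSHOT_BEFORE = encode_connection_settings(autodetect=True, counter=1)
SNAPSHOT_AFTER = encode_connection_settings(proxy="127.0.0.1:8118",
                                            bypass="<local>", counter=2)

if __name__ == "__main__":
    for field, (old, new) in proxy_diff(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(f"{field}: {old!r} -> {new!r}")
```

On a live host the blob is read from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings; the same decoder applies to SavedLegacySettings, which the report shows being written as well. A manual-proxy flag pointing at a loopback port, as in the constructed "after" snapshot, is the expected footprint of a local proxy client and by itself says nothing about intent; what matters is whether the user installed it.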
Other behavior
Behavior: check whether being debugged
Details: IsDebuggerPresent
Behavior: create mutex
Details: Global\ShadowsocksR_1685684626
RasPbFile
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Local\_!MSFTHISTORY!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!
Local\WininetStartupMutex
Global\Instance0: ESENT Performance Data Schema Version 85
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
Local\_!MSFTHISTORY!_LOW!_
Behavior: create event object
Details: EventName = Global\CPFATE_3028_v4.0.30319
Behavior: find specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behavior: adjust process token privileges
Details: SE_DEBUG_PRIVILEGE
SE_MANAGE_VOLUME_PRIVILEGE
SE_INC_WORKING_SET_PRIVILEGE
SE_ASSIGNPRIMARYTOKEN_PRIVILEGE
SE_AUDIT_PRIVILEGE
Behavior: open event
Details: Global\CLR_PerfMon_StartEnumEvent
\KernelObjects\LowMemoryCondition
HookSwitchHookEnabledEvent
MSFT.VSA.COM.DISABLE.3028
MSFT.VSA.IEC.STATUS.6c736db0
Global\SvcctrlStartEvent_A3752DX
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
\KernelObjects\MaximumCommitCondition
Behavior: executable signature information
Details: C:\Users\Administrator\AppData\Local\%temp%\temp\b70c.exe (signature verification: failed)
C:\Users\Administrator\AppData\Local\%temp%\temp\mgwz.dll (signature verification: failed)
Behavior: call Sleep function
Details: [1]: MilliSeconds = 60000.
[2]: MilliSeconds = -1.
[3]: MilliSeconds = 10000.
[4]: MilliSeconds = -1.
[5]: MilliSeconds = 10000.
[6]: MilliSeconds = -1.
[7]: MilliSeconds = -1.
[8]: MilliSeconds = 0.
[9]: MilliSeconds = 0.
[10]: MilliSeconds = 0.
Behavior: hide specified window
Details: [Window,Class] = [Privoxy,PrivoxyLogWindow]
[Window,Class] = [PrivoxyTrayWindow,PrivoxyTrayWindow]
Behavior: executable file MD5
Details: C:\Users\Administrator\AppData\Local\%temp%\temp\b70c.exe ---> cef4a8b646d1c1502c4b38e0d5769777
C:\Users\Administrator\AppData\Local\%temp%\temp\mgwz.dll ---> 90f8887cbfcd2ff300214c70348e19ec
Behavior: open mutex
Details: Local\_!MSFTHISTORY!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
Local\_!MSFTHISTORY!_LOW!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!low!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!low!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!low!history.ie5!
RasPbFile
Behavior: load newly dropped file
Details: Image: C:\Users\Administrator\AppData\Local\%temp%\temp\b70c.exe.
Image: C:\Users\Administrator\AppData\Local\%temp%\temp\mgwz.dll.
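Read as a whole, the report shows a .NET binary that drops two unsigned PEs (b70c.exe, mgwz.dll) into a temp folder, launches b70c.exe hidden with a privoxy.conf argument, rewrites the user's IE proxy settings, creates a Global\ShadowsocksR_ mutex and makes one CONNECT to raw.githubusercontent.com through a proxy. The cross-process writes look alarming until the target PIDs are compared with the processes the sample itself created: a few dozen bytes at 0x7ffdXXXX (the 32-bit PEB region) and a 0x5dc-byte block at a low address in a PID that appears in the sample's own "create process" entries are what CreateProcess writes into a new child (command line, environment, PEB fields), not injection into an unrelated process. The script below is an added example for this page, not VirSCAN's code: it parses the "Behavior: / Details:" layout used above, extracts IOCs, and applies that distinction together with rules for unsigned-dropped-and-loaded PEs, proxy modification and hidden-window launches. The excerpt it runs on is copied from this report; the rule names, severities and weights are this example's own choices.

```python
"""Triage parser for VirSCAN-style behavior reports (added example, not VirSCAN's code).

Reads the "Behavior: ... / Details: ..." layout used in the report above (a line carrying
neither label continues the previous Details), collects IOCs and applies first-pass rules.
The excerpt is copied from this page's report; rule names, severities and weights are this
example's own choices, not anything VirSCAN publishes."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^[A-Za-z ]+behaviou?rs?$")       # "Process behavior" etc.
XPROC_RE = re.compile(r"TargetProcess = (?P<path>.+?), WriteAddress = (?P<addr>0x[0-9a-fA-F]+), "
                      r"Size = (?P<size>0x[0-9a-fA-F]+) TargetPID = (?P<pid>0x[0-9a-fA-F]+)")
CREATE_RE = re.compile(r"^\[(?P<pid>0x[0-9a-fA-F]+)\]ImagePath = (?P<path>.+?), CmdLine")
MD5_RE = re.compile(r"---> ([0-9a-fA-F]{32})$")
CONNECT_RE = re.compile(r"\bCONNECT ([\w.-]+:\d+)")
PROXY_VALUES = {"ProxyEnable", "ProxyServer", "AutoConfigURL", "DefaultConnectionSettings"}
WEIGHT = {"high": 3, "medium": 2, "low": 1}

REPORT_EXCERPT = r"""Process behavior
Behavior: create process with hidden window
Details: ImagePath = C:\Users\Administrator\AppData\Local\%temp%\temp\b70c.exe, CmdLine = "C:\Users\Administrator\AppData\Local\%temp%\temp\b70c.exe" "C:\Users\Administrator\AppData\Local\%temp%\temp/privoxy.conf"
Behavior: cross-process data write
Details: TargetProcess = C:\Users\Administrator\AppData\Local\%temp%\temp\b70c.exe, WriteAddress = 0x7ffda238, Size = 0x00000004 TargetPID = 0x00000f28
TargetProcess = C:\Windows\System32\rundll32.exe, WriteAddress = 0x00050000, Size = 0x000005dc TargetPID = 0x00000e88
Behavior: create process from newly created file
Details: [0x00000f28]ImagePath = C:\Users\Administrator\AppData\Local\%temp%\temp\b70c.exe, CmdLine = "C:\Users\Administrator\AppData\Local\%temp%\temp\b70c.exe" "C:\Users\Administrator\AppData\Local\%temp%\temp/privoxy.conf"
Behavior: create process
Details: [0x00000e88]ImagePath = C:\Windows\System32\rundll32.exe, CmdLine = "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1
Network behavior
Behavior: send HTTP packet
Details: CONNECT raw.githubusercontent.com:443 HTTP/1.1 Host: ra****om Proxy-Connection: Keep-Alive
Registry behavior
Behavior: modify registry (IE connection settings)
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Other behavior
Behavior: create mutex
Details: Global\ShadowsocksR_1685684626
Behavior: executable signature information
Details: C:\Users\Administrator\AppData\Local\%temp%\temp\b70c.exe (signature verification: failed)
C:\Users\Administrator\AppData\Local\%temp%\temp\mgwz.dll (signature verification: failed)
Behavior: executable file MD5
Details: C:\Users\Administrator\AppData\Local\%temp%\temp\b70c.exe ---> cef4a8b646d1c1502c4b38e0d5769777
Behavior: load newly dropped file
Details: Image: C:\Users\Administrator\AppData\Local\%temp%\temp\b70c.exe.
Image: C:\Users\Administrator\AppData\Local\%temp%\temp\mgwz.dll.
"""


def parse_report(text):
    """Map behavior name -> list of detail strings; section headers reset the current behavior."""
    behaviors, current = defaultdict(list), None
    for line in filter(None, map(str.strip, text.splitlines())):
        if SECTION_RE.match(line):
            current = None
        elif line.startswith("Behavior:"):
            current = line[len("Behavior:"):].strip()
        elif current is not None:
            behaviors[current].append(line[len("Details:"):].strip()
                                      if line.startswith("Details:") else line)
    return dict(behaviors)


def extract_iocs(b):
    """Hashes, mutexes, CONNECT targets and the PIDs the sample itself spawned."""
    return {
        "md5": {m.group(1).lower() for m in map(MD5_RE.search, b.get("executable file MD5", [])) if m},
        "mutex": set(b.get("create mutex", [])),
        "hosts": {h for d in b.get("send HTTP packet", []) for h in CONNECT_RE.findall(d)},
        "created_pids": {m.group("pid").lower(): m.group("path")
                         for name, details in b.items() if name.startswith("create process")
                         for m in map(CREATE_RE.match, details) if m},
    }


def triage(text):
    """Return IOCs, findings as (rule, severity, evidence) tuples and a summed score."""
    b, findings = parse_report(text), []
    iocs = extract_iocs(b)
    # Dropped PEs that fail signature verification and are then loaded.
    unsigned = {d.split(" (")[0] for d in b.get("executable signature information", []) if "failed" in d}
    loaded = {d[len("Image:"):].strip().rstrip(".") for d in b.get("load newly dropped file", [])}
    findings += [("unsigned_dropped_pe_loaded", "high", p) for p in sorted(unsigned & loaded)]
    # System proxy values touched under any registry behavior.
    for name, details in b.items():
        if "registry" in name.lower():
            findings += [("system_proxy_modified", "medium", d) for d in details
                         if d.rsplit("\\", 1)[-1] in PROXY_VALUES]
    findings += [("hidden_window_process", "medium", d)
                 for d in b.get("create process with hidden window", [])]
    # Writes into a PID the sample created itself (command line, environment, PEB fields)
    # are what CreateProcess does; writes into any other PID are treated as injection.
    for m in filter(None, map(XPROC_RE.search, b.get("cross-process data write", []))):
        own = m.group("pid").lower() in iocs["created_pids"]
        findings.append(("write_into_own_child" if own else "write_into_foreign_process",
                         "low" if own else "high",
                         f"{m.group('path')} pid={m.group('pid')} addr={m.group('addr')} size={m.group('size')}"))
    return {"iocs": iocs, "findings": findings, "score": sum(WEIGHT[s] for _, s, _ in findings)}
```

Run against the excerpt, every cross-process write lands in a PID the sample spawned, so those entries score low and the findings that carry weight are the unsigned dropped PEs being loaded and the proxy rewrite. Those two are exactly the behaviors a legitimate proxy client and a proxy-hijacking trojan share, which is why a report like this one needs the mutex name, the dropped-file hashes and the origin of the binary, not the behavior list alone, before a verdict.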