VirSCAN

File information
Safety rating: 77
Behavior list
Basic Information
MD5: 845028938a1ad4fccffa89e2f1cbf53f
File type: EXE
Production company: 北京海腾时代科技有限公司
Version: 1.0.3.1001---1.0.3.1001
Shell or compiler information:
Key behavior
Behavior description: Modify registry
Details: \REGISTRY\USER\S-*\Software\Spoon\SandboxCache\6369A60573304378\roaming\modified\@HKCU@\Software\JisuPdf\dayrun
\REGISTRY\USER\S-*\Software\Spoon\SandboxCache\6369A60573304378\roaming\modified\@HKCU@\Software\Microsoft\windows\CurrentVersion\Internet Settings\MigrateProxy
\REGISTRY\USER\S-*\Software\Spoon\SandboxCache\6369A60573304378\roaming\modified\@HKCU@\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable
\REGISTRY\USER\S-*\Software\Spoon\SandboxCache\6369A60573304378\roaming\modified\@HKCU@\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
\REGISTRY\USER\S-*\Software\Spoon\SandboxCache\6369A60573304378\roaming\modified\@HKCU@\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\USER\S-*\Software\Spoon\SandboxCache\6369A60573304378\roaming\modified\@HKCU@\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyOverride
Behavior description: Set special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Process behavior
Behavior description: Create process
Details: ImagePath = C:\Program Files\JisuPdf\JisuPDF.exe, CmdLine = "C:\Program Files\JisuPdf\JisuPDF.exe"
Behavior description: Create local thread
Details: N/A
Behavior description: Process exit
Details: N/A
Behavior description: Enumerate processes
Details: N/A
File behavior
Behavior description: Create file
Details: C:\Documents and Settings\Administrator\Local Settings\Application Data\Spoon\Sandbox\JisuPdf\1.0.3.1001\xsandbox.bin.__tmp__
C:\Documents and Settings\Administrator\Local Settings\Application Data\Spoon\Sandbox\JisuPdf\1.0.3.1001\local\temp\@PROGRAMFILESX86@\JisuPdf\JisuPDF.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Spoon\Sandbox\JisuPdf\1.0.3.1001\roaming\meta\@PROGRAMFILESX86@\JisuPdf\JisuPDF.exe.__meta__.__tmp__
C:\Documents and Settings\Administrator\Local Settings\Application Data\Spoon\Sandbox\JisuPdf\1.0.3.1001\local\stubexe\0x58492CC0A2D6AF18\JisuPDF.exe.__tmp__
C:\Documents and Settings\Administrator\Local Settings\Temp\SPOON\CACHE\0x6369A60573304378\sxs\Manifests\JisuPDF.exe_0x198a758acb9b838e96a95e534017b69a.1.manifest.__tmp__
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\stat[1].php
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\v[1].php
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\newtab[1].php
C:\Documents and Settings\Administrator\Local Settings\Application Data\Spoon\Sandbox\JisuPdf\1.0.3.1001\local\temp\@APPDATA@\JisuPDF\JisuPdf.dat
C:\Documents and Settings\Administrator\Local Settings\Application Data\Spoon\Sandbox\JisuPdf\1.0.3.1001\roaming\meta\@APPDATA@\JisuPDF\JisuPdf.dat.__meta__.__tmp__
Behavior description: Create executable file
Details: C:\Documents and Settings\Administrator\Local Settings\Application Data\Spoon\Sandbox\JisuPdf\1.0.3.1001\roaming\modified\@PROGRAMFILESX86@\JisuPdf\JisuPDF.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Spoon\Sandbox\JisuPdf\1.0.3.1001\local\stubexe\0x58492CC0A2D6AF18\JisuPDF.exe
Behavior description: Overwrite existing file
Details: C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
C:\Documents and Settings\Administrator\Local Settings\Application Data\Spoon\Sandbox\JisuPdf\1.0.3.1001\roaming\modified\@APPDATA@\JisuPDF\JisuPdf.dat
Behavior description: Find file
Details: FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1454923448.036184.exe
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\My Documents
FileName = C:\Documents and Settings\All Users
FileName = C:\Documents and Settings\All Users\Documents
FileName = C:\Documents and Settings\Administrator\桌面
FileName = C:\Documents and Settings\All Users\桌面
FileName = C:\Program Files\JisuPdf
FileName = C:\Program Files\JisuPdf\JisuPDF.exe
Behavior description: Delete file
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\stat[1].php
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\v[1].php
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\newtab[1].php
Behavior description: Rename file
Details: C:\Documents and Settings\Administrator\Local Settings\Application Data\Spoon\Sandbox\JisuPdf\1.0.3.1001\xsandbox.bin.__tmp__ ---> C:\Documents and Settings\Administrator\Local Settings\Application Data\Spoon\Sandbox\JisuPdf\1.0.3.1001\xsandbox.bin
C:\Documents and Settings\Administrator\Local Settings\Application Data\Spoon\Sandbox\JisuPdf\1.0.3.1001\local\temp\@PROGRAMFILESX86@\JisuPdf\JisuPDF.exe ---> C:\Documents and Settings\Administrator\Local Settings\Application Data\Spoon\Sandbox\JisuPdf\1.0.3.1
C:\Documents and Settings\Administrator\Local Settings\Application Data\Spoon\Sandbox\JisuPdf\1.0.3.1001\roaming\meta\@PROGRAMFILESX86@\JisuPdf\JisuPDF.exe.__meta__.__tmp__ ---> C:\Documents and Settings\Administrator\Local Settings\Application Data\Spoon\Sand
C:\Documents and Settings\Administrator\Local Settings\Application Data\Spoon\Sandbox\JisuPdf\1.0.3.1001\local\stubexe\0x58492CC0A2D6AF18\JisuPDF.exe.__tmp__ ---> C:\Documents and Settings\Administrator\Local Settings\Application Data\Spoon\Sandbox\JisuPdf\1.0
C:\Documents and Settings\Administrator\Local Settings\Temp\SPOON\CACHE\0x6369A60573304378\sxs\Manifests\JisuPDF.exe_0x198a758acb9b838e96a95e534017b69a.1.manifest.__tmp__ ---> C:\Documents and Settings\Administrator\Local Settings\Temp\SPOON\CACHE\0x6369A60573
C:\Documents and Settings\Administrator\Local Settings\Application Data\Spoon\Sandbox\JisuPdf\1.0.3.1001\local\temp\@APPDATA@\JisuPDF\JisuPdf.dat ---> C:\Documents and Settings\Administrator\Local Settings\Application Data\Spoon\Sandbox\JisuPdf\1.0.3.1001\roam
C:\Documents and Settings\Administrator\Local Settings\Application Data\Spoon\Sandbox\JisuPdf\1.0.3.1001\roaming\meta\@APPDATA@\JisuPDF\JisuPdf.dat.__meta__.__tmp__ ---> C:\Documents and Settings\Administrator\Local Settings\Application Data\Spoon\Sandbox\Jisu
Behavior description: Set special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Modify file content
Details: C:\Documents and Settings\Administrator\Local Settings\Application Data\Spoon\Sandbox\JisuPdf\1.0.3.1001\xsandbox.bin---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Application Data\Spoon\Sandbox\JisuPdf\1.0.3.1001\roaming\meta\@PROGRAMFILESX86@\JisuPdf\JisuPDF.exe.__meta__---> Offset = 16
C:\Documents and Settings\Administrator\Local Settings\Temp\SPOON\CACHE\0x6369A60573304378\sxs\Manifests\JisuPDF.exe_0x198a758acb9b838e96a95e534017b69a.1.manifest---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Application Data\Spoon\Sandbox\JisuPdf\1.0.3.1001\roaming\modified\@APPDATA@\JisuPDF\JisuPdf.dat---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Application Data\Spoon\Sandbox\JisuPdf\1.0.3.1001\roaming\meta\@APPDATA@\JisuPDF\JisuPdf.dat.__meta__---> Offset = 16
Network behavior
Behavior description: Open URL over the network
Details: InternetOpenUrlA: http://tj.jisupdf.com/stat.php?mid=&os=WindowsXP&pid=JisuPDF_Setup.exe&reg=run&soft_id=14&t=2052&version=1.0.3.1001&sign=68c91d9884a00133f651b5c8d6b4ff8a hInternet = 0x00cc0004
InternetOpenUrlA: http://upd.jisupdf.com/v.php?ver=1.0.3.1001&pid=JisuPDF_Setup.exe hInternet = 0x00cc0004
InternetOpenUrlA: http://dl.jisupdf.com/data/newtab.php?ntver=1001&pdfver=1.0.3.1001 hInternet = 0x00cc0004
Behavior description: Connect to specified site
Details: InternetConnectA: ServerName = start.spoon.net, PORT = 443, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008
InternetConnectA: ServerName = tj.jisupdf.com, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008
InternetConnectA: ServerName = upd.jisupdf.com, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008
InternetConnectA: ServerName = dl.jisupdf.com, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008
Behavior description: Open HTTP connection
Details: InternetOpenA: UserAgent: SpoonVm/1.0, hSession = 0x00cc0004
InternetOpenA: UserAgent: , hSession = 0x00cc0004
Behavior description: Establish connection to a specified socket
Details: 110.110.110.110:80, SOCKET = 0x00000680
110.110.110.110:80, SOCKET = 0x00000674
Behavior description: Read network file
Details: hFile = 0x00cc000c, BytesToRead =15360, BytesRead = 15360.
Behavior description: Send HTTP packet
Details: GET /stat.php?mid=&os=WindowsXP&pid=JisuPDF_Setup.exe&reg=run&soft_id=14&t=2052&version=1.0.3.1001&sign=68c91d9884a00133f651b5c8d6b4ff8a HTTP/1.1 Host: tj.jisupdf.com
GET /v.php?ver=1.0.3.1001&pid=JisuPDF_Setup.exe HTTP/1.1 Host: upd.jisupdf.com
GET /data/newtab.php?ntver=1001&pdfver=1.0.3.1001 HTTP/1.1 Host: dl.jisupdf.com
Behavior description: Open HTTP request
Details: HttpOpenRequestA: start.spoon.net:443/services/1.0/activity/vm-10.4.2491.0/run, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: POST, Referer:
HttpOpenRequestA: tj.jisupdf.com:80/stat.php?mid=&os=windowsxp&pid=jisupdf_setup.exe&reg=run&soft_id=14&t=2052&version=1.0.3.1001&sign=68c91d9884a00133f651b5c8d6b4ff8a, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer:
HttpOpenRequestA: upd.jisupdf.com:80/v.php?ver=1.0.3.1001&pid=jisupdf_setup.exe, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer:
HttpOpenRequestA: dl.jisupdf.com:80/data/newtab.php?ntver=1001&pdfver=1.0.3.1001, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer:
Behavior description: Resolve host address by name
Details: tj.jisupdf.com
upd.jisupdf.com
dl.jisupdf.com
Registry behavior
Behavior description: Delete registry key
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW
Behavior description: Delete registry value
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\DWFileTreeRoot
Behavior description: Modify registry
Details: \REGISTRY\USER\S-*\Software\Spoon\SandboxCache\6369A60573304378\roaming\modified\@HKCU@\Software\JisuPdf\dayrun
\REGISTRY\USER\S-*\Software\Spoon\SandboxCache\6369A60573304378\roaming\modified\@HKCU@\Software\Microsoft\windows\CurrentVersion\Internet Settings\MigrateProxy
\REGISTRY\USER\S-*\Software\Spoon\SandboxCache\6369A60573304378\roaming\modified\@HKCU@\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable
\REGISTRY\USER\S-*\Software\Spoon\SandboxCache\6369A60573304378\roaming\modified\@HKCU@\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
\REGISTRY\USER\S-*\Software\Spoon\SandboxCache\6369A60573304378\roaming\modified\@HKCU@\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\USER\S-*\Software\Spoon\SandboxCache\6369A60573304378\roaming\modified\@HKCU@\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyOverride
Behavior description: Delete registry value (IE connection settings)
Details: \REGISTRY\USER\S-*\Software\Spoon\SandboxCache\6369A60573304378\roaming\modified\@HKCU@\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Spoon\SandboxCache\6369A60573304378\roaming\modified\@HKCU@\Software\Microsoft\windows\CurrentVersion\Internet Settings\AutoConfigURL
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Other behavior
Behavior description: Create mutex
Details: Local\__VMX_0x00076AED
Global\__VMX_0x00076AED
_xvm_mtx_sandbox_info_0x6369A60573304378
_xvm_mtx_sentinel_0x6369A60573304378
_xvm_mtx_servicesentinel_0x6369A60573304378
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Behavior description: Create event object
Details: EventName = Global\crypt32LogoffEvent
EventName = Global\userenv: User Profile setup event
EventName = DINPUTWINMM
EventName = MSCTF.SendReceive.Event.III.IC
EventName = MSCTF.SendReceiveConection.Event.III.IC
Behavior description: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [RUNMANAGER_JISUPDF,]
NtUserFindWindowEx: [Class,Window] = [ATLWIN_JISUPDF_MIAN,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Acquire system privileges
Details: SE_INC_BASE_PRIORITY_PRIVILEGE
SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Window information
Details: Pid = 2180, Hwnd=0x140134, Text = 极速PDF阅读器, ClassName = ATLWIN_JISUPDF_MIAN.
Behavior description: Executable file signature information
Details: C:\Documents and Settings\Administrator\Local Settings\Application Data\Spoon\Sandbox\JisuPdf\1.0.3.1001\roaming\modified\@PROGRAMFILESX86@\JisuPdf\JisuPDF.exe(签名验证: 通过)
C:\Documents and Settings\Administrator\Local Settings\Application Data\Spoon\Sandbox\JisuPdf\1.0.3.1001\local\stubexe\0x58492CC0A2D6AF18\JisuPDF.exe(签名验证: 未通过)
Behavior description: Call Sleep function
Details: [1]: MilliSeconds = -1.
Behavior description: Executable file MD5
Details: C:\Documents and Settings\Administrator\Local Settings\Application Data\Spoon\Sandbox\JisuPdf\1.0.3.1001\roaming\modified\@PROGRAMFILESX86@\JisuPdf\JisuPDF.exe ---> 198a758acb9b838e96a95e534017b69a
C:\Documents and Settings\Administrator\Local Settings\Application Data\Spoon\Sandbox\JisuPdf\1.0.3.1001\local\stubexe\0x58492CC0A2D6AF18\JisuPDF.exe ---> 247358a7df7b144ac50aea09bb386822
Run screenshot