VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives whose password is 'infected' or 'virus'.

File information
Safety rating: 70
Behavior list
Basic Information
MD5: 89d22c750470de8c52a1a630f52ced15
File type: zip
Production company:
Version:
Shell or compiler information:
Subfile information:
make.dll / 5b952531acb9a4194a6b16c997fc1a0f / DLL
caishen.dll / 034023fc64dc865e354ce32689b41f66 / DLL
RS扫号器.exe / f3f3e31b3057e02a1b67d56f88457731 / EXE
Usp10.dll / ffa9f739d8b9f067e5411238bd17fadd / DLL
RS说明.txt / c94c5d1c0003a54a7dc07eb9da9b79d1 / Unknown
Key behavior
Behavior description: Set special file attributes
details: C:\AnalyzeControl\Usp10.dll
C:\monitor\Usp10.dll
C:\Program Files\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-2052-7B44-A90000000001}\Lpk.dll
C:\Program Files\e\setup\Lpk.dll
C:\Program Files\Microsoft Office 2007\Office12\MathType\Usp10.dll
C:\StaticAnalyze\peid0.94\Usp10.dll
Behavior description: Detect VMware by searching for files
details: FindFirstFileEx: FileName = c:\documents and settings\administrator\local settings\application data\vmware\*.*
FindFirstFileEx: FileName = c:\documents and settings\administrator\local settings\temp\vmwarednd\*.*
FindFirstFileEx: FileName = c:\documents and settings\all users\application data\vmware\*.*
FindFirstFileEx: FileName = c:\documents and settings\root\local settings\application data\vmware\*.*
FindFirstFileEx: FileName = c:\program files\common files\vmware\*.*
FindFirstFileEx: FileName = c:\program files\vmware\*.*
Behavior description: Create file mapping with write access
details: Global\Cor_Private_IPCBlock_2700
Global\Cor_Public_IPCBlock_2700
CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
Global\NLS_00000804_Exception_Table_3_2
\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
\WINDOWS\system32\zh-cn\ieframe.dll.mui
MSCTF.MarshalInterface.FileMap.AJK..KFEIF
MSCTF.MarshalInterface.FileMap.AJK.B.KGEIF
MSCTF.MarshalInterface.FileMap.AJK.C.KGEIF
MSCTF.MarshalInterface.FileMap.AJK.D.KGEIF
MSCTF.MarshalInterface.FileMap.AJK.E.KGEIF
MSCTF.MarshalInterface.FileMap.AJK.F.KGEIF
MSCTF.MarshalInterface.FileMap.AJK.G.KGEIF
Internet Explorer Immutable Application State (00000C4C-0000-0000-0000-000000000000)
ie_lcie_LogonMedium
Behavior description: Create PE file in the QQ directory
details: C:\Program Files\Tencent\QQ\Bin\Ark\Lpk.dll
C:\Program Files\Tencent\QQ\Bin\Lpk.dll
C:\Program Files\Tencent\QQ\Bin\SetupEx\Lpk.dll
Behavior description: Set special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Resolve host address by name
Process behavior
Behavior description: Create process with hidden window
details: ImagePath = , CmdLine = cmd.exe /c c:\progra~1\winrar\rar.exe a -inul -y -ep2 -o+ "c:\analyzecontrol.rar" "\%temp%\1430962324.839483.exe\..\usp10.dll"
ImagePath = , CmdLine = cmd.exe /c c:\progra~1\winrar\rar.exe a -inul -y -ep2 -o+ "c:\monitor.rar" "\%temp%\1430962324.859737.exe\..\usp10.dll"
ImagePath = , CmdLine = cmd.exe /c c:\progra~1\winrar\rar.exe a -inul -y -ep2 -o+ "c:\staticanalyze.rar" "\%temp%\1430962324.917940.exe\..\usp10.dll"
Behavior description: Create process
details: ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /c C:\PROGRA~1\WinRAR\rar.exe vb -ibck -y -p- "c:\analyzecontrol.rar" >"c:\analyzecontrol.rar.log"
ImagePath = C:\PROGRA~1\WinRAR\Rar.exe, CmdLine = C:\PROGRA~1\WinRAR\rar.exe vb -ibck -y -p- "c:\analyzecontrol.rar"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /c C:\PROGRA~1\WinRAR\rar.exe a -inul -y -ep2 -o+ "c:\analyzecontrol.rar" "\%temp%\1430962323.272206.exe\..\Usp10.dll"
ImagePath = C:\PROGRA~1\WinRAR\Rar.exe, CmdLine = C:\PROGRA~1\WinRAR\rar.exe a -inul -y -ep2 -o+ "c:\analyzecontrol.rar" "\%temp%\1430962323.301759.exe\..\Usp10.dll"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /c C:\PROGRA~1\WinRAR\rar.exe vb -ibck -y -p- "c:\monitor.rar" >"c:\monitor.rar.log"
ImagePath = C:\PROGRA~1\WinRAR\Rar.exe, CmdLine = C:\PROGRA~1\WinRAR\rar.exe vb -ibck -y -p- "c:\monitor.rar"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /c C:\PROGRA~1\WinRAR\rar.exe a -inul -y -ep2 -o+ "c:\monitor.rar" "\%temp%\1430962323.381047.exe\..\Usp10.dll"
ImagePath = C:\PROGRA~1\WinRAR\Rar.exe, CmdLine = C:\PROGRA~1\WinRAR\rar.exe a -inul -y -ep2 -o+ "c:\monitor.rar" "\%temp%\1430962323.410644.exe\..\Usp10.dll"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /c C:\PROGRA~1\WinRAR\rar.exe vb -ibck -y -p- "c:\staticanalyze.rar" >"c:\staticanalyze.rar.log"
ImagePath = C:\PROGRA~1\WinRAR\Rar.exe, CmdLine = C:\PROGRA~1\WinRAR\rar.exe vb -ibck -y -p- "c:\staticanalyze.rar"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /c C:\PROGRA~1\WinRAR\rar.exe a -inul -y -ep2 -o+ "c:\staticanalyze.rar" "\%temp%\1430962323.527871.exe\..\Usp10.dll"
ImagePath = C:\PROGRA~1\WinRAR\Rar.exe, CmdLine = C:\PROGRA~1\WinRAR\rar.exe a -inul -y -ep2 -o+ "c:\staticanalyze.rar" "\%temp%\1430962323.557458.exe\..\Usp10.dll"
File behavior
Behavior description: Create executable file
details: C:\WINDOWS\Usp10.dll
C:\Program Files\Internet Explorer\Usp10.dll
C:\222c25ed\IE8-Setup-Full\Lpk.dll
C:\AnalyzeControl\Usp10.dll
C:\Documents and Settings\Administrator\Application Data\Tencent\QQ\STemp\SetupEx~0\Usp10.dll
C:\EasyWebSvr\demo\Lpk.dll
C:\monitor\Usp10.dll
C:\Program Files\Adobe\Reader 9.0\Reader\Usp10.dll
C:\Program Files\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-2052-7B44-A90000000001}\Lpk.dll
C:\Program Files\Common Files\Microsoft Shared\DW\Lpk.dll
C:\Program Files\Common Files\Microsoft Shared\Speech\Usp10.dll
C:\Program Files\Common Files\Tencent\QQDownload\107\Lpk.dll
C:\Program Files\e\setup\Lpk.dll
C:\Program Files\e\tools\Usp10.dll
C:\Program Files\Microsoft Office\OFFICE11\Lpk.dll
Behavior description: Rename file
details: C:\%temp%\1430962291.959975.exe_7zdump\Usp10.dll ---> C:\%temp%\1430962291.959975.exe_7zdump\Usp10.dll
C:\%temp%\1430962291.989515.exe_7zdump\__rar_96.184 ---> C:\analyzecontrol.rar
C:\Program Files\Internet Explorer\Usp10.dll ---> C:\Program Files\Internet Explorer\Usp10.dll
C:\%temp%\1430962292.048551.exe_7zdump\__rar_33.184 ---> C:\monitor.rar
C:\Program Files\Microsoft Office 2007\Office12\USP10.DLL ---> C:\Program Files\Microsoft Office 2007\Office12\Thumbss.db
C:\PROGRA~1\WinRAR\Usp10.dll ---> C:\PROGRA~1\WinRAR\Lpk.dll
C:\PROGRA~1\WinRAR\Lpk.dll ---> C:\PROGRA~1\WinRAR\Lpk.dll
C:\%temp%\1430962292.166548.exe_7zdump\__rar_42.4391184 ---> C:\staticanalyze.rar
Behavior description: Modify file contents
details: C:\222c25ed\installer.zip---> Offset = 18108883
C:\analyzecontrol.rar.log---> Offset = 62
C:\%temp%\1430962292.255010.exe_7zdump\__rar_96.184---> Offset = 20
C:\analyzecontrol.rar---> Offset = 78025
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\LocalPage\Error404.zip---> Offset = 12726
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\LocalPage\MyFavorStartPage.zip---> Offset = 285164
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\LocalPage\PassportLogin.zip---> Offset = 70706
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\LocalPage\WKInspector.zip---> Offset = 593797
C:\Documents and Settings\Administrator\Application Data\Tencent\QQ\TxApp\100001\100001.zip---> Offset = 503949
C:\Documents and Settings\All Users\Application Data\SogouExplorer\LocalPage\MyFavorStartPage.zip---> Offset = 285164
C:\Documents and Settings\Default User\Application Data\SogouExplorer\LocalPage\MyFavorStartPage.zip---> Offset = 285164
C:\Documents and Settings\LocalService\Application Data\SogouExplorer\LocalPage\MyFavorStartPage.zip---> Offset = 285164
C:\Documents and Settings\NetworkService\Application Data\SogouExplorer\LocalPage\MyFavorStartPage.zip---> Offset = 285164
C:\Documents and Settings\root\Application Data\SogouExplorer\LocalPage\MyFavorStartPage.zip---> Offset = 285164
C:\monitor.rar.log---> Offset = 51
Network behavior
Behavior description: Send data on a connected socket
details: SOCKET = 0x000005e4, TotalSize = 380, Offset = 0, ReadSize = 380.
SOCKET = 0x000005e4, TotalSize = 383, Offset = 0, ReadSize = 383.
SOCKET = 0x000005e4, TotalSize = 386, Offset = 0, ReadSize = 386.
SOCKET = 0x000005e4, TotalSize = 381, Offset = 0, ReadSize = 381.
SOCKET = 0x000005e0, TotalSize = 381, Offset = 0, ReadSize = 381.
SOCKET = 0x000005e0, TotalSize = 383, Offset = 0, ReadSize = 383.
SOCKET = 0x000005e0, TotalSize = 379, Offset = 0, ReadSize = 379.
SOCKET = 0x000005e0, TotalSize = 388, Offset = 0, ReadSize = 388.
SOCKET = 0x000005e0, TotalSize = 391, Offset = 0, ReadSize = 391.
SOCKET = 0x0000176c, TotalSize = 380, Offset = 0, ReadSize = 380.
SOCKET = 0x0000176c, TotalSize = 383, Offset = 0, ReadSize = 383.
SOCKET = 0x0000176c, TotalSize = 386, Offset = 0, ReadSize = 386.
SOCKET = 0x0000176c, TotalSize = 381, Offset = 0, ReadSize = 381.
SOCKET = 0x0000176c, TotalSize = 379, Offset = 0, ReadSize = 379.
SOCKET = 0x0000176c, TotalSize = 388, Offset = 0, ReadSize = 388.
Behavior description: Establish a connection to a specified socket address
details: 219.133.40.1:80
Behavior description: Enumerate network shares
details: N/A
Registry behavior
Behavior description: Modify registry
details: \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\SearchSystemDirs
Other behavior
Behavior description: Create mutex
details: hxlchuuana
CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1645522239-1417001333-500MUTEX.DefaultS-1-5-21-1482476501-1645522239-1417001333-500
SHIMLIB_LOG_MUTEX
MSCTF.Shared.MUTEX.AEH
MSCTF.Shared.MUTEX.AJK
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Acquire system privilege
details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Window information
details: Pid = 2700, Hwnd=0x103a8, Text = 登录, ClassName = WindowsForms10.BUTTON.app.0.33c0d9d.
Pid = 2700, Hwnd=0x103aa, Text = Stay Hungry, Stay Foolish, ClassName = WindowsForms10.EDIT.app.0.33c0d9d.
Pid = 2700, Hwnd=0x103ac, Text = 乔布斯:, ClassName = WindowsForms10.STATIC.app.0.33c0d9d.
Pid = 2700, Hwnd=0x103a6, Text = 启动窗口, ClassName = WindowsForms10.Window.8.app.0.33c0d9d.
Behavior description: Direct access to physical device
details: \??\PhysicalDrive0