VirSCAN.org - Free Multi-Engine Online Virus Scanner v1.02, Supports 47 AntiVirus Engines!

Main Menu

File information

Safety rating:55

Behavior list

Behavior analysis report: Threatbook file behavior analysis report

Basic Information
MD5:	937a6e1f64a8d3997bf32f9e2c532622
file type:	EXE
Production company:
version:
Shell or compiler information:	COMPILER:Microsoft Visual Studio .NET 2005 -- 2008 -> Microsoft Corporation [Overlay] *

Key behavior
Behavior description:	设置特殊文件夹属性
details:	C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
	C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
	C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
	C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\IETldCache
Behavior description:	VMWare特殊指令检测虚拟机
details:	N/A

Process behavior
Behavior description:	枚举进程
details:	N/A

File behavior
Behavior description:	设置特殊文件夹属性
details:	C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
	C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
	C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
	C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\IETldCache
Behavior description:	查找文件
details:	FileName = C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
	FileName = C:\ProgramData\Microsoft\Network\Connections\Pbk\*.pbk
	FileName = C:\Windows\system32\Ras\*.pbk
	FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
	FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Network\Connections\Pbk\*.pbk

Network behavior
Behavior description:	连接指定站点
details:	InternetConnectA: ServerName = ic****cn, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
Behavior description:	打开HTTP连接
details:	InternetOpenA: UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36, hSession = 0x00cc0004
Behavior description:	建立到一个指定的套接字连接
details:	URL: ic**cn, IP: .133.40.**:80, SOCKET = 0x000002ac
Behavior description:	读取网络文件
details:	hFile = 0x00cc000c, BytesToRead =2047, BytesRead = 2047.
Behavior description:	发送HTTP包
details:	GET /api/infoc/mb?d=eyJkdHlwZSI6InBjIiwidGFiIjoidW5rbndvbl9wdXNoX3J1biIsInRhYmRhdCI6eyJjaGFubmVsIjowLCJjbWQ1IjoiIiwiZGV0YWlsIjoxLCJlbnYiOiJwdXJlIiwiZXhwIjoiQzpcXFVzZXJzXFxBZG1pbmlzdHJhdG9yXFxBcHBEYXRhXFxMb2NhbFxcVGVtcFxcRUI5M0E2XFxiNzBjLmV4ZSIsImZyb20iOi0xLCJpZGVudGl0eSI6IiIsImluY2hhbm5lbCI6MCwiaW5zdGFsbGRheSI6MTc2ODcsIml2IjoyMDAwMSwibW1kNSI6IjkzN2E2ZTFmNjRhOGQzOTk3YmYzMmY5ZTJjNTMyNjIyIiwibW5hbWUiOiJiNzBjIiwibXYiOjIsIm9zdiI6IldpbjdfMzIiLCJwZGF0ZSI6IiIsInBoYXNlIjoxLCJwbmFtZSI6IiIsInByb2R1Y3QiOiJ1bmtud29uIiwicmVhc29uIjo4LCJzY2VuZSI6IiIsInVpZCI6IkM2NTgwODNCODgwOUE4MTkwQUFEM0YyNTRFQjQ3RDlDIn19 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Host: ic****cn Cache-Control: no-cache
	GET /api/infoc/mb?d=eyJkdHlwZSI6InBjIiwidGFiIjoidW5rbndvbl9wdXNoX3J1biIsInRhYmRhdCI6eyJjaGFubmVsIjowLCJjbWQ1IjoiIiwiZGV0YWlsIjoxLCJlbnYiOiJwdXJlIiwiZXhwIjoicHVyZSIsImZyb20iOi0xLCJpZGVudGl0eSI6IiIsImluY2hhbm5lbCI6MCwiaW5zdGFsbGRheSI6MTc2ODcsIml2IjoyMDAwMSwibW1kNSI6IjkzN2E2ZTFmNjRhOGQzOTk3YmYzMmY5ZTJjNTMyNjIyIiwibW5hbWUiOiJiNzBjIiwibXYiOjIsIm9zdiI6IldpbjdfMzIiLCJwZGF0ZSI6IiIsInBoYXNlIjo1LCJwbmFtZSI6IiIsInByb2R1Y3QiOiJ1bmtud29uIiwicmVhc29uIjowLCJzY2VuZSI6IiIsInVpZCI6IkM2NTgwODNCODgwOUE4MTkwQUFEM0YyNTRFQjQ3RDlDIn19 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Host: ic****cn Cache-Control: no-cache
Behavior description:	打开HTTP请求
details:	HttpOpenRequestA: ic****cn:80/api/infoc/mb?d=eyjkdhlwzsi6inbjiiwidgfiijoidw5rbndvbl9wdxnox3j1biisinrhymrhdci6eyjjagfubmvsijowlcjjbwq1ijoiiiwizgv0ywlsijoxlcjlbnyioijwdxjliiwizxhwijoiqzpcxfvzzxjzxfxbzg1pbmlzdhjhdg9yxfxbchbeyxrhxfxmb2nhbfxcvgvtcfxcrui5m0e2xfxinzbjlmv4zsisi, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84200000
	HttpOpenRequestA: ic****cn:80/api/infoc/mb?d=eyjkdhlwzsi6inbjiiwidgfiijoidw5rbndvbl9wdxnox3j1biisinrhymrhdci6eyjjagfubmvsijowlcjjbwq1ijoiiiwizgv0ywlsijoxlcjlbnyioijwdxjliiwizxhwijoichvyzsisimzyb20ioi0xlcjpzgvudgl0esi6iiisimluy2hhbm5lbci6mcwiaw5zdgfsbgrhesi6mtc2odcsiml2i, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84200000
Behavior description:	按名称获取主机地址
details:	GetAddrInfoW: ic****cn

Registry behavior
Behavior description:	修改注册表
details:	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B3635496-1D9E-4b21-8D56-04CAAD0064CB}\raid
	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\EnableFileTracing
	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\EnableConsoleTracing
	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\FileTracingMask
	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\ConsoleTracingMask
	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\MaxFileSize
	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\FileDirectory
	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\EnableFileTracing
	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\EnableConsoleTracing
	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\FileTracingMask
	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\ConsoleTracingMask
	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\MaxFileSize
	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\FileDirectory
	\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Behavior description:	删除注册表键值
details:	\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
	\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
	\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
	\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
	\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName

Other behavior
Behavior description:	创建互斥体
details:	Global\C:/Users/Administrator/AppData/Local/Temp/EB93A6/log/ra.b70c.exe.log
	Local\_!MSFTHISTORY!_
	Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5!
	Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!
	Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!
	Local\WininetStartupMutex
	Local\WininetConnectionMutex
	Local\WininetProxyRegistryMutex
	RasPbFile
	Local\ZonesCounterMutex
	Local\ZoneAttributeCacheCounterMutex
	Local\ZonesCacheCounterMutex
	Local\ZonesLockedCacheCounterMutex
	Local\!IETld!Mutex
	Local\c:!users!administrator!appdata!roaming!microsoft!windows!ietldcache!
Behavior description:	打开互斥体
details:	Local\_!MSFTHISTORY!_
	Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5!
	Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!
	Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!
	Local\WininetStartupMutex
	Local\WininetConnectionMutex
	Local\WininetProxyRegistryMutex
	Local\!IETld!Mutex
	Local\c:!users!administrator!appdata!roaming!microsoft!windows!ietldcache!
Behavior description:	打开事件
details:	HookSwitchHookEnabledEvent
	\SECURITY\LSA_AUTHENTICATION_INITIALIZED
	Global\SvcctrlStartEvent_A3752DX
Behavior description:	VMWare特殊指令检测虚拟机
details:	N/A

Run screenshot