VirSCAN
File information
Safety rating: 55
Behavior list
Behavior analysis report: Threatbook file behavior analysis report
Basic Information
MD5: 937a6e1f64a8d3997bf32f9e2c532622
File type: EXE
Production company:
Version:
Shell or compiler information: COMPILER: Microsoft Visual Studio .NET 2005 -- 2008 -> Microsoft Corporation [Overlay] *
Key behavior
Behavior description: Set special folder attributes
Details: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\IETldCache
Behavior description: Detect virtual machine via VMware special instruction
Details: N/A
Process behavior
Behavior description: Enumerate processes
Details: N/A
File behavior
Behavior description: Set special folder attributes
Details: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\IETldCache
Behavior description: Search for files
Details: FileName = C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
FileName = C:\ProgramData\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\Windows\system32\Ras\*.pbk
FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Network\Connections\Pbk\*.pbk
Network behavior
Behavior description: Connect to specified site
Details: InternetConnectA: ServerName = ic****cn, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
Behavior description: Open HTTP connection
Details: InternetOpenA: UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36, hSession = 0x00cc0004
Behavior description: Establish a connection to a specified socket
Details: URL: ic****cn, IP: **.133.40.**:80, SOCKET = 0x000002ac
Behavior description: Read network file
Details: hFile = 0x00cc000c, BytesToRead =2047, BytesRead = 2047.
Behavior description: Send HTTP packet
Details: GET /api/infoc/mb?d=eyJkdHlwZSI6InBjIiwidGFiIjoidW5rbndvbl9wdXNoX3J1biIsInRhYmRhdCI6eyJjaGFubmVsIjowLCJjbWQ1IjoiIiwiZGV0YWlsIjoxLCJlbnYiOiJwdXJlIiwiZXhwIjoiQzpcXFVzZXJzXFxBZG1pbmlzdHJhdG9yXFxBcHBEYXRhXFxMb2NhbFxcVGVtcFxcRUI5M0E2XFxiNzBjLmV4ZSIsImZyb20iOi0xLCJpZGVudGl0eSI6IiIsImluY2hhbm5lbCI6MCwiaW5zdGFsbGRheSI6MTc2ODcsIml2IjoyMDAwMSwibW1kNSI6IjkzN2E2ZTFmNjRhOGQzOTk3YmYzMmY5ZTJjNTMyNjIyIiwibW5hbWUiOiJiNzBjIiwibXYiOjIsIm9zdiI6IldpbjdfMzIiLCJwZGF0ZSI6IiIsInBoYXNlIjoxLCJwbmFtZSI6IiIsInByb2R1Y3QiOiJ1bmtud29uIiwicmVhc29uIjo4LCJzY2VuZSI6IiIsInVpZCI6IkM2NTgwODNCODgwOUE4MTkwQUFEM0YyNTRFQjQ3RDlDIn19 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Host: ic****cn Cache-Control: no-cache
GET /api/infoc/mb?d=eyJkdHlwZSI6InBjIiwidGFiIjoidW5rbndvbl9wdXNoX3J1biIsInRhYmRhdCI6eyJjaGFubmVsIjowLCJjbWQ1IjoiIiwiZGV0YWlsIjoxLCJlbnYiOiJwdXJlIiwiZXhwIjoicHVyZSIsImZyb20iOi0xLCJpZGVudGl0eSI6IiIsImluY2hhbm5lbCI6MCwiaW5zdGFsbGRheSI6MTc2ODcsIml2IjoyMDAwMSwibW1kNSI6IjkzN2E2ZTFmNjRhOGQzOTk3YmYzMmY5ZTJjNTMyNjIyIiwibW5hbWUiOiJiNzBjIiwibXYiOjIsIm9zdiI6IldpbjdfMzIiLCJwZGF0ZSI6IiIsInBoYXNlIjo1LCJwbmFtZSI6IiIsInByb2R1Y3QiOiJ1bmtud29uIiwicmVhc29uIjowLCJzY2VuZSI6IiIsInVpZCI6IkM2NTgwODNCODgwOUE4MTkwQUFEM0YyNTRFQjQ3RDlDIn19 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Host: ic****cn Cache-Control: no-cache
Behavior description: Open HTTP request
Details: HttpOpenRequestA: ic****cn:80/api/infoc/mb?d=eyjkdhlwzsi6inbjiiwidgfiijoidw5rbndvbl9wdxnox3j1biisinrhymrhdci6eyjjagfubmvsijowlcjjbwq1ijoiiiwizgv0ywlsijoxlcjlbnyioijwdxjliiwizxhwijoiqzpcxfvzzxjzxfxbzg1pbmlzdhjhdg9yxfxbchbeyxrhxfxmb2nhbfxcvgvtcfxcrui5m0e2xfxinzbjlmv4zsisi, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84200000
HttpOpenRequestA: ic****cn:80/api/infoc/mb?d=eyjkdhlwzsi6inbjiiwidgfiijoidw5rbndvbl9wdxnox3j1biisinrhymrhdci6eyjjagfubmvsijowlcjjbwq1ijoiiiwizgv0ywlsijoxlcjlbnyioijwdxjliiwizxhwijoichvyzsisimzyb20ioi0xlcjpzgvudgl0esi6iiisimluy2hhbm5lbci6mcwiaw5zdgfsbgrhesi6mtc2odcsiml2i, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84200000
Behavior description: Get host address by name
Details: GetAddrInfoW: ic****cn
Registry behavior
Behavior description: Modify registry
Details: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B3635496-1D9E-4b21-8D56-04CAAD0064CB}\raid
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\FileTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\ConsoleTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\MaxFileSize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\FileDirectory
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\FileTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\ConsoleTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\MaxFileSize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\FileDirectory
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Behavior description: Delete registry key value
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
Other behavior
Behavior description: Create mutex
Details: Global\C:/Users/Administrator/AppData/Local/Temp/EB93A6/log/ra.b70c.exe.log
Local\_!MSFTHISTORY!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Local\!IETld!Mutex
Local\c:!users!administrator!appdata!roaming!microsoft!windows!ietldcache!
Behavior description: Open mutex
Details: Local\_!MSFTHISTORY!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
Local\!IETld!Mutex
Local\c:!users!administrator!appdata!roaming!microsoft!windows!ietldcache!
Behavior description: Open event
Details: HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
Behavior description: Detect virtual machine via VMware special instruction
Details: N/A