VirSCAN



File information
Safety rating: 73
Behavior list
Basic Information
MD5: bad9f09648c6c1712c86970a8cfb779d
File type: Rar
Production company:
Version:
Shell or compiler information: PACKER: ASProtect 2.1x SKE -> Alexey Solodovnikov [Overlay]
Subfile information: 玄神网吧奖励.exe / 506fed88f6708406e1c97993a5cdf779 / EXE
aspr.ske.2.x_71faca34dumpFile / big file / EXE
Key behavior
Behavior description: Maps a file with write access
Details: CiceroSharedMemDefaultS-*
DfSharedHeap3D46B0
DFMap0-4015814
DfRoot0003D46B0
\WINDOWS\system32\zh-cn\ieframe.dll.mui
\WINDOWS\system32\zh-cn\wshom.ocx.mui
Local\UrlZonesSM_Administrator
Local\!PrivacIE!SharedMem!Counter
MSCTF.MarshalInterface.FileMap.MGF..AAKHH
\WINDOWS\system32\zh-cn\mshtml.dll.mui
MSCTF.MarshalInterface.FileMap.MGF.B.INNHH
MSCTF.MarshalInterface.FileMap.MGF.C.INNHH
MSCTF.MarshalInterface.FileMap.MGF.D.INNHH
MSCTF.MarshalInterface.FileMap.MGF.E.INNHH
MSCTF.MarshalInterface.FileMap.MGF.F.INNHH
Behavior description: Sets special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Hides a specified window
Details: [Window,Class] = [Form10,ThunderRT6FormDC]
[Window,Class] = [,Shell Embedding]
[Window,Class] = [玄神网吧奖励+网游加速器『永久免费』 v 9.3,ThunderRT6FormDC]
[Window,Class] = [Form3,ThunderRT6FormDC]
[Window,Class] = [,ComboLBox ]
Behavior description: Captures window screenshot information
Details: Foreground window Info: HWND = 0x0101038b, DC = 0x0101038b.
Foreground window Info: HWND = 0x1d0104fb, DC = 0x1d0104fb.
Foreground window Info: HWND = 0x01010055, DC = 0x01010055.
Process behavior
Behavior description: Creates a process with a hidden window
Details: ImagePath = , CmdLine = cmd /c rasdial 玄神代理 /disconnect
Behavior description: Creates a process
Details: ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c rasdial 玄神代理 /disconnect
ImagePath = C:\WINDOWS\system32\rasdial.exe, CmdLine = rasdial 玄神代理 /disconnect
Behavior description: Enumerates processes
Details: N/A
File behavior
Behavior description: Creates an executable file
Details: C:\WINDOWS\system32\SkinH.dll
C:\WINDOWS\system32\COMDLG32.OCX
C:\WINDOWS\system32\TABCTL32.OCX
C:\WINDOWS\system32\MSINET.OCX
C:\WINDOWS\system32\MSCOMCTL.OCX
C:\WINDOWS\system32\COMCTL32.OCX
Behavior description: Searches for a file
Details: FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1446279546.415702.exe_7zdump\aspr_keys.ini
FileName = C:\WINDOWS\system32\SkinH备份.dll
FileName = C:\WINDOWS\system32\aero备份.she
FileName = C:\WINDOWS\system32\COMDLG32备份.OCX
FileName = C:\WINDOWS\system32\TABCTL32备份.OCX
FileName = C:\WINDOWS\system32\MSINET备份.OCX
FileName = C:\WINDOWS\system32\MSCOMCTL备份.OCX
FileName = C:\WINDOWS\system32\COMCTL32备份.OCX
FileName = C:\WINDOWS\system32\SkinH.dll
FileName = C:\WINDOWS\system32\aero.she
FileName = C:\WINDOWS\system32\COMDLG32.OCX
FileName = C:\WINDOWS\system32\TABCTL32.OCX
FileName = C:\WINDOWS\system32\MSINET.OCX
FileName = C:\WINDOWS\system32\MSCOMCTL.OCX
FileName = C:\WINDOWS\system32\COMCTL32.OCX
Behavior description: Maps a file with write access
Details: CiceroSharedMemDefaultS-*
DfSharedHeap3D46B0
DFMap0-4015814
DfRoot0003D46B0
\WINDOWS\system32\zh-cn\ieframe.dll.mui
\WINDOWS\system32\zh-cn\wshom.ocx.mui
Local\UrlZonesSM_Administrator
Local\!PrivacIE!SharedMem!Counter
MSCTF.MarshalInterface.FileMap.MGF..AAKHH
\WINDOWS\system32\zh-cn\mshtml.dll.mui
MSCTF.MarshalInterface.FileMap.MGF.B.INNHH
MSCTF.MarshalInterface.FileMap.MGF.C.INNHH
MSCTF.MarshalInterface.FileMap.MGF.D.INNHH
MSCTF.MarshalInterface.FileMap.MGF.E.INNHH
MSCTF.MarshalInterface.FileMap.MGF.F.INNHH
Behavior description: Renames a file
Details: C:\WINDOWS\system32\comdlg32.ocx ---> C:\WINDOWS\system32\COMDLG32备份.OCX
C:\WINDOWS\system32\mscomctl.ocx ---> C:\WINDOWS\system32\MSCOMCTL备份.OCX
Behavior description: Sets special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Modifies file contents
Details: C:\WINDOWS\system32\aero.she---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\navcancl[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\dnserrordiagoff_webOC[2]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\errorPageStrings[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[2]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\errorPageStrings[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\httpErrorPagesScripts[2]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\background_gradient[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\info_48[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\httpErrorPagesScripts[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\background_gradient[2]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\info_48[1]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\bullet[2]---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\bullet[1]---> Offset = 0
Network behavior
Behavior description: Connects to a specified site
Details: InternetConnectA: ServerName = beipay.xuanshenjp.com, PORT = 80
InternetConnectA: ServerName = pay.xuanshenjp.com, PORT = 80
Behavior description: Opens a URL over the network
Details: InternetOpenUrlA: http://pay.xuanshenjp.com/xuanshen/zongheban/gx.txt hInternet = 0x000004c0
Behavior description: Establishes a connection to a specified socket
Details: 127.0.0.1:1031
Behavior description: Reads a network file
Details: hFile = 0x000004c0, BytesToRead =65536, BytesRead = 65536.
Behavior description: Opens an HTTP request
Details: HttpOpenRequestA: beipay.xuanshenjp.com:80/xuanshen/zongheban/wenti.html, hConnect = 0x000003f0
HttpOpenRequestA: pay.xuanshenjp.com:80/tj/cuowu.html?007, hConnect = 0x00000498
Registry behavior
Behavior description: Modifies the registry
Details: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32\ThreadingModel
\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\
\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CurVer\
\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\
\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\1\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32\
Behavior description: Deletes a registry value
Details: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32\ThreadingModel
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32\ThreadingModel
Behavior description: Deletes a registry value (IE connection settings)
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Behavior description: Deletes a registry key
Details: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}
Other behavior
Behavior description: Creates a mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
RasPbFile
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Local\!PrivacIE!SharedMemory!Mutex
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.MGF
SHIMLIB_LOG_MUTEX
Behavior description: Inline hook
Details: C:\WINDOWS\system32\GDI32.dll--->ExtTextOutA Offset = 0x0
C:\WINDOWS\system32\GDI32.dll--->ExtTextOutW Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->GetWindowLongA Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->SetWindowLongA Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->SetWindowLongW Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->GetWindowLongW Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->BeginPaint Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->EndPaint Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->GetDC Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->GetWindowDC Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->ReleaseDC Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->WindowFromDC Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->GetScrollInfo Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->GetScrollPos Offset = 0x0
C:\WINDOWS\system32\USER32.dll--->GetScrollRange Offset = 0x0
Behavior description: Searches for a specified window
Details: NtUserFindWindowEx: [Class,Window] = [wndclass_desked_gsk,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
NtUserFindWindowEx: [Class,Window] = [,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Starts a system service
Details: [Service already running]: LocalSystem, Network Connections, C:\WINDOWS\System32\svchost.exe -k netsvcs
[Service already running]: LocalSystem, Telephony, C:\WINDOWS\System32\svchost.exe -k netsvcs
[Service already running]: LocalSystem, Remote Access Connection Manager, C:\WINDOWS\system32\svchost.exe -k netsvcs
Behavior description: Attempts to open the driver device object of a debugger or monitoring tool
Details: \??\SICE
\??\NTICE
\??\SIWVID
Behavior description: Window information
Details: Pid = 1856, Hwnd=0x202c4, Text = Text6, ClassName = ThunderRT6TextBox.
Pid = 1856, Hwnd=0x202c6, Text = 活动信息(90秒), ClassName = ThunderRT6Frame.
Pid = 1856, Hwnd=0x202d2, Text = 1, ClassName = ThunderRT6TextBox.
Pid = 1856, Hwnd=0x102e0, Text = Text6, ClassName = ThunderRT6TextBox.
Pid = 1856, Hwnd=0x102e2, Text = Text6, ClassName = ThunderRT6TextBox.
Pid = 1856, Hwnd=0x102e4, Text = Text6, ClassName = ThunderRT6TextBox.
Pid = 1856, Hwnd=0x102e6, Text = Text6, ClassName = ThunderRT6TextBox.
Pid = 1856, Hwnd=0x102e8, Text = Text6, ClassName = ThunderRT6TextBox.
Pid = 1856, Hwnd=0x102ea, Text = Text1, ClassName = ThunderRT6TextBox.
Pid = 1856, Hwnd=0x102ec, Text = Text1, ClassName = ThunderRT6TextBox.
Pid = 1856, Hwnd=0x102ee, Text = Text2, ClassName = ThunderRT6TextBox.
Pid = 1856, Hwnd=0x102f0, Text = Text7, ClassName = ThunderRT6TextBox.
Pid = 1856, Hwnd=0x102f2, Text = Text8, ClassName = ThunderRT6TextBox.
Pid = 1856, Hwnd=0x102f4, Text = Text9, ClassName = ThunderRT6TextBox.
Pid = 1856, Hwnd=0x102f8, Text = Text3, ClassName = ThunderRT6TextBox.
Behavior description: Captures window screenshot information
Details: Foreground window Info: HWND = 0x0101038b, DC = 0x0101038b.
Foreground window Info: HWND = 0x1d0104fb, DC = 0x1d0104fb.
Foreground window Info: HWND = 0x01010055, DC = 0x01010055.
Behavior description: Hides a specified window
Details: [Window,Class] = [Form10,ThunderRT6FormDC]
[Window,Class] = [,Shell Embedding]
[Window,Class] = [玄神网吧奖励+网游加速器『永久免费』 v 9.3,ThunderRT6FormDC]
[Window,Class] = [Form3,ThunderRT6FormDC]
[Window,Class] = [,ComboLBox ]