VirSCAN VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, VirSCAN can scan compressed files with password 'infected' or 'virus'.

Language
Server load
Server Load

File information
Safety rating:42
Behavior list
Basic Information
MD5:f84485719447dfe1614783e292980a7a
file type:Rar
Production company:
version:
Shell or compiler information:COMPILER:Elan
Subfile information:百度手机注册.exedumpFile / 6d8bbce3d35362f26d9559c90a6a992c / EXE
百度手机注册.exe / 6d8bbce3d35362f26d9559c90a6a992c / EXE
Key behavior
Behavior description:设置特殊文件属性
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\SkinH_EL.dll
Behavior description:设置特殊文件夹属性
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Process behavior
Behavior description:创建本地线程
details:TargetProcess: 百度手机注册.exe, InheritedFromPID = 1944, ProcessID = 912, ThreadID = 1048, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: 百度手机注册.exe, InheritedFromPID = 1944, ProcessID = 912, ThreadID = 744, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: 百度手机注册.exe, InheritedFromPID = 1944, ProcessID = 912, ThreadID = 2044, StartAddress = 7C930230, Parameter = 00000000
File behavior
Behavior description:创建文件
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\SkinH_EL.dll
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6P4O8QNJ\do[1].php
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\do[1].php
Behavior description:创建可执行文件
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\SkinH_EL.dll
Behavior description:查找文件
details:FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\SkinH_EL.dll
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS\system32\Ras\*.pbk
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012016061420160615\*.*
Behavior description:设置特殊文件属性
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\SkinH_EL.dll
Behavior description:删除文件
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6P4O8QNJ\do[1].php
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\do[1].php
Behavior description:设置特殊文件夹属性
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description:修改文件内容
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\SkinH_EL.dll ---> Offset = 0
Network behavior
Behavior description:连接指定站点
details:InternetConnectA: ServerName = ap****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
Behavior description:打开HTTP连接
details:InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022), hSession = 0x00cc0004
Behavior description:建立到一个指定的套接字连接
details:URL: ap****om, IP: **.133.40.**:80, SOCKET = 0x00000578
URL: ap****om, IP: **.133.40.**:80, SOCKET = 0x00000570
URL: ap****om, IP: **.133.40.**:80, SOCKET = 0x0000056c
URL: ap****om, IP: **.133.40.**:80, SOCKET = 0x00000568
URL: ap****om, IP: **.133.40.**:80, SOCKET = 0x0000057c
Behavior description:读取网络文件
details:hFile = 0x00cc000c, BytesToRead =1024, BytesRead = 1024.
Behavior description:发送HTTP包
details:GET /api/do.php?action=loginIn&name=123456&password=123456 HTTP/1.1 Referer: http://api.hellotrue.com/api/do.php?action=loginIn&name=123456&password=123456 Accept: */* Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) Host: ap****om Cache-Control: no-cache
GET /api/do.php?action=loginIn&name=123456&password=123456123456123456 HTTP/1.1 Referer: http://api.hellotrue.com/api/do.php?action=loginIn&name=123456&password=123456123456123456 Accept: */* Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) Host: ap****om Cache-Control: no-cache
GET /api/do.php?action=loginIn&name=123456&password=123456123456123456123456 HTTP/1.1 Referer: http://api.hellotrue.com/api/do.php?action=loginIn&name=123456&password=123456123456123456123456 Accept: */* Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) Host: ap****om Cache-Control: no-cache
GET /api/do.php?action=loginIn&name=123456&password=123456123456123456123456123456 HTTP/1.1 Referer: http://api.hellotrue.com/api/do.php?action=loginIn&name=123456&password=123456123456123456123456123456 Accept: */* Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) Host: ap****om Cache-Control: no-cache
GET /api/do.php?action=loginIn&name=123456&password=123456123456123456123456123456123456 HTTP/1.1 Referer: http://api.hellotrue.com/api/do.php?action=loginIn&name=123456&password=123456123456123456123456123456123456 Accept: */* Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) Host: ap****om Cache-Control: no-cache
GET /api/do.php?action=loginIn&name=123456&password=123456123456123456123456123456123456123456 HTTP/1.1 Referer: http://api.hellotrue.com/api/do.php?action=loginIn&name=123456&password=123456123456123456123456123456123456123456 Accept: */* Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022) Host: ap****om Cache-Control: no-cache
Behavior description:打开HTTP请求
details:HttpOpenRequestA: ap****om:80/api/do.php?action=loginin&name=123456&password=123456, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x80004010
HttpOpenRequestA: ap****om:80/api/do.php?action=loginin&name=123456&password=123456123456123456, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x80004010
HttpOpenRequestA: ap****om:80/api/do.php?action=loginin&name=123456&password=123456123456123456123456, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x80004010
HttpOpenRequestA: ap****om:80/api/do.php?action=loginin&name=123456&password=123456123456123456123456123456, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x80004010
HttpOpenRequestA: ap****om:80/api/do.php?action=loginin&name=123456&password=123456123456123456123456123456123456, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x80004010
HttpOpenRequestA: ap****om:80/api/do.php?action=loginin&name=123456&password=123456123456123456123456123456123456123456, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x80004010
Behavior description:按名称获取主机地址
details:GetAddrInfoW: ap****om
Registry behavior
Behavior description:修改注册表
details:\REGISTRY\USER\S-*\Software\Microsoft\Multimedia\DrawDib\vga.drv 1920x973x16(565 0)
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Behavior description:删除注册表键值
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Other behavior
Behavior description:创建互斥体
details:RasPbFile
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
MSCTF.Shared.MUTEX.EDC
Behavior description:创建事件对象
details:EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceive.Event.EDC.IC
EventName = MSCTF.SendReceiveConection.Event.EDC.IC
Behavior description:查找指定窗口
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [OleMainThreadWndClass,]
Behavior description:打开事件
details:HookSwitchHookEnabledEvent
\INSTALLATION_SECURITY_HOLD
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000042
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000042
MSCTF.SendReceiveConection.Event.ELH.IC
MSCTF.SendReceive.Event.ELH.IC
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000043
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000043
Behavior description:窗口信息
details:Pid = 912, Hwnd=0x503b8, Text = 线程数量:, ClassName = _EL_Label.
Pid = 912, Hwnd=0x10032e, Text = 等待操作, ClassName = _EL_Label.
Pid = 912, Hwnd=0x1203be, Text = 1, ClassName = Edit.
Pid = 912, Hwnd=0xe02aa, Text = IP更换频率:, ClassName = _EL_Label.
Pid = 912, Hwnd=0x110342, Text = 宽带账号:, ClassName = _EL_Label.
Pid = 912, Hwnd=0xb0398, Text = 宽带密码:, ClassName = _EL_Label.
Pid = 912, Hwnd=0x10034c, Text = 平台账号:, ClassName = _EL_Label.
Pid = 912, Hwnd=0xc03a0, Text = 平台密码:, ClassName = _EL_Label.
Pid = 912, Hwnd=0xb032a, Text = 开启更换IP, ClassName = Button(CheckBox).
Pid = 912, Hwnd=0x7037c, Text = 1, ClassName = Edit.
Pid = 912, Hwnd=0x7038a, Text = 平台登录, ClassName = Button.
Pid = 912, Hwnd=0x1902ce, Text = 密码设置:, ClassName = _EL_Label.
Pid = 912, Hwnd=0x403a2, Text = qweqwe123, ClassName = Edit.
Pid = 912, Hwnd=0x40392, Text = 注册数量:, ClassName = _EL_Label.
Pid = 912, Hwnd=0x703ba, Text = 100, ClassName = Edit.
Behavior description:可执行文件签名信息
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\SkinH_EL.dll(签名验证: 未通过)
Behavior description:隐藏指定窗口
details:[Window,Class] = [开启更换IP,Button]
[Window,Class] = [,Edit]
[Window,Class] = [宽带密码:,_EL_Label]
[Window,Class] = [宽带账号:,_EL_Label]
[Window,Class] = [IP更换频率:,_EL_Label]
[Window,Class] = [1,Edit]
Behavior description:可执行文件MD5
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\SkinH_EL.dll ---> 147127382e001f495d1842ee7a9e7912
Behavior description:打开互斥体
details:RasPbFile
ShimCacheMutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
Local\!IETld!Mutex
Behavior description:加载新释放的文件
details:Image: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\SkinH_EL.dll.
Run screenshot
VirSCAN

About VirSCAN | Privacy Policy | Contact us | Links | Help VirSCAN
Translated by Keith Miller, United States
Powered By CentOSpol

京ICP备11007605号-12

pol

京公网安备 11010802020746号