VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.
4, If your browser cannot upload files, please download VirSCAN uploader to upload.

File information

Virscan.org multi-engine scan report
Behavior analysis report: Habo file analysis

Basic Information

MD5: 636a15307bbabbae8ed1af5a446f978f
File size: 5.58MB
Upload time: 2014-09-22 10:36:30 (CST)
Package names:
Minimum operating environment:
copyright:

Key behavior

Behavior description: Cross-process memory write
details: TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\psiphon-tunnel-core.exe, WriteAddress = 0x00240000, Size = 0x00000020
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\psiphon-tunnel-core.exe, WriteAddress = 0x00240020, Size = 0x00000034
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\psiphon-tunnel-core.exe, WriteAddress = 0x7ffd9238, Size = 0x00000004
Behavior description: Get TickCount value
details: TickCount = 841109, SleepMilliseconds = 60000.
Behavior description: Look up PE resource information
details: (FindResourceExExW) hModule = 0x00C90000, ResName: 83(ID), ResType: a(ID)
Behavior description: Get window screenshot information
details: Foreground window Info: HWND = 0x00000000, DC = 0xb201092d.
Behavior description: Set special folder attributes
details: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
Behavior description: Read CPU clock directly
details: EAX = 0xb1488e1a, EDX = 0x00000295

Process behavior

Behavior description: Create process with hidden window
details: ImagePath = C:\Users\ADMINI~1\AppData\Local\Temp\psiphon-tunnel-core.exe, CmdLine = C:\Users\ADMINI~1\AppData\Local\Temp\psiphon-tunnel-core.exe --config "C:\Users\Administrator\AppData\Roaming\Psiphon3\psiphon.config" --serverList "C:\Users\Administrator\AppData\Roaming\Psiphon3\server_list.dat"
Behavior description: Cross-process memory write
details: TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\psiphon-tunnel-core.exe, WriteAddress = 0x00240000, Size = 0x00000020
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\psiphon-tunnel-core.exe, WriteAddress = 0x00240020, Size = 0x00000034
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\psiphon-tunnel-core.exe, WriteAddress = 0x7ffd9238, Size = 0x00000004
Behavior description: Create process from newly created file
details: ImagePath = C:\Users\ADMINI~1\AppData\Local\Temp\psiphon-tunnel-core.exe, CmdLine = C:\Users\ADMINI~1\AppData\Local\Temp\psiphon-tunnel-core.exe --config "C:\Users\Administrator\AppData\Roaming\Psiphon3\psiphon.config" --serverList "C:\Users\Administrator\AppData\Roaming\Psiphon3\server_list.dat"

File behavior

Behavior description: Create file
details: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\main[1]
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3KY9KWG8\icomoon[1]
C:\Users\Administrator\AppData\Local\Temp\datEA89.tmp
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TLEIP40E\logo-bw[1]
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\83EX5K53\flags32[1]
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\banner[1]
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3KY9KWG8\flag_unknown_32[1]
C:\Users\Administrator\AppData\Roaming\Psiphon3\psiphon.config
C:\Users\Administrator\AppData\Roaming\Psiphon3\server_list.dat
C:\Users\Administrator\AppData\Local\Temp\psiphon-tunnel-core.exe
C:\Users\Administrator\AppData\Roaming\Psiphon3\psiphon.boltdb
C:\Users\Administrator\AppData\Roaming\Psiphon3\remote_server_list.part
Behavior description: Create executable file
details: C:\Users\Administrator\AppData\Local\Temp\psiphon-tunnel-core.exe
Behavior description: Overwrite existing file
details: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\main[1]
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3KY9KWG8\icomoon[1]
C:\Users\Administrator\AppData\Local\Temp\datEA89.tmp
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TLEIP40E\logo-bw[1]
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\83EX5K53\flags32[1]
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\banner[1]
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3KY9KWG8\flag_unknown_32[1]
Behavior description: Search for file
details: FileName = c:\users
FileName = c:\users\administrator\appdata
FileName = c:\users\administrator\appdata\local
FileName = c:\users\administrator\appdata\local\temp
FileName = c:\users\administrator\appdata\local\%temp%
FileName = c:\users\administrator\appdata\local\%temp%\b70c.exe
FileName = C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
FileName = C:\ProgramData\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\Windows\system32\Ras\*.pbk
FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016111520161116\*.*
FileName = C:\Users
FileName = C:\Users\Administrator\AppData
FileName = C:\Users\Administrator\AppData\Local
Behavior description: Set special folder attributes
details: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
Behavior description: Modify file contents
details: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\main[1] ---> Offset = 0
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3KY9KWG8\icomoon[1] ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\datEA89.tmp ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\datEA89.tmp ---> Offset = 1024
C:\Users\Administrator\AppData\Local\Temp\datEA89.tmp ---> Offset = 2048
C:\Users\Administrator\AppData\Local\Temp\datEA89.tmp ---> Offset = 3072
C:\Users\Administrator\AppData\Local\Temp\datEA89.tmp ---> Offset = 4096
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TLEIP40E\logo-bw[1] ---> Offset = 0
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\83EX5K53\flags32[1] ---> Offset = 0
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\banner[1] ---> Offset = 0
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3KY9KWG8\flag_unknown_32[1] ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\Psiphon3\psiphon.config ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\Psiphon3\server_list.dat ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\psiphon-tunnel-core.exe ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\Psiphon3\psiphon.boltdb ---> Offset = 0

Network behavior

Behavior description: Open HTTP connection
details: InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0), hSession = 0x00cc0004
Behavior description: Resolve host address by name
details: GetAddrInfoW: a1****et

Registry behavior

Behavior description: Modify registry
details: \REGISTRY\USER\S-*\Software\Psiphon3\SkipBrowser
\REGISTRY\USER\S-*\Software\Psiphon3\SkipProxySettings
\REGISTRY\USER\S-*\Software\Psiphon3\SkipAutoConnect
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\FileTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\ConsoleTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\MaxFileSize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\FileDirectory
\REGISTRY\USER\S-*\Software\Psiphon3\NativeProxyInfo
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CachePath
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CachePrefix
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CacheLimit
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CacheOptions
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CacheRepair
Behavior description: Delete registry value
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName

Other behavior

Behavior description: Check whether it is being debugged
details: N/A
Behavior description: Create mutex
details: RasPbFile
Global\{B88F6262-9CC8-44EF-887D-FB77DC89BB8C}
Local\!PrivacIE!SharedMemory!Mutex
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Local\res://c:\users\administrator\appdata\local\%temp%\b70c.exe/
MSIMGSIZECacheMutex
Local\__DDrawExclMode__
Local\__DDrawCheckExclMode__
Local\DDrawWindowListMutex
Local\DDrawDriverObjectListMutex
Local\ServerListMutex-CoreTransport
DBWinMutex
Behavior description: Create event object
details: EventName = OleDfRootDC1E20B3EC22F5BE
Behavior description: Read CPU clock directly
details: EAX = 0xb1488e1a, EDX = 0x00000295
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [Internet Explorer_Server,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behavior description: Open event
details: HookSwitchHookEnabledEvent
\KernelObjects\MaximumCommitCondition
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\TabletHardwarePresent
MSFT.VSA.COM.DISABLE.2332
MSFT.VSA.IEC.STATUS.6c736db0
Local\MSCTF.CtfActivated.Default1
Local\MSCTF.AsmCacheReady.Default1
Behavior description: Get TickCount value
details: TickCount = 841109, SleepMilliseconds = 60000.
Behavior description: Get cursor position
details: CursorPos = (90,18467), SleepMilliseconds = 60000.
Behavior description: Window information
details: Pid = 2332, Hwnd=0x1f0124, Text = Psiphon 3, ClassName = PSIPHON3.
Behavior description: Look up PE resource information
details: (FindResourceExExW) hModule = 0x00C90000, ResName: 83(ID), ResType: a(ID)
Behavior description: Get window screenshot information
details: Foreground window Info: HWND = 0x00000000, DC = 0xb201092d.
Behavior description: Executable file signature information
details: C:\Users\Administrator\AppData\Local\Temp\psiphon-tunnel-core.exe (signature verification: passed)
Behavior description: Call Sleep function
details: [1]: MilliSeconds = 0.
[2]: MilliSeconds = 0.
[3]: MilliSeconds = 0.
[4]: MilliSeconds = 60000.
[5]: MilliSeconds = 0.
[6]: MilliSeconds = 0.
[7]: MilliSeconds = 0.
[8]: MilliSeconds = 0.
[9]: MilliSeconds = 0.
[10]: MilliSeconds = 0.
Behavior description: Executable file MD5
details: C:\Users\Administrator\AppData\Local\Temp\psiphon-tunnel-core.exe ---> file too large!
Behavior description: Open mutex
details: RasPbFile
Local\!IETld!Mutex
Local\WininetStartupMutex
Local\_!MSFTHISTORY!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
Local\MSCTF.Asm.MutexDefault1
Behavior description: Load newly dropped file
details: Image: C:\Users\ADMINI~1\AppData\Local\Temp\psiphon-tunnel-core.exe.