VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports Rar/Zip decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.
4. If your browser cannot upload files, please download the VirSCAN uploader and use it to upload.

File information

Virscan.org multi-engine scan report
Behavior analysis report: Habo file analysis

Basic Information

MD5: 73372028131bdb3097ce1e5ef294e2e4
File size: 5.58 MB
Upload time: 2014-09-22 10:36:30 (CST)
Package names:
Minimum operating environment:
Copyright:

Key behavior

Behavior description: Cross-process data write
details: TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\psiphon-tunnel-core.exe, WriteAddress = 0x00240000, Size = 0x00000020 TargetPID = 0x00000f58
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\psiphon-tunnel-core.exe, WriteAddress = 0x00240020, Size = 0x00000034 TargetPID = 0x00000f58
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\psiphon-tunnel-core.exe, WriteAddress = 0x7ffd5238, Size = 0x00000004 TargetPID = 0x00000f58
Behavior description: Modify hard disk boot sector
details: NtWriteFile
Behavior description: Get TickCount value
details: TickCount = 144703, SleepMilliseconds = 60000.
TickCount = 144718, SleepMilliseconds = 60000.
TickCount = 144734, SleepMilliseconds = 60000.
TickCount = 144750, SleepMilliseconds = 60000.
TickCount = 149109, SleepMilliseconds = 60000.
TickCount = 149140, SleepMilliseconds = 60000.
TickCount = 153281, SleepMilliseconds = 60000.
TickCount = 153296, SleepMilliseconds = 60000.
TickCount = 153312, SleepMilliseconds = 60000.
TickCount = 157109, SleepMilliseconds = 60000.
TickCount = 157125, SleepMilliseconds = 60000.
TickCount = 157140, SleepMilliseconds = 60000.
TickCount = 157187, SleepMilliseconds = 60000.
TickCount = 157203, SleepMilliseconds = 60000.
TickCount = 157234, SleepMilliseconds = 60000.
Behavior description: Look up PE resource information
details: (FindResourceExExW) hModule = 0x000A0000, ResName: 83(ID), ResType: a(ID)
Behavior description: Set special folder attributes
details: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
Behavior description: Read CPU clock directly
details: EAX = 0xe39c9f0e, EDX = 0x00000044
EAX = 0xfdedd76e, EDX = 0x00000044
EAX = 0xfdedd7ba, EDX = 0x00000044
EAX = 0x0dc97340, EDX = 0x00000045
EAX = 0x1da50ec6, EDX = 0x00000045
EAX = 0x1da50f12, EDX = 0x00000045
EAX = 0x1da50f5e, EDX = 0x00000045
EAX = 0x1da50faa, EDX = 0x00000045
EAX = 0x1da50ff6, EDX = 0x00000045
EAX = 0x1da51042, EDX = 0x00000045
EAX = 0x8486f09a, EDX = 0x00000051
EAX = 0x8486f0e6, EDX = 0x00000051
EAX = 0x8486f132, EDX = 0x00000051
EAX = 0x8486f17e, EDX = 0x00000051
EAX = 0x8486f1ca, EDX = 0x00000051

Process behavior

Behavior description: Create process with hidden window
details: ImagePath = C:\Users\ADMINI~1\AppData\Local\Temp\psiphon-tunnel-core.exe, CmdLine = C:\Users\ADMINI~1\AppData\Local\Temp\psiphon-tunnel-core.exe --config "C:\Users\Administrator\AppData\Roaming\Psiphon3\psiphon.config" --serverList "C:\Users\Administrator\AppData\Roaming\Psiphon3\server_list.dat"
Behavior description: Cross-process data write
details: TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\psiphon-tunnel-core.exe, WriteAddress = 0x00240000, Size = 0x00000020 TargetPID = 0x00000f58
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\psiphon-tunnel-core.exe, WriteAddress = 0x00240020, Size = 0x00000034 TargetPID = 0x00000f58
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\psiphon-tunnel-core.exe, WriteAddress = 0x7ffd5238, Size = 0x00000004 TargetPID = 0x00000f58
Behavior description: Create process from newly created file
details: [0x00000f58]ImagePath = C:\Users\ADMINI~1\AppData\Local\Temp\psiphon-tunnel-core.exe, CmdLine = C:\Users\ADMINI~1\AppData\Local\Temp\psiphon-tunnel-core.exe --config "C:\Users\Administrator\AppData\Roaming\Psiphon3\psiphon.config" --serverList "C:\Users\Administrator\AppData\Roaming\Psiphon3\server_list.dat"

File behavior

Behavior description: Create file
details: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\main[1]
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3KY9KWG8\icomoon[1]
C:\Users\Administrator\AppData\Local\Temp\dat4B3C.tmp
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TLEIP40E\logo-bw[1]
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\83EX5K53\flags32[1]
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\banner[1]
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3KY9KWG8\flag_unknown_32[1]
C:\Users\Administrator\AppData\Roaming\Psiphon3\psiphon.config
C:\Users\Administrator\AppData\Roaming\Psiphon3\server_list.dat
C:\Users\Administrator\AppData\Local\Temp\psiphon-tunnel-core.exe
C:\Users\Administrator\AppData\Roaming\Psiphon3\psiphon.boltdb
C:\Users\Administrator\AppData\Roaming\Psiphon3\osl\osl-registry.part
C:\Users\Administrator\AppData\Roaming\Psiphon3\remote_server_list.part
Behavior description: Create executable file
details: C:\Users\Administrator\AppData\Local\Temp\psiphon-tunnel-core.exe
Behavior description: Overwrite existing file
details: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\main[1]
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3KY9KWG8\icomoon[1]
C:\Users\Administrator\AppData\Local\Temp\dat4B3C.tmp
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TLEIP40E\logo-bw[1]
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\83EX5K53\flags32[1]
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\banner[1]
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3KY9KWG8\flag_unknown_32[1]
Behavior description: Search for file
details: FileName = c:\users
FileName = c:\users\administrator\appdata
FileName = c:\users\administrator\appdata\local
FileName = c:\users\administrator\appdata\local\temp
FileName = c:\users\administrator\appdata\local\%temp%
FileName = c:\users\administrator\appdata\local\%temp%\b70c.exe
FileName = C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
FileName = C:\ProgramData\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\Windows\system32\Ras\*.pbk
FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016022320160224\*.*
FileName = C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016022220160223\*.*
FileName = C:\Users
FileName = C:\Users\Administrator\AppData
Behavior description: Set special folder attributes
details: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
Behavior description: Modify file content
details: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\main[1] ---> Offset = 0
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3KY9KWG8\icomoon[1] ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\dat4B3C.tmp ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\dat4B3C.tmp ---> Offset = 1024
C:\Users\Administrator\AppData\Local\Temp\dat4B3C.tmp ---> Offset = 2048
C:\Users\Administrator\AppData\Local\Temp\dat4B3C.tmp ---> Offset = 3072
C:\Users\Administrator\AppData\Local\Temp\dat4B3C.tmp ---> Offset = 4096
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TLEIP40E\logo-bw[1] ---> Offset = 0
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\83EX5K53\flags32[1] ---> Offset = 0
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\banner[1] ---> Offset = 0
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3KY9KWG8\flag_unknown_32[1] ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\Psiphon3\psiphon.config ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\Psiphon3\server_list.dat ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\psiphon-tunnel-core.exe ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\Psiphon3\psiphon.boltdb ---> Offset = 0

Network behavior

Behavior description: Open HTTP connection
details: InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0), hSession = 0x00cc0004
Behavior description: Resolve host address by name
details: GetAddrInfoW: a4****et
GetAddrInfoW: a1****et
GetAddrInfoW: gl****om
GetAddrInfoW: pr****et
GetAddrInfoW: a3****et
GetAddrInfoW: ww****om
GetAddrInfoW: a9****et
GetAddrInfoW: a6****et
GetAddrInfoW: a2****et
GetAddrInfoW: s3****om

Registry behavior

Behavior description: Modify registry
details: \REGISTRY\USER\S-*\Software\Psiphon3\SkipBrowser
\REGISTRY\USER\S-*\Software\Psiphon3\SkipProxySettings
\REGISTRY\USER\S-*\Software\Psiphon3\SkipAutoConnect
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\FileTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\ConsoleTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\MaxFileSize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\FileDirectory
\REGISTRY\USER\S-*\Software\Psiphon3\NativeProxyInfo
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CachePath
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CachePrefix
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CacheLimit
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CacheOptions
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\DOMStore\CacheRepair
Behavior description: Delete registry value
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName

Other behavior

Behavior description: Check whether it is being debugged
details: IsDebuggerPresent
Behavior description: Create mutex
details: RasPbFile
Global\{B88F6262-9CC8-44EF-887D-FB77DC89BB8C}
Local\!IETld!Mutex
Local\!PrivacIE!SharedMemory!Mutex
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Local\_!MSFTHISTORY!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
Behavior description: Create event object
details: EventName = OleDfRoot9BDBB03469C792E5
EventName = OleDfRoot347D350F0638CA3F
EventName = OleDfRoot4689B62987F7CB2C
EventName = OleDfRootA82D0D21D7594A9D
EventName = OleDfRootA4EB20A6F6F50AD9
EventName = OleDfRoot29DF65986FAA6A7D
EventName = OleDfRootE7B17BAFC1F7FB6F
EventName = OleDfRoot22862A6CD8CC023A
EventName = OleDfRoot242226C39E208010
EventName = OleDfRootE4F02A5F305D7CCB
EventName = OleDfRoot927A32BD5BC3A076
EventName = OleDfRootC7E3CE103E2694DB
EventName = OleDfRoot7766DEEBFAE0248
Behavior description: Open mutex
details: Local\!IETld!Mutex
Local\WininetStartupMutex
Local\_!MSFTHISTORY!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
Local\MSCTF.Asm.MutexDefault1
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [Internet Explorer_Server,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behavior description: Modify hard disk boot sector
details: NtWriteFile
Behavior description: Window information
details: Pid = 2712, Hwnd=0x60190, Text = Psiphon 3, ClassName = PSIPHON3.
Behavior description: Get TickCount value
details: TickCount = 144703, SleepMilliseconds = 60000.
TickCount = 144718, SleepMilliseconds = 60000.
TickCount = 144734, SleepMilliseconds = 60000.
TickCount = 144750, SleepMilliseconds = 60000.
TickCount = 149109, SleepMilliseconds = 60000.
TickCount = 149140, SleepMilliseconds = 60000.
TickCount = 153281, SleepMilliseconds = 60000.
TickCount = 153296, SleepMilliseconds = 60000.
TickCount = 153312, SleepMilliseconds = 60000.
TickCount = 157109, SleepMilliseconds = 60000.
TickCount = 157125, SleepMilliseconds = 60000.
TickCount = 157140, SleepMilliseconds = 60000.
TickCount = 157187, SleepMilliseconds = 60000.
TickCount = 157203, SleepMilliseconds = 60000.
TickCount = 157234, SleepMilliseconds = 60000.
Behavior description: Get cursor position
details: CursorPos = (555,18472), SleepMilliseconds = 60000.
CursorPos = (6848,26505), SleepMilliseconds = 60000.
CursorPos = (19683,15729), SleepMilliseconds = 60000.
CursorPos = (11992,29363), SleepMilliseconds = 60000.
CursorPos = (27476,24469), SleepMilliseconds = 60000.
CursorPos = (6219,28150), SleepMilliseconds = 60000.
CursorPos = (23795,16832), SleepMilliseconds = 60000.
CursorPos = (10475,496), SleepMilliseconds = 60000.
CursorPos = (3509,11947), SleepMilliseconds = 60000.
CursorPos = (5341,5441), SleepMilliseconds = 60000.
CursorPos = (32905,14609), SleepMilliseconds = 60000.
CursorPos = (4416,158), SleepMilliseconds = 60000.
CursorPos = (806,12387), SleepMilliseconds = 60000.
CursorPos = (17935,18721), SleepMilliseconds = 60000.
CursorPos = (20232,19900), SleepMilliseconds = 60000.
Behavior description: Open event
details: HookSwitchHookEnabledEvent
\KernelObjects\MaximumCommitCondition
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
MSFT.VSA.COM.DISABLE.2712
MSFT.VSA.IEC.STATUS.6c736db0
Global\TabletHardwarePresent
Local\MSCTF.CtfActivated.Default1
Local\MSCTF.AsmCacheReady.Default1
Behavior description: Look up PE resource information
details: (FindResourceExExW) hModule = 0x000A0000, ResName: 83(ID), ResType: a(ID)
Behavior description: Executable signature information
details: C:\Users\Administrator\AppData\Local\Temp\psiphon-tunnel-core.exe (signature verification: passed)
Behavior description: Call Sleep function
details: [1]: MilliSeconds = 0.
[2]: MilliSeconds = 60000.
[3]: MilliSeconds = 0.
[4]: MilliSeconds = 0.
[5]: MilliSeconds = 0.
[6]: MilliSeconds = 0.
[7]: MilliSeconds = 0.
[8]: MilliSeconds = 0.
[9]: MilliSeconds = 0.
[10]: MilliSeconds = 60000.
Behavior description: Executable file MD5
details: C:\Users\Administrator\AppData\Local\Temp\psiphon-tunnel-core.exe ---> file too large!
Behavior description: Read CPU clock directly
details: EAX = 0xe39c9f0e, EDX = 0x00000044
EAX = 0xfdedd76e, EDX = 0x00000044
EAX = 0xfdedd7ba, EDX = 0x00000044
EAX = 0x0dc97340, EDX = 0x00000045
EAX = 0x1da50ec6, EDX = 0x00000045
EAX = 0x1da50f12, EDX = 0x00000045
EAX = 0x1da50f5e, EDX = 0x00000045
EAX = 0x1da50faa, EDX = 0x00000045
EAX = 0x1da50ff6, EDX = 0x00000045
EAX = 0x1da51042, EDX = 0x00000045
EAX = 0x8486f09a, EDX = 0x00000051
EAX = 0x8486f0e6, EDX = 0x00000051
EAX = 0x8486f132, EDX = 0x00000051
EAX = 0x8486f17e, EDX = 0x00000051
EAX = 0x8486f1ca, EDX = 0x00000051
Behavior description: Load newly dropped file
details: Image: C:\Users\ADMINI~1\AppData\Local\Temp\psiphon-tunnel-core.exe.
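The report above is a raw Habo behavior dump in a fixed "Behavior description: / details:" layout. As an added example (not VirSCAN's, Habo's or Psiphon's own code), the Python below parses that layout into structured entries, pulls out the artifacts an analyst would pivot on (dropped files, registry paths, mutexes, masked DNS names, child command lines) and tallies the anti-analysis style checks the sandbox labelled (debugger check, TickCount and RDTSC timing, cursor polling, long sleeps). The sample input is a constructed excerpt using the English labels as translated on this page; the label strings, category names and section names are assumptions of the example, and a report with different labels needs the tables adjusted.

```python
"""Parse a Habo/VirSCAN-style behaviour report into structured artifacts.

Added example; not the scanner's own code. The SAMPLE_REPORT below is a
constructed excerpt in the layout of the report on this page.
"""
import re
from collections import defaultdict

SAMPLE_REPORT = r"""Process behavior

Behavior description: Create process with hidden window
details: ImagePath = C:\Users\ADMINI~1\AppData\Local\Temp\psiphon-tunnel-core.exe, CmdLine = C:\Users\ADMINI~1\AppData\Local\Temp\psiphon-tunnel-core.exe --config "C:\Users\Administrator\AppData\Roaming\Psiphon3\psiphon.config"

File behavior

Behavior description: Create executable file
details: C:\Users\Administrator\AppData\Local\Temp\psiphon-tunnel-core.exe

Network behavior

Behavior description: Resolve host address by name
details: GetAddrInfoW: a4****et
GetAddrInfoW: s3****om

Registry behavior

Behavior description: Modify registry
details: \REGISTRY\USER\S-*\Software\Psiphon3\SkipBrowser
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\EnableFileTracing

Other behavior

Behavior description: Check whether it is being debugged
details: IsDebuggerPresent
Behavior description: Create mutex
details: RasPbFile
Global\{B88F6262-9CC8-44EF-887D-FB77DC89BB8C}
Behavior description: Get TickCount value
details: TickCount = 144703, SleepMilliseconds = 60000.
TickCount = 144718, SleepMilliseconds = 60000.
Behavior description: Read CPU clock directly
details: EAX = 0xe39c9f0e, EDX = 0x00000044
"""

# Section headers as they appear in the report (assumed set).
SECTION_RE = re.compile(r"^(Key|Process|File|Network|Registry|Other) behavior$")

# Sandbox labels that correspond to anti-analysis style checks (assumed mapping).
ANTI_ANALYSIS = {
    "Check whether it is being debugged": "debugger check",
    "Get TickCount value": "timing check (GetTickCount around Sleep)",
    "Read CPU clock directly": "timing check (RDTSC)",
    "Get cursor position": "user-activity check",
    "Call Sleep function": "delay",
}


def parse_report(text):
    """Return a list of (section, description, [detail lines]) entries.

    A 'details:' line starts the detail list; following non-blank lines that
    are not a new description or section header continue it.
    """
    entries, section, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SECTION_RE.match(line):
            section, current = line, None
            continue
        if line.startswith("Behavior description:"):
            current = (section, line.split(":", 1)[1].strip(), [])
            entries.append(current)
            continue
        if current is None:
            continue  # stray line before the first description
        if line.startswith("details:"):
            line = line.split(":", 1)[1].strip()
        current[2].append(line)
    return entries


def extract_artifacts(entries):
    """Group indicators an analyst would pivot on, keyed by artifact type."""
    art = defaultdict(list)
    for _section, desc, details in entries:
        if desc in ("Create file", "Create executable file", "Overwrite existing file"):
            art["files"].extend(details)
        elif desc in ("Modify registry", "Delete registry value"):
            art["registry"].extend(details)
        elif desc == "Create mutex":
            art["mutexes"].extend(details)
        elif desc == "Resolve host address by name":
            # lines look like 'GetAddrInfoW: a4****et'; keep the (masked) name
            art["dns"].extend(d.split(":", 1)[1].strip() for d in details)
        elif desc.startswith("Create process"):
            for d in details:
                m = re.search(r"CmdLine = (.*)$", d)
                if m:
                    art["child_cmdlines"].append(m.group(1))
    return dict(art)


def anti_analysis_summary(entries):
    """Count flagged evasion-style checks per category and the longest
    sleep (ms) seen in any detail line."""
    counts, max_sleep = defaultdict(int), 0
    for _section, desc, details in entries:
        if desc in ANTI_ANALYSIS:
            counts[ANTI_ANALYSIS[desc]] += len(details)
        for d in details:
            for ms in re.findall(r"milliseconds = (\d+)", d, re.I):
                max_sleep = max(max_sleep, int(ms))
    return dict(counts), max_sleep


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for kind, items in extract_artifacts(parsed).items():
        print(f"{kind}: {len(items)}")
    print(anti_analysis_summary(parsed))
```

The counts from `anti_analysis_summary` are triage input, not a verdict: the labels are the sandbox's heuristics, and GetTickCount, RDTSC and a 60-second Sleep are also how an ordinary network client paces retries, so weigh them against the rest of the report (here, a signed child binary and a user-visible "Psiphon 3" window).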