VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives whose password is 'infected' or 'virus'.


File information
Safety rating: 78
Behavior list
Basic Information
MD5: 7a3df1b6b8e1c7a8c78e549af091b845
File type: EXE
Vendor: BitTorrent Inc.
Version: 3.5.0.43804 / 3.5.0.43804
Packer/compiler information: PACKER: UPX V2.00-V3.00 -> Markus Oberhumer & Laszlo Molnar & John Reiser [Overlay] *
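The packer line above is a signature match on the entry-point stub. The cheap check an analyst runs before deciding whether to unpack is to read the PE section table and look for the UPX0/UPX1 section names, the "UPX!" marker, and any overlay data appended after the last section (the "[Overlay]" flag in the report). The following Python is an added example, not VirSCAN's or BitTorrent's code; `build_fake_pe` constructs a minimal in-memory PE purely so the example runs offline, and it is not the sample from this report.

```python
import struct
import sys

# Section names UPX writes into a packed PE32/PE32+ image.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def build_fake_pe(section_names, overlay=b""):
    """Construct a minimal PE32 image with the given section names.

    Helper for this example only: MZ stub, PE signature, COFF header,
    zeroed optional header, one 40-byte section header per name, 16 bytes
    of raw data per section, then any overlay bytes appended at the end.
    """
    n = len(section_names)
    opt_size = 224  # size of a PE32 optional header
    raw_size = 16
    headers_len = 64 + 4 + 20 + opt_size + 40 * n
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)  # e_lfanew: PE header right after the DOS header
    # COFF: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    table, raw = b"", b""
    for i, name in enumerate(section_names):
        hdr = bytearray(40)
        hdr[0:8] = name.ljust(8, b"\0")[:8]
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        struct.pack_into("<IIII", hdr, 8, raw_size, 0x1000 * (i + 1),
                         raw_size, headers_len + i * raw_size)
        table += bytes(hdr)
        raw += b"\x90" * raw_size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + raw + overlay


def pe_sections(data):
    """Return [(name, PointerToRawData, SizeOfRawData)] from the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 60)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections


def packer_indicators(data):
    """Heuristic UPX/overlay indicators from the section table and raw bytes."""
    sections = pe_sections(data)
    names = [s[0] for s in sections]
    end_of_sections = max((ptr + size for _, ptr, size in sections), default=0)
    upx_hits = [n for n in names if n in UPX_SECTION_NAMES]
    marker = b"UPX!" in data
    return {
        "sections": names,
        "upx_sections": upx_hits,
        "upx_marker": marker,
        # Bytes after the last section's raw data: the report's "[Overlay]".
        "overlay_bytes": max(len(data) - end_of_sections, 0),
        "likely_upx": bool(upx_hits) or marker,
    }


if __name__ == "__main__":
    # Usage: python upx_check.py <file.exe>; with no argument, run on the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], overlay=b"overlay-data")
    for key, value in packer_indicators(blob).items():
        print(f"{key}: {value}")
```

Section names are trivially renamed, so a negative result is inconclusive; the version range ("V2.00-V3.00") in the report comes from a stub signature, which this heuristic does not reproduce.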
Key behavior
Behavior description: Set special folder attributes
details: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
Process behavior
Behavior description: Enumerate processes
details: N/A
File behavior
Behavior description: Create file
details: C:\Users\Administrator\AppData\Local\Temp\utt66E.tmp
C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-*\1f91d2d17ea675d4c2c3192e241743f9_2f8e854c-b3b2-42a4-9df2-1e8ea361c12c
C:\Users\Administrator\AppData\Roaming\uTorrent\settings.dat.new
C:\Users\Administrator\AppData\Local\Temp\HYD3C25.tmp
C:\Users\Administrator\AppData\Local\Temp\HYD3C25.tmp.1495012970\index.hta.log
C:\Users\Administrator\AppData\Local\Temp\HYD3C25.tmp.1495012970\HTA\install.1495012970.zip
C:\Users\Administrator\AppData\Roaming\uTorrent\updates\3.5.0_43804.exe
C:\Users\Administrator\AppData\Roaming\uTorrent\updates.dat
Behavior description: Create executable file
details: C:\Users\Administrator\AppData\Roaming\uTorrent\updates\3.5.0_43804.exe
Behavior description: Overwrite existing file
details: C:\Users\Administrator\AppData\Roaming\uTorrent\updates.dat
Behavior description: Copy file
details: C:\Users\Administrator\AppData\Local\%temp%\b70c.exe ---> C:\Users\Administrator\AppData\Roaming\uTorrent\updates\3.5.0_43804.exe
Behavior description: Delete file
details: C:\Users\Administrator\AppData\Local\Temp\utt66E.tmp
C:\Users\Administrator\AppData\Local\Temp\HYD3C25.tmp
Behavior description: Search for file
details: FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-*\1f91d2d17ea675d4c2c3192e241743f9_*
FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\*
FileName = C:\Users
FileName = C:\Users\Administrator\AppData
FileName = C:\Users\Administrator\AppData\Local
FileName = C:\Users\Administrator\AppData\Local\Temp
FileName = C:\Users\Administrator\AppData\Local\%temp%
FileName = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe
FileName = C:\Windows
FileName = C:\Windows\SYSTEM32
FileName = C:\Windows\SYSTEM32\ntdll.dll
FileName = C:\Windows\system32
FileName = C:\Windows\system32\kernel32.dll
FileName = C:\Windows\system32\USER32.dll
FileName = C:\windows
Behavior description: Rename file
details: C:\Users\Administrator\AppData\Roaming\uTorrent\settings.dat.new ---> C:\Users\Administrator\AppData\Roaming\uTorrent\settings.dat
Behavior description: Set special folder attributes
details: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
Behavior description: Modify file contents
details: C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-*\1f91d2d17ea675d4c2c3192e241743f9_2f8e854c-b3b2-42a4-9df2-1e8ea361c12c ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\uTorrent\settings.dat.new ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\uTorrent\settings.dat.new ---> Offset = 57
C:\Users\Administrator\AppData\Local\Temp\HYD3C25.tmp.1495012970\index.hta.log ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\HYD3C25.tmp.1495012970\HTA\install.1495012970.zip ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\HYD3C25.tmp.1495012970\HTA\install.1495012970.zip ---> Offset = 4096
C:\Users\Administrator\AppData\Local\Temp\HYD3C25.tmp.1495012970\HTA\install.1495012970.zip ---> Offset = 8192
C:\Users\Administrator\AppData\Local\Temp\HYD3C25.tmp.1495012970\HTA\install.1495012970.zip ---> Offset = 12288
C:\Users\Administrator\AppData\Local\Temp\HYD3C25.tmp.1495012970\HTA\install.1495012970.zip ---> Offset = 16384
C:\Users\Administrator\AppData\Roaming\uTorrent\updates\3.5.0_43804.exe ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\uTorrent\updates\3.5.0_43804.exe ---> Offset = 65536
C:\Users\Administrator\AppData\Roaming\uTorrent\updates\3.5.0_43804.exe ---> Offset = 131072
C:\Users\Administrator\AppData\Roaming\uTorrent\updates\3.5.0_43804.exe ---> Offset = 196608
C:\Users\Administrator\AppData\Roaming\uTorrent\updates\3.5.0_43804.exe ---> Offset = 262144
C:\Users\Administrator\AppData\Roaming\uTorrent\updates.dat ---> Offset = 0
Network behavior
Behavior description: Connect to specified site
details: InternetConnectA: ServerName = i-****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
Behavior description: Open HTTP connection
details: InternetOpenA: UserAgent: uTorrent/3500, hSession = 0x00cc0004
Behavior description: Establish a socket connection to a specified host
details: URL: i-****om, IP: **.133.40.**:128, SOCKET = 0x0000044c
URL: do****om, IP: **.133.40.**:128, SOCKET = 0x00000460
URL: i-****om, IP: **.133.40.**:128, SOCKET = 0x00000474
URL: i-****om, IP: **.133.40.**:128, SOCKET = 0x0000048c
URL: i-****om, IP: **.133.40.**:80, SOCKET = 0x00000604
Behavior description: Send HTTP packet
details: POST /e?i=50 HTTP/1.1 Host: i-****om User-Agent: Hydra HttpRequest Connection: close Content-Length: 234 {"eventName":"hydra1","action":"begin","type":"i","cau":"0","pv":"","cc":"0","bkt1":"0","ssb":"13","v":"111258396","cl":"uTorrent","osv":"6.1","l":"zh","pid":"632","h":"aFwtcKBilrtDl6xx","sid":"aFwtcKBilrtDl6xx1495012970","order":"0"}
GET /endpoint/hydra-ut/os/win7/track/stable/browser/ie/os-region/CN/os-lang/zh/os-ver/6.1/enc-ver/111258396/ HTTP/1.1 Host: do****om User-Agent: Hydra HttpRequest Connection: close Content-Length: 0
POST /e?i=50 HTTP/1.1 Host: i-****om User-Agent: Hydra HttpRequest Connection: close Content-Length: 248 {"eventName":"hydra1","action":"packDownloadStarted","type":"i","cau":"0","pv":"","cc":"0","bkt1":"0","ssb":"13","v":"111258396","cl":"uTorrent","osv":"6.1","l":"zh","pid":"632","h":"aFwtcKBilrtDl6xx","sid":"aFwtcKBilrtDl6xx1495012970","order":"1"}
POST /e?i=21 HTTP/1.1 Host: i-****om User-Agent: ut_core BenchHttp (ver:43804) Connection: close Content-Length: 394 {"h":"aFwtcKBilrtDl6xx","cl":"uTorrent","v":111258396,"rev":43804,"l":"zh","cc":0,"pv":"","w":"6.1","cts":1495013005,"eventName":"silent_autoupdate","launched_target":0,"updated":0,"relocated":0,"versions": [{"path":"updates\\3.5.0_43804.exe","version":"111258396","blacklisted":"0","crash_count":"0","opt_out":"0","running":""}], "action":"Initial download", "g_version":111258396, "no_sau":0}
POST /e?i=41 HTTP/1.1 Content-Type: application/octet-stream User-Agent: uTorrent/3500 Host: i-****om Content-Length: 430 Cache-Control: no-cache {"h":"aFwtcKBilrtDl6xx","cl":"uTorrent","v":111258396,"l":"zh","w":"6.1","cts":1495013010,"tsi":1495013010,"eventName":"crash","action":"uTorrent.3.5.00.1.43804","plus":0,"bad_dlls":"","ut":49,"bt":837015,"tid":"NA-3660","ec":"E06D7363","ea":"7595B760","eip":"7595B760","ebx":"02DDBEC4","bs":"00400000","st":"40A401,40A492,40A47A,40A47A,40A47A,40A47A,40A401,40A475,40A528,40A213,455755,455FA7,","os":"6.1.7601.0.0.Service Pack 1"}
Behavior description: Open HTTP request
details: HttpOpenRequestA: i-****om:80/e?i=41, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: POST, Referer: , Flags = 0x04000000
Behavior description: Resolve host address by name
details: GetAddrInfoW: ro****om
gethostbyname: a-PC
GetAddrInfoW: ut****om
GetAddrInfoW: i-****om
GetAddrInfoW: do****om
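The sandbox flattens each captured request (request line, headers and JSON body) onto a single line, which makes the telemetry hard to read and impossible to grep by field. The following Python is an added example, not code from VirSCAN or BitTorrent: it splits those lines back into method, path, headers and parsed body, lists the hosts and User-Agent strings contacted, and decodes the exception code in the "crash" event. The three sample lines are copied from this report (hosts masked as on the page) with bodies shortened, so their Content-Length headers are the sandbox's values, not recomputed. The E06D7363 mapping is a documented Windows fact: it is the Microsoft C++ exception code (the low bytes spell "msc"), i.e. an uncaught C++ throw rather than a memory-corruption fault.

```python
import json
import re

# Constructed sample input: three request lines from the report, bodies trimmed.
SAMPLE_REQUESTS = [
    'POST /e?i=50 HTTP/1.1 Host: i-****om User-Agent: Hydra HttpRequest Connection: close '
    'Content-Length: 234 {"eventName":"hydra1","action":"begin","cl":"uTorrent","osv":"6.1",'
    '"l":"zh","pid":"632","sid":"aFwtcKBilrtDl6xx1495012970","order":"0"}',
    'GET /endpoint/hydra-ut/os/win7/track/stable/browser/ie/os-region/CN/os-lang/zh/os-ver/6.1/'
    'enc-ver/111258396/ HTTP/1.1 Host: do****om User-Agent: Hydra HttpRequest Connection: close '
    'Content-Length: 0',
    'POST /e?i=41 HTTP/1.1 Content-Type: application/octet-stream User-Agent: uTorrent/3500 '
    'Host: i-****om Content-Length: 430 Cache-Control: no-cache {"h":"aFwtcKBilrtDl6xx",'
    '"cl":"uTorrent","eventName":"crash","action":"uTorrent.3.5.00.1.43804","ec":"E06D7363",'
    '"eip":"7595B760","os":"6.1.7601.0.0.Service Pack 1"}',
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]")
# Headers are space-joined; a value runs until the next "Name: " token or end of text.
HEADER = re.compile(r"([A-Za-z-]+): (.*?)(?= [A-Za-z-]+: |$)")

# Windows exception codes worth recognising in crash telemetry.
EXCEPTION_CODES = {
    "E06D7363": "Microsoft C++ exception (uncaught C++ throw)",
    "C0000005": "STATUS_ACCESS_VIOLATION",
    "C0000409": "STATUS_STACK_BUFFER_OVERRUN (fail-fast)",
}


def parse_request(line):
    """Split one flattened sandbox request line into its parts."""
    body_start = line.find("{")
    head = line if body_start < 0 else line[:body_start]
    body = None if body_start < 0 else json.loads(line[body_start:])
    m = REQUEST_LINE.match(head)
    if not m:
        raise ValueError(f"not an HTTP request line: {line[:40]!r}")
    headers = {name.lower(): value.strip()
               for name, value in HEADER.findall(head[m.end():])}
    return {
        "method": m["method"],
        "path": m["path"],
        "host": headers.get("host"),
        "user_agent": headers.get("user-agent"),
        "body": body,
    }


def summarize(lines):
    """One event record per request: host, UA, eventName/action, decoded crash code."""
    events = []
    for line in lines:
        req = parse_request(line)
        body = req["body"] or {}
        event = {
            "host": req["host"],
            "user_agent": req["user_agent"],
            "event": body.get("eventName"),
            "action": body.get("action"),
        }
        if event["event"] == "crash" and "ec" in body:
            code = body["ec"].upper()
            event["exception"] = f"0x{code}: {EXCEPTION_CODES.get(code, 'unknown code')}"
        events.append(event)
    return events


def hosts_and_agents(lines):
    """Sorted unique hosts and User-Agent strings seen across all requests."""
    reqs = [parse_request(line) for line in lines]
    hosts = sorted({r["host"] for r in reqs if r["host"]})
    agents = sorted({r["user_agent"] for r in reqs if r["user_agent"]})
    return hosts, agents


if __name__ == "__main__":
    hosts, agents = hosts_and_agents(SAMPLE_REQUESTS)
    print("hosts:", hosts)
    print("user-agents:", agents)
    for event in summarize(SAMPLE_REQUESTS):
        print(event)
```

Run the same functions over the full "Send HTTP packet" block of a report to get a per-event table; the distinct User-Agent strings (three here: `Hydra HttpRequest`, `ut_core BenchHttp`, `uTorrent/3500`) are the quickest way to see that several components inside one installer are phoning home.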
Registry behavior
Behavior description: Modify registry
details: \REGISTRY\USER\S-*_CLASSES\FalconBetaAccount\remote_access_client_id
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\FileTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\ConsoleTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\MaxFileSize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\FileDirectory
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\FileTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\ConsoleTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\MaxFileSize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\FileDirectory
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Behavior description: Delete registry value
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
Other behavior
Behavior description: Check whether it is being debugged
details: IsDebuggerPresent
Behavior description: Create mutex
details: Local\b70c.exe
Local\µTorrent4823DF041B09
RasPbFile
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Behavior description: Hide specified window
details: [Window,Class] = [,ComboLBox]
[Window,Class] = [Downloading translations...,Static]
[Window,Class] = [,msctls_progress32]
[Window,Class] = [,CtrlNotifySink]
Behavior description: Window information
details: Pid = 632, Hwnd=0x180166, Text = Please choose your language, ClassName = Static.
Pid = 632, Hwnd=0x17016a, Text = Chinese (Simplified), ClassName = ComboBox.
Pid = 632, Hwnd=0x270112, Text = Downloading translations..., ClassName = Static.
Pid = 632, Hwnd=0x802e8, Text = &OK, ClassName = Button.
Pid = 632, Hwnd=0x120298, Text = Cancel, ClassName = Button.
Pid = 632, Hwnd=0x1c01dc, Text = Choose Language, ClassName = #32770.
Behavior description: Adjust process token privileges
details: SE_MANAGE_VOLUME_PRIVILEGE
SE_SHUTDOWN_PRIVILEGE
Behavior description: Open event
details: HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Local\MSCTF.CtfActivated.Default1
Local\MSCTF.AsmCacheReady.Default1
Global\SvcctrlStartEvent_A3752DX
Behavior description: Executable signature information
details: C:\Users\Administrator\AppData\Roaming\uTorrent\updates\3.5.0_43804.exe (signature verification: passed)
Behavior description: Executable MD5
details: C:\Users\Administrator\AppData\Roaming\uTorrent\updates\3.5.0_43804.exe ---> 7a3df1b6b8e1c7a8c78e549af091b845
Behavior description: Open mutex
details: Local\_!MSFTHISTORY!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!
Local\MSCTF.Asm.MutexDefault1
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
Local\!IETld!Mutex