VirSCAN VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, Aplikace VirSCAN může skenovat komprimované soubory s heslem 'infected'nebo'virus'.
4, If your browser cannot upload files, please download VirSCAN uploader to upload.

Language
Server load
Server Load

VirSCAN
VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, Aplikace VirSCAN může skenovat komprimované soubory s heslem 'infected'nebo'virus'.

   File information

Virscan.org multi-engine scan report
Behavior analysis report:         Habo file analysis

Basic Information

MD5:33f64dc678fa08e6f4fb42f796cc63a3
文件大小:5.58MB
上传时间: 2014-09-22 10:36:30 (CST)
Package names:
Minimum operating environment:
copyright:

Key behavior

Behavior description: 设置特殊文件夹属性
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: 直接获取CPU时钟
details: EAX = 0x036b16bb, EDX = 0x00001192
EAX = 0x036b1707, EDX = 0x00001192
EAX = 0x036b1753, EDX = 0x00001192
EAX = 0x036b179f, EDX = 0x00001192
EAX = 0x036b17eb, EDX = 0x00001192
EAX = 0x036b1837, EDX = 0x00001192
EAX = 0x036b1883, EDX = 0x00001192
EAX = 0x036b18cf, EDX = 0x00001192
EAX = 0x061e184b, EDX = 0x00001192
EAX = 0x08a5e7d4, EDX = 0x00001192
Behavior description: 获取窗口截图信息
details: Foreground window Info: HWND = 0x00000000, DC = 0xb001057a.
Foreground window Info: HWND = 0x00000000, DC = 0x6b010511.
Foreground window Info: HWND = 0x00000000, DC = 0xa60101dc.
Foreground window Info: HWND = 0x00000000, DC = 0x3b010677.
Foreground window Info: HWND = 0x00000000, DC = 0x9001058a.
Foreground window Info: HWND = 0x00000000, DC = 0x7001052b.
Foreground window Info: HWND = 0x00000000, DC = 0x7101052b.

Process behavior

Behavior description: 创建进程
details: ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c C:\Windows\System32\setie.bat
ImagePath = C:\WINDOWS\system32\regini.exe, CmdLine = regini.exe c:\regset.ini
Behavior description: 创建本地线程
details: TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 164, ThreadID = 156, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 164, ThreadID = 412, StartAddress = 00578E31, Parameter = 001DC030
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 164, ThreadID = 788, StartAddress = 00408BA6, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 164, ThreadID = 2088, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 1944, ProcessID = 164, ThreadID = 2092, StartAddress = 7C930230, Parameter = 00000000

File behavior

Behavior description: 创建文件
details: C:\WINDOWS\system32\setie.bat
C:\Documents and Settings\Administrator\Local Settings\%temp%\ipseccmd.dll
C:\Documents and Settings\Administrator\Local Settings\%temp%\polstore.dll
C:\Documents and Settings\Administrator\Local Settings\%temp%\winipsec.dll
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6P4O8QNJ\26430000220167882842196[1]
C:\regset.ini
Behavior description: 创建可执行文件
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\ipseccmd.dll
C:\Documents and Settings\Administrator\Local Settings\%temp%\polstore.dll
C:\Documents and Settings\Administrator\Local Settings\%temp%\winipsec.dll
Behavior description: 查找文件
details: FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS\system32\Ras\*.pbk
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\Windows
FileName = C:\Windows\System32
FileName = C:\Windows\System32\setie.bat
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\setie.bat
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\regini.exe
Behavior description: 删除文件
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6P4O8QNJ\26430000220167882842196[1]
Behavior description: 修改BAT脚本文件
details: C:\WINDOWS\system32\setie.bat ---> Offset = 0
Behavior description: 设置特殊文件夹属性
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: 修改文件内容
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\ipseccmd.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\polstore.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\winipsec.dll ---> Offset = 0
C:\regset.ini ---> Offset = 0

Network behavior

Behavior description: 连接指定站点
details: InternetConnectA: ServerName = qq****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
Behavior description: 打开HTTP连接
details: InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1), hSession = 0x00cc0004
Behavior description: 建立到一个指定的套接字连接
details: URL: qq****om, IP: **.133.40.**:80, SOCKET = 0x00000348
URL: qq****om, IP: **.133.40.**:80, SOCKET = 0x0000034c
URL: qq****om, IP: **.133.40.**:80, SOCKET = 0x00000358
Behavior description: 读取网络文件
details: hFile = 0x00cc000c, BytesToRead =1024, BytesRead = 1024.
Behavior description: 发送HTTP包
details: GET /blog/static/26430000220167882842196/# HTTP/1.1 Accept: */* Referer: http://qqbaiduxiake.blog.163.com/blog/static/26430000220167882842196/# Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: qq****om Cache-Control: no-cache
Behavior description: 打开HTTP请求
details: HttpOpenRequestA: qq****om:80/blog/static/26430000220167882842196/#, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x80084010
Behavior description: 按名称获取主机地址
details: GetAddrInfoW: qq****om

Registry behavior

Behavior description: 修改注册表
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Behavior description: 删除注册表键值
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Behavior description: 修改注册表_IE连接设置
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL

Other behavior

Behavior description: 设置对象安全信息
details: CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Behavior description: 创建互斥体
details: RasPbFile
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
Behavior description: 创建事件对象
details: EventName = DINPUTWINMM
EventName = 392160618
EventName = Global\userenv: User Profile setup event
Behavior description: 打开互斥体
details: RasPbFile
ShimCacheMutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
Behavior description: 查找指定窗口
details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behavior description: 窗口信息
details: Pid = 164, Hwnd=0x1f02fe, Text = ⑺賤.exe, ClassName = Edit.
Pid = 164, Hwnd=0x503b2, Text = 正在为您查找,努力加载中, ClassName = _EL_Label.
Pid = 164, Hwnd=0x40394, Text = 关注官方,每日更新下载最新版, ClassName = _EL_Label.
Pid = 164, Hwnd=0x6037e, Text = 941网站:wWw.941Pojie.coM, ClassName = _EL_Label.
Pid = 164, Hwnd=0x403ca, Text = ↓每日更新三个漏洞服提供大家娱乐↓, ClassName = _EL_Label.
Pid = 164, Hwnd=0xf034a, Text = 点击加群与兄弟并肩作战:, ClassName = _EL_Label.
Pid = 164, Hwnd=0x100320, Text = ⑺賤{坡繲方式壹}, ClassName = Button.
Pid = 164, Hwnd=0x2102bc, Text = 网吧家庭,被劫持(打不开941网站的)点我进备用站, ClassName = Button.
Pid = 164, Hwnd=0xb03ba, Text = 123456, ClassName = Edit.
Pid = 164, Hwnd=0xc038a, Text = 123456, ClassName = Edit.
Behavior description: 打开事件
details: HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
\INSTALLATION_SECURITY_HOLD
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000052
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000052
MSCTF.SendReceive.Event.ELH.IC
MSCTF.SendReceiveConection.Event.ELH.IC
Behavior description: 获取窗口截图信息
details: Foreground window Info: HWND = 0x00000000, DC = 0xb001057a.
Foreground window Info: HWND = 0x00000000, DC = 0x6b010511.
Foreground window Info: HWND = 0x00000000, DC = 0xa60101dc.
Foreground window Info: HWND = 0x00000000, DC = 0x3b010677.
Foreground window Info: HWND = 0x00000000, DC = 0x9001058a.
Foreground window Info: HWND = 0x00000000, DC = 0x7001052b.
Foreground window Info: HWND = 0x00000000, DC = 0x7101052b.
Behavior description: 可执行文件签名信息
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\ipseccmd.dll(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\%temp%\polstore.dll(签名验证: 通过)
C:\Documents and Settings\Administrator\Local Settings\%temp%\winipsec.dll(签名验证: 未通过)
Behavior description: 隐藏指定窗口
details: [Window,Class] = [,tooltips_class32]
Behavior description: 可执行文件MD5
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\ipseccmd.dll ---> 11e5a276a93c4604c175ca3ebce6d77a
C:\Documents and Settings\Administrator\Local Settings\%temp%\polstore.dll ---> 4e50a8a52dc5aac3c9d3e70d792e9e0c
C:\Documents and Settings\Administrator\Local Settings\%temp%\winipsec.dll ---> 24b0db7e532076d5fc17c56cc50140b4
Behavior description: 直接获取CPU时钟
details: EAX = 0x036b16bb, EDX = 0x00001192
EAX = 0x036b1707, EDX = 0x00001192
EAX = 0x036b1753, EDX = 0x00001192
EAX = 0x036b179f, EDX = 0x00001192
EAX = 0x036b17eb, EDX = 0x00001192
EAX = 0x036b1837, EDX = 0x00001192
EAX = 0x036b1883, EDX = 0x00001192
EAX = 0x036b18cf, EDX = 0x00001192
EAX = 0x061e184b, EDX = 0x00001192
EAX = 0x08a5e7d4, EDX = 0x00001192