VirSCAN

1, You can upload any file, but there is a 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but the archive must contain fewer than 20 files.
3, VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.
4, If your browser cannot upload files, please download the VirSCAN uploader to upload.

File information

Virscan.org multi-engine scan report
Behavior analysis report: Habo file analysis

Basic Information

MD5:3fc8577cf2f066a687beb6d434869c78
File size: 5.58MB
Upload time: 2014-09-22 10:36:30 (CST)
Package names:
Minimum operating environment:
copyright:

Key behavior

Behavior description: Loads a driver (regular load)
details: \??\C:\WINDOWS\system32\drivers\DMRedirect.sys
Behavior description: Gets the TickCount value
details: TickCount = 498765, SleepMilliseconds = 10000.
TickCount = 498843, SleepMilliseconds = 10000.
TickCount = 549062, SleepMilliseconds = 60000.
TickCount = 549078, SleepMilliseconds = 60000.
TickCount = 499078, SleepMilliseconds = 10000.
TickCount = 499093, SleepMilliseconds = 10000.
TickCount = 489656, SleepMilliseconds = 500.
TickCount = 489671, SleepMilliseconds = 500.
TickCount = 489175, SleepMilliseconds = 4.
TickCount = 489191, SleepMilliseconds = 4.
TickCount = 489207, SleepMilliseconds = 5000.
TickCount = 494203, SleepMilliseconds = 5000.
TickCount = 1089359, SleepMilliseconds = 600000.
TickCount = 1089281, SleepMilliseconds = 600000.
TickCount = 1089375, SleepMilliseconds = 600000.
Behavior description: Creates a system service
details: [Service created successfully]: DMRedirect, C:\WINDOWS\system32\drivers\DMRedirect.sys
Behavior description: Gets window screenshot information
details: Foreground window Info: HWND = 0x00000000, DC = 0x110103ed.

Process behavior

Behavior description: Creates a local thread
details: TargetProcess: ADSafe.exe, InheritedFromPID = 1944, ProcessID = 2884, ThreadID = 2900, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: ADSafe.exe, InheritedFromPID = 1944, ProcessID = 2884, ThreadID = 2984, StartAddress = 10032BD0, Parameter = 1013C378
TargetProcess: ADSafe.exe, InheritedFromPID = 1944, ProcessID = 2884, ThreadID = 2992, StartAddress = 0143C230, Parameter = 001D1300
TargetProcess: ADSafe.exe, InheritedFromPID = 1944, ProcessID = 2884, ThreadID = 3000, StartAddress = 0143C230, Parameter = 001D13C0
TargetProcess: ADSafe.exe, InheritedFromPID = 1944, ProcessID = 2884, ThreadID = 3016, StartAddress = 10030670, Parameter = 00000000
TargetProcess: ADSafe.exe, InheritedFromPID = 1944, ProcessID = 2884, ThreadID = 3020, StartAddress = 013382EC, Parameter = 001D7288
TargetProcess: ADSafe.exe, InheritedFromPID = 1944, ProcessID = 2884, ThreadID = 3032, StartAddress = 013BBD70, Parameter = 001DECE0
TargetProcess: ADSafe.exe, InheritedFromPID = 1944, ProcessID = 2884, ThreadID = 3036, StartAddress = 013B5450, Parameter = 00000000
TargetProcess: ADSafe.exe, InheritedFromPID = 1944, ProcessID = 2884, ThreadID = 3040, StartAddress = 10039DA0, Parameter = 001C9008
TargetProcess: ADSafe.exe, InheritedFromPID = 1944, ProcessID = 2884, ThreadID = 3052, StartAddress = 100EE03C, Parameter = 00206008
TargetProcess: ADSafe.exe, InheritedFromPID = 1944, ProcessID = 2884, ThreadID = 3056, StartAddress = 10039DA0, Parameter = 001C9208
TargetProcess: ADSafe.exe, InheritedFromPID = 1944, ProcessID = 2884, ThreadID = 3060, StartAddress = 1003ACB0, Parameter = 00000000
TargetProcess: ADSafe.exe, InheritedFromPID = 1944, ProcessID = 2884, ThreadID = 3064, StartAddress = 100EE03C, Parameter = 00214758
TargetProcess: ADSafe.exe, InheritedFromPID = 1944, ProcessID = 2884, ThreadID = 3068, StartAddress = 014BECA0, Parameter = 001C92B0
TargetProcess: ADSafe.exe, InheritedFromPID = 1944, ProcessID = 2884, ThreadID = 3072, StartAddress = 4AEA7456, Parameter = 00000000
Behavior description: Enumerates processes
details: N/A

File behavior

Behavior description: Creates files
details: C:\WINDOWS\system32\drivers\DMRedirect.sys
C:\WINDOWS\system32\drivers\DMProtectEx.sys
C:\Documents and Settings\Administrator\Application Data\ADSafe3\ubd.dat
C:\Documents and Settings\Administrator\Application Data\ADSafe3\ErrorLog.txt
C:\Documents and Settings\Administrator\Application Data\ADSafe3\config.dat
Behavior description: Creates an executable file
details: C:\WINDOWS\system32\drivers\DMProtectEx.sys
Behavior description: Overwrites existing files
details: C:\Documents and Settings\Administrator\Application Data\ADSafe3\ErrorLog.txt
C:\Documents and Settings\Administrator\Application Data\ADSafe3\config.dat
Behavior description: Searches for files
details: FileName = C:\WINDOWS\system32\drivers\DMRedirect64.sys
FileName = C:\WINDOWS\system32\drivers\DMRedirect.sys.old
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\1461920022.252438.exe_7zdump\ADSafe Lite\driver\Win32\WinXP\DMRedirect.sys
FileName = C:\WINDOWS\system32\drivers\DMRedirect.sys
FileName = driver\DMProtectEx.sys
FileName = DMProtectEx.sys
FileName = C:\WINDOWS\system32\drivers\DMProtectEx.sys
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\1461920022.253637.exe_7zdump\ADSafe Lite\Crash\*.*
FileName = C:\Documents and Settings\Administrator\Application Data\ADSafe3\CdnJsonconfig.dat
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\1461920022.254261.exe_7zdump\ADSafe Lite\res\whiteproc.dat
FileName = C:\Documents and Settings\Administrator\Application Data\ADSafe3\subscribe1\2001
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\1461920022.254891.exe_7zdump\ADSafe Lite\res\blkproc.dat
Behavior description: Copies files
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\1461920022.229220.exe_7zdump\ADSafe Lite\driver\Win32\WinXP\DMRedirect.sys ---> C:\WINDOWS\system32\drivers\DMRedirect.sys
DMProtectEx.sys ---> C:\WINDOWS\system32\drivers\DMProtectEx.sys
Behavior description: Modifies file contents
details: C:\WINDOWS\system32\drivers\DMRedirect.sys ---> Offset = 0
C:\WINDOWS\system32\drivers\DMRedirect.sys ---> Offset = 65536
C:\WINDOWS\system32\drivers\DMProtectEx.sys ---> Offset = 0
C:\WINDOWS\system32\drivers\DMProtectEx.sys ---> Offset = 65536
C:\WINDOWS\system32\drivers\DMProtectEx.sys ---> Offset = 131072
C:\WINDOWS\system32\drivers\DMProtectEx.sys ---> Offset = 196608
C:\WINDOWS\system32\drivers\DMRedirect.sys ---> Offset = 4096
C:\WINDOWS\system32\drivers\DMRedirect.sys ---> Offset = 69632
C:\Documents and Settings\Administrator\Application Data\ADSafe3\ErrorLog.txt ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\ADSafe3\config.dat ---> Offset = 0

Network behavior

Behavior description: Establishes a connection to a specified socket
details: URL: pc**********om, IP: <FAKE_SERVER_IP>:128, SOCKET = 0x000005ac
URL: pc**********om, IP: <FAKE_SERVER_IP>:128, SOCKET = 0x00000588
URL: pc**********om, IP: <FAKE_SERVER_IP>:128, SOCKET = 0x00000558
URL: pc**********om, IP: <FAKE_SERVER_IP>:128, SOCKET = 0x0000055c
URL: pc**********om, IP: <FAKE_SERVER_IP>:128, SOCKET = 0x0000054c
Behavior description: Resolves a host address by name
details: GetAddrInfoW: pc**********om

Other behavior

Behavior description: Creates mutexes
details: Private_2884_MUTEX_YssShare
Global\ADSafe{23D0387D-2353-4DA0-B3F2-BA7F67359928}Administrator
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.IEL
Behavior description: Creates event objects
details: EventName = DINPUTWINMM
EventName = MSCTF.SendReceive.Event.IEL.IC
EventName = MSCTF.SendReceiveConection.Event.IEL.IC
Behavior description: Loads a driver (regular load)
details: \??\C:\WINDOWS\system32\drivers\DMRedirect.sys
Behavior description: Searches for a specified window
details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Starts a system service
details: [Service started successfully]: , DMRedirect, \??\C:\WINDOWS\system32\drivers\DMRedirect.sys
Behavior description: Gets the TickCount value
details: TickCount = 498765, SleepMilliseconds = 10000.
TickCount = 498843, SleepMilliseconds = 10000.
TickCount = 549062, SleepMilliseconds = 60000.
TickCount = 549078, SleepMilliseconds = 60000.
TickCount = 499078, SleepMilliseconds = 10000.
TickCount = 499093, SleepMilliseconds = 10000.
TickCount = 489656, SleepMilliseconds = 500.
TickCount = 489671, SleepMilliseconds = 500.
TickCount = 489175, SleepMilliseconds = 4.
TickCount = 489191, SleepMilliseconds = 4.
TickCount = 489207, SleepMilliseconds = 5000.
TickCount = 494203, SleepMilliseconds = 5000.
TickCount = 1089359, SleepMilliseconds = 600000.
TickCount = 1089281, SleepMilliseconds = 600000.
TickCount = 1089375, SleepMilliseconds = 600000.
Behavior description: Window information
details: Pid = 2884, Hwnd=0x202a4, Text = CMsgBox, ClassName = DlgMsgBox.
Behavior description: Gets window screenshot information
details: Foreground window Info: HWND = 0x00000000, DC = 0x110103ed.
Behavior description: Executable file signature information
details: C:\WINDOWS\system32\drivers\DMProtectEx.sys (signature verification: passed)
Behavior description: Calls the Sleep function
details: [1]: MilliSeconds = 10000.
[2]: MilliSeconds = 60000.
[3]: MilliSeconds = 10000.
[4]: MilliSeconds = 500.
[5]: MilliSeconds = 5000.
[6]: MilliSeconds = 600000.
[7]: MilliSeconds = 60000.
[8]: MilliSeconds = 10000.
[9]: MilliSeconds = 500.
[10]: MilliSeconds = 5000.
Behavior description: Executable file MD5
details: C:\WINDOWS\system32\drivers\DMProtectEx.sys ---> fc70b48b5862bf35d4bcd503b09d8334
Behavior description: Creates a system service
details: [Service created successfully]: DMRedirect, C:\WINDOWS\system32\drivers\DMRedirect.sys
Behavior description: Loads newly dropped files
details: Image: C:\Documents and Settings\Administrator\Local Settings\%temp%\1461920022.237064.exe_7zdump\ADSafe Lite\DuiLib.dll.
Image: C:\Documents and Settings\Administrator\Local Settings\%temp%\1461920022.237417.exe_7zdump\ADSafe Lite\AdsCDN.dll.
Image: C:\Documents and Settings\Administrator\Local Settings\%temp%\1461920022.237764.exe_7zdump\ADSafe Lite\CrashHandler.dll.
Image: C:\Documents and Settings\Administrator\Local Settings\%temp%\1461920022.238116.exe_7zdump\ADSafe Lite\AdsMisc.dll.
Image: C:\Documents and Settings\Administrator\Local Settings\%temp%\1461920022.238463.exe_7zdump\ADSafe Lite\AdsWndFilter.dll.
Image: C:\Documents and Settings\Administrator\Local Settings\%temp%\1461920022.238817.exe_7zdump\ADSafe Lite\AdsMain.dll.
Image: C:\Documents and Settings\Administrator\Local Settings\%temp%\1461920022.239163.exe_7zdump\ADSafe Lite\adsAction.dll.