VirSCAN

1, You can UPLOAD any files, but there is a 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.


File information

Basic Information

MD5: 436c338ea3f07bac40f8e0dde9e2bf1c
File type: EXE
Vendor:
Version:
Packer or compiler information: COMPILER:Microsoft Visual C++ 6.0 [Overlay]
Subfile information: molebox_a_1b2f1bbfdumpFile / 87410b184d47ece64dfb8589ac6bf4b4 / EXE

Key behavior

Behavior description: Reads the CPU clock directly
details: EAX = 0x99bbcf20, EDX = 0x000000b6
Behavior description: Gets TickCount value
details: TickCount = 218315, SleepMilliseconds = 50.
TickCount = 218956, SleepMilliseconds = 50.
TickCount = 218971, SleepMilliseconds = 50.
TickCount = 218987, SleepMilliseconds = 50.
TickCount = 219003, SleepMilliseconds = 50.
TickCount = 219018, SleepMilliseconds = 50.
TickCount = 219081, SleepMilliseconds = 50.
TickCount = 219534, SleepMilliseconds = 50.
TickCount = 219721, SleepMilliseconds = 50.
TickCount = 219737, SleepMilliseconds = 50.
TickCount = 219753, SleepMilliseconds = 50.
TickCount = 219784, SleepMilliseconds = 50.
TickCount = 219800, SleepMilliseconds = 50.
TickCount = 219815, SleepMilliseconds = 50.
TickCount = 219893, SleepMilliseconds = 50.
Behavior description: Blocks window close message
details: hWnd = 0x00010340, Text = 996e, ClassName = TApplication.
Behavior description: Gets window screenshot information
details: Foreground window Info: HWND = 0x000203fe, DC = 0x01010057.
Foreground window Info: HWND = 0x000203fe, DC = 0x0c0101e7.
Foreground window Info: HWND = 0x00040374, DC = 0x01010055.
Foreground window Info: HWND = 0x000203e2, DC = 0x01010057.
Behavior description: Queries registry (virtual machine detection related)
details: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Behavior description: Detects virtual machine via VMware special instruction
details: N/A

File behavior

Behavior description: Creates file
details: C:\china-drm\pdfreadersts.ini
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\SharedDataEvents-journal
Behavior description: Overwrites existing file
details: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\AdobeSysFnt09.lst
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\UserCache.bin
Behavior description: Deletes file
details: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\SharedDataEvents-journal
Behavior description: Modifies file contents
details: C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\SharedDataEvents-journal ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\SharedDataEvents-journal ---> Offset = 1023
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\SharedDataEvents-journal ---> Offset = 1024
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\SharedDataEvents-journal ---> Offset = 1028
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\SharedDataEvents-journal ---> Offset = 2052
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\SharedDataEvents ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\SharedDataEvents ---> Offset = 1024
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\AdobeSysFnt09.lst ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\UserCache.bin ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\UserCache.bin ---> Offset = 4096
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\UserCache.bin ---> Offset = 8192
C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\UserCache.bin ---> Offset = 12288
Behavior description: Searches for file
details: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\%temp%\*.*
FileName = C:\WINDOWS
FileName = C:\WINDOWS\WinSxS
FileName = C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
FileName = C:\Documents and Settings\Administrator\Application Data
FileName = C:\Documents and Settings\Administrator\Application Data\Adobe
FileName = C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat
FileName = C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0
FileName = C:\Documents and Settings\Administrator\Local Settings\Application Data

Registry behavior

Behavior description: Modifies registry
details: \REGISTRY\USER\S-*\Software\Adobe\Acrobat Reader\9.0\AVGeneral\bLastExitNormal
Behavior description: Deletes registry key
details: \REGISTRY\MACHINE\SYSTEM\Acrobatviewercpp304\
Behavior description: Queries registry (virtual machine detection related)
details: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Behavior description: Deletes registry value
details: \REGISTRY\USER\S-*\Software\Adobe\Acrobat Reader\9.0\AdobeViewer\MaxDoc
\REGISTRY\USER\S-*\Software\Adobe\Acrobat Reader\9.0\AdobeViewer\MaxApp
\REGISTRY\USER\S-*\Software\Adobe\Acrobat Reader\9.0\AdobeViewer\PrintToFile

Other behavior

Behavior description: Gets cursor position
details: CursorPos = (80,18468), SleepMilliseconds = 50.
CursorPos = (6373,26501), SleepMilliseconds = 50.
CursorPos = (19208,15725), SleepMilliseconds = 50.
CursorPos = (11517,29359), SleepMilliseconds = 50.
CursorPos = (27001,24465), SleepMilliseconds = 50.
CursorPos = (5744,28146), SleepMilliseconds = 50.
CursorPos = (23320,16828), SleepMilliseconds = 50.
CursorPos = (10000,492), SleepMilliseconds = 50.
CursorPos = (3034,11943), SleepMilliseconds = 50.
CursorPos = (4866,5437), SleepMilliseconds = 50.
CursorPos = (32430,14605), SleepMilliseconds = 50.
CursorPos = (3941,154), SleepMilliseconds = 50.
CursorPos = (331,12383), SleepMilliseconds = 50.
CursorPos = (17460,18717), SleepMilliseconds = 50.
CursorPos = (19757,19896), SleepMilliseconds = 50.
Behavior description: Creates mutex
details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
2AC1A572DB6944B0A65C38C4140AF2F4a880655310C
Acrobat Instance Mutex
Global\AcrobatViewerIsRunning
MSCTF.Shared.MUTEX.IOH
MSCTF.Shared.MUTEX.MIK
Behavior description: Creates event object
details: EventName = DINPUTWINMM
EventName = MSCTF.SendReceive.Event.MIK.IC
EventName = MSCTF.SendReceiveConection.Event.MIK.IC
Behavior description: Window information
details: Pid = 2696, Hwnd=0x30376, Text = OK, ClassName = TButton.
Pid = 2696, Hwnd=0x203fe, Text = 996e, ClassName = TMessageForm.
Behavior description: Opens mutex
details: ShimCacheMutex
Behavior description: Finds specified window
details: NtUserFindWindowEx: [Class,Window] = [STATIC,acroT_win_2696]
NtUserFindWindowEx: [Class,Window] = [AdobeAcrobatSpeedLaunchCmdWnd,]
NtUserFindWindowEx: [Class,Window] = [AdobeReaderSpeedLaunchCmdWnd,]
NtUserFindWindowEx: [Class,Window] = [Acrobat Instance Window Class,Acrobat Instance Window]
NtUserFindWindowEx: [Class,Window] = [JFWUI2,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [AcrobatTimerWnd,]
NtUserFindWindowEx: [Class,Window] = [Acrobat IEHelper Object,]
NtUserFindWindowEx: [Class,Window] = [AcrobatSDIWindow,]
NtUserFindWindowEx: [Class,Window] = [MS_WINHELP,]
Behavior description: Opens event
details: HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Behavior description: Gets TickCount value
details: TickCount = 218315, SleepMilliseconds = 50.
TickCount = 218956, SleepMilliseconds = 50.
TickCount = 218971, SleepMilliseconds = 50.
TickCount = 218987, SleepMilliseconds = 50.
TickCount = 219003, SleepMilliseconds = 50.
TickCount = 219018, SleepMilliseconds = 50.
TickCount = 219081, SleepMilliseconds = 50.
TickCount = 219534, SleepMilliseconds = 50.
TickCount = 219721, SleepMilliseconds = 50.
TickCount = 219737, SleepMilliseconds = 50.
TickCount = 219753, SleepMilliseconds = 50.
TickCount = 219784, SleepMilliseconds = 50.
TickCount = 219800, SleepMilliseconds = 50.
TickCount = 219815, SleepMilliseconds = 50.
TickCount = 219893, SleepMilliseconds = 50.
Behavior description: Adjusts process token privileges
details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Blocks window close message
details: hWnd = 0x00010340, Text = 996e, ClassName = TApplication.
Behavior description: Enumerates windows
details: N/A
Behavior description: Gets window screenshot information
details: Foreground window Info: HWND = 0x000203fe, DC = 0x01010057.
Foreground window Info: HWND = 0x000203fe, DC = 0x0c0101e7.
Foreground window Info: HWND = 0x00040374, DC = 0x01010055.
Foreground window Info: HWND = 0x000203e2, DC = 0x01010057.
Behavior description: Directly accesses physical device
details: \??\PhysicalDrive0
Behavior description: Calls Sleep function
details: [1]: MilliSeconds = 50.
[2]: MilliSeconds = 50.
[3]: MilliSeconds = 50.
[4]: MilliSeconds = 250.
[5]: MilliSeconds = 50.
[6]: MilliSeconds = 50.
[7]: MilliSeconds = 50.
[8]: MilliSeconds = 50.
[9]: MilliSeconds = 50.
[10]: MilliSeconds = 50.
Behavior description: Hides specified window
details: [Window,Class] = [,Edit]
[Window,Class] = [,TWScrollbar]
[Window,Class] = [文档浏览,TForm1]
[Window,Class] = [Adobe Reader,AcrobatSDIWindow]
[Window,Class] = [AVToolBarHostView,AVL_AVView]
Behavior description: Reads the CPU clock directly
details: EAX = 0x99bbcf20, EDX = 0x000000b6
Behavior description: Detects virtual machine via VMware special instruction
details: N/A

Run screenshot