VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives whose password is 'infected' or 'virus'.


File information

Basic Information

MD5: 446583de4df72455eb6cac2792916d69
file type: EXE
Production company:
version: 0.0.0.0
Shell or compiler information: COMPILER:Microsoft Visual Studio .NET 2005 -- 2008 -> Microsoft Corporation * (The 'AutoIt Error' dialog and the hidden 'AutoIt v3' window recorded under Other behavior show this is an AutoIt-compiled script; the compiler match describes the AutoIt runtime stub, not the script it carries.)

Key behavior

Behavior description: Checks whether it is being debugged
details: N/A
Behavior description: Creates a desktop shortcut
details: C:\Documents and Settings\Administrator\桌面\淘宝特卖.lnk
Behavior description: Gets TickCount value
details: TickCount = 5416765, SleepMilliseconds = 60000.
TickCount = 5416781, SleepMilliseconds = 60000.
TickCount = 5416843, SleepMilliseconds = 60000.
TickCount = 5416859, SleepMilliseconds = 60000.
TickCount = 5416875, SleepMilliseconds = 60000.
TickCount = 5416890, SleepMilliseconds = 60000.
TickCount = 5416906, SleepMilliseconds = 60000.
TickCount = 5417000, SleepMilliseconds = 60000.
TickCount = 5417078, SleepMilliseconds = 60000.
TickCount = 5417125, SleepMilliseconds = 60000.
TickCount = 5417218, SleepMilliseconds = 60000.
TickCount = 5417328, SleepMilliseconds = 60000.
TickCount = 5417375, SleepMilliseconds = 60000.
TickCount = 5417390, SleepMilliseconds = 60000.
TickCount = 5417421, SleepMilliseconds = 60000.

File behavior

Behavior description: Creates files
details: C:\Documents and Settings\Administrator\Local Settings\Temp\aut4C.tmp
C:\Documents and Settings\Administrator\Local Settings\%temp%\7-zip32.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\aut4D.tmp
C:\Documents and Settings\Administrator\Local Settings\%temp%\exit.cmd
C:\SysBoot\mainrun
C:\SysBoot\fwrun
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\淘宝特卖.lnk
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk
Behavior description: Creates an executable file
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\7-zip32.dll
Behavior description: Overwrites existing files
details: C:\Documents and Settings\Administrator\Local Settings\Temp\aut4C.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\aut4D.tmp
Behavior description: Copies a file
details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aut4D.tmp ---> C:\Documents and Settings\Administrator\Local Settings\%temp%\exit.cmd
Behavior description: Creates a desktop shortcut
details: C:\Documents and Settings\Administrator\桌面\淘宝特卖.lnk
Behavior description: Deletes files
details: C:\Documents and Settings\Administrator\Local Settings\Temp\aut4C.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\aut4D.tmp
C:\Documents and Settings\Administrator\「开始」菜单\desktop.ini
C:\Documents and Settings\Administrator\「开始」菜单\程序\desktop.ini
C:\Documents and Settings\Administrator\「开始」菜单\程序\Internet Explorer.lnk
C:\Documents and Settings\Administrator\「开始」菜单\程序\Outlook Express.lnk
C:\Documents and Settings\Administrator\「开始」菜单\程序\Windows Media Player.lnk
C:\Documents and Settings\All Users\「开始」菜单\desktop.ini
C:\Documents and Settings\All Users\「开始」菜单\Microsoft Update.lnk
C:\Documents and Settings\All Users\「开始」菜单\搜狗高速浏览器.lnk
C:\Documents and Settings\All Users\「开始」菜单\程序\Adobe Reader 9.lnk
C:\Documents and Settings\All Users\「开始」菜单\程序\desktop.ini
C:\Documents and Settings\All Users\「开始」菜单\程序\招行专业版.lnk
C:\Documents and Settings\All Users\「开始」菜单\设定程序访问和默认值.lnk
C:\Documents and Settings\All Users\「开始」菜单\程序\ActiveState ActivePython 2.7 (32-bit)\IDLE (Python GUI).lnk
Behavior description: Searches for files
details: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\7-zip32.dll
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\exit.cmd
FileName = C:\SysBoot\mainrun
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\cmd.exe
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents.*
FileName = C:\Documents
FileName = C:\Documents and Settings\All Users\桌面\*
Behavior description: Modifies file contents
details: C:\Documents and Settings\Administrator\Local Settings\Temp\aut4C.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\aut4C.tmp ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\aut4C.tmp ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\aut4C.tmp ---> Offset = 196608
C:\Documents and Settings\Administrator\Local Settings\Temp\aut4C.tmp ---> Offset = 262144
C:\Documents and Settings\Administrator\Local Settings\%temp%\7-zip32.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\7-zip32.dll ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\%temp%\7-zip32.dll ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\%temp%\7-zip32.dll ---> Offset = 196608
C:\Documents and Settings\Administrator\Local Settings\%temp%\7-zip32.dll ---> Offset = 262144
C:\Documents and Settings\Administrator\Local Settings\Temp\aut4D.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\exit.cmd ---> Offset = 0
C:\Documents and Settings\Administrator\桌面\淘宝特卖.lnk ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\淘宝特卖.lnk ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk ---> Offset = 0

Network behavior

Behavior description: Connects to a specified site
details: WinHttpConnect: ServerName = ww****om, PORT = 80, UserName = , Password = , hSession = 0x03083100, hConnect = 0x03083200, Flags = 0x00000000
Behavior description: Opens an HTTP session
details: WinHttpOpen: UserAgent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), hSession = 0x03083100
Behavior description: Establishes a socket connection to a specified host
details: URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x000004c0
Behavior description: Sends an HTTP request (install telemetry POST; the sandbox printed it on one line, reflowed here)
details: POST /stat/stat_count.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 89
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ww****om
Connection: Keep-Alive
exeType=peInstaller&version=professional_6.2.2&mac=0&source=kqidong&excuteType=installWim
Behavior description: Opens an HTTP request
details: WinHttpOpenRequest: ww****om:80/stat/stat_count.php, hConnect = 0x03083200, hRequest = 0x03110000, Verb: POST, Referer: , Flags = 0x00000080
Behavior description: Resolves a host address by name
details: gethostbyname: localhost
GetAddrInfoW: ww****om
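The POST above is the one network indicator in the report, so it is worth seeing how to pull it apart. The following is an added example, not VirSCAN's code or anything from the installer's author: it reconstructs the request the sandbox flattened onto one line (CRLF separators reinserted, the masked host `ww****om` kept exactly as the report shows it), parses the headers and the form body, and reduces the result to the parts a detection would key on. The `Content-Length: 89` header is checked against the body actually present, which is a useful sanity test on any request recovered from a sandbox log.

```python
from urllib.parse import parse_qs

# Constructed for this example from the request the sandbox printed on one
# line: CRLF separators are reinserted; the masked hostname "ww****om" is
# kept exactly as the report shows it and is not a real host.
CAPTURED_REQUEST = (
    b"POST /stat/stat_count.php HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 89\r\n"
    b"Accept: */*\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\n"
    b"Host: ww****om\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
    b"exeType=peInstaller&version=professional_6.2.2&mac=0"
    b"&source=kqidong&excuteType=installWim"
)


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into request line, headers and form body.

    Only the first Content-Length bytes are decoded as form data; the actual
    body length is reported alongside the declared one so a truncated or
    padded capture is visible instead of being silently merged into the form.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get("content-length", "0"))
    form = {}
    if headers.get("content-type", "").lower().startswith(
        "application/x-www-form-urlencoded"
    ):
        decoded = body[:declared].decode("utf-8", "replace")
        # parse_qs returns a list per key; this beacon sends each key once
        form = {k: v[0] for k, v in parse_qs(decoded, keep_blank_values=True).items()}
    return {
        "method": method,
        "path": target,
        "version": version,
        "headers": headers,
        "declared_length": declared,
        "actual_length": len(body),
        "form": form,
    }


def beacon_fingerprint(req: dict) -> dict:
    """Reduce a parsed request to the parts a detection would key on.

    Form values (version string, source tag) change between builds and
    distribution channels; the URI, the WinHttpRequest.5 User-Agent and the
    fixed set of form keys are the stable parts.
    """
    return {
        "method": req["method"],
        "path": req["path"],
        "user_agent": req["headers"].get("user-agent", ""),
        "form_keys": tuple(sorted(req["form"])),
        "length_consistent": req["declared_length"] == req["actual_length"],
    }


if __name__ == "__main__":
    parsed = parse_http_request(CAPTURED_REQUEST)
    for key, value in parsed["form"].items():
        print(f"{key:12s} = {value}")
    print(beacon_fingerprint(parsed))
```

Keying a signature on the URI, the User-Agent and the sorted form keys rather than on `version=professional_6.2.2` keeps it matching across builds of the same installer family.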

Other behavior

Behavior description: Checks whether it is being debugged
details: N/A
Behavior description: Creates mutexes
details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.MIG
Behavior description: Creates event objects
details: EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = ShellCopyEngineRunning
EventName = Global\crypt32LogoffEvent
EventName = ShellCopyEngineFinished
EventName = MSCTF.SendReceive.Event.MIG.IC
EventName = MSCTF.SendReceiveConection.Event.MIG.IC
Behavior description: Searches for a specified window
details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Window information
details: Pid = 576, Hwnd=0x1b02fe, Text = 确定, ClassName = Button.
Pid = 576, Hwnd=0x503b0, Text = Line 8926 (File "C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe"): Error: Variable used without b, ClassName = Static.
Pid = 576, Hwnd=0xf0338, Text = AutoIt Error, ClassName = #32770.
Behavior description: Gets TickCount value
details: TickCount = 5416765, SleepMilliseconds = 60000.
TickCount = 5416781, SleepMilliseconds = 60000.
TickCount = 5416843, SleepMilliseconds = 60000.
TickCount = 5416859, SleepMilliseconds = 60000.
TickCount = 5416875, SleepMilliseconds = 60000.
TickCount = 5416890, SleepMilliseconds = 60000.
TickCount = 5416906, SleepMilliseconds = 60000.
TickCount = 5417000, SleepMilliseconds = 60000.
TickCount = 5417078, SleepMilliseconds = 60000.
TickCount = 5417125, SleepMilliseconds = 60000.
TickCount = 5417218, SleepMilliseconds = 60000.
TickCount = 5417328, SleepMilliseconds = 60000.
TickCount = 5417375, SleepMilliseconds = 60000.
TickCount = 5417390, SleepMilliseconds = 60000.
TickCount = 5417421, SleepMilliseconds = 60000.
Behavior description: Adjusts process token privileges
details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Opens events
details: HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
_fCanRegisterWithShellService
Global\crypt32LogoffEvent
MSFT.VSA.COM.DISABLE.576
MSFT.VSA.IEC.STATUS.6c736db0
CTF.ThreadMIConnectionEvent.000007B4.00000000.0000003F
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.0000003F
MSCTF.SendReceiveConection.Event.ELH.IC
MSCTF.SendReceive.Event.ELH.IC
Behavior description: Executable signature information
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\7-zip32.dll (signature verification: failed)
Behavior description: Calls Sleep function
details: [1]: MilliSeconds = 60000.
[2]: MilliSeconds = 60000.
[3]: MilliSeconds = 60000.
[4]: MilliSeconds = 60000.
[5]: MilliSeconds = 60000.
[6]: MilliSeconds = 60000.
[7]: MilliSeconds = 60000.
[8]: MilliSeconds = 60000.
[9]: MilliSeconds = 60000.
[10]: MilliSeconds = 60000.
Behavior description: Hides a specified window
details: [Window,Class] = [AutoIt v3,AutoIt v3]
Behavior description: Executable MD5
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\7-zip32.dll ---> 52f1fd0614e8c290f44c74062382ac18
Behavior description: Opens a mutex
details: ShimCacheMutex
Behavior description: Loads newly dropped file
details: Image: C:\Documents and Settings\Administrator\Local Settings\%temp%\7-zip32.dll.
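Read together, the entries above tell a story that no single line does: an executable is written into the user's temp directory, fails signature verification, and is then loaded; the process sleeps in 60-second steps; it asks for SE_LOAD_DRIVER_PRIVILEGE; and it deletes Start Menu shortcuts. The following is an added example, not VirSCAN's code, of turning this report format into records and applying those cross-entry checks. It assumes the English behavior labels used in this page; the excerpt it parses is constructed from the entries above.

```python
import re

# Constructed excerpt in the shape of the report above (a behavior label,
# then one or more detail lines); the paths are the ones the report lists.
SAMPLE_REPORT = r"""
Behavior description: Checks whether it is being debugged
details: N/A
Behavior description: Creates an executable file
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\7-zip32.dll
Behavior description: Deletes files
details: C:\Documents and Settings\Administrator\「开始」菜单\程序\Internet Explorer.lnk
C:\Documents and Settings\All Users\「开始」菜单\程序\Adobe Reader 9.lnk
Behavior description: Adjusts process token privileges
details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Executable signature information
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\7-zip32.dll(signature verification: failed)
Behavior description: Calls Sleep function
details: [1]: MilliSeconds = 60000.
[2]: MilliSeconds = 60000.
[3]: MilliSeconds = 60000.
Behavior description: Loads newly dropped file
details: Image: C:\Documents and Settings\Administrator\Local Settings\%temp%\7-zip32.dll.
"""

# Per-user temp locations on XP-era and later Windows (lower-cased for matching).
USER_TEMP_MARKERS = (
    "\\local settings\\temp\\",
    "\\local settings\\%temp%\\",
    "\\appdata\\local\\temp\\",
)


def parse_behaviors(text: str) -> list:
    """Parse 'Behavior description:' / 'details:' records, keeping continuation lines."""
    records = []
    current = None
    for line in text.splitlines():
        if line.startswith("Behavior description:"):
            current = {"behavior": line.split(":", 1)[1].strip(), "details": []}
            records.append(current)
        elif line.startswith("details:"):
            detail = line.split(":", 1)[1].strip()
            if current is not None and detail and detail != "N/A":
                current["details"].append(detail)
        elif current is not None and line.strip():
            current["details"].append(line.strip())
    return records


def _image_path(detail: str) -> str:
    """'Image: C:\\x\\y.dll.' -> 'c:\\x\\y.dll' (the report appends a period)."""
    d = detail.lower()
    if d.startswith("image: "):
        d = d[len("image: "):]
    return d.rstrip(".")


def triage(records: list) -> list:
    """Return flags for the behavior combinations an analyst would want to see first."""
    by_behavior = {}
    for rec in records:
        by_behavior.setdefault(rec["behavior"], []).extend(rec["details"])
    flags = []

    dropped = {d.lower() for d in by_behavior.get("Creates an executable file", [])}
    loaded = {_image_path(d) for d in by_behavior.get("Loads newly dropped file", [])}
    unsigned = {
        d.lower().split("(", 1)[0]
        for d in by_behavior.get("Executable signature information", [])
        if "failed" in d.lower()
    }
    # The interesting case is the intersection: a file this process wrote and then mapped.
    for path in sorted(dropped & loaded):
        if any(marker in path for marker in USER_TEMP_MARKERS):
            flags.append("loads executable it dropped into user temp")
        if path in unsigned:
            flags.append("dropped module failed signature verification")

    sleeps = [
        int(m.group(1))
        for d in by_behavior.get("Calls Sleep function", [])
        for m in re.finditer(r"MilliSeconds = (\d+)", d)
    ]
    if sleeps and sum(sleeps) >= 60_000:
        flags.append(f"long sleep loop: {len(sleeps)} calls, {sum(sleeps)} ms total")

    if "SE_LOAD_DRIVER_PRIVILEGE" in by_behavior.get("Adjusts process token privileges", []):
        flags.append("requests SE_LOAD_DRIVER_PRIVILEGE")

    deleted_links = [d for d in by_behavior.get("Deletes files", []) if d.lower().endswith(".lnk")]
    if deleted_links:
        flags.append(f"deletes {len(deleted_links)} shortcut (.lnk) files")

    if "Checks whether it is being debugged" in by_behavior:
        flags.append("checks for a debugger")
    return flags


if __name__ == "__main__":
    for flag in triage(parse_behaviors(SAMPLE_REPORT)):
        print("-", flag)
```

The sleep threshold and the temp-directory markers are choices made for this example; the point is that the dropped/loaded/unsigned intersection is computed across three separate report sections, which is exactly the correlation a line-by-line read tends to miss.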

Run screenshot (image not included)