VirSCAN VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.

File information

Basic Information

MD5: 8ae0b498ae95a441cf76b0381672e6cc
file type: zip
Production company:
version:
Shell or compiler information: PACKER:UPolyX v0.5
Subfile information: EXE1.EXE / dumpFile / d6842d526e3c39bcbd784343990cdfa6 / EXE

Key behavior

Behavior description: Cross-process data write
details: TargetProcess = C:\WINDOWS\system32\regsvr32.exe, WriteAddress = 0x7ffd8008, Size = 0x00000004 TargetPID = 0x00000b54
TargetProcess = C:\WINDOWS\system32\regsvr32.exe, WriteAddress = 0x7ffd6008, Size = 0x00000004 TargetPID = 0x00000b78
TargetProcess = C:\WINDOWS\system32\regsvr32.exe, WriteAddress = 0x7ffd8008, Size = 0x00000004 TargetPID = 0x00000bd4
TargetProcess = C:\WINDOWS\system32\regsvr32.exe, WriteAddress = 0x7ffd3008, Size = 0x00000004 TargetPID = 0x00000c04
Behavior description: Query file attributes to detect a virtual machine
details: GetFileAttributes: FileName = C:\WINDOWS\system32\drivers\vmmouse.sys
GetFileAttributes: FileName = C:\WINDOWS\\system32\drivers\vmhgfs.sys
Behavior description: Set thread context
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\EXE1.EXE
C:\WINDOWS\system32\regsvr32.exe
Behavior description: Get TickCount value
details: TickCount = 221484, SleepMilliseconds = 5000.
TickCount = 216596, SleepMilliseconds = 50.
TickCount = 216659, SleepMilliseconds = 50.
TickCount = 217671, SleepMilliseconds = 1000.
TickCount = 216784, SleepMilliseconds = 50.
TickCount = 217796, SleepMilliseconds = 1000.
TickCount = 216909, SleepMilliseconds = 50.
TickCount = 216971, SleepMilliseconds = 50.
TickCount = 217003, SleepMilliseconds = 50.
Behavior description: Modify another process's memory via memory mapping
details: TargetProcess = regsvr32.exe
Behavior description: Open registry key (virtual machine detection related)
details: \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions
\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
Behavior description: Set special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Query registry (virtual machine detection related)
details: \REGISTRY\MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Behavior description: Self-deletion
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\EXE1.EXE
Behavior description: Modify registry (startup entry)
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\

File behavior

Behavior description: Create file
details: C:\Documents and Settings\Administrator\Local Settings\Application Data\awivy\awivy.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\microsoft_com[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\WindowsXP-KB968930-x86-ENG[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\WindowsXP-KB968930-x86-ENG.exe
Behavior description: Query file attributes to detect a virtual machine
details: GetFileAttributes: FileName = C:\WINDOWS\system32\drivers\vmmouse.sys
GetFileAttributes: FileName = C:\WINDOWS\\system32\drivers\vmhgfs.sys
Behavior description: Create executable file
details: C:\Documents and Settings\Administrator\Local Settings\Application Data\awivy\awivy.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\WindowsXP-KB968930-x86-ENG.exe
Behavior description: Search for files
details: FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\regsvr32.exe
FileName = c:\documents and settings
FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS\system32\Ras\*.pbk
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\Documents and Settings\Administrator\My Documents
FileName = C:\Documents and Settings\All Users
FileName = C:\Documents and Settings\All Users\Documents
FileName = C:\Documents and Settings\Administrator\桌面
FileName = C:\Documents and Settings\All Users\桌面
Behavior description: Delete file
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\microsoft_com[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\WindowsXP-KB968930-x86-ENG[1].exe
Behavior description: Set special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Modify file content
details: C:\Documents and Settings\Administrator\Local Settings\Application Data\awivy\awivy.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Application Data\WindowsXP-KB968930-x86-ENG.exe ---> Offset = 0
Behavior description: Self-deletion
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\EXE1.EXE

Network behavior

Behavior description: Download file
details: C:\Documents and Settings\Administrator\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\WindowsXP-KB968930-x86-ENG.exe
Behavior description: Connect to specified site
details: InternetConnectA: ServerName = mi****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
InternetConnectA: ServerName = do****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
Behavior description: Open HTTP connection
details: InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489), hSession = 0x00cc0004
Behavior description: Establish a connection to a specified socket
details: URL: mi****om, IP: **.133.40.**:80, SOCKET = 0x000002c4
IP: **.41.26.**:443, SOCKET = 0x000002e0
IP: **.201.220.**:443, SOCKET = 0x000002e0
IP: **.102.230.**:80, SOCKET = 0x000002e4
IP: **.245.184.**:80, SOCKET = 0x000002dc
URL: do****om, IP: **.133.40.**:80, SOCKET = 0x00000264
URL: do****om, IP: **.133.40.**:80, SOCKET = 0x000002b4
IP: **.178.225.**:443, SOCKET = 0x000002e4
IP: **.244.190.**:80, SOCKET = 0x000002e0
IP: **.184.213.**:80, SOCKET = 0x000002e0
IP: **.169.97.**:80, SOCKET = 0x000002dc
IP: **.176.170.**:443, SOCKET = 0x000002e4
IP: **.71.87.**:80, SOCKET = 0x000002f0
IP: **.57.146.**:80, SOCKET = 0x000002f0
IP: **.69.170.**:80, SOCKET = 0x000002e8
Behavior description: Read network file
details: hFile = 0x00cc000c, BytesToRead =1024, BytesRead = 1024.
Behavior description: Send HTTP packet
details: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: mi****om Cache-Control: no-cache
GET /download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: do****om Cache-Control: no-cache
Behavior description: Open HTTP request
details: HttpOpenRequestA: do****om:80/download/e/c/e/ece99583-2003-455d-b681-68db610b44a4/windowsxp-kb968930-x86-eng.exe, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x84000700
Behavior description: Get host address by name
details: GetAddrInfoW: mi****om
GetAddrInfoW: do****om

Registry behavior

Behavior description: Delete registry key
details: \REGISTRY\MACHINE\SOFTWARE\
\REGISTRY\MACHINE\SOFTWARE\DB3CE71A512DAC5566\
\REGISTRY\MACHINE\SOFTWARE\882ABA110893C93DA554\
Behavior description: Modify registry (group policy)
details: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DisableOSUpgrade
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\OSUpgrade\ReservationsAllowed
Behavior description: Modify registry
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1206
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2300
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1809
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2300
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\iexplore.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\regsvr32.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\iexplore.exe
\REGISTRY\MACHINE\SOFTWARE\qcihyvg\lceyhzpg
\REGISTRY\USER\S-*\Software\qcihyvg\lceyhzpg
\REGISTRY\MACHINE\SOFTWARE\qcihyvg\bprqzqmwbp
\REGISTRY\USER\S-*\Software\qcihyvg\bprqzqmwbp
\REGISTRY\MACHINE\SOFTWARE\qcihyvg\ipeczzwxip
\REGISTRY\USER\S-*\Software\qcihyvg\ipeczzwxip
\REGISTRY\MACHINE\SOFTWARE\qcihyvg\keaktv
Behavior description: Delete registry value
details: \REGISTRY\MACHINE\SOFTWARE\
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
\REGISTRY\MACHINE\SOFTWARE\DB3CE71A512DAC5566\642337DB8AB5D702
\REGISTRY\MACHINE\SOFTWARE\882ABA110893C93DA554\D9777D277A530942
Behavior description: Open registry key (virtual machine detection related)
details: \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions
\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
Behavior description: Query registry (virtual machine detection related)
details: \REGISTRY\MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Behavior description: Modify registry (startup entry)
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\

Other behavior

Behavior description: Check whether it is being debugged
details: IsDebuggerPresent
Behavior description: Create mutex
details: SHIMLIB_LOG_MUTEX
Global\7187CCB0BE5A66C7
7736DEF6C97AA0E5
RasPbFile
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
4E77F1CB30A56703
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Behavior description: Create event object
details: EventName = Global\crypt32LogoffEvent
EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
Behavior description: Get TickCount value
details: TickCount = 221484, SleepMilliseconds = 5000.
TickCount = 216596, SleepMilliseconds = 50.
TickCount = 216659, SleepMilliseconds = 50.
TickCount = 217671, SleepMilliseconds = 1000.
TickCount = 216784, SleepMilliseconds = 50.
TickCount = 217796, SleepMilliseconds = 1000.
TickCount = 216909, SleepMilliseconds = 50.
TickCount = 216971, SleepMilliseconds = 50.
TickCount = 217003, SleepMilliseconds = 50.
Behavior description: Adjust process token privileges
details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Open event
details: Global\crypt32LogoffEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
HookSwitchHookEnabledEvent
7C2CD7E5F014A46171BD29BB231B8CE4
617B3A8C2E6A99EBAD9AE0D590082BBD
E21E31A49A98E9475C129FCA1DF2AFFF
Global\SvcctrlStartEvent_A3752DX
\INSTALLATION_SECURITY_HOLD
_fCanRegisterWithShellService
Behavior description: Executable file signature information
details: C:\Documents and Settings\Administrator\Local Settings\Application Data\awivy\awivy.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Application Data\WindowsXP-KB968930-x86-ENG.exe (signature verification: failed)
Behavior description: Call Sleep function
details: [1]: MilliSeconds = 99999999.
[2]: MilliSeconds = 1000.
[3]: MilliSeconds = 1000.
[4]: MilliSeconds = 5000.
[5]: MilliSeconds = 50.
[6]: MilliSeconds = 50.
[7]: MilliSeconds = 50.
[8]: MilliSeconds = 1000.
[9]: MilliSeconds = 50.
[10]: MilliSeconds = 50.
Behavior description: Executable file MD5
details: C:\Documents and Settings\Administrator\Local Settings\Application Data\awivy\awivy.exe ---> 07ad01ed433373f20740ad3fb6e9bf87
C:\Documents and Settings\Administrator\Local Settings\Temp\WindowsXP-KB968930-x86-ENG.exe ---> fe1d0ee5901dd167ee9b28eece31786c
C:\Documents and Settings\Administrator\Local Settings\Application Data\WindowsXP-KB968930-x86-ENG.exe ---> fe1d0ee5901dd167ee9b28eece31786c
Behavior description: Open mutex
details: ShimCacheMutex
4E77F1CB30A56703
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
Local\!IETld!Mutex
7736DEF6C97AA0E5
59A95E2B0B0ED5FE