VirSCAN


File information
Safety rating: 83
Behavior list
Basic Information
MD5: 94cd302f6bfa83e93aee224b153a3cd7
File type: EXE
Production company:
Version: 1.0.1.587 --- 1,0,1,587
Shell or compiler information: COMPILER: Microsoft Visual Studio .NET 2005 -- 2008 -> Microsoft Corporation [Overlay] *
Key behavior
Behavior description: Set special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Get TickCount value
Details: TickCount = 1079703, SleepMilliseconds = 5000.
TickCount = 1079734, SleepMilliseconds = 5000.
TickCount = 1079750, SleepMilliseconds = 5000.
TickCount = 1079781, SleepMilliseconds = 5000.
TickCount = 1080000, SleepMilliseconds = 5000.
TickCount = 1080156, SleepMilliseconds = 5000.
TickCount = 1080312, SleepMilliseconds = 5000.
TickCount = 1080328, SleepMilliseconds = 5000.
TickCount = 1080343, SleepMilliseconds = 5000.
TickCount = 1076518, SleepMilliseconds = 50.
TickCount = 1076550, SleepMilliseconds = 50.
TickCount = 1076565, SleepMilliseconds = 50.
TickCount = 1076612, SleepMilliseconds = 50.
TickCount = 1076643, SleepMilliseconds = 50.
TickCount = 1076659, SleepMilliseconds = 50.
Process behavior
Behavior description: Create process from newly created file
Details: ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp18.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp18.exe" /s /t WSbing
Behavior description: Enumerate processes
Details: N/A
File behavior
Behavior description: Create file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\996E_002456.log
C:\Documents and Settings\Administrator\Local Settings\Temp\htmlayout.dll
C:\Documents and Settings\Administrator\Application Data\iPumper\config.xml
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp17.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp18.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp18.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6P4O8QNJ\wpad[1].dat
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6P4O8QNJ\index[1].php
Behavior description: Create executable file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\htmlayout.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp18.exe
Behavior description: Find file
Details: FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\My Documents
FileName = C:\Documents and Settings\All Users
FileName = C:\Documents and Settings\All Users\Documents
FileName = C:\Documents and Settings\Administrator\桌面
FileName = C:\Documents and Settings\All Users\桌面
FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp18.exe
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\amilog2file.*
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Behavior description: Delete file
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6P4O8QNJ\wpad[1].dat
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6P4O8QNJ\index[1].php
Behavior description: Set special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Modify file contents
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\996E_002456.log ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\996E_002456.log ---> Offset = 112
C:\Documents and Settings\Administrator\Local Settings\Temp\996E_002456.log ---> Offset = 236
C:\Documents and Settings\Administrator\Local Settings\Temp\htmlayout.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\iPumper\config.xml ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp18.exe ---> Offset = 0
Network behavior
Behavior description: Open URL over the network
Details: InternetOpenUrlA: http://**.133.40.**:128/wpad.dat, hInternet = 0x00cc0010, Flags = 0x00000010
Behavior description: Connect to specified site
Details: WinHttpConnect: ServerName = ww****om, PORT = 80, UserName = , Password = , hSession = 0x00db4000, hConnect = 0x00db4100, Flags = 0x00000000
InternetConnectA: ServerName = ww****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
InternetConnectA: ServerName = **.133.40.**, PORT = 128, UserName = , Password = , hSession = 0x00cc0010, hConnect = 0x00cc0014, Flags = 0x00000010
WinHttpConnect: ServerName = ww****om, PORT = 80, UserName = , Password = , hSession = 0x026a0000, hConnect = 0x026a0100, Flags = 0x00000000
Behavior description: Open HTTP connection
Details: WinHttpOpen: UserAgent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0), hSession = 0x00db4000
InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489), hSession = 0x00cc0004
InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0), hSession = 0x00cc0010
WinHttpOpen: UserAgent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0), hSession = 0x026a0000
Behavior description: Establish a connection to a specified socket
Details: URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x0000065c
URL: wpad, IP: **.133.40.**:128, SOCKET = 0x0000045c
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x00000460
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x00000550
Behavior description: Read network file
Details: hFile = 0x00cc0018, BytesToRead = 4010, BytesRead = 4010.
hFile = 0x00cc000c, BytesToRead = 4096, BytesRead = 4096.
Behavior description: Send HTTP packet
Details: GET /api/cc HTTP/1.1 User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Host: ww****om Connection: Close
GET /wpad.dat HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0) Host: **.133.40.**:128
GET /index.php?ts=1464123743&Net1.1=&Net2=3.5.30729.01SP1&Net4=4.0.30319&OSversion=NT5.1SP3&Slv=&Sysid=11549BF9EF235D36623CFD903F4A993F&X64=N&admin=Y&browser=IEXPLORE.EXE&exe=tmp18&lang_DfltSys=0804&lang_DfltUser=0804&s=Y&screen=1920x967&ver=1.1.3.71 HTTP/1.1 Accept: */* Accept-Language: zh-cn Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: ww****om Connection: Keep-Alive
GET /api/firstscreenshown/aa0b312221f211e691be7B****28/16454104 HTTP/1.1 User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Host: ww****om Connection: Close
Behavior description: Open HTTP request
Details: WinHttpOpenRequest: ww****om:80/api/cc, hConnect = 0x00db4100, hRequest = 0x01c50000, Verb: GET, Referer: , Flags = 0x00000000
HttpOpenRequestA: ww****om:80/index.php?ts=1464123743&net1.1=&net2=3.5.30729.01sp1&net4=4.0.30319&osversion=nt5.1sp3&slv=&sysid=11549bf9ef235d36623cfd903f4a993f&x64=n&admin=y&browser=iexplore.exe&exe=tmp18&lang_dfltsys=0804&lang_dfltuser=0804&s=y&screen=1920x, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400200
HttpOpenRequestA: **.133.40.**:128/wpad.dat, hConnect = 0x00cc0014, hRequest = 0x00cc0018, Verb: GET, Referer: , Flags = 0x00000010
WinHttpOpenRequest: ww****om:80/api/firstscreenshown/aa0b312221f211e691be7B****28/16454104, hConnect = 0x026a0100, hRequest = 0x026d0000, Verb: GET, Referer: , Flags = 0x00000000
Behavior description: Resolve host address by name
Details: GetAddrInfoW: ww****om
GetAddrInfoW: computer
GetAddrInfoW: wpad
Registry behavior
Behavior description: Modify registry
Details: \REGISTRY\USER\S-*\Software\Escolade\GUID
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp18.exe
\REGISTRY\MACHINE\SOFTWARE\Classes\AmiBs.Boot.1\
\REGISTRY\MACHINE\SOFTWARE\Classes\AmiBs.Boot.1\CLSID\
\REGISTRY\MACHINE\SOFTWARE\Classes\AmiBs.Boot\
\REGISTRY\MACHINE\SOFTWARE\Classes\AmiBs.Boot\CurVer\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\ProgID\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\VersionIndependentProgID\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\LocalServer32\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\LocalServer32\ServerExecutable
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\TypeLib\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F04A2CA1-9140-4553-B6C4-03E4139ECA93}\Version\
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}\1.0\
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4ECB13A5-757F-472B-8E54-EE529A450220}\1.0\FLAGS\
Behavior description: Delete registry value
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\tmp18\DEBUG\Trace Level
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
\REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\DWFileTreeRoot
Behavior description: Delete registry key
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\
Other behavior
Behavior description: Create mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
oleacc-msaa-loaded
{E2AF26F0-6DCC-410c-A24D-ED093DDE1638}
MSCTF.Shared.MUTEX.ELH
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Global\Am_Bootstrapper_Runing_1
Global\Am_Bootstrapper_Runing_2
Behavior description: Create event object
Details: EventName = DINPUTWINMM
EventName = Global\Am_Bootstrapper_2_Ready
EventName = Global\crypt32LogoffEvent
EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceive.Event.MJJ.IC
EventName = MSCTF.SendReceiveConection.Event.MJJ.IC
Behavior description: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Get TickCount value
Details: TickCount = 1079703, SleepMilliseconds = 5000.
TickCount = 1079734, SleepMilliseconds = 5000.
TickCount = 1079750, SleepMilliseconds = 5000.
TickCount = 1079781, SleepMilliseconds = 5000.
TickCount = 1080000, SleepMilliseconds = 5000.
TickCount = 1080156, SleepMilliseconds = 5000.
TickCount = 1080312, SleepMilliseconds = 5000.
TickCount = 1080328, SleepMilliseconds = 5000.
TickCount = 1080343, SleepMilliseconds = 5000.
TickCount = 1076518, SleepMilliseconds = 50.
TickCount = 1076550, SleepMilliseconds = 50.
TickCount = 1076565, SleepMilliseconds = 50.
TickCount = 1076612, SleepMilliseconds = 50.
TickCount = 1076643, SleepMilliseconds = 50.
TickCount = 1076659, SleepMilliseconds = 50.
Behavior description: Adjust process token privileges
Details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Window information
Details: Pid = 2456, Hwnd=0x8031c, Text = Starting..., ClassName = ATL:0044D620.
Pid = 588, Hwnd=0x4036a, Text = 确定, ClassName = Button.
Pid = 588, Hwnd=0x6034a, Text = 取消, ClassName = Button.
Pid = 588, Hwnd=0x80324, Text = "0x0040f1bc" 指令引用的 "0x00000000" 内存。该内存不能为 "read"。 要终止程序,请单击“确定”。 要调试程序,请单击“取消”。, ClassName = Static.
Pid = 588, Hwnd=0x5036c, Text = AXWIN Frame Window: tmp18.exe - 应用程序错误, ClassName = #32770.
Pid = 2456, Hwnd=0x9031c, Text = iPumper setup - 2.0, ClassName = ATL:0044D620.
Behavior description: Executable file signature information
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\htmlayout.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp18.exe (signature verification: passed)
Behavior description: Call Sleep function
Details: [1]: MilliSeconds = 5000.
[2]: MilliSeconds = 5000.
[3]: MilliSeconds = 5000.
[4]: MilliSeconds = 5000.
[5]: MilliSeconds = 5000.
[6]: MilliSeconds = 5000.
[7]: MilliSeconds = 5000.
[1]: MilliSeconds = 60000.
[8]: MilliSeconds = 5000.
[9]: MilliSeconds = 5000.
[2]: MilliSeconds = 60000.
[10]: MilliSeconds = 5000.
[3]: MilliSeconds = 60000.
[4]: MilliSeconds = 100.
[5]: MilliSeconds = 60000.
Behavior description: Hide specified window
Details: [Window,Class] = [,SysLink]
[Window,Class] = [,Static]
Behavior description: Executable file MD5
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\htmlayout.dll ---> 7222f8144a764f45b21fbc89e007c4c9
C:\Documents and Settings\Administrator\Local Settings\Temp\tmp18.exe ---> c80d3b60e0d0647cb65ff1b884c7f5cc
Behavior description: Load newly dropped file
Details: Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\htmlayout.dll.
Run screenshot