VirSCAN

File information
Security score: 55
Basic information
MD5: b48021fd1d24d855c89d6f51753682f2
File type: EXE
Vendor (version resource): Atheros Communications, Inc.
Version: 2.1.0.18---2.1.0.18
Packer/compiler: PACKER:UPolyX v0.5
Key behaviors
Behavior: Directly invokes critical system calls by syscall index
Details: Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x005AD2D1
Index = 0x000000E5, Name: NtSetInformationThread, Instruction Address = 0x005B5D08
Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x005BBF6C
Behavior: Probes for the presence of Virtual PC
Details: N/A
Behavior: Queries registry values (VM detection: display adapter DriverDesc, BIOS version strings)
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Behavior: Attempts to open device objects of debugger or monitoring drivers (SoftICE: SICE, SIWVID, NTICE)
Details: \??\SICE
\??\SIWVID
\??\NTICE
Behavior: Reads the TickCount (timing check around a 50 ms Sleep)
Details: TickCount = 223409, SleepMilliseconds = 50.
TickCount = 224018, SleepMilliseconds = 50.
Behavior: Opens registry key (VM detection: VirtualBox ACPI DSDT table)
Details: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Behavior: Reads the CPU time-stamp counter directly (RDTSC; EDX:EAX is the 64-bit counter)
Details: EAX = 0xc3922604, EDX = 0x000000b8
EAX = 0xc3922650, EDX = 0x000000b8
EAX = 0xc392269c, EDX = 0x000000b8
EAX = 0xc39226e8, EDX = 0x000000b8
EAX = 0xc3922734, EDX = 0x000000b8
EAX = 0xc3922780, EDX = 0x000000b8
EAX = 0xc39227cc, EDX = 0x000000b8
EAX = 0xc3922818, EDX = 0x000000b8
EAX = 0xc3922864, EDX = 0x000000b8
EAX = 0xc39228b0, EDX = 0x000000b8
Behavior: Searches the loaded kernel module list for a specific driver
Details: lstrcmpiA: ntice.sys <------> ntkrnlpa.exe Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> hal.dll Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> KDCOM.DLL Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> BOOTVID.dll Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> ACPI.sys Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> WMILIB.SYS Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> pci.sys Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> isapnp.sys Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> compbatt.sys Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> BATTC.SYS Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> intelide.sys Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> PCIIDEX.SYS Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> MountMgr.sys Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> ftdisk.sys Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> dmload.sys Desc: SoftICE driver
Behavior: Searches for windows of common analysis tools (debuggers, Sysinternals monitors)
Details: NtUserFindWindowEx: [Class,Window] = [OLLYDBG,]
NtUserFindWindowEx: [Class,Window] = [GBDYLLO,]
NtUserFindWindowEx: [Class,Window] = [pediy06,]
NtUserFindWindowEx: [Class,Window] = [FilemonClass,]
NtUserFindWindowEx: [Class,Window] = [,File Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]
NtUserFindWindowEx: [Class,Window] = [,Process Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [RegmonClass,]
NtUserFindWindowEx: [Class,Window] = [,Registry Monitor - Sysinternals: www.sysinternals.com]
Behavior: Detects VMware via its special (backdoor) instruction
Details: N/A
Process behavior
Behavior: Creates local thread
Details: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2764, ThreadID = 2812, StartAddress = 00410663, Parameter = 0057A7C2
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2764, ThreadID = 2816, StartAddress = 00410663, Parameter = 0057B24F
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2764, ThreadID = 2820, StartAddress = 00410663, Parameter = 0057C1F2
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2764, ThreadID = 2824, StartAddress = 00410663, Parameter = 0057D25B
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2764, ThreadID = 2828, StartAddress = 00410663, Parameter = 0057DCE8
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2764, ThreadID = 2832, StartAddress = 00410663, Parameter = 0057E840
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2764, ThreadID = 2836, StartAddress = 00410663, Parameter = 0057F242
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2764, ThreadID = 2840, StartAddress = 00410663, Parameter = 0057FD94
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2764, ThreadID = 2844, StartAddress = 00410663, Parameter = 00583C33
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2764, ThreadID = 2848, StartAddress = 00410663, Parameter = 00584BA0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2764, ThreadID = 2852, StartAddress = 00410663, Parameter = 00585BFB
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2764, ThreadID = 2856, StartAddress = 00410663, Parameter = 00586C8A
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2764, ThreadID = 2860, StartAddress = 00410663, Parameter = 00587C97
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2764, ThreadID = 2864, StartAddress = 00410663, Parameter = 00588C51
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2764, ThreadID = 2868, StartAddress = 00410663, Parameter = 00589B9C
Behavior: Enumerates processes
Details: N/A
Registry behavior
Behavior: Deletes registry key (Dr. Watson error-reporting configuration)
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\
Behavior: Deletes registry value
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\DWFileTreeRoot
Behavior: Opens registry key (VM detection: VirtualBox ACPI DSDT table)
Details: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Behavior: Queries registry values (VM detection: display adapter DriverDesc, BIOS version strings)
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Other behavior
Behavior: Directly invokes critical system calls by syscall index
Details: Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x005AD2D1
Index = 0x000000E5, Name: NtSetInformationThread, Instruction Address = 0x005B5D08
Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x005BBF6C
Behavior: Probes for the presence of Virtual PC
Details: N/A
Behavior: Creates event object
Details: EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
Behavior: Opens mutex (DBWinMutex is the mutex used by OutputDebugString and DebugView)
Details: DBWinMutex
Behavior: Searches for a specific window
Details: NtUserFindWindowEx: [Class,Window] = [18467-41,]
Behavior: Attempts to open device objects of debugger or monitoring drivers (SoftICE: SICE, SIWVID, NTICE)
Details: \??\SICE
\??\SIWVID
\??\NTICE
Behavior: Searches for the kernel32.dll base address
Details: Instruction Address = 0x00411a90
Behavior: Opens event
Details: HookSwitchHookEnabledEvent
Behavior: Calls Sleep
Details: [1]: MilliSeconds = 50.
Behavior: Reads the TickCount (timing check around a 50 ms Sleep)
Details: TickCount = 223409, SleepMilliseconds = 50.
TickCount = 224018, SleepMilliseconds = 50.
Behavior: Reads the CPU time-stamp counter directly (RDTSC; EDX:EAX is the 64-bit counter)
Details: EAX = 0xc3922604, EDX = 0x000000b8
EAX = 0xc3922650, EDX = 0x000000b8
EAX = 0xc392269c, EDX = 0x000000b8
EAX = 0xc39226e8, EDX = 0x000000b8
EAX = 0xc3922734, EDX = 0x000000b8
EAX = 0xc3922780, EDX = 0x000000b8
EAX = 0xc39227cc, EDX = 0x000000b8
EAX = 0xc3922818, EDX = 0x000000b8
EAX = 0xc3922864, EDX = 0x000000b8
EAX = 0xc39228b0, EDX = 0x000000b8
Behavior: Searches the loaded kernel module list for a specific driver
Details: lstrcmpiA: ntice.sys <------> ntkrnlpa.exe Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> hal.dll Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> KDCOM.DLL Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> BOOTVID.dll Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> ACPI.sys Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> WMILIB.SYS Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> pci.sys Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> isapnp.sys Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> compbatt.sys Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> BATTC.SYS Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> intelide.sys Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> PCIIDEX.SYS Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> MountMgr.sys Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> ftdisk.sys Desc: SoftICE driver
lstrcmpiA: ntice.sys <------> dmload.sys Desc: SoftICE driver
Behavior: Searches for windows of common analysis tools (debuggers, Sysinternals monitors)
Details: NtUserFindWindowEx: [Class,Window] = [OLLYDBG,]
NtUserFindWindowEx: [Class,Window] = [GBDYLLO,]
NtUserFindWindowEx: [Class,Window] = [pediy06,]
NtUserFindWindowEx: [Class,Window] = [FilemonClass,]
NtUserFindWindowEx: [Class,Window] = [,File Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]
NtUserFindWindowEx: [Class,Window] = [,Process Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [RegmonClass,]
NtUserFindWindowEx: [Class,Window] = [,Registry Monitor - Sysinternals: www.sysinternals.com]
Behavior: Detects VMware via its special (backdoor) instruction
Details: N/A
Runtime screenshot: (image not included)
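The report above is a flattened list of "Behavior:" / "Details:" records, and several of the details encode values that are easier to recompute than to read off the page: the RDTSC lines give the counter as separate EDX and EAX halves, the FindWindowEx lines mix class-name and window-title matches, and the syscall lines carry both the syscall index and the address of the calling instruction. The Python below is an added example written for this page, not VirSCAN's code or output; it parses a constructed excerpt in that record format into structured indicators. The excerpt reuses values from the report above with the English labels used on this page, and the function and field names are this editor's own.

```python
"""Parse VirSCAN-style behavior records into structured anti-analysis indicators.

Added example for this page, not VirSCAN's own code. SAMPLE_REPORT is a
constructed excerpt built from values in the report above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE_REPORT = """\
Behavior: Directly invokes critical system calls by syscall index
Details: Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x005AD2D1
Index = 0x000000E5, Name: NtSetInformationThread, Instruction Address = 0x005B5D08
Behavior: Probes for the presence of Virtual PC
Details: N/A
Behavior: Attempts to open device objects of debugger or monitoring drivers
Details: \\??\\SICE
\\??\\SIWVID
\\??\\NTICE
Behavior: Reads the CPU time-stamp counter directly
Details: EAX = 0xc3922604, EDX = 0x000000b8
EAX = 0xc3922650, EDX = 0x000000b8
EAX = 0xc392269c, EDX = 0x000000b8
Behavior: Searches for windows of common analysis tools
Details: NtUserFindWindowEx: [Class,Window] = [OLLYDBG,]
NtUserFindWindowEx: [Class,Window] = [,Process Monitor - Sysinternals: www.sysinternals.com]
"""

BEHAVIOR_PREFIX = "Behavior: "
DETAILS_PREFIX = "Details: "
SYSCALL_RE = re.compile(r"Index = 0x([0-9A-Fa-f]+), Name: (\w+), Instruction Address = 0x([0-9A-Fa-f]+)")
RDTSC_RE = re.compile(r"EAX = 0x([0-9A-Fa-f]+), EDX = 0x([0-9A-Fa-f]+)")
WINDOW_RE = re.compile(r"NtUserFindWindowEx: \[Class,Window\] = \[([^,\]]*),([^\]]*)\]")


@dataclass
class Behavior:
    description: str
    details: list[str] = field(default_factory=list)


def parse_behaviors(report: str) -> list[Behavior]:
    """Group the flattened text into records.

    A 'Details:' line opens a record's detail list and bare lines extend it
    until the next 'Behavior:' line; 'N/A' means the engine logged no detail.
    """
    records: list[Behavior] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(BEHAVIOR_PREFIX):
            records.append(Behavior(line[len(BEHAVIOR_PREFIX):]))
        elif records:
            if line.startswith(DETAILS_PREFIX):
                line = line[len(DETAILS_PREFIX):]
            if line != "N/A":
                records[-1].details.append(line)
    return records


def _details(records: list[Behavior]):
    for rec in records:
        yield from rec.details


def direct_syscalls(records: list[Behavior]) -> list[tuple[int, str, int]]:
    """(syscall index, native API name, address of the calling instruction)."""
    out = []
    for d in _details(records):
        m = SYSCALL_RE.fullmatch(d)
        if m:
            out.append((int(m.group(1), 16), m.group(2), int(m.group(3), 16)))
    return out


def debugger_devices(records: list[Behavior]) -> list[str]:
    """Device names opened under the \\??\\ object directory (SoftICE exposes SICE, SIWVID, NTICE)."""
    return [d[len("\\??\\"):] for d in _details(records) if d.startswith("\\??\\")]


def rdtsc_samples(records: list[Behavior]) -> list[int]:
    """Recombine the EDX:EAX halves RDTSC returns into 64-bit counter values."""
    out = []
    for d in _details(records):
        m = RDTSC_RE.fullmatch(d)
        if m:
            out.append((int(m.group(2), 16) << 32) | int(m.group(1), 16))
    return out


def rdtsc_steps(samples: list[int]) -> list[int]:
    """Differences between consecutive reads; identical steps point at an emulated counter."""
    return [b - a for a, b in zip(samples, samples[1:])]


def window_probes(records: list[Behavior]) -> list[tuple[str, str]]:
    """(class name, window title) pairs passed to FindWindowEx; '' means that field was a wildcard."""
    return [(m.group(1), m.group(2)) for d in _details(records) if (m := WINDOW_RE.fullmatch(d))]


def summarize(report: str) -> dict:
    """One triage dictionary for a whole report."""
    records = parse_behaviors(report)
    samples = rdtsc_samples(records)
    steps = rdtsc_steps(samples)
    return {
        "behaviors": len(records),
        "direct_syscalls": [name for _, name, _ in direct_syscalls(records)],
        "debugger_devices": debugger_devices(records),
        "window_probes": window_probes(records),
        "rdtsc_reads": len(samples),
        "rdtsc_constant_step": len(set(steps)) == 1 if steps else False,
        "rdtsc_step": steps[0] if steps else None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run on the excerpt, the RDTSC reads come out exactly 0x4C apart, the same fixed spacing that holds across all ten values in the report above. Spacing that regular is more consistent with a counter supplied by the monitoring engine than with bare-metal hardware, so the report alone does not tell you whether the sample's timing check would have passed or failed on a real machine.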