VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but an archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives whose password is 'infected' or 'virus'.


File information
Security score: 50
Basic information
MD5:769ba1561c8fa16dd677fea76e874d8b
File type: EXE
Vendor:
Version:
Packer / compiler: PACKER:UPolyX v0.5
Key behaviors
Behavior: Direct calls to critical system APIs (by syscall index)
Details: Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x0084BF13
Index = 0x000000E5, Name: NtSetInformationThread, Instruction Address = 0x0085E532
Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x00861CA4
Behavior: Probe for Virtual PC
Details: N/A
Behavior: Registry query (VM detection)
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Behavior: Attempt to open debugger/monitor driver device objects
Details: \??\SICE
\??\SIWVID
\??\NTICE
Behavior: Read TickCount (GetTickCount around Sleep)
Details: TickCount = 220628, SleepMilliseconds = 50.
TickCount = 220643, SleepMilliseconds = 50.
TickCount = 221237, SleepMilliseconds = 50.
TickCount = 222081, SleepMilliseconds = 50.
TickCount = 222315, SleepMilliseconds = 50.
TickCount = 222331, SleepMilliseconds = 50.
TickCount = 222362, SleepMilliseconds = 50.
TickCount = 222409, SleepMilliseconds = 50.
TickCount = 222487, SleepMilliseconds = 50.
TickCount = 222503, SleepMilliseconds = 50.
TickCount = 223518, SleepMilliseconds = 50.
TickCount = 223768, SleepMilliseconds = 50.
TickCount = 223784, SleepMilliseconds = 50.
TickCount = 223815, SleepMilliseconds = 50.
TickCount = 223878, SleepMilliseconds = 50.
Behavior: Open registry key (VM detection)
Details: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Behavior: Capture foreground window (screenshot info)
Details: Foreground window Info: HWND = 0x0001036e, DC = 0x01010686.
Foreground window Info: HWND = 0x00010370, DC = 0x01010686.
Foreground window Info: HWND = 0x00010372, DC = 0x01010686.
Foreground window Info: HWND = 0x00010374, DC = 0x01010686.
Foreground window Info: HWND = 0x00010376, DC = 0x01010686.
Foreground window Info: HWND = 0x00010378, DC = 0x01010686.
Foreground window Info: HWND = 0x0001037e, DC = 0x01010686.
Foreground window Info: HWND = 0x00010380, DC = 0x01010686.
Foreground window Info: HWND = 0x00010382, DC = 0x01010686.
Foreground window Info: HWND = 0x00010386, DC = 0x01010686.
Foreground window Info: HWND = 0x00010388, DC = 0x01010686.
Behavior: Set attributes on special folders
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior: Read the CPU timestamp counter directly (RDTSC)
Details: EAX = 0x614971aa, EDX = 0x000000b6
EAX = 0x614971f6, EDX = 0x000000b6
EAX = 0x61497242, EDX = 0x000000b6
EAX = 0x6149728e, EDX = 0x000000b6
EAX = 0x614972da, EDX = 0x000000b6
EAX = 0x61497326, EDX = 0x000000b6
EAX = 0x61497372, EDX = 0x000000b6
EAX = 0x63fc72ee, EDX = 0x000000b6
EAX = 0x63fc733a, EDX = 0x000000b6
EAX = 0x63fc7386, EDX = 0x000000b6
Behavior: Search for a specific kernel module
Details: lstrcmpiA: ntice.sys <------> ntkrnlpa.exe Des: SoftICE driver
lstrcmpiA: ntice.sys <------> hal.dll Des: SoftICE driver
lstrcmpiA: ntice.sys <------> KDCOM.DLL Des: SoftICE driver
lstrcmpiA: ntice.sys <------> BOOTVID.dll Des: SoftICE driver
lstrcmpiA: ntice.sys <------> ACPI.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> WMILIB.SYS Des: SoftICE driver
lstrcmpiA: ntice.sys <------> pci.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> isapnp.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> compbatt.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> BATTC.SYS Des: SoftICE driver
lstrcmpiA: ntice.sys <------> intelide.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> PCIIDEX.SYS Des: SoftICE driver
lstrcmpiA: ntice.sys <------> MountMgr.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> ftdisk.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> dmload.sys Des: SoftICE driver
Behavior: Search for windows of common analysis tools
Details: NtUserFindWindowEx: [Class,Window] = [OLLYDBG,]
NtUserFindWindowEx: [Class,Window] = [GBDYLLO,]
NtUserFindWindowEx: [Class,Window] = [pediy06,]
NtUserFindWindowEx: [Class,Window] = [FilemonClass,]
NtUserFindWindowEx: [Class,Window] = [,File Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]
NtUserFindWindowEx: [Class,Window] = [,Process Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [RegmonClass,]
NtUserFindWindowEx: [Class,Window] = [,Registry Monitor - Sysinternals: www.sysinternals.com]
Behavior: VM detection via the VMware backdoor instruction
Details: N/A
Process behavior
Behavior: Create local thread
Details: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2688, StartAddress = 0067E1C3, Parameter = 008150F7
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2692, StartAddress = 0067E1C3, Parameter = 00815ABE
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2696, StartAddress = 0067E1C3, Parameter = 00816AD2
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2700, StartAddress = 0067E1C3, Parameter = 008175D3
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2704, StartAddress = 0067E1C3, Parameter = 008180C6
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2708, StartAddress = 0067E1C3, Parameter = 00818AE6
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2712, StartAddress = 0067E1C3, Parameter = 00819530
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2716, StartAddress = 0067E1C3, Parameter = 00819F3E
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2720, StartAddress = 0067E1C3, Parameter = 0081FE49
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2724, StartAddress = 0067E1C3, Parameter = 0082243B
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2728, StartAddress = 0067E1C3, Parameter = 00823502
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2732, StartAddress = 0067E1C3, Parameter = 008243E2
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2736, StartAddress = 0067E1C3, Parameter = 008254E3
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2740, StartAddress = 0067E1C3, Parameter = 008264A6
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2744, StartAddress = 0067E1C3, Parameter = 008274BA
Behavior: Enumerate processes
Details: N/A
File behavior
Behavior: Set attributes on special folders
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior: Search for files
Details: FileName = C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012016091220160913\*.*
Network behavior
Behavior: Open HTTP session
Details: InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1), hSession = 0x00cc0004
Registry behavior
Behavior: Modify registry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Multimedia\DrawDib\vga.drv 1920x973x32(BGR 0)
Behavior: Open registry key (VM detection)
Details: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Behavior: Registry query (VM detection)
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Other behavior
Behavior: Direct calls to critical system APIs (by syscall index)
Details: Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x0084BF13
Index = 0x000000E5, Name: NtSetInformationThread, Instruction Address = 0x0085E532
Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x00861CA4
Behavior: Probe for Virtual PC
Details: N/A
Behavior: Create mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
MSCTF.Shared.MUTEX.IHK
Behavior: Create event object
Details: EventName = DINPUTWINMM
EventName = 信息
EventName = MSCTF.SendReceive.Event.IHK.IC
EventName = MSCTF.SendReceiveConection.Event.IHK.IC
Behavior: Open event
Details: HookSwitchHookEnabledEvent
信息
MSFT.VSA.COM.DISABLE.2676
MSFT.VSA.IEC.STATUS.6c736db0
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000011
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000011
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Behavior: Open mutex
Details: DBWinMutex
ShimCacheMutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
Behavior: Find specific window
Details: NtUserFindWindowEx: [Class,Window] = [18467-41,]
NtUserFindWindowEx: [Class,Window] = [,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior: Attempt to open debugger/monitor driver device objects
Details: \??\SICE
\??\SIWVID
\??\NTICE
Behavior: Locate the kernel32.dll base address
Details: Instruction Address = 0x0067fa68
Behavior: Read cursor position
Details: CursorPos = (80,18468), SleepMilliseconds = 50.
CursorPos = (6373,26501), SleepMilliseconds = 50.
CursorPos = (19208,15725), SleepMilliseconds = 50.
CursorPos = (11517,29359), SleepMilliseconds = 50.
CursorPos = (27001,24465), SleepMilliseconds = 50.
CursorPos = (5744,28146), SleepMilliseconds = 50.
CursorPos = (23320,16828), SleepMilliseconds = 50.
CursorPos = (10000,492), SleepMilliseconds = 50.
CursorPos = (3034,11943), SleepMilliseconds = 50.
CursorPos = (4866,5437), SleepMilliseconds = 60000.
CursorPos = (32430,14605), SleepMilliseconds = 60000.
CursorPos = (3941,154), SleepMilliseconds = 60000.
CursorPos = (331,12383), SleepMilliseconds = 60000.
CursorPos = (17460,18717), SleepMilliseconds = 60000.
CursorPos = (19757,19896), SleepMilliseconds = 60000.
Behavior: Window information
Details: Pid = 2676, Hwnd=0x10420, Text = 菜单 (Menu), ClassName = _EL_HyperLinker.
Pid = 2676, Hwnd=0x10416, Text = 增加 (Add), ClassName = Button.
Pid = 2676, Hwnd=0x1040c, Text = 一键领选中活动 (Claim selected activities with one click), ClassName = Button.
Pid = 2676, Hwnd=0x1040a, Text = G分与聚豆 (G points and Ju beans), ClassName = Button.
Pid = 2676, Hwnd=0x10406, Text = 0, ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2676, Hwnd=0x10404, Text = 0, ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2676, Hwnd=0x10402, Text = 0, ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2676, Hwnd=0x10400, Text = 积分 (Points), ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2676, Hwnd=0x103fe, Text = 聚豆 (Ju beans), ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2676, Hwnd=0x103fc, Text = G分 (G points), ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2676, Hwnd=0x10476, Text = 英雄武器分期付款 >>> 进入活动 <<< (Hero weapon installment plan >>> Enter activity <<<), ClassName = _EL_HyperLinker.
Pid = 2676, Hwnd=0x10474, Text = 英雄武器换购 >>> 进入活动 <<< (Hero weapon trade-in >>> Enter activity <<<), ClassName = _EL_HyperLinker.
Pid = 2676, Hwnd=0x10472, Text = 引爆枪王福利 >>> 进入活动 <<< (Gun King bonus blowout >>> Enter activity <<<), ClassName = _EL_HyperLinker.
Pid = 2676, Hwnd=0x10470, Text = 新春枪王活动 >>> 进入活动 <<< (New Year Gun King event >>> Enter activity <<<), ClassName = _EL_HyperLinker.
Pid = 2676, Hwnd=0x1046e, Text = 2月刮刮卡 >>> 进入活动 <<< (February scratch card >>> Enter activity <<<), ClassName = _EL_HyperLinker.
Behavior: Capture foreground window (screenshot info)
Details: Foreground window Info: HWND = 0x0001036e, DC = 0x01010686.
Foreground window Info: HWND = 0x00010370, DC = 0x01010686.
Foreground window Info: HWND = 0x00010372, DC = 0x01010686.
Foreground window Info: HWND = 0x00010374, DC = 0x01010686.
Foreground window Info: HWND = 0x00010376, DC = 0x01010686.
Foreground window Info: HWND = 0x00010378, DC = 0x01010686.
Foreground window Info: HWND = 0x0001037e, DC = 0x01010686.
Foreground window Info: HWND = 0x00010380, DC = 0x01010686.
Foreground window Info: HWND = 0x00010382, DC = 0x01010686.
Foreground window Info: HWND = 0x00010386, DC = 0x01010686.
Foreground window Info: HWND = 0x00010388, DC = 0x01010686.
Behavior: Direct access to a physical device
Details: \??\PhysicalDrive0
Behavior: Call Sleep
Details: [1]: MilliSeconds = 50.
[2]: MilliSeconds = 100.
[3]: MilliSeconds = 60000.
[4]: MilliSeconds = 60000.
[5]: MilliSeconds = 60000.
[6]: MilliSeconds = 60000.
[7]: MilliSeconds = 60000.
[8]: MilliSeconds = 60000.
[9]: MilliSeconds = 60000.
[10]: MilliSeconds = 60000.
Behavior: Hide specific windows
Details: [Window,Class] = [,ComboLBox]
[Window,Class] = [<,AfxWnd42s]
[Window,Class] = [>,AfxWnd42s]
[Window,Class] = [线程登录 (Thread login),_EL_Label]
[Window,Class] = [大区登录 (Region login),_EL_Label]
[Window,Class] = [,Afx:400000:b:10011:1900010:0]
[Window,Class] = [,Afx:400000:b:10011:0:0]
[Window,Class] = [,CPageControl]
[Window,Class] = [,Button]
[Window,Class] = [剩余天数 (Days remaining),_EL_Label]
[Window,Class] = [收益G分 (G points earned),_EL_Label]
[Window,Class] = [按照上方顺序排列 (Arranged in the order above),_EL_Label]
[Window,Class] = [,msctls_progress32]
[Window,Class] = [增加 (Add),Button]
[Window,Class] = [,_EL_PicBox]
Behavior: Read TickCount (GetTickCount around Sleep)
Details: TickCount = 220628, SleepMilliseconds = 50.
TickCount = 220643, SleepMilliseconds = 50.
TickCount = 221237, SleepMilliseconds = 50.
TickCount = 222081, SleepMilliseconds = 50.
TickCount = 222315, SleepMilliseconds = 50.
TickCount = 222331, SleepMilliseconds = 50.
TickCount = 222362, SleepMilliseconds = 50.
TickCount = 222409, SleepMilliseconds = 50.
TickCount = 222487, SleepMilliseconds = 50.
TickCount = 222503, SleepMilliseconds = 50.
TickCount = 223518, SleepMilliseconds = 50.
TickCount = 223768, SleepMilliseconds = 50.
TickCount = 223784, SleepMilliseconds = 50.
TickCount = 223815, SleepMilliseconds = 50.
TickCount = 223878, SleepMilliseconds = 50.
Behavior: Read the CPU timestamp counter directly (RDTSC)
Details: EAX = 0x614971aa, EDX = 0x000000b6
EAX = 0x614971f6, EDX = 0x000000b6
EAX = 0x61497242, EDX = 0x000000b6
EAX = 0x6149728e, EDX = 0x000000b6
EAX = 0x614972da, EDX = 0x000000b6
EAX = 0x61497326, EDX = 0x000000b6
EAX = 0x61497372, EDX = 0x000000b6
EAX = 0x63fc72ee, EDX = 0x000000b6
EAX = 0x63fc733a, EDX = 0x000000b6
EAX = 0x63fc7386, EDX = 0x000000b6
Behavior: Search for a specific kernel module
Details: lstrcmpiA: ntice.sys <------> ntkrnlpa.exe Des: SoftICE driver
lstrcmpiA: ntice.sys <------> hal.dll Des: SoftICE driver
lstrcmpiA: ntice.sys <------> KDCOM.DLL Des: SoftICE driver
lstrcmpiA: ntice.sys <------> BOOTVID.dll Des: SoftICE driver
lstrcmpiA: ntice.sys <------> ACPI.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> WMILIB.SYS Des: SoftICE driver
lstrcmpiA: ntice.sys <------> pci.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> isapnp.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> compbatt.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> BATTC.SYS Des: SoftICE driver
lstrcmpiA: ntice.sys <------> intelide.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> PCIIDEX.SYS Des: SoftICE driver
lstrcmpiA: ntice.sys <------> MountMgr.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> ftdisk.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> dmload.sys Des: SoftICE driver
Behavior: Search for windows of common analysis tools
Details: NtUserFindWindowEx: [Class,Window] = [OLLYDBG,]
NtUserFindWindowEx: [Class,Window] = [GBDYLLO,]
NtUserFindWindowEx: [Class,Window] = [pediy06,]
NtUserFindWindowEx: [Class,Window] = [FilemonClass,]
NtUserFindWindowEx: [Class,Window] = [,File Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]
NtUserFindWindowEx: [Class,Window] = [,Process Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [RegmonClass,]
NtUserFindWindowEx: [Class,Window] = [,Registry Monitor - Sysinternals: www.sysinternals.com]
Behavior: VM detection via the VMware backdoor instruction
Details: N/A
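The behavior entries above are raw sandbox output; what an analyst wants from them is a quick answer to three questions: which evasion families the sample uses, whether the sandbox visibly shortened the Sleep calls the sample bracketed with GetTickCount, and whether the cursor it polled ever moved. The Python below is an added example, not VirSCAN's code and not the analysed sample's; it parses lines in this report's format (the embedded excerpt is constructed from the entries above, abridged, with the labels in English) and answers those three questions. The indicator strings and the tag names are this example's own choices, not VirSCAN's.

```python
# Added example (not VirSCAN's code and not the analysed sample's): triage a
# VirSCAN-style behavior report for anti-analysis indicators and sandbox artefacts.
import re
from collections import defaultdict

# Constructed excerpt in the report's own line format (labels rendered in
# English); values are copied from the entries above, abridged.
SAMPLE_REPORT = r"""Behavior: Read TickCount
Details: TickCount = 220628, SleepMilliseconds = 50.
TickCount = 220643, SleepMilliseconds = 50.
TickCount = 221237, SleepMilliseconds = 50.
TickCount = 222081, SleepMilliseconds = 50.
Behavior: Read cursor position
Details: CursorPos = (80,18468), SleepMilliseconds = 50.
CursorPos = (6373,26501), SleepMilliseconds = 50.
CursorPos = (4866,5437), SleepMilliseconds = 60000.
Behavior: Attempt to open debugger/monitor driver device objects
Details: \??\SICE
\??\NTICE
Behavior: Search for windows of common analysis tools
Details: NtUserFindWindowEx: [Class,Window] = [OLLYDBG,]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]
Behavior: Registry query (VM detection)
Details: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Behavior: Direct calls to critical system APIs
Details: Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x0084BF13
Index = 0x000000E5, Name: NtSetInformationThread, Instruction Address = 0x0085E532
"""

BEHAVIOR_RE = re.compile(r"^Behavior:\s*(.*)$")
DETAIL_RE = re.compile(r"^Details:\s*(.*)$")
TICK_RE = re.compile(r"TickCount = (\d+), SleepMilliseconds = (\d+)")
CURSOR_RE = re.compile(r"CursorPos = \((\d+),(\d+)\)")

# Coarse evasion families keyed on strings that appear in the report
# (tag names and patterns are this example's choice, not VirSCAN's).
INDICATORS = {
    "anti-debug: driver device": r"\\\?\?\\(SICE|SIWVID|NTICE)\b",
    "anti-debug: tool window": r"\[(OLLYDBG|GBDYLLO|pediy06|FilemonClass|PROCMON_WINDOW_CLASS|RegmonClass),",
    "anti-debug: native API": r"\b(NtQueryInformationProcess|NtSetInformationThread)\b",
    "anti-vm: registry": r"SystemBiosVersion|VideoBiosVersion|DriverDesc|VBOX__",
}


def parse_report(text):
    """Group detail lines under their 'Behavior:' heading; unprefixed lines
    continue the previous Details block. 'N/A' placeholders are dropped."""
    groups = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BEHAVIOR_RE.match(line)
        if m:
            current = m.group(1)
            groups.setdefault(current, [])  # keep N/A-only behaviors visible
            continue
        m = DETAIL_RE.match(line)
        if m:
            line = m.group(1)
        if current is not None and line != "N/A":
            groups[current].append(line)
    return dict(groups)


def tick_deltas(lines):
    """(elapsed_ms, requested_sleep_ms) per consecutive pair of GetTickCount
    samples. Elapsed time shorter than the Sleep the sample requested is how a
    sleep-skipping sandbox looks from inside the process."""
    samples = [(int(m.group(1)), int(m.group(2)))
               for m in map(TICK_RE.search, lines) if m]
    return [(b[0] - a[0], a[1]) for a, b in zip(samples, samples[1:])]


def sleep_skipped(lines):
    """Number of intervals where the clock advanced less than the requested Sleep."""
    return sum(1 for elapsed, asked in tick_deltas(lines) if elapsed < asked)


def cursor_idle(lines):
    """True when every polled cursor position is identical: the 'nobody at the
    keyboard' signal. Any movement, real or injected by the sandbox, defeats it."""
    points = [(int(m.group(1)), int(m.group(2)))
              for m in map(CURSOR_RE.search, lines) if m]
    return len(points) > 1 and all(p == points[0] for p in points)


def classify(groups):
    """Sorted list of evasion tags whose indicator matches any detail line."""
    tags = set()
    for lines in groups.values():
        for line in lines:
            for tag, pattern in INDICATORS.items():
                if re.search(pattern, line):
                    tags.add(tag)
    return sorted(tags)


def triage(text):
    """One-shot summary: evasion tags plus the two sandbox-artefact checks."""
    groups = parse_report(text)
    all_lines = [l for lines in groups.values() for l in lines]
    return {
        "behaviors": len(groups),
        "tags": classify(groups),
        "sleep_skipped": sleep_skipped(all_lines),
        "cursor_idle": cursor_idle(all_lines),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Two caveats when reading the timing and cursor results against this report. GetTickCount advances in roughly 15.6 ms steps, so the 15 ms, 16 ms and 31 ms intervals between consecutive TickCount entries (each logged around a 50 ms Sleep) would be consistent with a sandbox that shortens Sleep, but the log does not guarantee that adjacent entries are adjacent calls, so treat the count as a hint rather than proof. The cursor coordinates the sample polled, such as (32430,14605), lie far outside the 1920x973 desktop recorded under the DrawDib key, which suggests the sandbox feeds synthetic cursor positions; cursor_idle is therefore expected to be false here whether or not the sample acted on it.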
Runtime screenshot: (image not captured)