VirSCAN

1, You can upload any file, but there is a 20 MB limit per file.
2, VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3, VirSCAN can scan password-protected archives if the password is 'infected' or 'virus'.


File information
Safety rating: 50
Behavior list
Basic Information
MD5: 769ba1561c8fa16dd677fea76e874d8b
File type: EXE
Vendor:
Version:
Packer/compiler: PACKER: UPolyX v0.5
Key behavior
Behavior description: Direct calls to critical system services (by system service index)
details:Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x0084BF13
Index = 0x000000E5, Name: NtSetInformationThread, Instruction Address = 0x0085E532
Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x00861CA4
Behavior description: Probes for Virtual PC
details:N/A
Behavior description: Queries registry values (VM detection)
details:\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Behavior description: Attempts to open the driver device objects of debuggers or monitoring tools
details:\??\SICE
\??\SIWVID
\??\NTICE
Behavior description: Reads the tick count (GetTickCount)
details:TickCount = 220628, SleepMilliseconds = 50.
TickCount = 220643, SleepMilliseconds = 50.
TickCount = 221237, SleepMilliseconds = 50.
TickCount = 222081, SleepMilliseconds = 50.
TickCount = 222315, SleepMilliseconds = 50.
TickCount = 222331, SleepMilliseconds = 50.
TickCount = 222362, SleepMilliseconds = 50.
TickCount = 222409, SleepMilliseconds = 50.
TickCount = 222487, SleepMilliseconds = 50.
TickCount = 222503, SleepMilliseconds = 50.
TickCount = 223518, SleepMilliseconds = 50.
TickCount = 223768, SleepMilliseconds = 50.
TickCount = 223784, SleepMilliseconds = 50.
TickCount = 223815, SleepMilliseconds = 50.
TickCount = 223878, SleepMilliseconds = 50.
Behavior description: Opens registry key (VM detection)
details:\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Behavior description: Captures foreground window screenshot information
details:Foreground window Info: HWND = 0x0001036e, DC = 0x01010686.
Foreground window Info: HWND = 0x00010370, DC = 0x01010686.
Foreground window Info: HWND = 0x00010372, DC = 0x01010686.
Foreground window Info: HWND = 0x00010374, DC = 0x01010686.
Foreground window Info: HWND = 0x00010376, DC = 0x01010686.
Foreground window Info: HWND = 0x00010378, DC = 0x01010686.
Foreground window Info: HWND = 0x0001037e, DC = 0x01010686.
Foreground window Info: HWND = 0x00010380, DC = 0x01010686.
Foreground window Info: HWND = 0x00010382, DC = 0x01010686.
Foreground window Info: HWND = 0x00010386, DC = 0x01010686.
Foreground window Info: HWND = 0x00010388, DC = 0x01010686.
Behavior description: Sets attributes on special folders
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Reads the CPU timestamp counter directly (RDTSC)
details:EAX = 0x614971aa, EDX = 0x000000b6
EAX = 0x614971f6, EDX = 0x000000b6
EAX = 0x61497242, EDX = 0x000000b6
EAX = 0x6149728e, EDX = 0x000000b6
EAX = 0x614972da, EDX = 0x000000b6
EAX = 0x61497326, EDX = 0x000000b6
EAX = 0x61497372, EDX = 0x000000b6
EAX = 0x63fc72ee, EDX = 0x000000b6
EAX = 0x63fc733a, EDX = 0x000000b6
EAX = 0x63fc7386, EDX = 0x000000b6
Behavior description: Searches for a specific kernel module
details:lstrcmpiA: ntice.sys <------> ntkrnlpa.exe Des: SoftICE driver
lstrcmpiA: ntice.sys <------> hal.dll Des: SoftICE driver
lstrcmpiA: ntice.sys <------> KDCOM.DLL Des: SoftICE driver
lstrcmpiA: ntice.sys <------> BOOTVID.dll Des: SoftICE driver
lstrcmpiA: ntice.sys <------> ACPI.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> WMILIB.SYS Des: SoftICE driver
lstrcmpiA: ntice.sys <------> pci.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> isapnp.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> compbatt.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> BATTC.SYS Des: SoftICE driver
lstrcmpiA: ntice.sys <------> intelide.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> PCIIDEX.SYS Des: SoftICE driver
lstrcmpiA: ntice.sys <------> MountMgr.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> ftdisk.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> dmload.sys Des: SoftICE driver
Behavior description: Searches for windows of common analysis tools
details:NtUserFindWindowEx: [Class,Window] = [OLLYDBG,]
NtUserFindWindowEx: [Class,Window] = [GBDYLLO,]
NtUserFindWindowEx: [Class,Window] = [pediy06,]
NtUserFindWindowEx: [Class,Window] = [FilemonClass,]
NtUserFindWindowEx: [Class,Window] = [,File Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]
NtUserFindWindowEx: [Class,Window] = [,Process Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [RegmonClass,]
NtUserFindWindowEx: [Class,Window] = [,Registry Monitor - Sysinternals: www.sysinternals.com]
Behavior description: VMware backdoor I/O instruction VM detection
details:N/A
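How a triager reduces a report like the one above to a list of evasion techniques, as an added example (this is not VirSCAN's code, nor code from the sample): the script parses the `Behavior description:` / `details:` layout and keys its rules on the detail strings (API names, device paths, registry keys, window classes), so it works on the untranslated report as well as on this page. The excerpt embedded below is copied from this report; the rule table, the category names and the "re-run in a hardened VM" threshold are assumptions of this example.

```python
"""Triage of a VirSCAN-style behaviour report: map raw sandbox observations
onto evasion techniques.  Added example, not VirSCAN code.  The report lines
are copied from the page; the rule table and threshold are assumptions."""
import re
from collections import defaultdict

# Constructed excerpt of the report on this page.  Description lines are left
# in the original Chinese on purpose: the rules key only on the detail text.
SAMPLE_REPORT = r"""Behavior description:直接调用系统关键API
details:Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x0084BF13
Index = 0x000000E5, Name: NtSetInformationThread, Instruction Address = 0x0085E532
Behavior description:查询注册表_检测虚拟机相关
details:\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Behavior description:尝试打开调试器或监控软件的驱动设备对象
details:\??\SICE
\??\NTICE
Behavior description:打开注册表_检测虚拟机相关
details:\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Behavior description:查找反病毒常用工具窗口
details:NtUserFindWindowEx: [Class,Window] = [OLLYDBG,]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]
Behavior description:调用Sleep函数
details:[1]: MilliSeconds = 50.
[3]: MilliSeconds = 60000.
Behavior description:直接操作物理设备
details:\??\PhysicalDrive0
"""

# (category, technique, regex over one detail line).  Assumed mapping.
RULES = [
    ("anti-debug", "NtQueryInformationProcess (debug port / debug object queries)", r"NtQueryInformationProcess"),
    ("anti-debug", "NtSetInformationThread (ThreadHideFromDebugger)", r"NtSetInformationThread"),
    ("anti-debug", "SoftICE device object probe", r"\\\?\?\\(SICE|SIWVID|NTICE)\b"),
    ("anti-debug", "debugger window class search", r"\[(OLLYDBG|GBDYLLO|pediy06),\]"),
    ("anti-analysis", "Sysinternals monitor window search", r"(FilemonClass|PROCMON_WINDOW_CLASS|RegmonClass)"),
    ("anti-vm", "VirtualBox ACPI DSDT key", r"ACPI\\DSDT\\VBOX__"),
    ("anti-vm", "BIOS / video BIOS version strings", r"(SystemBiosVersion|VideoBiosVersion)"),
    ("anti-vm", "display adapter DriverDesc", r"\{4D36E968-E325-11CE-BFC1-08002BE10318\}"),
    ("sandbox-timeout", "Sleep of 60 s or more", r"MilliSeconds = ([6-9]\d{4}|\d{6,})\."),
    ("raw-disk", "PhysicalDrive handle", r"PhysicalDrive\d"),
]


def parse_report(text):
    """Return [(description, [detail lines])] from the report layout: a
    'Behavior description:' line, a 'details:' line, then bare continuation lines."""
    entries, desc, details = [], None, []
    for line in text.splitlines():
        if line.startswith("Behavior description:"):
            if desc is not None:
                entries.append((desc, details))
            desc, details = line.split(":", 1)[1].strip(), []
        elif line.startswith("details:"):
            details.append(line.split(":", 1)[1].strip())
        elif desc is not None and line.strip():
            details.append(line.strip())
    if desc is not None:
        entries.append((desc, details))
    return entries


def classify(entries):
    """Map every detail line through RULES: {category: {technique: [evidence]}}."""
    hits = defaultdict(dict)
    for _desc, details in entries:
        for detail in details:
            for category, technique, pattern in RULES:
                if re.search(pattern, detail):
                    hits[category].setdefault(technique, []).append(detail)
    return {c: dict(t) for c, t in hits.items()}


def verdict(hits, rerun_threshold=3):
    """(number of distinct techniques, whether a re-run in a hardened analysis
    VM is warranted).  The threshold is an assumption of this example."""
    n = sum(len(t) for t in hits.values())
    return n, n >= rerun_threshold


if __name__ == "__main__":
    found = classify(parse_report(SAMPLE_REPORT))
    for category, techniques in found.items():
        print(category)
        for technique, evidence in techniques.items():
            print(f"  {technique}: {len(evidence)} hit(s), e.g. {evidence[0]}")
    print("techniques=%d rerun=%s" % verdict(found))
```

Keying on the detail strings rather than on the description labels matters in practice: the labels are the sandbox's own interpretation and change between report versions and languages, while the API names, device paths and window classes are what the sample itself emitted.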
Process behavior
Behavior description: Creates local threads
details:TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2688, StartAddress = 0067E1C3, Parameter = 008150F7
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2692, StartAddress = 0067E1C3, Parameter = 00815ABE
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2696, StartAddress = 0067E1C3, Parameter = 00816AD2
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2700, StartAddress = 0067E1C3, Parameter = 008175D3
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2704, StartAddress = 0067E1C3, Parameter = 008180C6
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2708, StartAddress = 0067E1C3, Parameter = 00818AE6
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2712, StartAddress = 0067E1C3, Parameter = 00819530
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2716, StartAddress = 0067E1C3, Parameter = 00819F3E
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2720, StartAddress = 0067E1C3, Parameter = 0081FE49
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2724, StartAddress = 0067E1C3, Parameter = 0082243B
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2728, StartAddress = 0067E1C3, Parameter = 00823502
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2732, StartAddress = 0067E1C3, Parameter = 008243E2
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2736, StartAddress = 0067E1C3, Parameter = 008254E3
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2740, StartAddress = 0067E1C3, Parameter = 008264A6
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2676, ThreadID = 2744, StartAddress = 0067E1C3, Parameter = 008274BA
Behavior description: Enumerates processes
details:N/A
File behavior
Behavior description: Sets attributes on special folders
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Searches for files
details:FileName = C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012016091220160913\*.*
Network behavior
Behavior description: Opens an HTTP session
details:InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1), hSession = 0x00cc0004
Registry behavior
Behavior description: Modifies registry
details:\REGISTRY\USER\S-*\Software\Microsoft\Multimedia\DrawDib\vga.drv 1920x973x32(BGR 0)
Behavior description: Opens registry key (VM detection)
details:\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Behavior description: Queries registry values (VM detection)
details:\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Other behavior
Behavior description: Direct calls to critical system services (by system service index)
details:Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x0084BF13
Index = 0x000000E5, Name: NtSetInformationThread, Instruction Address = 0x0085E532
Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x00861CA4
Behavior description: Probes for Virtual PC
details:N/A
Behavior description: Creates mutexes
details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
MSCTF.Shared.MUTEX.IHK
Behavior description: Creates event objects
details:EventName = DINPUTWINMM
EventName = 信息 ("Information")
EventName = MSCTF.SendReceive.Event.IHK.IC
EventName = MSCTF.SendReceiveConection.Event.IHK.IC
Behavior description: Opens events
details:HookSwitchHookEnabledEvent
信息 ("Information")
MSFT.VSA.COM.DISABLE.2676
MSFT.VSA.IEC.STATUS.6c736db0
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000011
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000011
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Behavior description: Opens mutexes
details:DBWinMutex
ShimCacheMutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
Behavior description: Searches for specific windows
details:NtUserFindWindowEx: [Class,Window] = [18467-41,]
NtUserFindWindowEx: [Class,Window] = [,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Attempts to open the driver device objects of debuggers or monitoring tools
details:\??\SICE
\??\SIWVID
\??\NTICE
Behavior description: Searches for the kernel32.dll base address
details:Instruction Address = 0x0067fa68
Behavior description: Reads the cursor position
details:CursorPos = (80,18468), SleepMilliseconds = 50.
CursorPos = (6373,26501), SleepMilliseconds = 50.
CursorPos = (19208,15725), SleepMilliseconds = 50.
CursorPos = (11517,29359), SleepMilliseconds = 50.
CursorPos = (27001,24465), SleepMilliseconds = 50.
CursorPos = (5744,28146), SleepMilliseconds = 50.
CursorPos = (23320,16828), SleepMilliseconds = 50.
CursorPos = (10000,492), SleepMilliseconds = 50.
CursorPos = (3034,11943), SleepMilliseconds = 50.
CursorPos = (4866,5437), SleepMilliseconds = 60000.
CursorPos = (32430,14605), SleepMilliseconds = 60000.
CursorPos = (3941,154), SleepMilliseconds = 60000.
CursorPos = (331,12383), SleepMilliseconds = 60000.
CursorPos = (17460,18717), SleepMilliseconds = 60000.
CursorPos = (19757,19896), SleepMilliseconds = 60000.
Behavior description: Window information
details:Pid = 2676, Hwnd=0x10420, Text = 菜单 (Menu), ClassName = _EL_HyperLinker.
Pid = 2676, Hwnd=0x10416, Text = 增加 (Add), ClassName = Button.
Pid = 2676, Hwnd=0x1040c, Text = 一键领选中活动 (Claim selected events with one click), ClassName = Button.
Pid = 2676, Hwnd=0x1040a, Text = G分与聚豆 (G-points and Ju-beans), ClassName = Button.
Pid = 2676, Hwnd=0x10406, Text = 0, ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2676, Hwnd=0x10404, Text = 0, ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2676, Hwnd=0x10402, Text = 0, ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2676, Hwnd=0x10400, Text = 积分 (Points), ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2676, Hwnd=0x103fe, Text = 聚豆 (Ju-beans), ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2676, Hwnd=0x103fc, Text = G分 (G-points), ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2676, Hwnd=0x10476, Text = 英雄武器分期付款 >>> 进入活动 <<< (Hero weapon installment plan >>> Enter event <<<), ClassName = _EL_HyperLinker.
Pid = 2676, Hwnd=0x10474, Text = 英雄武器换购 >>> 进入活动 <<< (Hero weapon trade-in >>> Enter event <<<), ClassName = _EL_HyperLinker.
Pid = 2676, Hwnd=0x10472, Text = 引爆枪王福利 >>> 进入活动 <<< (Detonate Gun King rewards >>> Enter event <<<), ClassName = _EL_HyperLinker.
Pid = 2676, Hwnd=0x10470, Text = 新春枪王活动 >>> 进入活动 <<< (New Year Gun King event >>> Enter event <<<), ClassName = _EL_HyperLinker.
Pid = 2676, Hwnd=0x1046e, Text = 2月刮刮卡 >>> 进入活动 <<< (February scratch card >>> Enter event <<<), ClassName = _EL_HyperLinker.
Behavior description: Captures foreground window screenshot information
details:Foreground window Info: HWND = 0x0001036e, DC = 0x01010686.
Foreground window Info: HWND = 0x00010370, DC = 0x01010686.
Foreground window Info: HWND = 0x00010372, DC = 0x01010686.
Foreground window Info: HWND = 0x00010374, DC = 0x01010686.
Foreground window Info: HWND = 0x00010376, DC = 0x01010686.
Foreground window Info: HWND = 0x00010378, DC = 0x01010686.
Foreground window Info: HWND = 0x0001037e, DC = 0x01010686.
Foreground window Info: HWND = 0x00010380, DC = 0x01010686.
Foreground window Info: HWND = 0x00010382, DC = 0x01010686.
Foreground window Info: HWND = 0x00010386, DC = 0x01010686.
Foreground window Info: HWND = 0x00010388, DC = 0x01010686.
Behavior description: Direct access to a physical device
details:\??\PhysicalDrive0
Behavior description: Calls Sleep
details:[1]: MilliSeconds = 50.
[2]: MilliSeconds = 100.
[3]: MilliSeconds = 60000.
[4]: MilliSeconds = 60000.
[5]: MilliSeconds = 60000.
[6]: MilliSeconds = 60000.
[7]: MilliSeconds = 60000.
[8]: MilliSeconds = 60000.
[9]: MilliSeconds = 60000.
[10]: MilliSeconds = 60000.
Behavior description: Hides specific windows
details:[Window,Class] = [,ComboLBox]
[Window,Class] = [<,AfxWnd42s]
[Window,Class] = [>,AfxWnd42s]
[Window,Class] = [线程登录 (Thread login),_EL_Label]
[Window,Class] = [大区登录 (Region login),_EL_Label]
[Window,Class] = [,Afx:400000:b:10011:1900010:0]
[Window,Class] = [,Afx:400000:b:10011:0:0]
[Window,Class] = [,CPageControl]
[Window,Class] = [,Button]
[Window,Class] = [剩余天数 (Days remaining),_EL_Label]
[Window,Class] = [收益G分 (G-points earned),_EL_Label]
[Window,Class] = [按照上方顺序排列 (Arranged in the order above),_EL_Label]
[Window,Class] = [,msctls_progress32]
[Window,Class] = [增加 (Add),Button]
[Window,Class] = [,_EL_PicBox]
Behavior description: Reads the tick count (GetTickCount)
details:TickCount = 220628, SleepMilliseconds = 50.
TickCount = 220643, SleepMilliseconds = 50.
TickCount = 221237, SleepMilliseconds = 50.
TickCount = 222081, SleepMilliseconds = 50.
TickCount = 222315, SleepMilliseconds = 50.
TickCount = 222331, SleepMilliseconds = 50.
TickCount = 222362, SleepMilliseconds = 50.
TickCount = 222409, SleepMilliseconds = 50.
TickCount = 222487, SleepMilliseconds = 50.
TickCount = 222503, SleepMilliseconds = 50.
TickCount = 223518, SleepMilliseconds = 50.
TickCount = 223768, SleepMilliseconds = 50.
TickCount = 223784, SleepMilliseconds = 50.
TickCount = 223815, SleepMilliseconds = 50.
TickCount = 223878, SleepMilliseconds = 50.
Behavior description: Reads the CPU timestamp counter directly (RDTSC)
details:EAX = 0x614971aa, EDX = 0x000000b6
EAX = 0x614971f6, EDX = 0x000000b6
EAX = 0x61497242, EDX = 0x000000b6
EAX = 0x6149728e, EDX = 0x000000b6
EAX = 0x614972da, EDX = 0x000000b6
EAX = 0x61497326, EDX = 0x000000b6
EAX = 0x61497372, EDX = 0x000000b6
EAX = 0x63fc72ee, EDX = 0x000000b6
EAX = 0x63fc733a, EDX = 0x000000b6
EAX = 0x63fc7386, EDX = 0x000000b6
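What the sample does with the two blocks of timing values above, as an added example that is neither the sample's nor VirSCAN's code: each RDTSC line is the EDX:EAX pair of one 64-bit timestamp-counter read, and each tick-count line is one GetTickCount read paired with a Sleep. Combining the halves and differencing exposes the two classic checks: consecutive RDTSC reads bracket a short code path, and a large delta means the path was single-stepped or instrumented; after Sleep(n) the tick count must have advanced by about n, and a smaller advance means the sleep was shortened. The values below are copied from this report; the assumption that the recorded sleep sits between consecutive reads, the 0x1000-tick RDTSC threshold and the 16 ms GetTickCount granularity allowance are this example's own.

```python
"""Reconstruct the RDTSC and GetTickCount timing checks from the values a
sandbox report lists.  Added example, not VirSCAN or sample code.  Values are
copied from the report on this page; thresholds and the assumption that each
recorded Sleep lies between consecutive reads are this example's."""
import re

# Constructed excerpts, copied from the report on this page.
RDTSC_LINES = """\
EAX = 0x614971aa, EDX = 0x000000b6
EAX = 0x614971f6, EDX = 0x000000b6
EAX = 0x61497242, EDX = 0x000000b6
EAX = 0x6149728e, EDX = 0x000000b6
EAX = 0x614972da, EDX = 0x000000b6
EAX = 0x61497326, EDX = 0x000000b6
EAX = 0x61497372, EDX = 0x000000b6
EAX = 0x63fc72ee, EDX = 0x000000b6
EAX = 0x63fc733a, EDX = 0x000000b6
EAX = 0x63fc7386, EDX = 0x000000b6
"""
TICK_LINES = """\
TickCount = 220628, SleepMilliseconds = 50.
TickCount = 220643, SleepMilliseconds = 50.
TickCount = 221237, SleepMilliseconds = 50.
TickCount = 222081, SleepMilliseconds = 50.
TickCount = 222315, SleepMilliseconds = 50.
TickCount = 222331, SleepMilliseconds = 50.
TickCount = 222362, SleepMilliseconds = 50.
TickCount = 222409, SleepMilliseconds = 50.
TickCount = 222487, SleepMilliseconds = 50.
TickCount = 222503, SleepMilliseconds = 50.
TickCount = 223518, SleepMilliseconds = 50.
TickCount = 223768, SleepMilliseconds = 50.
TickCount = 223784, SleepMilliseconds = 50.
TickCount = 223815, SleepMilliseconds = 50.
TickCount = 223878, SleepMilliseconds = 50.
"""


def parse_rdtsc(text):
    """RDTSC returns the counter split across EDX (high) and EAX (low); rebuild
    the 64-bit value (EDX << 32) | EAX for every logged read."""
    return [(int(edx, 16) << 32) | int(eax, 16)
            for eax, edx in re.findall(r"EAX = 0x([0-9a-f]+), EDX = 0x([0-9a-f]+)", text)]


def deltas(seq):
    return [b - a for a, b in zip(seq, seq[1:])]


def rdtsc_check(tsc, max_delta=0x1000):
    """Anti-debug comparison: index of every interval whose tick delta exceeds
    max_delta (the threshold is assumed; real samples pick their own)."""
    return [i for i, d in enumerate(deltas(tsc)) if d > max_delta]


def parse_ticks(text):
    """[(tick_count, sleep_ms)] in report order."""
    return [(int(t), int(s))
            for t, s in re.findall(r"TickCount = (\d+), SleepMilliseconds = (\d+)", text)]


def sleep_skip_check(samples, tick_resolution=16):
    """Anti-sandbox comparison: after Sleep(sleep_ms) the next GetTickCount
    must be at least sleep_ms minus the ~15.6 ms timer granularity ahead.
    Returns (interval index, observed advance, sleep_ms) for every shortfall."""
    flagged = []
    for i, ((t0, sleep_ms), (t1, _)) in enumerate(zip(samples, samples[1:])):
        if t1 - t0 < sleep_ms - tick_resolution:
            flagged.append((i, t1 - t0, sleep_ms))
    return flagged


if __name__ == "__main__":
    tsc = parse_rdtsc(RDTSC_LINES)
    print("rdtsc deltas:", [hex(d) for d in deltas(tsc)])
    print("rdtsc intervals over threshold:", rdtsc_check(tsc))
    ticks = parse_ticks(TICK_LINES)
    print("tick deltas:", deltas([t for t, _ in ticks]))
    print("sleeps that were shortened:", sleep_skip_check(ticks))
```

On this report's values the RDTSC stride is exactly 0x4c (76) ticks in nine of the ten intervals, with a single gap of 0x02B2FF7C, and six of the fourteen tick intervals (15, 16, 31, 16, 16, 31 ms) are shorter than the 50 ms sleep that preceded them. Identical RDTSC strides and sub-sleep tick advances are what a sandbox that virtualises the counter and shortens sleeps produces; bare metal does not yield them, so a sample carrying these checks has what it needs to behave differently in the sandbox than on a victim machine.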
Behavior description: Searches for a specific kernel module
details:lstrcmpiA: ntice.sys <------> ntkrnlpa.exe Des: SoftICE driver
lstrcmpiA: ntice.sys <------> hal.dll Des: SoftICE driver
lstrcmpiA: ntice.sys <------> KDCOM.DLL Des: SoftICE driver
lstrcmpiA: ntice.sys <------> BOOTVID.dll Des: SoftICE driver
lstrcmpiA: ntice.sys <------> ACPI.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> WMILIB.SYS Des: SoftICE driver
lstrcmpiA: ntice.sys <------> pci.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> isapnp.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> compbatt.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> BATTC.SYS Des: SoftICE driver
lstrcmpiA: ntice.sys <------> intelide.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> PCIIDEX.SYS Des: SoftICE driver
lstrcmpiA: ntice.sys <------> MountMgr.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> ftdisk.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> dmload.sys Des: SoftICE driver
Behavior description: Searches for windows of common analysis tools
details:NtUserFindWindowEx: [Class,Window] = [OLLYDBG,]
NtUserFindWindowEx: [Class,Window] = [GBDYLLO,]
NtUserFindWindowEx: [Class,Window] = [pediy06,]
NtUserFindWindowEx: [Class,Window] = [FilemonClass,]
NtUserFindWindowEx: [Class,Window] = [,File Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]
NtUserFindWindowEx: [Class,Window] = [,Process Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [RegmonClass,]
NtUserFindWindowEx: [Class,Window] = [,Registry Monitor - Sysinternals: www.sysinternals.com]
Behavior description: VMware backdoor I/O instruction VM detection
details:N/A
Run screenshot