VirSCAN



File information
Security score: 55
Basic information
MD5:ad882d924c7c976e109838bcf399e111
File type: EXE
Vendor: Oreans Technologies
Version: 2.4.6.30---2.4.6.30
Packer/compiler: COMPILER:Microsoft Visual C++ 8.0
Key behaviors
Behavior: Direct calls to critical system APIs
Details: Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x015DADEE
Index = 0x000000E5, Name: NtSetInformationThread, Instruction Address = 0x015E2501
Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x015E9E9D
Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x00AA1E50
Behavior: Probes for the presence of Virtual PC
Details: N/A
Behavior: Queries registry keys related to virtual machine detection
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Behavior: Attempts to open driver device objects of debuggers or monitoring software
Details: \??\SICE
\??\SIWVID
\??\NTICE
Behavior: Reads the TickCount value
Details: TickCount = 231971, SleepMilliseconds = 50.
TickCount = 232050, SleepMilliseconds = 50.
TickCount = 232143, SleepMilliseconds = 50.
TickCount = 232175, SleepMilliseconds = 50.
TickCount = 239550, SleepMilliseconds = 50.
TickCount = 239643, SleepMilliseconds = 50.
TickCount = 239721, SleepMilliseconds = 50.
TickCount = 239815, SleepMilliseconds = 50.
TickCount = 239878, SleepMilliseconds = 50.
TickCount = 242596, SleepMilliseconds = 50.
TickCount = 242659, SleepMilliseconds = 50.
TickCount = 245612, SleepMilliseconds = 50.
TickCount = 245909, SleepMilliseconds = 50.
Behavior: Opens registry keys related to virtual machine detection
Details: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Behavior: Reads the CPU clock directly
Details: EAX = 0xba8bf68b, EDX = 0x000000bf
EAX = 0xba8bf6d7, EDX = 0x000000bf
EAX = 0xba8bf723, EDX = 0x000000bf
EAX = 0xba8bf76f, EDX = 0x000000bf
EAX = 0xba8bf7bb, EDX = 0x000000bf
EAX = 0xba8bf807, EDX = 0x000000bf
EAX = 0xba8bf853, EDX = 0x000000bf
EAX = 0xba8bf89f, EDX = 0x000000bf
EAX = 0xba8bf8eb, EDX = 0x000000bf
EAX = 0xba8bf937, EDX = 0x000000bf
Behavior: Searches for specific kernel modules
Details: lstrcmpiA: ntice.sys <------> ntkrnlpa.exe Des: SoftICE driver
lstrcmpiA: ntice.sys <------> hal.dll Des: SoftICE driver
lstrcmpiA: ntice.sys <------> KDCOM.DLL Des: SoftICE driver
lstrcmpiA: ntice.sys <------> BOOTVID.dll Des: SoftICE driver
lstrcmpiA: ntice.sys <------> ACPI.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> WMILIB.SYS Des: SoftICE driver
lstrcmpiA: ntice.sys <------> pci.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> isapnp.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> compbatt.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> BATTC.SYS Des: SoftICE driver
lstrcmpiA: ntice.sys <------> intelide.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> PCIIDEX.SYS Des: SoftICE driver
lstrcmpiA: ntice.sys <------> MountMgr.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> ftdisk.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> dmload.sys Des: SoftICE driver
Behavior: Searches for windows of common anti-virus and analysis tools
Details: NtUserFindWindowEx: [Class,Window] = [OLLYDBG,]
NtUserFindWindowEx: [Class,Window] = [GBDYLLO,]
NtUserFindWindowEx: [Class,Window] = [pediy06,]
NtUserFindWindowEx: [Class,Window] = [FilemonClass,]
NtUserFindWindowEx: [Class,Window] = [,File Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]
NtUserFindWindowEx: [Class,Window] = [,Process Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [RegmonClass,]
NtUserFindWindowEx: [Class,Window] = [,Registry Monitor - Sysinternals: www.sysinternals.com]
Behavior: Virtual machine detection via VMware-specific instruction
Details: N/A
Process behavior
Behavior: Creates local threads
Details: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2776, ThreadID = 2940, StartAddress = 008B2F0F, Parameter = 00A79C97
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2776, ThreadID = 2944, StartAddress = 008B2F0F, Parameter = 00A7A645
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2776, ThreadID = 2948, StartAddress = 008B2F0F, Parameter = 00A7B89B
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2776, ThreadID = 2952, StartAddress = 008B2F0F, Parameter = 00A7DB66
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2776, ThreadID = 2956, StartAddress = 008B2F0F, Parameter = 00A7E5BA
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2776, ThreadID = 2960, StartAddress = 008B2F0F, Parameter = 00A7F0AC
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2776, ThreadID = 2964, StartAddress = 008B2F0F, Parameter = 00A7FA9D
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2776, ThreadID = 2968, StartAddress = 008B2F0F, Parameter = 00A80773
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2776, ThreadID = 2972, StartAddress = 008B2F0F, Parameter = 00A83AF2
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2776, ThreadID = 2976, StartAddress = 008B2F0F, Parameter = 00A8496A
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2776, ThreadID = 2980, StartAddress = 008B2F0F, Parameter = 00A85A67
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2776, ThreadID = 2984, StartAddress = 008B2F0F, Parameter = 00A86C40
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2776, ThreadID = 2988, StartAddress = 008B2F0F, Parameter = 00A89673
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2776, ThreadID = 2992, StartAddress = 008B2F0F, Parameter = 00A8A81E
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2776, ThreadID = 2996, StartAddress = 008B2F0F, Parameter = 00A8B903
Behavior: Enumerates processes
Details: N/A
File behavior
Behavior: Creates file
Details: C:\Documents and Settings\All Users\Application Data\mntemp
Behavior: Modifies file contents
Details: C:\Documents and Settings\All Users\Application Data\mntemp ---> Offset = 0
Other behavior
Behavior: Creates mutexes
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
MSCTF.Shared.MUTEX.MNK
Behavior: Creates event objects
Details: EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceive.Event.MNK.IC
EventName = MSCTF.SendReceiveConection.Event.MNK.IC
Behavior: Opens mutexes
Details: DBWinMutex
ShimCacheMutex
Behavior: Searches for specific windows
Details: NtUserFindWindowEx: [Class,Window] = [18467-41,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior: Opens events
Details: HookSwitchHookEnabledEvent
CTF.ThreadMIConnectionEvent.000007E8.00000000.0000000F
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.0000000F
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Behavior: Window information
Details: Pid = 2776, Hwnd=0x10416, Text = 确定, ClassName = Button.
Pid = 2776, Hwnd=0x1041a, Text = Sorry, Themida cannot run without a valid license key (TMLicenseA1.dat) Please, contact info@oreans.com, ClassName = Static.
Pid = 2776, Hwnd=0x20412, Text = WinLicense, ClassName = #32770.
Pid = 2776, Hwnd=0x2041a, Text = 确定, ClassName = Button.
Pid = 2776, Hwnd=0x20416, Text = Loading Error. Please, reinstall the application again., ClassName = Static.
Pid = 2776, Hwnd=0x303cc, Text = WinLicense, ClassName = #32770.
Behavior: Direct access to a physical device
Details: \??\PhysicalDrive0
Behavior: Calls the Sleep function
Details: [1]: MilliSeconds = 50.
[2]: MilliSeconds = 50.