VirSCAN


File information
Safety rating: 50
Behavior list
Basic information
MD5:f81bccbb9b18888d7deef8bc7461f467
File type: Rar
Vendor:
Version:
Packer or compiler info:
Sub-file info: PCF PCM 加密视频批量提取器.exe / 7c3563219452398d2a61fc9525cbce9b / EXE
Decrypt.dll / 704c3d3677f20bcf30f979cbf13b872d / DLL
JiaMi.dll / 3110d0d7046bf6c4c80b5671bced3aca / DLL
说明.txt / 3e832c6a26209ca80d2ee811cdd1edc4 / Unknown
极光下载站-xz7.com.url / 07f4c9f16ba0370b184e48ec27b1b589 / Unknown
Key behaviors
Behavior: Directly calls critical system APIs
Details: Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x007BD523
Index = 0x000000E5, Name: NtSetInformationThread, Instruction Address = 0x007CE0BD
Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x007D94E5
Behavior: Checks whether Virtual PC is present
Details: N/A
Behavior: Queries registry (virtual machine detection)
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Behavior: Attempts to open driver device objects of debuggers or monitoring software
Details: \??\SICE
\??\SIWVID
\??\NTICE
Behavior: Reads TickCount value
Details: TickCount = 222675, SleepMilliseconds = 50.
TickCount = 222800, SleepMilliseconds = 50.
TickCount = 222909, SleepMilliseconds = 50.
TickCount = 223065, SleepMilliseconds = 50.
TickCount = 224206, SleepMilliseconds = 50.
TickCount = 224315, SleepMilliseconds = 50.
TickCount = 224331, SleepMilliseconds = 50.
TickCount = 224378, SleepMilliseconds = 50.
TickCount = 224503, SleepMilliseconds = 50.
TickCount = 224518, SleepMilliseconds = 50.
Behavior: Opens registry key (virtual machine detection)
Details: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Behavior: Sets special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\IETldCache
Behavior: Reads CPU clock directly
Details: EAX = 0x68c63e85, EDX = 0x000000b8
EAX = 0x68c63ed1, EDX = 0x000000b8
EAX = 0x68c63f1d, EDX = 0x000000b8
EAX = 0x68c63f69, EDX = 0x000000b8
EAX = 0x68c63fb5, EDX = 0x000000b8
EAX = 0x68c64001, EDX = 0x000000b8
EAX = 0x68c6404d, EDX = 0x000000b8
EAX = 0x68c64099, EDX = 0x000000b8
EAX = 0x68c640e5, EDX = 0x000000b8
EAX = 0x68c64131, EDX = 0x000000b8
Behavior: Searches for specific kernel modules
Details: lstrcmpiA: ntice.sys <------> ntkrnlpa.exe Des: SoftICE驱动
lstrcmpiA: ntice.sys <------> hal.dll Des: SoftICE驱动
lstrcmpiA: ntice.sys <------> KDCOM.DLL Des: SoftICE驱动
lstrcmpiA: ntice.sys <------> BOOTVID.dll Des: SoftICE驱动
lstrcmpiA: ntice.sys <------> ACPI.sys Des: SoftICE驱动
lstrcmpiA: ntice.sys <------> WMILIB.SYS Des: SoftICE驱动
lstrcmpiA: ntice.sys <------> pci.sys Des: SoftICE驱动
lstrcmpiA: ntice.sys <------> isapnp.sys Des: SoftICE驱动
lstrcmpiA: ntice.sys <------> compbatt.sys Des: SoftICE驱动
lstrcmpiA: ntice.sys <------> BATTC.SYS Des: SoftICE驱动
lstrcmpiA: ntice.sys <------> intelide.sys Des: SoftICE驱动
lstrcmpiA: ntice.sys <------> PCIIDEX.SYS Des: SoftICE驱动
lstrcmpiA: ntice.sys <------> MountMgr.sys Des: SoftICE驱动
lstrcmpiA: ntice.sys <------> ftdisk.sys Des: SoftICE驱动
lstrcmpiA: ntice.sys <------> dmload.sys Des: SoftICE驱动
Behavior: Searches for windows of common anti-malware and analysis tools
Details: NtUserFindWindowEx: [Class,Window] = [OLLYDBG,]
NtUserFindWindowEx: [Class,Window] = [GBDYLLO,]
NtUserFindWindowEx: [Class,Window] = [pediy06,]
NtUserFindWindowEx: [Class,Window] = [FilemonClass,]
NtUserFindWindowEx: [Class,Window] = [,File Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]
NtUserFindWindowEx: [Class,Window] = [,Process Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [RegmonClass,]
NtUserFindWindowEx: [Class,Window] = [,Registry Monitor - Sysinternals: www.sysinternals.com]
Behavior: Detects virtual machine via VMware special instruction
Details: N/A
Process behavior
Behavior: Creates local threads
Details: TargetProcess: PCF PCM 加密视频批量提取器.exe, InheritedFromPID = 2000, ProcessID = 3020, ThreadID = 3036, StartAddress = 006046BB, Parameter = 0078B53A
TargetProcess: PCF PCM 加密视频批量提取器.exe, InheritedFromPID = 2000, ProcessID = 3020, ThreadID = 3040, StartAddress = 006046BB, Parameter = 0078BEF2
TargetProcess: PCF PCM 加密视频批量提取器.exe, InheritedFromPID = 2000, ProcessID = 3020, ThreadID = 3044, StartAddress = 006046BB, Parameter = 0078CF4A
TargetProcess: PCF PCM 加密视频批量提取器.exe, InheritedFromPID = 2000, ProcessID = 3020, ThreadID = 3048, StartAddress = 006046BB, Parameter = 0078DA0E
TargetProcess: PCF PCM 加密视频批量提取器.exe, InheritedFromPID = 2000, ProcessID = 3020, ThreadID = 3052, StartAddress = 006046BB, Parameter = 0078E547
TargetProcess: PCF PCM 加密视频批量提取器.exe, InheritedFromPID = 2000, ProcessID = 3020, ThreadID = 3056, StartAddress = 006046BB, Parameter = 0078EF20
TargetProcess: PCF PCM 加密视频批量提取器.exe, InheritedFromPID = 2000, ProcessID = 3020, ThreadID = 3060, StartAddress = 006046BB, Parameter = 0078F9F8
TargetProcess: PCF PCM 加密视频批量提取器.exe, InheritedFromPID = 2000, ProcessID = 3020, ThreadID = 3064, StartAddress = 006046BB, Parameter = 0079054B
TargetProcess: PCF PCM 加密视频批量提取器.exe, InheritedFromPID = 2000, ProcessID = 3020, ThreadID = 3068, StartAddress = 006046BB, Parameter = 00795FEB
TargetProcess: PCF PCM 加密视频批量提取器.exe, InheritedFromPID = 2000, ProcessID = 3020, ThreadID = 3072, StartAddress = 006046BB, Parameter = 00796EFF
TargetProcess: PCF PCM 加密视频批量提取器.exe, InheritedFromPID = 2000, ProcessID = 3020, ThreadID = 3076, StartAddress = 006046BB, Parameter = 007980D1
TargetProcess: PCF PCM 加密视频批量提取器.exe, InheritedFromPID = 2000, ProcessID = 3020, ThreadID = 3080, StartAddress = 006046BB, Parameter = 00799169
TargetProcess: PCF PCM 加密视频批量提取器.exe, InheritedFromPID = 2000, ProcessID = 3020, ThreadID = 3084, StartAddress = 006046BB, Parameter = 0079A2A1
TargetProcess: PCF PCM 加密视频批量提取器.exe, InheritedFromPID = 2000, ProcessID = 3020, ThreadID = 3088, StartAddress = 006046BB, Parameter = 0079B26B
TargetProcess: PCF PCM 加密视频批量提取器.exe, InheritedFromPID = 2000, ProcessID = 3020, ThreadID = 3092, StartAddress = 006046BB, Parameter = 0079C264
Behavior: Enumerates processes
Details: N/A
File behavior
Behavior: Searches for files
Details: FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS\system32\Ras\*.pbk
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Network behavior
Behavior: Connects to a specified site
Details: WinHttpConnect: ServerName = bl****cn, PORT = 80, UserName = , Password = , hSession = 0x037e3100, hConnect = 0x037e3200, Flags = 0x00000000
Behavior: Opens HTTP connection
Details: WinHttpOpen: UserAgent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), hSession = 0x037e3100
Behavior: Establishes a socket connection to a specified host
Details: URL: bl****cn, IP: **.133.40.**:80, SOCKET = 0x000003dc
Behavior: Sends HTTP packet
Details: GET /s/blog_8eee69e90102wa2a.html HTTP/1.1
Referer: http://blog.sina.com.cn/s/blog_8eee69e90102wa2a.html
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Host: bl****cn
Connection: Keep-Alive
Behavior: Opens HTTP request
Details: WinHttpOpenRequest: bl****cn:80/s/blog_8eee69e90102wa2a.html, hConnect = 0x037e3200, hRequest = 0x03870000, Verb: GET, Referer: , Flags = 0x00000080
Behavior: Resolves host address by name
Details: GetAddrInfoW: bl****cn
Registry behavior
Behavior: Modifies registry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Behavior: Deletes registry values
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Other behaviors
Behavior: Creates mutexes
Details: RasPbFile
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
52pojie.cn
MSCTF.Shared.MUTEX.IOH
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Local\c:!documents and settings!administrator!ietldcache!
MSCTF.Shared.MUTEX.ANL
Behavior: Creates event objects
Details: EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceive.Event.ANL.IC
EventName = MSCTF.SendReceiveConection.Event.ANL.IC
Behavior: Window information
Details: Pid = 3020, Hwnd=0x10372, Text = 本程序仅供个人测试学习交流之用,不得商用或非法用途!视频等资源版权归视频原作者所有,下载后请在24小时内删除,如因此造成的后果与本软件无关,软件作者概不负任何法律责任。 本工具完全免费,如果您在任何地方采用购买的方式获得此软件,请找卖家投诉!, ClassName = Edit.
Pid = 3020, Hwnd=0x1037c, Text = 确定, ClassName = Button.
Pid = 3020, Hwnd=0x10380, Text = 网络超时,检测版本失败,请稍候重试, ClassName = Static.
Pid = 3020, Hwnd=0x1037a, Text = 提示, ClassName = #32770.
Behavior: Opens mutexes
Details: DBWinMutex
RasPbFile
ShimCacheMutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
Local\!IETld!Mutex
Local\c:!documents and settings!administrator!ietldcache!
Behavior: Searches for specified windows
Details: NtUserFindWindowEx: [Class,Window] = [18467-41,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior: Searches for kernel32.dll base address
Details: Instruction Address = 0x00604a80
Behavior: Reads cursor position
Details: CursorPos = (80,18468), SleepMilliseconds = 50.
CursorPos = (6373,26501), SleepMilliseconds = 50.
Behavior: Opens events
Details: HookSwitchHookEnabledEvent
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
\INSTALLATION_SECURITY_HOLD
Behavior: Calls Sleep function
Details: [1]: MilliSeconds = 50.
[2]: MilliSeconds = 50.
Behavior: Hides specified windows
Details: [Window,Class] = [,_EL_Timer]
[Window,Class] = [ 本程序仅供个人测试学习交流之用,不得商用或非法用途!视频等资源版权归视频原作者所有,下载后请在24小时内删除,如因此造成的后果与本软件无关,软件作者概不负任何法律责任。,Afx:400000:b:10011:1900015:0]
[Window,Class] = [,_EL_PicBox]
[Window,Class] = [,_EL_CommonDlg]
[Window,Class] = [,Afx:400000:b:10011:1900010:0]