VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected compressed files if the password is 'infected' or 'virus'.

File information
Safety rating: 55
Behavior list
Basic Information
MD5: 6a44d05d634a902c354aba1d869d2ecc
File type: zip
Production company:
Version:
Packer or compiler information: PACKER:UPolyX v0.5
Subfile information:
ZCCapCodeTool.exe dumpFile / 82b18c3035e8693a8a1d43d2b3c71044 / EXE
ScreenCapTure.dll / 560e026529ef3290f6e83e6eafc4ee4c / DLL
ZCCapCodeTool.exe / 82b18c3035e8693a8a1d43d2b3c71044 / EXE
绿色资源网.url / e3d6c20a95810df0ee07dfd966c11468 / Unknown
Key behavior
Behavior description: Probes whether Virtual PC is present
details: N/A
Behavior description: Directly invokes critical system APIs (raw syscalls)
details: Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x004BB64C
Index = 0x000000E5, Name: NtSetInformationThread, Instruction Address = 0x004BDD89
Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x004C0672
Behavior description: Attempts to open the driver device objects of debuggers or monitoring software
details: \??\SICE
\??\SIWVID
\??\NTICE
Behavior description: Reads the TickCount value (timing check around Sleep)
details: TickCount = 218800, SleepMilliseconds = 50.
Behavior description: Opens registry key (virtual machine detection related)
details: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Behavior description: Blocks the window close message
details: hWnd = 0x0001034c, Text = 若快验证码万能识别, ClassName = WindowsForms10.Window.8.app.0.33c0d9d.
Behavior description: Reads the CPU time-stamp counter directly (RDTSC)
details: EAX = 0xf0a9de17, EDX = 0x000000b3
Behavior description: Searches for a specific kernel module (compares each loaded module name against the SoftICE driver)
details: lstrcmpiA: ntice.sys <------> ntkrnlpa.exe Des: SoftICE驱动
Behavior description: Searches for windows of common analysis and anti-malware tools
details: NtUserFindWindowEx: [Class,Window] = [OLLYDBG,]
NtUserFindWindowEx: [Class,Window] = [GBDYLLO,]
NtUserFindWindowEx: [Class,Window] = [pediy06,]
NtUserFindWindowEx: [Class,Window] = [FilemonClass,]
NtUserFindWindowEx: [Class,Window] = [,File Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]
NtUserFindWindowEx: [Class,Window] = [,Process Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [RegmonClass,]
NtUserFindWindowEx: [Class,Window] = [,Registry Monitor - Sysinternals: www.sysinternals.com]
Behavior description: Detects a virtual machine via the VMware special instruction (backdoor I/O port)
details: N/A
Process behavior
Behavior description: Creates a process with a hidden window
details: ImagePath = , CmdLine = "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Documents and Settings\Administrator\Local Settings\Temp\ruax5rzk.cmdline"
Behavior description: Creates a process
details: [0x00000dd0]ImagePath = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe, CmdLine = "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Documents and Settings\Administrator\Local Settings\Temp\ruax5rzk.cmdline"
Behavior description: Creates local threads
details: TargetProcess: ZCCapCodeTool.exe, InheritedFromPID = 2000, ProcessID = 2832, ThreadID = 2848, StartAddress = 004311AF, Parameter = 00489FD0
Behavior description: Enumerates processes
details: N/A
File behavior
Behavior description: Creates files
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\error.log
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Config.xml
C:\Documents and Settings\Administrator\Local Settings\Temp\ruax5rzk.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\ruax5rzk.0.cs
C:\Documents and Settings\Administrator\Local Settings\Temp\ruax5rzk.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\ruax5rzk.cmdline
C:\Documents and Settings\Administrator\Local Settings\Temp\ruax5rzk.out
C:\Documents and Settings\Administrator\Local Settings\Temp\ruax5rzk.err
Behavior description: Overwrites an existing file
details: C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
Behavior description: Deletes files
details: C:\Documents and Settings\Administrator\Local Settings\Temp\ruax5rzk.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\ruax5rzk.cmdline
C:\Documents and Settings\Administrator\Local Settings\Temp\ruax5rzk.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\ruax5rzk.err
C:\Documents and Settings\Administrator\Local Settings\Temp\ruax5rzk.out
C:\Documents and Settings\Administrator\Local Settings\Temp\ruax5rzk.0.cs
Behavior description: Modifies file contents
details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\error.log ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\ruax5rzk.0.cs ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\ruax5rzk.0.cs ---> Offset = 4096
C:\Documents and Settings\Administrator\Local Settings\Temp\ruax5rzk.0.cs ---> Offset = 8192
C:\Documents and Settings\Administrator\Local Settings\Temp\ruax5rzk.0.cs ---> Offset = 12288
C:\Documents and Settings\Administrator\Local Settings\Temp\ruax5rzk.0.cs ---> Offset = 16384
C:\Documents and Settings\Administrator\Local Settings\Temp\ruax5rzk.cmdline ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\ruax5rzk.out ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\ruax5rzk.out ---> Offset = 757
Behavior description: Searches for files
details: FileName = C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
FileName = C:\WINDOWS\Microsoft.NET\Framework\\*
FileName = C:\WINDOWS
FileName = C:\WINDOWS\WinSxS
FileName = C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
FileName = C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ZCCapCodeTool.exe
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\ZCCapCodeTool.INI
FileName = C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.INI
Registry behavior
Behavior description: Opens registry key (virtual machine detection related)
details: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Other behavior
Behavior description: Directly invokes critical system APIs (raw syscalls)
details: Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x004BB64C
Index = 0x000000E5, Name: NtSetInformationThread, Instruction Address = 0x004BDD89
Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x004C0672
Behavior description: Probes whether Virtual PC is present
details: N/A
Behavior description: Creates mutexes
details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
MSCTF.Shared.MUTEX.EBL
Behavior description: Creates event objects
details: EventName = DINPUTWINMM
EventName = Global\CorDBIPCSetupSyncEvent_2832
EventName = MSCTF.SendReceiveConection.Event.EBL.IC
EventName = MSCTF.SendReceive.Event.EBL.IC
Behavior description: Opens events
details: Global\CLR_PerfMon_StartEnumEvent
\KernelObjects\LowMemoryCondition
HookSwitchHookEnabledEvent
MSFT.VSA.COM.DISABLE.2832
MSFT.VSA.IEC.STATUS.6c736db0
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Behavior description: Checks whether it is being debugged
details: IsDebuggerPresent
Behavior description: Opens mutexes
details: DBWinMutex
ShimCacheMutex
Global\CLR_CASOFF_MUTEX
Behavior description: Searches for specific windows
details: NtUserFindWindowEx: [Class,Window] = [18467-41,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Attempts to open the driver device objects of debuggers or monitoring software
details: \??\SICE
\??\SIWVID
\??\NTICE
Behavior description: Searches for the kernel32.dll base address
details: Instruction Address = 0x004318ed
Behavior description: Reads the cursor position (user-activity check around Sleep)
details: CursorPos = (80,18468), SleepMilliseconds = 60000.
CursorPos = (6373,26501), SleepMilliseconds = 60000.
CursorPos = (19208,15725), SleepMilliseconds = 60000.
CursorPos = (11517,29359), SleepMilliseconds = 60000.
CursorPos = (27001,24465), SleepMilliseconds = 60000.
Behavior description: Blocks the window close message
details: hWnd = 0x0001034c, Text = 若快验证码万能识别, ClassName = WindowsForms10.Window.8.app.0.33c0d9d.
Behavior description: Window information
details: Pid = 2832, Hwnd=0x10350, Text = 使用说明, ClassName = WindowsForms10.Window.8.app.0.33c0d9d.
Pid = 2832, Hwnd=0x10352, Text = 若快官网, ClassName = WindowsForms10.STATIC.app.0.33c0d9d.
Pid = 2832, Hwnd=0x10354, Text = 设置教程, ClassName = WindowsForms10.STATIC.app.0.33c0d9d.
Pid = 2832, Hwnd=0x10356, Text = 截码设置, ClassName = WindowsForms10.STATIC.app.0.33c0d9d.
Pid = 2832, Hwnd=0x10358, Text = 3., ClassName = WindowsForms10.STATIC.app.0.33c0d9d.
Pid = 2832, Hwnd=0x1035a, Text = 类型表, ClassName = WindowsForms10.STATIC.app.0.33c0d9d.
Pid = 2832, Hwnd=0x1035c, Text = 验证码类型设置, ClassName = WindowsForms10.STATIC.app.0.33c0d9d.
Pid = 2832, Hwnd=0x1035e, Text = 2., ClassName = WindowsForms10.STATIC.app.0.33c0d9d.
Pid = 2832, Hwnd=0x10360, Text = 1., ClassName = WindowsForms10.STATIC.app.0.33c0d9d.
Pid = 2832, Hwnd=0x10362, Text = 注册打码帐号, ClassName = WindowsForms10.STATIC.app.0.33c0d9d.
Pid = 2832, Hwnd=0x10364, Text = 软件设置, ClassName = WindowsForms10.Window.8.app.0.33c0d9d.
Pid = 2832, Hwnd=0x10366, Text = 类名, ClassName = WindowsForms10.BUTTON.app.0.33c0d9d.
Pid = 2832, Hwnd=0x10368, Text = 标题, ClassName = WindowsForms10.BUTTON.app.0.33c0d9d.
Pid = 2832, Hwnd=0x1036a, Text = 判断方式:, ClassName = WindowsForms10.STATIC.app.0.33c0d9d.
Pid = 2832, Hwnd=0x1036c, Text = 100, ClassName = WindowsForms10.EDIT.app.0.33c0d9d.
Behavior description: Calls the Sleep function
details: [1]: MilliSeconds = 50.
[2]: MilliSeconds = 60000.
[3]: MilliSeconds = -1.
[4]: MilliSeconds = 60000.
Behavior description: Hides a specified window
details: [Window,Class] = [,ComboLBox]
Behavior description: Reads the TickCount value (timing check around Sleep)
details: TickCount = 218800, SleepMilliseconds = 50.
Behavior description: Reads the CPU time-stamp counter directly (RDTSC)
details: EAX = 0xf0a9de17, EDX = 0x000000b3
Behavior description: Searches for a specific kernel module (compares each loaded module name against the SoftICE driver)
details: lstrcmpiA: ntice.sys <------> ntkrnlpa.exe Des: SoftICE驱动
Behavior description: Searches for windows of common analysis and anti-malware tools
details: NtUserFindWindowEx: [Class,Window] = [OLLYDBG,]
NtUserFindWindowEx: [Class,Window] = [GBDYLLO,]
NtUserFindWindowEx: [Class,Window] = [pediy06,]
NtUserFindWindowEx: [Class,Window] = [FilemonClass,]
NtUserFindWindowEx: [Class,Window] = [,File Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]
NtUserFindWindowEx: [Class,Window] = [,Process Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [RegmonClass,]
NtUserFindWindowEx: [Class,Window] = [,Registry Monitor - Sysinternals: www.sysinternals.com]
Behavior description: Detects a virtual machine via the VMware special instruction (backdoor I/O port)
details: N/A
Run screenshot