VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.

File information

Basic Information

MD5: 9698876cf6253a0c6d33b25179988a5b
File type: EXE
Production company:
Version: 1.0.0.0---1.0.0.0
Shell or compiler information: PACKER:UPolyX v0.5

Key behavior

Behavior description: Directly calls critical system APIs (bypassing the user-mode API layer)
details: Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x008E42C0
Index = 0x000000E5, Name: NtSetInformationThread, Instruction Address = 0x008E98D2
Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x008EE006
Index = 0x00000011, Name: NtAllocateVirtualMemory, Instruction Address = 0x00414D15
Index = 0x00000011, Name: NtAllocateVirtualMemory, Instruction Address = 0x004027ED
Behavior description: Probes for the presence of Virtual PC
details: N/A
Behavior description: Queries registry keys (virtual machine detection)
details: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Behavior description: Attempts to open driver device objects belonging to debuggers or monitoring software
details: \??\SICE
\??\SIWVID
\??\NTICE
Behavior description: Reads TickCount value (timing check)
details: TickCount = 220018, SleepMilliseconds = 50.
TickCount = 220909, SleepMilliseconds = 50.
TickCount = 221003, SleepMilliseconds = 50.
TickCount = 221034, SleepMilliseconds = 50.
TickCount = 221065, SleepMilliseconds = 50.
TickCount = 221237, SleepMilliseconds = 50.
TickCount = 221253, SleepMilliseconds = 50.
TickCount = 221456, SleepMilliseconds = 50.
TickCount = 221581, SleepMilliseconds = 50.
Behavior description: Opens registry keys (virtual machine detection)
details: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Behavior description: Reads the CPU clock directly
details: EAX = 0xe21ffb7c, EDX = 0x000000b5
EAX = 0xe21ffbc8, EDX = 0x000000b5
EAX = 0xe21ffc14, EDX = 0x000000b5
EAX = 0xe21ffc60, EDX = 0x000000b5
EAX = 0xe21ffcac, EDX = 0x000000b5
EAX = 0xe21ffcf8, EDX = 0x000000b5
EAX = 0xe21ffd44, EDX = 0x000000b5
EAX = 0xe21ffd90, EDX = 0x000000b5
EAX = 0xe21ffddc, EDX = 0x000000b5
EAX = 0xe21ffe28, EDX = 0x000000b5
Behavior description: Searches for a specific kernel module
details: lstrcmpiA: ntice.sys <------> ntkrnlpa.exe Des: SoftICE driver
lstrcmpiA: ntice.sys <------> hal.dll Des: SoftICE driver
lstrcmpiA: ntice.sys <------> KDCOM.DLL Des: SoftICE driver
lstrcmpiA: ntice.sys <------> BOOTVID.dll Des: SoftICE driver
lstrcmpiA: ntice.sys <------> ACPI.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> WMILIB.SYS Des: SoftICE driver
lstrcmpiA: ntice.sys <------> pci.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> isapnp.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> compbatt.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> BATTC.SYS Des: SoftICE driver
lstrcmpiA: ntice.sys <------> intelide.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> PCIIDEX.SYS Des: SoftICE driver
lstrcmpiA: ntice.sys <------> MountMgr.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> ftdisk.sys Des: SoftICE driver
lstrcmpiA: ntice.sys <------> dmload.sys Des: SoftICE driver
Behavior description: Searches for windows of common anti-virus and analysis tools
details: NtUserFindWindowEx: [Class,Window] = [OLLYDBG,]
NtUserFindWindowEx: [Class,Window] = [GBDYLLO,]
NtUserFindWindowEx: [Class,Window] = [pediy06,]
NtUserFindWindowEx: [Class,Window] = [FilemonClass,]
NtUserFindWindowEx: [Class,Window] = [,File Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]
NtUserFindWindowEx: [Class,Window] = [,Process Monitor - Sysinternals: www.sysinternals.com]
NtUserFindWindowEx: [Class,Window] = [RegmonClass,]
NtUserFindWindowEx: [Class,Window] = [,Registry Monitor - Sysinternals: www.sysinternals.com]
Behavior description: Detects a virtual machine via the VMware special instruction
details: N/A

Other behavior

Behavior description: Creates mutex
details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
Behavior description: Creates event object
details: EventName = DINPUTWINMM
Behavior description: Opens event
details: HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Behavior description: Opens mutex
details: DBWinMutex
ShimCacheMutex
Behavior description: Searches for a specific window
details: NtUserFindWindowEx: [Class,Window] = [18467-41,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behavior description: Searches for the kernel32.dll base address
details: Instruction Address = 0x00757a43
Behavior description: Reads cursor position
details: CursorPos = (80,18468), SleepMilliseconds = 50.
Behavior description: Window information
details: Pid = 2672, Hwnd=0x10380, Text = 确定, ClassName = Button.
Pid = 2672, Hwnd=0x10384, Text = 运行时出错! 错误信息:无法找到指定DLL库文件“tf.dll”中的输出命令“初始化” , ClassName = Static.
Pid = 2672, Hwnd=0x1037e, Text = 错误, ClassName = #32770.
Behavior description: Calls the Sleep function
details: [1]: MilliSeconds = 50.
Behavior description: Hides a specific window
details: [Window,Class] = [,Button]
[Window,Class] = [天罚全图-购买续费-请联系管理员,_EL_HyperLinker]
[Window,Class] = [充值,Button]
[Window,Class] = [卡号,_EL_Label]
[Window,Class] = [账号,_EL_Label]
[Window,Class] = [,Edit]

Run screenshot