VirSCAN

1. You can upload any file, but its size must not exceed 20 MB.
2. We support automatic decompression of RAR or ZIP archives, but the archive must not contain more than 20 files.
3. We can recognize and scan archives whose password is 'infected' or 'virus'.
4. If your browser cannot upload the file, please download the Virscan Uploader and upload with it.


File information

virscan.org multi-engine scan report
Behavior analysis report: Habo file analysis

Basic information

MD5: 3480e8a8ec1c98089223ef7b0c4a4cbd
File size: 5.58MB
Upload time: 2014-09-22 10:36:30 (CST)
Package name:
Minimum runtime environment:
Copyright:

Key behaviors

Behavior: Detects whether Virtual PC is present
Details: N/A
Behavior: Reads the CPU clock directly
Details: EAX = 0x4a285889, EDX = 0x000000b7
EAX = 0x4a2858d5, EDX = 0x000000b7
EAX = 0x4a285921, EDX = 0x000000b7
EAX = 0x4a28596d, EDX = 0x000000b7
EAX = 0x549df693, EDX = 0x000000b7
EAX = 0x549df6df, EDX = 0x000000b7
EAX = 0x549df72b, EDX = 0x000000b7
EAX = 0x549df777, EDX = 0x000000b7
EAX = 0x549df7c3, EDX = 0x000000b7
EAX = 0x549df80f, EDX = 0x000000b7
Behavior: Attempts to open the driver device object of a debugger or monitoring tool
Details: \??\NTICE
Behavior: Reads the TickCount value
Details: TickCount = 228271, SleepMilliseconds = 100.
TickCount = 288218, SleepMilliseconds = 60000.
TickCount = 288234, SleepMilliseconds = 60000.
TickCount = 288828, SleepMilliseconds = 60000.
TickCount = 290562, SleepMilliseconds = 60000.
TickCount = 290593, SleepMilliseconds = 60000.
TickCount = 290609, SleepMilliseconds = 60000.
TickCount = 290625, SleepMilliseconds = 60000.
TickCount = 291640, SleepMilliseconds = 60000.
TickCount = 291671, SleepMilliseconds = 60000.
TickCount = 291703, SleepMilliseconds = 60000.
TickCount = 291750, SleepMilliseconds = 60000.
TickCount = 291765, SleepMilliseconds = 60000.
TickCount = 291796, SleepMilliseconds = 60000.
TickCount = 292750, SleepMilliseconds = 60000.
Behavior: Calls critical system APIs directly
Details: Index = 0x000000E5, Name: NtSetInformationThread, Instruction Address = 0x0090DE8C
Index = 0x0000009B, Name: NtQueryInformationThread, Instruction Address = 0x008A86FC
Index = 0x000000E5, Name: NtSetInformationThread, Instruction Address = 0x008DCC3D
Behavior: Searches for windows of common anti-malware tools
Details: NtUserFindWindowEx: [Class,Window] = [Regmonclass,]
NtUserFindWindowEx: [Class,Window] = [Filemonclass,]
Behavior: Detects a virtual machine via VMware-specific instructions
Details: N/A

Process behavior

Behavior: Creates local threads
Details: TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2748, ThreadID = 2784, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2748, ThreadID = 2892, StartAddress = 0086F8DD, Parameter = 0019CA10
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2748, ThreadID = 2896, StartAddress = 0086F8DD, Parameter = 0019CA20
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2748, ThreadID = 2900, StartAddress = 0086F8DD, Parameter = 0019CA10
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2748, ThreadID = 2904, StartAddress = 0086F8DD, Parameter = 0019CA10
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2748, ThreadID = 2908, StartAddress = 0086F8DD, Parameter = 0019CA10
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2748, ThreadID = 2912, StartAddress = 0086F8DD, Parameter = 0019CA10
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2748, ThreadID = 2940, StartAddress = 77E56C7D, Parameter = 0025BBC0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2748, ThreadID = 2944, StartAddress = 769AE43B, Parameter = 0025E480
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2748, ThreadID = 3068, StartAddress = 719CD33A, Parameter = 00287998

Network behavior

Behavior: Connects to a specified site
Details: WinHttpConnect: ServerName = ww****hk, PORT = 80, UserName = , Password = , hSession = 0x03345000, hConnect = 0x03345100, Flags = 0x00000000
Behavior: Establishes a connection to a specified socket
Details: URL: ww****hk, IP: **.133.40.**:80, SOCKET = 0x00000278
Behavior: Sends an HTTP packet
Details: HEAD / HTTP/1.1 User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept: text/html, application/xhtml+xml, */* Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Host: ww****hk Connection: Keep-Alive
Behavior: Opens an HTTP request
Details: WinHttpOpenRequest: ww****hk:80/, hConnect = 0x03345100, hRequest = 0x03370000, Verb: HEAD, Referer: , Flags = 0x00000000
Behavior: Resolves a host address by name
Details: GetAddrInfoW: ww****hk

Registry behavior

Behavior: Deletes a registry key
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\
Behavior: Deletes a registry value
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\DWFileTreeRoot

Other behavior

Behavior: Calls critical system APIs directly
Details: Index = 0x000000E5, Name: NtSetInformationThread, Instruction Address = 0x0090DE8C
Index = 0x0000009B, Name: NtQueryInformationThread, Instruction Address = 0x008A86FC
Index = 0x000000E5, Name: NtSetInformationThread, Instruction Address = 0x008DCC3D
Behavior: Detects whether Virtual PC is present
Details: N/A
Behavior: Creates mutexes
Details: RasPbFile
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Behavior: Creates event objects
Details: EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
Behavior: Opens mutexes
Details: RasPbFile
ShimCacheMutex
Behavior: Searches for a specified window
Details: NtUserFindWindowEx: [Class,Window] = [4823-00000029,]
NtUserFindWindowEx: [Class,Window] = [18467-41,]
Behavior: Attempts to open the driver device object of a debugger or monitoring tool
Details: \??\NTICE
Behavior: Reads the TickCount value
Details: TickCount = 228271, SleepMilliseconds = 100.
TickCount = 288218, SleepMilliseconds = 60000.
TickCount = 288234, SleepMilliseconds = 60000.
TickCount = 288828, SleepMilliseconds = 60000.
TickCount = 290562, SleepMilliseconds = 60000.
TickCount = 290593, SleepMilliseconds = 60000.
TickCount = 290609, SleepMilliseconds = 60000.
TickCount = 290625, SleepMilliseconds = 60000.
TickCount = 291640, SleepMilliseconds = 60000.
TickCount = 291671, SleepMilliseconds = 60000.
TickCount = 291703, SleepMilliseconds = 60000.
TickCount = 291750, SleepMilliseconds = 60000.
TickCount = 291765, SleepMilliseconds = 60000.
TickCount = 291796, SleepMilliseconds = 60000.
TickCount = 292750, SleepMilliseconds = 60000.
Behavior: Opens events
Details: HookSwitchHookEnabledEvent
MSFT.VSA.COM.DISABLE.2748
MSFT.VSA.IEC.STATUS.6c736db0
Behavior: Calls the Sleep function
Details: [1]: MilliSeconds = 100.
[2]: MilliSeconds = 60000.
Behavior: Hides a specified window
Details: [Window,Class] = [,ComboLBox]
Behavior: Reads the CPU clock directly
Details: EAX = 0x4a285889, EDX = 0x000000b7
EAX = 0x4a2858d5, EDX = 0x000000b7
EAX = 0x4a285921, EDX = 0x000000b7
EAX = 0x4a28596d, EDX = 0x000000b7
EAX = 0x549df693, EDX = 0x000000b7
EAX = 0x549df6df, EDX = 0x000000b7
EAX = 0x549df72b, EDX = 0x000000b7
EAX = 0x549df777, EDX = 0x000000b7
EAX = 0x549df7c3, EDX = 0x000000b7
EAX = 0x549df80f, EDX = 0x000000b7
Behavior: Searches for windows of common anti-malware tools
Details: NtUserFindWindowEx: [Class,Window] = [Regmonclass,]
NtUserFindWindowEx: [Class,Window] = [Filemonclass,]
Behavior: Detects a virtual machine via VMware-specific instructions
Details: N/A