VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.


File information
Safety rating:18
Behavior list
Basic Information
MD5:6f1743d769c5ab082eb24b0193a97912
file type:Autoit
Production company:
version:2.0.0.65---2.0.0.65
Shell or compiler information:PACKER:UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]
Subfile information:upx_c_74bfbff0dumpFile / 65e7318aa0979585f22cb51f165cb4ca / EXE
LibGhostHlper.dll / 8975a898d74b4baa57ae8b9a018dd591 / DLL
setacl.exe / acde12fa9a971a254c76c34c0bbe8608 / EXE
AutoItScript / 3ba55f797daa6576a7b61eca8622b114 / Unknown
AutoITdumpFile / bb9485c1e89af6d7e89d6ed06e78fd2c / Unknown
yh.reg / 37232c8b415d5ac527623730a24f8a9b / Unknown
yh2.reg / a0e8a7d30713fea065f3adc89076b0ac / Unknown
FW.cmd / 2350e2762ee803d8c9e3d287a0e0d459 / Unknown
Key behavior
Behavior description:Detects whether it is being debugged
details:N/A
Behavior description:Modifies registry: IE start page
details:\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Internet Explorer\Main\Start Page
Behavior description:Hides specified window
details:[Window,Class] = [AutoIt v3,AutoIt v3]
[Window,Class] = [,tooltips_class32]
Behavior description:Self-deletion
details:C:\%temp%\1425996563.301349.exe
Behavior description:Detects VMware by searching for files
details:FindFirstFileEx: FileName = c:\docume~1\admini~1\locals~1\temp\vmwarednd\*.*
FindFirstFileEx: FileName = c:\docume~1\admini~1\locals~1\temp\vmwarednd\*
FindFirstFileEx: FileName = c:\windows\temp\vmware-system\*.*
FindFirstFileEx: FileName = c:\windows\temp\vmware-system\*
Process behavior
Behavior description:Creates process with hidden window
details:ImagePath = , CmdLine = c:\windows\system32\cmd.exe /c regsvr32 /u /s igfxpph.dll"
ImagePath = , CmdLine = c:\windows\system32\cmd.exe /c setacl "users\s-1-5-21-1482476501-1645522239-1417001333-500\software\microsoft\protected storage system provider\s-1-5-21-1482476501-1645522239-1417001333-500" /registry /grant everyone /full
ImagePath = , CmdLine = c:\windows\system32\cmd.exe /c del /q /f /s "%userprofile%\recent\*.*"
ImagePath = , CmdLine = c:\windows\system32\cmd.exe /c del /q /f /s "%temp%\*.*"
ImagePath = , CmdLine = c:\windows\system32\cmd.exe /c del /q /f /s "%systemroot%\temp\*.*"
ImagePath = , CmdLine = cmd /c echo y|cacls.exe c:\system~1 /p everyone:f
ImagePath = , CmdLine = c:\windows\system32\cmd.exe /c del /f /s /q /a %homedrive%\system~1\*.*
ImagePath = , CmdLine = c:\windows\system32\cmd.exe /c rd /q /s %homedrive%\system~1\_resto~1
ImagePath = , CmdLine = c:\windows\system32\cmd.exe /c rd /q /s %homedrive%\system~1
ImagePath = , CmdLine = c:\windows\system32\cmd.exe /c ping 127.0.0.1 -n 3&del /q "c:\%temp%\1425996561.992461.exe"
Behavior description:Creates process
details:ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c regsvr32 /u /s igfxpph.dll"
ImagePath = C:\WINDOWS\system32\regsvr32.exe, CmdLine = regsvr32 /u /s igfxpph.dll"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c setacl "USERS\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Protected Storage System Provider\S-1-5-21-1482476501-1645522239-1417001333-500" /registry /grant e
ImagePath = C:\WINDOWS\regedit.exe, CmdLine = regedit.exe /s C:\WINDOWS\system32\yh2.reg
ImagePath = C:\WINDOWS\regedit.exe, CmdLine = regedit.exe /s C:\WINDOWS\system32\yh.reg
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c DEL /Q /F /S "%USERPROFILE%\Recent\*.*"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c DEL /Q /F /S "%TEMP%\*.*"
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c echo Y|cacls.exe C:\System~1 /P everyone:F
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /S /D /c" echo Y"
ImagePath = C:\WINDOWS\system32\cacls.exe, CmdLine = cacls.exe C:\System~1 /P everyone:F
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c del /f /s /q /a %HOMEDRIVE%\System~1\*.*
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c rd /q /s %HOMEDRIVE%\System~1\_resto~1
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c rd /q /s %HOMEDRIVE%\System~1
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c ping 127.0.0.1 -n 3&del /q "C:\%temp%\1425996560.178134.exe"
Behavior description:Creates process from newly written file
details:ImagePath = C:\WINDOWS\system32\setacl.exe, CmdLine = setacl "USERS\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Protected Storage System Provider\S-1-5-21-1482476501-1645522239-1417001333-500" /registry /grant everyone /full
File behavior
Behavior description:Creates file mapping with write access
details:CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
Behavior description:Creates executable file
details:C:\WINDOWS\system32\setacl.exe
C:\WINDOWS\LibGhostHlper.dll
Behavior description:Modifies file content
details:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aut4.tmp---> Offset = 77824
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aut5.tmp---> Offset = 0
C:\WINDOWS\system32\yh2.reg---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aut6.tmp---> Offset = 0
C:\WINDOWS\system32\yh.reg---> Offset = 4096
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aut7.tmp---> Offset = 118784
Behavior description:Self-deletion
details:C:\%temp%\1425996563.301349.exe
Registry behavior
Behavior description:Modifies registry: system context menu
details:\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\new\
\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Copy To\
\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Move To\
Behavior description:Modifies registry
details:\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Search Assistant\Actor
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Search Assistant\UsageCount
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Search Assistant\UseAdvancedSearchAlways
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Control Panel\Desktop\MenuShowDelay
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Control Panel\Desktop\HungAppTimeout
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Control Panel\Desktop\WaitToKillAppTimeout
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\WaitToKillServiceTimeout
\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\HungAppTimeout
\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillAppTimeout
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Control Panel\International\sLongDate
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\TaskbarGlomming
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Applets\Tour\RunCount
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\CTF\LangBar\ExtraIconsOnMinimized
Behavior description:Deletes registry value: removes startup entry
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HotKeysCmds
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IgfxTray
Behavior description:Deletes registry key
details:\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Protected Storage System Provider\S-1-5-21-1482476501-1645522239-1417001333-500\Data\14d96c20-255b-11d1-898f-00c04fb6bfc4\00000000-0000-0000-0000-000000000000
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Protected Storage System Provider\S-1-5-21-1482476501-1645522239-1417001333-500\Data\14d96c20-255b-11d1-898f-00c04fb6bfc4
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Protected Storage System Provider\S-1-5-21-1482476501-1645522239-1417001333-500\Data\89c39569-6841-11d2-9f59-0000f8085266\cfd7c28a-208c-4447-b3ff-2fdac596c2fd\IdentitiesPass
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Protected Storage System Provider\S-1-5-21-1482476501-1645522239-1417001333-500\Data\89c39569-6841-11d2-9f59-0000f8085266\cfd7c28a-208c-4447-b3ff-2fdac596c2fd
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Protected Storage System Provider\S-1-5-21-1482476501-1645522239-1417001333-500\Data\89c39569-6841-11d2-9f59-0000f8085266
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Protected Storage System Provider\S-1-5-21-1482476501-1645522239-1417001333-500\Data
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Protected Storage System Provider\S-1-5-21-1482476501-1645522239-1417001333-500\Data 2\Windows
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Protected Storage System Provider\S-1-5-21-1482476501-1645522239-1417001333-500\Data 2
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Protected Storage System Provider\S-1-5-21-1482476501-1645522239-1417001333-500
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Session Manager\FileRenameOperations
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents
\REGISTRY\MACHINE\SOFTWARE\Classes\CompressedFolder\shellex\PropertyHandler
\REGISTRY\MACHINE\SOFTWARE\Classes\CompressedFolder\shellex
\REGISTRY\MACHINE\SOFTWARE\Classes\CompressedFolder
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Compress old files
Behavior description:Deletes registry key: system context menu
details:\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\New
\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers
Behavior description:Modifies registry: Security Center properties
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify
Behavior description:Modifies registry: IE start page
details:\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Internet Explorer\Main\Start Page
Behavior description:Deletes registry key: file association
details:\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\mspaint.exe\shell\edit\command
\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\shimgvw.dll\shell\open\command
\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\shimgvw.dll\shell\print\command
\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wordpad.exe\shell\open\command
Other behavior
Behavior description:Sets object security information
details:USERS\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Protected Storage System Provider\S-1-5-21-1482476501-1645522239-1417001333-500
Behavior description:Creates mutex
details:CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1645522239-1417001333-500MUTEX.DefaultS-1-5-21-1482476501-1645522239-1417001333-500
SHIMLIB_LOG_MUTEX
Behavior description:Hides specified window
details:[Window,Class] = [AutoIt v3,AutoIt v3]
[Window,Class] = [,tooltips_class32]
Behavior description:Detects whether it is being debugged
details:N/A
Behavior description:Searches for specified window
details:NtUserFindWindowEx: [Class,Window] = [RegEdit_RegEdit,]
Behavior description:Acquires system privilege
details:SE_LOAD_DRIVER_PRIVILEGE
Behavior description:Window information
details:Pid = 2664, Hwnd=0x10354, Text = ○ 系统增强优化 驱动服务清理 数字键盘设置 网络环境设置 常用软件安装 , ClassName = Static.
Pid = 2664, Hwnd=0x10352, Text = WINXPSP3安装程序, ClassName = AutoIt v3.
Pid = 2664, Hwnd=0x60354, Text = √ 系统增强优化 √ 驱动服务清理 √ 数字键盘设置 √ 网络环境设置 √ 常用软件安装 , ClassName = Static.
Pid = 2664, Hwnd=0x60352, Text = WINXPSP3安装程序, ClassName = AutoIt v3.
Behavior description:Detects VMware by searching for files
details:FindFirstFileEx: FileName = c:\docume~1\admini~1\locals~1\temp\vmwarednd\*.*
FindFirstFileEx: FileName = c:\docume~1\admini~1\locals~1\temp\vmwarednd\*
FindFirstFileEx: FileName = c:\windows\temp\vmware-system\*.*
FindFirstFileEx: FileName = c:\windows\temp\vmware-system\*
Run screenshot