VirSCAN

File information
Security score: 60
Basic information
MD5: 7e7546ffb6676e38a661b8af42f43b64
File type: Autoit
Vendor:
Version: 3.3.6.1---3, 3, 6, 1
Packer/compiler info: PACKER:UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]
Sub-file information (name / MD5 / type): upx30_e52e7f27dumpFile / 38d7276f0fd5602278e56dd4ef6a33fe / EXE
AutoItScript / e31f21e5dc24ac28106661ab3ee847f8 / Unknown
omnifs32.exe / be4f869d7b70a9f3059f58509144cdbf / EXE
upx_c_a9778978dumpFile / d30bf7dd2ebe940d2983cb2a36893bc1 / EXE
AutoITdumpFile / 611adc5deaa9296402c538dc6206e916 / Unknown
upx_c_9234a3c1dumpFile / 7611276600d85979496295778c59482a / EXE
SHOWDRIVE.EXE / 9dcc76e36021f25312903377500566e2 / EXE
DSPTW.exe / c3429879521305de064a0952dab5eb6a / EXE
Readme.txt / 0203a1c92ba951e089316bb2987b19b6 / Unknown
Key behaviours
Behaviour: Checks whether it is being debugged
Details: N/A
Behaviour: Hides specified windows
Details: [Window,Class] = [AutoIt v3,AutoIt v3]
[Window,Class] = [,SysListView32]
[Window,Class] = [重建MBR,Button]
[Window,Class] = [口令保护,Button]
[Window,Class] = [禁用IDE,Button]
[Window,Class] = [Ghost32,Button]
[Window,Class] = [,ComboLBox]
[Window,Class] = [,ComboBox]
[Window,Class] = [备份,Button]
[Window,Class] = [还原,Button]
[Window,Class] = [DOS,Button]
[Window,Class] = [映像,Static]
[Window,Class] = [D:\Ghost\SYS.GHO,Edit]
[Window,Class] = [..,Button]
[Window,Class] = [-,Button]
Process behaviour
Behaviour: Creates a process with a hidden window
Details: ImagePath = , CmdLine = c:\windows\system32\cmd.exe /c dsptw.exe /a /pdr /y>dspt.txt
ImagePath = , CmdLine = c:\windows\system32\cmd.exe /c dsptw.exe 1 /find:all /ghoststyle /y>dspt1.txt
Behaviour: Creates a process
Details: ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c DSPTW.exe /a /pdr /y>dspt.txt
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = C:\WINDOWS\system32\cmd.exe /c DSPTW.exe 1 /find:all /ghoststyle /y>dspt1.txt
Behaviour: Creates a process from a newly written file
Details: ImagePath = C:\WINDOWS\system32\DSPTW.exe, CmdLine = DSPTW.exe /a /pdr /y
ImagePath = C:\WINDOWS\system32\SHOWDRIVE.EXE, CmdLine = SHOWDRIVE.EXE
ImagePath = C:\WINDOWS\system32\DSPTW.exe, CmdLine = DSPTW.exe 1 /find:all /ghoststyle /y
File behaviour
Behaviour: Creates executable files
Details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aut3.tmp
C:\WINDOWS\system32\DSPTW.exe
C:\WINDOWS\system32\SHOWDRIVE.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aut5.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aut6.tmp
Behaviour: Modifies file contents
Details: C:\WINDOWS\system32\dspt.txt---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aut4.tmp---> Offset = 12288
C:\WINDOWS\system32\dspt1.txt---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aut7.tmp---> Offset = 0
C:\WINDOWS\system32\Readme.txt---> Offset = 0
Registry behaviour
Behaviour: Modifies the registry
Details: \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\X\BaseClass
Other behaviours
Behaviour: Checks whether it is being debugged
Details: N/A
Behaviour: Creates a mutex
Details: SHIMLIB_LOG_MUTEX
Behaviour: Hides specified windows
Details: [Window,Class] = [AutoIt v3,AutoIt v3]
[Window,Class] = [,SysListView32]
[Window,Class] = [重建MBR,Button]
[Window,Class] = [口令保护,Button]
[Window,Class] = [禁用IDE,Button]
[Window,Class] = [Ghost32,Button]
[Window,Class] = [,ComboLBox]
[Window,Class] = [,ComboBox]
[Window,Class] = [备份,Button]
[Window,Class] = [还原,Button]
[Window,Class] = [DOS,Button]
[Window,Class] = [映像,Static]
[Window,Class] = [D:\Ghost\SYS.GHO,Edit]
[Window,Class] = [..,Button]
[Window,Class] = [-,Button]
Behaviour: Window information
Details: Pid = 1924, Hwnd=0xc01d6, Text = 搜索, ClassName = Button.
Pid = 1924, Hwnd=0xc01c2, Text = *., ClassName = Static.
Pid = 1924, Hwnd=0xb01c6, Text = GHO, ClassName = Edit.
Pid = 1924, Hwnd=0xb0184, Text = 目录深度, ClassName = Static.
Pid = 1924, Hwnd=0xa01aa, Text = 3, ClassName = Edit.
Pid = 1924, Hwnd=0xb01be, Text = 重建MBR, ClassName = Button(CheckBox).
Pid = 1924, Hwnd=0xc01b4, Text = 口令保护, ClassName = Button(CheckBox).
Pid = 1924, Hwnd=0xb0170, Text = 禁用IDE, ClassName = Button(CheckBox).
Pid = 1924, Hwnd=0xb01ce, Text = Ghost32, ClassName = Button(CheckBox).
Pid = 1924, Hwnd=0xd01ac, Text = 启动模块1, ClassName = ComboBox.
Pid = 1924, Hwnd=0xb0192, Text = 启动模块1, ClassName = Edit.
Pid = 1924, Hwnd=0xb016c, Text = 快速压缩, ClassName = ComboBox.
Pid = 1924, Hwnd=0xd0190, Text = 快速压缩, ClassName = Edit.
Pid = 1924, Hwnd=0xc01b6, Text = 不分卷, ClassName = ComboBox.
Pid = 1924, Hwnd=0xb01e0, Text = 不分卷, ClassName = Edit.
Behaviour: Acquires a system privilege
Details: SE_LOAD_DRIVER_PRIVILEGE
Behaviour: Enumerates windows
Details: N/A
Behaviour: Directly accesses a physical device
Details: \??\PhysicalDrive0