VirSCAN VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, VirSCAN can scan compressed files with password 'infected' or 'virus'.

Language
Server load
Server Load

  Main Menu
VirSCAN  HOME VirSCAN  go Virscan.org VirSCAN  Report VirSCAN  Virus report VirSCAN  Behavior report VirSCAN  Help VirSCAN VirSCAN  Submit Bugs VirSCAN  Contact us
  Powered By
a-squared
a-squared
a-squared
 
File information
Safety rating:40
Behavior list
Basic Information
MD5:855ea29ed938ec9b8b8bbed1173961ea
file type:Autoit
Production company:
version:
Shell or compiler information:COMPILER:Microsoft Visual C++ 6.0
Subfile information:130dumpFile / 5af1055026c10341989c9ec8c0133292 / Autoit
AutoItScript / c3c35b50e5543e22fcce8fdbb7778d79 / Unknown
7za.exe / 9309fcded3bca9e70621ad5ed0c78068 / EXE
back.jpg / f3b23f1fbf14c21924fb52ab71176d1f / Unknown
BatPrep.dll / d076187078eaa5d605abdbceb9232980 / DLL
ntldr.chs / 87774a4506b78e74352de083688ec8d8 / Unknown
ntldr.cht / 87774a4506b78e74352de083688ec8d8 / Unknown
ntldr.eng / 87774a4506b78e74352de083688ec8d8 / Unknown
SetACL.exe / acde12fa9a971a254c76c34c0bbe8608 / EXE
sysprep.2003.exe / 236533bb6c1fa944b36e633425c5988f / EXE
sysprep.xp.exe / ea535672f5a995a271272e3263f1245e / EXE
fldrclnr.dll / 54f35f0c9b6f0c94dc565719c22380dd / DLL
DevCon_x64.exe / 20f619ebb6d10ee6a5c164d7dfd36f32 / EXE
DevCon_x86.exe / c4b470269324517ee838789c7cf5e606 / EXE
Lng.Eng.ini / 6f75158411759708ef0e7c33ac2c638c / Unknown
Lng.Chs.ini / f5ec0bb95ec586c309650b1a883f4bb5 / Unknown
Lng.Cht.ini / 8035bf561c6b14e3e5991fb6727c26fa / Unknown
setupcl.2003.exe / e4837c0abfd10fbcd116ecbdc8e9e8b8 / SYS
setupcl.xp.exe / 1a172820af11fce8c0b526b61448a6cf / SYS
Key behavior
Behavior description:修改注册表_IE首页
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start PAGE
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\Start PAGE
Behavior description:查找PE资源信息
details:(FindResourceW) hModule = 0x00000000, ResName: 83(ID), ResType: EXE
(FindResourceW) hModule = 0x00000000, ResName: 82(ID), ResType: EXE
Behavior description:获取TickCount值
details:TickCount = 232068, SleepMilliseconds = 600.
TickCount = 232084, SleepMilliseconds = 600.
Process behavior
Behavior description:隐藏窗口创建进程
details:ImagePath = , CmdLine = cmd /C del /f /s /q "C:\WINDOWS\oobe3\*"
ImagePath = , CmdLine = cmd /C del /f /s /q "C:\WINDOWS\oobe5\*"
ImagePath = , CmdLine = cmd /C del /f /s /q "C:\WINDOWS\help\cmd.exe"
ImagePath = , CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{C15DA109-D87B-43ac-BAF9-F7F84D7A0B0C} /v Data1 /f
ImagePath = , CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{C15DA109-D87B-43ac-BAF9-F7F84D7A0B0C} /v Data2 /f
ImagePath = , CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{C15DA109-D87B-43ac-BAF9-F7F84D7A0B0C} /v Data3 /f
ImagePath = , CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{C15DA109-D87B-43ac-BAF9-F7F84D7A0B0C} /v Data4 /f
ImagePath = , CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{B79B56CE-777B-4232-8F7E-9923EBAF2723} /v Data1 /f
ImagePath = , CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{B79B56CE-777B-4232-8F7E-9923EBAF2723} /v Data2 /f
ImagePath = , CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{B79B56CE-777B-4232-8F7E-9923EBAF2723} /v Data3 /f
ImagePath = , CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{B79B56CE-777B-4232-8F7E-9923EBAF2723} /v Data4 /f
ImagePath = , CmdLine = cmd /C del /f /s /q "C:\Documents and Settings\All Users\「开始」菜单\程序\启动\*.*"
ImagePath = , CmdLine = cmd /C del /f /s /q "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.*"
ImagePath = , CmdLine = reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Baidu /va /f
ImagePath = , CmdLine = reg delete HKEY_CURRENT_USER\Software\360\360se5\se6 /va /f
Behavior description:创建进程
details:[0x00000ec4]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /C del /f /s /q "C:\WINDOWS\oobe3\*"
[0x00000ecc]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /C del /f /s /q "C:\WINDOWS\oobe5\*"
[0x00000ed4]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /C del /f /s /q "C:\WINDOWS\help\cmd.exe"
[0x00000ef4]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{C15DA109-D87B-43ac-BAF9-F7F84D7A0B0C} /v Data1 /f
[0x00000efc]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{C15DA109-D87B-43ac-BAF9-F7F84D7A0B0C} /v Data2 /f
[0x00000f10]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{C15DA109-D87B-43ac-BAF9-F7F84D7A0B0C} /v Data3 /f
[0x00000f28]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{C15DA109-D87B-43ac-BAF9-F7F84D7A0B0C} /v Data4 /f
[0x00000f3c]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{B79B56CE-777B-4232-8F7E-9923EBAF2723} /v Data1 /f
[0x00000f5c]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{B79B56CE-777B-4232-8F7E-9923EBAF2723} /v Data2 /f
[0x00000f70]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{B79B56CE-777B-4232-8F7E-9923EBAF2723} /v Data3 /f
[0x00000f78]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{B79B56CE-777B-4232-8F7E-9923EBAF2723} /v Data4 /f
[0x00000f80]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /C del /f /s /q "C:\Documents and Settings\All Users\「开始」菜单\程序\启动\*.*"
[0x00000f88]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /C del /f /s /q "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.*"
[0x00000f90]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Baidu /va /f
[0x00000fa0]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg delete HKEY_CURRENT_USER\Software\360\360se5\se6 /va /f
Behavior description:创建新文件进程
details:[0x00000678]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\MyDeploy.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\MyDeploy.exe"
Behavior description:创建本地线程
details:TargetProcess: MyDeploy.exe, InheritedFromPID = 3768, ProcessID = 1656, ThreadID = 1684, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: MyDeploy.exe, InheritedFromPID = 3768, ProcessID = 1656, ThreadID = 1660, StartAddress = 0044B5E7, Parameter = 01743010
File behavior
Behavior description:创建文件
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\Deploy.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\MyDeploy.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\VerTemp.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\aut7.tmp
C:\WINDOWS\ES3\Language.ini
Behavior description:创建可执行文件
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\Deploy.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\MyDeploy.exe
Behavior description:覆盖已有文件
details:C:\Documents and Settings\Administrator\Local Settings\Temp\aut7.tmp
Behavior description:查找文件
details:FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\cmd.exe
FileName = C:\WINDOWS\system32\reg.exe
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\WINDOWS\help\cmd.exe
FileName = C:\WINDOWS\help\*
FileName = C:\Documents and Settings\All Users\「开始」菜单\程序\启动\*.*
FileName = C:\Documents and Settings\All Users\「开始」菜单\程序\启动\*
FileName = C:\Documents and Settings\Administrator\Application Data\KuGou8
FileName = C:\Documents and Settings\Administrator\Application Data\*
Behavior description:删除文件
details:C:\Documents and Settings\Administrator\Local Settings\Temp\VerTemp.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\aut7.tmp
Behavior description:修改文件内容
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\Deploy.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\MyDeploy.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\VerTemp.txt ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\VerTemp.txt ---> Offset = 2
C:\Documents and Settings\Administrator\Local Settings\Temp\VerTemp.txt ---> Offset = 38
C:\Documents and Settings\Administrator\Local Settings\Temp\aut7.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\aut7.tmp ---> Offset = 4096
C:\WINDOWS\ES3\Language.ini ---> Offset = 0
C:\WINDOWS\ES3\Language.ini ---> Offset = 24576
Registry behavior
Behavior description:修改注册表
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\First Home Page
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\First Home Page
Behavior description:修改注册表_IE关键属性
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
Behavior description:修改注册表_IE首页
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start PAGE
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\Start PAGE
Other behavior
Behavior description:检测自身是否被调试
details:IsDebuggerPresent
Behavior description:创建互斥体
details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
Behavior description:创建事件对象
details:EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
Behavior description:查找指定窗口
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behavior description:打开事件
details:HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
CTF.ThreadMIConnectionEvent.000007E8.00000000.0000000F
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.0000000F
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Behavior description:获取TickCount值
details:TickCount = 232068, SleepMilliseconds = 600.
TickCount = 232084, SleepMilliseconds = 600.
Behavior description:调整进程token权限
details:SE_LOAD_DRIVER_PRIVILEGE
Behavior description:窗口信息
details:Pid = 1656, Hwnd=0x10344, Text = 确定, ClassName = Button.
Pid = 1656, Hwnd=0x10348, Text = Deploy.exe运行模式不明!放弃继续执行!, ClassName = Static.
Pid = 1656, Hwnd=0x20342, Text = Easy Sysprep, ClassName = #32770.
Behavior description:查找PE资源信息
details:(FindResourceW) hModule = 0x00000000, ResName: 83(ID), ResType: EXE
(FindResourceW) hModule = 0x00000000, ResName: 82(ID), ResType: EXE
Behavior description:可执行文件签名信息
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\Deploy.exe(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\%temp%\MyDeploy.exe(签名验证: 未通过)
Behavior description:调用Sleep函数
details:[1]: MilliSeconds = 600.
Behavior description:隐藏指定窗口
details:[Window,Class] = [AutoIt v3,AutoIt v3]
Behavior description:可执行文件MD5
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\Deploy.exe ---> ffd4968c8c56de4dea05f7339821b06f
C:\Documents and Settings\Administrator\Local Settings\%temp%\MyDeploy.exe ---> 5af1055026c10341989c9ec8c0133292
Behavior description:打开互斥体
details:ShimCacheMutex
Run screenshot
VirSCAN

About VirSCAN | Privacy Policy | Contact us | Links | Help VirSCAN
Translated by Keith Miller, United States
Powered By CentOSpol

京ICP备11007605号-12

 pol

京公网安备 11010802020746号