VirSCAN

File information
Safety rating: 40

Behavior list

Basic Information
MD5: 855ea29ed938ec9b8b8bbed1173961ea
File type: AutoIt
Production company:
Version:
Shell or compiler information: COMPILER: Microsoft Visual C++ 6.0
Subfile information (name / MD5 / type):
130dumpFile / 5af1055026c10341989c9ec8c0133292 / Autoit
AutoItScript / c3c35b50e5543e22fcce8fdbb7778d79 / Unknown
7za.exe / 9309fcded3bca9e70621ad5ed0c78068 / EXE
back.jpg / f3b23f1fbf14c21924fb52ab71176d1f / Unknown
BatPrep.dll / d076187078eaa5d605abdbceb9232980 / DLL
ntldr.chs / 87774a4506b78e74352de083688ec8d8 / Unknown
ntldr.cht / 87774a4506b78e74352de083688ec8d8 / Unknown
ntldr.eng / 87774a4506b78e74352de083688ec8d8 / Unknown
SetACL.exe / acde12fa9a971a254c76c34c0bbe8608 / EXE
sysprep.2003.exe / 236533bb6c1fa944b36e633425c5988f / EXE
sysprep.xp.exe / ea535672f5a995a271272e3263f1245e / EXE
fldrclnr.dll / 54f35f0c9b6f0c94dc565719c22380dd / DLL
DevCon_x64.exe / 20f619ebb6d10ee6a5c164d7dfd36f32 / EXE
DevCon_x86.exe / c4b470269324517ee838789c7cf5e606 / EXE
Lng.Eng.ini / 6f75158411759708ef0e7c33ac2c638c / Unknown
Lng.Chs.ini / f5ec0bb95ec586c309650b1a883f4bb5 / Unknown
Lng.Cht.ini / 8035bf561c6b14e3e5991fb6727c26fa / Unknown
setupcl.2003.exe / e4837c0abfd10fbcd116ecbdc8e9e8b8 / SYS
setupcl.xp.exe / 1a172820af11fce8c0b526b61448a6cf / SYS
Key behavior
Behavior description: Modify registry (IE start page)
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start PAGE
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\Start PAGE
Behavior description: Look up PE resource information
details:(FindResourceW) hModule = 0x00000000, ResName: 83(ID), ResType: EXE
(FindResourceW) hModule = 0x00000000, ResName: 82(ID), ResType: EXE
Behavior description: Get TickCount value
details:TickCount = 232068, SleepMilliseconds = 600.
TickCount = 232084, SleepMilliseconds = 600.
Process behavior
Behavior description: Create process with hidden window
details:ImagePath = , CmdLine = cmd /C del /f /s /q "C:\WINDOWS\oobe3\*"
ImagePath = , CmdLine = cmd /C del /f /s /q "C:\WINDOWS\oobe5\*"
ImagePath = , CmdLine = cmd /C del /f /s /q "C:\WINDOWS\help\cmd.exe"
ImagePath = , CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{C15DA109-D87B-43ac-BAF9-F7F84D7A0B0C} /v Data1 /f
ImagePath = , CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{C15DA109-D87B-43ac-BAF9-F7F84D7A0B0C} /v Data2 /f
ImagePath = , CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{C15DA109-D87B-43ac-BAF9-F7F84D7A0B0C} /v Data3 /f
ImagePath = , CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{C15DA109-D87B-43ac-BAF9-F7F84D7A0B0C} /v Data4 /f
ImagePath = , CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{B79B56CE-777B-4232-8F7E-9923EBAF2723} /v Data1 /f
ImagePath = , CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{B79B56CE-777B-4232-8F7E-9923EBAF2723} /v Data2 /f
ImagePath = , CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{B79B56CE-777B-4232-8F7E-9923EBAF2723} /v Data3 /f
ImagePath = , CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{B79B56CE-777B-4232-8F7E-9923EBAF2723} /v Data4 /f
ImagePath = , CmdLine = cmd /C del /f /s /q "C:\Documents and Settings\All Users\「开始」菜单\程序\启动\*.*"
ImagePath = , CmdLine = cmd /C del /f /s /q "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.*"
ImagePath = , CmdLine = reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Baidu /va /f
ImagePath = , CmdLine = reg delete HKEY_CURRENT_USER\Software\360\360se5\se6 /va /f
Behavior description: Create process
details:[0x00000ec4]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /C del /f /s /q "C:\WINDOWS\oobe3\*"
[0x00000ecc]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /C del /f /s /q "C:\WINDOWS\oobe5\*"
[0x00000ed4]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /C del /f /s /q "C:\WINDOWS\help\cmd.exe"
[0x00000ef4]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{C15DA109-D87B-43ac-BAF9-F7F84D7A0B0C} /v Data1 /f
[0x00000efc]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{C15DA109-D87B-43ac-BAF9-F7F84D7A0B0C} /v Data2 /f
[0x00000f10]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{C15DA109-D87B-43ac-BAF9-F7F84D7A0B0C} /v Data3 /f
[0x00000f28]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{C15DA109-D87B-43ac-BAF9-F7F84D7A0B0C} /v Data4 /f
[0x00000f3c]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{B79B56CE-777B-4232-8F7E-9923EBAF2723} /v Data1 /f
[0x00000f5c]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{B79B56CE-777B-4232-8F7E-9923EBAF2723} /v Data2 /f
[0x00000f70]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{B79B56CE-777B-4232-8F7E-9923EBAF2723} /v Data3 /f
[0x00000f78]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{B79B56CE-777B-4232-8F7E-9923EBAF2723} /v Data4 /f
[0x00000f80]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /C del /f /s /q "C:\Documents and Settings\All Users\「开始」菜单\程序\启动\*.*"
[0x00000f88]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /C del /f /s /q "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.*"
[0x00000f90]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Baidu /va /f
[0x00000fa0]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg delete HKEY_CURRENT_USER\Software\360\360se5\se6 /va /f
Behavior description: Create process from a newly created file
details:[0x00000678]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\MyDeploy.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\MyDeploy.exe"
Behavior description: Create local thread
details:TargetProcess: MyDeploy.exe, InheritedFromPID = 3768, ProcessID = 1656, ThreadID = 1684, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: MyDeploy.exe, InheritedFromPID = 3768, ProcessID = 1656, ThreadID = 1660, StartAddress = 0044B5E7, Parameter = 01743010
File behavior
Behavior description: Create file
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\Deploy.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\MyDeploy.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\VerTemp.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\aut7.tmp
C:\WINDOWS\ES3\Language.ini
Behavior description: Create executable file
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\Deploy.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\MyDeploy.exe
Behavior description: Overwrite existing file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\aut7.tmp
Behavior description: Find file
details:FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\cmd.exe
FileName = C:\WINDOWS\system32\reg.exe
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\WINDOWS\help\cmd.exe
FileName = C:\WINDOWS\help\*
FileName = C:\Documents and Settings\All Users\「开始」菜单\程序\启动\*.*
FileName = C:\Documents and Settings\All Users\「开始」菜单\程序\启动\*
FileName = C:\Documents and Settings\Administrator\Application Data\KuGou8
FileName = C:\Documents and Settings\Administrator\Application Data\*
Behavior description: Delete file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\VerTemp.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\aut7.tmp
Behavior description: Modify file contents
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\Deploy.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\MyDeploy.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\VerTemp.txt ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\VerTemp.txt ---> Offset = 2
C:\Documents and Settings\Administrator\Local Settings\Temp\VerTemp.txt ---> Offset = 38
C:\Documents and Settings\Administrator\Local Settings\Temp\aut7.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\aut7.tmp ---> Offset = 4096
C:\WINDOWS\ES3\Language.ini ---> Offset = 0
C:\WINDOWS\ES3\Language.ini ---> Offset = 24576
Registry behavior
Behavior description: Modify registry
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\First Home Page
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\First Home Page
Behavior description: Modify registry (IE key properties)
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
Behavior description: Modify registry (IE start page)
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start PAGE
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\Start PAGE
Other behavior
Behavior description: Check whether it is being debugged
details:IsDebuggerPresent
Behavior description: Create mutex
details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
Behavior description: Create event object
details:EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
Behavior description: Find specified window
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behavior description: Open event
details:HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
CTF.ThreadMIConnectionEvent.000007E8.00000000.0000000F
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.0000000F
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Behavior description: Get TickCount value
details:TickCount = 232068, SleepMilliseconds = 600.
TickCount = 232084, SleepMilliseconds = 600.
Behavior description: Adjust process token privileges
details:SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Window information
details:Pid = 1656, Hwnd=0x10344, Text = 确定 (OK), ClassName = Button.
Pid = 1656, Hwnd=0x10348, Text = Deploy.exe运行模式不明!放弃继续执行! (Deploy.exe run mode unknown! Abort execution!), ClassName = Static.
Pid = 1656, Hwnd=0x20342, Text = Easy Sysprep, ClassName = #32770.
Behavior description: Look up PE resource information
details:(FindResourceW) hModule = 0x00000000, ResName: 83(ID), ResType: EXE
(FindResourceW) hModule = 0x00000000, ResName: 82(ID), ResType: EXE
Behavior description: Executable file signature information
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\Deploy.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\%temp%\MyDeploy.exe (signature verification: failed)
Behavior description: Call Sleep function
details:[1]: MilliSeconds = 600.
Behavior description: Hide specified window
details:[Window,Class] = [AutoIt v3,AutoIt v3]
Behavior description: Executable file MD5
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\Deploy.exe ---> ffd4968c8c56de4dea05f7339821b06f
C:\Documents and Settings\Administrator\Local Settings\%temp%\MyDeploy.exe ---> 5af1055026c10341989c9ec8c0133292
Behavior description: Open mutex
details:ShimCacheMutex
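As an added example (not part of the VirSCAN report and not code from the analysed tool), the Python script below parses the behaviour-list format used above and pulls out what a responder triages first: the child processes spawned via cmd.exe and reg.exe with a coarse classification of each command line, the dropped executables with their MD5s, and the registry paths that touch the Internet Explorer home-page values (Start PAGE, Default_Page_URL, First Home Page). The excerpt fed to it is constructed from lines on this page; the tag names (startup_folder_wipe, service_key_value_delete, key_values_wipe, windows_dir_delete) are labels invented for this example, not VirSCAN categories. Two caveats a practitioner should keep in mind: the sample's dialog title is "Easy Sysprep" and its bundled subfiles are Microsoft deployment utilities (sysprep, setupcl, DevCon, SetACL), so wiping oobe folders, Startup folders and vendor registry keys is consistent with an image clean-up tool and the tags are behaviour labels, not a verdict; and the drop path in the report contains a literal "%temp%" directory component, which the parser keeps verbatim rather than expanding.

```python
"""Parse a VirSCAN-style behaviour list into triage indicators.

Added example, not VirSCAN code. SAMPLE_REPORT is a constructed excerpt of
the report on this page; the tag names in classify_cmdline are our own.
"""
import re
from collections import defaultdict

# Constructed excerpt (behaviour descriptions already translated to English).
SAMPLE_REPORT = r"""Process behavior
Behavior description: Create process
details:[0x00000ec4]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /C del /f /s /q "C:\WINDOWS\oobe3\*"
[0x00000ef4]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{C15DA109-D87B-43ac-BAF9-F7F84D7A0B0C} /v Data1 /f
[0x00000f88]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /C del /f /s /q "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.*"
[0x00000f90]ImagePath = C:\WINDOWS\system32\reg.exe, CmdLine = reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Baidu /va /f
Registry behavior
Behavior description: Modify registry (IE start page)
details:\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start PAGE
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\Start PAGE
Other behavior
Behavior description: Executable file MD5
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\Deploy.exe ---> ffd4968c8c56de4dea05f7339821b06f
C:\Documents and Settings\Administrator\Local Settings\%temp%\MyDeploy.exe ---> 5af1055026c10341989c9ec8c0133292
"""

SECTION_HEADINGS = {"Key behavior", "Process behavior", "File behavior",
                    "Registry behavior", "Other behavior"}
# "[0xPID]ImagePath = <image>, CmdLine = <cmd>"; the PID prefix is optional.
PROC_RE = re.compile(r"^(?:\[0x([0-9a-fA-F]+)\])?ImagePath = (.*?), CmdLine = (.*)$")
MD5_RE = re.compile(r"^(.*?) ---> ([0-9a-f]{32})$")
IE_HOME_VALUES = ("Start PAGE", "Default_Page_URL", "First Home Page")


def parse_behaviors(text):
    """Return {behaviour description: [detail lines]} across all sections."""
    behaviors = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in SECTION_HEADINGS:
            continue
        if line.startswith("Behavior description:"):
            current = line.split(":", 1)[1].strip()
            continue
        if line.startswith("details:"):          # first detail line carries the prefix
            line = line[len("details:"):].strip()
        if current is not None:
            behaviors[current].append(line)
    return dict(behaviors)


def classify_cmdline(cmdline):
    """Tag one spawned command line (labels are this example's, not VirSCAN's)."""
    tags = set()
    low = cmdline.lower()
    if low.startswith("cmd /c del"):
        # Startup folder in either the English or the localized Chinese path.
        if "\\startup\\" in low or "\\启动\\" in cmdline:
            tags.add("startup_folder_wipe")
        elif "c:\\windows\\" in low:
            tags.add("windows_dir_delete")
    if low.startswith("reg delete"):
        if "\\currentcontrolset\\services\\" in low:
            tags.add("service_key_value_delete")
        if " /va " in low:                        # /va removes every value under the key
            tags.add("key_values_wipe")
    return tags


def spawned_processes(behaviors):
    """(pid, image, cmdline, tags) for each 'Create process' detail line."""
    out = []
    for line in behaviors.get("Create process", []):
        m = PROC_RE.match(line)
        if not m:
            continue
        pid = int(m.group(1), 16) if m.group(1) else None
        out.append((pid, m.group(2), m.group(3), classify_cmdline(m.group(3))))
    return out


def dropped_executables(behaviors):
    """{path: md5} from the 'Executable file MD5' section, paths kept verbatim."""
    found = {}
    for line in behaviors.get("Executable file MD5", []):
        m = MD5_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def ie_homepage_writes(behaviors):
    """Registry paths ending in an IE home-page value, from any 'Modify registry' entry."""
    hits = []
    for desc, lines in behaviors.items():
        if desc.startswith("Modify registry"):
            hits.extend(l for l in lines if l.endswith(IE_HOME_VALUES))
    return hits


if __name__ == "__main__":
    b = parse_behaviors(SAMPLE_REPORT)
    for pid, image, cmd, tags in spawned_processes(b):
        print(f"{pid} {image}: {sorted(tags) or '-'}  {cmd}")
    print(dropped_executables(b))
    print(ie_homepage_writes(b))
```

The same functions work on the full behaviour list above once the Chinese description labels are translated as on this page; only the "Create process" and "Executable file MD5" descriptions and the "Modify registry" prefix are matched by name, everything else is carried through untouched for further rules.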