VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.

File information
Security score: 55
Basic information
MD5: acb97eeb7d51274ec4439418c9eb1430
File type: zip
Vendor:
Version:
Packer or compiler info:
Sub-file info: yusetup7.exe / b24781be994e2581aeb202ced273e63a / EXE
注册码.txt / 20369290e03903ef7e341ed537370507 / Unknown
Key behaviors
Behavior description: Cross-process data write
Details: TargetProcess = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-C6T5M.tmp\urmain.exe, WriteAddress = 0x0163fffc, Size = 0x00000004 TargetPID = 0x00000c24
Behavior description: Probe for presence of Virtual PC
Details: N/A
Behavior description: Create remote thread
Details: TargetProcess: urmain.exe, InheritedFromPID = 3100, ProcessID = 3108, ThreadID = 3124, StartAddress = 00000000, Parameter = 00000001
Behavior description: Attempt to open driver device objects of debuggers or monitoring software
Details: \??\SICE
\??\NTICE
\??\SIWVID
Behavior description: Get TickCount value
Details: TickCount = 225329, SleepMilliseconds = 1.
TickCount = 225360, SleepMilliseconds = 1.
TickCount = 225376, SleepMilliseconds = 1.
TickCount = 229718, SleepMilliseconds = 500.
TickCount = 229734, SleepMilliseconds = 500.
TickCount = 229750, SleepMilliseconds = 500.
TickCount = 230515, SleepMilliseconds = 500.
Behavior description: Block window close message
Details: hWnd = 0x00010346, Text = 安装向导, ClassName = TApplication.
Behavior description: Cross-process write to code segment
Details: TargetProcess = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-C6T5M.tmp\urmain.exe, WriteAddress = 0x00aaac62, Size = 0x00000002 TargetPID = 0x00000c24
Behavior description: Look up PE resource information
Details: (FindResourceW) hModule = 0x00400000, ResName: SHFOLDERDLL, ResType: a(ID)
Behavior description: Query registry (virtual machine detection related)
Details: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Behavior description: Search for windows of common anti-virus and analysis tools
Details: NtUserFindWindowEx: [Class,Window] = [FileMonClass,]
NtUserFindWindowEx: [Class,Window] = [RegMonClass,]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]
Behavior description: Detect virtual machine via VMware special instruction
Details: N/A
Process behaviors
Behavior description: Cross-process data write
Details: TargetProcess = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-C6T5M.tmp\urmain.exe, WriteAddress = 0x0163fffc, Size = 0x00000004 TargetPID = 0x00000c24
Behavior description: Create new process from file
Details: [0x00000ba8]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-Q1TQQ.tmp\yusetup7.tmp, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-Q1TQQ.tmp\yusetup7.tmp" /SL5="$3033C,6221486,246272,C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Your Unin-staller! 7\yusetup7.exe"
[0x00000c1c]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-C6T5M.tmp\urmain.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-C6T5M.tmp\urmain.exe" -isregistered
[0x00000c24]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-C6T5M.tmp\urmain.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-C6T5M.tmp\urmain.exe" -isregistered
Behavior description: Create remote thread
Details: TargetProcess: urmain.exe, InheritedFromPID = 3100, ProcessID = 3108, ThreadID = 3124, StartAddress = 00000000, Parameter = 00000001
Behavior description: Enumerate processes
Details: N/A
Behavior description: Cross-process write to code segment
Details: TargetProcess = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-C6T5M.tmp\urmain.exe, WriteAddress = 0x00aaac62, Size = 0x00000002 TargetPID = 0x00000c24
Behavior description: Create local thread
Details: TargetProcess: yusetup7.tmp, InheritedFromPID = 2932, ProcessID = 2984, ThreadID = 3012, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: urmain.exe, InheritedFromPID = 2984, ProcessID = 3100, ThreadID = 3128, StartAddress = 00A98B80, Parameter = 00000050
TargetProcess: urmain.exe, InheritedFromPID = 3100, ProcessID = 3108, ThreadID = 3156, StartAddress = 01804EA0, Parameter = 00000000
TargetProcess: urmain.exe, InheritedFromPID = 3100, ProcessID = 3108, ThreadID = 3164, StartAddress = 004058F0, Parameter = 01DC13F8
TargetProcess: urmain.exe, InheritedFromPID = 3100, ProcessID = 3108, ThreadID = 3244, StartAddress = 01804440, Parameter = 00000000
TargetProcess: urmain.exe, InheritedFromPID = 3100, ProcessID = 3108, ThreadID = 3248, StartAddress = 004058F0, Parameter = 01DC143C
TargetProcess: yusetup7.tmp, InheritedFromPID = 2932, ProcessID = 2984, ThreadID = 3332, StartAddress = 4A426B97, Parameter = 0555F000
TargetProcess: yusetup7.tmp, InheritedFromPID = 2932, ProcessID = 2984, ThreadID = 3336, StartAddress = 4A426D10, Parameter = 4A410000
TargetProcess: yusetup7.tmp, InheritedFromPID = 2932, ProcessID = 2984, ThreadID = 3340, StartAddress = 4A426D10, Parameter = 4A410000
File behaviors
Behavior description: Create file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\is-Q1TQQ.tmp\yusetup7.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\_isetup\_shfoldr.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\isxdl.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\urmain.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\vcl70.bpl
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\rtl70.bpl
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\vclx70.bpl
C:\Documents and Settings\Administrator\Application Data\URSoft\Your Uninstaller\yu.log
Behavior description: Create executable file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\is-Q1TQQ.tmp\yusetup7.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\_isetup\_shfoldr.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\isxdl.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\urmain.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\vcl70.bpl
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\rtl70.bpl
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\vclx70.bpl
Behavior description: Modify file contents
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\is-Q1TQQ.tmp\yusetup7.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\is-Q1TQQ.tmp\yusetup7.tmp ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\is-Q1TQQ.tmp\yusetup7.tmp ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\is-Q1TQQ.tmp\yusetup7.tmp ---> Offset = 196608
C:\Documents and Settings\Administrator\Local Settings\Temp\is-Q1TQQ.tmp\yusetup7.tmp ---> Offset = 262144
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\_isetup\_shfoldr.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\isxdl.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\isxdl.dll ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\isxdl.dll ---> Offset = 4096
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\isxdl.dll ---> Offset = 8192
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\urmain.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\urmain.exe ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\urmain.exe ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\urmain.exe ---> Offset = 196608
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\urmain.exe ---> Offset = 262144
Behavior description: Find file
Details: FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-Q1TQQ.tmp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-Q1TQQ.tmp\yusetup7.tmp
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\My Documents
FileName = C:\Documents and Settings\All Users
FileName = C:\Documents and Settings\All Users\Documents
FileName = C:\Documents and Settings\Administrator\桌面
FileName = C:\Documents and Settings\All Users\桌面
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-C6T5M.tmp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-C6T5M.tmp\urmain.exe
Behavior description: Copy file
Details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-C6T5M.tmp\uruninstaller.ini ---> C:\Documents and Settings\Administrator\Application Data\URSoft\Your Uninstaller\uruninstaller.ini
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-C6T5M.tmp\logconf.ini ---> C:\Documents and Settings\Administrator\Application Data\URSoft\Your Uninstaller\logconf.ini
Network behaviors
Behavior description: Connect to specified site
Details: WinHttpConnect: ServerName = ww****om, PORT = 80, UserName = , Password = , hSession = 0x05553100, hConnect = 0x05553200, Flags = 0x00000000
Behavior description: Open HTTP connection
Details: WinHttpOpen: UserAgent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5), hSession = 0x05553100
Behavior description: Establish connection to a specified socket
Details: IP: **.0.0.**:1031, SOCKET = 0x0000026c
IP: **.0.0.**:1032, SOCKET = 0x0000026c
IP: **.0.0.**:1033, SOCKET = 0x0000026c
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x0000028c
IP: **.0.0.**:1035, SOCKET = 0x00000294
IP: **.0.0.**:1036, SOCKET = 0x00000294
IP: **.0.0.**:1037, SOCKET = 0x00000294
IP: **.0.0.**:1038, SOCKET = 0x00000294
IP: **.0.0.**:1039, SOCKET = 0x00000294
IP: **.0.0.**:1040, SOCKET = 0x00000294
IP: **.0.0.**:1041, SOCKET = 0x000002ac
IP: **.0.0.**:1042, SOCKET = 0x000002ac
IP: **.0.0.**:1043, SOCKET = 0x000002ac
IP: **.0.0.**:1044, SOCKET = 0x000002ac
IP: **.0.0.**:1045, SOCKET = 0x000002ac
Behavior description: Send HTTP packet
Details: GET /sc/versioncheck.php?pid=YU&version=7.5.2014.3 HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: ww****om Connection: Keep-Alive
Behavior description: Open HTTP request
Details: WinHttpOpenRequest: ww****om:80/sc/versioncheck.php?pid=yu&version=7.5.2014.3, hConnect = 0x05553200, hRequest = 0x055c0000, Verb: GET, Referer: , Flags = 0x00000080
Behavior description: Resolve host address by name
Details: GetAddrInfoW: ww****om
Registry behaviors
Behavior description: Modify registry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-C6T5M.tmp\urmain.exe
\REGISTRY\MACHINE\SOFTWARE\Licenses\{R7C0DB872A3F777C0}
\REGISTRY\MACHINE\SOFTWARE\Licenses\{K7C0DB872A3F777C0}
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C02D1C7-B6DC-2D82-8441-B4D41CE548C5}\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C02D1C7-B6DC-2D82-8441-B4D41CE548C5}\Docobject\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C02D1C7-B6DC-2D82-8441-B4D41CE548C5}\LocalServer32\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C02D1C7-B6DC-2D82-8441-B4D41CE548C5}\ProgId\
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C02D1C7-B6DC-2D82-8441-B4D41CE548C5}\VersionIndependentProgID\
\REGISTRY\MACHINE\SOFTWARE\Licenses\{I1A025C51A1747CC8}
\REGISTRY\MACHINE\SOFTWARE\Licenses\{01A025C51A1747CC8}
Behavior description: Delete registry value
Details: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C02D1C7-B6DC-2D82-8441-B4D41CE548C5}\0
Behavior description: Query registry (virtual machine detection related)
Details: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Other behaviors
Behavior description: Check whether it is being debugged
Details: IsDebuggerPresent
Behavior description: Hide specified window
Details: [Window,Class] = [安装向导,TApplication]
Behavior description: Get cursor position
Details: CursorPos = (80,18468), SleepMilliseconds = 1.
Behavior description: Directly access physical device
Details: \??\PHYSICALDRIVE0
Behavior description: Executable file signature information
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\is-Q1TQQ.tmp\yusetup7.tmp (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\_isetup\_shfoldr.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\isxdl.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\urmain.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\vcl70.bpl (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\rtl70.bpl (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\vclx70.bpl (signature verification: failed)
Behavior description: Load newly dropped file
Details: Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-C6T5M.tmp\isxdl.dll.
Behavior description: Detect virtual machine via VMware special instruction
Details: N/A
Behavior description: Block window close message
Details: hWnd = 0x00010346, Text = 安装向导, ClassName = TApplication.
Behavior description: Executable file MD5
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\is-Q1TQQ.tmp\yusetup7.tmp ---> aa875499ccfe90507369f6aeca10db3b
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\_isetup\_shfoldr.dll ---> 92dc6ef532fbb4a5c3201469a5b5eb63
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\isxdl.dll ---> 48ad1a1c893ce7bf456277a0a085ed01
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\urmain.exe ---> file too large!
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\vcl70.bpl ---> dcbc172616a4ca767d5c81622d7512e7
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\rtl70.bpl ---> e4e90d2fc6c35486683515833d4ecb44
C:\Documents and Settings\Administrator\Local Settings\Temp\is-C6T5M.tmp\vclx70.bpl ---> e12c66ffd510c78731d5400eddecd8c8
Behavior description: Search for windows of common anti-virus and analysis tools
Details: NtUserFindWindowEx: [Class,Window] = [FileMonClass,]
NtUserFindWindowEx: [Class,Window] = [RegMonClass,]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]
Behavior description: Create mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
C24::DAF9AED7F1
DILLOCREATE
DILLOOEP
RAL1A025C51
1A025C51::WK
Behavior description: Attempt to open driver device objects of debuggers or monitoring software
Details: \??\SICE
\??\NTICE
\??\SIWVID
Behavior description: Get TickCount value
Details: TickCount = 225329, SleepMilliseconds = 1.
TickCount = 225360, SleepMilliseconds = 1.
TickCount = 225376, SleepMilliseconds = 1.
TickCount = 229718, SleepMilliseconds = 500.
TickCount = 229734, SleepMilliseconds = 500.
TickCount = 229750, SleepMilliseconds = 500.
TickCount = 230515, SleepMilliseconds = 500.
Behavior description: Open event
Details: HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
CTF.ThreadMIConnectionEvent.000007E8.00000000.0000000F
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.0000000F
Global\SvcctrlStartEvent_A3752DX
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Behavior description: Look up PE resource information
Details: (FindResourceW) hModule = 0x00400000, ResName: SHFOLDERDLL, ResType: a(ID)
Behavior description: Probe for presence of Virtual PC
Details: N/A
Behavior description: Create event object
Details: EventName = DINPUTWINMM
EventName = MSCTF.SendReceive.Event.MKL.IC
EventName = MSCTF.SendReceiveConection.Event.MKL.IC
Behavior description: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [ThunderRT6FormDC,Shareware Cheater v 3.0]
NtUserFindWindowEx: [Class,Window] = [ThunderRT6FormDC,]
NtUserFindWindowEx: [Class,Window] = [MS_WINHELP,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [OleMainThreadWndClass,]
Behavior description: Window information
Details: Pid = 2984, Hwnd=0x10442, Text = 欢迎使用 Your Uninstaller! 7 安装向导 , ClassName = TNewStaticText.
Pid = 2984, Hwnd=0x10440, Text = 安装向导将在你的电脑上安装 Your Uninstaller! 7。 建议你在继续之前关闭所有其它应用程序。 单击“下一步”继续,或单击“取消”退出安装。, ClassName = TNewStaticText.
Pid = 2984, Hwnd=0x20388, Text = DirEdit, ClassName = TEdit.
Pid = 2984, Hwnd=0x2043e, Text = 下一步(&N) >, ClassName = TNewButton.
Pid = 2984, Hwnd=0x6042e, Text = 取消, ClassName = TNewButton.
Pid = 2984, Hwnd=0x3034e, Text = 安装向导 - Your Uninstaller! 7, ClassName = TWizardForm.
Behavior description: Adjust process token privileges
Details: SE_LOAD_DRIVER_PRIVILEGE
SE_INC_BASE_PRIORITY_PRIVILEGE
Behavior description: Enumerate windows
Details: N/A
Behavior description: Call Sleep function
Details: [1]: MilliSeconds = 100.
[1]: MilliSeconds = 1.
[2]: MilliSeconds = 1.
[3]: MilliSeconds = 1.
[4]: MilliSeconds = 1.
[5]: MilliSeconds = 1.
[6]: MilliSeconds = 1.
[7]: MilliSeconds = 1.
[8]: MilliSeconds = 1.
[9]: MilliSeconds = 100.
[10]: MilliSeconds = 1.
[2]: MilliSeconds = 250.
[3]: MilliSeconds = 500.
Behavior description: Open mutex
Details: ShimCacheMutex
Local\!IETld!Mutex
C1C::DAF9AED7F1
C24::DAF9AED7F1
DBWinMutex
1A025C51:SIMULATEEXPIRED
C24:DAF