VirSCAN


File information
Safety rating: 80
Behavior list
Basic Information
MD5: 9e63f3bc8fff2cd2dec89d7c3139b0f9
File type: EXE
Production company: YoutubeDownloaderHD.com
Version: 2.9.9.27---2.9.9.27
Shell or compiler information: COMPILER:Borland Delphi 2.0 [Overlay]
Key behavior
Behavior description: Block window close message
details:hWnd = 0x0007033e, Text = Setup, ClassName = TApplication.
Behavior description: Set special folder attributes
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Get TickCount value
details:TickCount = 1076668, SleepMilliseconds = 200.
TickCount = 1086153, SleepMilliseconds = 200.
TickCount = 1086168, SleepMilliseconds = 200.
TickCount = 1086200, SleepMilliseconds = 200.
TickCount = 1086231, SleepMilliseconds = 200.
TickCount = 1086262, SleepMilliseconds = 200.
TickCount = 1086278, SleepMilliseconds = 200.
TickCount = 1086293, SleepMilliseconds = 200.
TickCount = 1086309, SleepMilliseconds = 200.
TickCount = 1086325, SleepMilliseconds = 200.
TickCount = 1086340, SleepMilliseconds = 200.
TickCount = 1086418, SleepMilliseconds = 200.
TickCount = 1086434, SleepMilliseconds = 200.
TickCount = 1086450, SleepMilliseconds = 200.
TickCount = 1086465, SleepMilliseconds = 200.
Process behavior
Behavior description: Create process with hidden window
details:ImagePath = , CmdLine = RunDll32.exe "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-S4BEN.tmp\OCSetupHlp.dll",_RPPID0749RPEng2@16 2412,1DA8DA317E8841F4891AAEE9AFABB483,9F65569D302E45B3AFDF878455483115,D6C10150AAC342FF8CD25C1AD9196F58
Behavior description: Create process
details:ImagePath = C:\WINDOWS\system32\rundll32.exe, CmdLine = RunDll32.exe "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-S4BEN.tmp\OCSetupHlp.dll",_RPPID0749RPEng2@16 2412,1DA8DA317E8841F4891AAEE9AFABB483,9F65569D302E45B3AFDF878455483115,D6C10150AAC342FF8CD25C1AD9196F58
Behavior description: Create local thread
details:TargetProcess: rundll32.exe, InheritedFromPID = 2412, ProcessID = 2528, ThreadID = 2540, StartAddress = 4AEA7456, Parameter = 00000000
TargetProcess: rundll32.exe, InheritedFromPID = 2412, ProcessID = 2528, ThreadID = 2544, StartAddress = 10008B90, Parameter = 0007FA93
TargetProcess: rundll32.exe, InheritedFromPID = 2412, ProcessID = 2528, ThreadID = 2548, StartAddress = 77E56C7D, Parameter = 000F0858
TargetProcess: rundll32.exe, InheritedFromPID = 2412, ProcessID = 2528, ThreadID = 2552, StartAddress = 769AE43B, Parameter = 000F3650
TargetProcess: rundll32.exe, InheritedFromPID = 2412, ProcessID = 2528, ThreadID = 2556, StartAddress = 77E56C7D, Parameter = 000F42B8
TargetProcess: rundll32.exe, InheritedFromPID = 2412, ProcessID = 2528, ThreadID = 2564, StartAddress = 1005A9B1, Parameter = 0007F910
TargetProcess: rundll32.exe, InheritedFromPID = 2412, ProcessID = 2528, ThreadID = 2568, StartAddress = 1005A9B1, Parameter = 0007F910
TargetProcess: rundll32.exe, InheritedFromPID = 2412, ProcessID = 2528, ThreadID = 2576, StartAddress = 1003B9E0, Parameter = 0007FB28
TargetProcess: rundll32.exe, InheritedFromPID = 2412, ProcessID = 2528, ThreadID = 2580, StartAddress = 10068895, Parameter = 00B34850
TargetProcess: rundll32.exe, InheritedFromPID = 2412, ProcessID = 2528, ThreadID = 2584, StartAddress = 1006E2B8, Parameter = 00B34850
TargetProcess: rundll32.exe, InheritedFromPID = 2412, ProcessID = 2528, ThreadID = 2596, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: rundll32.exe, InheritedFromPID = 2412, ProcessID = 2528, ThreadID = 2600, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: rundll32.exe, InheritedFromPID = 2412, ProcessID = 2528, ThreadID = 2604, StartAddress = 7C930230, Parameter = 00000000
TargetProcess: rundll32.exe, InheritedFromPID = 2412, ProcessID = 2528, ThreadID = 2608, StartAddress = 4A426B97, Parameter = 019AC000
TargetProcess: rundll32.exe, InheritedFromPID = 2412, ProcessID = 2528, ThreadID = 2612, StartAddress = 4A426D10, Parameter = 4A410000
File behavior
Behavior description: Create file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\is-U9LN3.tmp\996E.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\is-S4BEN.tmp\_isetup\_RegDLL.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\is-S4BEN.tmp\_isetup\_shfoldr.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\is-S4BEN.tmp\OCSetupHlp.dll
Behavior description: Create executable file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\is-U9LN3.tmp\996E.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\is-S4BEN.tmp\_isetup\_RegDLL.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\is-S4BEN.tmp\_isetup\_shfoldr.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\is-S4BEN.tmp\OCSetupHlp.dll
Behavior description: Modify file contents
details:C:\Documents and Settings\Administrator\Local Settings\Temp\is-U9LN3.tmp\996E.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\is-U9LN3.tmp\996E.tmp ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\is-U9LN3.tmp\996E.tmp ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\is-U9LN3.tmp\996E.tmp ---> Offset = 196608
C:\Documents and Settings\Administrator\Local Settings\Temp\is-U9LN3.tmp\996E.tmp ---> Offset = 262144
C:\Documents and Settings\Administrator\Local Settings\Temp\is-S4BEN.tmp\_isetup\_RegDLL.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\is-S4BEN.tmp\_isetup\_shfoldr.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\is-S4BEN.tmp\OCSetupHlp.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\is-S4BEN.tmp\OCSetupHlp.dll ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\is-S4BEN.tmp\OCSetupHlp.dll ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\is-S4BEN.tmp\OCSetupHlp.dll ---> Offset = 196608
C:\Documents and Settings\Administrator\Local Settings\Temp\is-S4BEN.tmp\OCSetupHlp.dll ---> Offset = 262144
C:\WINDOWS\system32\wbem\Logs\wbemprox.log ---> Offset = 224
C:\WINDOWS\system32\wbem\Logs\wbemprox.log ---> Offset = 300
C:\WINDOWS\system32\wbem\Logs\wbemprox.log ---> Offset = 0
Behavior description: Find file
details:FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-U9LN3.tmp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-U9LN3.tmp\996E.tmp
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\「开始」菜单
FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\RunDll32.exe
FileName = C:\WINDOWS\system32\rundll32.exe
FileName = C:\Documents and Settings\Administrator\Local Settings
Network behavior
Behavior description: Connect to specified site
details:WinHttpConnect: ServerName = ap****om, PORT = 80, UserName = , Password = , hSession = 0x019a2000, hConnect = 0x019a2100, Flags = 0x00000000
Behavior description: Establish a connection to a specified socket
details:URL: , IP: **.0.0.**:1031, SOCKET = 0x00000370
URL: , IP: **.0.0.**:1032, SOCKET = 0x00000370
URL: , IP: **.0.0.**:1033, SOCKET = 0x00000370
URL: , IP: **.0.0.**:1034, SOCKET = 0x00000370
URL: , IP: **.0.0.**:1035, SOCKET = 0x00000370
URL: , IP: **.0.0.**:1036, SOCKET = 0x00000370
URL: , IP: **.0.0.**:1037, SOCKET = 0x00000374
URL: ap****om, IP: **.133.40.**:80, SOCKET = 0x00000394
URL: , IP: **.0.0.**:1039, SOCKET = 0x00000374
URL: , IP: **.0.0.**:1040, SOCKET = 0x00000374
URL: , IP: **.0.0.**:1041, SOCKET = 0x00000374
URL: , IP: **.0.0.**:1042, SOCKET = 0x00000374
URL: , IP: **.0.0.**:1043, SOCKET = 0x00000374
URL: , IP: **.0.0.**:1044, SOCKET = 0x00000374
URL: , IP: **.0.0.**:1045, SOCKET = 0x00000374
Behavior description: Send HTTP packet
details:GET /?bn=3&bv=8.00.6001.18702&clientv=106&cltzone=480&csk=15474651240595669759-10147274180800376664&language=zh,en&method=get_offers&mstime=0.891&num_offers=2&os=WIN5.1SP3&product_key=7cc8e2ebd63d80495fea84851fb214ea&sohtml=1&sswnt=&tm=2016-06-03%2007:20:04.091&v=1.0&signature=d96ff19a8714cfc260a7e131247efa27 HTTP/1.1 Accept: */* Cache-Control: no-cache Pragma: no-cache Accept-Encoding: gzip Host: ap****om Connection: Keep-Alive
Behavior description: Open HTTP request
details:WinHttpOpenRequest: ap****om:80/?bn=3&bv=8.00.6001.18702&clientv=106&cltzone=480&csk=15474651240595669759-10147274180800376664&language=zh,en&method=get_offers&mstime=0.891&num_offers=2&os=win5.1sp3&product_key=7cc8e2ebd63d80495fea84851fb214ea&sohtml=1&sswnt=&tm=201, hConnect = 0x019a2100, hRequest = 0x01a10000, Verb: GET, Referer: , Flags = 0x00000000
Behavior description: Get host address by name
details:GetAddrInfoW: ap****om
Registry behavior
Behavior description: Modify registry
details:\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8A8FC8F-45DF-4720-B6D9-F8CE7E1483A2}\1.0\
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8A8FC8F-45DF-4720-B6D9-F8CE7E1483A2}\1.0\FLAGS\
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8A8FC8F-45DF-4720-B6D9-F8CE7E1483A2}\1.0\0\win32\
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8A8FC8F-45DF-4720-B6D9-F8CE7E1483A2}\1.0\HELPDIR\
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Behavior description: Delete registry value
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Other behavior
Behavior description: Create mutex
details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
13DEBDBC780F43918F86F4A8BDC58FADDEFINED_LoadSDKDLL
13DEBDBC780F43918F86F4A8BDC58FADCRemoteProcApiCalls::m_bShowLoadingScreen
13DEBDBC780F43918F86F4A8BDC58FADCRemoteProcApiCalls::m_nMaxLoadingScreenOffers
Global\426F00E8-A1B3-4EB2-8FF8-0950920F5D6E
95BAD332A5B646569F69A54E373822F7CRemoteProcApiCalls::m_bShowLoadingScreen
95BAD332A5B646569F69A54E373822F7CRemoteProcApiCalls::m_nMaxLoadingScreenOffers
95BAD332A5B646569F69A54E373822F7CSDKApi::m_bSkipAllOffersTriggered
95BAD332A5B646569F69A54E373822F7CSDKApi::m_bDeclineOfferTriggered
95BAD332A5B646569F69A54E373822F7CSDKApi::m_bShowSkipAllButton
Behavior description: Hide specified window
details:[Window,Class] = [,1DA8DA317E8841F4891AAEE9AFABB483]
[Window,Class] = [,995D92B2-4ED9-43A7-9338-8CC7D1746F96]
Behavior description: Find specified window
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [1DA8DA317E8841F4891AAEE9AFABB483,]
NtUserFindWindowEx: [Class,Window] = [995D92B2-4ED9-43A7-9338-8CC7D1746F96,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [OleMainThreadWndClass,]
Behavior description: Window information
details:Pid = 2412, Hwnd=0x10398, Text = Welcome to the Youtube Downloader HD Setup Wizard , ClassName = TNewStaticText.
Pid = 2412, Hwnd=0x10396, Text = This will install Youtube Downloader HD v. 2.9.9.27 on your computer. It is recommended that you close all other applications , ClassName = TNewStaticText.
Pid = 2412, Hwnd=0x60362, Text = A. Youtube Downloader HD License B. OpenSSL License C. OpenCandy End User License Agreement (EULA) A. Youtube Downloader HD , ClassName = TRichEditViewer.
Pid = 2412, Hwnd=0x4036c, Text = C:\Program Files\Youtube Downloader HD, ClassName = TEdit.
Pid = 2412, Hwnd=0x10390, Text = &Next >, ClassName = TNewButton.
Pid = 2412, Hwnd=0x1038e, Text = Cancel, ClassName = TNewButton.
Pid = 2412, Hwnd=0x90326, Text = Setup - Youtube Downloader HD, ClassName = TWizardForm.
Behavior description: Adjust process token privileges
details:SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Enumerate windows
details:N/A
Behavior description: Executable file signature information
details:C:\Documents and Settings\Administrator\Local Settings\Temp\is-U9LN3.tmp\996E.tmp (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\is-S4BEN.tmp\_isetup\_RegDLL.tmp (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\is-S4BEN.tmp\_isetup\_shfoldr.dll (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\is-S4BEN.tmp\OCSetupHlp.dll (signature verification: failed)
Behavior description: Call Sleep function
details:[1]: MilliSeconds = 200.
[2]: MilliSeconds = 200.
Behavior description: Create event object
details:EventName = MSCTF.SendReceive.Event.AHJ.IC
EventName = MSCTF.SendReceiveConection.Event.AHJ.IC
Behavior description: Executable file MD5
details:C:\Documents and Settings\Administrator\Local Settings\Temp\is-U9LN3.tmp\996E.tmp ---> e51ea3eedbf0065bd0e1b837e6b43086
C:\Documents and Settings\Administrator\Local Settings\Temp\is-S4BEN.tmp\_isetup\_RegDLL.tmp ---> 0ee914c6f0bb93996c75941e1ad629c6
C:\Documents and Settings\Administrator\Local Settings\Temp\is-S4BEN.tmp\_isetup\_shfoldr.dll ---> 92dc6ef532fbb4a5c3201469a5b5eb63
C:\Documents and Settings\Administrator\Local Settings\Temp\is-S4BEN.tmp\OCSetupHlp.dll ---> f73298d77f89d52beb95a25f4dfe14c6
Behavior description: Load newly dropped file
details:Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-S4BEN.tmp\OCSetupHlp.dll.