VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected archives whose password is 'infected' or 'virus'.


File information
Safety rating: 84

Behavior list

Basic Information
MD5: 09d13172fb43957c0897c998dd2c032c
File type: Nsis
Production company: 三七互娱(上海)科技有限公司
Version: 3.1.0.0---3.1.0.0
Shell or compiler information:
Subfile information:
  hdzy.exe / 552d6dc2fc0ca4b6886c4e432d262b50 / EXE
  uninst.exe / 1a0a91d01345f6fcbe01c52e92d31c3c / Nsis
  modern-wizard.bmp / 0ce9b00487079c7541e57367c1dc904d / Unknown
  modern-header.bmp / 878f8334748ec1253083a60904ccb47a / Unknown
  [NSIS].nsi / 9f47e4e758e0cf297352655dc565eb4f / Unknown
  InstallOptions.dll / 325b008aec81e5aaa57096f05d4212b5 / DLL
  System.dll / c17103ae9072a06da581dec998343fc1 / DLL
  KillProcDLL.dll / 99f345cf51b6c3c317d20a81acb11012 / DLL
  FindProcDLL.dll / 8614c450637267afacad1645e23ba24a / DLL
  lander.ini / 31670e73d227debd69320bdb2ceb2256 / Unknown
  ioSpecial.ini / e2d5070bc28db1ac745613689ff86067 / Unknown
Key behavior
Behavior description: Create file mapping with write access
Details: CiceroSharedMemDefaultS-*
MSCTF.MarshalInterface.FileMap.ECI..DIMGH
MSCTF.MarshalInterface.FileMap.ECI.B.DIMGH
MSCTF.MarshalInterface.FileMap.ECI.C.DIMGH
MSCTF.MarshalInterface.FileMap.ECI.D.DIMGH
MSCTF.MarshalInterface.FileMap.ECI.E.DIMGH
MSCTF.MarshalInterface.FileMap.ECI.F.DIMGH
MSCTF.MarshalInterface.FileMap.ECI.G.CJMGH
MSCTF.Shared.SFM.ECI
\WINDOWS\system32\zh-cn\ieframe.dll.mui
Local\!PrivacIE!SharedMem!Counter
Local\UrlZonesSM_Administrator
MSCTF.MarshalInterface.FileMap.MOI..MPGKH
MSCTF.MarshalInterface.FileMap.MOI.B.LBHKH
MSCTF.MarshalInterface.FileMap.MOI.C.LBHKH
Behavior description: Create desktop shortcut
Details: C:\Documents and Settings\Administrator\桌面\37混沌战域.lnk
Behavior description: Set special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Hide specified windows
Details: [Window,Class] = [,Button]
[Window,Class] = [三七互娱(上海)科技有限公司,Static]
[Window,Class] = [三七互娱(上海)科技有限公司 ,Static]
[Window,Class] = [,Static]
[Window,Class] = [,ComboLBox]
[Window,Class] = [显示细节(&D),Button]
[Window,Class] = [安装完成,Static]
[Window,Class] = [安装已成功完成。,Static]
[Window,Class] = [37混沌战域 安装 ,#32770]
[Window,Class] = [37混沌战域,37Lander]
[Window,Class] = [,Shell Embedding]
[Window,Class] = [,Internet Explorer_Server]
Process behavior
Behavior description: Create a new process from a file
Details: ImagePath = C:\Documents and Settings\Administrator\Application Data\37游戏\hdzy\hdzy.exe, CmdLine = "C:\Documents and Settings\Administrator\Application Data\37游戏\hdzy\hdzy.exe"
ImagePath = C:\Documents and Settings\Administrator\Application Data\37游戏\hdzy\hdzy.exe, CmdLine = "C:\Documents and Settings\Administrator\Application Data\37游戏\hdzy\hdzy.exe" /setupsucc
Behavior description: Enumerate processes
Details: N/A
File behavior
Behavior description: Drop links or shortcuts in sensitive system locations (e.g. the Start Menu)
Details: C:\Documents and Settings\Administrator\「开始」菜单\程序\37游戏中心\37混沌战域\37混沌战域.lnk
C:\Documents and Settings\Administrator\「开始」菜单\程序\37游戏中心\37混沌战域\卸载37混沌战域.lnk
Behavior description: Create executable files
Details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss6.tmp\System.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss6.tmp\InstallOptions.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss6.tmp\FindProcDLL.dll
C:\Documents and Settings\Administrator\Application Data\37游戏\hdzy\hdzy.exe
C:\Documents and Settings\Administrator\Application Data\37游戏\hdzy\uninst.exe
Behavior description: Search for files
Details: FileName = C:\DOCUME~1
FileName = C:\Documents and Settings\ADMINI~1
FileName = C:\Documents and Settings\Administrator\LOCALS~1
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Application Data\hyibs\as\uninst.exe
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss6.tmp
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1445327941.948562.exe
FileName = C:\Documents and Settings\Administrator\Application Data\37游戏\hdzy\hdzy.exe
FileName = C:\Documents and Settings\Administrator\桌面\37混沌战域.lnk
FileName = C:\Documents and Settings
Behavior description: Create desktop shortcut
Details: C:\Documents and Settings\Administrator\桌面\37混沌战域.lnk
Behavior description: Create file mapping with write access
Details: CiceroSharedMemDefaultS-*
MSCTF.MarshalInterface.FileMap.ECI..DIMGH
MSCTF.MarshalInterface.FileMap.ECI.B.DIMGH
MSCTF.MarshalInterface.FileMap.ECI.C.DIMGH
MSCTF.MarshalInterface.FileMap.ECI.D.DIMGH
MSCTF.MarshalInterface.FileMap.ECI.E.DIMGH
MSCTF.MarshalInterface.FileMap.ECI.F.DIMGH
MSCTF.MarshalInterface.FileMap.ECI.G.CJMGH
MSCTF.Shared.SFM.ECI
\WINDOWS\system32\zh-cn\ieframe.dll.mui
Local\!PrivacIE!SharedMem!Counter
Local\UrlZonesSM_Administrator
MSCTF.MarshalInterface.FileMap.MOI..MPGKH
MSCTF.MarshalInterface.FileMap.MOI.B.LBHKH
MSCTF.MarshalInterface.FileMap.MOI.C.LBHKH
Behavior description: Set special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior description: Modify file contents
Details: C:\Documents and Settings\Administrator\Application Data\37游戏\hdzy\lander.ini---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss6.tmp\ioSpecial.ini---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss6.tmp\ioSpecial.ini---> Offset = 36
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss6.tmp\modern-wizard.bmp---> Offset = 49152
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss6.tmp\ioSpecial.ini---> Offset = 124
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss6.tmp\modern-header.bmp---> Offset = 16384
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss6.tmp\ioSpecial.ini---> Offset = 33
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss6.tmp\ioSpecial.ini---> Offset = 43
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss6.tmp\ioSpecial.ini---> Offset = 60
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss6.tmp\ioSpecial.ini---> Offset = 277
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss6.tmp\ioSpecial.ini---> Offset = 314
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss6.tmp\ioSpecial.ini---> Offset = 369
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss6.tmp\ioSpecial.ini---> Offset = 377
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss6.tmp\ioSpecial.ini---> Offset = 389
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss6.tmp\ioSpecial.ini---> Offset = 225
Network behavior
Behavior description: Connect to specified sites
Details: InternetConnectA: ServerName = a.clickdata.37wan.com, PORT = 80
InternetConnectA: ServerName = gameapp.37.com, PORT = 80
Behavior description: Establish a connection to a specified socket
Details: 127.0.0.1:1034
Behavior description: Open HTTP request
Details: HttpOpenRequestA: a.clickdata.37wan.com:80/controller/istat.controller.php?item=8133tay6p9&platform=37wan&game_id=257&ext_1=2&ext_2=37wancom&ext_3=hdzy&ext_4=48ea97cdc63d44a2a67e5168070316ee&ext_5=523f4706a7f8e5f3df6dbfd4093cf063&ext_6=2&browser_type=3000, hC
HttpOpenRequestA: gameapp.37.com:80/controller/client.php?game_id=257&tpl_type=game1&wd_username=zeroalex&refer=37wancom&uid=hdzy&version=3000&installtime=20151020&runcount=1&curtime=20151020155833&showlogintype=3&regtimes=1&pagetype=1&wd_baidu=1, hConnect =
Registry behavior
Behavior description: Modify registry
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\37混沌战域\DisplayName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\37混沌战域\UninstallString
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\37混沌战域\DisplayIcon
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\37混沌战域\DisplayVersion
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\37混沌战域\URLInfoAbout
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\37混沌战域\Publisher
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\37混沌战域\NSIS:Languages
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Behavior description: Modify registry (pending file rename entry)
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Session Manager\PendingFileRenameOperations
Behavior description: Delete registry value (IE connection settings)
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Other behavior
Behavior description: Create mutexes
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.ECI
Local\!PrivacIE!SharedMemory!Mutex
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
RasPbFile
Behavior description: Hide specified windows
Details: [Window,Class] = [,Button]
[Window,Class] = [三七互娱(上海)科技有限公司,Static]
[Window,Class] = [三七互娱(上海)科技有限公司 ,Static]
[Window,Class] = [,Static]
[Window,Class] = [,ComboLBox]
[Window,Class] = [显示细节(&D),Button]
[Window,Class] = [安装完成,Static]
[Window,Class] = [安装已成功完成。,Static]
[Window,Class] = [37混沌战域 安装 ,#32770]
[Window,Class] = [37混沌战域,37Lander]
[Window,Class] = [,Shell Embedding]
[Window,Class] = [,Internet Explorer_Server]
Behavior description: Find specified windows
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [#32770,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [OleMainThreadWndClass,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
Behavior description: Acquire system privilege
Details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Get TickCount value
Details: TickCount = 502137, SleepMilliseconds = 200.
Behavior description: Window information
Details: Pid = 2080, Hwnd=0x202cc, Text = 下一步(&N) >, ClassName = Button.
Pid = 2080, Hwnd=0x202b4, Text = 取消(&C), ClassName = Button.
Pid = 2080, Hwnd=0x202d6, Text = 三七互娱(上海)科技有限公司 , ClassName = Static.
Pid = 2080, Hwnd=0x202d8, Text = 三七互娱(上海)科技有限公司, ClassName = Static.
Pid = 2080, Hwnd=0x202b0, Text = 欢迎使用“37混沌战域”安装向导, ClassName = Static.
Pid = 2080, Hwnd=0x202ae, Text = 这个向导将指引你完成“37混沌战域”安装过程 安装之前请先关闭已经打开的“37混沌战域”, 保证安装的成功。 单击【下一步(N), ClassName = Static.
Pid = 2080, Hwnd=0x202a4, Text = 37混沌战域 安装, ClassName = #32770.
Pid = 2080, Hwnd=0x202cc, Text = 我接受(&I), ClassName = Button.
Pid = 2080, Hwnd=0x302ae, Text = 按 [PgDn] 阅读“授权协议”的其余部分。, ClassName = Static.
Pid = 2080, Hwnd=0x402b8, Text = 如果你接受协议中的条款,单击 [我接受(I)] 继续安装。如果你选定 [取消(C)] ,安装程序将会关闭。必须接受协议才能安装“37混沌战域”。, ClassName = Static.
Pid = 2080, Hwnd=0x202cc, Text = 安装(&I), ClassName = Button.
Pid = 2080, Hwnd=0x160142, Text = 自定义, ClassName = ComboBox.
Pid = 2080, Hwnd=0x502da, Text = 选定安装的组件: , ClassName = Static.
Pid = 2080, Hwnd=0x402b0, Text = 所需空间: 1.1MB, ClassName = Static.
Pid = 2080, Hwnd=0x402ae, Text = 勾选你想要安装的组件,并解除勾选你不希望安装的组件。 单击 [安装(I)] 开始安装进程。, ClassName = Static.
Behavior description: Direct access to a physical device
Details: \??\PhysicalDrive0
Behavior description: Open image files
Details: \DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss6.tmp\modern-wizard.bmp
\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss6.tmp\modern-header.bmp
Run screenshot