VirSCAN

File information
Safety rating: 75
Behavior list
Basic Information
MD5: 2416cf491f4ff42e0e4ddddd1bc4983c
file type:
Production company:
version:
Shell or compiler information:
Key behavior
Behavior description: Block window close message
details: hWnd = 0x00040340, Text = 掌中宝-周易起名大师-中国最棒的周易起名软件 [V9.5.1体验版], ClassName = Afx:400000:b:10011:6:703df.
Behavior description: Set special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\IETldCache
Process behavior
Behavior description: Create local thread
details: TargetProcess: NamedSoft.exe, InheritedFromPID = 2000, ProcessID = 3192, ThreadID = 3224, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: NamedSoft.exe, InheritedFromPID = 2000, ProcessID = 3192, ThreadID = 3240, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: NamedSoft.exe, InheritedFromPID = 2000, ProcessID = 3192, ThreadID = 3244, StartAddress = 7C930230, Parameter = 00000000
TargetProcess: NamedSoft.exe, InheritedFromPID = 2000, ProcessID = 3192, ThreadID = 3252, StartAddress = 1B112839, Parameter = 01A808F0
TargetProcess: NamedSoft.exe, InheritedFromPID = 2000, ProcessID = 3192, ThreadID = 3256, StartAddress = 1B004723, Parameter = 1B120E10
TargetProcess: NamedSoft.exe, InheritedFromPID = 2000, ProcessID = 3192, ThreadID = 3260, StartAddress = 1B004723, Parameter = 1B120E10
TargetProcess: NamedSoft.exe, InheritedFromPID = 2000, ProcessID = 3192, ThreadID = 3264, StartAddress = 1B004723, Parameter = 1B120E10
TargetProcess: NamedSoft.exe, InheritedFromPID = 2000, ProcessID = 3192, ThreadID = 3292, StartAddress = 00473F2C, Parameter = 00FDC0E0
File behavior
Behavior description: Create file
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\regist[1].do
C:\WINDOWS\named.ini
C:\Documents and Settings\Administrator\Local Settings\Temp\JET6795.tmp
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\周易起名大师9.5.1完美破解版\NamedSoft.ldb
C:\Documents and Settings\Administrator\Local Settings\Temp\JET6850.tmp
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\周易起名大师9.5.1完美破解版\NamedPick.ldb
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\systip[1].do
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\syslog[1].do
Behavior description: Modify file contents
details: C:\WINDOWS\named.ini ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\周易起名大师9.5.1完美破解版\NamedSoft.ldb ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\周易起名大师9.5.1完美破解版\NamedPick.ldb ---> Offset = 0
Behavior description: Set special folder attributes
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
C:\Documents and Settings\Administrator\IETldCache
Behavior description: Delete file
details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\regist[1].do
C:\Documents and Settings\Administrator\Local Settings\Temp\JET6795.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\JET6850.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\systip[1].do
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\syslog[1].do
Behavior description: Search for file
details: FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS\system32\Ras\*.pbk
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\周易起名大师9.5.1完美破解版
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\周易起名大师9.5.1完美破解版\NamedSoft.db
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\周易起名大师9.5.1完美破解版\NamedPick.db
FileName = C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012016091220160913\*.*
Network behavior
Behavior description: Open specified web page in IE
details: http://na****cn/named.jsp?aid=1
Behavior description: Connect to specified site
details: InternetConnectA: ServerName = so****cn, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
Behavior description: Open HTTP connection
details: InternetOpenA: UserAgent: Internal, hSession = 0x00cc0004
InternetOpenA: UserAgent: NamedSoft, hSession = 0x00cc0004
Behavior description: Establish socket connection to a specified host
details: URL: so****cn, IP: **.133.40.**:80, SOCKET = 0x000001e4
URL: so****cn, IP: **.133.40.**:80, SOCKET = 0x0000025c
URL: so****cn, IP: **.133.40.**:80, SOCKET = 0x00000378
URL: so****cn, IP: **.133.40.**:80, SOCKET = 0x00000360
URL: so****cn, IP: **.133.40.**:80, SOCKET = 0x00000368
URL: so****cn, IP: **.133.40.**:80, SOCKET = 0x0000037c
Behavior description: Read network file
details: hFile = 0x00cc000c, BytesToRead =1023, BytesRead = 1023.
Behavior description: Send HTTP packet
details: POST /regist.do HTTP/1.1 Content-Type: application/x-www-form-urlencoded Accept: */* User-Agent: NamedSoft Host: so****cn Content-Length: 90 Cache-Control: no-cache serialno=&harddisk=36C3919704827B****28&version=9.5.1&whichone=1&pid=0&usetype=0&cid=0
POST /systip.do HTTP/1.1 Content-Type: application/x-www-form-urlencoded Accept: */* User-Agent: NamedSoft Host: so****cn Content-Length: 44 Cache-Control: no-cache harddisk=36C3919704827B****28&whichone=1
POST /syslog.do HTTP/1.1 Content-Type: application/x-www-form-urlencoded Accept: */* User-Agent: NamedSoft Host: so****cn Content-Length: 68 Cache-Control: no-cache harddisk=36C3919704827B****28&serialno=&version=9.5.1&whichone=1
Behavior description: Open HTTP request
details: HttpOpenRequestA: so****cn:80/regist.do, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: POST, Referer: , Flags = 0x20000000
HttpOpenRequestA: so****cn:80/systip.do, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: POST, Referer: , Flags = 0x20000000
HttpOpenRequestA: so****cn:80/syslog.do, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: POST, Referer: , Flags = 0x20000000
Behavior description: Resolve host address by name
details: GetAddrInfoW: so****cn
Registry behavior
Behavior description: Modify registry
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\USER\S-*\Software\NamedSoft\NamedSoft\Settings\UsedMode
\REGISTRY\USER\S-*\Software\NamedSoft\NamedSoft\Settings\CurrPath
\REGISTRY\MACHINE\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 0xc78 Thread 0xc7c DBC 0x3f4d5c Jet\ProcessId
\REGISTRY\MACHINE\SOFTWARE\ODBC\Brazos volatile counter\VolatileDsnCount
\REGISTRY\MACHINE\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 0xc78 Thread 0xc7c DBC 0x3f4d5c Jet\DBQ
\REGISTRY\MACHINE\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 0xc78 Thread 0xc7c DBC 0x3f4d5c Jet\Engines\Jet\Driver
\REGISTRY\MACHINE\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 0xc78 Thread 0xc7c DBC 0x3f4d5c Jet\DriverId
\REGISTRY\MACHINE\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 0xc78 Thread 0xc7c DBC 0x3f4d5c Jet\Engines\Jet\ImplicitCommitSync
\REGISTRY\MACHINE\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 0xc78 Thread 0xc7c DBC 0x3f4d5c Jet\PWD
\REGISTRY\MACHINE\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 0xc78 Thread 0xc7c DBC 0x3f4d5c Jet\SafeTransactions
\REGISTRY\MACHINE\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 0xc78 Thread 0xc7c DBC 0x3f4d5c Jet\Engines\Jet\Threads
\REGISTRY\MACHINE\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 0xc78 Thread 0xc7c DBC 0x3f4d5c Jet\UID
\REGISTRY\MACHINE\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 0xc78 Thread 0xc7c DBC 0x3f4d5c Jet\Engines\Jet\UserCommitSync
\REGISTRY\MACHINE\SOFTWARE\ODBC\Temporary (volatile) Jet DSN for process 0xc78 Thread 0xc7c DBC 0x3f8fc4 Jet\ProcessId
Behavior description: Delete registry value
details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
\REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\DWFileTreeRoot
Behavior description: Delete registry key
details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\
Other behavior
Behavior description: Create mutex
details: {1888E764-9681-457f-9CFA-1E06A6F8695C}
RasPbFile
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Local\c:!documents and settings!administrator!ietldcache!
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
MSCTF.Shared.MUTEX.MHM
Behavior description: Hide specified window
details: [Window,Class] = [,ComboLBox]
[Window,Class] = [,tooltips_class32]
[Window,Class] = [掌中宝-周易起名大师-中国最棒的周易起名软件 [V9.5.1体验版],Afx:400000:b:10011:6:703df]
Behavior description: Find specified window
details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [OleMainThreadWndClass,]
NtUserFindWindowEx: [Class,Window] = [MS_WINHELP,]
Behavior description: Window information
details: Pid = 3192, Hwnd=0x203bc, Text = 知道啦, ClassName = Button.
Pid = 3192, Hwnd=0x10402, Text = MZ恊%isk Totals %115s +--------------------------------------------------------------------------------------------------------, ClassName = Edit.
Pid = 3192, Hwnd=0x303ee, Text = 系统通知, ClassName = #32770.
Pid = 3192, Hwnd=0x10348, Text = 李, ClassName = Edit.
Pid = 3192, Hwnd=0x1034a, Text = 2、名字勿用生僻字, ClassName = Static.
Pid = 3192, Hwnd=0x1034e, Text = 男孩, ClassName = Button(RadioButton).
Pid = 3192, Hwnd=0x10350, Text = 女孩, ClassName = Button(RadioButton).
Pid = 3192, Hwnd=0x10352, Text = 2字, ClassName = ComboBox.
Pid = 3192, Hwnd=0x10356, Text = 不限, ClassName = ComboBox.
Pid = 3192, Hwnd=0x1035a, Text = 公历生日, ClassName = ComboBox.
Pid = 3192, Hwnd=0x1035e, Text = 2018, ClassName = ComboBox.
Pid = 3192, Hwnd=0x10362, Text = 02, ClassName = ComboBox.
Pid = 3192, Hwnd=0x10366, Text = 03, ClassName = ComboBox.
Pid = 3192, Hwnd=0x1036a, Text = 17, ClassName = ComboBox.
Pid = 3192, Hwnd=0x1036e, Text = 猜您喜欢, ClassName = ComboBox.
Behavior description: Block window close message
details: hWnd = 0x00040340, Text = 掌中宝-周易起名大师-中国最棒的周易起名软件 [V9.5.1体验版], ClassName = Afx:400000:b:10011:6:703df.
Behavior description: Open event
details: HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
\INSTALLATION_SECURITY_HOLD
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Behavior description: Create event object
details: EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceiveConection.Event.MHM.IC
EventName = MSCTF.SendReceive.Event.MHM.IC
Behavior description: Open mutex
details: Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
Local\!IETld!Mutex
Local\c:!documents and settings!administrator!ietldcache!
ShimCacheMutex