VirSCAN VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, VirSCAN can scan compressed files with password 'infected' or 'virus'.

Language
Server load
Server Load

File information
Safety rating:81
Behavior list
Basic Information
MD5:7d33c92a0288535627337091b8f6dc35
file type:EXE
Production company:
version:1.0.0.1---7.2.21
Shell or compiler information:COMPILER:Microsoft Visual C++ 6.0
Key behavior
Behavior description:写权限映射文件
details:CiceroSharedMemDefaultS-*
MSCTF.MarshalInterface.FileMap.MFF..JFDHH
MSCTF.MarshalInterface.FileMap.MFF.B.JFDHH
MSCTF.MarshalInterface.FileMap.MFF.C.JFDHH
MSCTF.MarshalInterface.FileMap.MFF.D.JFDHH
MSCTF.MarshalInterface.FileMap.MFF.E.JFDHH
MSCTF.MarshalInterface.FileMap.MFF.F.JFDHH
MSCTF.MarshalInterface.FileMap.MFF.G.JFDHH
MSCTF.Shared.SFM.MFF
Behavior description:隐藏指定窗口
details:[Window,Class] = [无标题 - TTPhoto,AfxFrameOrView42]
Behavior description:创建系统服务
details:[服务创建成功]: D1irectrX jrq, C:\WINDOWS\system32\nehvey.exe
Behavior description:按名称获取主机地址
details:wolf.3389.pw
Process behavior
Behavior description:创建新文件进程
details:ImagePath = C:\WINDOWS\system32\nehvey.exe, CmdLine = C:\WINDOWS\system32\nehvey.exe
Behavior description:枚举进程
details:N/A
File behavior
Behavior description:写权限映射文件
details:CiceroSharedMemDefaultS-*
MSCTF.MarshalInterface.FileMap.MFF..JFDHH
MSCTF.MarshalInterface.FileMap.MFF.B.JFDHH
MSCTF.MarshalInterface.FileMap.MFF.C.JFDHH
MSCTF.MarshalInterface.FileMap.MFF.D.JFDHH
MSCTF.MarshalInterface.FileMap.MFF.E.JFDHH
MSCTF.MarshalInterface.FileMap.MFF.F.JFDHH
MSCTF.MarshalInterface.FileMap.MFF.G.JFDHH
MSCTF.Shared.SFM.MFF
Behavior description:创建可执行文件
details:C:\WINDOWS\system32\nehvey.exe
Network behavior
Behavior description:发送一个已连接的套接字数据
details:SOCKET = 0x00000120, TotalSize = 191, Offset = 0, ReadSize = 191.
SOCKET = 0x00000120, TotalSize = 188, Offset = 0, ReadSize = 188.
SOCKET = 0x00000120, TotalSize = 5, Offset = 0, ReadSize = 5.
Behavior description:建立到一个指定的套接字连接
details:219.133.40.1:215
Behavior description:按名称获取主机地址
details:wolf.3389.pw
Registry behavior
Behavior description:修改注册表
details:\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\D1irectrX jrq\Description
Behavior description:删除注册表键
details:\REGISTRY\USER\S-*\Software\Local AppWizard-Generated Applications\photosw\Recent File List
Other behavior
Behavior description:创建互斥体
details:C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1445402322.580294.exe
C:\WINDOWS\system32\nehvey.exe
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
wolf.3389.pw
MSCTF.Shared.MUTEX.MFF
Behavior description:隐藏指定窗口
details:[Window,Class] = [无标题 - TTPhoto,AfxFrameOrView42]
Behavior description:查找指定窗口
details:NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [MS_WINHELP,]
Behavior description:启动系统服务
details:[服务启动成功]: LocalSystem, D1irectrX Remover yta for Windows(R)., C:\WINDOWS\system32\nehvey.exe
Behavior description:获取TickCount值
details:TickCount = 488187, SleepMilliseconds = 250.
TickCount = 488281, SleepMilliseconds = 250.
TickCount = 495953, SleepMilliseconds = 250.
TickCount = 495968, SleepMilliseconds = 250.
TickCount = 506562, SleepMilliseconds = 250.
Behavior description:获取光标位置
details:CursorPos = (106,18467), SleepMilliseconds = 250.
Behavior description:窗口信息
details:Pid = 416, Hwnd=0x202b4, Text = 就绪, ClassName = msctls_statusbar32.
Pid = 416, Hwnd=0x202a2, Text = 无标题 - TTPhoto, ClassName = AfxFrameOrView42.
Behavior description:创建系统服务
details:[服务创建成功]: D1irectrX jrq, C:\WINDOWS\system32\nehvey.exe
Run screenshot
VirSCAN

About VirSCAN | Privacy Policy | Contact us | Links | Help VirSCAN
Translated by Keith Miller, United States
Powered By CentOSpol

京ICP备11007605号-12

pol

京公网安备 11010802020746号