VirSCAN.org - Free Multi-Engine Online Virus Scanner v1.02, Supports 47 AntiVirus Engines!

Main Menu

File information

Safety rating:81

Behavior list

Basic Information
MD5:	7d33c92a0288535627337091b8f6dc35
file type:	EXE
Production company:
version:	1.0.0.1---7.2.21
Shell or compiler information:	COMPILER:Microsoft Visual C++ 6.0

Key behavior
Behavior description:	写权限映射文件
details:	CiceroSharedMemDefaultS-*
	MSCTF.MarshalInterface.FileMap.MFF..JFDHH
	MSCTF.MarshalInterface.FileMap.MFF.B.JFDHH
	MSCTF.MarshalInterface.FileMap.MFF.C.JFDHH
	MSCTF.MarshalInterface.FileMap.MFF.D.JFDHH
	MSCTF.MarshalInterface.FileMap.MFF.E.JFDHH
	MSCTF.MarshalInterface.FileMap.MFF.F.JFDHH
	MSCTF.MarshalInterface.FileMap.MFF.G.JFDHH
	MSCTF.Shared.SFM.MFF
Behavior description:	隐藏指定窗口
details:	[Window,Class] = [无标题 - TTPhoto,AfxFrameOrView42]
Behavior description:	创建系统服务
details:	[服务创建成功]: D1irectrX jrq, C:\WINDOWS\system32\nehvey.exe
Behavior description:	按名称获取主机地址
details:	wolf.3389.pw

Process behavior
Behavior description:	创建新文件进程
details:	ImagePath = C:\WINDOWS\system32\nehvey.exe, CmdLine = C:\WINDOWS\system32\nehvey.exe
Behavior description:	枚举进程
details:	N/A

File behavior
Behavior description:	写权限映射文件
details:	CiceroSharedMemDefaultS-*
	MSCTF.MarshalInterface.FileMap.MFF..JFDHH
	MSCTF.MarshalInterface.FileMap.MFF.B.JFDHH
	MSCTF.MarshalInterface.FileMap.MFF.C.JFDHH
	MSCTF.MarshalInterface.FileMap.MFF.D.JFDHH
	MSCTF.MarshalInterface.FileMap.MFF.E.JFDHH
	MSCTF.MarshalInterface.FileMap.MFF.F.JFDHH
	MSCTF.MarshalInterface.FileMap.MFF.G.JFDHH
	MSCTF.Shared.SFM.MFF
Behavior description:	创建可执行文件
details:	C:\WINDOWS\system32\nehvey.exe

Network behavior
Behavior description:	发送一个已连接的套接字数据
details:	SOCKET = 0x00000120, TotalSize = 191, Offset = 0, ReadSize = 191.
	SOCKET = 0x00000120, TotalSize = 188, Offset = 0, ReadSize = 188.
	SOCKET = 0x00000120, TotalSize = 5, Offset = 0, ReadSize = 5.
Behavior description:	建立到一个指定的套接字连接
details:	219.133.40.1:215
Behavior description:	按名称获取主机地址
details:	wolf.3389.pw

Registry behavior
Behavior description:	修改注册表
details:	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\D1irectrX jrq\Description
Behavior description:	删除注册表键
details:	\REGISTRY\USER\S-*\Software\Local AppWizard-Generated Applications\photosw\Recent File List

Other behavior
Behavior description:	创建互斥体
details:	C:\DOCUME~1\ADMINI~1\LOCALS~1\%temp%\1445402322.580294.exe
	C:\WINDOWS\system32\nehvey.exe
	CTF.LBES.MutexDefaultS-*
	CTF.Compart.MutexDefaultS-*
	CTF.Asm.MutexDefaultS-*
	CTF.Layouts.MutexDefaultS-*
	CTF.TMD.MutexDefaultS-*
	CTF.TimListCache.FMPDefaultS-MUTEX.DefaultS-
	MSCTF.Shared.MUTEX.ELH
	wolf.3389.pw
	MSCTF.Shared.MUTEX.MFF
Behavior description:	隐藏指定窗口
details:	[Window,Class] = [无标题 - TTPhoto,AfxFrameOrView42]
Behavior description:	查找指定窗口
details:	NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
	NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
	NtUserFindWindowEx: [Class,Window] = [MS_WINHELP,]
Behavior description:	启动系统服务
details:	[服务启动成功]: LocalSystem, D1irectrX Remover yta for Windows(R)., C:\WINDOWS\system32\nehvey.exe
Behavior description:	获取TickCount值
details:	TickCount = 488187, SleepMilliseconds = 250.
	TickCount = 488281, SleepMilliseconds = 250.
	TickCount = 495953, SleepMilliseconds = 250.
	TickCount = 495968, SleepMilliseconds = 250.
	TickCount = 506562, SleepMilliseconds = 250.
Behavior description:	获取光标位置
details:	CursorPos = (106,18467), SleepMilliseconds = 250.
Behavior description:	窗口信息
details:	Pid = 416, Hwnd=0x202b4, Text = 就绪, ClassName = msctls_statusbar32.
	Pid = 416, Hwnd=0x202a2, Text = 无标题 - TTPhoto, ClassName = AfxFrameOrView42.
Behavior description:	创建系统服务
details:	[服务创建成功]: D1irectrX jrq, C:\WINDOWS\system32\nehvey.exe

Run screenshot