VirSCAN


File information
Safety rating: 75
Behavior list
Basic information
MD5: f3c5a450717ab6beafc254ff5355da35
File type: EXE
Vendor: Mediaparts Interactive
Version: 0.5.8.0---0.5.8
Packer or compiler information: COMPILER:Borland Delphi 6.0 - 7.0 [Overlay]
Key behavior
Behavior description: Get TickCount value
Details: TickCount = 5358002, SleepMilliseconds = 2.
TickCount = 5358033, SleepMilliseconds = 2.
TickCount = 5358095, SleepMilliseconds = 2.
TickCount = 5358111, SleepMilliseconds = 2.
TickCount = 5361705, SleepMilliseconds = 2.
TickCount = 5361814, SleepMilliseconds = 2.
TickCount = 5362767, SleepMilliseconds = 2.
TickCount = 5363252, SleepMilliseconds = 2.
TickCount = 5363908, SleepMilliseconds = 2.
TickCount = 5381345, SleepMilliseconds = 2.
TickCount = 5381361, SleepMilliseconds = 2.
TickCount = 5381377, SleepMilliseconds = 2.
TickCount = 5381423, SleepMilliseconds = 2.
Process behavior
Behavior description: Create local thread
Details: TargetProcess: movie.exe, InheritedFromPID = 1396, ProcessID = 1408, ThreadID = 764, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: movie.exe, InheritedFromPID = 1396, ProcessID = 1408, ThreadID = 1004, StartAddress = 005839C0, Parameter = 0133B028
TargetProcess: movie.exe, InheritedFromPID = 1396, ProcessID = 1408, ThreadID = 1856, StartAddress = 005839C0, Parameter = 0133B070
TargetProcess: movie.exe, InheritedFromPID = 1396, ProcessID = 1408, ThreadID = 744, StartAddress = 005839C0, Parameter = 0136E03C
TargetProcess: movie.exe, InheritedFromPID = 1396, ProcessID = 1408, ThreadID = 2044, StartAddress = 76B2AEAF, Parameter = 00000000
TargetProcess: movie.exe, InheritedFromPID = 1396, ProcessID = 1408, ThreadID = 1088, StartAddress = 0056A500, Parameter = 013D0D40
TargetProcess: movie.exe, InheritedFromPID = 1396, ProcessID = 1408, ThreadID = 784, StartAddress = 0056A500, Parameter = 013D0E90
TargetProcess: movie.exe, InheritedFromPID = 1396, ProcessID = 1408, ThreadID = 1392, StartAddress = 0056A500, Parameter = 013D0E90
TargetProcess: movie.exe, InheritedFromPID = 1396, ProcessID = 1408, ThreadID = 2052, StartAddress = 0056A500, Parameter = 013D0D40
Behavior description: Create process from newly written file
Details: ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~sfx00000574\movie.exe, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~sfx00000574\movie.exe"
File behavior
Behavior description: Create file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\files\defaultflipsound.mp3
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\files\detskie_pesenki_bez_slov_-_strannyj_melnik_(xmusic.me).mp3
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\files\info.xml
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\images\page1.swf
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\images\page10.swf
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\images\page10_thumbnail.jpg
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\images\page11.swf
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\images\page11_thumbnail.jpg
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\images\page12.swf
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\images\page12_thumbnail.jpg
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\images\page13.swf
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\images\page13_thumbnail.jpg
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\images\page14.swf
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\images\page14_thumbnail.jpg
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\images\page15.swf
Behavior description: Create executable file
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\movie.exe
Behavior description: Overwrite existing file
Details: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx
Behavior description: Search for files
Details: FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\My Documents
FileName = C:\Documents and Settings\All Users
FileName = C:\Documents and Settings\All Users\Documents
FileName = C:\Documents and Settings\Administrator\桌面
FileName = C:\Documents and Settings\All Users\桌面
FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~sfx00000574\movie.exe
FileName = \\?\C:\Documents and Settings\Administrator\Application Data\Adobe\Flash Player\AssetCache\*
FileName = \\?\C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\*
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~sfx00000574\*.*
Behavior description: Delete file
Details: C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\files\defaultflipsound.mp3
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\files\detskie_pesenki_bez_slov_-_strannyj_melnik_(xmusic.me).mp3
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\files\info.xml
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\images\page1.swf
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\images\page10.swf
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\images\page10_thumbnail.jpg
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\images\page11.swf
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\images\page11_thumbnail.jpg
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\images\page12.swf
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\images\page12_thumbnail.jpg
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\images\page13.swf
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\images\page13_thumbnail.jpg
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\images\page14.swf
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\images\page14_thumbnail.jpg
Behavior description: Rename file
Details: C:\WINDOWS\system32\update.exe ---> C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol
Behavior description: Modify file content
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\files\defaultflipsound.mp3 ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\files\detskie_pesenki_bez_slov_-_strannyj_melnik_(xmusic.me).mp3 ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\files\detskie_pesenki_bez_slov_-_strannyj_melnik_(xmusic.me).mp3 ---> Offset = 524288
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\files\detskie_pesenki_bez_slov_-_strannyj_melnik_(xmusic.me).mp3 ---> Offset = 1048576
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\files\detskie_pesenki_bez_slov_-_strannyj_melnik_(xmusic.me).mp3 ---> Offset = 1572864
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\files\detskie_pesenki_bez_slov_-_strannyj_melnik_(xmusic.me).mp3 ---> Offset = 2097152
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\files\info.xml ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\images\page1.swf ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\images\page1.swf ---> Offset = 524288
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\images\page10.swf ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\images\page10_thumbnail.jpg ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\images\page11.swf ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\images\page11_thumbnail.jpg ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\images\page12.swf ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\images\page12_thumbnail.jpg ---> Offset = 0
Registry behavior
Behavior description: Modify registry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~sfx00000574\movie.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name
\REGISTRY\MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\ID
Other behavior
Behavior description: Adjust process token privileges
Details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Create mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
MacromediaMutexOmega
DDrawWindowListMutex
DDrawDriverObjectListMutex
__DDrawExclMode__
Behavior description: Create event object
Details: EventName = Global\crypt32LogoffEvent
EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceive.Event.MCC.IC
EventName = MSCTF.SendReceiveConection.Event.MCC.IC
Behavior description: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [OleMainThreadWndClass,]
Behavior description: Open event
Details: HookSwitchHookEnabledEvent
CTF.ThreadMIConnectionEvent.000007B4.00000000.0000003F
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.0000003F
MSCTF.SendReceiveConection.Event.ELH.IC
MSCTF.SendReceive.Event.ELH.IC
_fCanRegisterWithShellService
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\crypt32LogoffEvent
Global\SvcctrlStartEvent_A3752DX
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000040
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000040
Behavior description: Get TickCount value
Details: TickCount = 5358002, SleepMilliseconds = 2.
TickCount = 5358033, SleepMilliseconds = 2.
TickCount = 5358095, SleepMilliseconds = 2.
TickCount = 5358111, SleepMilliseconds = 2.
TickCount = 5361705, SleepMilliseconds = 2.
TickCount = 5361814, SleepMilliseconds = 2.
TickCount = 5362767, SleepMilliseconds = 2.
TickCount = 5363252, SleepMilliseconds = 2.
TickCount = 5363908, SleepMilliseconds = 2.
TickCount = 5381345, SleepMilliseconds = 2.
TickCount = 5381361, SleepMilliseconds = 2.
TickCount = 5381377, SleepMilliseconds = 2.
TickCount = 5381423, SleepMilliseconds = 2.
Behavior description: Get cursor position
Details: CursorPos = (71,18468), SleepMilliseconds = 2.
CursorPos = (6364,26501), SleepMilliseconds = 2.
Behavior description: Window information
Details: Pid = 1408, Hwnd=0xe035e, Text = Adobe Flash Player 10, ClassName = ShockwaveFlash.
Behavior description: Executable file signature information
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\movie.exe (signature verification: failed)
Behavior description: Executable file MD5
Details: C:\Documents and Settings\Administrator\Local Settings\Temp\~sfx00000574\movie.exe ---> file too large!
Behavior description: Open mutex
Details: ShimCacheMutex
Local\!IETld!Mutex