VirSCAN

File information
Safety rating:58
Behavior list
Basic Information
MD5:96be8db469cbeca82af44ec10ec0f64f
file type:zip
Production company:
version:
Shell or compiler information:
Subfile information:闫志宏个人简历.doc / 569b25fc48c9e4f44c64c57478f24112 / Compound
人物生涯访谈(张媛媛)(修改一).pptx / 0bd8c3ee8025b39b9e6ad532529fc637 / zip
人物生涯访谈(张媛媛)(修改一).doc / 25c5aa6205a987bfa7f62da06dc7bebd / Compound
1.gif / ef30c3631b2781a3251e30b72a894899 / Unknown
2.png / af0d6c036d2aae95ab82b93cdc0ae1b6 / Unknown
xh.png / af0d6c036d2aae95ab82b93cdc0ae1b6 / Unknown
1.png / 2c20a505321f4217eb0e8e4143546259 / Unknown
5.jpg / 40f2a654133d1e1931e92cbb1e7d6859 / Unknown
3.jpg / 79367e2d941fa2df788e8bf9e27be414 / Unknown
大学生职业生涯规划.html / b53251848944080adb727ae53bf7bc07 / Unknown
4.jpg / 3c295ce052fdf7826c3e77a0fee530a9 / Unknown
1.jpg / 2a0ad639146fb203a19324f19b9d1651 / Unknown
2.jpg / e50ca73ca4c8c6cf9c675c6ef48bcf09 / Unknown
Process behavior
Behavior description: Create local thread
details:TargetProcess: WINWORD.EXE, InheritedFromPID = 2000, ProcessID = 2952, ThreadID = 3080, StartAddress = 77E56C7D, Parameter = 001BAC00
TargetProcess: WINWORD.EXE, InheritedFromPID = 2000, ProcessID = 2952, ThreadID = 3084, StartAddress = 769AE43B, Parameter = 001BD548
TargetProcess: WINWORD.EXE, InheritedFromPID = 2000, ProcessID = 2952, ThreadID = 3148, StartAddress = 30D54A2E, Parameter = 00E6D7C8
TargetProcess: WINWORD.EXE, InheritedFromPID = 2000, ProcessID = 2952, ThreadID = 3240, StartAddress = 30D5F014, Parameter = 0025A700
TargetProcess: WINWORD.EXE, InheritedFromPID = 2000, ProcessID = 2952, ThreadID = 3532, StartAddress = 30072FB7, Parameter = 30AEA990
File behavior
Behavior description: Create file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\~DF91F.tmp
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\~$志宏个人简历.doc
Behavior description: Delete file
details:C:\Documents and Settings\Administrator\Local Settings\Temp\~DF91F.tmp
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\~$志宏个人简历.doc
Behavior description: Modify file content
details:C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\~$志宏个人简历.doc ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\~$志宏个人简历.doc ---> Offset = 54
Behavior description: Search for file
details:FileName = C:\Program Files
FileName = C:\Program Files\Microsoft Office
FileName = C:\Program Files\Microsoft Office\OFFICE11\Normal.dot
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\Normal.dot
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Normal.dot
FileName = C:\WINDOWS
FileName = C:\WINDOWS\WinSxS
FileName = C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\闫志宏个人简历.doc
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\桌面
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
Behavior description: Copy file
details:C:\Program Files\Microsoft Office\OFFICE11\opa11.bak ---> C:\Program Files\Microsoft Office\OFFICE11\opa11.dat
Registry behavior
Behavior description: Modify registry
details:\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\e
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\Aj
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\MTTT
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\Wl
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\el
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\om
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\[n
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\p
\REGISTRY\USER\S-*\Software\Microsoft\Office\Common\Assistant\CurrAsstState
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Common\Toolbars\Settings\Microsoft Office Word
Behavior description: Delete registry value
details:\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\Aj
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\Wl
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\el
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\om
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\[n
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\p
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\e
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\WordName
Behavior description: Delete registry key
details:\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\
Other behavior
Behavior description: Create mutex
details:Local\Mutex_MSOSharedMem
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\Mso97SharedDg19211108221Mutex
Local\Mso97SharedDg20321108221Mutex
MSCTF.GCompartListMUTEX.DefaultS-*
OfficeAssistantStateMutex
Local\Mso97SharedDg19521108221Mutex
Local\Mso97SharedDg19531108221Mutex
Local\Mso97SharedDg19541108221Mutex
MSCTF.Shared.MUTEX.IOH
Behavior description: Create event object
details:EventName = Local\MsoTestEvent_b7bd87b1-ab8f-4b13-9d20-013da173d85b
EventName = PrimaryWord11Mutex
EventName = Global\WatsonDataAccess
EventName = MSCTF.SendReceive.Event.MIL.IC
EventName = MSCTF.SendReceiveConection.Event.MIL.IC
Behavior description: Find specified window
details:NtUserFindWindowEx: [Class,Window] = [MSOBALLOON,]
NtUserFindWindowEx: [Class,Window] = [MsoHelp10,]
NtUserFindWindowEx: [Class,Window] = [AgentAnim,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [MsoHelp11,]
NtUserFindWindowEx: [Class,Window] = [OleMainThreadWndClass,]
Behavior description: Open event
details:Global\MsoTestEvent_b7bd87b1-ab8f-4b13-9d20-013da173d85b
MSFT.VSA.COM.DISABLE.2952
MSFT.VSA.IEC.STATUS.6c736db0
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
_fCanRegisterWithShellService
CTF.ThreadMIConnectionEvent.000007E8.00000000.0000000F
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.0000000F
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Behavior description: Adjust process token privileges
details:SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Window information
details:Pid = 2952, Hwnd=0x50348, Text = MsoDockTop, ClassName = MsoCommandBarDock.
Pid = 2952, Hwnd=0x30354, Text = 格式, ClassName = MsoCommandBar.
Pid = 2952, Hwnd=0x5034a, Text = 常用, ClassName = MsoCommandBar.
Pid = 2952, Hwnd=0x20358, Text = 菜单栏, ClassName = MsoCommandBar.
Pid = 2952, Hwnd=0x1034e, Text = Microsoft Word, ClassName = OpusApp.
Pid = 2952, Hwnd=0x40342, Text = 确定, ClassName = Button.
Pid = 2952, Hwnd=0x1037e, Text = Word 无法读取文档,文档可能损坏。 请尝试下列方法: * 打开并修复文件。 * 用文本恢复转换器打开文件。, ClassName = MSOUNISTAT.
Pid = 2952, Hwnd=0x40368, Text = Microsoft Office Word, ClassName = #32770.
Pid = 2952, Hwnd=0x3037e, Text = 文档 1, ClassName = _WwB.
Pid = 2952, Hwnd=0x8036e, Text = MSO Generic Control Container, ClassName = MsoCommandBar.
Pid = 2952, Hwnd=0x70364, Text = MSO Generic Control Container, ClassName = MsoCommandBar.
Pid = 2952, Hwnd=0x3037c, Text = Microsoft Word 文档, ClassName = _WwG.
Pid = 2952, Hwnd=0x1034e, Text = 文档 1 - Microsoft Word, ClassName = OpusApp.
Pid = 2952, Hwnd=0x40380, Text = 确定, ClassName = Button.
Pid = 2952, Hwnd=0x70366, Text = 您正试图运行的函数包含有宏或需要宏语言支持的内容。而在安装此软件时,您(或您的管理员)选择了不安装宏或控件的支持功能。, ClassName = MSOUNISTAT.
Behavior description: Hide specified window
details:[Window,Class] = [,ThunderRT6Main]
Behavior description: Open mutex
details:ShimCacheMutex
Local\Mutex_MSOSharedMem
Local\Mso97SharedDg19211108221Mutex
Local\Mso97SharedDg20321108221Mutex
Local\MU_ACBPIDS08
CtfmonInstMutexDefaultS-*
OfficeAssistantStateMutex
Local\Mso97SharedDg19521108221Mutex
Local\Mso97SharedDg19531108221Mutex
Local\Mso97SharedDg19541108221Mutex
Run screenshot