VirSCAN

1. You can upload any file, but there is a 20 MB limit per file.
2. VirSCAN supports RAR/ZIP decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan password-protected compressed files whose password is 'infected' or 'virus'.

File information
Safety rating: 55
Behavior list
Basic information
MD5: 9ec52fd0a6cf3de10f76e769eec037c2
File type: Microsoft Office Excel (xls) document
Production company:
Version:
Shell or compiler information:
File behavior
Behavior description: Create file
Details: C:\Users\Administrator\AppData\Local\Temp\~DFA2037E5D8A033484.TMP
C:\Users\Administrator\AppData\Local\Temp\F771.tmp
C:\Users\Administrator\AppData\Local\Temp\~DF1E6FEF94C4683BE0.TMP
C:\Users\Administrator\AppData\Local\Temp\VBF792.tmp
C:\Users\Administrator\Documents\VBF793.tmp
C:\Users\Administrator\AppData\Local\Temp\VBF794.tmp
C:\Users\Administrator\AppData\Roaming\Microsoft\Excel\XLSTART\08F01000
C:\Users\Administrator\AppData\Local\Temp\~DFF475317E3FB99E66.TMP
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\%temp%\****.LNK
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\%temp%.LNK
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\XLSTART.LNK
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\NEGS.LNK
Behavior description: Overwrite existing file
Details: C:\Users\Administrator\Documents\VBF793.tmp
C:\Users\Administrator\AppData\Local\Temp\VBF794.tmp
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Excel11.pip
Behavior description: Find file
Details: FileName = C:\Program Files\Common Files\Microsoft Shared\office11
FileName = C:\Program Files\Common Files\Microsoft Shared\office11\mso.dll
FileName = C:\Program Files\Common Files\Microsoft Shared\office11\*.*
FileName = C:\Program Files
FileName = C:\Program Files\Microsoft Office
FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Excel\XLSTART\*.*
FileName = C:\Program Files\Microsoft Office\OFFICE11\xlstart\*.*
FileName = C:\Users\Administrator\AppData\Local\%temp%\****.xls
FileName = C:\Users\Administrator
FileName = C:\PROGRA~1
FileName = C:\PROGRA~1\COMMON~1
FileName = C:\PROGRA~1\COMMON~1\MICROS~1
FileName = C:\PROGRA~1\COMMON~1\MICROS~1\VBA
FileName = C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA6
FileName = C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA6\VBE6.DLL
Behavior description: Delete file
Details: C:\Users\Administrator\AppData\Local\Temp\~DFA2037E5D8A033484.TMP
C:\Users\Administrator\AppData\Local\Temp\F771.tmp
C:\Users\Administrator\AppData\Local\Temp\~DF1E6FEF94C4683BE0.TMP
C:\Users\Administrator\AppData\Local\Temp\VBF792.tmp
C:\Users\Administrator\AppData\Local\Temp\VBF794.tmp
C:\Users\Administrator\AppData\Local\Temp\~DFF475317E3FB99E66.TMP
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\XLSTART.LNK
Behavior description: Copy file
Details: C:\PROGRA~2\MICROS~1\OFFICE\DATA\OPA11.BAK ---> C:\PROGRA~2\MICROS~1\OFFICE\DATA\opa11.dat
Behavior description: Rename file
Details: C:\Users\Administrator\Documents\VBF793.tmp ---> C:\Users\ADMINI~1\AppData\Local\Temp\VBF792.tmp
C:\Users\Administrator\AppData\Roaming\Microsoft\Excel\XLSTART\08F01000 ---> C:\Users\Administrator\AppData\Roaming\Microsoft\Excel\XLSTART\NEGS.XLS
Behavior description: Modify file contents
Details: C:\Users\Administrator\Documents\VBF793.tmp ---> Offset = 0
C:\Users\Administrator\Documents\VBF793.tmp ---> Offset = 1024
C:\Users\Administrator\AppData\Roaming\Microsoft\Excel\XLSTART\08F01000 ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\Microsoft\Excel\XLSTART\08F01000 ---> Offset = 4096
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\%temp%\****.LNK ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\index.dat ---> Offset = 124
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\%temp%.LNK ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\index.dat ---> Offset = 60
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\XLSTART.LNK ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\index.dat ---> Offset = 74
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\NEGS.LNK ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\index.dat ---> Offset = 172
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Excel11.pip ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Excel11.pip ---> Offset = 12
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Excel11.pip ---> Offset = 112
Registry behavior
Behavior description: Modify registry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Excel\Resiliency\StartupItems\m
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4080110900063D11C8EF10054038389C\Usage\EXCELFiles
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Excel\MTTT
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Excel\Resiliency\DocumentRecovery\10F0CB\10F0CB
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4080110900063D11C8EF10054038389C\Usage\ProductFiles
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4080110900063D11C8EF10054038389C\Usage\VBAFiles
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Common\ReviewCycle\ReviewToken
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Excel\Resiliency\DocumentRecovery\10F427\10F427
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Excel\Resiliency\StartupItems\Ut
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Excel\Resiliency\StartupItems\ut
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Excel\Resiliency\StartupItems\t
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00002109110000000000000000F01FEC\Usage\ProductNonBootFiles
\REGISTRY\USER\S-*\Software\Microsoft\Office\Common\Assistant\CurrAsstState
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Excel\Resiliency\DocumentRecovery\10FD7D\10FD7D
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Excel\Options\Pos
Behavior description: Delete registry value
Details: \REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Excel\Resiliency\StartupItems\m
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Excel\Resiliency\DocumentRecovery\10F0CB\10F0CB
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Excel\Resiliency\StartupItems\Ut
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Excel\Resiliency\StartupItems\ut
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Excel\Resiliency\StartupItems\t
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Excel\Resiliency\DocumentRecovery\10F427\10F427
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Excel\Resiliency\DocumentRecovery\10FD7D\10FD7D
\REGISTRY\USER\S-*\Software\Microsoft\Office\Common\Assistant\CurrAsstState
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Excel\MTTT
Behavior description: Delete registry key
Details: \REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Excel\Resiliency\StartupItems\
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Excel\Resiliency\
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Excel\Resiliency\DocumentRecovery\10F0CB\
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Excel\Resiliency\DocumentRecovery\
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Excel\Resiliency\DocumentRecovery\10F427\
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Excel\Resiliency\DocumentRecovery\10FD7D\
Other behavior
Behavior description: Check whether it is being debugged
Details: IsDebuggerPresent
Behavior description: Create mutex
Details: Local\Mutex_MSOSharedMem
Local\Mso97SharedDg19211105606Mutex
Local\Mso97SharedDg20321105606Mutex
Local\Mso97SharedDg19521105606Mutex
Local\Mso97SharedDg19531105606Mutex
Global\MTX_MSO_Formal1_S-*
Global\MTX_MSO_AdHoc1_S-*
DBWinMutex
OfficeAssistantStateMutex
Local\SqmSysTray
Local\MU_ACBPIDS08
Local\MU_ACB08
Behavior description: Hide specified window
Details: [Window,Class] = [,ComboLBox]
[Window,Class] = [,ThunderRT6Main]
[Window,Class] = [Microsoft Excel,XLMAIN]
Behavior description: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [MSOBALLOON,]
NtUserFindWindowEx: [Class,Window] = [MsoHelp11,]
NtUserFindWindowEx: [Class,Window] = [AgentAnim,]
Behavior description: Window information
Details: Pid = 3928, Hwnd=0x90216, Text = 格式, ClassName = MsoCommandBar.
Pid = 3928, Hwnd=0xb021c, Text = 常用, ClassName = MsoCommandBar.
Pid = 3928, Hwnd=0x16017a, Text = 工作表菜单栏, ClassName = MsoCommandBar.
Pid = 3928, Hwnd=0xd0240, Text = b70c, ClassName = EXCEL7.
Pid = 3928, Hwnd=0xc02e0, Text = Microsoft Excel - b70c, ClassName = XLMAIN.
Pid = 3928, Hwnd=0x1201b4, Text = 123456, ClassName = ComboBox.
Pid = 3928, Hwnd=0x8020c, Text = 123456, ClassName = Edit.
Pid = 3928, Hwnd=0xf0264, Text = NEGS, ClassName = EXCEL7.
Pid = 3928, Hwnd=0x25017c, Text = b70c, ClassName = MS-SDIa.
Pid = 3928, Hwnd=0x1201b4, Text = 23456, ClassName = ComboBox.
Pid = 3928, Hwnd=0x8020c, Text = 23456, ClassName = Edit.
Behavior description: Open event
Details: \KernelObjects\MaximumCommitCondition
Global\TermSrvReadyEvent
Local\MSCTF.CtfActivated.Default1
Local\MSCTF.AsmCacheReady.Default1
MSFT.VSA.COM.DISABLE.3928
MSFT.VSA.IEC.STATUS.6c736db0
Global\ShutdownMSIDLLv327680.498156650
Global\RestartMSIDLLv327680.498156650
Behavior description: Create event object
Details: EventName = OleDfRoot6AF63BF4033C2A47
EventName = OleDfRoot426028B130663A81
EventName = OleDfRoot1F5CB5C114D979EA
EventName = OleDfRoot9F2FD45EE325313F
Behavior description: Open mutex
Details: Local\Mutex_MSOSharedMem
Local\Mso97SharedDg19211105606Mutex
Local\Mso97SharedDg20321105606Mutex
Local\MU_ACBPIDS08
Local\MSCTF.Asm.MutexDefault1
Local\Mso97SharedDg19521105606Mutex
Local\Mso97SharedDg19531105606Mutex
Global\MTX_MSO_Formal1_S-*
Global\MTX_MSO_AdHoc1_S-*
OfficeAssistantStateMutex
Local\SqmSysTray
Local\MU_ACB08
Translated by Keith Miller, United States