VirSCAN

1. You can upload any file, but with a limit of 20Mb per file.
2. VirSCAN supports Rar/Zip files, but they must contain fewer than 20 files.
3. VirSCAN can scan archives compressed with the password 'infected' or 'virus'.


File information

Virscan.org multi-engine scan report
Behavior analysis report: Habo file analysis

Basic information

MD5: 5a54beffc04578fc17577f7c9881dc26
File size: 5.58MB
Upload time: 2014-09-22 10:36:30 (CST)
Package name:
Minimum operating environment:
Copyright:

Key behavior

Behavior description: Blocks window close messages
Details: hWnd = 0x000901e2, Text = 欢迎使用全新的 Office!, ClassName = Click2RunSplashScreen.
Behavior description: Sets special folder attributes
Details: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
Behavior description: Reads the CPU clock directly
Details: EAX = 0xe770d289, EDX = 0x0000039c
EAX = 0xea23d205, EDX = 0x0000039c
EAX = 0xf2119fee, EDX = 0x0000039c
EAX = 0xf9ff6dd7, EDX = 0x0000039c
EAX = 0xf9ff6e23, EDX = 0x0000039c
EAX = 0xf9ff6e6f, EDX = 0x0000039c
EAX = 0xf9ff6ebb, EDX = 0x0000039c
EAX = 0xfc873e44, EDX = 0x0000039c
EAX = 0xfc873e90, EDX = 0x0000039c
EAX = 0xfc873edc, EDX = 0x0000039c
Behavior description: Gets window screenshot information
Details: Foreground window Info: HWND = 0x000901e2, DC = 0xd70106d5.
Behavior description: Gets TickCount value
Details: TickCount = 1166218, SleepMilliseconds = 60000.
TickCount = 1166250, SleepMilliseconds = 60000.
TickCount = 1166265, SleepMilliseconds = 60000.
TickCount = 1166281, SleepMilliseconds = 60000.
TickCount = 1166296, SleepMilliseconds = 60000.
TickCount = 1166312, SleepMilliseconds = 60000.
TickCount = 1166328, SleepMilliseconds = 60000.
TickCount = 1166343, SleepMilliseconds = 60000.
TickCount = 1166703, SleepMilliseconds = 60000.
TickCount = 1167062, SleepMilliseconds = 60000.
TickCount = 1167218, SleepMilliseconds = 60000.
TickCount = 1167234, SleepMilliseconds = 60000.
TickCount = 1107475, SleepMilliseconds = 100.
TickCount = 1167500, SleepMilliseconds = 60000.
TickCount = 1107740, SleepMilliseconds = 100.

File behavior

Behavior description: Creates file
Details: C:\Users\Administrator\AppData\Local\Temp\A-PC-20181108-2145.log
Behavior description: Overwrites existing file
Details: C:\Users\Administrator\AppData\Local\Temp\A-PC-20181108-2145.log
Behavior description: Sets special folder attributes
Details: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
Behavior description: Modifies file contents
Details: C:\Users\Administrator\AppData\Local\Temp\A-PC-20181108-2145.log ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\A-PC-20181108-2145.log ---> Offset = 57524
Behavior description: Searches for files
Details: FileName = C:\Users\Administrator
FileName = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe
FileName = C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll
FileName =
FileName = C:\Users\Administrator\AppData\Local\%temp%\v32.cab
FileName = C:\Users\Administrator\AppData\Local\%temp%\Data\v32.cab
FileName = C:\Users\Administrator\AppData\Local\%temp%\Office\Data\v32.cab
FileName = C:\Users\*
FileName = C:\Users\a\AppData\Local\Microsoft\Office\Spw\Telespaces\*.xss
FileName = OfficeClickToRun.exe
FileName = C:\Users\Administrator\AppData\Local\Microsoft\Office\Spw\Telespaces\*.xss
FileName = C:\Users\All Users\AppData\Local\Microsoft\Office\Spw\Telespaces\*.xss
FileName = C:\Users\Default\AppData\Local\Microsoft\Office\Spw\Telespaces\*.xss
FileName = C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
FileName = C:\ProgramData\Microsoft\Network\Connections\Pbk\*.pbk

Network behavior

Behavior description: Connects to specified site
Details: WinHttpConnect: ServerName = co****om, PORT = 443, UserName = , Password = , hSession = 0x02836188, hConnect = 0x02842e30, Flags = 0x00000000
WinHttpConnect: ServerName = mr****om, PORT = 443, UserName = , Password = , hSession = 0x0283bba8, hConnect = 0x0281a038, Flags = 0x00000000
WinHttpConnect: ServerName = cl****et, PORT = 443, UserName = , Password = , hSession = 0x02836188, hConnect = 0x0281a948, Flags = 0x00000000
WinHttpConnect: ServerName = mr****om, PORT = 443, UserName = , Password = , hSession = 0x0283bba8, hConnect = 0x0047ea18, Flags = 0x00000000
WinHttpConnect: ServerName = of****om, PORT = 80, UserName = , Password = , hSession = 0x0281f768, hConnect = 0x0280f520, Flags = 0x00000000
WinHttpConnect: ServerName = of****om, PORT = 80, UserName = , Password = , hSession = 0x0281f768, hConnect = 0x0286cb10, Flags = 0x00000000
WinHttpConnect: ServerName = of****om, PORT = 80, UserName = , Password = , hSession = 0x0281f768, hConnect = 0x0286cbf8, Flags = 0x00000000
WinHttpConnect: ServerName = of****om, PORT = 80, UserName = , Password = , hSession = 0x0281f768, hConnect = 0x0286cce0, Flags = 0x00000000
WinHttpConnect: ServerName = of****om, PORT = 80, UserName = , Password = , hSession = 0x0286cce0, hConnect = 0x0286cdc8, Flags = 0x00000000
WinHttpConnect: ServerName = a-****et, PORT = 80, UserName = , Password = , hSession = 0x0281f768, hConnect = 0x0286cce0, Flags = 0x00000000
WinHttpConnect: ServerName = a-****et, PORT = 80, UserName = , Password = , hSession = 0x0281f768, hConnect = 0x0286cdc8, Flags = 0x00000000
WinHttpConnect: ServerName = a-****et, PORT = 80, UserName = , Password = , hSession = 0x0281f768, hConnect = 0x0286ceb0, Flags = 0x00000000
WinHttpConnect: ServerName = a-****et, PORT = 80, UserName = , Password = , hSession = 0x0281f768, hConnect = 0x0286cf98, Flags = 0x00000000
WinHttpConnect: ServerName = e1****et, PORT = 80, UserName = , Password = , hSession = 0x0281f768, hConnect = 0x0286cf98, Flags = 0x00000000
WinHttpConnect: ServerName = e1****et, PORT = 80, UserName = , Password = , hSession = 0x0281f768, hConnect = 0x0286d080, Flags = 0x00000000
Behavior description: Opens HTTP connection
Details: WinHttpOpen: UserAgent: Microsoft Office 2014, hSession = 0x02836188
WinHttpOpen: UserAgent: Microsoft Office/16.0 (Windows NT 6.1; 16.0.10827; Pro), hSession = 0x0283bba8
WinHttpOpen: UserAgent: ClickToRun Http Transport, hSession = 0x0281f768
WinHttpOpen: UserAgent: ClickToRun, hSession = 0x0286cce0
WinHttpOpen: UserAgent: ClickToRun, hSession = 0x0286d508
WinHttpOpen: UserAgent: ClickToRun, hSession = 0x02889cf8
WinHttpOpen: UserAgent: ClickToRun, hSession = 0x0289a8c0
WinHttpOpen: UserAgent: ClickToRun, hSession = 0x0289b0e8
WinHttpOpen: UserAgent: ClickToRun, hSession = 0x0289b3a0
Behavior description: Opens HTTP request
Details: WinHttpOpenRequest: co****om:443/config/v1/office/16.0.10827.20150?&clientid=%7b151eb206-d67f-4a5e-8596-3d5aa4950b73%7d&application=officeclicktorun&platform=win32&version=16.0.10827.20150&msoversion=16.0.10827.20150&audience=other&build=ship&architecture=x86&channe, hConnect = 0x02842e30, hRequest = 0x0281a3c0, Verb: GET, Referer: , Flags = 0x00800000
WinHttpOpenRequest: cl****et:443/ab?, hConnect = 0x0281a948, hRequest = 0x0281c2a0, Verb: GET, Referer: , Flags = 0x00800000
WinHttpOpenRequest: mr****om:443/mrodevicemgrsvc/api/v2/c2rreleasedata?audienceffn=492350f6-3a01-4f97-b9c0-c7c6ddf67d60&prids=o365homepremretail.16_zh-cn_x-none&osver=client|6.1.7601&bit=x86&tid=&omid=9e2632681100fc409153059c6554228c&susid=41793d07-e473-4, hConnect = 0x0281a038, hRequest = 0x0281ae80, Verb: GET, Referer: , Flags = 0x00800000
WinHttpOpenRequest: mr****om:443/mrodevicemgrsvc/api/v2/c2rreleasedata?audienceffn=492350f6-3a01-4f97-b9c0-c7c6ddf67d60&prids=o365homepremretail.16_zh-cn_x-none&osver=client|6.1.7601&bit=x86&tid=&omid=9e2632681100fc409153059c6554228c&susid=41793d07-e473-4, hConnect = 0x0047ea18, hRequest = 0x0281c228, Verb: GET, Referer: , Flags = 0x00800000
WinHttpOpenRequest: mr****om:443/mrodevicemgrsvc/api/v2/c2rreleasedata?audienceffn=492350f6-3a01-4f97-b9c0-c7c6ddf67d60&prids=o365homepremretail.16_zh-cn_x-none&osver=client|6.1.7601&bit=x86&tid=&omid=9e2632681100fc409153059c6554228c&susid=41793d07-e473-4, hConnect = 0x0047ea18, hRequest = 0x02843d48, Verb: GET, Referer: , Flags = 0x00800000
WinHttpOpenRequest: of****om:80/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab, hConnect = 0x0280f520, hRequest = 0x02843d48, Verb: HEAD, Referer: , Flags = 0x00000000
WinHttpOpenRequest: of****om:80/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab, hConnect = 0x0280f520, hRequest = 0x02843000, Verb: GET, Referer: , Flags = 0x00000000
WinHttpOpenRequest: of****om:80/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab, hConnect = 0x0286cb10, hRequest = 0x028437f8, Verb: HEAD, Referer: , Flags = 0x00000000
WinHttpOpenRequest: of****om:80/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab, hConnect = 0x0286cb10, hRequest = 0x02843d48, Verb: GET, Referer: , Flags = 0x00000000
WinHttpOpenRequest: of****om:80/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab, hConnect = 0x0286cbf8, hRequest = 0x02843aa0, Verb: HEAD, Referer: , Flags = 0x00000000
WinHttpOpenRequest: of****om:80/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab, hConnect = 0x0286cbf8, hRequest = 0x028437f8, Verb: GET, Referer: , Flags = 0x00000000
WinHttpOpenRequest: of****om:80/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab, hConnect = 0x0286cce0, hRequest = 0x02844298, Verb: HEAD, Referer: , Flags = 0x00000000
WinHttpOpenRequest: of****om:80/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab, hConnect = 0x0286cce0, hRequest = 0x02843aa0, Verb: GET, Referer: , Flags = 0x00000000
WinHttpOpenRequest: of****om:80/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab, hConnect = 0x0286cdc8, hRequest = 0x02843d48, Verb: GET, Referer: , Flags = 0x00000000
WinHttpOpenRequest: a-****et:80/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab, hConnect = 0x0286cce0, hRequest = 0x02844298, Verb: HEAD, Referer: , Flags = 0x00000000
Behavior description: Resolves host address by name
Details: GetAddrInfoW: cl****et
GetAddrInfoW: mr****om
GetAddrInfoW: co****om
GetAddrInfoW: of****om
GetAddrInfoW: a-****et
GetAddrInfoW: e1****et

Registry behavior

Behavior description: Modifies registry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Office\16.0\Common\Experiment\officeclicktorun\FirstSessionTriggered
\REGISTRY\USER\S-*\Software\Microsoft\Office\16.0\Common\LanguageResources\UIFallbackLanguages
\REGISTRY\USER\S-*\Software\Microsoft\Office\16.0\Common\LanguageResources\HelpLanguageTag
\REGISTRY\USER\S-*\Software\Microsoft\Office\16.0\Common\LanguageResources\PreferredEditingLanguage
\REGISTRY\USER\S-*\Software\Microsoft\Office\16.0\Common\LanguageResources\PreviousPreferredEditingLanguage
\REGISTRY\USER\S-*\Software\Microsoft\Office\16.0\Common\LanguageResources\WordChangeInstallLanguage
\REGISTRY\USER\S-*\Software\Microsoft\Office\16.0\Common\LanguageResources\WordMailChangeInstallLanguage
\REGISTRY\USER\S-*\Software\Microsoft\Office\16.0\Common\LanguageResources\XLChangeInstallLanguage
\REGISTRY\USER\S-*\Software\Microsoft\Office\16.0\Common\LanguageResources\PPTChangeInstallLanguage
\REGISTRY\USER\S-*\Software\Microsoft\Office\16.0\Common\LanguageResources\AccessChangeInstallLanguage
\REGISTRY\USER\S-*\Software\Microsoft\Office\16.0\Common\LanguageResources\OutlookChangeInstallLanguage
\REGISTRY\USER\S-*\Software\Microsoft\Office\16.0\Common\LanguageResources\SharePointDesignerChangeInstallLanguage
\REGISTRY\USER\S-*\Software\Microsoft\Office\16.0\Common\LanguageResources\PublisherChangeInstallLanguage
\REGISTRY\USER\S-*\Software\Microsoft\Office\16.0\Common\LanguageResources\ProjectChangeInstallLanguage
\REGISTRY\USER\S-*\Software\Microsoft\Office\16.0\Common\LanguageResources\InfoPathChangeInstallLanguage
Behavior description: Deletes registry value
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL

Other behavior

Behavior description: Checks whether it is being debugged
Details: IsDebuggerPresent
Behavior description: Creates mutex
Details: Local\ZonesCounterMutex
Local\!IETld!Mutex
Local\ZonesCacheCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
RasPbFile
Local\O365HomePremRetail_zh-cn
Behavior description: Opens mutex
Details: Local\!IETld!Mutex
Local\_!MSFTHISTORY!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!
Local\WininetStartupMutex
Local\MSCTF.Asm.MutexDefault1
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
Behavior description: Window information
Details: Pid = 4060, Hwnd=0xa0198, Text = 即将准备就绪, ClassName = Static.
Pid = 4060, Hwnd=0x901e2, Text = 欢迎使用全新的 Office!, ClassName = Click2RunSplashScreen.
Pid = 4060, Hwnd=0xe01ee, Text = 最小化, ClassName = Button.
Pid = 4060, Hwnd=0x1201b4, Text = 关闭, ClassName = Button.
Pid = 4060, Hwnd=0xa0290, Text = 关闭(&C), ClassName = Button.
Pid = 4060, Hwnd=0xd0282, Text = 无法安装, ClassName = C2RCustomWindow.
Behavior description: Gets TickCount value
Details: TickCount = 1166218, SleepMilliseconds = 60000.
TickCount = 1166250, SleepMilliseconds = 60000.
TickCount = 1166265, SleepMilliseconds = 60000.
TickCount = 1166281, SleepMilliseconds = 60000.
TickCount = 1166296, SleepMilliseconds = 60000.
TickCount = 1166312, SleepMilliseconds = 60000.
TickCount = 1166328, SleepMilliseconds = 60000.
TickCount = 1166343, SleepMilliseconds = 60000.
TickCount = 1166703, SleepMilliseconds = 60000.
TickCount = 1167062, SleepMilliseconds = 60000.
TickCount = 1167218, SleepMilliseconds = 60000.
TickCount = 1167234, SleepMilliseconds = 60000.
TickCount = 1107475, SleepMilliseconds = 100.
TickCount = 1167500, SleepMilliseconds = 60000.
TickCount = 1107740, SleepMilliseconds = 100.
Behavior description: Blocks window close messages
Details: hWnd = 0x000901e2, Text = 欢迎使用全新的 Office!, ClassName = Click2RunSplashScreen.
Behavior description: Opens event
Details: HookSwitchHookEnabledEvent
\KernelObjects\LowMemoryCondition
\KernelObjects\HighMemoryCondition
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
\KernelObjects\MaximumCommitCondition
MSFT.VSA.COM.DISABLE.4060
MSFT.VSA.IEC.STATUS.6c736db0
Local\MSCTF.CtfActivated.Default1
Local\MSCTF.AsmCacheReady.Default1
Global\SvcctrlStartEvent_A3752DX
Behavior description: Gets window screenshot information
Details: Foreground window Info: HWND = 0x000901e2, DC = 0xd70106d5.
Behavior description: Calls the Sleep function
Details: [1]: MilliSeconds = 0.
[2]: MilliSeconds = 0.
[3]: MilliSeconds = 0.
[4]: MilliSeconds = 0.
[5]: MilliSeconds = 0.
[6]: MilliSeconds = 0.
[7]: MilliSeconds = 0.
[8]: MilliSeconds = 0.
[9]: MilliSeconds = 0.
[10]: MilliSeconds = 0.
Behavior description: Reads the CPU clock directly
Details: EAX = 0xe770d289, EDX = 0x0000039c
EAX = 0xea23d205, EDX = 0x0000039c
EAX = 0xf2119fee, EDX = 0x0000039c
EAX = 0xf9ff6dd7, EDX = 0x0000039c
EAX = 0xf9ff6e23, EDX = 0x0000039c
EAX = 0xf9ff6e6f, EDX = 0x0000039c
EAX = 0xf9ff6ebb, EDX = 0x0000039c
EAX = 0xfc873e44, EDX = 0x0000039c
EAX = 0xfc873e90, EDX = 0x0000039c
EAX = 0xfc873edc, EDX = 0x0000039c