VirSCAN

1. You can upload any file, but each file is limited to 20 MB.
2. VirSCAN supports Rar/Zip archives, but an archive must contain fewer than 20 files.
3. VirSCAN can scan archives protected with the password 'infected' or 'virus'.


File information
Security rating: 50
Behavior list
Basic information
MD5: cc209b097c691d0018bd1f64688e70d7
File type: Microsoft Office Word (doc) document
Vendor:
Version:
Packer/compiler information:
Key behavior
Behavior description: Capture window screenshot information
Details: Foreground window Info: HWND = 0x000201d2, DC = 0x0c0109f2.
File behavior
Behavior description: Create file
Details: C:\Users\Administrator\AppData\Local\Temp\~DF28C0BDA901AC23DF.TMP
C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dot
C:\Users\Administrator\AppData\Local\Temp\~DF91EE383221E6D4C3.TMP
C:\Users\Administrator\AppData\Local\%temp%\****.doc
C:\Users\Administrator\AppData\Local\Temp\~WRF0000.tmp
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\%temp%\****.LNK
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\%temp%.LNK
C:\Users\Administrator\AppData\Local\Temp\~WRS0001.tmp
Behavior description: Overwrite existing file
Details: C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Word11.pip
Behavior description: Find file
Details: FileName = C:\Program Files\Common Files\Microsoft Shared\office11
FileName = C:\Program Files\Common Files\Microsoft Shared\office11\mso.dll
FileName = C:\Program Files\Common Files\Microsoft Shared\office11\*.*
FileName = C:\Program Files
FileName = C:\Program Files\Microsoft Office
FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\Normal.dot
FileName = C:\Program Files\Microsoft Office\OFFICE11\Normal.dot
FileName = C:\Windows
FileName = C:\Windows\WinSxS
FileName = C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
FileName = C:\Users\Administrator\AppData\Local\%temp%\****.doc
FileName = C:\Users\Administrator
FileName = C:\PROGRA~1
FileName = C:\PROGRA~1\COMMON~1
FileName = C:\PROGRA~1\COMMON~1\MICROS~1
Behavior description: Delete file
Details: C:\Users\Administrator\AppData\Local\Temp\~DF28C0BDA901AC23DF.TMP
C:\Users\Administrator\AppData\Local\Temp\~DF91EE383221E6D4C3.TMP
C:\Users\Administrator\AppData\Local\%temp%\****.doc
C:\Users\Administrator\AppData\Local\Temp\~WRS0001.tmp
C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dot
C:\Users\Administrator\AppData\Local\Temp\~WRF0000.tmp
Behavior description: Copy file
Details: C:\PROGRA~2\MICROS~1\OFFICE\DATA\OPA11.BAK ---> C:\PROGRA~2\MICROS~1\OFFICE\DATA\opa11.dat
Behavior description: Modify file contents
Details: C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dot ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dot ---> Offset = 54
C:\Users\Administrator\AppData\Local\%temp%\****.doc ---> Offset = 0
C:\Users\Administrator\AppData\Local\%temp%\****.doc ---> Offset = 54
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\%temp%\****.LNK ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\index.dat ---> Offset = 124
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\%temp%.LNK ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\index.dat ---> Offset = 60
C:\Users\Administrator\AppData\Local\Temp\~WRS0001.tmp ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Word11.pip ---> Offset = 0
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Word11.pip ---> Offset = 12
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Word11.pip ---> Offset = 112
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Word11.pip ---> Offset = 1428
C:\Users\Administrator\AppData\Roaming\Microsoft\Office\Word11.pip ---> Offset = 1680
Registry behavior
Behavior description: Modify registry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\=
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\MTTT
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\ 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4080110900063D11C8EF10054038389C\Usage\WORDFiles
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4080110900063D11C8EF10054038389C\Usage\ProductFiles
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\+ 
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\ 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4080110900063D11C8EF10054038389C\Usage\VBAFiles
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Common\ReviewCycle\ReviewToken
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\DocumentRecovery\28E4D\28E4D
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4080110900063D11C8EF10054038389C\Usage\WordEngWizDotFiles2
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4080110900063D11C8EF10054038389C\Usage\WORDHelpFiles
\REGISTRY\USER\S-*\Software\Microsoft\GDIPlus\FontCachePath
\REGISTRY\USER\S-*\Software\Microsoft\Office\Common\Assistant\CurrAsstState
Behavior description: Delete registry value
Details: \REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\ 
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\+ 
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\ 
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\=
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\DocumentRecovery\28E4D\28E4D
\REGISTRY\USER\S-*\Software\Microsoft\Office\Common\Assistant\CurrAsstState
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\MTTT
Behavior description: Delete registry key
Details: \REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\StartupItems\
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\DocumentRecovery\28E4D\
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\DocumentRecovery\
\REGISTRY\USER\S-*\Software\Microsoft\Office\11.0\Word\Resiliency\
Other behavior
Behavior description: Check whether it is being debugged
Details: IsDebuggerPresent
Behavior description: Create mutex
Details: Local\Mutex_MSOSharedMem
Local\Mso97SharedDg19211105606Mutex
Local\Mso97SharedDg20321105606Mutex
Global\MTX_MSO_Formal1_S-*
Global\MTX_MSO_AdHoc1_S-*
Local\Mso97SharedDg19521105606Mutex
Skd5yLHImeSCMutextCfgPersist_H_S-*
Local\Mso97SharedDg19531105606Mutex
Local\SqmSysTray
OfficeAssistantStateMutex
LocalMutex2341MSPYhld23qwe2527
GlobalUserFileMappingEudcMSPYhld23qwe_lock_SYNCROOT
_lock_SYNCROOT
GlobalUserFileMappingEudpMSPYhld23qwe_lock_SYNCROOT
PAdministratorLx.DAT!_SYNCROOT
Behavior description: Create event object
Details: EventName = PrimaryWord11Mutex
EventName = OleDfRootDC485F392CDCDDA2
EventName = OleDfRootA7DACE7B0553AB9D
EventName = OleDfRootD440EB85FEAB8807
EventName = MSPY Non-PC softkbd
Behavior description: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [MSOBALLOON,]
NtUserFindWindowEx: [Class,Window] = [MsoHelp10,]
NtUserFindWindowEx: [Class,Window] = [AgentAnim,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Window information
Details: Pid = 2656, Hwnd=0x101bc, Text = MsoDockTop, ClassName = MsoCommandBarDock.
Pid = 2656, Hwnd=0x101c4, Text = 格式, ClassName = MsoCommandBar.
Pid = 2656, Hwnd=0x101c2, Text = 常用, ClassName = MsoCommandBar.
Pid = 2656, Hwnd=0x101c6, Text = 菜单栏, ClassName = MsoCommandBar.
Pid = 2656, Hwnd=0x201ae, Text = b70c - Microsoft Word, ClassName = OpusApp.
Pid = 2656, Hwnd=0x301d0, Text = b70c, ClassName = _WwB.
Pid = 2656, Hwnd=0x101d8, Text = MSO Generic Control Container, ClassName = MsoCommandBar.
Pid = 2656, Hwnd=0x101dc, Text = MSO Generic Control Container, ClassName = MsoCommandBar.
Pid = 2656, Hwnd=0x201d2, Text = Microsoft Word 文档, ClassName = _WwG.
Behavior description: Open event
Details: Local\MSCTF.CtfActivated.Default1
Local\MSCTF.AsmCacheReady.Default1
\KernelObjects\MaximumCommitCondition
MSFT.VSA.COM.DISABLE.2656
MSFT.VSA.IEC.STATUS.6c736db0
Global\TermSrvReadyEvent
MSPY Non-PC softkbd
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Behavior description: Capture window screenshot information
Details: Foreground window Info: HWND = 0x000201d2, DC = 0x0c0109f2.
Behavior description: Hide specified window
Details: [Window,Class] = [,_WwB]
Behavior description: Open mutex
Details: Local\Mutex_MSOSharedMem
Local\Mso97SharedDg19211105606Mutex
Local\Mso97SharedDg20321105606Mutex
Local\MU_ACBPIDS08
Local\MSCTF.Asm.MutexDefault1
Global\MTX_MSO_Formal1_S-*
Global\MTX_MSO_AdHoc1_S-*
Local\Mso97SharedDg19521105606Mutex
Local\Mso97SharedDg19531105606Mutex
Local\SqmSysTray
OfficeAssistantStateMutex