VirSCAN
File information
Safety score: 79
Behavior list
Basic information
MD5:02ae075da4fb2a6d38ce06f8f40e397e
File type: RTF document
Vendor:
Version:
Packer or compiler information:
Key behavior
Behavior description: Opens registry key (virtual machine detection related)
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions
Process behavior
Behavior description: Creates local thread
Details: TargetProcess: WINWORD.EXE, InheritedFromPID = 2000, ProcessID = 2492, ThreadID = 2616, StartAddress = 77E56C7D, Parameter = 001A6630
TargetProcess: WINWORD.EXE, InheritedFromPID = 2000, ProcessID = 2492, ThreadID = 2620, StartAddress = 769AE43B, Parameter = 001A8EF0
TargetProcess: WINWORD.EXE, InheritedFromPID = 2000, ProcessID = 2492, ThreadID = 2632, StartAddress = 77E56C7D, Parameter = 001AA5A0
TargetProcess: WINWORD.EXE, InheritedFromPID = 2000, ProcessID = 2492, ThreadID = 2712, StartAddress = 326138F8, Parameter = 03723780
TargetProcess: WINWORD.EXE, InheritedFromPID = 2000, ProcessID = 2492, ThreadID = 2728, StartAddress = 3BE7617C, Parameter = 00000000
TargetProcess: WINWORD.EXE, InheritedFromPID = 2000, ProcessID = 2492, ThreadID = 2748, StartAddress = 3264B7DB, Parameter = 00000000
TargetProcess: WINWORD.EXE, InheritedFromPID = 2000, ProcessID = 2492, ThreadID = 2904, StartAddress = 314AB3EA, Parameter = 320FDEB0
TargetProcess: WINWORD.EXE, InheritedFromPID = 2000, ProcessID = 2492, ThreadID = 3064, StartAddress = 314AB3EA, Parameter = 320FDEB0
File behavior
Behavior description: Creates file
Details: C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\~$Normal.dotm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRS{F333B72E-2E8D-4D4D-8966-A18DB4BCBE98}.tmp
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.rtf
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRS{1302382E-1EE0-4ACC-9FD0-026020A3B9CC}.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRF{668F112B-3340-473F-B480-3491A7696EFA}.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.MSO\46AB8C0.wmf
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\%temp%\****.rtf.LNK
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\%temp%.LNK
Behavior description: Overwrites existing file
Details: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.MSO\46AB8C0.wmf
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Word12.pip
Behavior description: Searches for file
Details: FileName = C:\Program Files
FileName = C:\Program Files\Microsoft Office 2007
FileName = C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
FileName = C:\WINDOWS\Microsoft.NET\Framework\\*
FileName = C:\Program Files\Microsoft Office 2007\Office12\Normal.dotm
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\Normal.dotm
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\桌面
FileName = C:\Documents and Settings\Administrator\Application Data
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates
FileName = C:\Documents and Settings\Administrator\My Documents
FileName = C:\Documents and Settings\All Users
FileName = C:\Documents and Settings\All Users\Documents
Behavior description: Deletes file
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.rtf
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRS{1302382E-1EE0-4ACC-9FD0-026020A3B9CC}.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\~$Normal.dotm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRS{F333B72E-2E8D-4D4D-8966-A18DB4BCBE98}.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.MSO\46AB8C0.wmf
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRF{668F112B-3340-473F-B480-3491A7696EFA}.tmp
Behavior description: Copies file
Details: C:\Program Files\Microsoft Office 2007\Office12\OPA12.BAK ---> C:\Program Files\Microsoft Office 2007\Office12\opa12.dat
Behavior description: Modifies file content
Details: C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\~$Normal.dotm ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\~$Normal.dotm ---> Offset = 54
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRS{F333B72E-2E8D-4D4D-8966-A18DB4BCBE98}.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.rtf ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.rtf ---> Offset = 54
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRS{1302382E-1EE0-4ACC-9FD0-026020A3B9CC}.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRS{1302382E-1EE0-4ACC-9FD0-026020A3B9CC}.tmp ---> Offset = 512
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.MSO\46AB8C0.wmf ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\%temp%\****.rtf.LNK ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\index.dat ---> Offset = 28
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\%temp%.LNK ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Word12.pip ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Word12.pip ---> Offset = 12
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Word12.pip ---> Offset = 112
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Word12.pip ---> Offset = 120
Registry behavior
Behavior description: Modifies registry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\d=-
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00002109030000000000000000F01FEC\Usage\ProductFiles
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Common\LanguageResources\EnabledLanguages\2052
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Common\LanguageResources\EnabledLanguages\1033
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00002109030000000000000000F01FEC\Usage\WORDFiles
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\MTTT
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\#*-
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\<.-
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\00-
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\~0-
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\f1-
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\32-
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\`2-
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Common\ReviewCycle\ReviewToken
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\File MRU\Item 1
Behavior description: Deletes registry value
Details: \REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\#*-
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\<.-
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\00-
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\~0-
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\f1-
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\32-
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\File MRU\Max Display
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\File MRU\Item 1
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\File MRU\Item 2
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\File MRU\Item 3
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\File MRU\Item 4
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\File MRU\Item 5
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\File MRU\Item 6
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\File MRU\Item 7
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\File MRU\Item 8
Behavior description: Opens registry key (virtual machine detection related)
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions
Behavior description: Deletes registry key
Details: \REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\StartupItems\
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\DocumentRecovery\38128\
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\DocumentRecovery\
\REGISTRY\USER\S-*\Software\Microsoft\Office\12.0\Word\Resiliency\
Other behavior
Behavior description: Creates mutex
Details: CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.GCompartListMUTEX.DefaultS-*
Global\MTX_MSO_Formal1_S-*
Global\MTX_MSO_AdHoc1_S-*
MSCTF.Shared.MUTEX.IOH
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
MSCTF.Shared.MUTEX.AMJ
Behavior description: Creates event object
Details: EventName = Local\PrimaryWord12Mutex_S-*
EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceive.Event.AMJ.IC
EventName = MSCTF.SendReceiveConection.Event.AMJ.IC
Behavior description: Opens event
Details: HookSwitchHookEnabledEvent
MSFT.VSA.COM.DISABLE.2492
MSFT.VSA.IEC.STATUS.6c736db0
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
_fCanRegisterWithShellService
CTF.ThreadMIConnectionEvent.000007E8.00000000.0000000F
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.0000000F
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Behavior description: Searches for specified window
Details: NtUserFindWindowEx: [Class,Window] = [mspim_wnd32,]
NtUserFindWindowEx: [Class,Window] = [MSOBALLOON,]
NtUserFindWindowEx: [Class,Window] = [MsoHelp10,]
NtUserFindWindowEx: [Class,Window] = [AgentAnim,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [MsoHelp11,]
Behavior description: Window information
Details: Pid = 2492, Hwnd=0x10360, Text = MsoDockTop, ClassName = MsoCommandBarDock.
Pid = 2492, Hwnd=0x10366, Text = Ribbon, ClassName = MsoCommandBar.
Pid = 2492, Hwnd=0x10364, Text = MsoDockBottom, ClassName = MsoCommandBarDock.
Pid = 2492, Hwnd=0x10368, Text = 状态栏, ClassName = MsoCommandBar.
Pid = 2492, Hwnd=0x10382, Text = 状态栏, ClassName = MsoWorkPane.
Pid = 2492, Hwnd=0x10356, Text = MsoWorkPane, ClassName = MsoWorkPane.
Pid = 2492, Hwnd=0x1036a, Text = MsoWorkPane, ClassName = MsoWorkPane.
Pid = 2492, Hwnd=0x40342, Text = Microsoft Word, ClassName = OpusApp.
Pid = 2492, Hwnd=0x20394, Text = Ribbon, ClassName = MsoWorkPane.
Pid = 2492, Hwnd=0x2039a, Text = %temp%\****.rtf, ClassName = _WwB.
Pid = 2492, Hwnd=0x103a8, Text = MSO Generic Control Container, ClassName = MsoCommandBar.
Pid = 2492, Hwnd=0x103aa, Text = MSO Generic Control Container, ClassName = MsoCommandBar.
Pid = 2492, Hwnd=0x203a0, Text = Microsoft Word 文档, ClassName = _WwG.
Pid = 2492, Hwnd=0x103a2, Text = 垂直, ClassName = NUIScrollbar.
Pid = 2492, Hwnd=0x40342, Text = %temp%\****.rtf - Microsoft Word, ClassName = OpusApp.
Behavior description: Adjusts process token privileges
Details: SE_LOAD_DRIVER_PRIVILEGE
Behavior description: Enumerates windows
Details: N/A
Behavior description: Hides specified window
Details: [Window,Class] = [,ThunderRT6Main]
[Window,Class] = [,_WwB]
Behavior description: Opens mutex
Details: ShimCacheMutex
Local\MU_ACBPIDS09_S-1-5-5-0-52227
CtfmonInstMutexDefaultS-*
Global\MTX_MSO_Formal1_S-*
Global\MTX_MSO_AdHoc1_S-*
Local\!IETld!Mutex
Runtime screenshot