VirSCAN

File information
Safety rating: 55
Behavior list
Basic Information
MD5: e74a51f1e83ee44f716b9291d5db5e7c
File type: EXE
Production company:
Version:
Shell or compiler information: COMPILER:Microsoft Visual Studio .NET 2005 -- 2008 -> Microsoft Corporation [RAR SFX] *
Subfile information: 2.bat / 72e35c1bb4ae94d1be17120439f0c6c7 / Unknown
2.exe / c4d236eb8c21cd440f6a1a6899ca3580 / EXE
Key behavior
Behavior description: Writes data into another process (cross-process write)
Details: TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000e38
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000e38
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x7ffdf238, Size = 0x00000004 TargetPID = 0x00000e38
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\2.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000ed4
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\2.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000ed4
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\2.exe, WriteAddress = 0x7ffd4238, Size = 0x00000004 TargetPID = 0x00000ed4
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\Read‮txt.scr, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000fec
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\Read‮txt.scr, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000fec
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\Read‮txt.scr, WriteAddress = 0x7ffd6238, Size = 0x00000004 TargetPID = 0x00000fec
TargetProcess = C:\Windows\System32\notepad.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000844
TargetProcess = C:\Windows\System32\notepad.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000844
TargetProcess = C:\Windows\System32\notepad.exe, WriteAddress = 0x7ffd8238, Size = 0x00000004 TargetPID = 0x00000844
TargetProcess = C:\Windows\System32\wscript.exe, WriteAddress = 0x00040000, Size = 0x00000020 TargetPID = 0x000009c0
TargetProcess = C:\Windows\System32\wscript.exe, WriteAddress = 0x00040020, Size = 0x00000034 TargetPID = 0x000009c0
TargetProcess = C:\Windows\System32\wscript.exe, WriteAddress = 0x7ffdf238, Size = 0x00000004 TargetPID = 0x000009c0
Behavior description: Reads the CPU clock counter directly
Details: EAX = 0xeba8db90, EDX = 0x00000075
EAX = 0xf0e3aa49, EDX = 0x00000075
EAX = 0xf396a9c5, EDX = 0x00000075
EAX = 0x64c957fe, EDX = 0x00000076
EAX = 0x64c9584a, EDX = 0x00000076
EAX = 0x64c95896, EDX = 0x00000076
EAX = 0x677c5812, EDX = 0x00000076
EAX = 0x677c585e, EDX = 0x00000076
EAX = 0x677c58aa, EDX = 0x00000076
EAX = 0x677c58f6, EDX = 0x00000076
EAX = 0xda77dca5, EDX = 0x00000076
EAX = 0xdcffac2e, EDX = 0x00000076
EAX = 0xdfb2abaa, EDX = 0x00000076
EAX = 0xe265ab26, EDX = 0x00000076
EAX = 0x340c52de, EDX = 0x00000077
Behavior description: Sets a startup item
Details: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk
Behavior description: Sets special file attributes
Details: C:\System\Go.vbs
C:\System\Hide.bat
C:\System\Hide.vbs
C:\System\1.vbs
Behavior description: Sets special folder attributes
Details: C:\Program Files\Common Files\System
C:\Program Files\Microsoft Office 2007\Office12\MathType\System
C:\Windows\assembly\GAC_MSIL\System
C:\Windows\assembly\NativeImages_v2.0.50727_32\System
C:\Windows\assembly\NativeImages_v4.0.30319_32\System
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System
C:\Windows\PLA\System
C:\Windows\System32\Tasks\Microsoft\Windows\PLA\System
C:\Windows\Vss\Writers\System
C:\Windows\system
C:\System
Behavior description: Queries registry (virtual machine detection)
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions\DisplayName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions\UninstallString
Behavior description: Detects virtual machine by searching for files
Details: FindFirstFileEx: FileName = C:\Program Files\Oracle\VirtualBox Guest Additions\*.*
FindFirstFileEx: FileName = C:\Program Files\Oracle\VirtualBox Guest Additions\System
FindFirstFileEx: FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox Guest Additions\*.*
FindFirstFileEx: FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox Guest Additions\System
Process behavior
Behavior description: Creates process with hidden window
Details: ImagePath = , CmdLine = "C:\System\Go.bat"
ImagePath = , CmdLine = "C:\System\Hide.bat"
ImagePath = , CmdLine = "C:\System\1.bat"
ImagePath = C:\Windows\System32\VBoxService.exe, CmdLine = vbox_stat --machinereadable -- C:/07c18980de59b70b44f118fe7e28dc64_Finished.txt
Behavior description: Creates process
Details: [0x00000e38]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = cmd /c ""C:\Users\ADMINI~1\AppData\Local\Temp\2.bat" "
[0x00000844]ImagePath = C:\Windows\System32\notepad.exe, CmdLine = "C:\Windows\system32\NOTEPAD.EXE" C:\Users\ADMINI~1\AppData\Local\Temp\1.txt
[0x000009c0]ImagePath = C:\Windows\System32\wscript.exe, CmdLine = "C:\Windows\System32\WScript.exe" "C:\System\Hide.vbs"
[0x00000a24]ImagePath = C:\Windows\System32\wscript.exe, CmdLine = "C:\Windows\System32\WScript.exe" "C:\System\Go.vbs"
[0x00000098]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = cmd /c ""C:\System\Go.bat" "
[0x0000092c]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
[0x00000904]ImagePath = C:\Windows\System32\tasklist.exe, CmdLine = tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
[0x00000fe8]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = cmd /c ""C:\System\Hide.bat" "
[0x000009f0]ImagePath = C:\Windows\System32\timeout.exe, CmdLine = timeout /t 1 /nobreak
[0x000002bc]ImagePath = C:\Windows\System32\attrib.exe, CmdLine = attrib C:\System +H /S /D
[0x000006b0]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq srvan.exe"
[0x0000062c]ImagePath = C:\Windows\System32\tasklist.exe, CmdLine = tasklist /NH /FI "IMAGENAME eq srvan.exe"
[0x00000634]ImagePath = C:\Windows\System32\wscript.exe, CmdLine = "C:\Windows\System32\WScript.exe" "C:\System\1.vbs"
[0x00000744]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = C:\Windows\system32\cmd.exe /c tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
[0x00000624]ImagePath = C:\Windows\System32\tasklist.exe, CmdLine = tasklist /NH /FI "IMAGENAME eq Taskmgr.exe"
Behavior description: Creates process from a newly created file
Details: [0x00000ed4]ImagePath = C:\Users\ADMINI~1\AppData\Local\Temp\2.exe, CmdLine = 2.exe -p123 -dC:\Users\ADMINI~1\AppData\Local\Temp
[0x00000fec]ImagePath = C:\Users\ADMINI~1\AppData\Local\Temp\Read‮txt.scr, CmdLine = "C:\Users\ADMINI~1\AppData\Local\Temp\Read‮txt.scr" /S
Behavior description: Writes data into another process (cross-process write)
Details: TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000e38
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000e38
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x7ffdf238, Size = 0x00000004 TargetPID = 0x00000e38
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\2.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000ed4
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\2.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000ed4
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\2.exe, WriteAddress = 0x7ffd4238, Size = 0x00000004 TargetPID = 0x00000ed4
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\Read‮txt.scr, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000fec
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\Read‮txt.scr, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000fec
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\Read‮txt.scr, WriteAddress = 0x7ffd6238, Size = 0x00000004 TargetPID = 0x00000fec
TargetProcess = C:\Windows\System32\notepad.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000844
TargetProcess = C:\Windows\System32\notepad.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000844
TargetProcess = C:\Windows\System32\notepad.exe, WriteAddress = 0x7ffd8238, Size = 0x00000004 TargetPID = 0x00000844
TargetProcess = C:\Windows\System32\wscript.exe, WriteAddress = 0x00040000, Size = 0x00000020 TargetPID = 0x000009c0
TargetProcess = C:\Windows\System32\wscript.exe, WriteAddress = 0x00040020, Size = 0x00000034 TargetPID = 0x000009c0
TargetProcess = C:\Windows\System32\wscript.exe, WriteAddress = 0x7ffdf238, Size = 0x00000004 TargetPID = 0x000009c0
File behavior
Behavior description: Creates file
Details: C:\Users\Administrator\AppData\Local\Temp\__tmp_rar_sfx_access_check_141171
C:\Users\Administrator\AppData\Local\Temp\2.bat
C:\Users\Administrator\AppData\Local\Temp\2.exe
C:\Users\Administrator\AppData\Local\Temp\__tmp_rar_sfx_access_check_142046
C:\Users\Administrator\AppData\Local\Temp\1.txt
C:\Users\Administrator\AppData\Local\Temp\Read‮txt.scr
C:\System\__tmp_rar_sfx_access_check_143015
C:\System\cudart64_80.dll
C:\System\equiw200k9.bin
C:\System\Go.bat
C:\System\Go.vbs
C:\System\Hide.bat
C:\System\Hide.vbs
C:\System\msvcp120.dll
C:\System\msvcr120.dll
Behavior description: Creates executable file
Details: C:\Users\Administrator\AppData\Local\Temp\2.exe
C:\Users\Administrator\AppData\Local\Temp\Read‮txt.scr
C:\System\cudart64_80.dll
C:\System\msvcp120.dll
C:\System\msvcr120.dll
C:\System\srvan.exe
C:\System\cpu_tromp_AVX.dll
C:\System\cpu_tromp_SSE2.dll
C:\System\cuda_tromp.dll
C:\System\cuda_tromp_75.dll
C:\System\cudart64_75.dll
Behavior description: Deletes file
Details: C:\Users\Administrator\AppData\Local\Temp\__tmp_rar_sfx_access_check_141171
C:\Users\Administrator\AppData\Local\Temp\__tmp_rar_sfx_access_check_142046
C:\System\__tmp_rar_sfx_access_check_143015
Behavior description: Modifies script file
Details: C:\Users\Administrator\AppData\Local\Temp\2.bat ---> Offset = 0
C:\System\Go.bat ---> Offset = 0
C:\System\Go.vbs ---> Offset = 0
C:\System\Hide.bat ---> Offset = 0
C:\System\Hide.vbs ---> Offset = 0
C:\System\1.bat ---> Offset = 0
C:\System\1.vbs ---> Offset = 0
Behavior description: Overwrites existing file
Details: C:\Windows\Prefetch\SPPSVC.EXE-B0F8131B.pf
C:\Windows\Prefetch\SVCHOST.EXE-05F624AB.pf
C:\Windows\Prefetch\WMPNETWK.EXE-D9F2A96F.pf
C:\Windows\Prefetch\ATTRIB.EXE-A990CB86.pf
C:\Windows\Prefetch\IEXPLORE.EXE-908C99F8.pf
C:\Windows\Prefetch\SEARCHPROTOCOLHOST.EXE-0CB8CADE.pf
Behavior description: Searches for file
Details: FileName = C:\Users\Administrator\AppData\Local\%temp%\b70c.exe
FileName = 2.bat
FileName = \\?\C:\Users\ADMINI~1\AppData\Local\Temp\2.bat
FileName = 2.exe
FileName = \\?\C:\Users\ADMINI~1\AppData\Local\Temp\2.exe
FileName = C:\Users
FileName = C:\Users\ADMINI~1
FileName = C:\Users\ADMINI~1\AppData
FileName = C:\Users\ADMINI~1\AppData\Local
FileName = C:\Users\ADMINI~1\AppData\Local\Temp
FileName = C:\Users\ADMINI~1\AppData\Local\Temp\2.bat
FileName = C:\Users\ADMINI~1\AppData\Local\Temp\*.*
FileName = C:\Users\ADMINI~1\AppData\Local\Temp\2.exe
FileName = 1.txt
FileName = \\?\C:\Users\ADMINI~1\AppData\Local\Temp\1.txt
Behavior description: Sets a startup item
Details: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk
Behavior description: Sets special file attributes
Details: C:\System\Go.vbs
C:\System\Hide.bat
C:\System\Hide.vbs
C:\System\1.vbs
Behavior description: Sets special folder attributes
Details: C:\Program Files\Common Files\System
C:\Program Files\Microsoft Office 2007\Office12\MathType\System
C:\Windows\assembly\GAC_MSIL\System
C:\Windows\assembly\NativeImages_v2.0.50727_32\System
C:\Windows\assembly\NativeImages_v4.0.30319_32\System
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System
C:\Windows\PLA\System
C:\Windows\System32\Tasks\Microsoft\Windows\PLA\System
C:\Windows\Vss\Writers\System
C:\Windows\system
C:\System
Behavior description: Modifies file contents
Details: C:\Users\Administrator\AppData\Local\Temp\2.exe ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\2.exe ---> Offset = 65536
C:\Users\Administrator\AppData\Local\Temp\2.exe ---> Offset = 131072
C:\Users\Administrator\AppData\Local\Temp\2.exe ---> Offset = 196608
C:\Users\Administrator\AppData\Local\Temp\2.exe ---> Offset = 200448
C:\Users\Administrator\AppData\Local\Temp\1.txt ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\Read‮txt.scr ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\Read‮txt.scr ---> Offset = 65536
C:\Users\Administrator\AppData\Local\Temp\Read‮txt.scr ---> Offset = 131072
C:\Users\Administrator\AppData\Local\Temp\Read‮txt.scr ---> Offset = 196608
C:\Users\Administrator\AppData\Local\Temp\Read‮txt.scr ---> Offset = 222208
C:\System\cudart64_80.dll ---> Offset = 0
C:\System\cudart64_80.dll ---> Offset = 65536
C:\System\cudart64_80.dll ---> Offset = 131072
C:\System\cudart64_80.dll ---> Offset = 196608
Registry behavior
Behavior description: Modifies registry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids\VBSFile
\REGISTRY\USER\S-*_CLASSES\Local Settings\MuiCache\2F\AAF68885\@C:\Windows\System32\wshext.dll,-4511
Behavior description: Deletes registry value
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
Behavior description: Queries registry (virtual machine detection)
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions\DisplayName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions\UninstallString
Other behavior
Behavior description: Checks whether it is being debugged
Details: IsDebuggerPresent
Behavior description: Creates mutex
Details: Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
Behavior description: Hides specified window
Details: [Window,Class] = [,ComboLBox]
[Window,Class] = [&Обзор...,Button]
[Window,Class] = [C:\Users\ADMINI~1\AppData\Local\Temp,ComboBox]
[Window,Class] = [C:\System,ComboBox]
[Window,Class] = [C:\Windows\System32\VBoxService.exe,ConsoleWindowClass]
[Window,Class] = [C:\Windows\System32\cmd.exe,ConsoleWindowClass]
Behavior description: Opens mutex
Details: DefaultTabtip-MainUI
Local\MSCTF.Asm.MutexDefault1
Behavior description: Searches for specified window
Details: NtUserFindWindowEx: [Class,Window] = [EDIT,]
Behavior description: Adjusts process token privileges
Details: SE_DEBUG_PRIVILEGE
Behavior description: Opens event
Details: HookSwitchHookEnabledEvent
\KernelObjects\MaximumCommitCondition
Local\MSCTF.CtfActivated.Default1
Local\MSCTF.AsmCacheReady.Default1
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
MSFT.VSA.COM.DISABLE.2496
MSFT.VSA.IEC.STATUS.6c736db0
MSFT.VSA.COM.DISABLE.2596
Global\SvcctrlStartEvent_A3752DX
MSFT.VSA.COM.DISABLE.2308
MSFT.VSA.COM.DISABLE.1580
MSFT.VSA.COM.DISABLE.1588
MSFT.VSA.COM.DISABLE.1572
MSFT.VSA.COM.DISABLE.2288
MSFT.VSA.COM.DISABLE.200
Behavior description: Executable file signature information
Details: C:\Users\Administrator\AppData\Local\Temp\2.exe (signature verification: failed)
C:\Users\Administrator\AppData\Local\Temp\Read‮txt.scr (signature verification: failed)
C:\System\cudart64_80.dll (signature verification: passed)
C:\System\msvcp120.dll (signature verification: passed)
C:\System\msvcr120.dll (signature verification: passed)
C:\System\srvan.exe (signature verification: failed)
C:\System\cpu_tromp_AVX.dll (signature verification: failed)
C:\System\cpu_tromp_SSE2.dll (signature verification: failed)
C:\System\cuda_tromp.dll (signature verification: failed)
C:\System\cuda_tromp_75.dll (signature verification: failed)
C:\System\cudart64_75.dll (signature verification: passed)
Behavior description: Creates event object
Details: EventName = ConsoleEvent-0x00000AF8
EventName = ConsoleEvent-0x000000C8
EventName = ConsoleEvent-0x00000DF8
EventName = ConsoleEvent-0x00000F34
EventName = ConsoleEvent-0x000008C0
EventName = ConsoleEvent-0x00000FD0
EventName = ConsoleEvent-0x000008EC
EventName = ConsoleEvent-0x00000948
EventName = ConsoleEvent-0x0000068C
EventName = ConsoleEvent-0x00000A6C
EventName = ConsoleEvent-0x0000046C
EventName = ConsoleEvent-0x00000AB0
EventName = ConsoleEvent-0x00000D58
EventName = ConsoleEvent-0x00000E94
EventName = ConsoleEvent-0x00000F88
Behavior description: Executable file MD5
Details: C:\Users\Administrator\AppData\Local\Temp\2.exe ---> c4d236eb8c21cd440f6a1a6899ca3580
C:\Users\Administrator\AppData\Local\Temp\Read‮txt.scr ---> aa840ad39124924c8a1aa2d576a50651
C:\System\cudart64_80.dll ---> cf198b329fb988983749f891c060245e
C:\System\msvcp120.dll ---> 46060c35f697281bc5e7337aee3722b1
C:\System\msvcr120.dll ---> 9c861c079dd81762b6c54e37597b7712
C:\System\srvan.exe ---> e4a0117ac9367eef38718b6fcda245ba
C:\System\cpu_tromp_AVX.dll ---> f6222106a01b57270a19d4d509a06b78
C:\System\cpu_tromp_SSE2.dll ---> d8c17217de90b4b057a92cc9ed0b61ac
C:\System\cuda_tromp.dll ---> c11ed5384b8a0c6737d3866cf66aa86d
C:\System\cuda_tromp_75.dll ---> 3accfd3c138d1b69319883d236b49920
C:\System\cudart64_75.dll ---> 60ea51e513ffc81a2786b9cca098cab7
Behavior description: Reads the CPU clock counter directly
Details: EAX = 0xeba8db90, EDX = 0x00000075
EAX = 0xf0e3aa49, EDX = 0x00000075
EAX = 0xf396a9c5, EDX = 0x00000075
EAX = 0x64c957fe, EDX = 0x00000076
EAX = 0x64c9584a, EDX = 0x00000076
EAX = 0x64c95896, EDX = 0x00000076
EAX = 0x677c5812, EDX = 0x00000076
EAX = 0x677c585e, EDX = 0x00000076
EAX = 0x677c58aa, EDX = 0x00000076
EAX = 0x677c58f6, EDX = 0x00000076
EAX = 0xda77dca5, EDX = 0x00000076
EAX = 0xdcffac2e, EDX = 0x00000076
EAX = 0xdfb2abaa, EDX = 0x00000076
EAX = 0xe265ab26, EDX = 0x00000076
EAX = 0x340c52de, EDX = 0x00000077
Behavior description: Loads newly dropped file
Details: Image: C:\Users\ADMINI~1\AppData\Local\Temp\2.exe.
Image: C:\Users\ADMINI~1\AppData\Local\Temp\Read‮txt.scr.
Behavior description: Detects virtual machine by searching for files
Details: FindFirstFileEx: FileName = C:\Program Files\Oracle\VirtualBox Guest Additions\*.*
FindFirstFileEx: FileName = C:\Program Files\Oracle\VirtualBox Guest Additions\System
FindFirstFileEx: FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox Guest Additions\*.*
FindFirstFileEx: FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox Guest Additions\System
Run screenshot