VirSCAN


File information
Security rating: 77
Behavior list
Behavior analysis report: Threatbook file behaviour analysis report
Basic information
MD5:6ae8fcbab16ff4f7dd23474aaac4f694
File type: EXE
Vendor: 好系统激活工具
Version: 1.0.1.1---1.0.1.1
Packer or compiler information: COMPILER:Microsoft Visual Studio .NET 2005 -- 2008 -> Microsoft Corporation *
Key behaviors
Behavior description: Cross-process data write
Details: TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x0000092c
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x0000092c
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x7ffd9238, Size = 0x00000004 TargetPID = 0x0000092c
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\win7\files\showdrive.exe, WriteAddress = 0x00140000, Size = 0x00000020 TargetPID = 0x000009c8
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\win7\files\showdrive.exe, WriteAddress = 0x00140020, Size = 0x00000034 TargetPID = 0x000009c8
TargetProcess = C:\Users\ADMINI~1\AppData\Local\Temp\win7\files\showdrive.exe, WriteAddress = 0x7ffdb238, Size = 0x00000004 TargetPID = 0x000009c8
TargetProcess = C:\Windows\System32\cscript.exe, WriteAddress = 0x00040000, Size = 0x00000020 TargetPID = 0x000006ac
TargetProcess = C:\Windows\System32\cscript.exe, WriteAddress = 0x00040020, Size = 0x00000034 TargetPID = 0x000006ac
TargetProcess = C:\Windows\System32\cscript.exe, WriteAddress = 0x7ffd9238, Size = 0x00000004 TargetPID = 0x000006ac
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00150000, Size = 0x00000020 TargetPID = 0x00000ea8
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00150020, Size = 0x00000034 TargetPID = 0x00000ea8
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x7ffdf238, Size = 0x00000004 TargetPID = 0x00000ea8
TargetProcess = C:\Windows\System32\reg.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x00000220
TargetProcess = C:\Windows\System32\reg.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x00000220
TargetProcess = C:\Windows\System32\reg.exe, WriteAddress = 0x7ffd6238, Size = 0x00000004 TargetPID = 0x00000220
Behavior description: Get TickCount value
Details: TickCount = 1170593, SleepMilliseconds = 60000.
Behavior description: Block window close message
Details: hWnd = 0x001201e8, Text = 好系统激活工具-Windows, ClassName = #32770.
Behavior description: Capture window screenshot information
Details: Foreground window Info: HWND = 0x000e0254, DC = 0x99010951.
Foreground window Info: HWND = 0x000e0254, DC = 0xab01019b.
Foreground window Info: HWND = 0x000e0254, DC = 0x8c010713.
Behavior description: Modify VBR (volume boot record)
Details: NtWriteFile DriverName = \Driver\volmgr, Offset HighPart = 0x00000000, LowPart = 0x00000000, Length = 0x00002000
Behavior description: Read CPU clock directly (RDTSC)
Details: EAX = 0x040f91f2, EDX = 0x000003a2
Behavior description: Shut down or restart
Details: InitiateSystemShutdownExW
Process behavior
Behavior description: Create process with hidden window
Details: ImagePath = , CmdLine = C:\Users\ADMINI~1\AppData\Local\Temp\win7\win7.cmd
Behavior description: Create process
Details: [0x0000092c]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = cmd /c C:\Users\ADMINI~1\AppData\Local\Temp\win7\win7.cmd
[0x000006ac]ImagePath = C:\Windows\System32\cscript.exe, CmdLine = cscript C:\Windows\system32\slmgr.vbs -ilc files\Certificate.xrm-ms
[0x00000ea8]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
[0x00000220]ImagePath = C:\Windows\System32\reg.exe, CmdLine = REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
[0x0000072c]ImagePath = C:\Windows\System32\reg.exe, CmdLine = REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
[0x00000cc4]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = C:\Windows\system32\cmd.exe /S /D /c" type sysname "
[0x00000424]ImagePath = C:\Windows\System32\find.exe, CmdLine = find "7"
[0x00000838]ImagePath = C:\Windows\System32\find.exe, CmdLine = find /i "Ultimate"
[0x00000a18]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = C:\Windows\system32\cmd.exe /S /D /c" type sysname "
[0x00000da0]ImagePath = C:\Windows\System32\find.exe, CmdLine = find "7"
[0x00000e94]ImagePath = C:\Windows\System32\find.exe, CmdLine = find /i "Professional"
[0x00000ac8]ImagePath = C:\Windows\System32\attrib.exe, CmdLine = attrib E:\w7ldr +h +s +r
[0x00000d34]ImagePath = C:\Windows\System32\cscript.exe, CmdLine = cscript C:\Windows\system32\slmgr.vbs -ilc files\Certificate.xrm-ms
[0x00000d14]ImagePath = C:\Windows\System32\cscript.exe, CmdLine = cscript C:\Windows\system32\slmgr.vbs -ipk YKHFT-KW986-GK4PY-FDWYH-7TP9F
[0x00000d80]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = C:\Windows\system32\cmd.exe /c Shutdown.exe /r /t 0
Behavior description: Create process from newly created file
Details: [0x000009c8]ImagePath = C:\Users\ADMINI~1\AppData\Local\Temp\win7\files\showdrive.exe, CmdLine = files\showdrive.exe
[0x00000210]ImagePath = C:\Users\ADMINI~1\AppData\Local\Temp\win7\files\bootinst.exe, CmdLine = files\bootinst /nt60 E:
[0x00000ed4]ImagePath = C:\Users\ADMINI~1\AppData\Local\Temp\win7\files\showdrive.exe, CmdLine = files\showdrive.exe
[0x000004dc]ImagePath = C:\Users\ADMINI~1\AppData\Local\Temp\win7\files\bootinst.exe, CmdLine = files\bootinst /nt60 E:
[0x00000cac]ImagePath = C:\Users\ADMINI~1\AppData\Local\Temp\win7\files\showdrive.exe, CmdLine = files\showdrive.exe
[0x00000f34]ImagePath = C:\Users\ADMINI~1\AppData\Local\Temp\win7\files\bootinst.exe, CmdLine = files\bootinst /nt60 E:
File behavior
Behavior description: Create file
Details: C:\Users\Administrator\AppData\Local\Temp\win7\files\bootinst.exe
C:\Users\Administrator\AppData\Local\Temp\win7\files\bootrest.exe
C:\Users\Administrator\AppData\Local\Temp\win7\files\Certificate.xrm-ms
C:\Users\Administrator\AppData\Local\Temp\win7\files\showdrive.exe
C:\Users\Administrator\AppData\Local\Temp\win7\files\w7ldr
C:\Users\Administrator\AppData\Local\Temp\win7\msg.vbs
C:\Users\Administrator\AppData\Local\Temp\win7\Win7.cmd
C:\Users\Administrator\AppData\Local\Temp\win7\sysname
\\?\Volume{21405764-cb87-11e4-8598-806e6f6e6963}\w7ldr
Behavior description: Create executable file
Details: C:\Users\Administrator\AppData\Local\Temp\win7\files\bootinst.exe
C:\Users\Administrator\AppData\Local\Temp\win7\files\bootrest.exe
C:\Users\Administrator\AppData\Local\Temp\win7\files\showdrive.exe
Behavior description: Modify script file
Details: C:\Users\Administrator\AppData\Local\Temp\win7\msg.vbs ---> Offset = 0
Behavior description: Overwrite existing file
Details: C:\Users\Administrator\AppData\Local\Temp\win7\files\bootinst.exe
C:\Users\Administrator\AppData\Local\Temp\win7\files\bootrest.exe
C:\Users\Administrator\AppData\Local\Temp\win7\files\Certificate.xrm-ms
C:\Users\Administrator\AppData\Local\Temp\win7\files\showdrive.exe
C:\Users\Administrator\AppData\Local\Temp\win7\files\w7ldr
C:\Users\Administrator\AppData\Local\Temp\win7\msg.vbs
C:\Users\Administrator\AppData\Local\Temp\win7\Win7.cmd
\\?\Volume{21405764-cb87-11e4-8598-806e6f6e6963}\w7ldr
Behavior description: Copy file
Details: files\w7ldr ---> E:\w7ldr
Behavior description: Delete file
Details: C:\Users\Administrator\AppData\Local\Temp\win7\sysname
Behavior description: Find file
Details: FileName = C:\Users
FileName = C:\Users\ADMINI~1
FileName = C:\Users\ADMINI~1\AppData
FileName = C:\Users\ADMINI~1\AppData\Local
FileName = C:\Users\ADMINI~1\AppData\Local\Temp
FileName = C:\Users\ADMINI~1\AppData\Local\Temp\win7
FileName = C:\Users\ADMINI~1\AppData\Local\Temp\win7\win7.cmd
FileName = C:\Users\ADMINI~1\AppData\Local\Temp\win7\*.*
FileName = C:\Users\ADMINI~1\AppData\Local\Temp\win7\Win7.cmd
FileName = C:\Users\ADMINI~1\AppData\Local\Temp\win7\files\showdrive.exe
FileName = C:\Users\ADMINI~1\AppData\Local\Temp\win7\files
FileName = C:\Users\ADMINI~1\AppData\Local\Temp\win7\files\*.*
FileName = C:\Windows\system32\slmgr.vbs
FileName = C:\Users\ADMINI~1\AppData\Local\Temp\win7\files\bootinst.exe
FileName = C:\Users\ADMINI~1\AppData\Local\Temp\win7\files\bootrest.exe
Behavior description: Modify file contents
Details: C:\Users\Administrator\AppData\Local\Temp\win7\files\bootinst.exe ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\win7\files\bootinst.exe ---> Offset = 16384
C:\Users\Administrator\AppData\Local\Temp\win7\files\bootinst.exe ---> Offset = 32768
C:\Users\Administrator\AppData\Local\Temp\win7\files\bootinst.exe ---> Offset = 49152
C:\Users\Administrator\AppData\Local\Temp\win7\files\bootinst.exe ---> Offset = 65536
C:\Users\Administrator\AppData\Local\Temp\win7\files\bootrest.exe ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\win7\files\bootrest.exe ---> Offset = 16384
C:\Users\Administrator\AppData\Local\Temp\win7\files\bootrest.exe ---> Offset = 32768
C:\Users\Administrator\AppData\Local\Temp\win7\files\bootrest.exe ---> Offset = 49152
C:\Users\Administrator\AppData\Local\Temp\win7\files\bootrest.exe ---> Offset = 65536
C:\Users\Administrator\AppData\Local\Temp\win7\files\Certificate.xrm-ms ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\win7\files\showdrive.exe ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\win7\files\showdrive.exe ---> Offset = 16384
C:\Users\Administrator\AppData\Local\Temp\win7\files\w7ldr ---> Offset = 0
C:\Users\Administrator\AppData\Local\Temp\win7\files\w7ldr ---> Offset = 16384
Network behavior
Behavior description: Establish connection to a specified socket
Details: URL: t.****om, IP: **.133.40.**:80, SOCKET = 0x00000210
Behavior description: Send HTTP packet
Details: GET /api/soft/jihuo/windows/update/?ver=1111 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Host:t.baiseyun.com Connection:Close
GET /api/soft/jihuo/windows/?mac=NULL&os=5&x64=0&pid=1111&flag=open&ver=1.0 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Host:t.baiseyun.com Connection:Close
GET /api/soft/jihuo/windows/?mac=NULL&os=5&x64=0&pid=1111&flag=click&ver=1.0 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Host:t.baiseyun.com Connection:Close
GET /api/soft/jihuo/windows/?mac=NULL&os=5&x64=0&pid=1111&flag=active&ver=1.0 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Host:t.baiseyun.com Connection:Close
Behavior description: Get host address by name
Details: gethostbyname: t.****om
Other behavior
Behavior description: Check whether it is being debugged
Details: IsDebuggerPresent
Behavior description: Open mutex
Details: Local\MSCTF.Asm.MutexDefault1
Behavior description: Window information
Details: Pid = 2788, Hwnd=0xa0198, Text = 32位 专业版, ClassName = Static.
Pid = 2788, Hwnd=0xa023e, Text = Windows 7, ClassName = Static.
Pid = 2788, Hwnd=0x10022e, Text = 本工具支持Win7,Win8,Win10全系列, ClassName = Static.
Pid = 2788, Hwnd=0x901e2, Text = 已激活, ClassName = Static.
Pid = 2788, Hwnd=0xa0282, Text = 取消, ClassName = Button.
Pid = 2788, Hwnd=0xe0254, Text = 激活, ClassName = Button.
Pid = 2788, Hwnd=0x1201e8, Text = 好系统激活工具-Windows, ClassName = #32770.
Pid = 2788, Hwnd=0x10022e, Text = 正在激活,请勿进行其他操作!, ClassName = Static.
Pid = 2788, Hwnd=0x14028c, Text = 是(&Y), ClassName = Button.
Pid = 2788, Hwnd=0xc02ca, Text = 否(&N), ClassName = Button.
Pid = 2788, Hwnd=0x800ce, Text = 激活成功,是否立即重启?, ClassName = Static.
Pid = 2788, Hwnd=0xf020c, Text = 成功, ClassName = #32770.
Pid = 2788, Hwnd=0x1a028c, Text = 是(&Y), ClassName = Button.
Pid = 2788, Hwnd=0x14020c, Text = 否(&N), ClassName = Button.
Pid = 2788, Hwnd=0x1300ce, Text = 激活成功,是否立即重启?, ClassName = Static.
Behavior description: Adjust process token privileges
Details: SE_SHUTDOWN_PRIVILEGE
SE_REMOTE_SHUTDOWN_PRIVILEGE
Behavior description: Open event
Details: HookSwitchHookEnabledEvent
Behavior description: Direct physical device access
Details: \??\PhysicalDrive0
Behavior description: Executable signature information
Details: C:\Users\Administrator\AppData\Local\Temp\win7\files\bootinst.exe (signature verification: failed)
C:\Users\Administrator\AppData\Local\Temp\win7\files\bootrest.exe (signature verification: failed)
C:\Users\Administrator\AppData\Local\Temp\win7\files\showdrive.exe (signature verification: failed)
Behavior description: Call Sleep function
Details: [1]: MilliSeconds = 60000.
Behavior description: Executable file MD5
Details: C:\Users\Administrator\AppData\Local\Temp\win7\files\bootinst.exe ---> a841800dbc71eb00bf7b841738c48b92
C:\Users\Administrator\AppData\Local\Temp\win7\files\bootrest.exe ---> e1921dea226b244f83ac5f59681d48a2
C:\Users\Administrator\AppData\Local\Temp\win7\files\showdrive.exe ---> 23bee4b5b4d117c63d8650080c690d2e
Behavior description: Load newly dropped file
Details: Image: C:\Users\ADMINI~1\AppData\Local\Temp\win7\files\showdrive.exe.
Image: C:\Users\ADMINI~1\AppData\Local\Temp\win7\files\bootinst.exe.