VirSCAN

1. You can UPLOAD any file, but there is a 20 MB limit per file.
2. VirSCAN supports Rar/Zip decompression, but the archive must contain fewer than 20 files.
3. VirSCAN can scan archives protected with the password 'infected' or 'virus'.
4. If your browser cannot upload the file, download virscan uploader to upload it.

File information

Virscan.org multi-engine scan report
Behavior analysis report: Habo file analysis

Basic information

MD5: 8ec7aab8f0b19113a1d2116505f1001e
File size: 5.58 MB
Upload time: 2014-09-22 10:36:30 (CST)
Package name:
Minimum operating environment:
Copyright:

Key behavior

Behavior: Cross-process memory write
Details: TargetProcess = C:\WINDOWS\system32\svchost.exe, WriteAddress = 0x00090000, Size = 0x0002d000 TargetPID = 0x00000c40
TargetProcess = C:\WINDOWS\system32\svchost.exe, WriteAddress = 0x000c0000, Size = 0x00000104 TargetPID = 0x00000c40
TargetProcess = C:\WINDOWS\system32\calc.exe, WriteAddress = 0x000a0000, Size = 0x00000d4c TargetPID = 0x00000c4c
TargetProcess = C:\WINDOWS\system32\calc.exe, WriteAddress = 0x000a0d4c, Size = 0x00000540 TargetPID = 0x00000c4c
TargetProcess = C:\WINDOWS\system32\mspaint.exe, WriteAddress = 0x000a0000, Size = 0x0002d000 TargetPID = 0x00000cec
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\CkrhNhK.exe, WriteAddress = 0x00400000, Size = 0x00000400 TargetPID = 0x00000d10
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\CkrhNhK.exe, WriteAddress = 0x00411000, Size = 0x00003800 TargetPID = 0x00000d10
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\CkrhNhK.exe, WriteAddress = 0x00415000, Size = 0x00001e00 TargetPID = 0x00000d10
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\CkrhNhK.exe, WriteAddress = 0x0044c000, Size = 0x00001e00 TargetPID = 0x00000d10
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\CkrhNhK.exe, WriteAddress = 0x7ffd9008, Size = 0x00000004 TargetPID = 0x00000d10
TargetProcess = C:\WINDOWS\system32\smss.exe, WriteAddress = 0x00310000, Size = 0x00000310 TargetPID = 0x00000208
TargetProcess = C:\WINDOWS\system32\smss.exe, WriteAddress = 0x00320000, Size = 0x0004e000 TargetPID = 0x00000208
TargetProcess = C:\WINDOWS\system32\csrss.exe, WriteAddress = 0x03fe0000, Size = 0x00000310 TargetPID = 0x00000248
TargetProcess = C:\WINDOWS\system32\csrss.exe, WriteAddress = 0x04000000, Size = 0x0004e000 TargetPID = 0x00000248
TargetProcess = C:\WINDOWS\system32\winlogon.exe, WriteAddress = 0x00e30000, Size = 0x00000310 TargetPID = 0x00000260
Behavior: Create remote thread
Details: TargetProcess: svchost.exe, InheritedFromPID = 2616, ProcessID = 3136, ThreadID = 3144, StartAddress = 00097BE0, Parameter = 000C0000
TargetProcess: calc.exe, InheritedFromPID = 2616, ProcessID = 3148, ThreadID = 3156, StartAddress = 000A0E8C, Parameter = 000A0000
TargetProcess: mspaint.exe, InheritedFromPID = 3136, ProcessID = 3308, ThreadID = 3316, StartAddress = 000ABFE0, Parameter = 00000000
TargetProcess: smss.exe, InheritedFromPID = 4, ProcessID = 520, ThreadID = 3360, StartAddress = 00325C50, Parameter = 00310000
TargetProcess: csrss.exe, InheritedFromPID = 520, ProcessID = 584, ThreadID = 3364, StartAddress = 04005C50, Parameter = 03FE0000
TargetProcess: winlogon.exe, InheritedFromPID = 520, ProcessID = 608, ThreadID = 3368, StartAddress = 01415C50, Parameter = 00E30000
TargetProcess: services.exe, InheritedFromPID = 608, ProcessID = 652, ThreadID = 3372, StartAddress = 00BB5C50, Parameter = 00750000
TargetProcess: svchost.exe, InheritedFromPID = 652, ProcessID = 872, ThreadID = 3376, StartAddress = 025C5C50, Parameter = 00D30000
TargetProcess: svchost.exe, InheritedFromPID = 652, ProcessID = 936, ThreadID = 3380, StartAddress = 00E75C50, Parameter = 00E60000
TargetProcess: svchost.exe, InheritedFromPID = 652, ProcessID = 976, ThreadID = 3384, StartAddress = 05B05C50, Parameter = 05AF0000
TargetProcess: svchost.exe, InheritedFromPID = 652, ProcessID = 1060, ThreadID = 3388, StartAddress = 007B5C50, Parameter = 007A0000
TargetProcess: svchost.exe, InheritedFromPID = 652, ProcessID = 1092, ThreadID = 3392, StartAddress = 01135C50, Parameter = 01120000
TargetProcess: spoolsv.exe, InheritedFromPID = 652, ProcessID = 1180, ThreadID = 3400, StartAddress = 015B5C50, Parameter = 00FA0000
TargetProcess: jqs.exe, InheritedFromPID = 652, ProcessID = 1304, ThreadID = 3404, StartAddress = 013B5C50, Parameter = 013A0000
TargetProcess: alg.exe, InheritedFromPID = 652, ProcessID = 1624, ThreadID = 3408, StartAddress = 00D85C50, Parameter = 00C90000
Behavior: Set thread context (SetThreadContext)
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\CkrhNhK.exe
Behavior: Read tick count (GetTickCount before and after Sleep)
Details: TickCount = 247492, SleepMilliseconds = 3492.
TickCount = 252570, SleepMilliseconds = 3492.
Behavior: Cross-process write into code section
Details: TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\CkrhNhK.exe, WriteAddress = 0x00401000, Size = 0x00010000 TargetPID = 0x00000d10
Behavior: Look up PE resource
Details: (FindResourceA) hModule = 0x00000000, ResName: 1, ResType:
Behavior: Virtual machine detection via file lookup
Details: FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序\Oracle VM VirtualBox Guest Additions\*.*
Behavior: Set special folder attributes
Details: C:\DiskX
Behavior: Modify registry: autorun entry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer Manager

Process behavior

Behavior: Create process with hidden window
Details: ImagePath = C:\WINDOWS\system32\calc.exe, CmdLine =
Behavior: Create process
Details: [0x00000c40]ImagePath = C:\WINDOWS\system32\svchost.exe, CmdLine = "C:\WINDOWS\system32\svchost.exe"
[0x00000c4c]ImagePath = C:\WINDOWS\system32\calc.exe, CmdLine = "C:\WINDOWS\system32\calc.exe"
[0x00000cec]ImagePath = C:\WINDOWS\system32\mspaint.exe, CmdLine = "C:\WINDOWS\system32\mspaint.exe"
[0x00000d10]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\CkrhNhK.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\CkrhNhK.exe"
Behavior: Create local thread
Details: TargetProcess: CkrhNhK.exe, InheritedFromPID = 2000, ProcessID = 2616, ThreadID = 2664, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: CkrhNhK.exe, InheritedFromPID = 2000, ProcessID = 2616, ThreadID = 3128, StartAddress = 00405080, Parameter = 00000000
TargetProcess: CkrhNhK.exe, InheritedFromPID = 2000, ProcessID = 2616, ThreadID = 3132, StartAddress = 004071D0, Parameter = 00000000
TargetProcess: svchost.exe, InheritedFromPID = 2616, ProcessID = 3136, ThreadID = 3200, StartAddress = 000979C0, Parameter = 000C0000
TargetProcess: calc.exe, InheritedFromPID = 2616, ProcessID = 3148, ThreadID = 3212, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: svchost.exe, InheritedFromPID = 2616, ProcessID = 3136, ThreadID = 3216, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: svchost.exe, InheritedFromPID = 2616, ProcessID = 3136, ThreadID = 3220, StartAddress = 00097AE0, Parameter = 00000000
TargetProcess: svchost.exe, InheritedFromPID = 2616, ProcessID = 3136, ThreadID = 3224, StartAddress = 00095EC0, Parameter = 001CFF8C
TargetProcess: svchost.exe, InheritedFromPID = 2616, ProcessID = 3136, ThreadID = 3228, StartAddress = 000987C0, Parameter = 000A2828
TargetProcess: svchost.exe, InheritedFromPID = 2616, ProcessID = 3136, ThreadID = 3232, StartAddress = 000987C0, Parameter = 000A2620
TargetProcess: svchost.exe, InheritedFromPID = 2616, ProcessID = 3136, ThreadID = 3236, StartAddress = 000987C0, Parameter = 000A240C
TargetProcess: svchost.exe, InheritedFromPID = 2616, ProcessID = 3136, ThreadID = 3240, StartAddress = 000987C0, Parameter = 000A2C40
TargetProcess: svchost.exe, InheritedFromPID = 2616, ProcessID = 3136, ThreadID = 3264, StartAddress = 00098420, Parameter = 000A2308
TargetProcess: svchost.exe, InheritedFromPID = 2616, ProcessID = 3136, ThreadID = 3268, StartAddress = 00098420, Parameter = 000A20B0
TargetProcess: svchost.exe, InheritedFromPID = 2616, ProcessID = 3136, ThreadID = 3276, StartAddress = 00095720, Parameter = 00000000
Behavior: Cross-process memory write
Details: TargetProcess = C:\WINDOWS\system32\svchost.exe, WriteAddress = 0x00090000, Size = 0x0002d000 TargetPID = 0x00000c40
TargetProcess = C:\WINDOWS\system32\svchost.exe, WriteAddress = 0x000c0000, Size = 0x00000104 TargetPID = 0x00000c40
TargetProcess = C:\WINDOWS\system32\calc.exe, WriteAddress = 0x000a0000, Size = 0x00000d4c TargetPID = 0x00000c4c
TargetProcess = C:\WINDOWS\system32\calc.exe, WriteAddress = 0x000a0d4c, Size = 0x00000540 TargetPID = 0x00000c4c
TargetProcess = C:\WINDOWS\system32\mspaint.exe, WriteAddress = 0x000a0000, Size = 0x0002d000 TargetPID = 0x00000cec
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\CkrhNhK.exe, WriteAddress = 0x00400000, Size = 0x00000400 TargetPID = 0x00000d10
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\CkrhNhK.exe, WriteAddress = 0x00411000, Size = 0x00003800 TargetPID = 0x00000d10
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\CkrhNhK.exe, WriteAddress = 0x00415000, Size = 0x00001e00 TargetPID = 0x00000d10
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\CkrhNhK.exe, WriteAddress = 0x0044c000, Size = 0x00001e00 TargetPID = 0x00000d10
TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\CkrhNhK.exe, WriteAddress = 0x7ffd9008, Size = 0x00000004 TargetPID = 0x00000d10
TargetProcess = C:\WINDOWS\system32\smss.exe, WriteAddress = 0x00310000, Size = 0x00000310 TargetPID = 0x00000208
TargetProcess = C:\WINDOWS\system32\smss.exe, WriteAddress = 0x00320000, Size = 0x0004e000 TargetPID = 0x00000208
TargetProcess = C:\WINDOWS\system32\csrss.exe, WriteAddress = 0x03fe0000, Size = 0x00000310 TargetPID = 0x00000248
TargetProcess = C:\WINDOWS\system32\csrss.exe, WriteAddress = 0x04000000, Size = 0x0004e000 TargetPID = 0x00000248
TargetProcess = C:\WINDOWS\system32\winlogon.exe, WriteAddress = 0x00e30000, Size = 0x00000310 TargetPID = 0x00000260
Behavior: Create remote thread
Details: TargetProcess: svchost.exe, InheritedFromPID = 2616, ProcessID = 3136, ThreadID = 3144, StartAddress = 00097BE0, Parameter = 000C0000
TargetProcess: calc.exe, InheritedFromPID = 2616, ProcessID = 3148, ThreadID = 3156, StartAddress = 000A0E8C, Parameter = 000A0000
TargetProcess: mspaint.exe, InheritedFromPID = 3136, ProcessID = 3308, ThreadID = 3316, StartAddress = 000ABFE0, Parameter = 00000000
TargetProcess: smss.exe, InheritedFromPID = 4, ProcessID = 520, ThreadID = 3360, StartAddress = 00325C50, Parameter = 00310000
TargetProcess: csrss.exe, InheritedFromPID = 520, ProcessID = 584, ThreadID = 3364, StartAddress = 04005C50, Parameter = 03FE0000
TargetProcess: winlogon.exe, InheritedFromPID = 520, ProcessID = 608, ThreadID = 3368, StartAddress = 01415C50, Parameter = 00E30000
TargetProcess: services.exe, InheritedFromPID = 608, ProcessID = 652, ThreadID = 3372, StartAddress = 00BB5C50, Parameter = 00750000
TargetProcess: svchost.exe, InheritedFromPID = 652, ProcessID = 872, ThreadID = 3376, StartAddress = 025C5C50, Parameter = 00D30000
TargetProcess: svchost.exe, InheritedFromPID = 652, ProcessID = 936, ThreadID = 3380, StartAddress = 00E75C50, Parameter = 00E60000
TargetProcess: svchost.exe, InheritedFromPID = 652, ProcessID = 976, ThreadID = 3384, StartAddress = 05B05C50, Parameter = 05AF0000
TargetProcess: svchost.exe, InheritedFromPID = 652, ProcessID = 1060, ThreadID = 3388, StartAddress = 007B5C50, Parameter = 007A0000
TargetProcess: svchost.exe, InheritedFromPID = 652, ProcessID = 1092, ThreadID = 3392, StartAddress = 01135C50, Parameter = 01120000
TargetProcess: spoolsv.exe, InheritedFromPID = 652, ProcessID = 1180, ThreadID = 3400, StartAddress = 015B5C50, Parameter = 00FA0000
TargetProcess: jqs.exe, InheritedFromPID = 652, ProcessID = 1304, ThreadID = 3404, StartAddress = 013B5C50, Parameter = 013A0000
TargetProcess: alg.exe, InheritedFromPID = 652, ProcessID = 1624, ThreadID = 3408, StartAddress = 00D85C50, Parameter = 00C90000
Behavior: Set thread context (SetThreadContext)
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\CkrhNhK.exe
Behavior: Enumerate processes
Details: N/A
Behavior: Cross-process write into code section
Details: TargetProcess = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\CkrhNhK.exe, WriteAddress = 0x00401000, Size = 0x00010000 TargetPID = 0x00000d10

File behavior

Behavior: Create file
Details: C:\Documents and Settings\Administrator\Application Data\c731200
C:\Documents and Settings\Administrator\Application Data\Update\Explorer.exe
C:\DiskX\c731200
C:\DiskX\..lnk
C:\DiskX\...lnk
Behavior: Create executable file
Details: C:\Documents and Settings\Administrator\Application Data\c731200
C:\Documents and Settings\Administrator\Application Data\Update\Explorer.exe
Behavior: Overwrite existing file
Details: C:\Documents and Settings\Administrator\Application Data\c731200
Behavior: Copy file
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\CkrhNhK.exe ---> C:\Documents and Settings\Administrator\Application Data\Update\Explorer.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\CkrhNhK.exe ---> C:\Documents and Settings\Administrator\Application Data\c731200
C:\Documents and Settings\Administrator\Application Data\Update\Explorer.exe ---> C:\Documents and Settings\Administrator\Application Data\c731200
Behavior: Delete file
Details: C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\desktop.ini
C:\DiskX\c731200
C:\WINDOWS\system32\CatRoot2\tmp.edb
C:\WINDOWS\system32\CatRoot2\edb.log
C:\WINDOWS\system32\CatRoot2\edb00003.log
C:\WINDOWS\system32\CatRoot2\edb00004.log
C:\WINDOWS\system32\CatRoot2\edb00005.log
C:\WINDOWS\system32\CatRoot2\edb00006.log
C:\WINDOWS\system32\CatRoot2\edb00007.log
C:\WINDOWS\system32\CatRoot2\edb00008.log
C:\WINDOWS\system32\CatRoot2\edb00009.log
C:\WINDOWS\system32\CatRoot2\edb0000A.log
C:\WINDOWS\system32\CatRoot2\edb0000B.log
Behavior: Find file
Details: FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\svchost.exe
FileName = C:\WINDOWS\system32\calc.exe
FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\*.*
FileName = C:\\Documents and Settings\All users\Start Menu\Programs\Startup\*.*
FileName = X:\*
FileName = C:\WINDOWS\system32\mspaint.exe
FileName = C:\Documents and Settings\Administrator\Application Data\*.*
FileName = *.exe
FileName = *.gonewiththewings
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\All Users
FileName = C:\Documents and Settings\Administrator\桌面
FileName = C:\Documents and Settings\Administrator
Behavior: Rename file
Details: C:\RECYCLER ---> C:\utdivedxy
Behavior: Set special folder attributes
Details: C:\DiskX
Behavior: Modify file contents
Details: C:\Documents and Settings\Administrator\Application Data\c731200 ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\c731200 ---> Offset = 65536
C:\Documents and Settings\Administrator\Application Data\c731200 ---> Offset = 131072
C:\Documents and Settings\Administrator\Application Data\c731200 ---> Offset = 196608
C:\Documents and Settings\Administrator\Application Data\Update\Explorer.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\Update\Explorer.exe ---> Offset = 65536
C:\Documents and Settings\Administrator\Application Data\Update\Explorer.exe ---> Offset = 131072
C:\Documents and Settings\Administrator\Application Data\Update\Explorer.exe ---> Offset = 196608
C:\DiskX\..lnk ---> Offset = 0
C:\DiskX\...lnk ---> Offset = 0
C:\WINDOWS\system32\CatRoot2\dberr.txt ---> Offset = 5382

Registry behavior

Behavior: Modify registry
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-*\RefCount
Behavior: Delete registry key: remove autorun entries
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\RunOnce\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Behavior: Modify registry: autorun entry
Details: \REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer Manager

Other behavior

Behavior: Create mutex
Details: RasPbFile
__PDH_PLA_MUTEX__
oleacc-msaa-loaded
SSLOADasdasc000900
SHIMLIB_LOG_MUTEX
c731200
SVCHOST_MUTEX_OBJECT_RELEASED_c000900
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
-65b46629Mutex
Behavior: Create event object
Details: EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = Global\crypt32LogoffEvent
EventName = MSCTF.SendReceive.Event.EL.IC
EventName = MSCTF.SendReceiveConection.Event.EL.IC
Behavior: Find window
Details: NtUserFindWindowEx: [Class,Window] = [Acrobat Viewer,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behavior: Open event
Details: HookSwitchHookEnabledEvent
Global\crypt32LogoffEvent
MSFT.VSA.COM.DISABLE.3136
MSFT.VSA.IEC.STATUS.6c736db0
_fCanRegisterWithShellService
Global\SvcctrlStartEvent_A3752DX
MSCTF.SendReceiveConection.Event.EL.IC
MSCTF.SendReceive.Event.EL.IC
Behavior: Read tick count (GetTickCount before and after Sleep)
Details: TickCount = 247492, SleepMilliseconds = 3492.
TickCount = 252570, SleepMilliseconds = 3492.
Behavior: Adjust process token privileges
Details: SE_LOAD_DRIVER_PRIVILEGE
SE_DEBUG_PRIVILEGE
Behavior: Enumerate windows
Details: N/A
Behavior: Look up PE resource
Details: (FindResourceA) hModule = 0x00000000, ResName: 1, ResType:
Behavior: Call Sleep
Details: [1]: MilliSeconds = 3492.
Behavior: Hide window
Details: [Window,Class] = [,Auto-Suggest Dropdown]
Behavior: MD5 of dropped executables
Details: C:\Documents and Settings\Administrator\Application Data\c731200 ---> 3369968ebaab1a6c1d0f8fd02476590d
C:\Documents and Settings\Administrator\Application Data\Update\Explorer.exe ---> 3369968ebaab1a6c1d0f8fd02476590d
Behavior: Open mutex
Details: RasPbFile
ShimCacheMutex
FvLQ49I嵗zLjj6m
Behavior: Virtual machine detection via file lookup
Details: FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序\Oracle VM VirtualBox Guest Additions\*.*