Detection ratio: 5 / 55 记录键盘输入、监视剪贴版变更、截取屏幕

墨家小子

SHA256:        d335dc8abd8d4eb9a0d4e21e750f81e908a7d8afbc12ffcb6c0c08fad20ec772
File name:        shipping-documents pdf.exe
Detection ratio:        5 / 55
Analysis date:        2015-12-05 12:12:03 UTC ( 0 minutes ago )
https://www.virustotal.com/en/fi ... nalysis/1449317523/

挥泪斩情思

KIS UDS拦截

每顿需吃三大碗

ESET9解压杀

Renascence

扫描、双击均过诺顿，沙盘内运行重复出现同一个程序，不知道是不是运行环境问题。

aboringman

AVG：

扫描：miss；

双击：带监控双击，在衍生物kb.exe出现后，监控报毒，居然还回滚了（本体及其恶意行为）；关闭监控后双击，IDP则秒杀（可能已被缓存）。【以上均为无沙环境】


带监控双击：

"";"Trojan horse MSIL9.TJJ, c:\ProgramData\kb.exe";"Healed, Moved to Virus Vault";"File or Directory";"2015/12/5, 20:48:18"
"";", C:\Users\Killer\AppData\Roaming\Microsoft\Blend\14.0\FeedCache\ScriptedSandbox.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Users\Killer\AppData\Roaming\Microsoft\Blend\14.0\FeedCache\ScriptedSandbox.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Users\Killer\AppData\Roaming\Microsoft\Blend\14.0\FeedCache\ScriptedSandbox.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Users\Killer\AppData\Roaming\Microsoft\Blend\14.0\FeedCache\xpsrchw.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Users\Killer\Desktop\shipping-documents pdf.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\cmd.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Users\Killer\AppData\Roaming\Microsoft\Blend\14.0\FeedCache\xpsrchw.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Users\Killer\Desktop\shipping-documents pdf.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\reg.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Users\Killer\Desktop\shipping-documents pdf.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Users\Killer\Desktop\shipping-documents pdf.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\cmd.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\cmd.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\cmd.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\cmd.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\cmd.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\cmd.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\cmd.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\cmd.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\cmd.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\cmd.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\cmd.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\cmd.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\cmd.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\cmd.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\cmd.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\cmd.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\reg.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\reg.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\reg.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\reg.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\reg.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\reg.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\reg.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\reg.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\reg.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\reg.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\reg.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\reg.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\reg.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\reg.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\reg.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Windows\System32\reg.exe";"Object was blocked";"Process";"2015/12/5, 20:48:18"
"";", C:\Users\Killer\Desktop\shipping-documents pdf.exe";"Deleted, Moved to Virus Vault";"File or Directory";"2015/12/5, 20:48:18"
"";", C:\Users\Killer\AppData\Roaming\Microsoft\Blend\14.0\FeedCache\xpsrchw.exe";"Deleted, Moved to Virus Vault";"File or Directory";"2015/12/5, 20:48:18"
"";", HKEY_USERS\S-1-5-21-1910074467-3606790842-1030588025-1001\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\\LOAD";"Deleted, Moved to Virus Vault";"Registry value";"2015/12/5, 20:48:18"
"";", C:\Users\Killer\AppData\Roaming\Microsoft\Blend\14.0\FeedCache\ScriptedSandbox.exe";"Deleted, Moved to Virus Vault";"File or Directory";"2015/12/5, 20:48:18"

不带监控双击：

"";"Unknown, C:\Users\Killer\Desktop\新建文件夹\shipping-documents pdf.exe";"Deleted, Moved to Virus Vault";"File or Directory";"2015/12/5, 21:10:36"
"";", C:\Users\Killer\Desktop\新建文件夹\shipping-documents pdf.exe";"Object was blocked";"Process";"2015/12/5, 21:10:36"

XywCloud

SUD to BAV

追影子的十三

解压后红伞杀

nick20010117

aboringman 发表于 2015-12-5 21:18
AVG：

扫描：miss；

好像监控的回滚是最近添加的吧

aboringman

nick20010117 发表于 2015-12-5 22:01
好像监控的回滚是最近添加的吧

不知道，不过超赞连监控都有回滚了，好玩

nick20010117

@aboringman