Views: 10988 | Replies: 39

[Virus sample] Caught live 5 minutes ago: ransomware (not Cerber)

windows7爱好者
Posted 2017-1-12 20:33:14
Last edited by windows7爱好者 on 2017-1-12 20:42


Thanks to 墨家 for giving me the malicious (drive-by) URL.
@墨家小子


Rating: 翼风Fly, popularity +1 (reason: mission complete~)

诸葛亮
Posted 2017-1-12 20:36:06

引领五基生活
Posted 2017-1-12 20:40:40
费尔 (Filseclab) kills it on double-click.
haol
Posted 2017-1-12 20:54:01
Last edited by haol on 2017-1-12 20:57

Avira found HEUR/APC(Cloud)
a445441
Posted 2017-1-12 20:54:45
微点 (Micropoint) blocks it.
青衣染雪
Posted 2017-1-12 21:06:28
火绒 (Huorong) scan kills it.
fs kills it on double-click.

fireherman
Posted 2017-1-12 22:19:26
ESET kill
彩虹丶//
Posted 2017-1-12 22:30:34
Last edited by 彩虹丶// on 2017-1-12 22:31

rad0355D.tmp\rad0355D.tmp.exe
Result:     Threat detected: UDS:DangerousObject.Multi.Generic
Reason:     KSN service
学雷锋做人
Posted 2017-1-12 23:25:35
Pretty much everything flags it, I'd say.

Ran the behaviour:

[mw_shl_code=css,true]
23:21:09:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:09:Create/open file: C:\WINDOWS\WindowsShell.Manifest
23:21:09:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:09:Create/open file: \\.\WMIDataDevice
23:21:12:(manually allowed) Create/open file: \\.\Ip
23:21:20:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:20:Delete file: C:\Documents and Settings\Administrator\桌面\样本测试\File_safe\rad0355D.tmp.exe:Zone.Identifier
23:21:20:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:20:Delete file: C:\Documents and Settings\Administrator\桌面\样本测试\File_safe\rad0355D.tmp.exe:Zone.Identifier
23:21:20:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:20:(auto-allowed) Create/open file: C:\Documents and Settings\Administrator\桌面\样本测试\File_safe\rad0355D.tmp.exe
23:21:21:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:21:Delete file: C:\Documents and Settings\All Users\Application Data\Spy Security SoftWare_c6f26321_ec5fc44b.exe:Zone.Identifier
23:21:21:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:21:Delete file: C:\Documents and Settings\All Users\Application Data\Spy Security SoftWare_c6f26321_ec5fc44b.exe:Zone.Identifier
23:21:21:Set file attributes: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
23:21:21:Set file attributes: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
23:21:21:Set file attributes: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\desktop.ini
23:21:21:Set file attributes: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
23:21:21:Set file attributes: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
23:21:21:Set file attributes: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
23:21:21:Set file attributes: C:\Documents and Settings\Administrator\Cookies
23:21:21:Set file attributes: C:\Documents and Settings\Administrator\Local Settings\History
23:21:21:Set file attributes: C:\Documents and Settings\Administrator\Local Settings\History
23:21:21:Set file attributes: C:\Documents and Settings\Administrator\Local Settings\History\desktop.ini
23:21:21:Set file attributes: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
23:21:21:Set file attributes: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
23:21:21:Set file attributes: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\desktop.ini
23:21:21:Set file attributes: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\
23:21:21:(auto-allowed) Access process: 1980 (PID)     Rights obtained: 2035711
23:21:24:(manually allowed) Create/open file: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
23:21:24:Set file attributes: C:\Documents and Settings\Administrator\Cookies\
23:21:24:(auto-allowed) Access process: 1980 (PID)     Rights obtained: 2035711
23:21:25:(manually allowed) Create/open file: C:\Documents and Settings\Administrator\Cookies\index.dat
23:21:25:Set file attributes: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\
23:21:25:(auto-allowed) Access process: 1980 (PID)     Rights obtained: 2035711
23:21:26:(manually allowed) Create/open file: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
23:21:26:Set file attributes: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\
23:21:26:Set file attributes: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
23:21:26:Set file attributes: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\
23:21:26:Set file attributes: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\desktop.ini
23:21:26:Open URL resource: http://91.121.244.84/ms_inforima ... Y6STYhjkfjuisskFDSA
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\WINDOWS\system32\rsaenh.dll
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\WINDOWS\system32\rsaenh.dll
23:21:33:Create remote thread: -1 (process handle)
23:21:33:Create registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: \\.\PIPE\ROUTER
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: \\.\PIPE\ROUTER
23:21:33:Create registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: \\.\PIPE\ROUTER
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: \\.\PIPE\lsarpc
23:21:33:Create registry key: 624\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
23:21:33:Create registry key: 624\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
23:21:33:Create registry key: 640\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness
23:21:33:Create remote thread: -1 (process handle)
23:21:33:Create registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: \\.\PIPE\ROUTER
23:21:33:Create registry key: 624\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
23:21:33:Create remote thread: -1 (process handle)
23:21:33:Create registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: \\.\PIPE\ROUTER
23:21:33:Create registry key: 624\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
23:21:33:Create remote thread: -1 (process handle)
23:21:33:Create registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: \\.\PIPE\ROUTER
23:21:33:Create registry key: 624\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
23:21:33:Create remote thread: -1 (process handle)
23:21:33:Create remote thread: -1 (process handle)
23:21:33:Create registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: \\.\PIPE\ROUTER
23:21:33:Create registry key: 624\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: \\?\c:\documents and settings\administrator\ntuser.dat
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: \\?\c:\documents and settings\administrator\ntuser.dat.log
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\Favorites\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\Favorites\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\Favorites\链接\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\Favorites\链接\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\Local Settings\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\Local Settings\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\Local Settings\History\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\Local Settings\History\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: \\?\c:\documents and settings\administrator\local settings\history\history.ie5\index.dat
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: \\?\c:\documents and settings\administrator\local settings\history\history.ie5\mshist012017011220170113\index.dat
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\My Documents\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\My Documents\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\My Documents\My Music\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\My Documents\My Music\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\My Documents\My Pictures\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\My Documents\My Pictures\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\My Documents\My Videos\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\My Documents\My Videos\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\My Documents\Tencent Files\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\My Documents\Tencent Files\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: \\?\c:\documents and settings\administrator\my documents\tencent files\all users\qq\history.db
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: \\?\c:\documents and settings\administrator\my documents\tencent files\all users\qq\perfre.db
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: \\?\c:\documents and settings\administrator\my documents\tencent files\all users\qq\registry.db
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\NetHood\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\NetHood\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\PrintHood\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\PrintHood\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: \\?\c:\documents and settings\administrator\privacie\index.dat
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\PrivacIE\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\PrivacIE\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\Recent\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\Recent\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\SendTo\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\SendTo\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\「开始」菜单\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\「开始」菜单\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\「开始」菜单\程序\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\「开始」菜单\程序\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\「开始」菜单\程序\WinRAR\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\「开始」菜单\程序\WinRAR\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\「开始」菜单\程序\附件\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\「开始」菜单\程序\附件\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\「开始」菜单\程序\附件\娱乐\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\「开始」菜单\程序\附件\娱乐\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\「开始」菜单\程序\附件\系统工具\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\「开始」菜单\程序\附件\系统工具\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\「开始」菜单\程序\附件\辅助工具\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\「开始」菜单\程序\附件\辅助工具\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\桌面\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\桌面\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\桌面\样本测试\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\桌面\样本测试\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\桌面\样本测试\木马测试\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\Administrator\桌面\样本测试\木马测试\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: \\?\c:\documents and settings\administrator\桌面\样本测试\file_safe\a.exe.log
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: \\?\c:\documents and settings\administrator\桌面\样本测试\file_safe\rad0355d.tmp.exe.log
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:(auto-allowed) Create/open file: C:\Documents and Settings\Administrator\桌面\样本测试\File_safe\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:(auto-allowed) Create/open file: C:\Documents and Settings\Administrator\桌面\样本测试\File_safe\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: \\?\c:\documents and settings\all users\ntuser.dat
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: \\?\c:\documents and settings\all users\ntuser.dat.log
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\All Users\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\All Users\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\All Users\Documents\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\All Users\Documents\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\All Users\Documents\My Music\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\All Users\Documents\My Music\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\All Users\Documents\My Pictures\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\All Users\Documents\My Pictures\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\All Users\Documents\My Videos\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\All Users\Documents\My Videos\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\All Users\Documents\Tencent\INSTRUCTION RESTORE FILE.TXT
23:21:33:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:33:Create/open file: C:\Documents and Settings\All Users\Documents\Tencent\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\Documents\Tencent\QQ\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\Documents\Tencent\QQ\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\DRM\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\DRM\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\Favorites\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\Favorites\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\「开始」菜单\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\「开始」菜单\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\「开始」菜单\程序\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\「开始」菜单\程序\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\「开始」菜单\程序\WinRAR\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\「开始」菜单\程序\WinRAR\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\「开始」菜单\程序\启动\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\「开始」菜单\程序\启动\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\「开始」菜单\程序\游戏\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\「开始」菜单\程序\游戏\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\「开始」菜单\程序\管理工具\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\「开始」菜单\程序\管理工具\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\「开始」菜单\程序\迅雷软件\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\「开始」菜单\程序\迅雷软件\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\「开始」菜单\程序\附件\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\「开始」菜单\程序\附件\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\「开始」菜单\程序\附件\娱乐\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\「开始」菜单\程序\附件\娱乐\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\「开始」菜单\程序\附件\系统工具\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\「开始」菜单\程序\附件\系统工具\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\「开始」菜单\程序\附件\辅助工具\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\「开始」菜单\程序\附件\辅助工具\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\「开始」菜单\程序\附件\通讯\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\「开始」菜单\程序\附件\通讯\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\「开始」菜单\程序\爱奇艺视频\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\「开始」菜单\程序\爱奇艺视频\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\「开始」菜单\程序\360安全中心\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\「开始」菜单\程序\360安全中心\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\「开始」菜单\程序\360安全中心\360安全卫士\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\「开始」菜单\程序\360安全中心\360安全卫士\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\桌面\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\All Users\桌面\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: \\?\c:\documents and settings\default user\ntuser.dat
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: \\?\c:\documents and settings\default user\ntuser.dat.log
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\Favorites\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\Favorites\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\Local Settings\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\Local Settings\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\Local Settings\History\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\Local Settings\History\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\My Documents\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\My Documents\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\NetHood\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\NetHood\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\PrintHood\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\PrintHood\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\Recent\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\Recent\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\SendTo\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\SendTo\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\「开始」菜单\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\「开始」菜单\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\「开始」菜单\程序\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\「开始」菜单\程序\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\「开始」菜单\程序\启动\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\「开始」菜单\程序\启动\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\「开始」菜单\程序\附件\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\「开始」菜单\程序\附件\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\「开始」菜单\程序\附件\娱乐\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\「开始」菜单\程序\附件\娱乐\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\「开始」菜单\程序\附件\辅助工具\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\「开始」菜单\程序\附件\辅助工具\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\桌面\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\Default User\桌面\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: \\?\c:\documents and settings\localservice\ntuser.dat
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: \\?\c:\documents and settings\localservice\ntuser.dat.log
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\LocalService\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\LocalService\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\LocalService\Local Settings\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\LocalService\Local Settings\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\LocalService\Local Settings\History\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\LocalService\Local Settings\History\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: \\?\c:\documents and settings\localservice\local settings\history\history.ie5\index.dat
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\LocalService\「开始」菜单\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\LocalService\「开始」菜单\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\LocalService\「开始」菜单\程序\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\LocalService\「开始」菜单\程序\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\LocalService\「开始」菜单\程序\启动\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\LocalService\「开始」菜单\程序\启动\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: \\?\c:\documents and settings\networkservice\ntuser.dat
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: \\?\c:\documents and settings\networkservice\ntuser.dat.log
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\NetworkService\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\NetworkService\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\NetworkService\Local Settings\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\NetworkService\Local Settings\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\NetworkService\Local Settings\History\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Documents and Settings\NetworkService\Local Settings\History\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\RECYCLER\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\RECYCLER\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\RECYCLER\S-1-5-21-1482476501-2049760794-725345543-500\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\RECYCLER\S-1-5-21-1482476501-2049760794-725345543-500\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\FOUND.000\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\FOUND.000\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\FOUND.001\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\FOUND.001\INSTRUCTION RESTORE FILE.TXT
23:21:34:(auto-allowed) Access process: 3636 (PID)     Rights obtained: 2035711
23:21:34:Create/open file: C:\Recycled\INSTRUCTION RESTORE FILE.TXT

23:21:34:(自动允许)访问进程:3636(进程PID)     获取权限:2035711

23:21:34:创建\打开文件:C:\Recycled\INSTRUCTION RESTORE FILE.TXT

23:21:34:(自动允许)访问进程:3636(进程PID)     获取权限:2035711

23:21:34:创建\打开文件:C:\Config.Msi\INSTRUCTION RESTORE FILE.TXT

23:21:34:(自动允许)访问进程:3636(进程PID)     获取权限:2035711

23:21:34:创建\打开文件:C:\Config.Msi\INSTRUCTION RESTORE FILE.TXT

23:21:34:(自动允许)访问进程:3636(进程PID)     获取权限:2035711

23:21:34:创建\打开文件:\\?\c:\360sandbox\360sandbox.sav

23:21:34:(自动允许)访问进程:3636(进程PID)     获取权限:2035711

23:21:34:创建\打开文件:\\?\c:\360sandbox\360sandbox.sav.log

23:21:34:(自动允许)访问进程:3636(进程PID)     获取权限:2035711

23:21:34:创建\打开文件:C:\360SANDBOX\INSTRUCTION RESTORE FILE.TXT

23:21:34:(自动允许)访问进程:3636(进程PID)     获取权限:2035711

23:21:34:创建\打开文件:C:\360SANDBOX\INSTRUCTION RESTORE FILE.TXT

23:21:34:创建远程线程:-1(进程句柄)

23:21:34:创建注册表键:HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing

23:21:34:(自动允许)访问进程:3636(进程PID)     获取权限:2035711

23:21:34:创建\打开文件:\\.\PIPE\ROUTER

23:21:34:创建注册表键:624\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections

23:21:34:创建远程线程:-1(进程句柄)

23:21:34:创建注册表键:HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing

23:21:34:(自动允许)访问进程:3636(进程PID)     获取权限:2035711

23:21:34:创建\打开文件:\\.\PIPE\ROUTER

23:21:34:创建注册表键:624\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections

23:21:34:创建远程线程:-1(进程句柄)

23:21:34:创建注册表键:HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing

23:21:34:(自动允许)访问进程:3636(进程PID)     获取权限:2035711

23:21:34:创建\打开文件:\\.\PIPE\ROUTER

23:21:34:创建注册表键:624\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections

23:21:37:(自动允许)访问进程:3636(进程PID)     获取权限:2035711

23:21:37:(自动允许)访问进程:3636(进程PID)     获取权限:2035711

23:21:37:运行外部程序地址:C:\Documents and Settings\Administrator\My Documents\My Music\INSTRUCTION RESTORE FILE.TXT     命令行:
[/mw_shl_code]


Rating

Participants: 1, Reputation +1
windows7爱好者 +1 (reason: a big shot has arrived)

Dolby123
Posted on 2017-1-13 02:38:47
KIS

卡饭论坛 (KaFan Forum), KaFan.cn