Views: 5659 | Replies: 15

[Virus sample] A sample downloaded from Baidu... "Frog Zuma"... Baidu, what am I supposed to make of this

Invalid_ID
Posted on 2017-7-3 21:24:58
http://rj.baidu.com/soft/detail/27272.html?ald

The sample is here

Luckily I'm the kind of person who runs everything I download through VirusTotal first

https://www.virustotal.com/en/file/04981cf3d672ecb2d3761f13b9c3dc8a9353ab56b15d2787649ee216deb8b233/analysis/

Detection ratio: 18 / 61

Jirehlov1234
Posted on 2017-7-3 21:36:17
BDTS 2017 scan: miss
Didn't double-click it
心醉咖啡
Posted on 2017-7-3 23:52:59
Duba scan: miss
ziyerain2015
Posted on 2017-7-4 00:38:30
Zemana AntiMalware right-click scan: MISS
Double-clicking it triggers a malware alert
Dismissed that and ran the installer; it offers an optional checkbox for changing the homepage, then silently installed 2 other small games besides this one; after uninstalling, 2 game icons were left on the desktop
Nothing else. Baidu Browser also gets flagged as malware, and it runs without any problems too....
XZ8SM7Sx0bVkoUV
Posted on 2017-7-4 10:33:02
Huorong: kill

許典翔
Posted on 2017-7-4 12:31:50
Kaspersky right-click scan: MISS; flagged after installation
Gollum
Posted on 2017-7-4 12:37:07
BDTS scan lets it through; ran the installer

安全守护者
Posted on 2017-7-5 13:10:06

[mw_shl_code=sql,true]文件检测评级:
未发现风险


基本信息
文件名称:       
qingwazuma2014521.1400834725.exe
MD5:        f48785359e08f92601d48861b39543ca
文件类型:        EXE
上传时间:        2017-07-05 13:03:21
出品公司:        www.962.net
版本:        9.6.2.0---完美版
壳或编译器信息:        COMPILER:NSIS
子文件信息:
祖玛传奇.exe /  9988628aac55b08d14701f6093a4f77b /  EXE
PlayGame.exe /  830e4442b1e85a633de75870a6d99e27 /  EXE
SimHei48_layer0.gif /  9ad63a2ab2e8b368bab1ee2e4d7704e7 /  Unknown
7za.exe /  42badc1d2f03a8b1e4875740d3d49336 /  EXE
reverse1.wav /  6a1440b2082ea65adfc25d471f86b4cf /  Unknown
Thumbs.db /  934286ba0e17d1ace42c6bbee56664ca /  Compound
loadingscreen.jpg /  9f18ae84db97c25f1aa40f6dea7a762d /  Unknown
chant1.wav /  c5f077dda0054c4bca5d9efec8ea0d82 /  Unknown
chant8.wav /  10fdfb007cf5c6f5035c7b72aebe1745 /  Unknown
slowdown1.wav /  44e2223d7403ae1ad945bb05137a79cc /  Unknown
bombexplode.wav /  171fd2a76424f07552c6a8e01717e318 /  Unknown
DFPPuDingW7-B522_layer0.gif /  476336fcef715e3398df04f35c1dcd28 /  Unknown
ufo1.wav /  61cdad91510f1bc3964900023cb34ed6 /  Unknown
chant2.wav /  284018be163faa3329fd8795684a14ed /  Unknown
SimHei48_layer0_.gif /  8cd0e716dbcd75529a1b345008e32341 /  Unknown
earthquake.wav /  5fdcaf9aad9426bcd81bdbce81633fd1 /  Unknown
SimHei16_layer0.gif /  81b58e3b619629af6442a707b45d6ccd /  Unknown
zuma.mo3 /  d725d48eb0b44eabeecde68701fb69f8 /  Unknown
aqhttp.dll /  3c9ec661f20ee6ca4bb17cfe7c0a5174 /  DLL


关键行为
行为描述:        设置特殊文件夹属性
详情信息:       
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
行为描述:        在桌面创建文件
详情信息:       
C:\Documents and Settings\Administrator\桌面\祖玛传奇.lnk
C:\Documents and Settings\Administrator\桌面\乐游网.lnk
行为描述:        获取TickCount值
详情信息:       
TickCount = 293781, SleepMilliseconds = 60000.
TickCount = 293796, SleepMilliseconds = 60000.
TickCount = 293812, SleepMilliseconds = 60000.
TickCount = 293828, SleepMilliseconds = 60000.
TickCount = 293843, SleepMilliseconds = 60000.
TickCount = 233943, SleepMilliseconds = 100.
TickCount = 233959, SleepMilliseconds = 100.
TickCount = 233990, SleepMilliseconds = 100.
TickCount = 234006, SleepMilliseconds = 100.
TickCount = 234021, SleepMilliseconds = 100.
TickCount = 234100, SleepMilliseconds = 100.
TickCount = 234115, SleepMilliseconds = 100.
TickCount = 234131, SleepMilliseconds = 100.
TickCount = 234146, SleepMilliseconds = 100.
TickCount = 234178, SleepMilliseconds = 100.
进程行为
行为描述:        创建本地线程
详情信息:       
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3140, ThreadID = 3220, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3140, ThreadID = 3224, StartAddress = 7C930230, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3140, ThreadID = 3388, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3140, ThreadID = 3416, StartAddress = 77E56C7D, Parameter = 001D91D0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3140, ThreadID = 3420, StartAddress = 769AE43B, Parameter = 001D83F8
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3140, ThreadID = 3424, StartAddress = 01B8507F, Parameter = 001284B8
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3140, ThreadID = 3428, StartAddress = 00404EF5, Parameter = 00020372
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3140, ThreadID = 3432, StartAddress = 6359727B, Parameter = 0026F0A8
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3140, ThreadID = 3436, StartAddress = 6359727B, Parameter = 031EF160
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3140, ThreadID = 3440, StartAddress = 6359727B, Parameter = 031EF200
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 3140, ThreadID = 3816, StartAddress = 03E91018, Parameter = 03216E28
文件行为
行为描述:        创建文件
详情信息:       
C:\Documents and Settings\Administrator\Local Settings\Temp\nsh3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\System.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\left.bmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\NsisPlugin.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\modern-header.bmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\ButtonLinker.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\WebCtrl.dll
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ad[1].html
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\navcancl[2]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\errorPageStrings[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\httpErrorPagesScripts[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\background_gradient[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\info_48[1]
行为描述:        在系统敏感位置(如开始菜单等)释放链接或快捷方式
详情信息:       
C:\Documents and Settings\Administrator\「开始」菜单\程序\祖玛传奇\祖玛传奇完美版.lnk
C:\Documents and Settings\Administrator\「开始」菜单\程序\祖玛传奇\游戏无法运行.lnk
C:\Documents and Settings\Administrator\「开始」菜单\程序\祖玛传奇\乐游网.url
C:\Documents and Settings\Administrator\「开始」菜单\程序\祖玛传奇\卸载.lnk
行为描述:        创建可执行文件
详情信息:       
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\System.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\NsisPlugin.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\ButtonLinker.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\WebCtrl.dll
C:\Game962\ZumaDeluxe\PlayGame.exe
C:\Game962\ZumaDeluxe\bass.dll
C:\Game962\ZumaDeluxe\祖玛传奇.exe
C:\Game962\ZumaDeluxe\7za.exe
C:\Game962\ZumaDeluxe\Greening.dll
C:\Game962\ZumaDeluxe\NsisPlugin.dll
C:\Game962\ZumaDeluxe\aq7z.dll
C:\Game962\ZumaDeluxe\aqhttp.dll
C:\Game962\ZumaDeluxe\Uninstall.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\NSISdl.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\nsDialogs.dll
行为描述:        覆盖已有文件
详情信息:       
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\navcancl[2]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\errorPageStrings[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\httpErrorPagesScripts[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\background_gradient[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\info_48[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\bullet[1]
行为描述:        查找文件
详情信息:       
FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss4.tmp
FileName = C:\NUL
FileName = D:\NUL
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss4.tmp\left.bmp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss4.tmp\NsisPlugin.dll
FileName = C:\Game962\ZumaDeluxe
FileName = C:\Game962
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\WINDOWS\system32\Ras\*.pbk
FileName = C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
行为描述:        删除文件
详情信息:       
C:\Documents and Settings\Administrator\Local Settings\Temp\nsh3.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ad[1].html
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\navcancl[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\ErrorPageTemplate[2]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\errorPageStrings[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\httpErrorPagesScripts[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\background_gradient[3]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6TLOMATB\info_48[2]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IUKHR8T2\bullet[2]
C:\Documents and Settings\Administrator\Local Settings\Temp\setup.tmp
行为描述:        在桌面创建文件
详情信息:       
C:\Documents and Settings\Administrator\桌面\祖玛传奇.lnk
C:\Documents and Settings\Administrator\桌面\乐游网.lnk
行为描述:        修改BAT脚本文件
详情信息:       
C:\Game962\ZumaDeluxe\properties\dosign.bat ---> Offset = 0
行为描述:        设置特殊文件夹属性
详情信息:       
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
行为描述:        修改文件内容
详情信息:       
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\System.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\left.bmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\left.bmp ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\left.bmp ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\left.bmp ---> Offset = 98304
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\left.bmp ---> Offset = 124048
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\NsisPlugin.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\NsisPlugin.dll ---> Offset = 32354
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\NsisPlugin.dll ---> Offset = 65122
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\NsisPlugin.dll ---> Offset = 65848
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\modern-header.bmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\ButtonLinker.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\WebCtrl.dll ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\navcancl[2] ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C1OS62RY\ErrorPageTemplate[1] ---> Offset = 0
网络行为
行为描述:        连接指定站点
详情信息:       
InternetConnectA: ServerName = bo****et, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
行为描述:        打开HTTP连接
详情信息:       
InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489), hSession = 0x00cc0004
行为描述:        建立到一个指定的套接字连接
详情信息:       
URL: bo****et, IP: **.133.40.**:80, SOCKET = 0x00000390
URL: bo****et, IP: **.133.40.**:80, SOCKET = 0x0000000c
URL: 96****et, IP: **.133.40.**:80, SOCKET = 0x00000518
行为描述:        读取网络文件
详情信息:       
hFile = 0x00cc000c, BytesToRead =4096, BytesRead = 4096.
行为描述:        发送HTTP包
详情信息:       
GET /ad.html HTTP/1.1 Accept: */* Accept-Language: zh-cn Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; KB974489) Host: bo****et Connection: Keep-Alive
GET /show/push.txt HTTP/1.0 Host: 96****et User-Agent: NSISDL/1.2 (Mozilla) Accept: */*
行为描述:        打开HTTP请求
详情信息:       
HttpOpenRequestA: bo****et:80/ad.html, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400200
HttpOpenRequestA: bo****et:80/ad.html, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: GET, Referer: , Flags = 0x00400010
行为描述:        按名称获取主机地址
详情信息:       
GetAddrInfoW: bo****et
gethostbyname: 96****et
注册表行为
行为描述:        修改注册表
详情信息:       
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\MACHINE\SOFTWARE\962\祖玛传奇\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZumaDeluxe\UninstallString
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZumaDeluxe\DisplayName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZumaDeluxe\DisplayVersion
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZumaDeluxe\HelpLink
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZumaDeluxe\InstallLocation
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZumaDeluxe\InstallSource
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZumaDeluxe\ModifyPath
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZumaDeluxe\ProductID
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZumaDeluxe\Publisher
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZumaDeluxe\RegCompany
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZumaDeluxe\URLUpdateInfo
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZumaDeluxe\DisplayIcon
行为描述:        删除注册表键值
详情信息:       
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
其他行为
行为描述:        获取光标位置
详情信息:       
CursorPos = (80,18468), SleepMilliseconds = 60000.
CursorPos = (6373,26501), SleepMilliseconds = 60000.
CursorPos = (19208,15725), SleepMilliseconds = 60000.
CursorPos = (11517,29359), SleepMilliseconds = 1000.
CursorPos = (27001,24465), SleepMilliseconds = 1000.
CursorPos = (5744,28146), SleepMilliseconds = 1000.
CursorPos = (23320,16828), SleepMilliseconds = 1000.
行为描述:        创建互斥体
详情信息:       
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
RasPbFile
MSCTF.Shared.MUTEX.IEM
Local\!PrivacIE!SharedMemory!Mutex
CritOpMutex
行为描述:        隐藏指定窗口
详情信息:       
[Window,Class] = [,Button]
[Window,Class] = [,Auto-Suggest Dropdown]
[Window,Class] = [启用网址导航,Button]
[Window,Class] = [安装乐乐游戏盒,Button]
[Window,Class] = [显示细节(&D),Button]
[Window,Class] = [,SysLink]
[Window,Class] = [,Static]
[Window,Class] = [文件大小未知,Static]
[Window,Class] = [打开此类文件前总是询问(&W),Button]
[Window,Class] = [发行者:,Static]
[Window,Class] = [,Shell Embedding]
[Window,Class] = [,Internet Explorer_Server]
行为描述:        查找指定窗口
详情信息:       
NtUserFindWindowEx: [Class,Window] = [#32770,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
行为描述:        打开事件
详情信息:       
HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
\INSTALLATION_SECURITY_HOLD
MSFT.VSA.COM.DISABLE.3140
MSFT.VSA.IEC.STATUS.6c736db0
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000011
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000011
MSCTF.SendReceiveConection.Event.IOH.IM
MSCTF.SendReceive.Event.IOH.IM
行为描述:        获取TickCount值
详情信息:       
TickCount = 293781, SleepMilliseconds = 60000.
TickCount = 293796, SleepMilliseconds = 60000.
TickCount = 293812, SleepMilliseconds = 60000.
TickCount = 293828, SleepMilliseconds = 60000.
TickCount = 293843, SleepMilliseconds = 60000.
TickCount = 233943, SleepMilliseconds = 100.
TickCount = 233959, SleepMilliseconds = 100.
TickCount = 233990, SleepMilliseconds = 100.
TickCount = 234006, SleepMilliseconds = 100.
TickCount = 234021, SleepMilliseconds = 100.
TickCount = 234100, SleepMilliseconds = 100.
TickCount = 234115, SleepMilliseconds = 100.
TickCount = 234131, SleepMilliseconds = 100.
TickCount = 234146, SleepMilliseconds = 100.
TickCount = 234178, SleepMilliseconds = 100.
行为描述:        调整进程token权限
详情信息:       
SE_LOAD_DRIVER_PRIVILEGE
行为描述:        窗口信息
详情信息:       
Pid = 3140, Hwnd=0x10348, Text = 安装(&I), ClassName = Button.
Pid = 3140, Hwnd=0x1034a, Text = 取消(&C), ClassName = Button.
Pid = 3140, Hwnd=0x10356, Text = www.962.Net , ClassName = Static.
Pid = 3140, Hwnd=0x10358, Text = www.962.Net, ClassName = Static.
Pid = 3140, Hwnd=0x1035c, Text = 选择安装位置, ClassName = Static.
Pid = 3140, Hwnd=0x1035e, Text = 选择“祖玛传奇 完美版”的安装文件夹。, ClassName = Static.
Pid = 3140, Hwnd=0x10368, Text = C:\Game962\ZumaDeluxe, ClassName = Edit.
Pid = 3140, Hwnd=0x1036a, Text = 浏览(&B)..., ClassName = Button.
Pid = 3140, Hwnd=0x1036c, Text = 可用空间: 4.8GB, ClassName = Static.
Pid = 3140, Hwnd=0x10370, Text = 所需空间: 25.2MB, ClassName = Static.
Pid = 3140, Hwnd=0x10372, Text = Setup 将安装 祖玛传奇 完美版 在下列文件夹。要安装到不同文件夹,单击 [浏览(B)] 并选择其他的文件夹。 单击 [安装(I)] 开始安装进程。, ClassName = Static.
Pid = 3140, Hwnd=0x10374, Text = 目标文件夹, ClassName = Button(GroupBox).
Pid = 3140, Hwnd=0x20362, Text = 启用网址导航, ClassName = Button(CheckBox).
Pid = 3140, Hwnd=0x10382, Text = 安装乐乐游戏盒, ClassName = Button(CheckBox).
Pid = 3140, Hwnd=0x20342, Text = 祖玛传奇 完美版 安装 , ClassName = #32770.
行为描述:        可执行文件签名信息
详情信息:       
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\System.dll(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\NsisPlugin.dll(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\ButtonLinker.dll(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\WebCtrl.dll(签名验证: 未通过)
C:\Game962\ZumaDeluxe\PlayGame.exe(签名验证: 通过)
C:\Game962\ZumaDeluxe\bass.dll(签名验证: 未通过)
C:\Game962\ZumaDeluxe\祖玛传奇.exe(签名验证: 未通过)
C:\Game962\ZumaDeluxe\7za.exe(签名验证: 未通过)
C:\Game962\ZumaDeluxe\Greening.dll(签名验证: 未通过)
C:\Game962\ZumaDeluxe\NsisPlugin.dll(签名验证: 未通过)
C:\Game962\ZumaDeluxe\aq7z.dll(签名验证: 未通过)
C:\Game962\ZumaDeluxe\aqhttp.dll(签名验证: 未通过)
C:\Game962\ZumaDeluxe\Uninstall.exe(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\NSISdl.dll(签名验证: 未通过)
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\nsDialogs.dll(签名验证: 未通过)
行为描述:        调用Sleep函数
详情信息:       
[1]: MilliSeconds = 60000.
[2]: MilliSeconds = 100.
[3]: MilliSeconds = 60000.
[4]: MilliSeconds = 0.
[5]: MilliSeconds = 0.
[6]: MilliSeconds = 10.
[7]: MilliSeconds = 10.
[8]: MilliSeconds = 1000.
[9]: MilliSeconds = 1000.
[10]: MilliSeconds = 1000.
行为描述:        创建事件对象
详情信息:       
EventName = DINPUTWINMM
EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceive.Event.IEM.IC
EventName = MSCTF.SendReceiveConection.Event.IEM.IC
EventName = MSCTF.SendReceive.Event.AGN.IC
EventName = MSCTF.SendReceiveConection.Event.AGN.IC
行为描述:        可执行文件MD5
详情信息:       
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\System.dll ---> 00a0194c20ee912257df53bfe258ee4a
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\NsisPlugin.dll ---> b1934c6af2fbd347173e427e56df95d7
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\ButtonLinker.dll ---> dd85ac7d85c92dd0e3cc17dfd4890f54
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\WebCtrl.dll ---> 418a34a689d5f9bb85fc951168749edb
C:\Game962\ZumaDeluxe\PlayGame.exe ---> 830e4442b1e85a633de75870a6d99e27
C:\Game962\ZumaDeluxe\bass.dll ---> 6731f160e001bb85ba930574b8d42776
C:\Game962\ZumaDeluxe\祖玛传奇.exe ---> 9988628aac55b08d14701f6093a4f77b
C:\Game962\ZumaDeluxe\7za.exe ---> 42badc1d2f03a8b1e4875740d3d49336
C:\Game962\ZumaDeluxe\Greening.dll ---> 82ccb4dd63833063abd1c56ea80b529a
C:\Game962\ZumaDeluxe\NsisPlugin.dll ---> b1934c6af2fbd347173e427e56df95d7
C:\Game962\ZumaDeluxe\aq7z.dll ---> 53014f3764238d08a48590e2e1f5f4b9
C:\Game962\ZumaDeluxe\aqhttp.dll ---> 3c9ec661f20ee6ca4bb17cfe7c0a5174
C:\Game962\ZumaDeluxe\Uninstall.exe ---> 073d516070208ee6a51cfb4ab61a69bb
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\NSISdl.dll ---> 254f13dfd61c5b7d2119eb2550491e1d
C:\Documents and Settings\Administrator\Local Settings\Temp\nss4.tmp\nsDialogs.dll ---> ab73c0c2a23f913eabdc4cb24b75cbad
行为描述:        打开互斥体
详情信息:       
ShimCacheMutex
Local\!IETld!Mutex
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
CtfmonInstMutexDefaultS-*
行为描述:        加载新释放的文件
详情信息:       
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss4.tmp\System.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss4.tmp\ButtonLinker.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss4.tmp\WebCtrl.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss4.tmp\NSISdl.dll.
Image: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nss4.tmp\nsDialogs.dll.
Copyright©1998 - 2017 Tencent.All Rights Reserved
腾讯公司 版权所有[/mw_shl_code]

lanpor
Posted on 2017-7-5 14:07:59

Looks like ESET is still pretty good

你看我头像
Posted on 2017-7-6 14:49:52
文件名: qingwazuma2014521.1400834725.exe
威胁名称: Trojan.Gen.2
完整路径: 。。。\desktop\qingwazuma2014521.1400834725.exe

____________________________

在电脑上
2017-07-06 ( 14:46:27 )

上次使用时间
2017-07-06 ( 14:48:28 )

启动项
已启动

威胁类型: 病毒。 将自身插入或附加到其他程序、文件或电脑区域以感染这些媒介的程序。

____________________________

qingwazuma2014521.1400834725.exe 威胁名称: Trojan.Gen.2
定位

少量用户信任的文件
Norton 社区中有数百名用户 使用了此文件。

发布已久的文件
该文件已在 3 年 3 个月 前发行。

此文件具有高风险。

____________________________

来源: 外部介质

源文件:
qingwazuma2014521.1400834725.exe

____________________________

文件操作

文件: 。。。desktop\ qingwazuma2014521.1400834725.exe 已删除

____________________________

文件指纹 - SHA:
04981cf3d672ecb2d3761f13b9c3dc8a9353ab56b15d2787649ee216deb8b233
文件指纹 - MD5:
f48785359e08f92601d48861b39543ca