[病毒样本] 4x

显示全部楼层 · 发表于 2017-8-25 16:00:59

1757142.doc VT: https://virustotal.com/en/file/ef106cc2f56affb2fba4a4a21628ea13f54c69f0c4c564cb9f451abb377eba71/analysis/
TrendMicro OfficeScan XG detected as W2KM_SHERU.E

SINV0709.vbs VT: https://virustotal.com/en/file/aa75f8ecb2a990615dc534155a15fd9d8ea99ca2db718e8bc6092dc07fda9b2c/analysis/
TrendMicro OfficeScan XG detected as Mal_VBSCRDLX

SINV0711.docm VT: https://virustotal.com/en/file/027d37e56f9878cb334d35ebe49080061f9c5436e6d7c8f67fd732fe3ff85001/analysis/
TrendMicro OfficeScan missed

bill-201708.exe VT: https://virustotal.com/en/file/abacabfc7c6550bd8594fd0b758c3f890a01212fcc23d3a04b04f761684cc86e/analysis/
TrendMicro OfficeScan XG detected as Ransom_LOCKY.TH824

显示全部楼层 · 发表于 2017-8-25 16:03:55

TPCMgr kill 1
[mw_shl_code=css,true][Scan information]

Start time:2017-8-25 16:02:16
Elapsed time:00:00:01
Scan type:Custom scan
Antivirus engines:Tencent cloud protection engine Tencent antivirus engine II Tencent system repair engine Bitdefender local antivirus engine
Scan status:Scan complete

[Scan Report]

Files scanned:4
Threats detected:1
Threats processed:1

---------------------
2017-8-25 16:02:21 MD5:5e8a183a5fe1b0b36eaf6a7a10b30fa5 D:\迅雷下载\病毒测试区\4\bill-201708.exe [Trojan.Ransom.BTI] [Delete success]
---------------------
[/mw_shl_code]

显示全部楼层 · 发表于 2017-8-25 16:06:17

费尔双击拦截

显示全部楼层 · 发表于 2017-8-25 16:10:46

卡巴杀3,余1

显示全部楼层 · 发表于 2017-8-25 16:13:38

显示全部楼层 · 发表于 2017-8-25 16:30:16

显示全部楼层 · 发表于 2017-8-25 20:42:06

Q管监控kill1个 360补杀了2个

显示全部楼层 · 发表于 2017-8-25 22:13:01

本帖最后由左手于 2017-8-25 22:17 编辑

加密的。小心。[mw_shl_code=css,true]2017-8-25 22:10:08 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
值: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
规则: [应用程序组]→a070_SystemRoot《系统程序》 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

2017-8-25 22:10:08 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-527237240-1659004503-1801674531-500\Products\0762812C5FEEC1B428F26679F2DFAE7C\Usage\DefaultFeature
值: 0x4b190141(1259929921)
规则: [注册表组]《保护》_重要注册表项 -> [注册表]*\Software\Microsoft\Windows*\*

2017-8-25 22:10:08 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData
值: C:\Documents and Settings\Administrator\Local Settings\Application Data
规则: [应用程序组]→a070_SystemRoot《系统程序》 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

2017-8-25 22:10:09 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
值: C:\Documents and Settings\Administrator\Application Data
规则: [应用程序组]→a070_SystemRoot《系统程序》 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

2017-8-25 22:10:10 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
值: C:\Documents and Settings\Administrator\桌面
规则: [应用程序组]→a070_SystemRoot《系统程序》 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

2017-8-25 22:10:18 修改注册表值危险等级:敏感阻止
进程: d:\program files\fscapture8.4_chs\fscapture.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\NetHood
值: C:\Documents and Settings\Administrator\NetHood
规则: [应用程序组]→a080_★★★【一般加至该组《常用的程序和游戏》】★★★ -> [注册表组]阻止_优先黑名单

2017-8-25 22:10:22 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
值: C:\Documents and Settings\Administrator\My Documents
规则: [应用程序组]→a070_SystemRoot《系统程序》 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

2017-8-25 22:10:22 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents
值: C:\Documents and Settings\All Users\Documents
规则: [应用程序组]→a070_SystemRoot《系统程序》 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

2017-8-25 22:10:23 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Start Menu
值: C:\Documents and Settings\Administrator\「开始」菜单
规则: [应用程序组]→a070_SystemRoot《系统程序》 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

2017-8-25 22:10:23 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Start Menu
值: C:\Documents and Settings\All Users\「开始」菜单
规则: [应用程序组]→a070_SystemRoot《系统程序》 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

2017-8-25 22:10:23 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop
值: C:\Documents and Settings\All Users\桌面
规则: [应用程序组]→a070_SystemRoot《系统程序》 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

2017-8-25 22:10:23 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData
值: C:\Documents and Settings\All Users\Application Data
规则: [应用程序组]→a070_SystemRoot《系统程序》 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

2017-8-25 22:10:23 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\My Pictures
值: C:\Documents and Settings\Administrator\My Documents\My Pictures
规则: [应用程序组]→a070_SystemRoot《系统程序》 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

2017-8-25 22:10:23 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\CommonPictures
值: C:\Documents and Settings\All Users\Documents\My Pictures
规则: [应用程序组]→a070_SystemRoot《系统程序》 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

2017-8-25 22:10:23 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\CommonMusic
值: C:\Documents and Settings\All Users\Documents\My Music
规则: [应用程序组]→a070_SystemRoot《系统程序》 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

2017-8-25 22:10:23 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\CommonVideo
值: C:\Documents and Settings\All Users\Documents\My Videos
规则: [应用程序组]→a070_SystemRoot《系统程序》 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

2017-8-25 22:10:23 创建文件危险等级:低危阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\index.dat
规则: [应用程序组]→a070_SystemRoot《系统程序》 -> [文件]*; index.dat

2017-8-25 22:10:49 创建新进程危险等级:未知允许
进程: c:\windows\explorer.exe
目标: c:\windows\system32\wscript.exe
命令行: "C:\WINDOWS\system32\WScript.exe" "C:\Documents and Settings\Administrator\桌面\SINV0709.vbs"
规则: [应用程序]c:\windows\explorer.exe -> [子应用程序]→a002_《不受信任组》_潜在不受欢迎的木马病毒 -> [应用程序]*\wscript.exe

2017-8-25 22:10:58 读文件危险等级:低危允许
进程: c:\windows\system32\wscript.exe
目标: C:\Documents and Settings\Administrator\桌面\SINV0709.vbs
规则: [应用程序]c:\windows\system32\?script.exe -> [文件]*; *.vbs

2017-8-25 22:10:58 修改注册表值危险等级:敏感阻止
进程: c:\windows\system32\wscript.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
值: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
规则: [应用程序组]→a999_★《临时规则_安装模式》★ -> [注册表组]阻止_优先黑名单

2017-8-25 22:10:58 修改注册表值危险等级:敏感阻止
进程: c:\windows\system32\wscript.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
值: C:\Documents and Settings\Administrator\Cookies
规则: [应用程序组]→a999_★《临时规则_安装模式》★ -> [注册表组]阻止_优先黑名单

2017-8-25 22:10:58 修改注册表值危险等级:敏感阻止
进程: c:\windows\system32\wscript.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History
值: C:\Documents and Settings\Administrator\Local Settings\History
规则: [应用程序组]→a999_★《临时规则_安装模式》★ -> [注册表组]阻止_优先黑名单

2017-8-25 22:10:58 修改注册表值危险等级:敏感阻止
进程: c:\windows\system32\wscript.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData
值: C:\Documents and Settings\All Users\Application Data
规则: [应用程序组]→a999_★《临时规则_安装模式》★ -> [注册表组]阻止_优先黑名单

2017-8-25 22:10:58 修改注册表值危险等级:敏感阻止
进程: c:\windows\system32\wscript.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
值: C:\Documents and Settings\Administrator\Application Data
规则: [应用程序组]→a999_★《临时规则_安装模式》★ -> [注册表组]阻止_优先黑名单

2017-8-25 22:10:58 修改注册表值危险等级:敏感阻止
进程: c:\windows\system32\wscript.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
值: 0x00000000(0)
规则: [应用程序组]→a999_★《临时规则_安装模式》★ -> [注册表组]阻止_优先黑名单

2017-8-25 22:10:58 修改注册表值危险等级:敏感阻止
进程: c:\windows\system32\wscript.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
值: 150.176.182.31;80:80
规则: [应用程序组]→a999_★《临时规则_安装模式》★ -> [注册表组]阻止_优先黑名单

2017-8-25 22:10:58 修改注册表值危险等级:敏感阻止
进程: c:\windows\system32\wscript.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
值: *.local
规则: [应用程序组]→a999_★《临时规则_安装模式》★ -> [注册表组]阻止_优先黑名单

2017-8-25 22:10:58 修改注册表值危险等级:敏感阻止
进程: c:\windows\system32\wscript.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
值: 0x00000000(0)
规则: [应用程序组]→a999_★《临时规则_安装模式》★ -> [注册表组]阻止_优先黑名单

2017-8-25 22:10:58 修改注册表值危险等级:敏感阻止
进程: c:\windows\system32\wscript.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
值: 150.176.182.31;80:80
规则: [应用程序组]→a999_★《临时规则_安装模式》★ -> [注册表组]阻止_优先黑名单

2017-8-25 22:11:11 访问网络阻止并结束进程
进程: c:\windows\system32\wscript.exe
目标: UDP [本机 : 3753] -> [127.0.0.1 : 3753]
规则: [应用程序]c:\windows\system32\?script.exe -> [网络组]n0所有允许或阻止

2017-8-25 22:11:11 修改注册表值危险等级:敏感阻止
进程: c:\windows\system32\wscript.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
值: *.local
规则: [应用程序组]→a999_★《临时规则_安装模式》★ -> [注册表组]阻止_优先黑名单

2017-8-25 22:11:11 修改注册表值危险等级:敏感阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
值: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
规则: [应用程序]?:\*\*\*\* -> [注册表组]阻止_优先黑名单

2017-8-25 22:11:11 修改注册表值危险等级:敏感阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
值: C:\Documents and Settings\Administrator\Cookies
规则: [应用程序]?:\*\*\*\* -> [注册表组]阻止_优先黑名单

2017-8-25 22:11:11 修改注册表值危险等级:敏感阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History
值: C:\Documents and Settings\Administrator\Local Settings\History
规则: [应用程序]?:\*\*\*\* -> [注册表组]阻止_优先黑名单

2017-8-25 22:11:11 修改注册表值危险等级:敏感阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData
值: C:\Documents and Settings\All Users\Application Data
规则: [应用程序]?:\*\*\*\* -> [注册表组]阻止_优先黑名单

2017-8-25 22:11:11 修改注册表值危险等级:敏感阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
值: C:\Documents and Settings\Administrator\Application Data
规则: [应用程序]?:\*\*\*\* -> [注册表组]阻止_优先黑名单

2017-8-25 22:11:11 修改注册表值危险等级:敏感阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
值: 0x00000000(0)
规则: [应用程序]?:\*\*\*\* -> [注册表组]阻止_优先黑名单

2017-8-25 22:11:11 修改注册表值危险等级:敏感阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
值: 150.176.182.31;80:80
规则: [应用程序]?:\*\*\*\* -> [注册表组]阻止_优先黑名单

2017-8-25 22:11:11 修改注册表值危险等级:敏感阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
值: *.local
规则: [应用程序]?:\*\*\*\* -> [注册表组]阻止_优先黑名单

2017-8-25 22:11:21 访问网络允许
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: TCP [本机 : 3756] -> [46.183.165.45 : 80 (http)]
规则: [应用程序]*.exe -> [网络]任意协议 [本机 : 任意端口] <-> [任意地址 : 任意端口]

2017-8-25 22:11:24 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
值: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
规则: [应用程序组]→a070_SystemRoot《系统程序》 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

2017-8-25 22:11:24 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-527237240-1659004503-1801674531-500\Products\0762812C5FEEC1B428F26679F2DFAE7C\Usage\DefaultFeature
值: 0x4b190141(1259929921)
规则: [注册表组]《保护》_重要注册表项 -> [注册表]*\Software\Microsoft\Windows*\*

2017-8-25 22:11:24 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData
值: C:\Documents and Settings\Administrator\Local Settings\Application Data
规则: [应用程序组]→a070_SystemRoot《系统程序》 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

2017-8-25 22:11:24 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
值: C:\Documents and Settings\Administrator\Application Data
规则: [应用程序组]→a070_SystemRoot《系统程序》 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

2017-8-25 22:11:24 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
值: C:\Documents and Settings\Administrator\桌面
规则: [应用程序组]→a070_SystemRoot《系统程序》 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

2017-8-25 22:11:33 修改文件危险等级:敏感允许
进程: c:\program files\microsoft office\office11\winword.exe
目标: C:\Documents and Settings\Administrator\桌面\SINV0711.docm
规则: [应用程序组]→a080_★★★【一般加至该组《常用的程序和游戏》】★★★ -> [文件组]《询问》f060_桌面

2017-8-25 22:11:33 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: D:
规则: [文件组]《坚固》f111_隐藏磁盘 -> [文件]d:\*

2017-8-25 22:11:33 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: E:
规则: [文件组]《坚固》f111_隐藏磁盘 -> [文件]e:\*

2017-8-25 22:11:33 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: F:
规则: [文件组]《坚固》f111_隐藏磁盘 -> [文件]f:\*

2017-8-25 22:11:33 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: G:
规则: [文件组]《坚固》f111_隐藏磁盘 -> [文件]g:\*

2017-8-25 22:11:33 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: H:
规则: [文件组]《坚固》f111_隐藏磁盘 -> [文件]h:\*

2017-8-25 22:11:33 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: I:
规则: [文件组]《坚固》f111_隐藏磁盘 -> [文件]i:\*

2017-8-25 22:11:33 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: J:
规则: [文件组]《坚固》f111_隐藏磁盘 -> [文件]j:\*

2017-8-25 22:11:33 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: K:
规则: [文件组]《坚固》f111_隐藏磁盘 -> [文件]k:\*

2017-8-25 22:11:33 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: E:
规则: [文件组]《坚固》f111_隐藏磁盘 -> [文件]e:\*

2017-8-25 22:11:33 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: F:
规则: [文件组]《坚固》f111_隐藏磁盘 -> [文件]f:\*

2017-8-25 22:11:33 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: I:
规则: [文件组]《坚固》f111_隐藏磁盘 -> [文件]i:\*

2017-8-25 22:11:33 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: J:
规则: [文件组]《坚固》f111_隐藏磁盘 -> [文件]j:\*

2017-8-25 22:11:33 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: G:
规则: [文件组]《坚固》f111_隐藏磁盘 -> [文件]g:\*

2017-8-25 22:11:33 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: D:
规则: [文件组]《坚固》f111_隐藏磁盘 -> [文件]d:\*

2017-8-25 22:11:33 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: H:
规则: [文件组]《坚固》f111_隐藏磁盘 -> [文件]h:\*

2017-8-25 22:11:33 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: K:
规则: [文件组]《坚固》f111_隐藏磁盘 -> [文件]k:\*

2017-8-25 22:11:47 读文件夹危险等级:低危允许
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\a
规则: [应用程序组]a082_《行为防御》_自动运行 -> [应用程序]c:\documents and settings\*\* -> [文件组]《终止》f022_高优先禁读 -> [文件]?:\; ?

2017-8-25 22:11:47 创建文件危险等级:低危允许
进程: c:\program files\microsoft office\office11\winword.exe
目标: C:\Documents and Settings\Administrator\桌面\~$NV0711.docm
规则: [应用程序组]→a080_★★★【一般加至该组《常用的程序和游戏》】★★★ -> [文件组]《询问》f060_桌面

2017-8-25 22:11:47 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office12\wordconv.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
值: C:\Documents and Settings\Administrator\Application Data
规则: [应用程序]?:\program files\*\*.exe -> [注册表组]阻止_优先黑名单

2017-8-25 22:11:47 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office12\wordconv.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
值: C:\Documents and Settings\Administrator\桌面
规则: [应用程序]?:\program files\*\*.exe -> [注册表组]阻止_优先黑名单

2017-8-25 22:11:47 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office12\wordconv.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
值: C:\Documents and Settings\Administrator\My Documents
规则: [应用程序]?:\program files\*\*.exe -> [注册表组]阻止_优先黑名单

2017-8-25 22:11:47 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office12\wordconv.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents
值: C:\Documents and Settings\All Users\Documents
规则: [应用程序]?:\program files\*\*.exe -> [注册表组]阻止_优先黑名单

2017-8-25 22:11:47 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office12\wordconv.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
值: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
规则: [应用程序]?:\program files\*\*.exe -> [注册表组]阻止_优先黑名单

2017-8-25 22:11:47 修改文件危险等级:敏感阻止
进程: c:\program files\microsoft office\office12\wordconv.exe
目标: C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Word12.pip
规则: [应用程序]?:\*\*\*\* -> [文件]c:\documents and settings\*\application data\microsoft\office\*

2017-8-25 22:11:47 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office12\wordconv.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData
值: C:\Documents and Settings\Administrator\Local Settings\Application Data
规则: [应用程序]?:\program files\*\*.exe -> [注册表组]阻止_优先黑名单

2017-8-25 22:11:47 创建注册表项危险等级:未知阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FAAB64EE-21D6-474F-A7B9-1FF7A22D1BCC}
规则: [注册表组]《保护》_重要注册表项 -> [注册表]*\Software\Classes\*

2017-8-25 22:11:47 创建注册表项危险等级:未知阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_CURRENT_USER\Software\Classes\TypeLib\{FAAB64EE-21D6-474F-A7B9-1FF7A22D1BCC}
规则: [注册表组]《保护》_重要注册表项 -> [注册表]*\Software\Classes\*

2017-8-25 22:11:47 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Start Menu
值: C:\Documents and Settings\Administrator\「开始」菜单
规则: [应用程序组]→a070_SystemRoot《系统程序》 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

2017-8-25 22:11:47 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Start Menu
值: C:\Documents and Settings\All Users\「开始」菜单
规则: [应用程序组]→a070_SystemRoot《系统程序》 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

2017-8-25 22:11:47 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop
值: C:\Documents and Settings\All Users\桌面
规则: [应用程序组]→a070_SystemRoot《系统程序》 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

2017-8-25 22:11:47 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData
值: C:\Documents and Settings\All Users\Application Data
规则: [应用程序组]→a070_SystemRoot《系统程序》 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

2017-8-25 22:11:47 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\My Pictures
值: C:\Documents and Settings\Administrator\My Documents\My Pictures
规则: [应用程序组]→a070_SystemRoot《系统程序》 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

2017-8-25 22:11:47 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
值: C:\Documents and Settings\Administrator\My Documents
规则: [应用程序组]→a070_SystemRoot《系统程序》 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

2017-8-25 22:11:47 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\CommonPictures
值: C:\Documents and Settings\All Users\Documents\My Pictures
规则: [应用程序组]→a070_SystemRoot《系统程序》 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

2017-8-25 22:11:47 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents
值: C:\Documents and Settings\All Users\Documents
规则: [应用程序组]→a070_SystemRoot《系统程序》 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

2017-8-25 22:11:47 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\CommonMusic
值: C:\Documents and Settings\All Users\Documents\My Music
规则: [应用程序组]→a070_SystemRoot《系统程序》 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

2017-8-25 22:11:47 修改注册表值危险等级:敏感阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\CommonVideo
值: C:\Documents and Settings\All Users\Documents\My Videos
规则: [应用程序组]→a070_SystemRoot《系统程序》 -> [注册表]*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

2017-8-25 22:11:47 创建文件危险等级:低危阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\index.dat
规则: [应用程序组]→a070_SystemRoot《系统程序》 -> [文件]*; index.dat

2017-8-25 22:11:56 删除文件危险等级:敏感允许
进程: c:\program files\microsoft office\office11\winword.exe
目标: C:\Documents and Settings\Administrator\桌面\~$NV0711.docm
规则: [应用程序组]→a080_★★★【一般加至该组《常用的程序和游戏》】★★★ -> [文件组]《询问》f060_桌面

2017-8-25 22:12:01 读文件夹危险等级:低危允许
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\a
规则: [应用程序组]a082_《行为防御》_自动运行 -> [应用程序]c:\documents and settings\*\* -> [文件组]《终止》f022_高优先禁读 -> [文件]?:\; ?

2017-8-25 22:12:01 创建文件危险等级:低危阻止
进程: c:\program files\microsoft office\office11\winword.exe
目标: C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Recent\index.dat
规则: [应用程序组]→a070_SystemRoot《系统程序》 -> [文件]*; index.dat

2017-8-25 22:12:03 读文件夹危险等级:低危允许
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\a
规则: [应用程序组]a082_《行为防御》_自动运行 -> [应用程序]c:\documents and settings\*\* -> [文件组]《终止》f022_高优先禁读 -> [文件]?:\; ?

2017-8-25 22:12:06 读文件夹危险等级:低危 (3) 允许
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\a\a
规则: [应用程序组]a082_《行为防御》_自动运行 -> [应用程序]c:\documents and settings\*\* -> [文件组]《终止》f022_高优先禁读 -> [文件]?:\?\*

2017-8-25 22:12:09 读文件夹危险等级:低危 (3) 允许
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\a\bak
规则: [应用程序组]a082_《行为防御》_自动运行 -> [应用程序]c:\documents and settings\*\* -> [文件组]《终止》f022_高优先禁读 -> [文件]?:\?\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\(原创)无测试模式无重启，有图有真相完美破解64位Sandboxie
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\201601
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\201602
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\201603
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\201604
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\201605
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\201606
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\201607
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\201608
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\201609
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\201610
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\cachm1001
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\dbank
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\FileRecv
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\fuli
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\QQ
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\Resources
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\saiban
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\themes主题
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\virus
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\vivo Y13L
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\Walpaper
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\yfx
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\zd423
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\后期素材
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\小瘦牛
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\庆霏凡15年】ACDPhotoEditor 3.1.49.4 精简汉化优化版
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\微视频
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\沙盘和谐工具
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\电子书
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\百度文库下载器V2.3.4.1_1
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\美丽背影
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\自解压文件创建工具(Make SFX)5.5.49.159汉化版
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:11 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\Resourced\蓝色海底世界
规则: [应用程序]?:\*\*\*\* -> [文件组]《保护》f998_受保护的用户重要文件或目录 -> [文件]?:\documents and settings\*\桌面\resourced\*

2017-8-25 22:12:18 读文件夹危险等级:低危阻止
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\VisTitle\preset\TemplateStyles
规则: [文件组]《终止》f009_病毒生成物2 -> [文件]*; *test*

2017-8-25 22:12:20 修改文件危险等级:敏感阻止并结束进程
进程: c:\documents and settings\administrator\桌面\bill-201708.exe
目标: C:\Documents and Settings\Administrator\桌面\2017-3-8\模板.pptx
规则: [应用程序]?:\*\*\*\* -> [文件]c:\documents and settings\*\桌面\*
[/mw_shl_code]

显示全部楼层 · 发表于 2017-8-25 22:52:08

右键双击

[病毒样本] 4x

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源