ESET kill doc
HaBo:
js: low risk
[mw_shl_code=css,true]Basic information
File name:
3dde686d7207b5b88e0a78...29aee0e62867155626a561.js
MD5: 6f67a4ffbfca561624f46e69aef009c6
File type: Windows Script
Upload time: 2017-09-06 12:28:51
Publisher: N/A
Version: N/A
Packer/compiler info: N/A
Process behavior
Behavior: Create local thread
Details:
TargetProcess: wscript.exe, InheritedFromPID = 2000, ProcessID = 2468, ThreadID = 2480, StartAddress = 01002FD4, Parameter = 008E4480
TargetProcess: wscript.exe, InheritedFromPID = 2000, ProcessID = 2468, ThreadID = 2496, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: wscript.exe, InheritedFromPID = 2000, ProcessID = 2468, ThreadID = 2512, StartAddress = 765E964D, Parameter = 001C5F48
TargetProcess: wscript.exe, InheritedFromPID = 2000, ProcessID = 2468, ThreadID = 2528, StartAddress = 77E56C7D, Parameter = 001C0178
TargetProcess: wscript.exe, InheritedFromPID = 2000, ProcessID = 2468, ThreadID = 2532, StartAddress = 769AE43B, Parameter = 001A8490
File behavior
Behavior: Search for files
Details:
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\%temp%\****.js
Other behavior
Behavior: Create event object
Details:
EventName = Global\crypt32LogoffEvent
Behavior: Open event
Details:
MSFT.VSA.COM.DISABLE.2468
MSFT.VSA.IEC.STATUS.6c736db0
Global\crypt32LogoffEvent
Behavior: Open mutex
Details:
ShimCacheMutex
Behavior: Create mutex
Details:
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Process tree
wscript.exe (PID: 0x000009a4)[/mw_shl_code]
exe: high risk
[mw_shl_code=css,true]Basic information
File name:
e454cd6f7220ae25083c5e...6f7220ae25_titlenljtq.exe
MD5: c8be3a7e91cfa426531935853823e4ba
File type: EXE
Upload time: 2017-09-06 12:29:02
Publisher: N/A
Version: N/A
Packer/compiler info: PACKER:UPolyX v0.5
Key behaviors
Behavior: Cross-process memory write
Details:
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00150000, Size = 0x00000020 TargetPID = 0x00000f94
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00150020, Size = 0x00000034 TargetPID = 0x00000f94
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x7ffde238, Size = 0x00000004 TargetPID = 0x00000f94
Behavior: Suspected ransomware (encryption extortion) behavior
Details:
N/A
N/A
Behavior: Modify registry (desktop wallpaper registry values)
Details:
\REGISTRY\USER\S-*\Control Panel\Desktop\WallpaperStyle
\REGISTRY\USER\S-*\Control Panel\Desktop\Wallpaper
Behavior: Get TickCount value
Details:
TickCount = 210093, SleepMilliseconds = 33000.
TickCount = 210109, SleepMilliseconds = 33000.
TickCount = 210187, SleepMilliseconds = 33000.
TickCount = 210218, SleepMilliseconds = 33000.
TickCount = 210250, SleepMilliseconds = 33000.
TickCount = 210265, SleepMilliseconds = 33000.
TickCount = 210281, SleepMilliseconds = 33000.
TickCount = 210296, SleepMilliseconds = 33000.
TickCount = 210312, SleepMilliseconds = 33000.
TickCount = 210437, SleepMilliseconds = 33000.
TickCount = 210468, SleepMilliseconds = 33000.
TickCount = 210484, SleepMilliseconds = 33000.
TickCount = 210500, SleepMilliseconds = 33000.
TickCount = 210515, SleepMilliseconds = 33000.
TickCount = 210531, SleepMilliseconds = 33000.
Behavior: Create file on desktop
Details:
C:\Users\Administrator\Desktop\IT40E94E-3KS1-6PR5-DAB811DC-7F561E64AEA1.lukitus
C:\Users\Administrator\Desktop\lukitus-d330.htm
C:\Users\Administrator\Desktop\lukitus.htm
C:\Users\Administrator\Desktop\lukitus.bmp
Behavior: Set special folder attributes
Details:
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
Behavior: Read CPU clock directly
Details:
EAX = 0xb16b07f8, EDX = 0x0000007a
Process behavior
Behavior: Create process with hidden window
Details:
ImagePath = , CmdLine = cmd.exe /C del /Q /F "C:\Users\ADMINI~1\AppData\Local\Temp\sysCE52.tmp"
Behavior: Cross-process memory write
Details:
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00150000, Size = 0x00000020 TargetPID = 0x00000f94
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x00150020, Size = 0x00000034 TargetPID = 0x00000f94
TargetProcess = C:\Windows\System32\cmd.exe, WriteAddress = 0x7ffde238, Size = 0x00000004 TargetPID = 0x00000f94
Behavior: Enumerate processes
Details:
N/A
Behavior: Create process
Details:
[0x00000f94]ImagePath = C:\Windows\System32\cmd.exe, CmdLine = cmd.exe /C del /Q /F "C:\Users\ADMINI~1\AppData\Local\Temp\sysCE52.tmp"
File behavior
Behavior: Create file
Details:
C:\Users\Administrator\IT40E94E-3KS1-6PR5-BAD5B1F5-3CF7782B97B8.lukitus
C:\Users\Administrator\lukitus-78c4.htm
C:\IT40E94E-3KS1-6PR5-CF5ED57E-893891247FFA.lukitus
C:\lukitus-c8e6.htm
C:\Users\Administrator\Pictures\IT40E94E-3KS1-6PR5-70C7FA25-6C6C3EF3D7F5.lukitus
C:\Users\Administrator\Pictures\lukitus-5a31.htm
C:\Users\Administrator\Documents\IT40E94E-3KS1-6PR5-9FCA27FF-7958AE5A88EF.lukitus
C:\Users\Administrator\Documents\lukitus-7ca8.htm
C:\IT40E94E-3KS1-6PR5-739D21BD-69E9017C397E.lukitus
C:\IT40E94E-3KS1-6PR5-9EA24007-6E209A65A755.lukitus
C:\MSOCache\All Users\{90120000-0011-0000-0000-0000000FF1CE}-C\IT40E94E-3KS1-6PR5-B9FFCC4A-4A24771E1F8E.lukitus
C:\MSOCache\All Users\{90120000-0011-0000-0000-0000000FF1CE}-C\lukitus-8c35.htm
C:\MSOCache\All Users\{90120000-0011-0000-0000-0000000FF1CE}-C\IT40E94E-3KS1-6PR5-01E6F940-B488D9275462.lukitus
C:\MSOCache\All Users\{90120000-0011-0000-0000-0000000FF1CE}-C\IT40E94E-3KS1-6PR5-BB59BCA8-BAE5ABC19FA6.lukitus
C:\MSOCache\All Users\{90120000-0015-0804-0000-0000000FF1CE}-C\IT40E94E-3KS1-6PR5-4004C7F7-1A1B6C28C731.lukitus
Behavior: Modify script file
Details:
C:\autoexec.bat ---> Offset = 0
Behavior: Search for files
Details:
FileName = C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk
FileName = C:\ProgramData\Microsoft\Network\Connections\Pbk\*.pbk
FileName = C:\Windows\system32\Ras\*.pbk
FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk
FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Network\Connections\Pbk\*.pbk
FileName = d:\*
FileName = c:\*
FileName = x:\*
FileName = c:\AnalyzeControl\*
FileName = c:\DiskD\*
FileName = c:\DiskX\*
FileName = c:\monitor\*
FileName = c:\MSOCache\*
FileName = c:\MSOCache\All Users\*
FileName = c:\MSOCache\All Users\{90120000-0011-0000-0000-0000000FF1CE}-C\*
Behavior: Delete file
Details:
C:\Users\Administrator\Desktop\4A9989FCE46AB6D9FCC569CB3F037B72.tmp
C:\Users\Administrator\157CBEDBEDCBB7A9317EB347EF1B9A22.tmp
C:\330874635A0BD48B6525A53ECE132364.tmp
C:\Users\Administrator\Pictures\FE8029E83EB9E545CBE49CB0F7BD37D7.tmp
C:\Users\Administrator\Documents\1A6F2B5C40EA2F1438DC714C55771496.tmp
C:\DB2232F1F529DB653A749B3C1C07BA8E.tmp
C:\8E198F6177F34AF37EC620E8ECCFE829.tmp
C:\MSOCache\All Users\{90120000-0011-0000-0000-0000000FF1CE}-C\76FB915081F80030B14C732869A51C94.tmp
C:\MSOCache\All Users\{90120000-0011-0000-0000-0000000FF1CE}-C\A268E7B97B4A60556198453C983E53C8.tmp
C:\MSOCache\All Users\{90120000-0011-0000-0000-0000000FF1CE}-C\6F9D9FE67EE17F5F3839757CF9D5712B.tmp
C:\MSOCache\All Users\{90120000-0015-0804-0000-0000000FF1CE}-C\A9441FFD163C712C07949AEB74AF38AB.tmp
C:\MSOCache\All Users\{90120000-0015-0804-0000-0000000FF1CE}-C\7EB55EEB14F1A78A1025A0288333052F.tmp
C:\MSOCache\All Users\{90120000-0016-0804-0000-0000000FF1CE}-C\60EF3AD9772E9FBE18D90761FE6D3B98.tmp
C:\MSOCache\All Users\{90120000-0016-0804-0000-0000000FF1CE}-C\F19B9637E5DE24CF492DFFA13E57CD61.tmp
C:\MSOCache\All Users\{90120000-0018-0804-0000-0000000FF1CE}-C\2273815E4E22A85A17EB6C3070464B75.tmp
Behavior: Create file on desktop
Details:
C:\Users\Administrator\Desktop\IT40E94E-3KS1-6PR5-DAB811DC-7F561E64AEA1.lukitus
C:\Users\Administrator\Desktop\lukitus-d330.htm
C:\Users\Administrator\Desktop\lukitus.htm
C:\Users\Administrator\Desktop\lukitus.bmp
Behavior: Rename file
Details:
C:\Users\Administrator\money.doc ---> c:\Users\Administrator\157CBEDBEDCBB7A9317EB347EF1B9A22.tmp
C:\autoexec.bat ---> c:\DB2232F1F529DB653A749B3C1C07BA8E.tmp
C:\cin.txt ---> c:\8E198F6177F34AF37EC620E8ECCFE829.tmp
C:\MSOCache\All Users\{90120000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml ---> c:\MSOCache\All Users\{90120000-0011-0000-0000-0000000FF1CE}-C\76FB915081F80030B14C732869A51C94.tmp
C:\MSOCache\All Users\{90120000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml ---> c:\MSOCache\All Users\{90120000-0011-0000-0000-0000000FF1CE}-C\A268E7B97B4A60556198453C983E53C8.tmp
C:\MSOCache\All Users\{90120000-0011-0000-0000-0000000FF1CE}-C\Setup.xml ---> c:\MSOCache\All Users\{90120000-0011-0000-0000-0000000FF1CE}-C\6F9D9FE67EE17F5F3839757CF9D5712B.tmp
C:\MSOCache\All Users\{90120000-0015-0804-0000-0000000FF1CE}-C\AccessMUI.xml ---> c:\MSOCache\All Users\{90120000-0015-0804-0000-0000000FF1CE}-C\A9441FFD163C712C07949AEB74AF38AB.tmp
C:\MSOCache\All Users\{90120000-0015-0804-0000-0000000FF1CE}-C\Setup.xml ---> c:\MSOCache\All Users\{90120000-0015-0804-0000-0000000FF1CE}-C\7EB55EEB14F1A78A1025A0288333052F.tmp
C:\MSOCache\All Users\{90120000-0016-0804-0000-0000000FF1CE}-C\ExcelMUI.xml ---> c:\MSOCache\All Users\{90120000-0016-0804-0000-0000000FF1CE}-C\60EF3AD9772E9FBE18D90761FE6D3B98.tmp
C:\MSOCache\All Users\{90120000-0016-0804-0000-0000000FF1CE}-C\Setup.xml ---> c:\MSOCache\All Users\{90120000-0016-0804-0000-0000000FF1CE}-C\F19B9637E5DE24CF492DFFA13E57CD61.tmp
C:\MSOCache\All Users\{90120000-0018-0804-0000-0000000FF1CE}-C\PowerPointMUI.xml ---> c:\MSOCache\All Users\{90120000-0018-0804-0000-0000000FF1CE}-C\2273815E4E22A85A17EB6C3070464B75.tmp
C:\MSOCache\All Users\{90120000-0018-0804-0000-0000000FF1CE}-C\Setup.xml ---> c:\MSOCache\All Users\{90120000-0018-0804-0000-0000000FF1CE}-C\C28F7BB9D5FBD47555E97E95B76C2816.tmp
C:\MSOCache\All Users\{90120000-006E-0804-0000-0000000FF1CE}-C\OfficeMUI.xml ---> c:\MSOCache\All Users\{90120000-006E-0804-0000-0000000FF1CE}-C\EA7AB2D5FD1B81EFF0B9267A97BA47BE.tmp
C:\MSOCache\All Users\{90120000-0019-0804-0000-0000000FF1CE}-C\Setup.xml ---> c:\MSOCache\All Users\{90120000-0019-0804-0000-0000000FF1CE}-C\9E6C5BFFE67CFD28E56EABF38756BBC7.tmp
C:\MSOCache\All Users\{90120000-001A-0804-0000-0000000FF1CE}-C\OutlookMUI.xml ---> c:\MSOCache\All Users\{90120000-001A-0804-0000-0000000FF1CE}-C\BA01114638CD762CF4FC6A34343C98E8.tmp
Behavior: Set special folder attributes
Details:
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
Behavior: Modify file content
Details:
C:\Users\Administrator\Desktop\IT40E94E-3KS1-6PR5-DAB811DC-7F561E64AEA1.lukitus ---> Offset = 0
C:\Users\Administrator\Desktop\IT40E94E-3KS1-6PR5-DAB811DC-7F561E64AEA1.lukitus ---> Offset = 23040
C:\Users\Administrator\Desktop\lukitus-d330.htm ---> Offset = 0
C:\Users\Administrator\IT40E94E-3KS1-6PR5-BAD5B1F5-3CF7782B97B8.lukitus ---> Offset = 0
C:\Users\Administrator\IT40E94E-3KS1-6PR5-BAD5B1F5-3CF7782B97B8.lukitus ---> Offset = 23040
C:\Users\Administrator\money.doc ---> Offset = 0
C:\Users\Administrator\lukitus-78c4.htm ---> Offset = 0
C:\IT40E94E-3KS1-6PR5-CF5ED57E-893891247FFA.lukitus ---> Offset = 0
C:\IT40E94E-3KS1-6PR5-CF5ED57E-893891247FFA.lukitus ---> Offset = 23040
C:\lukitus-c8e6.htm ---> Offset = 0
C:\Users\Administrator\Pictures\IT40E94E-3KS1-6PR5-70C7FA25-6C6C3EF3D7F5.lukitus ---> Offset = 0
C:\Users\Administrator\Pictures\IT40E94E-3KS1-6PR5-70C7FA25-6C6C3EF3D7F5.lukitus ---> Offset = 23040
C:\Users\Administrator\Pictures\lukitus-5a31.htm ---> Offset = 0
C:\Users\Administrator\Documents\IT40E94E-3KS1-6PR5-9FCA27FF-7958AE5A88EF.lukitus ---> Offset = 0
C:\Users\Administrator\Documents\IT40E94E-3KS1-6PR5-9FCA27FF-7958AE5A88EF.lukitus ---> Offset = 23040
Network behavior
Behavior: Open HTTP connection
Details:
InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), hSession = 0x00cc0004
Behavior: Connect to specified host
Details:
InternetConnectA: ServerName = **.234.37.**, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
InternetConnectA: ServerName = **.230.211.**, PORT = 80, UserName = , Password = , hSession = 0x00cc0004, hConnect = 0x00cc0008, Flags = 0x00000000
Behavior: Open specified web page in IE
Details:
C:\Users\Administrator\Desktop\lukitus.htm
Behavior: Establish socket connection to a specified address
Details:
IP: **.234.37.**:80, SOCKET = 0x000002e4
IP: **.230.211.**:80, SOCKET = 0x000002e4
Behavior: Send HTTP packet
Details:
POST /imageload.cgi HTTP/1.1 Accept: */* Accept-Language: en-us Referer: http://109.234.37.227/ x-requested-with: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: **.234.37.** Content-Length: 790 Connection: Keep-Alive
POST /imageload.cgi HTTP/1.1 Accept: */* Accept-Language: en-us Referer: http://91.230.211.76/ x-requested-with: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Cache-Control: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: **.230.211.** Content-Length: 790 Connection: Keep-Alive
Behavior: Open HTTP request
Details:
HttpOpenRequestA: **.234.37.**:80/imageload.cgi, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: POST, Referer: , Flags = 0x844c0300
HttpOpenRequestA: **.230.211.**:80/imageload.cgi, hConnect = 0x00cc0008, hRequest = 0x00cc000c, Verb: POST, Referer: , Flags = 0x844c0300
Registry behavior
Behavior: Modify registry
Details:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\FileTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\ConsoleTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\MaxFileSize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASAPI32\FileDirectory
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\EnableFileTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\EnableConsoleTracing
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\FileTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\ConsoleTracingMask
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\MaxFileSize
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\b70c_RASMANCS\FileDirectory
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{FFE2A43C-56B9-4BF5-9A79-CC6D4285608A} {00000122-0000-0000-C000-000000000046} 0xFFFF
\REGISTRY\USER\S-*\Software\Microsoft\Direct3D\MostRecentApplication\Name
Behavior: Delete registry value
Details:
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Behavior: Modify registry (desktop wallpaper registry values)
Details:
\REGISTRY\USER\S-*\Control Panel\Desktop\WallpaperStyle
\REGISTRY\USER\S-*\Control Panel\Desktop\Wallpaper
Other behavior
Behavior: Check whether it is being debugged
Details:
IsDebuggerPresent
Behavior: Create mutex
Details:
RasPbFile
Behavior: Enumerate network shares
Details:
N/A
Behavior: Create event object
Details:
EventName = Global\7a9a8a6aBaDa3a4a3aCa2aFa:a:aEaFa
EventName = Local\7a9a8a6aBaDa3a4a3aCa2aFa:a:aEaFa
Behavior: Suspected ransomware (encryption extortion) behavior
Details:
N/A
N/A
Behavior: Open mutex
Details:
Global\7a9a8a6aBaDa3a4a3aCa2aFa:a:aEaFa
Local\7a9a8a6aBaDa3a4a3aCa2aFa:a:aEaFa
Local\_!MSFTHISTORY!_
Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5!
Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!
Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!
Local\WininetStartupMutex
Local\WininetConnectionMutex
Local\WininetProxyRegistryMutex
RasPbFile
Behavior: Find specified window
Details:
NtUserFindWindowEx: [Class,Window] = [DDEMLMom,]
Behavior: Encrypt data
Details:
[CryptEncrypt] Data: 0x0012F6F4, PlainTextLen: 128, CipherTextLen: 128, Flags: 0x00000000
[CryptEncrypt] Data: 0x01B3F6DC, PlainTextLen: 256, CipherTextLen: 256, Flags: 0x00000000
Behavior: Open photo viewer
Details:
C:\Users\Administrator\Desktop\lukitus.bmp
Behavior: Get TickCount value
Details:
TickCount = 210093, SleepMilliseconds = 33000.
TickCount = 210109, SleepMilliseconds = 33000.
TickCount = 210187, SleepMilliseconds = 33000.
TickCount = 210218, SleepMilliseconds = 33000.
TickCount = 210250, SleepMilliseconds = 33000.
TickCount = 210265, SleepMilliseconds = 33000.
TickCount = 210281, SleepMilliseconds = 33000.
TickCount = 210296, SleepMilliseconds = 33000.
TickCount = 210312, SleepMilliseconds = 33000.
TickCount = 210437, SleepMilliseconds = 33000.
TickCount = 210468, SleepMilliseconds = 33000.
TickCount = 210484, SleepMilliseconds = 33000.
TickCount = 210500, SleepMilliseconds = 33000.
TickCount = 210515, SleepMilliseconds = 33000.
TickCount = 210531, SleepMilliseconds = 33000.
Behavior: Open event
Details:
HookSwitchHookEnabledEvent
\INSTALLATION_SECURITY_HOLD
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\SvcctrlStartEvent_A3752DX
Global\TermSrvReadyEvent
\KernelObjects\MaximumCommitCondition
MSFT.VSA.COM.DISABLE.2796
MSFT.VSA.IEC.STATUS.6c736db0
Behavior: Call Sleep function
Details:
[1]: MilliSeconds = 33000.
[2]: MilliSeconds = 60000.
[3]: MilliSeconds = 60000.
[4]: MilliSeconds = 0.
[5]: MilliSeconds = 60000.
[6]: MilliSeconds = 0.
Behavior: Read CPU clock directly
Details:
EAX = 0xb16b07f8, EDX = 0x0000007a
Behavior: Import key
Details:
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x0012FC24, DataLen: 148, Flags: 0x00000000
[CryptImportKey] Algorithm: CALG_RC2 (0x00006602), Data: 0x0012F36C, DataLen: 140, Flags: 0x00000100
[CryptImportKey] Algorithm: CALG_RSA_KEYX (0x0000a400), Data: 0x00381400, DataLen: 276, Flags: 0x00000000
Process tree
****.exe (PID: 0x00000aec)
cmd.exe (PID: 0x00000f94)[/mw_shl_code]