Cerber（17.10.17）

显示全部楼层 · 发表于 2017-10-17 18:20:57

89.45.67.144/onore.exe

https://transfer.sh/EcVaJ/onore.7z

infected

https://www.virustotal.com/en/fi ... /analysis/#analysis

显示全部楼层 · 发表于 2017-10-17 19:10:18

avast kill

显示全部楼层 · 发表于 2017-10-17 19:54:23

管家扫描miss

显示全部楼层 · 发表于 2017-10-17 20:17:16

卡巴终止下载

显示全部楼层 · 发表于 2017-10-17 20:34:20

17.10.2017 20.33.56;检测到的对象 ( 文件 ) 已删除;
C:\Users\USER\Downloads\Compressed\Virus Test\onore\onore.exe;Windows Explorer;C:\Users\USER\Downloads\Compressed\Virus Test\onore\onore.exe;10/17/2017 20:33:56;
UDS:DangerousObject.Multi.Generic

显示全部楼层 · 发表于 2017-10-17 20:39:59

下载到两个文件，哈希不一样。

WIEP 扫描不报。

显示全部楼层 · 发表于 2017-10-17 21:25:39

本帖最后由左手于 2017-10-17 21:44 编辑

[mw_shl_code=css,true]2017-10-17 21:07:35 修改注册表值风险提示:敏感阻止
进程: c:\documents and settings\administrator\桌面\onore.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
值: C:\Documents and Settings\Administrator\Application Data
规则: [应用程序]?:\*\*\*\* -> [注册表组]阻止_优先黑名单

2017-10-17 21:08:06 创建文件风险提示:低风险允许
进程: c:\documents and settings\administrator\桌面\onore.exe
目标: C:\Documents and Settings\Administrator\Application Data\QuickMediaEditor\Application\1.0.0.2057\share\mlt\presets\consumer\avformat\stills\ikucmc.azm
规则: [应用程序]?:\*\*\*\* -> [文件]c:\documents and settings\*\application data\*

2017-10-17 21:08:15 创建文件风险提示:低风险允许
进程: c:\documents and settings\administrator\桌面\onore.exe
目标: C:\Documents and Settings\Administrator\Application Data\QuickMediaEditor\Application\1.0.0.2057\share\mlt\presets\consumer\avformat\stills\msvcr120.ozu
规则: [应用程序]?:\*\*\*\* -> [文件]c:\documents and settings\*\application data\*

2017-10-17 21:08:23 创建文件风险提示:低风险允许
进程: c:\documents and settings\administrator\桌面\onore.exe
目标: C:\Documents and Settings\Administrator\Application Data\QuickMediaEditor\Application\1.0.0.2057\share\mlt\presets\consumer\avformat\stills\f_0000f2.igy
规则: [应用程序]?:\*\*\*\* -> [文件]c:\documents and settings\*\application data\*

2017-10-17 21:08:29 创建文件风险提示:低风险允许
进程: c:\documents and settings\administrator\桌面\onore.exe
目标: C:\Documents and Settings\Administrator\Application Data\QuickMediaEditor\Application\1.0.0.2057\share\mlt\presets\consumer\avformat\stills\run.exe
规则: [应用程序]?:\*\*\*\* -> [文件]c:\documents and settings\*\application data\*

2017-10-17 21:08:36 创建注册表项风险提示:未知阻止
进程: c:\documents and settings\administrator\桌面\onore.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Ifeco
规则: [注册表组]r111_低优先询问 -> [注册表]HKEY_CURRENT_USER\Software\Microsoft

2017-10-17 21:08:36 创建注册表项风险提示:未知阻止
进程: c:\documents and settings\administrator\桌面\onore.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Ifeco
规则: [应用程序组]→a999_√★《临时规则_安装模式》★√ -> [应用程序]c:\documents and settings\administrator\桌面\onore.exe -> [注册表]HKEY_CURRENT_USER\Software\Microsoft; Ifeco

2017-10-17 21:08:43 创建注册表项风险提示:未知阻止
进程: c:\documents and settings\administrator\桌面\onore.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Funu
规则: [注册表组]r111_低优先询问 -> [注册表]HKEY_CURRENT_USER\Software\Microsoft

2017-10-17 21:08:43 创建注册表项风险提示:未知阻止
进程: c:\documents and settings\administrator\桌面\onore.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Funu
规则: [应用程序组]→a999_√★《临时规则_安装模式》★√ -> [应用程序]c:\documents and settings\administrator\桌面\onore.exe -> [注册表]HKEY_CURRENT_USER\Software\Microsoft; Funu

2017-10-17 21:08:48 创建注册表项风险提示:未知阻止
进程: c:\documents and settings\administrator\桌面\onore.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Soevyn
规则: [注册表组]r111_低优先询问 -> [注册表]HKEY_CURRENT_USER\Software\Microsoft

2017-10-17 21:08:48 创建注册表项风险提示:未知阻止
进程: c:\documents and settings\administrator\桌面\onore.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Soevyn
规则: [应用程序组]→a999_√★《临时规则_安装模式》★√ -> [应用程序]c:\documents and settings\administrator\桌面\onore.exe -> [注册表]HKEY_CURRENT_USER\Software\Microsoft\*

2017-10-17 21:08:48 创建注册表项风险提示:未知阻止
进程: c:\documents and settings\administrator\桌面\onore.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Iwruc
规则: [应用程序组]→a999_√★《临时规则_安装模式》★√ -> [应用程序]c:\documents and settings\administrator\桌面\onore.exe -> [注册表]HKEY_CURRENT_USER\Software\Microsoft\*

2017-10-17 21:08:48 创建注册表项风险提示:未知阻止
进程: c:\documents and settings\administrator\桌面\onore.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Quolu
规则: [应用程序组]→a999_√★《临时规则_安装模式》★√ -> [应用程序]c:\documents and settings\administrator\桌面\onore.exe -> [注册表]HKEY_CURRENT_USER\Software\Microsoft\*

2017-10-17 21:08:48 创建注册表项风险提示:未知阻止
进程: c:\documents and settings\administrator\桌面\onore.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Ecife
规则: [应用程序组]→a999_√★《临时规则_安装模式》★√ -> [应用程序]c:\documents and settings\administrator\桌面\onore.exe -> [注册表]HKEY_CURRENT_USER\Software\Microsoft\*

2017-10-17 21:08:48 创建新进程风险提示:未知允许
进程: c:\documents and settings\administrator\桌面\onore.exe
目标: c:\documents and settings\administrator\application data\quickmediaeditor\application\1.0.0.2057\share\mlt\presets\consumer\avformat\stills\run.exe
命令行: "C:\Documents and Settings\Administrator\Application Data\QuickMediaEditor\Application\1.0.0.2057\share\mlt\presets\consumer\avformat\stills\run.exe"
规则: [应用程序]??\?* -> [子应用程序]c:\documents and settings\*\application data\*\*.exe

2017-10-17 21:09:19 修改注册表值风险提示:敏感阻止
进程: c:\documents and settings\administrator\application data\quickmediaeditor\application\1.0.0.2057\share\mlt\presets\consumer\avformat\stills\run.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
值: C:\Documents and Settings\Administrator\Application Data
规则: [应用程序]?:\*\*\*\*\*\* -> [注册表组]阻止_优先黑名单

2017-10-17 21:09:19 修改文件风险提示:敏感阻止
进程: c:\documents and settings\administrator\桌面\onore.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temp\upd4938a6fb.bat
规则: [应用程序组]→a999_√★《临时规则_安装模式》★√ -> [文件组]《坚固》f299_询问修改的文件>a100 -> [文件]*; *.bat

2017-10-17 21:09:37 删除文件风险提示:敏感允许
进程: c:\documents and settings\administrator\桌面\onore.exe
目标: C:\Documents and Settings\Administrator\Local Settings\Temp\upd4938a6fb.bat
规则: [应用程序组]→a999_√★《临时规则_安装模式》★√ -> [文件组]《坚固》f299_询问修改的文件>a100 -> [文件]*; *.bat

2017-10-17 21:10:32 创建新进程风险提示:未知允许
进程: c:\documents and settings\administrator\application data\quickmediaeditor\application\1.0.0.2057\share\mlt\presets\consumer\avformat\stills\run.exe
目标: c:\windows\system32\svchost.exe
命令行: C:\WINDOWS\system32\svchost.exe -k netsvcs
规则: [应用程序]??\?* -> [子应用程序]a085_《行为防御》_特殊位置限制 -> [应用程序]c:\windows\system32\svchost.exe

2017-10-17 21:10:32 修改其他进程的内存风险提示:高风险 (2) 阻止
进程: c:\documents and settings\administrator\application data\quickmediaeditor\application\1.0.0.2057\share\mlt\presets\consumer\avformat\stills\run.exe
目标: c:\windows\system32\svchost.exe
规则: [应用程序组]a082_《行为防御》_自动运行 -> [应用程序]c:\documents and settings\*\* -> [目标应用程序]?:\windows\system32\svchost.exe

2017-10-17 21:11:05 修改注册表值风险提示:敏感阻止
进程: d:\program files\360chrome\360chrome.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop
值: C:\Documents and Settings\All Users\桌面
规则: [应用程序]?:\program files\*\*.exe -> [注册表组]阻止_优先黑名单

2017-10-17 21:11:06 修改注册表值风险提示:敏感阻止
进程: c:\program files\tencent\qqwubi\2.2.339.400\qqwubiconfig.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
值: 0x00000000(0)
规则: [应用程序组]→a080_√√√★★★『一般加至该组《常用的程序和游戏》』★★★√√√ -> [注册表组]阻止_优先黑名单

2017-10-17 21:11:06 修改注册表值风险提示:敏感阻止
进程: c:\program files\tencent\qqwubi\2.2.339.400\qqwubiconfig.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
值: 150.176.182.31;80:80
规则: [应用程序组]→a080_√√√★★★『一般加至该组《常用的程序和游戏》』★★★√√√ -> [注册表组]阻止_优先黑名单

2017-10-17 21:11:06 修改注册表值风险提示:敏感阻止
进程: c:\program files\tencent\qqwubi\2.2.339.400\qqwubiconfig.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
值: *.local
规则: [应用程序组]→a080_√√√★★★『一般加至该组《常用的程序和游戏》』★★★√√√ -> [注册表组]阻止_优先黑名单

2017-10-17 21:11:27 修改物理内存风险提示:高风险阻止
进程: c:\program files\tencent\qqwubi\2.2.339.400\qqwubiconfig.exe
规则: [应用程序组]→a080_√√√★★★『一般加至该组《常用的程序和游戏》』★★★√√√ -> [应用程序]c:\program files\tencent\qqwubi\2.2.339.400\qqwubiconfig.exe

2017-10-17 21:20:00 修改注册表值风险提示:敏感 (2) 阻止
进程: c:\program files\aliwangwang\9.11.02c\aliexternal.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData
值: C:\Documents and Settings\Administrator\Local Settings\Application Data
规则: [应用程序]?:\program files\*\*.exe -> [注册表组]阻止_优先黑名单

2017-10-17 21:20:18 创建注册表项风险提示:未知 (2) 阻止
进程: c:\program files\aliwangwang\9.11.02c\alifilecheck.exe
目标: HKEY_CURRENT_USER\SOFTWARE\Classes\.阿里旺旺接收的可疑文件
规则: [注册表组]《受保护的注册表》 -> [注册表]*\Software\Classes\*

2017-10-17 21:20:18 创建注册表项风险提示:未知 (2) 阻止
进程: c:\program files\aliwangwang\9.11.02c\alifilecheck.exe
目标: HKEY_CURRENT_USER\Software\Classes\.阿里旺旺接收的可疑文件
规则: [注册表组]《受保护的注册表》 -> [注册表]*\Software\Classes\*

2017-10-17 21:23:50 修改注册表值风险提示:敏感阻止
进程: c:\windows\system32\svchost.exe
目标: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
值: 0x00000000(0)
规则: [应用程序]c:\windows\system32\svchost.exe -> [注册表]HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings; ProxyEnable

2017-10-17 21:23:50 修改注册表值风险提示:敏感阻止
进程: c:\windows\system32\svchost.exe
目标: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
值: 46 00 00 00 65 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 10 81 05 fa fc 43 d2 01 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 c0 a8 01 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 23 00 2e 00 08 00 40 02 15 00 40 02 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 05 00 35 01 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 0a 00 38 00 08 00
规则: [应用程序]c:\windows\system32\svchost.exe -> [注册表]HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections; SavedLegacySettings
[/mw_shl_code]

显示全部楼层 · 发表于 2017-10-17 21:26:15

显示全部楼层 · 发表于 2017-10-17 21:57:54

毒霸

显示全部楼层 · 发表于 2017-10-17 22:06:34

文件

网页

[病毒样本] Cerber（17.10.17）

评分

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源