Thread starter: 潇湘颦儿

[Virus sample] About 鬼影6 (Ghost Shadow 6)

liulangzhecgr
Posted on 2012-8-23 07:59:18
This post was last edited by liulangzhecgr on 2012-8-23 08:15
00315 posted on 2012-8-22 21:31:
MD gets force-quit by the sample, did you forget?


2012-8-22 20:04:29    创建新进程    允许
进程: c:\windows\explorer.exe
目标: e:\downloads\管理员\1001\1001.exe
命令行: "E:\downloads\管理员\1001\1001.exe"
规则: [应用程序]*

2012-8-22 20:04:33    创建文件夹    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: C:\Temp
规则: [应用程序]* -> [文件]*

2012-8-22 20:04:43    修改文件    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: \Device\NamedPipe\samr
规则: [应用程序]* -> [文件]*

2012-8-22 20:04:57    修改注册表值    允许
进程: c:\windows\system32\lsass.exe
目标: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users
值:
规则: [应用程序]c:\windows\system32\lsass.exe -> [注册表]*

2012-8-22 20:05:14    创建注册表项    允许
进程: c:\windows\system32\lsass.exe
目标: HKEY_LOCAL_MACHINE\SAM\SAM\DOMAINS\Account\Users\Names\mima1
规则: [应用程序]c:\windows\system32\lsass.exe -> [注册表]*

2012-8-22 20:05:23    修改注册表值    允许
进程: c:\windows\system32\lsass.exe
目标: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\mima1
值:
规则: [应用程序]c:\windows\system32\lsass.exe -> [注册表]*


2012-8-22 20:05:40    修改注册表值    允许
进程: c:\windows\system32\lsass.exe
目标: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Groups\00000201\C
值: 02 00 01 00 01 02 00 00 07 00 00 00 02 00 01 00 00 00 00 00 00 00 00 00 b0 00 00 00 02 00 01 00 b0 00 00 00 08 00 00 00 00 00 00 00 b8 00 00 00 08 00 00 00 00 00 00 00 c0 00 00 00 64 00 00 00 05 00 00 00 01 00 14 80 90 00 00 00 a0 00 00 00 14 00 00 00 44 00 00 00 02 00 30 00 02 00 00 00 02 c0 14 00 0e 00 05 01 01 01 00 00 00 00 00 01 00 00 00 00 02 c0 14 00 ff ff 1f 00 01 01 00 00 00 00 00 05 07 00 00 00 02 00 4c 00 03 00 00 00 00 00 14 00 11 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 18 00 1f 00 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 18 00 1f 00 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 24 02 00 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 4e 00 6f 00 6e 00 65 00 00 4e 2c 82 28 75 37 62 f4 01 00 00 f5 01 00 00 e8 03 00 00 ea 03 00 00 ec 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
规则: [应用程序]c:\windows\system32\lsass.exe -> [注册表]*

2012-8-22 20:05:46    修改注册表值    允许
进程: c:\windows\system32\lsass.exe
目标: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003EC\F
值: 02 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff 7f 00 00 00 00 00 00 00 00 ec 03 00 00 01 02 00 00 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff db 01 93 7c
规则: [应用程序]c:\windows\system32\lsass.exe -> [注册表]*

2012-8-22 20:05:52    修改注册表值    允许
进程: c:\windows\system32\lsass.exe
目标: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003EC\V
值: 00 00 00 00 d4 00 00 00 02 00 01 00 d4 00 00 00 0a 00 00 00 00 00 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 08 00 00 00 01 00 00 00 e8 00 00 00 04 00 00 00 00 00 00 00 ec 00 00 00 04 00 00 00 00 00 00 00 f0 00 00 00 04 00 00 00 00 00 00 00 f4 00 00 00 04 00 00 00 00 00 00 00 01 00 14 80 b4 00 00 00 c4 00 00 00 14 00 00 00 44 00 00 00 02 00 30 00 02 00 00 00 02 c0 14 00 44 00 05 01 01 01 00 00 00 00 00 01 00 00 00 00 02 c0 14 00 ff ff 1f 00 01 01 00 00 00 00 00 05 07 00 00 00 02 00 70 00 04 00 00 00 00 00 14 00 5b 03 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 18 00 ff 07 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 18 00 ff 07 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 24 02 00 00 00 00 24 00 44 00 02 00 01 05 00 00 00 00 00 05 15 00 00 00 fc e3 15 31 11 c3 5f 73 83 3d 2b 46 ec 03 00 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 6d 00 69 00 6d 00 61 00 31 00 00 00 01 02 00 00 07 00 00 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00
规则: [应用程序]c:\windows\system32\lsass.exe -> [注册表]*

2012-8-22 20:05:58    修改注册表值    允许
进程: c:\windows\system32\lsass.exe
目标: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\F
值: 02 00 01 00 00 00 00 00 b2 af 4e cf 82 6f c8 01 17 00 00 00 00 00 00 00 00 00 00 00 40 de ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 cc 1d cf fb ff ff ff 00 cc 1d cf fb ff ff ff 00 00 00 00 00 00 00 00 ed 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 03 00 00 00 01 00 00 00 01 00 01 00 01 00 00 00 38 00 00 00 5e 91 28 32 ae 9e dc b9 a7 9d 2d d9 25 a1 ae 62 c5 51 77 ee 7c 30 4a 33 f6 36 8c b7 f8 64 bf fd 04 eb 3b b4 c2 af c7 ce 79 8b 2e 9f 0e 90 25 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00
规则: [应用程序]c:\windows\system32\lsass.exe -> [注册表]*

2012-8-22 20:06:03    修改文件    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: \Device\NamedPipe\lsarpc
规则: [应用程序]* -> [文件]*

2012-8-22 20:06:24    创建注册表项    允许
进程: c:\windows\system32\lsass.exe
目标: HKEY_LOCAL_MACHINE\SAM\SAM\DOMAINS\Builtin\Aliases\Members\S-1-5-21-823518204-1935655697-1177238915\000003EC
规则: [应用程序]c:\windows\system32\lsass.exe -> [注册表]*

2012-8-22 20:06:28    修改注册表值    允许
进程: c:\windows\system32\lsass.exe
目标: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-823518204-1935655697-1177238915\000003EC
值: Ƞ
规则: [应用程序]c:\windows\system32\lsass.exe -> [注册表]*

2012-8-22 20:06:34    修改注册表值    允许
进程: c:\windows\system32\lsass.exe
目标: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-823518204-1935655697-1177238915
值:
规则: [应用程序]c:\windows\system32\lsass.exe -> [注册表]*

2012-8-22 20:06:40    修改注册表值    允许
进程: c:\windows\system32\lsass.exe
目标: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\00000220\C
值: 20 02 00 00 00 00 00 00 98 00 00 00 02 00 01 00 98 00 00 00 1c 00 00 00 00 00 00 00 b4 00 00 00 28 00 00 00 00 00 00 00 dc 00 00 00 38 00 00 00 02 00 00 00 01 00 14 80 78 00 00 00 88 00 00 00 14 00 00 00 44 00 00 00 02 00 30 00 02 00 00 00 02 c0 14 00 13 00 05 01 01 01 00 00 00 00 00 01 00 00 00 00 02 c0 14 00 ff ff 1f 00 01 01 00 00 00 00 00 05 07 00 00 00 02 00 34 00 02 00 00 00 00 00 14 00 0c 00 02 00 01 01 00 00 00 00 00 01 00 00 00 00 00 00 18 00 1f 00 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 41 00 64 00 6d 00 69 00 6e 00 69 00 73 00 74 00 72 00 61 00 74 00 6f 00 72 00 73 00 a1 7b 06 74 58 54 f9 5b a1 8b 97 7b 3a 67 2f 00 df 57 09 67 0d 4e d7 53 50 96 36 52 84 76 8c 5b 68 51 bf 8b ee 95 43 67 01 05 00 00 00 00 00 05 15 00 00 00 fc e3 15 31 11 c3 5f 73 83 3d 2b 46 f4 01 00 00 01 05 00 00 00 00 00 05 15 00 00 00 fc e3 15 31 11 c3 5f 73 83 3d 2b 46 ec 03 00 00
规则: [应用程序]c:\windows\system32\lsass.exe -> [注册表]*

2012-8-22 20:06:45    修改注册表值    允许
进程: c:\windows\system32\lsass.exe
目标: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\F
值: 02 00 01 00 00 00 00 00 58 4d 4c cf 82 6f c8 01 09 00 00 00 00 00 00 00 00 00 00 00 40 de ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 cc 1d cf fb ff ff ff 00 cc 1d cf fb ff ff ff 00 00 00 00 00 00 00 00 e8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
规则: [应用程序]c:\windows\system32\lsass.exe -> [注册表]*

2012-8-22 20:06:55    从其他进程复制句柄    允许
进程: c:\windows\system32\svchost.exe
目标: e:\downloads\管理员\1001\1001.exe
句柄: (WindowStation) \Windows\WindowStations\WinSta0
规则: [应用程序]c:\windows\system32\svchost.exe

2012-8-22 20:07:02    创建新进程    允许
进程: c:\windows\system32\svchost.exe
目标: c:\windows\system32\ipconfig.exe
命令行: ipconfig.exe /release
规则: [应用程序]*

2012-8-22 20:07:09    修改注册表值    允许
进程: c:\windows\system32\ipconfig.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\LogSessionName
值: stdout
规则: [应用程序]* -> [注册表]*

2012-8-22 20:07:15    修改注册表值    允许
进程: c:\windows\system32\ipconfig.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\Active
值: 0x00000001(1)
规则: [应用程序]* -> [注册表]*

2012-8-22 20:07:19    修改注册表值    允许
进程: c:\windows\system32\ipconfig.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\ControlFlags
值: 0x00000001(1)
规则: [应用程序]* -> [注册表]*

2012-8-22 20:07:24    修改注册表值    允许
进程: c:\windows\system32\ipconfig.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier\Guid
值: 5f31090b-d990-4e91-b16d-46121d0255aa
规则: [应用程序]* -> [注册表]*

2012-8-22 20:07:31    修改注册表值    允许
进程: c:\windows\system32\ipconfig.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier\BitNames
值:  Error Unusual Info Debug
规则: [应用程序]* -> [注册表]*

2012-8-22 20:07:34    修改注册表值    允许
进程: c:\windows\system32\ipconfig.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\LogSessionName
值: stdout
规则: [应用程序]* -> [注册表]*

2012-8-22 20:07:38    修改注册表值    允许
进程: c:\windows\system32\ipconfig.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\Active
值: 0x00000001(1)
规则: [应用程序]* -> [注册表]*

2012-8-22 20:07:41    修改注册表值    允许
进程: c:\windows\system32\ipconfig.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\ControlFlags
值: 0x00000001(1)
规则: [应用程序]* -> [注册表]*

2012-8-22 20:07:45    修改注册表值    允许
进程: c:\windows\system32\ipconfig.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier\Guid
值: 5f31090b-d990-4e91-b16d-46121d0255aa
规则: [应用程序]* -> [注册表]*

2012-8-22 20:07:51    修改注册表值    允许
进程: c:\windows\system32\ipconfig.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier\BitNames
值:  Error Unusual Info Debug
规则: [应用程序]* -> [注册表]*

2012-8-22 20:07:58    修改注册表值    允许
进程: c:\windows\system32\ipconfig.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\LogSessionName
值: stdout
规则: [应用程序]* -> [注册表]*

2012-8-22 20:08:02    修改注册表值    允许
进程: c:\windows\system32\ipconfig.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\Active
值: 0x00000001(1)
规则: [应用程序]* -> [注册表]*

2012-8-22 20:08:05    修改注册表值    允许
进程: c:\windows\system32\ipconfig.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\ControlFlags
值: 0x00000001(1)
规则: [应用程序]* -> [注册表]*

2012-8-22 20:08:09    修改注册表值    允许
进程: c:\windows\system32\ipconfig.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier\Guid
值: 8aefce96-4618-42ff-a057-3536aa78233e
规则: [应用程序]* -> [注册表]*

2012-8-22 20:08:12    修改注册表值    允许
进程: c:\windows\system32\ipconfig.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier\BitNames
值:  Error Unusual Info Debug
规则: [应用程序]* -> [注册表]*

2012-8-22 20:08:17    创建注册表项    允许
进程: c:\windows\system32\ipconfig.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ipconfig
规则: [应用程序]* -> [注册表]*

2012-8-22 20:08:21    创建注册表项    允许
进程: c:\windows\system32\ipconfig.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG
规则: [应用程序]* -> [注册表]*

2012-8-22 20:08:26    删除注册表值    允许
进程: c:\windows\system32\ipconfig.exe
目标: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG\Trace Level
规则: [应用程序]* -> [注册表]*

2012-8-22 20:08:29    修改注册表值    允许
进程: c:\windows\system32\ipconfig.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT\EventMessageFile
值: C:\WINDOWS\system32\ESENT.dll
规则: [应用程序]* -> [注册表]*

2012-8-22 20:08:33    修改注册表值    允许
进程: c:\windows\system32\ipconfig.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT\CategoryMessageFile
值: C:\WINDOWS\system32\ESENT.dll
规则: [应用程序]* -> [注册表]*

2012-8-22 20:08:36    修改注册表值    允许
进程: c:\windows\system32\ipconfig.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT\CategoryCount
值: 0x00000010(16)
规则: [应用程序]* -> [注册表]*

2012-8-22 20:08:39    修改注册表值    允许
进程: c:\windows\system32\ipconfig.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT\TypesSupported
值: 0x00000007(7)
规则: [应用程序]* -> [注册表]*

2012-8-22 20:08:43    修改文件    允许
进程: c:\windows\system32\ipconfig.exe
目标: \Device\NamedPipe\lsarpc
规则: [应用程序]* -> [文件]*

2012-8-22 20:08:56    创建文件    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: C:\temp\zwrojhbzur.sys
规则: [应用程序]* -> [文件]*

2012-8-22 20:09:03    安装驱动程序或服务    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: C:\temp\zwrojhbzur.sys
规则: [应用程序]*


2012-8-22 20:09:18    创建注册表项    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zwrojhbzur
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-22 20:09:24    修改注册表值    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zwrojhbzur\Type
值: 0x00000001(1)
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-22 20:09:28    修改注册表值    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zwrojhbzur\Start
值: 0x00000003(3)
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-22 20:09:32    修改注册表值    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zwrojhbzur\ErrorControl
值: 0x00000000(0)
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-22 20:09:38    修改注册表值    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zwrojhbzur\ImagePath
值: \??\C:\temp\zwrojhbzur.sys
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-22 20:09:42    修改注册表值    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zwrojhbzur\DisplayName
值: zwrojhbzur
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-22 20:09:46    创建注册表项    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zwrojhbzur\Security
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-22 20:09:50    修改注册表值    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zwrojhbzur\Security\Security
值: 01 00 14 80 90 00 00 00 9c 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 18 00 fd 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-22 20:09:57    加载驱动程序    允许
进程: c:\windows\system32\services.exe
目标: c:\temp\zwrojhbzur.sys
规则: [应用程序]c:\windows\system32\services.exe


2012-8-22 20:10:04    修改注册表值    允许
进程: c:\windows\system32\winlogon.exe
目标: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec
值: 1
规则: [应用程序]c:\windows\system32\winlogon.exe -> [注册表]*



Traced it up to this point and then a blue screen appeared...
Forced a system restart; the Windows logon box came up asking for a password...

Files created:
C:\Temp\zwrojhbzur.sys
C:\WINDOWS\system32\safemon.dll
C:\WINDOWS\system32\drivers\p2phook.sys
C:\WINDOWS\system32\drivers\sioctl.sys

Files modified:
C:\WINDOWS\system32\drivers\beep.sys



liulangzhecgr
Posted on 2012-8-23 08:45:10
00315 posted on 2012-8-22 21:31:
MD gets force-quit by the sample, did you forget?

Heh! This 鬼影 is not that 鬼影! That one is small fry compared to this one...
00315
Posted on 2012-8-23 08:54:46
liulangzhecgr posted on 2012-8-23 08:45:
Heh! This 鬼影 is not that 鬼影! That one is small fry compared to this one...

Oh, I couldn't download the attachment here yesterday, so I hadn't looked at this one.
fireworld
Posted on 2012-8-23 09:07:07
Ran it on a physical machine?
潇湘颦儿
Thread starter | Posted on 2012-8-23 09:11:35
liulangzhecgr posted on 2012-8-23 07:59:
2012-8-22 20:04:29    创建新进程    允许
进程: c:\windows\explorer.exe
目标: e:\downloads\管理 ...

I didn't find any change to the MBR with WinHex, heh.
00315
Posted on 2012-8-23 09:12:58
潇湘颦儿 posted on 2012-8-23 09:11:
I didn't find any change to the MBR with WinHex, heh.

Back it up from a PE environment and take a look; the sample won't run at all here.
潇湘颦儿
Thread starter | Posted on 2012-8-23 09:15:24
Everyone above: is there a safemon.dll module in the explorer.exe process? I didn't find one after allowing it, which is strange.
liulangzhecgr
Posted on 2012-8-23 09:17:55
潇湘颦儿 posted on 2012-8-23 09:11:
I didn't find any change to the MBR with WinHex, heh.

After running the sample, does the Windows logon window appear on reboot... how would you know the password, how do you get into the system...
00315
Posted on 2012-8-23 09:29:25
liulangzhecgr posted on 2012-8-23 09:17:
After running the sample, does the Windows logon window appear on reboot... how would you know the password, how do you get into the system...

Clean it up with a PE tool.

It just won't run here no matter what; it launches IE and then nothing happens.
火眼: http://fireeye.ijinshan.com/anal ... 8fddf270&type=1
liulangzhecgr
Posted on 2012-8-23 09:39:25
This post was last edited by liulangzhecgr on 2012-8-23 09:41
00315 posted on 2012-8-23 09:29:
Clean it up with a PE tool.

It just won't run here no matter what; it launches IE and then nothing happens.


Cleaning it up from PE... I was too careless, and last night I had no choice but to leave the machine!

Allowing everything isn't right either; how do you find a suitable point to block?!
Once the driver load is allowed, there's no telling... if last night's situation repeats...

2012-8-23 09:19:00    创建新进程    允许
进程: c:\windows\explorer.exe
目标: e:\downloads\管理员\1001\1001.exe
命令行: "E:\downloads\管理员\1001\1001.exe"
规则: [应用程序]*

2012-8-23 09:19:07    创建文件夹    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: C:\Temp
规则: [应用程序]* -> [文件]*

2012-8-23 09:19:16    修改文件    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: \Device\NamedPipe\samr
规则: [应用程序]* -> [文件]*

2012-8-23 09:19:25    修改注册表值    阻止
进程: c:\windows\system32\lsass.exe
目标: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users
值:
规则: [应用程序]c:\windows\system32\lsass.exe -> [注册表]*

2012-8-23 09:19:46    使用配置单元文件替换注册表项    阻止
进程: c:\windows\system32\lsass.exe
目标: HKEY_LOCAL_MACHINE\SAM
配置单元:
规则: [应用程序]c:\windows\system32\lsass.exe

2012-8-23 09:19:51    修改文件    阻止
进程: e:\downloads\管理员\1001\1001.exe
目标: \Device\NamedPipe\lsarpc
规则: [应用程序]* -> [文件]*

2012-8-23 09:20:03    创建文件    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: C:\temp\cwmhezwrke.sys
规则: [应用程序]* -> [文件]*

2012-8-23 09:20:17    安装驱动程序或服务    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: C:\temp\cwmhezwrke.sys
规则: [应用程序]*

2012-8-23 09:20:24    创建注册表项    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cwmhezwrke
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:20:26    修改注册表值    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cwmhezwrke\Type
值: 0x00000001(1)
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:20:29    修改注册表值    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cwmhezwrke\Start
值: 0x00000003(3)
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:20:30    修改注册表值    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cwmhezwrke\ErrorControl
值: 0x00000000(0)
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:20:32    修改注册表值    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cwmhezwrke\ImagePath
值: \??\C:\temp\cwmhezwrke.sys
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:20:34    修改注册表值    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cwmhezwrke\DisplayName
值: cwmhezwrke
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:20:36    创建注册表项    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cwmhezwrke\Security
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:20:37    修改注册表值    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cwmhezwrke\Security\Security
值: 01 00 14 80 90 00 00 00 9c 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 18 00 fd 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:20:54    加载驱动程序    阻止
进程: c:\windows\system32\services.exe
目标: c:\temp\cwmhezwrke.sys
规则: [应用程序]c:\windows\system32\services.exe

2012-8-23 09:21:03    创建文件    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: C:\temp\zxrmhezxrp.sys
规则: [应用程序]* -> [文件]*

2012-8-23 09:21:18    创建注册表项    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\p2phook
规则: [应用程序]* -> [注册表]*

2012-8-23 09:21:20    修改注册表值    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2phook\Type
值: 0x00000001(1)
规则: [应用程序]* -> [注册表]*

2012-8-23 09:21:22    修改注册表值    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2phook\ErrorControl
值: 0x00000001(1)
规则: [应用程序]* -> [注册表]*

2012-8-23 09:21:25    修改注册表值    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2phook\Start
值: 0x00000003(3)
规则: [应用程序]* -> [注册表]*

2012-8-23 09:21:44    修改注册表值    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2phook\ImagePath
值: \??\C:\temp\zxrmhezxrp.sys
规则: [应用程序]* -> [注册表]*

2012-8-23 09:22:03    加载驱动程序    阻止
进程: e:\downloads\管理员\1001\1001.exe
目标: c:\temp\zxrmhezxrp.sys
规则: [应用程序]*

2012-8-23 09:22:16    创建文件    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: C:\temp\hoezwrpjhb.sys
规则: [应用程序]* -> [文件]*

2012-8-23 09:22:20    创建注册表项    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hoezwrpjhb
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:22:23    修改注册表值    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hoezwrpjhb\Type
值: 0x00000001(1)
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:22:25    修改注册表值    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hoezwrpjhb\Start
值: 0x00000003(3)
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:22:26    修改注册表值    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hoezwrpjhb\ErrorControl
值: 0x00000000(0)
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:22:32    修改注册表值    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hoezwrpjhb\ImagePath
值: \??\C:\temp\hoezwrpjhb.sys
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:22:35    修改注册表值    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hoezwrpjhb\DisplayName
值: hoezwrpjhb
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:22:36    创建注册表项    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hoezwrpjhb\Security
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:22:38    修改注册表值    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hoezwrpjhb\Security\Security
值: 01 00 14 80 90 00 00 00 9c 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 18 00 fd 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:22:43    加载驱动程序    阻止
进程: c:\windows\system32\services.exe
目标: c:\temp\hoezwrpjhb.sys
规则: [应用程序]c:\windows\system32\services.exe

2012-8-23 09:22:58    创建文件    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: C:\temp\qkicasnlfd.sys
规则: [应用程序]* -> [文件]*

2012-8-23 09:23:09    修改注册表值    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2phook\Type
值: 0x00000001(1)
规则: [应用程序]* -> [注册表]*

2012-8-23 09:23:10    修改注册表值    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2phook\ErrorControl
值: 0x00000001(1)
规则: [应用程序]* -> [注册表]*

2012-8-23 09:23:11    修改注册表值    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2phook\Start
值: 0x00000003(3)
规则: [应用程序]* -> [注册表]*

2012-8-23 09:23:12    修改注册表值    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2phook\ImagePath
值: \??\C:\temp\qkicasnlfd.sys
规则: [应用程序]* -> [注册表]*

2012-8-23 09:23:16    加载驱动程序    阻止
进程: e:\downloads\管理员\1001\1001.exe
目标: c:\temp\qkicasnlfd.sys
规则: [应用程序]*

2012-8-23 09:24:11    创建文件    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: C:\temp\ljebwuomge.sys
规则: [应用程序]* -> [文件]*

2012-8-23 09:24:27    创建注册表项    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ljebwuomge
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:24:31    修改注册表值    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ljebwuomge\Type
值: 0x00000001(1)
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:24:32    修改注册表值    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ljebwuomge\Start
值: 0x00000003(3)
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:24:35    修改注册表值    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ljebwuomge\ErrorControl
值: 0x00000000(0)
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:24:37    修改注册表值    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ljebwuomge\ImagePath
值: \??\C:\temp\ljebwuomge.sys
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:24:39    修改注册表值    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ljebwuomge\DisplayName
值: ljebwuomge
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:24:41    创建注册表项    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ljebwuomge\Security
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:24:43    修改注册表值    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ljebwuomge\Security\Security
值: 01 00 14 80 90 00 00 00 9c 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 18 00 fd 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:24:51    加载驱动程序    阻止
进程: c:\windows\system32\services.exe
目标: c:\temp\ljebwuomge.sys
规则: [应用程序]c:\windows\system32\services.exe

2012-8-23 09:25:02    删除文件    阻止
进程: e:\downloads\管理员\1001\1001.exe
目标: C:\Temp\ljebwuomge.sys
规则: [应用程序]* -> [文件]*

2012-8-23 09:25:12    创建文件    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: C:\temp\zxspkhcaus.sys
规则: [应用程序]* -> [文件]*

2012-8-23 09:25:14    修改注册表值    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2phook\Type
值: 0x00000001(1)
规则: [应用程序]* -> [注册表]*

2012-8-23 09:25:15    修改注册表值    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2phook\ErrorControl
值: 0x00000001(1)
规则: [应用程序]* -> [注册表]*

2012-8-23 09:25:16    修改注册表值    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2phook\Start
值: 0x00000003(3)
规则: [应用程序]* -> [注册表]*

2012-8-23 09:25:25    修改注册表值    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2phook\ImagePath
值: \??\C:\temp\zxspkhcaus.sys
规则: [应用程序]* -> [注册表]*

2012-8-23 09:25:31    加载驱动程序    阻止
进程: e:\downloads\管理员\1001\1001.exe
目标: c:\temp\zxspkhcaus.sys
规则: [应用程序]*

2012-8-23 09:25:55    创建文件    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: C:\temp\ojgbztrljd.sys
规则: [应用程序]* -> [文件]*

2012-8-23 09:25:56    创建注册表项    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ojgbztrljd
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:25:58    修改注册表值    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ojgbztrljd\Type
值: 0x00000001(1)
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:25:59    修改注册表值    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ojgbztrljd\Start
值: 0x00000003(3)
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:26:01    修改注册表值    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ojgbztrljd\ErrorControl
值: 0x00000000(0)
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:26:05    修改注册表值    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ojgbztrljd\ImagePath
值: \??\C:\temp\ojgbztrljd.sys
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:26:07    修改注册表值    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ojgbztrljd\DisplayName
值: ojgbztrljd
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:26:10    创建注册表项    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ojgbztrljd\Security
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:26:13    修改注册表值    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ojgbztrljd\Security\Security
值: 01 00 14 80 90 00 00 00 9c 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 18 00 fd 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
规则: [应用程序]c:\windows\system32\services.exe -> [注册表]*

2012-8-23 09:26:22    加载驱动程序    阻止
进程: c:\windows\system32\services.exe
目标: c:\temp\ojgbztrljd.sys
规则: [应用程序]c:\windows\system32\services.exe

2012-8-23 09:26:25    删除文件    阻止
进程: e:\downloads\管理员\1001\1001.exe
目标: C:\Temp\ojgbztrljd.sys
规则: [应用程序]* -> [文件]*

2012-8-23 09:26:49    创建文件    阻止并结束进程
进程: e:\downloads\管理员\1001\1001.exe
目标: C:\temp\wrpjhbztrm.sys
规则: [应用程序]* -> [文件]*

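Both HIPS logs in this thread record the same two chains. First, the sample writes to \Device\NamedPipe\samr, after which lsass.exe (not the sample itself) creates the SAM account mima1 (RID 000003EC) and adds it to the Builtin alias 00000220, whose C value spells "Administrators" in UTF-16. Second, the sample drops a randomly named .sys into C:\temp, a service ImagePath is pointed at it, and a 加载驱动程序 event follows: allowed in the first run (blue screen, then a password-protected logon), blocked in the second run, after which the sample just drops another file under a new name and tries again. The Python below is an added example, not code from the thread or from the HIPS product whose log this is; it parses this log format and correlates those two chains so the responsible process is recovered even though the account and service writes are performed by lsass.exe and services.exe. SAMPLE_LOG is a constructed, condensed excerpt in the same format, with the 规则 lines omitted.

```python
"""Parse HIPS entries in the format quoted in this thread and correlate two chains:
(1) a user process opens the SAMR named pipe, then lsass.exe creates a SAM account;
(2) a user process drops a .sys, a service ImagePath is pointed at it, a load follows."""
import re
from dataclasses import dataclass, field


@dataclass
class Event:
    time: str
    action: str   # e.g. 创建文件, 修改注册表值, 加载驱动程序
    verdict: str  # 允许 / 阻止 / 阻止并结束进程
    fields: dict = field(default_factory=dict)  # 进程, 目标, 值, 规则, ...


HEADER = re.compile(r"^(\d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)$")
SYSTEM32 = "c:\\windows\\system32\\"


def parse_log(text: str) -> list:
    """One Event per timestamped header line; following 'key: value' lines attach to it."""
    events, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = Event(m.group(1), m.group(2), m.group(3))
            events.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.partition(":")
            cur.fields[key.strip()] = val.strip()
    return events


def account_creation(events: list) -> list:
    """(account name, process that opened \\samr): lsass.exe does the write, so the
    pipe opener is the only link back to the process that requested the account."""
    opener, found = None, []
    for e in events:
        proc = e.fields.get("进程", "").lower()
        target = e.fields.get("目标", "")
        if target.lower() == r"\device\namedpipe\samr" and not proc.startswith(SYSTEM32):
            opener = proc
        elif opener and proc.endswith("lsass.exe") and e.action == "创建注册表项":
            m = re.search(r"\\Users\\Names\\([^\\]+)$", target, re.I)
            if m:
                found.append((m.group(1), opener))
    return found


def driver_chain(events: list) -> dict:
    """Dropped .sys path -> dropper, service whose ImagePath points at it, load verdict."""
    dropped = {}
    for e in events:
        proc = e.fields.get("进程", "").lower()
        target = e.fields.get("目标", "")
        if e.action == "创建文件" and target.lower().endswith(".sys"):
            dropped[target.lower()] = {"dropper": proc, "service": None, "load": None}
        elif e.action == "修改注册表值" and target.lower().endswith("\\imagepath"):
            path = e.fields.get("值", "")
            path = path[4:] if path.startswith("\\??\\") else path  # strip NT prefix
            if path.lower() in dropped:
                dropped[path.lower()]["service"] = target.split("\\")[-2]
        elif e.action == "加载驱动程序" and target.lower() in dropped:
            dropped[target.lower()]["load"] = e.verdict
    return dropped


def summarize(text: str) -> dict:
    events = parse_log(text)
    chain = driver_chain(events)
    return {
        "accounts": account_creation(events),
        "loaded": sorted(p for p, r in chain.items() if r["load"] == "允许"),
        "blocked": sorted(p for p, r in chain.items() if r["load"] == "阻止"),
        "services": sorted({r["service"] for r in chain.values() if r["service"]}),
    }


# Constructed sample: a condensed excerpt in the thread's log format (规则 lines omitted).
SAMPLE_LOG = r"""
2012-8-22 20:04:43    修改文件    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: \Device\NamedPipe\samr
2012-8-22 20:05:14    创建注册表项    允许
进程: c:\windows\system32\lsass.exe
目标: HKEY_LOCAL_MACHINE\SAM\SAM\DOMAINS\Account\Users\Names\mima1
2012-8-22 20:08:56    创建文件    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: C:\temp\zwrojhbzur.sys
2012-8-22 20:09:38    修改注册表值    允许
进程: c:\windows\system32\services.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zwrojhbzur\ImagePath
值: \??\C:\temp\zwrojhbzur.sys
2012-8-22 20:09:57    加载驱动程序    允许
进程: c:\windows\system32\services.exe
目标: c:\temp\zwrojhbzur.sys
2012-8-23 09:21:03    创建文件    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: C:\temp\zxrmhezxrp.sys
2012-8-23 09:21:44    修改注册表值    允许
进程: e:\downloads\管理员\1001\1001.exe
目标: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2phook\ImagePath
值: \??\C:\temp\zxrmhezxrp.sys
2012-8-23 09:22:03    加载驱动程序    阻止
进程: e:\downloads\管理员\1001\1001.exe
目标: c:\temp\zxrmhezxrp.sys
"""
```

Running `summarize(SAMPLE_LOG)` reports the account mima1 attributed to 1001.exe, one driver load allowed and one blocked, and the two service names involved (the random zwrojhbzur and the hijacked p2phook). The "services" set is the useful artefact for cleanup from PE, as suggested in the thread: with the driver load blocked, the dropped .sys files and their service keys are what remain on disk and in the registry.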
