This post was last edited by root1605 on 2015-5-2 12:48.
Reported to Rising

Basic information
File name: TR60(没有通过病毒扫描).rar
MD5: 6700fc2dd3fe987b315228db04a097cd
File type: Rar
Upload time: 2015-05-02 12:45:01
Vendor: N/A
Version: N/A
Packer / compiler info: N/A
Sub-file information:
TR60days_NS.exedumpFile / 1ce16f056c6a783039c4cfde8e7b49bf / EXE
TR60days_NS.exe / 1ce16f056c6a783039c4cfde8e7b49bf / EXE
TR60days_NSBU.exedumpFile / fdf633890ad87114ea54e518bde1b141 / EXE
TR60days_NSBU.exe / fdf633890ad87114ea54e518bde1b141 / EXE
читать.txtdumpFile / 43e7f904876cfe082e9dc3c60bb36b07 / Unknown
читать.txt / 43e7f904876cfe082e9dc3c60bb36b07 / Unknown
Key behavior
Behavior description: Creates file mapping with write access
Details: CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
MSCTF.MarshalInterface.FileMap.ACK..EAJFF
MSCTF.MarshalInterface.FileMap.ACK.B.EBJFF
MSCTF.MarshalInterface.FileMap.ACK.C.EBJFF
MSCTF.MarshalInterface.FileMap.ACK.D.EBJFF
MSCTF.MarshalInterface.FileMap.ACK.E.EBJFF
MSCTF.MarshalInterface.FileMap.ACK.F.EBJFF
MSCTF.MarshalInterface.FileMap.ACK.G.EBJFF
MSCTF.Shared.SFM.ACK
Behavior description: Hides specified window
Details: [Window,Class] = [,ComboLBox]
[Window,Class] = [,Button]
[Window,Class] = [杨玟囗??镱祛?SFX Creator,Static]
[Window,Class] = [杨玟囗??镱祛?SFX Creator ,Static]
[Window,Class] = [,Static]
Behavior description: Kills process
Details: TargetProcess = "NS.EXE"

Process behavior
Behavior description: Creates process with hidden window
Details: ImagePath = , CmdLine = "c:\windows\system32\taskkill.exe" /f /im "ns.exe"
Behavior description: Creates process
Details: ImagePath = C:\WINDOWS\system32\taskkill.exe, CmdLine = "C:\WINDOWS\system32\taskkill.exe" /f /im "NS.exe"
Behavior description: Kills process
Details: TargetProcess = "NS.EXE"

File behavior
Behavior description: Creates file mapping with write access
Details: CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
MSCTF.MarshalInterface.FileMap.ACK..EAJFF
MSCTF.MarshalInterface.FileMap.ACK.B.EBJFF
MSCTF.MarshalInterface.FileMap.ACK.C.EBJFF
MSCTF.MarshalInterface.FileMap.ACK.D.EBJFF
MSCTF.MarshalInterface.FileMap.ACK.E.EBJFF
MSCTF.MarshalInterface.FileMap.ACK.F.EBJFF
MSCTF.MarshalInterface.FileMap.ACK.G.EBJFF
MSCTF.Shared.SFM.ACK
Behavior description: Creates executable file
Details: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsj6.tmp\System.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsj6.tmp\LangDLL.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsj6.tmp\ExecDos.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsj6.tmp\InstallOptions.dll
Behavior description: Modifies file contents
Details: C:\Documents and Settings\All Users\Documents\My Videos\Desktop.ini---> Offset = 0
C:\Documents and Settings\All Users\Documents\My Videos\Desktop.ini---> Offset = 48
C:\Documents and Settings\All Users\Documents\My Videos\Desktop.ini---> Offset = 92
C:\Documents and Settings\All Users\Documents\My Videos\Desktop.ini---> Offset = 108
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsj6.tmp\ioSpecial.ini---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsj6.tmp\ioSpecial.ini---> Offset = 36
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsj6.tmp\modern-wizard.bmp---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsj6.tmp\ioSpecial.ini---> Offset = 124
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsj6.tmp\ioSpecial.ini---> Offset = 33
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsj6.tmp\ioSpecial.ini---> Offset = 43
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsj6.tmp\ioSpecial.ini---> Offset = 60
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsj6.tmp\ioSpecial.ini---> Offset = 277
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsj6.tmp\ioSpecial.ini---> Offset = 329
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsj6.tmp\ioSpecial.ini---> Offset = 384
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsj6.tmp\ioSpecial.ini---> Offset = 392
Registry behavior
Behavior description: Modifies registry
Details: \REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-28996
Behavior description: Modifies registry (system common folders)
Details: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\CommonVideo

Other behavior
Behavior description: Creates mutex
Details: CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1645522239-1417001333-500MUTEX.DefaultS-1-5-21-1482476501-1645522239-1417001333-500
MSCTF.Shared.MUTEX.AEH
SHIMLIB_LOG_MUTEX
MSCTF.Shared.MUTEX.ACK
Behavior description: Hides specified window
Details: [Window,Class] = [,ComboLBox]
[Window,Class] = [,Button]
[Window,Class] = [杨玟囗??镱祛?SFX Creator,Static]
[Window,Class] = [杨玟囗??镱祛?SFX Creator ,Static]
[Window,Class] = [,Static]
Behavior description: Searches for specified window
Details: NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior description: Enumerates windows
Details: N/A
Behavior description: Acquires system privileges
Details: SE_LOAD_DRIVER_PRIVILEGE
SE_DEBUG_PRIVILEGE
Behavior description: Window information
Details: Pid = 2588, Hwnd=0x10352, Text = Russian / Russkij, ClassName = ComboBox.
Pid = 2588, Hwnd=0x10356, Text = OK, ClassName = Button.
Pid = 2588, Hwnd=0x10358, Text = Cancel, ClassName = Button.
Pid = 2588, Hwnd=0x1035a, Text = Please select a language., ClassName = Static.
Pid = 2588, Hwnd=0x1034e, Text = Installer Language, ClassName = #32770.
Pid = 2588, Hwnd=0x20358, Text = &玉蜞眍忤螯, ClassName = Button.
Pid = 2588, Hwnd=0x20356, Text = 悟戾磬, ClassName = Button.
Pid = 2588, Hwnd=0x10364, Text = 杨玟囗??镱祛?SFX Creator , ClassName = Static.
Pid = 2588, Hwnd=0x10366, Text = 杨玟囗??镱祛?SFX Creator, ClassName = Static.
Pid = 2588, Hwnd=0x10378, Text = 锣?镳桠弪耱怏弪 爨耱屦 篑蜞眍怅?TR60days_NS, ClassName = Static.
Pid = 2588, Hwnd=0x1037a, Text = 蒡?镳钽疣祆?篑蜞眍忤?TR60days_NS 磬 忄?觐祜蝈? 襄疱?磬鬣腩?篑蜞眍怅?疱觐戾礓箦蝰 |