This post was last edited by 墨家小子 on 2015-12-5 09:45
SHA256: 8fe2a68134a3031d11d85ea5c3cd3ee4adaf5adbf000914e7e97b95d86d81984
File name: A969.tmp.exe
Detection ratio: 2 / 53
Analysis date: 2015-12-05 01:32:53 UTC ( 0 minutes ago )
https://www.virustotal.com/en/fi ... nalysis/1449279173/
2015/12/5 9:30:14,C:\Program Files (x86)\Internet Explorer\iexplore.exe,53,Allowed ;Execute application (C:\Users\AAAAA\AppData\Local\Temp\Low\A969.tmp.exe)
2015/12/5 9:30:14,C:\Users\AAAAA\AppData\Local\Temp\Low\A969.tmp.exe,53,Allowed ;Execute application (\??\C:\windows\system32\conhost.exe 0xffffffff)
2015/12/5 9:30:14,C:\Windows\System32\conhost.exe,40,Allowed ;Open process or thread with modify rights (A969.tmp.exe(pid=3056))
2015/12/5 9:30:17,C:\Users\AAAAA\AppData\Local\Temp\Low\A969.tmp.exe,53,Allowed ;Execute application (C:\Users\AAAAA\AppData\Local\Temp\Low\A969.tmp.exe)
2015/12/5 9:30:20,C:\Users\AAAAA\AppData\Local\Temp\Low\A969.tmp.exe,47,Allowed ;Create alternate data stream (C:\Users\AAAAA\AppData\Local\Temp\Low\A969.tmp.exe:Zone.Identifier)
2015/12/5 9:30:52,C:\Program Files (x86)\Internet Explorer\iexplore.exe,53,Allowed ;Execute application (C:\Users\AAAAA\AppData\Local\Temp\Low\5A1C.tmp.exe)
2015/12/5 9:30:52,C:\Users\AAAAA\AppData\Local\Temp\Low\5A1C.tmp.exe,53,Allowed ;Execute application (\??\C:\windows\system32\conhost.exe 0xffffffff)
2015/12/5 9:30:52,C:\Windows\System32\conhost.exe,40,Allowed ;Open process or thread with modify rights (5A1C.tmp.exe(pid=5204))
2015/12/5 9:30:58,C:\Users\AAAAA\AppData\Local\Temp\Low\A969.tmp.exe,53,Allowed ;Execute application ("C:\windows\SysWOW64\cmd.exe" /c start "" "C:\Users\AAAAA\AppData\Local\Temp\Low\A969.tmp.exe")
2015/12/5 9:30:58,C:\Windows\SysWOW64\cmd.exe,53,Allowed ;Execute application (\??\C:\windows\system32\conhost.exe 0xffffffff)
2015/12/5 9:31:00,C:\Users\AAAAA\AppData\Local\Temp\Low\5A1C.tmp.exe,53,Allowed ;Execute application (C:\Users\AAAAA\AppData\Local\Temp\Low\5A1C.tmp.exe)
2015/12/5 9:31:02,C:\Windows\SysWOW64\cmd.exe,53,Allowed ;Execute application ("C:\Users\AAAAA\AppData\Local\Temp\Low\A969.tmp.exe" )
2015/12/5 9:31:02,C:\Users\AAAAA\AppData\Local\Temp\Low\A969.tmp.exe,53,Allowed ;Execute application (\??\C:\windows\system32\conhost.exe 0xffffffff)
2015/12/5 9:31:02,C:\Windows\System32\conhost.exe,40,Allowed ;Open process or thread with modify rights (A969.tmp.exe(pid=3652))
2015/12/5 9:31:04,C:\Users\AAAAA\AppData\Local\Temp\Low\5A1C.tmp.exe,47,Allowed ;Create alternate data stream (C:\Users\AAAAA\AppData\Local\Temp\Low\5A1C.tmp.exe:Zone.Identifier)
2015/12/5 9:31:06,C:\Users\AAAAA\AppData\Local\Temp\Low\A969.tmp.exe,53,Allowed ;Execute application ("C:\Users\AAAAA\AppData\Local\Temp\Low\A969.tmp.exe" )
2015/12/5 9:31:09,C:\Users\AAAAA\AppData\Local\Temp\Low\5A1C.tmp.exe,53,Allowed ;Execute application ("C:\windows\SysWOW64\cmd.exe" /c start "" "C:\Users\AAAAA\AppData\Local\Temp\Low\5A1C.tmp.exe")
2015/12/5 9:31:11,C:\Users\AAAAA\AppData\Local\Temp\Low\A969.tmp.exe,47,Allowed ;Create alternate data stream (C:\Users\AAAAA\AppData\Local\Temp\Low\A969.tmp.exe:Zone.Identifier)
2015/12/5 9:31:12,C:\Windows\SysWOW64\cmd.exe,53,Allowed ;Execute application ("C:\Users\AAAAA\AppData\Local\Temp\Low\5A1C.tmp.exe" )
2015/12/5 9:31:12,C:\Users\AAAAA\AppData\Local\Temp\Low\5A1C.tmp.exe,53,Allowed ;Execute application (\??\C:\windows\system32\conhost.exe 0xffffffff)
2015/12/5 9:31:12,C:\Windows\System32\conhost.exe,40,Allowed ;Open process or thread with modify rights (5A1C.tmp.exe(pid=5528))
2015/12/5 9:31:25,C:\Users\AAAAA\AppData\Local\Temp\Low\A969.tmp.exe,53,Allowed ;Execute application (C:\Users\AAAAA\AppData\Roaming\oygtp-a.exe)
2015/12/5 9:31:25,C:\Users\AAAAA\AppData\Roaming\oygtp-a.exe,53,Allowed ;Execute application (\??\C:\windows\system32\conhost.exe 0xffffffff)
2015/12/5 9:31:25,C:\Windows\System32\conhost.exe,40,Allowed ;Open process or thread with modify rights (oygtp-a.exe(pid=5012))
2015/12/5 9:31:27,C:\Users\AAAAA\AppData\Local\Temp\Low\5A1C.tmp.exe,53,Allowed ;Execute application ("C:\Users\AAAAA\AppData\Local\Temp\Low\5A1C.tmp.exe" )
2015/12/5 9:31:31,C:\Users\AAAAA\AppData\Local\Temp\Low\A969.tmp.exe,53,Allowed ;Execute application ("C:\windows\system32\cmd.exe" /c DEL C:\Users\AAAAA\AppData\Local\Temp\Low\A969TM~1.EXE)
2015/12/5 9:31:33,C:\Users\AAAAA\AppData\Roaming\oygtp-a.exe,53,Allowed ;Execute application (C:\Users\AAAAA\AppData\Roaming\oygtp-a.exe)
2015/12/5 9:31:34,C:\Users\AAAAA\AppData\Local\Temp\Low\5A1C.tmp.exe,47,Allowed ;Create alternate data stream (C:\Users\AAAAA\AppData\Local\Temp\Low\5A1C.tmp.exe:Zone.Identifier)
2015/12/5 9:31:36,C:\Users\AAAAA\AppData\Roaming\oygtp-a.exe,47,Allowed ;Create alternate data stream (C:\Users\AAAAA\AppData\Roaming\oygtp-a.exe:Zone.Identifier)
2015/12/5 9:31:39,C:\Users\AAAAA\AppData\Local\Temp\Low\5A1C.tmp.exe,53,Allowed ;Execute application (C:\Users\AAAAA\AppData\Roaming\xgkay-a.exe)
2015/12/5 9:31:39,C:\Users\AAAAA\AppData\Roaming\xgkay-a.exe,53,Allowed ;Execute application (\??\C:\windows\system32\conhost.exe 0xffffffff)
2015/12/5 9:31:39,C:\Windows\System32\conhost.exe,40,Allowed ;Open process or thread with modify rights (xgkay-a.exe(pid=2964))
2015/12/5 9:31:43,C:\Users\AAAAA\AppData\Roaming\oygtp-a.exe,53,Blocked ;Execute application (bcdedit.exe /set {current} bootems off)
2015/12/5 9:31:45,C:\Users\AAAAA\AppData\Local\Temp\Low\5A1C.tmp.exe,53,Allowed ;Execute application ("C:\windows\system32\cmd.exe" /c DEL C:\Users\AAAAA\AppData\Local\Temp\Low\5A1CTM~1.EXE)
2015/12/5 9:31:47,C:\Users\AAAAA\AppData\Roaming\xgkay-a.exe,53,Allowed ;Execute application (C:\Users\AAAAA\AppData\Roaming\xgkay-a.exe)
2015/12/5 9:31:48,C:\Users\AAAAA\AppData\Roaming\oygtp-a.exe,53,Blocked ;Execute application (bcdedit.exe /set {current} advancedoptions off)
2015/12/5 9:31:49,C:\Users\AAAAA\AppData\Roaming\xgkay-a.exe,47,Allowed ;Create alternate data stream (C:\Users\AAAAA\AppData\Roaming\xgkay-a.exe:Zone.Identifier)
2015/12/5 9:31:51,C:\Users\AAAAA\AppData\Roaming\oygtp-a.exe,53,Blocked ;Execute application (bcdedit.exe /set {current} optionsedit off)
2015/12/5 9:31:54,C:\Users\AAAAA\AppData\Roaming\oygtp-a.exe,53,Blocked ;Execute application (bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures)
2015/12/5 9:31:56,C:\Users\AAAAA\AppData\Roaming\oygtp-a.exe,53,Blocked ;Execute application (bcdedit.exe /set {current} recoveryenabled off)
2015/12/5 9:31:59,C:\Users\AAAAA\AppData\Roaming\oygtp-a.exe,26,Blocked ;Modify protected registry key (HKLM\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Policies\System,EnableLinkedConnections)
2015/12/5 9:32:01,C:\Users\AAAAA\AppData\Roaming\oygtp-a.exe,26,Blocked ;Modify protected registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run,Acronis)
2015/12/5 9:32:02,C:\Users\AAAAA\AppData\Roaming\oygtp-a.exe,53,Blocked ;Execute application ("C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet )
2015/12/5 9:32:04,C:\Users\AAAAA\AppData\Roaming\oygtp-a.exe,40,Blocked ;Open process or thread with modify rights (wininit.exe(pid=592))
2015/12/5 9:32:07,C:\Users\AAAAA\AppData\Roaming\oygtp-a.exe,50,Allowed ;Access network via DNS resolution service
2015/12/5 9:32:19,C:\Users\AAAAA\AppData\Roaming\oygtp-a.exe,48,Blocked ;Outbound network access
2015/12/5 9:32:24,C:\Users\AAAAA\AppData\Roaming\oygtp-a.exe,53,Terminated ;Execute application ("C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet )
+++++++++++++++++++++++++++++++++++
Bonus:
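The HIPS log above is a fairly complete ransomware-style behaviour chain: IE drops a .tmp.exe into the low-integrity Temp\Low folder, the dropper relaunches itself through cmd /c start, writes a second stage into AppData\Roaming, deletes its own file through cmd /c DEL using the 8.3 short name (A969TM~1.EXE), and the second stage then goes after bcdedit recovery settings, EnableLinkedConnections, a Run key named "Acronis", shadow copies via vssadmin, and a handle to wininit.exe. The script below is an added example, not part of the post and not code from any HIPS product: it parses that log format and flags each of those steps. The event-code meanings (53 execute, 47 alternate data stream, 40 open process, 26 protected registry key, 50 DNS, 48 outbound) are assumed from what the log's own descriptions say for each code; the rule names and severities are mine; the sample lines are a subset of the post's log with the descriptions translated.

```python
"""Behaviour triage over a HIPS log in the format pasted above. Added example, not
part of the post or of any product; event codes mean what the log's descriptions say."""
import re
from dataclasses import dataclass
from typing import List, NamedTuple, Optional

@dataclass(frozen=True)
class Event:
    ts: str
    actor: str             # process that performed the action
    code: int              # numeric event code as printed by the HIPS (assumed stable)
    verdict: str           # Allowed / Blocked / Terminated
    desc: str
    target: Optional[str]  # parenthesised object of the action, if any

Finding = NamedTuple("Finding", [("severity", str), ("rule", str), ("event", Event)])

# Subset of the post's log, descriptions translated: "date time,actor,code,verdict ;desc (target)".
SAMPLE_LOG = r"""
2015/12/5 9:30:14,C:\Program Files (x86)\Internet Explorer\iexplore.exe,53,Allowed ;Execute application (C:\Users\AAAAA\AppData\Local\Temp\Low\A969.tmp.exe)
2015/12/5 9:30:58,C:\Users\AAAAA\AppData\Local\Temp\Low\A969.tmp.exe,53,Allowed ;Execute application ("C:\windows\SysWOW64\cmd.exe" /c start "" "C:\Users\AAAAA\AppData\Local\Temp\Low\A969.tmp.exe")
2015/12/5 9:31:11,C:\Users\AAAAA\AppData\Local\Temp\Low\A969.tmp.exe,47,Allowed ;Create alternate data stream (C:\Users\AAAAA\AppData\Local\Temp\Low\A969.tmp.exe:Zone.Identifier)
2015/12/5 9:31:25,C:\Users\AAAAA\AppData\Local\Temp\Low\A969.tmp.exe,53,Allowed ;Execute application (C:\Users\AAAAA\AppData\Roaming\oygtp-a.exe)
2015/12/5 9:31:31,C:\Users\AAAAA\AppData\Local\Temp\Low\A969.tmp.exe,53,Allowed ;Execute application ("C:\windows\system32\cmd.exe" /c DEL C:\Users\AAAAA\AppData\Local\Temp\Low\A969TM~1.EXE)
2015/12/5 9:31:56,C:\Users\AAAAA\AppData\Roaming\oygtp-a.exe,53,Blocked ;Execute application (bcdedit.exe /set {current} recoveryenabled off)
2015/12/5 9:31:59,C:\Users\AAAAA\AppData\Roaming\oygtp-a.exe,26,Blocked ;Modify protected registry key (HKLM\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Policies\System,EnableLinkedConnections)
2015/12/5 9:32:01,C:\Users\AAAAA\AppData\Roaming\oygtp-a.exe,26,Blocked ;Modify protected registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run,Acronis)
2015/12/5 9:32:02,C:\Users\AAAAA\AppData\Roaming\oygtp-a.exe,53,Blocked ;Execute application ("C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet )
2015/12/5 9:32:04,C:\Users\AAAAA\AppData\Roaming\oygtp-a.exe,40,Blocked ;Open process or thread with modify rights (wininit.exe(pid=592))
2015/12/5 9:32:07,C:\Users\AAAAA\AppData\Roaming\oygtp-a.exe,50,Allowed ;Access network via DNS resolution service
2015/12/5 9:32:24,C:\Users\AAAAA\AppData\Roaming\oygtp-a.exe,53,Terminated ;Execute application ("C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet )
"""

# Target may contain parentheses itself ("wininit.exe(pid=592)") or be absent (network events).
BODY_RE = re.compile(r"^(?P<desc>.*?)\s*(?:\((?P<target>.*)\))?$")

def parse_line(line: str) -> Event:
    ts, actor, code, rest = line.split(",", 3)  # a registry target holds a comma: split 3 only
    verdict, _, body = rest.partition(" ;")
    m = BODY_RE.match(body.strip())
    return Event(ts, actor, int(code), verdict.strip(), m["desc"], m["target"])

def parse_log(text: str) -> List[Event]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

def short_name_re(long_name: str):
    """Common-case 8.3 alias: stem minus periods/spaces cut to 6 chars, ~N, 3-char extension
    (A969.tmp.exe -> A969TM~1.EXE); the hash form Windows uses after 4 collisions is not modelled."""
    stem, _, ext = long_name.rpartition(".")
    stem = re.sub(r"[. ]", "", stem).upper()[:6]
    return re.compile(re.escape(stem) + r"~\d+\." + re.escape(ext[:3].upper()) + "$")

def is_self_delete(actor: str, t: str) -> bool:
    m = re.search(r'cmd\.exe" /c del (\S+)', t)
    if not m:
        return False
    victim = basename(m.group(1))
    return victim == basename(actor) or bool(short_name_re(basename(actor)).match(victim.upper()))

LOW_TEMP = "\\appdata\\local\\temp\\low\\"
RECOVERY_KNOBS = ("recoveryenabled off", "bootstatuspolicy ignoreallfailures",
                  "bootems off", "advancedoptions off", "optionsedit off")

# (event codes, predicate over lower-cased (actor path, target), severity, rule name)
RULES = [
    ({53}, lambda a, t: basename(a) == "iexplore.exe" and LOW_TEMP in t and t.endswith(".exe"),
     "medium", "browser launches binary from Temp\\Low"),
    ({53}, lambda a, t: 'cmd.exe" /c start' in t and a in t, "low", "relaunches itself via cmd /c start"),
    ({53}, lambda a, t: LOW_TEMP in a and "\\appdata\\roaming\\" in t,
     "high", "temp stage executes payload dropped in AppData\\Roaming"),
    ({53}, is_self_delete, "high", "self-deletion via cmd /c DEL using the 8.3 short name"),
    ({53}, lambda a, t: t.startswith("bcdedit.exe /set {current}") and any(k in t for k in RECOVERY_KNOBS),
     "high", "disables boot recovery/diagnostics via bcdedit"),
    ({53}, lambda a, t: 'vssadmin.exe" delete shadows' in t, "critical", "deletes Volume Shadow Copies"),
    ({26}, lambda a, t: "\\currentversion\\run," in t, "high", "Run-key persistence"),
    ({26}, lambda a, t: t.endswith(",enablelinkedconnections"),
     "medium", "EnableLinkedConnections (mapped drives shared with the elevated token)"),
    ({40}, lambda a, t: "wininit.exe(" in t and "\\appdata\\" in a,
     "high", "user-profile binary opens wininit.exe with modify rights"),
    ({47}, lambda a, t: t == a + ":zone.identifier", "low", "writes Zone.Identifier stream onto its own image"),
    ({48, 50}, lambda a, t: "\\appdata\\" in a, "low", "user-profile binary performs network activity"),
]

def triage(events: List[Event]) -> List[Finding]:
    """Blocked/Terminated attempts count too: the attempt is the indicator, not the outcome."""
    out: List[Finding] = []
    for ev in events:
        a, t = ev.actor.lower(), (ev.target or "").lower()
        out += [Finding(sev, rule, ev) for codes, pred, sev, rule in RULES if ev.code in codes and pred(a, t)]
    return out

def classify(findings: List[Finding]) -> str:
    rules = {f.rule for f in findings}
    if "deletes Volume Shadow Copies" in rules and any("bcdedit" in r for r in rules):
        return "ransomware-like"
    return "suspicious" if any(f.severity in ("high", "critical") for f in findings) else "benign"
```

Two points worth noticing when reading the output: the rules key on the attempt, not on the HIPS verdict, so the Blocked and later Terminated vssadmin lines both count (the sample retried after being blocked), and the self-delete rule matches A969TM~1.EXE back to A969.tmp.exe by reproducing the usual 8.3 alias derivation rather than by string equality, which is why `cmd /c DEL` against a short name does not slip past it.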