能运行下分析该可以程序是什么东东吗？邮件里收到的

阿拉爱宁波

火绒Miss

Eset小粉絲

I76700K

85time 发表于 2017-10-1 18:26
那请问能虚拟机测个试吗？双击并关闭杀毒软件，看看有什么具体行为

给你一个哈勃分析报告 https://habo.qq.com/file/showdetail?pk=ADAGYF1lB2UIPVs0，这个系统你也可以上传其他文件分析的

不兼容x64，运行报错

缉毒新英雄

kis 2017

安全守护者

[mw_shl_code=css,true]文件检测评级：
高度风险
文件名称： 病毒.r00


基本信息
文件名称：        
病毒.r00
MD5：        8112999c2e328cfbba38be9d25aa4ca2
文件类型：        Rar5
上传时间：        2017-10-01 20:48:40
出品公司：        N/A
版本：        N/A
壳或编译器信息：        COMPILER:Borland Delphi 6.0 - 7.0
子文件信息：        详情
关键行为
行为描述：        获取TickCount值
详情信息：        
TickCount = 221393, SleepMilliseconds = 18.
TickCount = 221408, SleepMilliseconds = 18.
TickCount = 222250, SleepMilliseconds = 500.
TickCount = 222265, SleepMilliseconds = 500.
TickCount = 231984, SleepMilliseconds = 10000.
TickCount = 232296, SleepMilliseconds = 10000.
TickCount = 232609, SleepMilliseconds = 10000.
TickCount = 232921, SleepMilliseconds = 10000.
TickCount = 233234, SleepMilliseconds = 10000.
TickCount = 233546, SleepMilliseconds = 10000.
TickCount = 233859, SleepMilliseconds = 10000.
TickCount = 234171, SleepMilliseconds = 10000.
TickCount = 234484, SleepMilliseconds = 10000.
TickCount = 234796, SleepMilliseconds = 10000.
TickCount = 235109, SleepMilliseconds = 10000.
行为描述：        直接调用系统关键API
详情信息：        
Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x0047937B
Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x0047B813
Index = 0x000000CE, Name: NtResumeThread, Instruction Address = 0x0047741B
行为描述：        通过内存映射跨进程修改内存
详情信息：        
TargetProcess = Products Orders - 1HJ1239201709.exe
行为描述：        设置消息钩子
详情信息：        
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Products Orders - 1HJ1239201709.exe
行为描述：        设置线程上下文
详情信息：        
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Products Orders - 1HJ1239201709.exe
进程行为
行为描述：        创建进程
详情信息：        
[0x00000a8c]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Products Orders - 1HJ1239201709.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Products Orders - 1HJ1239201709.exe"
行为描述：        创建本地线程
详情信息：        
TargetProcess: Products Orders - 1HJ1239201709.exe, InheritedFromPID = 2564, ProcessID = 2700, ThreadID = 2708, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: Products Orders - 1HJ1239201709.exe, InheritedFromPID = 2564, ProcessID = 2700, ThreadID = 2712, StartAddress = 00403BAB, Parameter = 00418728
TargetProcess: Products Orders - 1HJ1239201709.exe, InheritedFromPID = 2564, ProcessID = 2700, ThreadID = 2716, StartAddress = 00403B8B, Parameter = 00418728
TargetProcess: Products Orders - 1HJ1239201709.exe, InheritedFromPID = 2564, ProcessID = 2700, ThreadID = 2720, StartAddress = 00403BBA, Parameter = 00418728
行为描述：        通过内存映射跨进程修改内存
详情信息：        
TargetProcess = Products Orders - 1HJ1239201709.exe
行为描述：        枚举进程
详情信息：        
N/A
行为描述：        设置线程上下文
详情信息：        
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Products Orders - 1HJ1239201709.exe
文件行为
行为描述：        创建文件
详情信息：        
C:\Documents and Settings\Administrator\Application Data\remcos\logs.dat
行为描述：        修改文件内容
详情信息：        
C:\Documents and Settings\Administrator\Application Data\remcos\logs.dat ---> Offset = -1
C:\Documents and Settings\Administrator\Application Data\remcos\logs.dat ---> Offset = 0
行为描述：        查找文件
详情信息：        
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
网络行为
行为描述：        建立到一个指定的套接字连接
详情信息：        
IP: **.10.124.**:65531, SOCKET = 0x000000ec
注册表行为
行为描述：        修改注册表
详情信息：        
\REGISTRY\USER\S-*\Software\MY World-XPTCIT\EXEpath
其他行为
行为描述：        创建互斥体
详情信息：        
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MY World-XPTCIT
行为描述：        创建事件对象
详情信息：        
EventName = DINPUTWINMM
行为描述：        直接调用系统关键API
详情信息：        
Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x0047937B
Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x0047B813
Index = 0x000000CE, Name: NtResumeThread, Instruction Address = 0x0047741B
行为描述：        获取TickCount值
详情信息：        
TickCount = 221393, SleepMilliseconds = 18.
TickCount = 221408, SleepMilliseconds = 18.
TickCount = 222250, SleepMilliseconds = 500.
TickCount = 222265, SleepMilliseconds = 500.
TickCount = 231984, SleepMilliseconds = 10000.
TickCount = 232296, SleepMilliseconds = 10000.
TickCount = 232609, SleepMilliseconds = 10000.
TickCount = 232921, SleepMilliseconds = 10000.
TickCount = 233234, SleepMilliseconds = 10000.
TickCount = 233546, SleepMilliseconds = 10000.
TickCount = 233859, SleepMilliseconds = 10000.
TickCount = 234171, SleepMilliseconds = 10000.
TickCount = 234484, SleepMilliseconds = 10000.
TickCount = 234796, SleepMilliseconds = 10000.
TickCount = 235109, SleepMilliseconds = 10000.
行为描述：        获取光标位置
详情信息：        
CursorPos = (80,18468), SleepMilliseconds = 162.
CursorPos = (6373,26501), SleepMilliseconds = 162.
CursorPos = (19208,15725), SleepMilliseconds = 162.
CursorPos = (11517,29359), SleepMilliseconds = 162.
CursorPos = (27001,24465), SleepMilliseconds = 162.
CursorPos = (5744,28146), SleepMilliseconds = 162.
行为描述：        打开事件
详情信息：        
HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
行为描述：        调用Sleep函数
详情信息：        
[1]: MilliSeconds = 18.
[2]: MilliSeconds = 162.
[3]: MilliSeconds = 18.
[4]: MilliSeconds = 162.
[5]: MilliSeconds = 18.
[6]: MilliSeconds = 162.
[7]: MilliSeconds = 18.
[8]: MilliSeconds = 162.
[9]: MilliSeconds = 18.
[10]: MilliSeconds = 162.
[1]: MilliSeconds = 10000.
[2]: MilliSeconds = 500.
[3]: MilliSeconds = 10000.
[4]: MilliSeconds = 500.
[5]: MilliSeconds = 10000.
行为描述：        打开互斥体
详情信息：        
ShimCacheMutex
DBWinMutex
Remcos_Mutex_Inj
进程树
products orders - 1hj1239201709.exe (PID: 0x00000a04)
products orders - 1hj1239201709.exe (PID: 0x00000a8c)
Copyright©1998 - 2017 Tencent.All Rights Reserved
腾讯公司 版权所有[/mw_shl_code]

心醉咖啡

管家

540923555

WD都报毒了。。。。vagger

一覺到天明

FSP 掃描 木馬

ELOHIM

540923555 发表于 2017-10-2 21:05
WD都报毒了。。。。vagger

SEP 扫描不报，但是会隔离。也没有风险日志记录。

WIEP 扫描也不报。但是SEP只要扫描过，肯定会有隔离（其实是备份的一个副本，源文件没有动，还在原来位置）。一旦隔离，WIEP就提示 vagger。

不知道这个路径是什么路径：All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.7061.6600.105\Data\DecTemp\I2_LDVP.TMP\nav35.tmp