Behavior: Reads hardware properties to detect a virtual machine
Details:
VMware detection: calls the WMI interface to retrieve hardware information
Behavior: Reads the TickCount value
Details:
TickCount = 219681, SleepMilliseconds = 10.
TickCount = 223181, SleepMilliseconds = 10.
TickCount = 234728, SleepMilliseconds = 10.
TickCount = 234791, SleepMilliseconds = 10.
TickCount = 234806, SleepMilliseconds = 10.
TickCount = 234838, SleepMilliseconds = 10.
TickCount = 234869, SleepMilliseconds = 10.
TickCount = 234931, SleepMilliseconds = 10.
TickCount = 235056, SleepMilliseconds = 10.
TickCount = 235072, SleepMilliseconds = 10.
TickCount = 235541, SleepMilliseconds = 10.
TickCount = 235572, SleepMilliseconds = 10.
TickCount = 235588, SleepMilliseconds = 10.
TickCount = 236119, SleepMilliseconds = 10.
TickCount = 236260, SleepMilliseconds = 10.
Behavior: Opens registry keys associated with virtual-machine detection
Details:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions
Behavior: Modifies the registry (system firewall trusted-process list)
Details:
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\public\clientwlg\wlg_ctrl.exe
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\public\clientwlg\wlg_rcap.exe
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\public\clientwlg\rctrl_server.exe
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\public\clientwlg\wlg_contact.exe
Behavior: Kills a process
Details:
C:\WINDOWS\system32\finclean.exe
Behavior: Creates system services
Details:
[Service created successfully]: WLG_RCTRL_SERVER, "C:\Users\public\clientwlg\rctrl_server.exe" -service
[Service created successfully]: wlg_Minispy, system32\DRIVERS\wlg_minispy.sys
Behavior: Modifies the registry (startup entries)
Details:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv