Thread starter: Jerry.Lin

[Virus sample] Backdoor/Humpler

温馨小屋
Posted on 2018-6-21 08:58:16
BD: double-clicked it and it missed all the way through.
I didn't see any homepage-changing behaviour here.
a445441
Posted on 2018-6-21 11:42:03
Micropoint blocked one.

Rating: 1 participant, Popularity +1
itcql +1, reason: The board is better with you in it :)

dreams521
Posted on 2018-6-21 12:28:41
TO KL
275751198
Posted on 2018-6-21 13:22:20
Karna posted on 2018-6-20 23:01:
Scary: on VT everything passed except Cylance. But homepage-locking PUPs are indeed hard to deal with.

Isn't that the king of false positives?
www-tekeze
Posted on 2018-6-21 15:48:01
温馨小屋 posted on 2018-6-21 08:58:
BD: double-clicked it and it missed all the way through.
I didn't see any homepage-changing behaviour here.

Not every browser gets its homepage locked, and the malware is quite careful about when it acts: if its conditions aren't met it does nothing, so it's fairly stealthy...
It can also be controlled from the cloud; how it will develop in future, perhaps only the author knows...


KJD
Posted on 2018-6-21 18:34:20
Last edited by KJD on 2018-6-21 18:36

bambooslip
Posted on 2018-6-21 21:38:43

Doesn't having so many antivirus products installed at once make it laggy?
KJD
Posted on 2018-6-22 09:30:03
bambooslip posted on 2018-6-21 21:38:
Doesn't having so many antivirus products installed at once make it laggy?

It's a VM; if it lags, it lags.
Jerry.Lin
Thread starter | Posted on 2018-6-22 10:30:58
Comodo
<?xml version="1.0" encoding="ISO-8859-1"?>
<vscope guid="202713604D4EF65B7A99B87F88E7903C" ver="2.0">
<process parentpath="C:\Windows\explorer.exe" isVirtualized="true" restrictionLevel="NoRestriction" detected="false" trusted="false" hashCrc32="1234202307" sha1="8D6B470F594C7ABE9B9251C2907787AC6E23925B" createtime="2018-06-22T02:26:29.034Z" cmdline="" path="C:\Users\zhong\Downloads\Compressed\VIRUS TEST\BackdoorHumpler\cjlbj_9.9\超级老板键.exe" pid="5756">
<activities>
<activity id="50889" path="C:\Windows\SysWOW64\apphelp.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.050Z"/>
<activity id="50890" path="C:\Windows\apppatch\sysmain.sdb" type="LoadImageFile" timestamp="2018-06-22T02:26:29.050Z"/>
<activity id="50891" path="C:\Windows\SysWOW64\wininet.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.065Z"/>
<activity id="50892" path="C:\Windows\SysWOW64\winmm.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.065Z"/>
<activity id="50893" path="C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.112_none_42ecccf244e44518\comctl32.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.065Z"/>
<activity id="50894" path="C:\Windows\SysWOW64\winmmbase.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.065Z"/>
<activity id="50896" path="C:\Windows\SysWOW64\imm32.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.081Z"/>
<activity id="50897" path="C:\Windows\SysWOW64\oleaut32.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.081Z"/>
<activity id="50898" path="C:\Windows\WindowsShell.Manifest" type="LoadImageFile" timestamp="2018-06-22T02:26:29.081Z"/>
<activity id="50899" path="C:\Windows\SysWOW64\guard32.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.097Z"/>
<activity id="50900" path="C:\Windows\SysWOW64\version.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.097Z"/>
<activity id="50901" path="C:\Windows\Globalization\Sorting\SortDefault.nls" type="LoadImageFile" timestamp="2018-06-22T02:26:29.097Z"/>
<activity id="50902" path="C:\Windows\SysWOW64\cmdvrt32.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.097Z"/>
<activity id="50903" path="C:\Windows\SysWOW64\shell32.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.097Z"/>
<activity id="50904" path="C:\Windows\SysWOW64\ntmarta.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.097Z"/>
<activity id="50906" path="C:\Windows\SysWOW64\KernelBase.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.097Z"/>
<activity id="50908" path="C:\Windows\SysWOW64\ntdll.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.112Z"/>
<activity id="50909" path="C:\Windows\SysWOW64\kernel32.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.112Z"/>
<activity id="50913" path="C:\Windows\SysWOW64\user32.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.112Z"/>
<activity id="50921" path="C:\Windows\SysWOW64\combase.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.112Z"/>
<activity id="50925" path="C:\Windows\SysWOW64\advapi32.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.128Z"/>
<activity id="50939" path="C:\Windows\SysWOW64\rpcrt4.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.128Z"/>
<activity id="50945" path="C:\Windows\SysWOW64\sechost.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.144Z"/>
<activity id="51033" path="C:\Windows\SysWOW64\fltLib.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.222Z"/>
<activity id="51119" path="C:\Windows\System32\rpcss.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.347Z"/>
<activity id="51120" path="C:\Windows\Registration\R00000000000d.clb" type="LoadImageFile" timestamp="2018-06-22T02:26:29.362Z"/>
<activity id="51121" path="C:\Windows\SysWOW64\MMDevAPI.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.362Z"/>
<activity id="51124" path="C:\Windows\SysWOW64\devobj.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.362Z"/>
<activity id="51125" path="C:\Windows\SysWOW64\propsys.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.362Z"/>
<activity id="51127" path="C:\Windows\Fonts\StaticCache.dat" type="LoadImageFile" timestamp="2018-06-22T02:26:29.394Z"/>
<activity id="51131" path="C:\Windows\SysWOW64\uxtheme.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.597Z"/>
<activity id="51136" path="C:\Program Files\Listary\ListaryHook.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.597Z"/>
<activity id="51140" path="C:\Windows\SysWOW64\oleacc.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.597Z"/>
<activity id="51141" path="C:\Windows\SysWOW64\oleaccrc.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.597Z"/>
<activity id="51148" type="KernelObject" timestamp="2018-06-22T02:26:29.612Z" objectType="Mutex" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SM0:5756:168:WilStaging_02"/>
<activity id="51149" path="C:\Windows\SysWOW64\dwmapi.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.612Z"/>
<activity id="51194" path="C:\Windows\SysWOW64\TextInputFramework.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.706Z"/>
<activity id="51195" path="C:\Windows\SysWOW64\CoreUIComponents.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.706Z"/>
<activity id="51196" path="C:\Windows\SysWOW64\CoreMessaging.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.706Z"/>
<activity id="51197" path="C:\Windows\SysWOW64\WinTypes.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.706Z"/>
<activity id="51206" path="C:\Windows\SysWOW64\atlthunk.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.722Z"/>
<activity id="51217" type="KernelObject" timestamp="2018-06-22T02:26:29.753Z" objectType="Mutex" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SM0:5756:64:WilError_01"/>
<activity id="51218" type="KernelObject" timestamp="2018-06-22T02:26:29.753Z" objectType="Semaphore" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SM0:5756:64:WilError_01_p0"/>
<activity id="51313" path="C:\Windows\SysWOW64\SogouTSF.ime" type="LoadImageFile" timestamp="2018-06-22T02:26:29.909Z"/>
<activity id="51316" path="C:\Windows\SysWOW64\msimg32.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.909Z"/>
<activity id="51319" path="C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackzh-cn_17134.5.8.0_neutral__8wekyb3d8bbwe\Windows\System32\zh-CN\kernel32.dll.mui" type="LoadImageFile" timestamp="2018-06-22T02:26:29.925Z"/>
<activity id="51320" type="KernelObject" timestamp="2018-06-22T02:26:29.925Z" objectType="Mutex" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\mutex_file_0x00630072"/>
<activity id="51321" type="KernelObject" timestamp="2018-06-22T02:26:29.940Z" objectType="Mutex" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\mutex_file_0x00760074"/>
<activity id="51322" type="KernelObject" timestamp="2018-06-22T02:26:29.940Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\Filemap_VersionReg57f53f7"/>
<activity id="51323" path="C:\Windows\SysWOW64\SogouPY.ime" type="LoadImageFile" timestamp="2018-06-22T02:26:29.940Z"/>
<activity id="51326" path="C:\Windows\SysWOW64\winhttp.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.940Z"/>
<activity id="51330" type="KernelObject" timestamp="2018-06-22T02:26:29.956Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\M53320972160cdd99e4cc938d4171f83f47af5bf1b6"/>
<activity id="51331" path="C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackzh-cn_17134.5.8.0_neutral__8wekyb3d8bbwe\Windows\System32\zh-CN\KernelBase.dll.mui" type="LoadImageFile" timestamp="2018-06-22T02:26:29.956Z"/>
<activity id="51332" path="C:\Windows\SysWOW64\zh-CN\KernelBase.dll.mui" type="LoadImageFile" timestamp="2018-06-22T02:26:29.956Z"/>
<activity id="51336" type="KernelObject" timestamp="2018-06-22T02:26:29.972Z" objectType="Mutex" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\mutex_file_0x00650058"/>
<activity id="51337" type="KernelObject" timestamp="2018-06-22T02:26:29.972Z" objectType="Mutex" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\mutex_file_0x00370007"/>
<activity id="51338" type="KernelObject" timestamp="2018-06-22T02:26:29.972Z" objectType="Mutex" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\mutex_file_0x00230029"/>
<activity id="51339" type="KernelObject" timestamp="2018-06-22T02:26:29.972Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\sgime_psglog.filemap209157f53f7"/>
<activity id="51340" type="KernelObject" timestamp="2018-06-22T02:26:29.972Z" objectType="Mutex" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\mutex_file_0x005B0038"/>
<activity id="51341" type="KernelObject" timestamp="2018-06-22T02:26:29.987Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\sgime_env_fm1.v1.filemap.sogouime57f53f7"/>
<activity id="51342" path="C:\Windows\SysWOW64\tzres.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:29.987Z"/>
<activity id="51343" path="C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackzh-cn_17134.5.8.0_neutral__8wekyb3d8bbwe\Windows\System32\zh-CN\tzres.dll.mui" type="LoadImageFile" timestamp="2018-06-22T02:26:29.987Z"/>
<activity id="51346" type="KernelObject" timestamp="2018-06-22T02:26:29.987Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SogouIme_DictWriteManager_3__FileMap_u57f53f7"/>
<activity id="51347" type="KernelObject" timestamp="2018-06-22T02:26:29.987Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SogouIme_VersionManagerSharedTable__FileMap_u57f53f7"/>
<activity id="51348" type="KernelObject" timestamp="2018-06-22T02:26:29.987Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SGPY_GlobalConfig_Filemap_v0_u57f53f7"/>
<activity id="51349" path="C:\Program Files (x86)\SogouInput\8.9.0.2091\sgim_quick.bin" type="LoadImageFile" timestamp="2018-06-22T02:26:29.987Z"/>
<activity id="51350" type="KernelObject" timestamp="2018-06-22T02:26:29.987Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SGPY_sgim_quick_bin8.9.0.2091_Filemap_v1_u57f53f7"/>
<activity id="51351" type="KernelObject" timestamp="2018-06-22T02:26:29.987Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SGPY_SupportCharDict8.9.0.2091_Filemap_v1_u57f53f7"/>
<activity id="51352" type="KernelObject" timestamp="2018-06-22T02:26:29.987Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SGPY_PunctureDict8.9.0.2091_Filemap_v1_u57f53f7"/>
<activity id="51353" type="KernelObject" timestamp="2018-06-22T02:26:29.987Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SGPY_FixFirstDict_Filemap_v1_u57f53f7"/>
<activity id="51354" type="KernelObject" timestamp="2018-06-22T02:26:29.987Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SGPY_AbbrUsrDict_Filemap_v1_u57f53f7"/>
<activity id="51355" type="KernelObject" timestamp="2018-06-22T02:26:30.003Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\fimemap_for_sogou_cloud209157f53f7"/>
<activity id="51356" type="KernelObject" timestamp="2018-06-22T02:26:30.003Z" objectType="Event" isCreate="true" name="\Sessions\1\BaseNamedObjects\SgImeUniqueApp"/>
<activity id="51357" type="KernelObject" timestamp="2018-06-22T02:26:30.003Z" objectType="Mutex" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\mutex_file_0x000E000F"/>
<activity id="51358" type="DeleteKey" timestamp="2018-06-22T02:26:30.003Z" regKey="S-1-5-21-3774652721-2607747548-2788097174-1001\Software\SogouInput.user"/>
<activity id="51359" type="CreateKey" timestamp="2018-06-22T02:26:30.003Z" regKey="\REGISTRY\USER\S-1-5-21-3774652721-2607747548-2788097174-1001\SOFTWARE\SogouInput.user"/>
<activity id="51360" type="SetValueKey" timestamp="2018-06-22T02:26:30.003Z" regKey="S-1-5-21-3774652721-2607747548-2788097174-1001\Software\SogouInput.user" regValData="1529634398" regValType="REG_DWORD" regValName="SogouComponentFirstLoad"/>
<activity id="51365" type="SetValueKey" timestamp="2018-06-22T02:26:30.003Z" regKey="S-1-5-21-3774652721-2607747548-2788097174-1001\Software\SogouInput.user" regValData="1529634398" regValType="REG_DWORD" regValName="Used"/>
<activity id="51370" path="C:\Users\zhong\AppData\LocalLow\SogouPY.users\00000001\env.ini" type="CreateFile" timestamp="2018-06-22T02:26:30.019Z"/>
<activity id="51375" path="C:\Program Files (x86)\SogouInput\8.9.0.2091\Resource.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:30.034Z"/>
<activity id="51377" type="KernelObject" timestamp="2018-06-22T02:26:30.034Z" objectType="Mutex" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\mutex_file_0x0033002B"/>
<activity id="51389" path="C:\Users\zhong\AppData\LocalLow\SogouPy\verify.ini" type="ModifyFile" timestamp="2018-06-22T02:26:30.050Z"/>
<activity id="51390" type="KernelObject" timestamp="2018-06-22T02:26:30.050Z" objectType="Event" isCreate="true" name="\Sessions\1\BaseNamedObjects\SGNoSCExp_{144A0213-B100-4a00-BA33-62C66BD53F64}"/>
<activity id="51391" type="KernelObject" timestamp="2018-06-22T02:26:30.050Z" objectType="Mutex" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\mutex_file_0x002E002A"/>
<activity id="51392" path="C:\Windows\Fonts\msyh.ttc" type="LoadImageFile" timestamp="2018-06-22T02:26:30.065Z"/>
<activity id="51393" type="KernelObject" timestamp="2018-06-22T02:26:30.081Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\msyh.ttc"/>
<activity id="51394" path="C:\Windows\Fonts\arial.ttf" type="LoadImageFile" timestamp="2018-06-22T02:26:30.097Z"/>
<activity id="51395" type="KernelObject" timestamp="2018-06-22T02:26:30.097Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\arial.ttf"/>
<activity id="51396" path="C:\Windows\Fonts\arialbd.ttf" type="LoadImageFile" timestamp="2018-06-22T02:26:30.112Z"/>
<activity id="51397" type="KernelObject" timestamp="2018-06-22T02:26:30.112Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\arialbd.ttf"/>
<activity id="51398" type="KernelObject" timestamp="2018-06-22T02:26:30.128Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\sgime_skin.v1.filemap.sogouime209157f53f7"/>
<activity id="51399" path="C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackzh-cn_17134.5.8.0_neutral__8wekyb3d8bbwe\Windows\System32\zh-CN\msctf.dll.mui" type="LoadImageFile" timestamp="2018-06-22T02:26:30.128Z"/>
<activity id="51400" type="KernelObject" timestamp="2018-06-22T02:26:30.128Z" objectType="Mutex" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\mutex_file_0x001D0030"/>
<activity id="51401" type="KernelObject" timestamp="2018-06-22T02:26:30.144Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SogouImeActiveMap57f53f7"/>
<activity id="51413" path="C:\Program Files (x86)\SogouInput\8.9.0.2091\sgim_adjcache.bin" type="LoadImageFile" timestamp="2018-06-22T02:26:31.019Z"/>
<activity id="51414" type="KernelObject" timestamp="2018-06-22T02:26:31.019Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SGPY_sgim_adjcache_bin8.9.0.2091_Filemap_v1_u57f53f7"/>
<activity id="51415" type="KernelObject" timestamp="2018-06-22T02:26:31.019Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SGPY_PyTipDict8.9.0.2091_Filemap_v1_u57f53f7"/>
<activity id="51416" path="C:\Program Files (x86)\SogouInput\8.9.0.2091\sgim_tra.bin" type="LoadImageFile" timestamp="2018-06-22T02:26:31.019Z"/>
<activity id="51417" type="KernelObject" timestamp="2018-06-22T02:26:31.019Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SGPY_sgim_tra_bin8.9.0.2091_Filemap_v1_u57f53f7"/>
<activity id="51418" path="C:\Program Files (x86)\SogouInput\8.9.0.2091\sgim_eng_pre.bin" type="LoadImageFile" timestamp="2018-06-22T02:26:31.019Z"/>
<activity id="51419" type="KernelObject" timestamp="2018-06-22T02:26:31.019Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SGPY_sgim_eng_pre_bin8.9.0.2091_Filemap_v1_u57f53f7"/>
<activity id="51420" path="C:\Program Files (x86)\SogouInput\8.9.0.2091\sgim_url.bin" type="LoadImageFile" timestamp="2018-06-22T02:26:31.019Z"/>
<activity id="51421" type="KernelObject" timestamp="2018-06-22T02:26:31.019Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SGPY_sgim_url_bin8.9.0.2091_Filemap_v1_u57f53f7"/>
<activity id="51422" type="KernelObject" timestamp="2018-06-22T02:26:31.019Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SGPY_UrlGuideDict8.9.0.2091_Filemap_v1_u57f53f7"/>
<activity id="51423" type="KernelObject" timestamp="2018-06-22T02:26:31.034Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SGPY_NumFreqAdjustDict_Filemapv1_v1_u57f53f7"/>
<activity id="51424" type="KernelObject" timestamp="2018-06-22T02:26:31.034Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SGPY_infokeyict8.9.0.2091_Filemap_v1_u57f53f7"/>
<activity id="51425" type="KernelObject" timestamp="2018-06-22T02:26:31.034Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SGPY_infoblackict8.9.0.2091_Filemap_v1_u57f53f7"/>
<activity id="51426" type="KernelObject" timestamp="2018-06-22T02:26:31.034Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SGPY_smartinfo8.9.0.2091_Filemap_v1_u57f53f7"/>
<activity id="51427" type="KernelObject" timestamp="2018-06-22T02:26:31.034Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SGPY_CloudCachecDict8.9.0.2091_Filemap_v1_u57f53f7"/>
<activity id="51428" type="KernelObject" timestamp="2018-06-22T02:26:31.034Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SGPY_CloudCachecDictLongWord8.9.0.2091_Filemap_v1_u57f53f7"/>
<activity id="51429" type="KernelObject" timestamp="2018-06-22T02:26:31.050Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SGPY_CloudCachecDictGrayWord8.9.0.2091_Filemap_v1_u57f53f7"/>
<activity id="51430" type="KernelObject" timestamp="2018-06-22T02:26:31.050Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SGPY_ExtDict_Filemap_v1_u57f53f7"/>
<activity id="51431" type="KernelObject" timestamp="2018-06-22T02:26:31.050Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SGPY_UsrExtDict_Filemap_v1_u57f53f7"/>
<activity id="51432" type="KernelObject" timestamp="2018-06-22T02:26:31.050Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SGPY_UserSpellModelDict_Filemap_v1_u57f53f7"/>
<activity id="51433" type="KernelObject" timestamp="2018-06-22T02:26:31.050Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SGPY_PrivilegeDict8.9.0.2091_Filemap_v1_u57f53f7"/>
<activity id="51434" type="KernelObject" timestamp="2018-06-22T02:26:31.065Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SGPY_EngUsrDict_Filemap_v1_u57f53f7"/>
<activity id="51435" type="KernelObject" timestamp="2018-06-22T02:26:31.065Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SGPY_UrlUsrDict_Filemap_v1_u57f53f7"/>
<activity id="51436" type="KernelObject" timestamp="2018-06-22T02:26:31.065Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SGPY_ClipBoardDict_Filemap_v1_u57f53f7"/>
<activity id="51470" type="KernelObject" timestamp="2018-06-22T02:26:33.815Z" objectType="Port" isCreate="true" name="\BaseNamedObjects\[CoreUI]-PID(5756)-TID(12524) 11f88364-956b-4eac-a315-c0f90c66197d"/>
<activity id="51762" path="C:\Users\zhong\Downloads\Compressed\VIRUS TEST\BackdoorHumpler\cjlbj_9.9\config.ini" type="CreateFile" timestamp="2018-06-22T02:26:34.284Z"/>
<activity id="51764" type="CreateKey" timestamp="2018-06-22T02:26:34.284Z" regKey="\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\BossKey"/>
<activity id="51765" type="SetValueKey" timestamp="2018-06-22T02:26:34.284Z" regKey="SOFTWARE\WOW6432Node\BossKey" regValData="9" regValType="REG_DWORD" regValName="AppVersion"/>
<activity id="51886" path="C:\Users\zhong\Downloads\Compressed\VIRUS TEST\BackdoorHumpler\cjlbj_9.9\config.ini" type="ModifyFile" timestamp="2018-06-22T02:26:34.472Z"/>
<activity id="51887" type="SetValueKey" timestamp="2018-06-22T02:26:34.472Z" regKey="SOFTWARE\WOW6432Node\BossKey" regValData="18239" regValType="REG_DWORD" regValName="AppStatus"/>
<activity id="51894" type="SetValueKey" timestamp="2018-06-22T02:26:34.503Z" regKey="SOFTWARE\WOW6432Node\BossKey" regValData="c:\users\zhong\downloads\compressed\virus test\backdoorhumpler\cjlbj_9.9\超级老板键.exe" regValType="REG_SZ" regValName="AppPath"/>
<activity id="51899" type="SetValueKey" timestamp="2018-06-22T02:26:34.503Z" regKey="SOFTWARE\WOW6432Node\BossKey" regValData="1" regValType="REG_DWORD" regValName="RunCount"/>
<activity id="51901" path="C:\Users\zhong\Downloads\Compressed\VIRUS TEST\BackdoorHumpler\cjlbj_9.9\TrayHook.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:34.503Z"/>
<activity id="51902" path="C:\Windows\SysWOW64\iertutil.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:34.503Z"/>
<activity id="51912" type="KernelObject" timestamp="2018-06-22T02:26:34.519Z" objectType="Mutex" isCreate="true" name="\Sessions\1\BaseNamedObjects\5756-SingleThreadInProcessByQDBLnk"/>
<activity id="51914" type="CreateKey" timestamp="2018-06-22T02:26:34.519Z" regKey="\Registry\User\S-1-5-21-3774652721-2607747548-2788097174-1001\SOFTWARE\BossKey"/>
<activity id="51915" type="KernelObject" timestamp="2018-06-22T02:26:34.519Z" objectType="Mutex" isCreate="true" name="\Sessions\1\BaseNamedObjects\BossKeyPluginUpdate5.0"/>
<activity id="51918" type="SetValueKey" timestamp="2018-06-22T02:26:34.519Z" regKey="S-1-5-21-3774652721-2607747548-2788097174-1001\Software\BossKey" regValData="B044CC0C" regValType="REG_BINARY" regValName="TestData"/>
<activity id="51922" path="C:\Users\zhong\AppData\Roaming\BossKey" type="CreateFile" timestamp="2018-06-22T02:26:34.519Z"/>
<activity id="51923" path="C:\Users\zhong\Downloads\Compressed\VIRUS TEST\BackdoorHumpler\cjlbj_9.9\BossKeyLoader64.exe" type="LoadImageFile" timestamp="2018-06-22T02:26:34.519Z"/>
<activity id="51925" path="C:\Users\zhong\AppData\Roaming\BossKey\TestData" type="CreateFile" timestamp="2018-06-22T02:26:34.519Z"/>
<activity id="51927" type="KernelObject" timestamp="2018-06-22T02:26:34.519Z" objectType="Port" isCreate="true" name="\RPC Control\OLE439C6AA7F20164E66EB0F5FD8263"/>
<activity id="52197" cmdline="" path="C:\Users\zhong\Downloads\Compressed\VIRUS TEST\BackdoorHumpler\cjlbj_9.9\BossKeyLoader64.exe" type="CreateProcess" timestamp="2018-06-22T02:26:35.362Z"/>
<activity id="52209" type="SetValueKey" timestamp="2018-06-22T02:26:35.378Z" regKey="SOFTWARE\WOW6432Node\BossKey" regValData="584" regValType="REG_DWORD" regValName="CtrlViewX"/>
<activity id="52210" type="SetValueKey" timestamp="2018-06-22T02:26:35.378Z" regKey="SOFTWARE\WOW6432Node\BossKey" regValData="186" regValType="REG_DWORD" regValName="CtrlViewY"/>
<activity id="52232" type="KernelObject" timestamp="2018-06-22T02:26:35.440Z" objectType="Port" isCreate="true" name="\BaseNamedObjects\[CoreUI]-PID(5756)-TID(12524) 746cc732-a235-4d93-a52d-d9808f9404c0"/>
<activity id="52238" type="KernelObject" timestamp="2018-06-22T02:26:35.472Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\BossKeyShareMapping"/>
<activity id="52501" type="SetValueKey" timestamp="2018-06-22T02:26:36.003Z" regKey="SOFTWARE\WOW6432Node\BossKey" regValData="0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" regValType="REG_BINARY" regValName="setting"/>
<activity id="52502" path="C:\Windows\explorer.exe" type="LoadImageFile" timestamp="2018-06-22T02:26:36.003Z"/>
<activity id="52505" cmdline="" path="C:\Windows\explorer.exe" type="CreateProcess" timestamp="2018-06-22T02:26:36.003Z"/>
<activity id="52513" path="C:\Windows\System32\ctfmon.exe" type="LoadImageFile" timestamp="2018-06-22T02:26:36.034Z"/>
<activity id="52514" cmdline="" path="C:\Windows\System32\ctfmon.exe" type="CreateProcess" timestamp="2018-06-22T02:26:36.034Z"/>
<activity id="52658" path="C:\Windows\SysWOW64\OnDemandConnRouteHelper.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.300Z"/>
<activity id="52659" path="C:\Windows\SysWOW64\IPHLPAPI.DLL" type="LoadImageFile" timestamp="2018-06-22T02:26:36.300Z"/>
<activity id="52667" path="C:\Windows\SysWOW64\mswsock.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.331Z"/>
<activity id="52671" path="C:\Windows\SysWOW64\winnsi.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.347Z"/>
<activity id="52683" path="C:\Windows\SysWOW64\urlmon.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.362Z"/>
<activity id="52694" type="KernelObject" timestamp="2018-06-22T02:26:36.378Z" objectType="Section" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\UrlZonesSM_zhong"/>
<activity id="52699" type="KernelObject" timestamp="2018-06-22T02:26:36.378Z" objectType="Mutex" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"/>
<activity id="52713" type="KernelObject" timestamp="2018-06-22T02:26:36.394Z" objectType="Mutex" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"/>
<activity id="52775" path="C:\Windows\SysWOW64\dnsapi.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.487Z"/>
<activity id="52782" path="C:\Windows\SysWOW64\rasadhlp.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.487Z"/>
<activity id="52788" path="C:\Windows\SysWOW64\FWPUCLNT.DLL" type="LoadImageFile" timestamp="2018-06-22T02:26:36.487Z"/>
<activity id="52794" path="C:\Windows\SysWOW64\bcrypt.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.487Z"/>
<activity id="52814" path="C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackzh-cn_17134.5.8.0_neutral__8wekyb3d8bbwe\Windows\System32\zh-CN\mswsock.dll.mui" type="LoadImageFile" timestamp="2018-06-22T02:26:36.519Z"/>
<activity id="52817" path="C:\Windows\SysWOW64\wshqos.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.519Z"/>
<activity id="52818" path="C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackzh-cn_17134.5.8.0_neutral__8wekyb3d8bbwe\Windows\System32\zh-CN\wshqos.dll.mui" type="LoadImageFile" timestamp="2018-06-22T02:26:36.519Z"/>
<activity id="64179" dir="OUT" type="NetworkConnection" timestamp="2018-06-22T02:26:58.656Z" bytesOUT="66" bytesIN="0" dstPort="80" srcPort="50225" dstAdr="14.215.177.38" srcAdr="192.168.43.88" protocol="TCP" etherType="IPv4"/>
<activity id="64180" dir="OUT" type="NetworkConnection" timestamp="2018-06-22T02:26:58.703Z" bytesOUT="66" bytesIN="330" dstPort="80" srcPort="50227" dstAdr="218.66.104.152" srcAdr="192.168.43.88" protocol="TCP" etherType="IPv4"/>
<activity id="64181" dir="OUT" type="NetworkConnection" timestamp="2018-06-22T02:26:58.718Z" bytesOUT="66" bytesIN="66" dstPort="80" srcPort="50241" dstAdr="14.215.177.39" srcAdr="192.168.43.88" protocol="TCP" etherType="IPv4"/>
<activity id="64182" dir="OUT" type="NetworkConnection" timestamp="2018-06-22T02:26:58.718Z" bytesOUT="66" bytesIN="66" dstPort="80" srcPort="50240" dstAdr="14.215.177.39" srcAdr="192.168.43.88" protocol="TCP" etherType="IPv4"/>
<activity id="64183" dir="OUT" type="NetworkConnection" timestamp="2018-06-22T02:26:58.718Z" bytesOUT="66" bytesIN="66" dstPort="80" srcPort="50225" dstAdr="14.215.177.38" srcAdr="192.168.43.88" protocol="TCP" etherType="IPv4"/>
<activity id="64184" dir="OUT" type="NetworkConnection" timestamp="2018-06-22T02:26:58.718Z" bytesOUT="66" bytesIN="66" dstPort="80" srcPort="50226" dstAdr="14.215.177.38" srcAdr="192.168.43.88" protocol="TCP" etherType="IPv4"/>
<activity id="64185" type="UrlRequest" timestamp="2018-06-22T02:26:58.718Z" action="0" request="http://www.baidu.com"/>
<activity id="64186" type="UrlRequest" timestamp="2018-06-22T02:26:58.718Z" action="0" request="http://www.baidu.com"/>
<activity id="64196" type="SetValueKey" timestamp="2018-06-22T02:26:58.922Z" regKey="S-1-5-21-3774652721-2607747548-2788097174-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content" regValData="" regValType="REG_SZ" regValName="CachePrefix"/>
<activity id="64199" path="C:\Users\zhong\AppData\Local\Microsoft\Windows\INetCache\IE\XA8YJKK2\ZVNK6OYH.htm" type="CreateFile" timestamp="2018-06-22T02:26:58.984Z"/>
<activity id="64200" path="C:\Users\zhong\AppData\Local\Microsoft\Windows\INetCache\IE\XA8YJKK2\ZVNK6OYH.htm" type="DeleteFile" timestamp="2018-06-22T02:26:58.984Z"/>
<activity id="64202" path="C:\Users\zhong\AppData\Local\Microsoft\Windows\INetCache\IE\XA8YJKK2\L3LROOLZ.htm" type="CreateFile" timestamp="2018-06-22T02:26:58.984Z"/>
<activity id="64203" path="C:\Users\zhong\AppData\Local\Microsoft\Windows\INetCache\IE\XA8YJKK2\L3LROOLZ.htm" type="DeleteFile" timestamp="2018-06-22T02:26:58.984Z"/>
<activity id="64205" dir="OUT" type="NetworkConnection" timestamp="2018-06-22T02:26:59.078Z" bytesOUT="66" bytesIN="66" dstPort="80" srcPort="50243" dstAdr="122.227.164.215" srcAdr="192.168.43.88" protocol="TCP" etherType="IPv4"/>
<activity id="64206" type="UrlRequest" timestamp="2018-06-22T02:26:59.078Z" action="0" request="http://s9.cnzz.com/stat.php?id=4394107&web_id=4394107"/>
<activity id="64207" path="C:\Users\zhong\AppData\Local\Microsoft\Windows\INetCache\IE\XA8YJKK2\stat[1].js" type="CreateFile" timestamp="2018-06-22T02:26:59.140Z"/>
<activity id="64209" type="UrlRequest" timestamp="2018-06-22T02:26:59.234Z" action="0" request="http://hzs10.cnzz.com/stat.htm?id=4394107&r=&lg=zh-cn&ntime=none&repeatip=1&rtime=2&cnzz_eid=none&showp=1280x1024&st=80000&sin=none&res=0&rnd=4586254"/>
<activity id="64210" dir="OUT" type="NetworkConnection" timestamp="2018-06-22T02:26:59.234Z" bytesOUT="66" bytesIN="66" dstPort="80" srcPort="50244" dstAdr="140.205.60.79" srcAdr="192.168.43.88" protocol="TCP" etherType="IPv4"/>
<activity id="64211" path="C:\Users\zhong\AppData\Local\Microsoft\Windows\INetCache\IE\43RHCHTG\stat[1].htm" type="CreateFile" timestamp="2018-06-22T02:26:59.515Z"/>
<activity id="64212" type="UrlRequest" timestamp="2018-06-22T02:26:59.703Z" action="0" request="http://jserr.cnzz.com/stat.htm?id=4394107&r=&lg=zh-cn&ntime=none&repeatip=1&rtime=2&cnzz_eid=none&showp=1280x1024&st=80000&sin=none&res=0&rnd=4586254"/>
<activity id="64213" dir="OUT" type="NetworkConnection" timestamp="2018-06-22T02:26:59.703Z" bytesOUT="66" bytesIN="66" dstPort="80" srcPort="50245" dstAdr="140.205.248.8" srcAdr="192.168.43.88" protocol="TCP" etherType="IPv4"/>
<activity id="64214" path="C:\Users\zhong\AppData\Local\Microsoft\Windows\INetCache\IE\F2SDA6BI\stat[1].htm" type="CreateFile" timestamp="2018-06-22T02:26:59.922Z"/>
<activity id="64215" dir="OUT" type="NetworkConnection" timestamp="2018-06-22T02:26:59.984Z" bytesOUT="1938" bytesIN="120" dstPort="80" srcPort="50246" dstAdr="122.227.164.214" srcAdr="192.168.43.88" protocol="TCP" etherType="IPv4"/>
<activity id="64239" type="UrlRequest" timestamp="2018-06-22T02:27:01.000Z" action="0" request="http://c.cnzz.com/stat.htm?id=4394107&r=&lg=zh-cn&ntime=none&repeatip=1&rtime=2&cnzz_eid=none&showp=1280x1024&st=80000&sin=none&res=0&rnd=4586254"/>
<activity id="64250" type="UrlRequest" timestamp="2018-06-22T02:27:01.187Z" action="0" request="http://ei.cnzz.com/stat.htm?id=4394107&r=&lg=zh-cn&ntime=none&repeatip=1&rtime=2&cnzz_eid=none&showp=1280x1024&st=80000&sin=none&res=0&rnd=4586254"/>
<activity id="64252" dir="OUT" type="NetworkConnection" timestamp="2018-06-22T02:27:01.187Z" bytesOUT="66" bytesIN="66" dstPort="80" srcPort="50247" dstAdr="140.205.61.85" srcAdr="192.168.43.88" protocol="TCP" etherType="IPv4"/>
  192. <activity id="64269" path="C:\Users\zhong\AppData\Local\Microsoft\Windows\INetCache\IE\XA8YJKK2\stat[1].htm" type="CreateFile" timestamp="2018-06-22T02:27:01.234Z"/>
  193. <activity id="64270" type="UrlRequest" timestamp="2018-06-22T02:27:01.297Z" action="0" request="http://c.cnzz.com/stat.htm?id=4394107&r=&lg=zh-cn&ntime=none&repeatip=1&rtime=2&cnzz_eid=none&showp=1280x1024&st=80000&sin=none&res=0&rnd=4586254"/>
  194. <activity id="64301" type="UrlRequest" timestamp="2018-06-22T02:27:01.625Z" action="0" request="http://c.cnzz.com/stat.htm?id=4394107&r=&lg=zh-cn&ntime=none&repeatip=1&rtime=2&cnzz_eid=none&showp=1280x1024&st=80000&sin=none&res=0&rnd=4586254"/>
  195. <activity id="64512" dir="OUT" type="NetworkConnection" timestamp="2018-06-22T02:27:04.265Z" bytesOUT="198" bytesIN="0" dstPort="80" srcPort="50248" dstAdr="42.123.125.237" srcAdr="192.168.43.88" protocol="TCP" etherType="IPv4"/>
  196. <activity id="64700" type="SetValueKey" timestamp="2018-06-22T02:27:05.750Z" regKey="SOFTWARE\WOW6432Node\BossKey" regValData="18239" regValType="REG_DWORD" regValName="AppStatus"/>
  197. <activity id="64891" type="SetValueKey" timestamp="2018-06-22T02:27:07.765Z" regKey="SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" regValData=""c:\users\zhong\downloads\compressed\virus test\backdoorhumpler\cjlbj_9.9\超级老板键.exe" -autorun" regValType="REG_SZ" regValName="bosskey"/>
  198. <activity id="64895" type="SetValueKey" timestamp="2018-06-22T02:27:07.765Z" regKey="SOFTWARE\WOW6432Node\BossKey" regValData="18239" regValType="REG_DWORD" regValName="AppStatus"/>
  199. </activities>
  200. <children>
  201. <process parentpath="C:\Users\zhong\Downloads\Compressed\VIRUS TEST\BackdoorHumpler\cjlbj_9.9\超级老板键.exe" isVirtualized="true" restrictionLevel="NoRestriction" detected="false" trusted="true" hashCrc32="1978979919" sha1="12F2B29A565C7C8C0D830E5D9B3640289883C766" createtime="2018-06-22T02:26:35.394Z" cmdline="" path="C:\Users\zhong\Downloads\Compressed\VIRUS TEST\BackdoorHumpler\cjlbj_9.9\BossKeyLoader64.exe" pid="1536">
  202. <activities>
  203. <activity id="52207" path="C:\Windows\System32\apphelp.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:35.378Z"/>
  204. <activity id="52208" path="C:\Windows\apppatch\sysmain.sdb" type="LoadImageFile" timestamp="2018-06-22T02:26:35.378Z"/>
  205. <activity id="52240" path="C:\Windows\System32\imm32.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:35.487Z"/>
  206. <activity id="52241" path="C:\Windows\System32\guard64.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:35.503Z"/>
  207. <activity id="52242" path="C:\Windows\System32\version.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:35.519Z"/>
  208. <activity id="52244" path="C:\Windows\System32\oleaut32.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:35.534Z"/>
  209. <activity id="52245" path="C:\Windows\System32\cmdvrt64.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:35.534Z"/>
  210. <activity id="52247" path="C:\Windows\System32\KernelBase.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:35.550Z"/>
  211. <activity id="52248" path="C:\Windows\System32\ntmarta.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:35.550Z"/>
  212. <activity id="52250" path="C:\Windows\System32\ntdll.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:35.550Z"/>
  213. <activity id="52251" path="C:\Windows\System32\kernel32.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:35.550Z"/>
  214. <activity id="52255" path="C:\Windows\System32\user32.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:35.565Z"/>
  215. <activity id="52257" path="C:\Windows\System32\combase.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:35.565Z"/>
  216. <activity id="52261" path="C:\Windows\System32\advapi32.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:35.565Z"/>
  217. <activity id="52281" path="C:\Windows\System32\sechost.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:35.597Z"/>
  218. <activity id="52369" path="C:\Windows\System32\fltLib.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:35.753Z"/>
  219. <activity id="52494" path="C:\Users\zhong\Downloads\Compressed\VIRUS TEST\BackdoorHumpler\cjlbj_9.9\TrayHook64.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:35.987Z"/>
  220. <activity id="52518" path="C:\Windows\System32\shell32.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.034Z"/>
  221. <activity id="52520" path="C:\Windows\Globalization\Sorting\SortDefault.nls" type="LoadImageFile" timestamp="2018-06-22T02:26:36.034Z"/>
  222. <activity id="52526" path="C:\Windows\System32\uxtheme.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.065Z"/>
  223. <activity id="52561" path="C:\Program Files\Listary\ListaryHook64.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.112Z"/>
  224. <activity id="52564" path="C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.17134.112_none_f94f898130982b3f\comctl32.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.112Z"/>
  225. <activity id="52565" path="C:\Windows\System32\oleacc.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.112Z"/>
  226. <activity id="52566" type="KernelObject" timestamp="2018-06-22T02:26:36.128Z" objectType="Mutex" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SM0:1536:304:WilStaging_02"/>
  227. <activity id="52567" path="C:\Windows\System32\oleaccrc.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.128Z"/>
  228. <activity id="52577" path="C:\Windows\System32\dwmapi.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.144Z"/>
  229. </activities>
  230. <children/>
  231. </process>
  232. <process parentpath="C:\Users\zhong\Downloads\Compressed\VIRUS TEST\BackdoorHumpler\cjlbj_9.9\超级老板键.exe" isVirtualized="true" restrictionLevel="NoRestriction" detected="false" trusted="true" hashCrc32="3653466982" sha1="F5D0299140CF98875B07DBD2D892617401DAD8B9" createtime="2018-06-22T02:26:36.019Z" cmdline="" path="C:\Windows\explorer.exe" pid="12752" termtime="2018-06-22T02:26:36.190Z">
  233. <activities>
  234. <activity id="52521" path="C:\Windows\System32\fltLib.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.050Z"/>
  235. <activity id="52524" path="C:\Windows\System32\apphelp.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.065Z"/>
  236. <activity id="52525" path="C:\Windows\apppatch\sysmain.sdb" type="LoadImageFile" timestamp="2018-06-22T02:26:36.065Z"/>
  237. <activity id="52529" path="C:\Windows\System32\twinapi.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.081Z"/>
  238. <activity id="52533" path="C:\Windows\System32\TextInputFramework.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.081Z"/>
  239. <activity id="52534" path="C:\Windows\System32\propsys.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.081Z"/>
  240. <activity id="52535" path="C:\Windows\System32\SettingSyncCore.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.081Z"/>
  241. <activity id="52536" path="C:\Windows\System32\winmm.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.081Z"/>
  242. <activity id="52537" path="C:\Windows\System32\wininet.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.081Z"/>
  243. <activity id="52538" path="C:\Windows\System32\CoreUIComponents.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.081Z"/>
  244. <activity id="52539" path="C:\Windows\System32\CoreMessaging.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.081Z"/>
  245. <activity id="52540" path="C:\Windows\System32\uxtheme.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.081Z"/>
  246. <activity id="52541" path="C:\Windows\System32\dwmapi.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.081Z"/>
  247. <activity id="52542" path="C:\Windows\System32\userenv.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.097Z"/>
  248. <activity id="52543" path="C:\Windows\System32\sspicli.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.097Z"/>
  249. <activity id="52544" path="C:\Windows\System32\wtsapi32.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.097Z"/>
  250. <activity id="52545" path="C:\Windows\System32\winmmbase.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.097Z"/>
  251. <activity id="52548" path="C:\Windows\System32\ntmarta.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.097Z"/>
  252. <activity id="52549" path="C:\Windows\System32\WinTypes.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.097Z"/>
  253. <activity id="52552" path="C:\Windows\System32\cryptsp.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.097Z"/>
  254. <activity id="52553" path="C:\Windows\System32\bcrypt.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.097Z"/>
  255. <activity id="52554" path="C:\Windows\System32\twinapi.appcore.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.097Z"/>
  256. <activity id="52556" path="C:\Windows\System32\rmclient.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.097Z"/>
  257. <activity id="52568" path="C:\Windows\System32\imm32.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.128Z"/>
  258. <activity id="52570" path="C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackzh-cn_17134.5.8.0_neutral__8wekyb3d8bbwe\Windows\zh-CN\explorer.exe.mui" type="LoadImageFile" timestamp="2018-06-22T02:26:36.128Z"/>
  259. <activity id="52578" path="C:\Windows\System32\ole32.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.144Z"/>
  260. <activity id="52579" path="C:\Windows\System32\guard64.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.159Z"/>
  261. <activity id="52581" path="C:\Windows\System32\version.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.159Z"/>
  262. <activity id="52582" path="C:\Windows\System32\cmdvrt64.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.159Z"/>
  263. <activity id="52584" path="C:\Windows\explorer.exe" type="LoadImageFile" timestamp="2018-06-22T02:26:36.159Z"/>
  264. <activity id="52585" cmdline="" path="C:\Windows\explorer.exe" type="CreateProcess" timestamp="2018-06-22T02:26:36.159Z"/>
  265. </activities>
  266. <children>
  267. <process parentpath="C:\Windows\explorer.exe" isVirtualized="true" restrictionLevel="NoRestriction" detected="false" trusted="true" hashCrc32="3653466982" sha1="F5D0299140CF98875B07DBD2D892617401DAD8B9" createtime="2018-06-22T02:26:36.159Z" cmdline="" path="C:\Windows\explorer.exe" pid="13084" termtime="2018-06-22T02:26:37.517Z">
  268. <activities>
  269. <activity id="52592" path="C:\Windows\System32\twinapi.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.190Z"/>
  270. <activity id="52593" path="C:\Windows\System32\propsys.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.190Z"/>
  271. <activity id="52594" path="C:\Windows\System32\winmm.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.190Z"/>
  272. <activity id="52595" path="C:\Windows\System32\SettingSyncCore.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.190Z"/>
  273. <activity id="52597" path="C:\Windows\System32\wininet.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.190Z"/>
  274. <activity id="52598" path="C:\Windows\System32\uxtheme.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.190Z"/>
  275. <activity id="52599" path="C:\Windows\System32\dwmapi.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.190Z"/>
  276. <activity id="52600" path="C:\Windows\System32\sspicli.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.190Z"/>
  277. <activity id="52601" path="C:\Windows\System32\userenv.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.206Z"/>
  278. <activity id="52602" path="C:\Windows\System32\twinapi.appcore.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.206Z"/>
  279. <activity id="52603" path="C:\Windows\System32\wtsapi32.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.206Z"/>
  280. <activity id="52604" path="C:\Windows\System32\TextInputFramework.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.206Z"/>
  281. <activity id="52605" path="C:\Windows\System32\winmmbase.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.206Z"/>
  282. <activity id="52607" path="C:\Windows\System32\bcrypt.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.206Z"/>
  283. <activity id="52608" path="C:\Windows\System32\cryptsp.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.206Z"/>
  284. <activity id="52609" path="C:\Windows\System32\rmclient.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.206Z"/>
  285. <activity id="52610" path="C:\Windows\System32\CoreUIComponents.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.206Z"/>
  286. <activity id="52611" path="C:\Windows\System32\CoreMessaging.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.206Z"/>
  287. <activity id="52612" path="C:\Windows\System32\ntmarta.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.206Z"/>
  288. <activity id="52613" path="C:\Windows\System32\WinTypes.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.206Z"/>
  289. <activity id="52617" path="C:\Windows\System32\imm32.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.222Z"/>
  290. <activity id="52618" path="C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackzh-cn_17134.5.8.0_neutral__8wekyb3d8bbwe\Windows\zh-CN\explorer.exe.mui" type="LoadImageFile" timestamp="2018-06-22T02:26:36.222Z"/>
  291. <activity id="52619" path="C:\Windows\System32\ole32.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.237Z"/>
  292. <activity id="52620" path="C:\Windows\System32\guard64.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.253Z"/>
  293. <activity id="52621" path="C:\Windows\System32\version.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.253Z"/>
  294. <activity id="52623" path="C:\Windows\System32\cmdvrt64.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.253Z"/>
  295. <activity id="52625" path="C:\Windows\System32\shell32.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.253Z"/>
  296. <activity id="52627" path="C:\Windows\System32\KernelBase.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.253Z"/>
  297. <activity id="52629" path="C:\Windows\System32\ntdll.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.269Z"/>
  298. <activity id="52630" path="C:\Windows\System32\kernel32.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.269Z"/>
  299. <activity id="52635" path="C:\Windows\System32\user32.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.269Z"/>
  300. <activity id="52643" path="C:\Windows\System32\combase.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.284Z"/>
  301. <activity id="52647" path="C:\Windows\System32\advapi32.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.284Z"/>
  302. <activity id="52674" path="C:\Windows\System32\sechost.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.362Z"/>
  303. <activity id="52776" path="C:\Windows\System32\fltLib.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.487Z"/>
  304. <activity id="52832" type="KernelObject" timestamp="2018-06-22T02:26:36.550Z" objectType="Mutex" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SM0:13084:304:WilStaging_02"/>
  305. <activity id="52834" path="C:\Windows\System32\rpcss.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.565Z"/>
  306. <activity id="52835" path="C:\Users\zhong\Downloads\Compressed\VIRUS TEST\BackdoorHumpler\cjlbj_9.9\TrayHook64.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.565Z"/>
  307. <activity id="52838" path="C:\Windows\Globalization\Sorting\SortDefault.nls" type="LoadImageFile" timestamp="2018-06-22T02:26:36.565Z"/>
  308. <activity id="52842" path="C:\Program Files\Listary\ListaryHook64.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.581Z"/>
  309. <activity id="52845" path="C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.112_none_fb3f961b30681c12\comctl32.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.581Z"/>
  310. <activity id="52846" path="C:\Windows\System32\oleacc.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.581Z"/>
  311. <activity id="52847" path="C:\Windows\WindowsShell.Manifest" type="LoadImageFile" timestamp="2018-06-22T02:26:36.581Z"/>
  312. <activity id="52848" path="C:\Windows\System32\oleaccrc.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.581Z"/>
  313. <activity id="52850" type="KernelObject" timestamp="2018-06-22T02:26:36.597Z" objectType="Mutex" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SM0:13084:120:WilError_01"/>
  314. <activity id="52851" type="KernelObject" timestamp="2018-06-22T02:26:36.597Z" objectType="Semaphore" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SM0:13084:120:WilError_01_p0"/>
  315. <activity id="52852" type="KernelObject" timestamp="2018-06-22T02:26:36.597Z" objectType="Semaphore" isCreate="true" name="\Sessions\1\BaseNamedObjects\Local\SM0:13084:120:WilError_01_p0h"/>
  316. <activity id="52863" path="C:\Windows\System32\ninput.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.612Z"/>
  317. <activity id="52877" path="C:\Windows\Registration\R00000000000d.clb" type="LoadImageFile" timestamp="2018-06-22T02:26:36.636Z"/>
  318. <activity id="52880" path="C:\Windows\System32\ExplorerFrame.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:36.636Z"/>
  319. <activity id="52895" type="KernelObject" timestamp="2018-06-22T02:26:36.658Z" objectType="Port" isCreate="true" name="\RPC Control\OLE5091E2B752216DB75699CC278D72"/>
  320. <activity id="53178" path="C:\Windows\System32\actxprxy.dll" type="LoadImageFile" timestamp="2018-06-22T02:26:37.074Z"/>
  321. </activities>
  322. <children/>
  323. </process>
  324. </children>
  325. </process>
  326. <process parentpath="C:\Users\zhong\Downloads\Compressed\VIRUS TEST\BackdoorHumpler\cjlbj_9.9\超级老板键.exe" isVirtualized="true" restrictionLevel="NoRestriction" detected="false" trusted="true" hashCrc32="3372127385" sha1="C1D1F6AF856EAEC6F309186575839AAAFD3BEF00" createtime="2018-06-22T02:26:36.034Z" cmdline="" path="C:\Windows\System32\ctfmon.exe" pid="7212" termtime="2018-06-22T02:26:36.097Z">
  327. <activities/>
  328. <children/>
  329. </process>
  330. </children>
  331. </process>
  332. </vscope>
bambooslip
Posted on 2018-6-22 20:49:02
KJD posted on 2018-6-22 09:30
If the VM lags, it lags.

Are they installed in separate virtual machines?