用户锁，密码slear

显示全部楼层 · 发表于 2018-7-28 22:25:54

锁机病毒，禁用资源管理器的一些按钮，比如开始菜单、关机按钮，隐藏桌面图标，删除safeboot相关注册表项以禁用登陆到安全模式，关闭了Windows的注册表编辑器（regedit.exe）功能，通过某些注册表键值来检测已知的来自于中国厂商的反病毒软件，与设备驱动进行通信，将文件属性设置为删除，停止windows服务，使用windows实用程序代替windows的基础功能，插入http://schemas.microsoft.com/SMI/2005/WindowsSettings，

显示全部楼层 · 发表于 2018-7-28 22:32:03

WD WIN10 64 1803

显示全部楼层 · 发表于 2018-7-28 22:37:10

好无聊

那BGM也是醉了

显示全部楼层 · 发表于 2018-7-28 22:38:18

BD
网页拦截
Web Protection by
Bitdefender
Dangerous page blocked for your protection
https://att.kafan.cn/forum.php?mo ... Dl8MjEyODczMw%3D%3D
Dangerous pages attempt to install software that can harm the device, gather personal information or operate without your consent.
Take me back to safety
I understand the risks, take me there anyway
下载下来后
Infected file detected
now

Feature:
Antivirus

The file D:\下载\ÓÃ»§Ëø£¬ÃÜÂëslear.zip has been detected as infected. Bitdefender deleted this item. Your device is threat-free. Threat name: DeepScan:Generic.Malware.SFMYVd.E86739CE

显示全部楼层 · 发表于 2018-7-28 22:43:11

显示全部楼层 · 发表于 2018-7-28 22:43:40

多引擎检出率9/25
反病毒软件
检测结果

AVG
Trojan horse Generic35.YWR

腾讯（Tencent）
Trojan.Win32.Skillis.aaa

微软（MSE）
TrojanDropper:Win32/Killav.A

金山（Kingsoft）
VIRUS_UNKNOWN

火绒（Huorong）
Worm/Qunsender.x

ESET
a variant of Win32/QQWare.AA trojan

Baidu-China
Win32.Trojan.Skillis.a

NANO
Trojan.Win32.Skillis.cqimdi

IKARUS
Trojan.Win32.Skillis

熊猫（Panda）
非恶意

360（Qihoo 360）
非恶意

小红伞（Avira）
非恶意

Sophos
非恶意

GDATA
非恶意

大蜘蛛（Dr.Web）
非恶意

瑞星（Rising）
非恶意

江民（JiangMin）
非恶意

卡巴斯基（Kaspersky）
非恶意

ClamAV
非恶意

Avast
非恶意

Baidu
非恶意

安天（Antiy）
非恶意

K7
非恶意

开维（Kaiwei）
非恶意

WebShell专杀
非恶意
威胁情报 IOC
[td]

IOC 对象	IOC 类型	情报类型	可信度	严重程度	标签
c52f9244c63e7f2537c94840d94c9698bc6752a258a3d2726ef0756761ed66e2	file_sha256	malware	75	严重	N/A

行为签名
恶意行为（8）

设置注册表实现自启动

reg_key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\slear.exe
reg_value:	c:\windows\system32\slear.exe

reg_key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\slear.exe
reg_value:	c:\windows\system32\slear.exe

reg_key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\slear.exe
reg_value:	c:\windows\system32\slear.exe

修改资源管理器（explorer）的文件夹的隐藏属性
registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
向系统服务发送控制码
[td]
Time & API
Arguments
Status
Return
2018-07-28 04:53:34
ControlService
service_handle :0x0019d4e8
service_name :SHAREDACCESS
control_code :4
0 0

禁用资源管理器的一些按钮，比如开始菜单、关机按钮
[td]

Time & API	Arguments	Status	Return
2018-07-28 04:52:59 RegSetValueExA	key_handle :0x00000154 regkey_r :NoRun reg_type :4 value :1 regkey :HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun	1	0
2018-07-28 04:52:59 RegSetValueExA	key_handle :0x0000015c regkey_r :NoClose reg_type :4 value :1 regkey :HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose	1	0
2018-07-28 04:52:59 RegSetValueExA	key_handle :0x0000015c regkey_r :NoFind reg_type :4 value :1 regkey :HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind	1	0
2018-07-28 04:52:59 RegSetValueExA	key_handle :0x0000015c regkey_r :NoFolderOptions reg_type :4 value :1 regkey :HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions	1	0
2018-07-28 04:52:59 RegSetValueExA	key_handle :0x0000015c regkey_r :NoRun reg_type :4 value :1 regkey :HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun	1	0
2018-07-28 04:52:59 RegSetValueExA	key_handle :0x0000015c regkey_r :NoFolderOptions reg_type :4 value :1 regkey :HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions	1	0
2018-07-28 04:52:59 RegSetValueExA	key_handle :0x0000015c regkey_r :NoClose reg_type :4 value :1 regkey :HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose	1	0
2018-07-28 04:52:59 RegSetValueExA	key_handle :0x0000015c regkey_r :NoFind reg_type :4 value :1 regkey :HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind	1	0
2018-07-28 04:52:59 RegSetValueExA	key_handle :0x0000015c regkey_r :NoLogOff reg_type :4 value :1 regkey :HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff	1	0
2018-07-28 04:52:59 RegSetValueExA	key_handle :0x0000015c regkey_r :NoRecentDocsMenu reg_type :4 value :1 regkey :HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu	1	0
2018-07-28 04:52:59 RegSetValueExA	key_handle :0x0000015c regkey_r :NoLogOff reg_type :4 value :1 regkey :HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff	1	0
2018-07-28 04:52:59 RegSetValueExA	key_handle :0x0000015c regkey_r :NoSetFolders reg_type :4 value :1 regkey :HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders	1	0

关闭了Windows的任务管理器（taskmgr.exe）功能
registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

registry
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

registry
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

隐藏桌面图标
[td]

Time & API	Arguments	Status	Return
2018-07-28 04:52:59 RegSetValueExA	key_handle :0x0000015c regkey_r :NoDesktop reg_type :4 value :1 regkey :HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop	1	0
2018-07-28 04:52:59 RegSetValueExA	key_handle :0x0000015c regkey_r :NoDesktop reg_type :4 value :1 regkey :HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop	1	0

发起了一些ICMP流量

删除safeboot相关注册表项以禁用登陆到安全模式
registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\EventLog\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PNP Filter\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Ndisuio\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CryptSvc\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Netlogon\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmserver\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Ndisuio\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NDIS\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Browser\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WZCSVC\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmadmin\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\termservice\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmio.sys\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmload.sys\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WinMgmt\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot file system\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanServer\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppMgmt\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AFD\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SCSI Class\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PlugPlay\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SharedAccess\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Base\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\RpcSs\

registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys\
可疑行为（12）

尝试拖慢分析任务的进度
[/table]
通过某些注册表键值来检测已知的来自于中国厂商的反病毒软件
regkey
.*360Safe
与设备驱动进行通信
[td]
[table=98%]

Time & API
Arguments
Status
Return

2018-07-28 04:52:57
DeviceIoControl
input_buffer :
control_code :3735560
device_handle :0x000000c0
output_buffer :“t—Dü€r3&OS÷J.ØgOhùòÆ~k}¼©ˉŸÏÕÎ@7 #©Ædúíàtô
11

2018-07-28 04:52:57
DeviceIoControl
input_buffer :
control_code :3735560
device_handle :0x000000c0
output_buffer :z“™ñÃ$Tê￥fòBI?ŠTo™õˉ-…_¡òõÿ½{′Ym§ô¾-#)€¿
11

2018-07-28 04:53:03
DeviceIoControl
input_buffer :
control_code :3735560
device_handle :0x000000c0
output_buffer :òÃYz„TÄ”‚_‘<-lîíƒv9|¨BWGÛDhkx￥e¬ŸØTM$Y￥
11

2018-07-28 04:53:03
DeviceIoControl
input_buffer :
control_code :3735560
device_handle :0x000000c0
output_buffer :L~€CsÕì￠1ü8uó¶ØïË¬ÏÏú–”ˉf»n'%©Yy—¶v¸
11
在文件系统上创建可执行文件
file
c:\2dll.bat

file
c:\slear.bat

file
c:\guanlian.bat

file
c:\kill.bat

file
c:\1exe.bat

file
c:\1dll.bat

file
c:\2exe.bat
关闭了Windows的注册表编辑器（regedit.exe）功能
registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools

搜索并加载模块资源
[td]

Time & API	Arguments	Status	Return
2018-07-28 04:52:41 FindResourceExW	module_handle :0x00400000 type :DEFAULT_ICON name :#14 language_identifier :0	1	5094168
2018-07-28 04:52:41 LoadResource	pointer :0x004e2280 resource_handle :0x004dbb18 module_handle :0x00400000	1	5120640

获取按键信息
[td]

Time & API	Arguments	Status	Return
2018-07-28 04:53:03 GetKeyState	key_code :17	1	0
2018-07-28 04:53:03 GetKeyState	key_code :16	1	0
2018-07-28 04:53:03 GetKeyState	key_code :18	1	0
2018-07-28 04:53:06 GetKeyState	key_code :17	1	0
2018-07-28 04:53:06 GetKeyState	key_code :16	1	0
2018-07-28 04:53:06 GetKeyState	key_code :18	1	0
2018-07-28 04:53:16 GetKeyState	key_code :17	1	0
2018-07-28 04:53:16 GetKeyState	key_code :16	1	0
2018-07-28 04:53:16 GetKeyState	key_code :18	1	0
2018-07-28 04:53:16 GetKeyState	key_code :17	1	0
2018-07-28 04:53:16 GetKeyState	key_code :16	1	0
2018-07-28 04:53:16 GetKeyState	key_code :18	1	0
2018-07-28 04:53:16 GetKeyState	key_code :17	1	0
2018-07-28 04:53:16 GetKeyState	key_code :16	1	0
2018-07-28 04:53:16 GetKeyState	key_code :18	1	0
2018-07-28 04:53:16 GetKeyboardState		1	1
2018-07-28 04:53:16 GetKeyState	key_code :18	1	0
2018-07-28 04:53:16 GetKeyState	key_code :17	1	0
2018-07-28 04:53:16 GetKeyState	key_code :16	1	0
2018-07-28 04:53:16 GetKeyState	key_code :91	1	0
2018-07-28 04:53:16 GetKeyState	key_code :92	1	0
2018-07-28 04:53:16 GetKeyState	key_code :18	1	0
2018-07-28 04:53:16 GetKeyState	key_code :17	1	0
2018-07-28 04:53:16 GetKeyState	key_code :16	1	0
2018-07-28 04:53:16 GetKeyState	key_code :91	1	0
2018-07-28 04:53:16 GetKeyState	key_code :92	1	0
2018-07-28 04:53:16 GetKeyState	key_code :17	1	0
2018-07-28 04:53:16 GetKeyState	key_code :16	1	0
2018-07-28 04:53:16 GetKeyState	key_code :18	1	0
2018-07-28 04:53:16 GetKeyState	key_code :17	1	0
2018-07-28 04:53:16 GetKeyState	key_code :16	1	0
2018-07-28 04:53:16 GetKeyState	key_code :18	1	0
2018-07-28 04:53:16 GetKeyboardState		1	1
2018-07-28 04:53:16 GetKeyState	key_code :18	1	0
2018-07-28 04:53:16 GetKeyState	key_code :17	1	0
2018-07-28 04:53:16 GetKeyState	key_code :16	1	0
2018-07-28 04:53:16 GetKeyState	key_code :91	1	0
2018-07-28 04:53:16 GetKeyState	key_code :92	1	0
2018-07-28 04:53:16 GetKeyState	key_code :18	1	0
2018-07-28 04:53:16 GetKeyState	key_code :17	1	0
2018-07-28 04:53:16 GetKeyState	key_code :16	1	0
2018-07-28 04:53:16 GetKeyState	key_code :91	1	0
2018-07-28 04:53:16 GetKeyState	key_code :92	1	0
2018-07-28 04:53:16 GetKeyState	key_code :17	1	0
2018-07-28 04:53:16 GetKeyState	key_code :16	1	0
2018-07-28 04:53:16 GetKeyState	key_code :18	1	0
2018-07-28 04:53:16 GetKeyboardState		1	1
2018-07-28 04:53:16 GetKeyState	key_code :18	1	0
2018-07-28 04:53:16 GetKeyState	key_code :17	1	0
2018-07-28 04:53:16 GetKeyState	key_code :16	1	0

将文件属性设置为删除
[td]
Time & API
Arguments
Status
Return
2018-07-28 04:52:59
SetFileAttributesW
file_attributes :32
filepath_r :C:\Windows\system32\cmd.bat
filepath :C:\Windows\System32\cmd.bat
1 1

停止windows服务
[td]

Time & API	Arguments	Status	Return
2018-07-28 04:53:28 CreateProcessInternalW	thread_identifier :2900 thread_handle :0x0000006c process_identifier :2316 current_directory :C:\Users\vbccsb\AppData\Local\Temp filepath :C:\Windows\System32\net.exe track :1 command_line :net stop sharedaccess filepath_r :C:\Windows\system32\net.exe stack_pivoted :0 creation_flags :524288 inherit_handles :1 process_handle :0x00000070	1	1

打开服务控制管理器
[td]

Time & API	Arguments	Status	Return
2018-07-28 04:53:03 OpenSCManagerW	desired_access :1 database_name : machine_name :	1	2568224
2018-07-28 04:53:34 OpenSCManagerW	desired_access :2147483648 database_name : machine_name :	1	1693064
2018-07-28 04:53:34 OpenSCManagerW	desired_access :1 database_name : machine_name :	1	1693224
2018-07-28 04:54:14 OpenSCManagerW	desired_access :2147483648 database_name : machine_name :	1	2282816
2018-07-28 04:54:14 OpenSCManagerW	desired_access :1 database_name : machine_name :	1	2282976

读取软件策略
registry
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\LogFileName

registry
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\DefaultLevel

registry
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\PolicyScope

registry
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\Levels

registry
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\SaferFlags

使用windows实用程序代替windows的基础功能
cmdline
net stop Shadow" "System" "Service

cmdline
attrib C:\Windows\system32\cmd.bat +r +s +h

cmdline
net user vbccsb slear

cmdline
net user vbccsb slear

cmdline
net stop sharedaccess
正常行为（10）
全部收起

样本释放的文件
file
c:\2dll.bat

file
c:\slear.bat

file
c:\guanlian.bat

file
c:\kill.bat

file
c:\1exe.bat

file
c:\1dll.bat

file
c:\2exe.bat

枚举文件和目录
[td]

Time & API	Arguments	Status	Return
2018-07-28 04:52:41 FindFirstFileExW	filepath_r :c:\windows\system32\slear.exe filepath :c:\Windows\System32\slear.exe	1	2571416
2018-07-28 04:52:41 FindFirstFileExW	filepath_r :c:\windows\system32\slear.exe filepath :c:\Windows\System32\slear.exe	1	2570816
2018-07-28 04:52:46 FindFirstFileExW	filepath_r :c:\windows\system32\slear.exe filepath :c:\Windows\System32\slear.exe	1	2593728
2018-07-28 04:52:43 FindFirstFileExW	filepath_r :C:\Users filepath :C:\Users	1	3606512
2018-07-28 04:52:43 FindFirstFileExW	filepath_r :C:\Users\vbccsb filepath :C:\Users\vbccsb	1	3606512
2018-07-28 04:52:43 FindFirstFileExW	filepath_r :C:\Users\vbccsb\AppData filepath :C:\Users\vbccsb\AppData	1	3606512
2018-07-28 04:52:43 FindFirstFileExW	filepath_r :C:\Users\vbccsb\AppData\Local filepath :C:\Users\vbccsb\AppData\Local	1	3606512
2018-07-28 04:52:43 FindFirstFileExW	filepath_r :C:\Users\vbccsb\AppData\Local\Temp filepath :C:\Users\vbccsb\AppData\Local\Temp	1	3606512
2018-07-28 04:52:43 FindFirstFileExW	filepath_r :c:\1dll.bat filepath :c:\1dll.bat	1	3606680
2018-07-28 04:52:43 FindFirstFileExW	filepath_r :c:\1dll.bat filepath :c:\1dll.bat	1	3608888
2018-07-28 04:52:43 FindFirstFileExW	filepath_r :C:\.dll filepath :C:\.dll	1	3723016
2018-07-28 04:52:47 FindFirstFileExW	filepath_r :C:\* filepath :C:\*	1	3723048
2018-07-28 04:52:47 FindFirstFileExW	filepath_r :C:\$Recycle.Bin\.dll filepath :C:\$Recycle.Bin\.dll	0	4294967295
2018-07-28 04:52:47 FindFirstFileExW	filepath_r :C:\$Recycle.Bin\* filepath :C:\$Recycle.Bin\*	1	3609152
2018-07-28 04:52:47 FindFirstFileExW	filepath_r :C:\$Recycle.Bin\S-1-5-21-2946486835-2728351130-1651602021-1000\.dll filepath :C:\$Recycle.Bin\S-1-5-21-2946486835-2728351130-1651602021-1000\.dll	0	4294967295
2018-07-28 04:52:47 FindFirstFileExW	filepath_r :C:\$Recycle.Bin\S-1-5-21-2946486835-2728351130-1651602021-1000\* filepath :C:\$Recycle.Bin\S-1-5-21-2946486835-2728351130-1651602021-1000\*	1	3609216
2018-07-28 04:52:47 FindFirstFileExW	filepath_r :C:\Config.Msi\.dll filepath :C:\Config.Msi\.dll	0	4294967295
2018-07-28 04:52:47 FindFirstFileExW	filepath_r :C:\Config.Msi\* filepath :C:\Config.Msi\*	1	3609144
2018-07-28 04:52:47 FindFirstFileExW	filepath_r :C:\MSOCache\.dll filepath :C:\MSOCache\.dll	0	4294967295
2018-07-28 04:52:47 FindFirstFileExW	filepath_r :C:\MSOCache\* filepath :C:\MSOCache\*	1	3609048
2018-07-28 04:52:48 FindFirstFileExW	filepath_r :C:\MSOCache\All Users\.dll filepath :C:\MSOCache\All Users\.dll	0	4294967295
2018-07-28 04:52:48 FindFirstFileExW	filepath_r :C:\MSOCache\All Users\* filepath :C:\MSOCache\All Users\*	1	3737816
2018-07-28 04:52:48 FindFirstFileExW	filepath_r :C:\MSOCache\All Users\microsoft.watson.watsonrc15.data\.dll filepath :C:\MSOCache\All Users\microsoft.watson.watsonrc15.data\.dll	0	4294967295
2018-07-28 04:52:48 FindFirstFileExW	filepath_r :C:\MSOCache\All Users\microsoft.watson.watsonrc15.data\* filepath :C:\MSOCache\All Users\microsoft.watson.watsonrc15.data\*	1	3881504
2018-07-28 04:52:48 FindFirstFileExW	filepath_r :C:\MSOCache\All Users\{90150000-0016-0409-0000-0000000FF1CE}-C\.dll filepath :C:\MSOCache\All Users\{90150000-0016-0409-0000-0000000FF1CE}-C\.dll	0	4294967295
2018-07-28 04:52:48 FindFirstFileExW	filepath_r :C:\MSOCache\All Users\{90150000-0016-0409-0000-0000000FF1CE}-C\* filepath :C:\MSOCache\All Users\{90150000-0016-0409-0000-0000000FF1CE}-C\*	1	3871552
2018-07-28 04:52:49 FindFirstFileExW	filepath_r :C:\MSOCache\All Users\{90150000-0018-0409-0000-0000000FF1CE}-C\.dll filepath :C:\MSOCache\All Users\{90150000-0018-0409-0000-0000000FF1CE}-C\.dll	0	4294967295
2018-07-28 04:52:49 FindFirstFileExW	filepath_r :C:\MSOCache\All Users\{90150000-0018-0409-0000-0000000FF1CE}-C\* filepath :C:\MSOCache\All Users\{90150000-0018-0409-0000-0000000FF1CE}-C\*	1	3871552
2018-07-28 04:52:50 FindFirstFileExW	filepath_r :C:\MSOCache\All Users\{90150000-0019-0409-0000-0000000FF1CE}-C\.dll filepath :C:\MSOCache\All Users\{90150000-0019-0409-0000-0000000FF1CE}-C\.dll	0	4294967295
2018-07-28 04:52:50 FindFirstFileExW	filepath_r :C:\MSOCache\All Users\{90150000-0019-0409-0000-0000000FF1CE}-C\* filepath :C:\MSOCache\All Users\{90150000-0019-0409-0000-0000000FF1CE}-C\*	1	3871552
2018-07-28 04:52:51 FindFirstFileExW	filepath_r :C:\MSOCache\All Users\{90150000-001A-0409-0000-0000000FF1CE}-C\.dll filepath :C:\MSOCache\All Users\{90150000-001A-0409-0000-0000000FF1CE}-C\.dll	0	4294967295
2018-07-28 04:52:51 FindFirstFileExW	filepath_r :C:\MSOCache\All Users\{90150000-001A-0409-0000-0000000FF1CE}-C\* filepath :C:\MSOCache\All Users\{90150000-001A-0409-0000-0000000FF1CE}-C\*	1	3871552
2018-07-28 04:52:51 FindFirstFileExW	filepath_r :C:\MSOCache\All Users\{90150000-001B-0409-0000-0000000FF1CE}-C\.dll filepath :C:\MSOCache\All Users\{90150000-001B-0409-0000-0000000FF1CE}-C\.dll	0	4294967295
2018-07-28 04:52:51 FindFirstFileExW	filepath_r :C:\MSOCache\All Users\{90150000-001B-0409-0000-0000000FF1CE}-C\* filepath :C:\MSOCache\All Users\{90150000-001B-0409-0000-0000000FF1CE}-C\*	1	3871552
2018-07-28 04:52:52 FindFirstFileExW	filepath_r :C:\MSOCache\All Users\{90150000-002C-0409-0000-0000000FF1CE}-C\.dll filepath :C:\MSOCache\All Users\{90150000-002C-0409-0000-0000000FF1CE}-C\.dll	0	4294967295
2018-07-28 04:52:52 FindFirstFileExW	filepath_r :C:\MSOCache\All Users\{90150000-002C-0409-0000-0000000FF1CE}-C\* filepath :C:\MSOCache\All Users\{90150000-002C-0409-0000-0000000FF1CE}-C\*	1	3871552
2018-07-28 04:52:52 FindFirstFileExW	filepath_r :C:\MSOCache\All Users\{90150000-002C-0409-0000-0000000FF1CE}-C\Proof.en\.dll filepath :C:\MSOCache\All Users\{90150000-002C-0409-0000-0000000FF1CE}-C\Proof.en\.dll	0	4294967295
2018-07-28 04:52:52 FindFirstFileExW	filepath_r :C:\MSOCache\All Users\{90150000-002C-0409-0000-0000000FF1CE}-C\Proof.en\* filepath :C:\MSOCache\All Users\{90150000-002C-0409-0000-0000000FF1CE}-C\Proof.en\*	1	3872032
2018-07-28 04:52:53 FindFirstFileExW	filepath_r :C:\MSOCache\All Users\{90150000-002C-0409-0000-0000000FF1CE}-C\Proof.es\.dll filepath :C:\MSOCache\All Users\{90150000-002C-0409-0000-0000000FF1CE}-C\Proof.es\.dll	0	4294967295
2018-07-28 04:52:53 FindFirstFileExW	filepath_r :C:\MSOCache\All Users\{90150000-002C-0409-0000-0000000FF1CE}-C\Proof.es\* filepath :C:\MSOCache\All Users\{90150000-002C-0409-0000-0000000FF1CE}-C\Proof.es\*	1	3872032
2018-07-28 04:52:53 FindFirstFileExW	filepath_r :C:\MSOCache\All Users\{90150000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\.dll filepath :C:\MSOCache\All Users\{90150000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\.dll	0	4294967295
2018-07-28 04:52:53 FindFirstFileExW	filepath_r :C:\MSOCache\All Users\{90150000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\* filepath :C:\MSOCache\All Users\{90150000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\*	1	3872032
2018-07-28 04:52:53 FindFirstFileExW	filepath_r :C:\MSOCache\All Users\{90150000-0044-0409-0000-0000000FF1CE}-C\.dll filepath :C:\MSOCache\All Users\{90150000-0044-0409-0000-0000000FF1CE}-C\.dll	0	4294967295
2018-07-28 04:52:53 FindFirstFileExW	filepath_r :C:\MSOCache\All Users\{90150000-0044-0409-0000-0000000FF1CE}-C\* filepath :C:\MSOCache\All Users\{90150000-0044-0409-0000-0000000FF1CE}-C\*	1	3873184
2018-07-28 04:52:54 FindFirstFileExW	filepath_r :C:\MSOCache\All Users\{90150000-0090-0409-0000-0000000FF1CE}-C\.dll filepath :C:\MSOCache\All Users\{90150000-0090-0409-0000-0000000FF1CE}-C\.dll	0	4294967295
2018-07-28 04:52:54 FindFirstFileExW	filepath_r :C:\MSOCache\All Users\{90150000-0090-0409-0000-0000000FF1CE}-C\* filepath :C:\MSOCache\All Users\{90150000-0090-0409-0000-0000000FF1CE}-C\*	1	3873184
2018-07-28 04:52:54 FindFirstFileExW	filepath_r :C:\MSOCache\All Users\{90150000-00A1-0409-0000-0000000FF1CE}-C\.dll filepath :C:\MSOCache\All Users\{90150000-00A1-0409-0000-0000000FF1CE}-C\.dll	0	4294967295
2018-07-28 04:52:54 FindFirstFileExW	filepath_r :C:\MSOCache\All Users\{90150000-00A1-0409-0000-0000000FF1CE}-C\* filepath :C:\MSOCache\All Users\{90150000-00A1-0409-0000-0000000FF1CE}-C\*	1	3873184
2018-07-28 04:52:54 FindFirstFileExW	filepath_r :C:\MSOCache\All Users\{90150000-00BA-0409-0000-0000000FF1CE}-C\.dll filepath :C:\MSOCache\All Users\{90150000-00BA-0409-0000-0000000FF1CE}-C\.dll	0	4294967295
2018-07-28 04:52:54 FindFirstFileExW	filepath_r :C:\MSOCache\All Users\{90150000-00BA-0409-0000-0000000FF1CE}-C\* filepath :C:\MSOCache\All Users\{90150000-00BA-0409-0000-0000000FF1CE}-C\*	1	3873184

初始化COM组件
[td]
Time & API
Arguments
Status
Return
2018-07-28 04:53:06
CoInitializeEx
options :2
0 1
在文件内存中发现IP地址或url
url
http://schemas.microsoft.com/SMI/2005/WindowsSettings
查询系统内存大小，某些恶意程序会根据内存大小来判定是否运行在虚拟机中
[td]
Time & API
Arguments
Status
Return
2018-07-28 04:52:56
GlobalMemoryStatusEx
1 1
发起了一些ICMP流量

打开文件并赋予可删除的访问权限
[td]

Time & API	Arguments	Status	Return
2018-07-28 04:52:43 NtCreateFile	create_disposition :1 file_handle :0x00000068 filepath :C:\Windows\System32\en-US\KERNELBASE.dll.mui desired_access :0x80100080 file_attributes :0 filepath_r :\??\C:\Windows\system32\en-US\KERNELBASE.dll.mui create_options :0 status_info :1 share_access :5	1	0
2018-07-28 04:53:01 NtCreateFile	create_disposition :1 file_handle :0x000000c4 filepath :C:\Windows\System32\en-US\NETMSG.DLL.mui desired_access :0x80100080 file_attributes :0 filepath_r :\??\C:\Windows\system32\en-US\NETMSG.DLL.mui create_options :0 status_info :1 share_access :5	1	0

打开Windows的内核安全设备驱动程序（KsecDD）
[td]

Time & API	Arguments	Status	Return
2018-07-28 04:52:57 NtOpenFile	file_handle :0x000000c0 filepath :\Device\KsecDD desired_access :0x00100001 filepath_r :\Device\KsecDD status_info :0 open_options :32 share_access :7	1	0
2018-07-28 04:53:03 NtOpenFile	file_handle :0x000000c0 filepath :\Device\KsecDD desired_access :0x00100001 filepath_r :\Device\KsecDD status_info :0 open_options :32 share_access :7	1	0

查询系统用户名
[td]
Time & API
Arguments
Status
Return
2018-07-28 04:52:45
GetUserNameA
username :vbccsb
1 1
2018-07-28 04:52:50
GetUserNameA
username :vbccsb
1 1

读取计算机名称
registry
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
[td]

源地址	目标地址
192.168.122.188:5355	192.168.122.177:52891

释放文件
[td]

文件名称	文件信息
install.res.1028.dll	文件类型 : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 文件大小 : 76304 MD5 : 4151a4d07640863783f837e588235837 SHA256 : 58475a90250c6818f73763775eea6379e06da6c38e8d2cf0f54eb6112a0a6aee 文件路径 : C:\install.res.1028.dll
install.res.1031.dll	文件类型 : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 文件大小 : 96272 MD5 : 3b8a82e04238655eaef97e074fb29911 SHA256 : 5e49c21b9a15c3a0fddde7ddc32fda220302ee57b8aff66f4f78b370e049410d 文件路径 : C:\install.res.1031.dll
install.res.1033.dll	文件类型 : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 文件大小 : 91152 MD5 : 9edeb8b1c5c0a4cd3a3016b85108127d SHA256 : 9bf7026a47daab7bb2948fd23e8cf42c06dd2e19ef8cdea0af7367453674a8f9 文件路径 : C:\install.res.1033.dll
install.exe	文件类型 : PE32 executable (GUI) Intel 80386, for MS Windows 文件大小 : 562688 MD5 : 520a6d1cbcc9cf642c625fe814c93c58 SHA256 : 08966ce743aa1cbed0874933e104ef7b913188ecd8f0c679f7d8378516c51da2 文件路径 : C:\install.exe
install.res.1036.dll	文件类型 : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 文件大小 : 97296 MD5 : 5b6ff470cfa7087690e61f87e81ef78a SHA256 : 2d1c0a1b17266cff3be7d46cf3020b176e4a058fd7fc57f7b6b97e0760cc45db 文件路径 : C:\install.res.1036.dll
$I346QQ9.exe	文件类型 : data 文件大小 : 544 MD5 : 86dc7bbc2e564838050baa04cdf110d7 SHA256 : 746c13b4cc6eb65fdb68469e003d2830827b8bf5ff4141ca3ce62e1902fdda61 文件路径 : C:\$Recycle.Bin\S-1-5-21-2946486835-2728351130-1651602021-1000\$I346QQ9.exe
install.res.1040.dll	文件类型 : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 文件大小 : 95248 MD5 : 6310ab8fc9e3dbee80592fc453a34fee SHA256 : 7774f2436c96a70b0cdc8176883ee7a4614353f17ad61bfbd5a8d7a1906483d3 文件路径 : C:\install.res.1040.dll
$I7WBCK4.exe	文件类型 : data 文件大小 : 544 MD5 : 59961d8ad2ea579509375f92dcaf02fd SHA256 : 22c91d31c29a8937a82b0ba418a899e8f22e1d0de0538faaf60a1b41c8cb9067 文件路径 : C:\$Recycle.Bin\S-1-5-21-2946486835-2728351130-1651602021-1000\$I7WBCK4.exe
install.res.1041.dll	文件类型 : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 文件大小 : 81424 MD5 : 13ed4517152203de4bc52acc0255d952 SHA256 : 6183324fe24006bc3d8928029dcaccbdae517eb09727f5dd47ea5aaeed3ee26d 文件路径 : C:\install.res.1041.dll
$INLQRYL.exe	文件类型 : data 文件大小 : 544 MD5 : 808d9675aeee96f579c469f6fb1882de SHA256 : cdb2e8f043d3d6f2e1cb161a27c5a4e55686c8d4e286cade5fe386cff5033c83 文件路径 : C:\$Recycle.Bin\S-1-5-21-2946486835-2728351130-1651602021-1000\$INLQRYL.exe
install.res.1042.dll	文件类型 : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 文件大小 : 79888 MD5 : 0d4fb4095ea49c1ec89b9e8db0b936a3 SHA256 : 7d86f3ba0232c2ac4b4fce96e4cebb23700312a032d5d0db988ec6b358be1686 文件路径 : C:\install.res.1042.dll
install.res.2052.dll	文件类型 : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 文件大小 : 75792 MD5 : d7366b34e8afb605c39ef56e2201fe85 SHA256 : f7aa6ebf1413a6e4816bcad5b77c47b6bbe0cfc05cafde4aa872abe3fbd5e62b 文件路径 : C:\install.res.2052.dll
install.res.3082.dll	文件类型 : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 文件大小 : 96272 MD5 : 41bb37a347121f3e5e88d85100638b79 SHA256 : 320c305177ab4ec6e00883a2cf0886019b5d36557219e4a188cf9df3768f157f 文件路径 : C:\install.res.3082.dll
$R346QQ9.exe	文件类型 : PE32 executable (GUI) Intel 80386, for MS Windows 文件大小 : 50449456 MD5 : 251743dfd3fda414570524bac9e55381 SHA256 : 65e064258f2e418816b304f646ff9e87af101e4c9552ab064bb74d281c38659f 文件路径 : C:\$Recycle.Bin\S-1-5-21-2946486835-2728351130-1651602021-1000\$R346QQ9.exe
osetupui.dll	文件类型 : PE32 executable (DLL) (console) Intel 80386, for MS Windows 文件大小 : 191648 MD5 : f6a30f01eebac61a929d8d5e0e63d60e SHA256 : 5e5208f533c40078757add68e6965c07fc53035cdc27cd16d01c69bc8a611e80 文件路径 : C:\MSOCache\All Users\{90150000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll
osetup.dll	文件类型 : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 文件大小 : 7083120 MD5 : 215aef24f306b9dac823c2765bf7839c SHA256 : 8db35ac4e7d889c99a67396cb783456d1accc3b2da051c9da67c6b4ec3462c8e 文件路径 : C:\MSOCache\All Users\{91150000-0011-0000-0000-0000000FF1CE}-C\osetup.dll
PidGenX.dll	文件类型 : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 文件大小 : 1274456 MD5 : fe100eb225aad3ba0caa3cadf9a2393f SHA256 : 92c464c1e6c5da57dbad809596bd20e646d5286ee40610408c104617ccc655ec 文件路径 : C:\MSOCache\All Users\{91150000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll
setup.dll	文件类型 : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 文件大小 : 829576 MD5 : c4136d75731001a351684c9c368c8753 SHA256 : 5a376b548186bb2da03256842e2395eeff69ebd69870239a0b9585001a82ca5f 文件路径 : C:\MSOCache\All Users\{91150000-0011-0000-0000-0000000FF1CE}-C\setup.dll
$R7WBCK4.exe	文件类型 : PE32 executable (GUI) Intel 80386, for MS Windows 文件大小 : 56427072 MD5 : 06c3650e5f3b3518348844af7ef1d64b SHA256 : 13d5ed94fe40d9403d5d25b1ef46593dc7f96993df735ea36a32db3dc8ed8ec7 文件路径 : C:\$Recycle.Bin\S-1-5-21-2946486835-2728351130-1651602021-1000\$R7WBCK4.exe
AiodLite.dll	文件类型 : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 文件大小 : 324080 MD5 : 0353cc71b791370bf3c1f7c2beb42c52 SHA256 : 8ca4e34a6328214e7f30a6fe8d518ecb0e006e4e2a99f05e12729377cb2b56fd 文件路径 : C:\Program Files\Adobe\Acrobat Reader DC\Esl\AiodLite.dll
A3DUtils.dll	文件类型 : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 文件大小 : 166896 MD5 : e5437e80d8d5db9d79bc2f54b55a544b SHA256 : 5c88c4585872b4419dc1163249865d61f378ad167de0530fe83c135014f5fd6b 文件路径 : C:\Program Files\Adobe\Acrobat Reader DC\Reader\A3DUtils.dll
ACE.dll	文件类型 : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 文件大小 : 954352 MD5 : ae0e45a78b65347590cdd41bf1b2c0f0 SHA256 : 741a22483aa0f0364c4eca4288b08d28450710e3a1c52f4427d402f3c827764e 文件路径 : C:\Program Files\Adobe\Acrobat Reader DC\Reader\ACE.dll
slear.bat	文件类型 : ASCII text, with no line terminators 文件大小 : 53 MD5 : b7dccf1a68df6a828b09ed843036b4b0 SHA256 : 69c3eb018371400c7899c5f83b9bb8b4bf008f3f1ed5847d0ce48277d9502d7f 文件路径 : C:\slear.bat
Acrofx32.dll	文件类型 : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 文件大小 : 79032 MD5 : 0c67bffe68617d9695eda5c59f375868 SHA256 : 37f92f1919847ef7d0befb3bd7d723d9e3c4e64f91acacb49d4e7c5ad2c08cf9 文件路径 : C:\Program Files\Adobe\Acrobat Reader DC\Reader\Acrofx32.dll
AcroRd32.dll	文件类型 : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 文件大小 : 24031728 MD5 : 3b030c6b082d2172d614e95cb63e1f17 SHA256 : 146b1d62cc3907052ce5cf5decf0640312665c2950df32ae2614d2b1ece08b2f 文件路径 : C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.dll
$RNLQRYL.exe	文件类型 : PE32 executable (GUI) Intel 80386, for MS Windows 文件大小 : 1821192 MD5 : b936f0f378b9a35489353e878154e899 SHA256 : c6a7e484f4d84883bc1205bccea3114c0521025712922298ede9b2a1cd632357 文件路径 : C:\$Recycle.Bin\S-1-5-21-2946486835-2728351130-1651602021-1000\$RNLQRYL.exe
ose.exe	文件类型 : PE32 executable (GUI) Intel 80386, for MS Windows 文件大小 : 150648 MD5 : 2b8e4c792bed0e5882702720bc528ae5 SHA256 : 6d7cb027bc6014cb268c49b46049cdff3ba94d07102a65bd053335a28e83d125 文件路径 : C:\MSOCache\All Users\{91150000-0011-0000-0000-0000000FF1CE}-C\ose.exe
setup.exe	文件类型 : PE32 executable (GUI) Intel 80386, for MS Windows 文件大小 : 207496 MD5 : aa63d1fa6d81d69c08b388c7b54d9507 SHA256 : c55bc3de64eb6553d66523b9f462a0dcc0f137a6a0c4e5fbb473a74c36cc90a8 文件路径 : C:\MSOCache\All Users\{91150000-0011-0000-0000-0000000FF1CE}-C\setup.exe
AcroRd32Res.dll	文件类型 : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 文件大小 : 14718960 MD5 : 01554d67f4052decd9e41248385ab95a SHA256 : 43ac9c1169704b80dc38a12bae0a34e69de73d20fcd48b3488fdaad4b13c7451 文件路径 : C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32Res.dll
AcrylicConsole.exe	文件类型 : PE32 executable (console) Intel 80386, for MS Windows 文件大小 : 329216 MD5 : fc639c9d48e9944deea0e1eafc7a9426 SHA256 : ffc26ff8204eea97a5f5db157eacb1fe13ebd025c40700283ef0b992c81956ff 文件路径 : C:\Program Files\Acrylic DNS Proxy\AcrylicConsole.exe
AcrylicController.exe	文件类型 : PE32 executable (GUI) Intel 80386, for MS Windows 文件大小 : 47104 MD5 : 6807eb1f2ed9c05480ddd5172c31740d SHA256 : 6e5fdbdcc0afb9d67a9a8f372b9ae48f18aa987dfd7e8f63d99bb16ecbe7f82e 文件路径 : C:\Program Files\Acrylic DNS Proxy\AcrylicController.exe
AcrylicRegExTester.exe	文件类型 : PE32 executable (console) Intel 80386, for MS Windows 文件大小 : 222720 MD5 : e9c0c449397fc230d54f5c95e09b87e1 SHA256 : 7761a2644e2c777f4534ea47b3cd5344bb58873b445a8b1cd7cc848a6bc041aa 文件路径 : C:\Program Files\Acrylic DNS Proxy\AcrylicRegExTester.exe
AdobeLinguistic.dll	文件类型 : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 文件大小 : 516592 MD5 : e6194bf3eaa94eba38d00180d95fa59a SHA256 : 90105b6d12ded506fb2f2ca50df51417d2c9bfc444e6807335135e8b94f994bb 文件路径 : C:\Program Files\Adobe\Acrobat Reader DC\Reader\AdobeLinguistic.dll
AcrylicService.exe	文件类型 : PE32 executable (GUI) Intel 80386, for MS Windows 文件大小 : 648704 MD5 : 3bfd7d2cd35aaa2a8aa58866eea8ba58 SHA256 : 1f1928864412315dc794af9251041a29057a9dfe978ef23fc4d6ebce0b113e14 文件路径 : C:\Program Files\Acrylic DNS Proxy\AcrylicService.exe
Uninstall.exe	文件类型 : PE32 executable (GUI) Intel 80386, for MS Windows 文件大小 : 74231 MD5 : ed6c4c27e544fc6153d67481d27ff171 SHA256 : f7ec782cd534f501aa624ab92b781edc8fed6a768b65520bb70de5676366cbbc 文件路径 : C:\Program Files\Acrylic DNS Proxy\Uninstall.exe
adoberfp.dll	文件类型 : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 文件大小 : 284240 MD5 : c8a002f867ee5472c79a96b39be8e167 SHA256 : aaaa373a3d0c922241cfaf38917d588a94d45bd4491e411a8a5e2a147e49dd4b 文件路径 : C:\Program Files\Adobe\Acrobat Reader DC\Reader\adoberfp.dll
AcroBroker.exe	文件类型 : PE32 executable (GUI) Intel 80386, for MS Windows 文件大小 : 288240 MD5 : 6360fb77398b8dc077d8285e15bfc414 SHA256 : 1dcfdbba6e34824169f31c0768167452b84d1b990386094df346245410710069 文件路径 : C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
AdobeXMP.dll	文件类型 : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 文件大小 : 306768 MD5 : 15c44511b123c5924073de43d8d256a0 SHA256 : 1c76b75d487ae5aa115d8831ab9545f3f5ce1ea8305d644af4513198df7bc961 文件路径 : C:\Program Files\Adobe\Acrobat Reader DC\Reader\AdobeXMP.dll
AcroRd32.exe	文件类型 : PE32 executable (GUI) Intel 80386, for MS Windows 文件大小 : 2270704 MD5 : 697be3d35167f8e52ed09a3bbbf7ee6c SHA256 : e59a05c89cc6dc7bcf7982478d33a761caef79c9e4343b4e7b7b846ab1c8847f 文件路径 : C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
AGM.dll	文件类型 : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 文件大小 : 5144560 MD5 : 99524f8c2c8bf5387b5422395ed2b7a9 SHA256 : c9de7fdc29cb1aa968caaf297de6ba24c02c1426a2091961c85bc8671a126c72 文件路径 : C:\Program Files\Adobe\Acrobat Reader DC\Reader\AGM.dll
AcroRd32Info.exe	文件类型 : PE32 executable (GUI) Intel 80386, for MS Windows 文件大小 : 29168 MD5 : 0358e1c1640be5b430cf8e1c7ad08c83 SHA256 : 3f3767ec563d3ac62b6aa657a169aabeb3e0aa6ae3cfb865d205f7961c7bfa54 文件路径 : C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe
AcroTextExtractor.exe	文件类型 : PE32 executable (GUI) Intel 80386, for MS Windows 文件大小 : 45040 MD5 : 127d567841241ef2ebc2fefaff056c38 SHA256 : 4161764d6f1930bf9e2ecf33224c63e1110c4d83920ac36ab2e7de61f357035d 文件路径 : C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
ahclient.dll	文件类型 : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 文件大小 : 272056 MD5 : e7042a1f10540a60300de864cc463b7c SHA256 : c580f46b30e74e8deb4db186e52d2b98ded377443b7e0b3cb1e37b4236c15724 文件路径 : C:\Program Files\Adobe\Acrobat Reader DC\Reader\ahclient.dll
ADelRCP.exe	文件类型 : PE32 executable (GUI) Intel 80386, for MS Windows 文件大小 : 138736 MD5 : e1eb8ae680f32f950e2912e5c1379482 SHA256 : accc14e277d3ef7ad389ec9d6ec8aa0f8208ea159e7085b0195204c190d075a3 文件路径 : C:\Program Files\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
AdobeCollabSync.exe	文件类型 : PE32 executable (GUI) Intel 80386, for MS Windows 文件大小 : 886768 MD5 : 047777018b35a47e807d58e3162985bd SHA256 : 99155bbcbfdc7038aba7b062b04c059f68ca51d66e8536a96b37505a3e6f923a 文件路径 : C:\Program Files\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
AIDE.dll	文件类型 : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 文件大小 : 1141840 MD5 : e870ac17165c088996fbda07075920ec SHA256 : 891ffc0ba96fcd644a97e493e391ef304fe15fb25e7bc3fc3f5b6c0654744eed 文件路径 : C:\Program Files\Adobe\Acrobat Reader DC\Reader\AIDE.dll
Eula.exe	文件类型 : PE32 executable (GUI) Intel 80386, for MS Windows 文件大小 : 86096 MD5 : 6472ea6d72ffe72a5774db67f6bb19c6 SHA256 : 01f60aaa886c8b1730b6546b9684a46f8745b8eeee0615cf570563ec4d474cb2 文件路径 : C:\Program Files\Adobe\Acrobat Reader DC\Reader\Eula.exe
arh.exe	文件类型 : PE32 executable (console) Intel 80386, for MS Windows 文件大小 : 86688 MD5 : 62763ce3356d1eade149553aab089674 SHA256 : 85012194a74546c1bdf1c921f58a541b12931d0b44993fdf516f51d800d4dd88 文件路径 : C:\Program Files\Adobe\Acrobat Reader DC\Reader\arh.exe
LogTransport2.exe	文件类型 : PE32 executable (console) Intel 80386, for MS Windows 文件大小 : 353872 MD5 : 6623abd95d6ca5b4e9d78570d1e531ad SHA256 : db197e4e2d60b8161a5cf5c41a9d3d1d5cc694c19fe96d71e33747dd20c1d4b3 文件路径 : C:\Program Files\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
reader_sl.exe	文件类型 : PE32 executable (GUI) Intel 80386, for MS Windows 文件大小 : 53840 MD5 : d0b23d1f0d1d730493cf89be5dcbbb4e SHA256 : a8f964bb1623295131320f9a0a3817c5ea9318485c849ac5dcbf0255c9263dea 文件路径 : C:\Program Files\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
AXE8SharedExpat.dll	文件类型 : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 文件大小 : 199152 MD5 : b1ffcde0b936dadb8f21149193a887e7 SHA256 : 42eca55f629eab90593e8e38e73d2ef7aa48e73155e85c7591f9302d54faef92 文件路径 : C:\Program Files\Adobe\Acrobat Reader DC\Reader\AXE8SharedExpat.dll

网址：https://s.threatbook.cn/report/f ... p1_enx86_office2013

显示全部楼层 · 发表于 2018-7-28 22:47:32

Trojan.DownLoader21.39298

这报毒名莫名其妙啊。。

显示全部楼层 · 发表于 2018-7-28 22:51:33

fuzhk 发表于 2018-7-28 22:47
这报毒名莫名其妙啊。。

哪家报的？

显示全部楼层 · 发表于 2018-7-28 22:52:02

18603867890 发表于 2018-7-28 22:51
哪家报的？

Dr.Web

显示全部楼层 · 发表于 2018-7-28 22:52:56

大蜘蛛，不过看样本分析，不是下载者木马。

[病毒样本] 用户锁，密码slear

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源