
[Virus sample] This is ridiculous, I keep getting attacked; as soon as my VM goes online, right away there is..

a7878330
Posted 2018-10-1 21:19:08
Last edited by a7878330 on 2018-10-1 21:22

This is ridiculous, I keep getting attacked. As soon as my VM goes online, unknown IPs immediately start attacking it,
and the result is that a trojan or virus gets planted.

I captured one of them,
but I don't know what the song is.
Heh.
It sounds like 千本櫻 (Senbonzakura).



Download: https://www.sendspace.com/file/39i3e2
Download 2: http://www.funp.net/939605
Could you all help me analyze it?


a7878330
(OP) Posted 2018-10-1 21:23:31
Last edited by a7878330 on 2018-10-1 21:27

Addendum!!
It starts running as soon as I boot,
and on top of that my password keeps getting changed,
so I had no choice but to restore the VM from a snapshot.
BE_HC
Posted 2018-10-1 21:25:54
Norton Scan MISS

----

The following was generated automatically by PortEx-master

PEID Signatures
***************

[UPX 2.93 - 3.00 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser] bytes matched: 44 at address: 0x450b60
pattern:  60 be ?? ?? ?? ?? 8d be ?? ?? ?? ?? 57 89 e5 8d 9c 24 ?? ?? ?? ?? 31 c0 50 39 dc 75 fb 46 46 53 68 ?? ?? ?? ?? 57 83 c3 04 53 68 ?? ?? ?? ?? 56 83 c3 04 53 50 c7 03 03 00 02 00 90 90 90 90 90

Hashes
******

MD5:    a0b227c70922a41e93498e9118dff8ed
SHA256: b42f0759433650efa99064cd041e88c20f4522731eddbbca5b7ddf5f763f386a

Section      Type      Hash Value                                                      
---------------------------------------------------------------------------------------
1. UPX0      MD5                                                                       
             SHA256                                                                    
2. UPX1      MD5       7f115a4acac766a234b0b9f746e0602d                                
             SHA256    ea85ed0e931bde815f7e4433323551a75194fc12cedcec80e4eff9ece05e99a7
3. .rsrc     MD5       5685924d77dc4855e56b9a1e8b5ed02f                                
             SHA256    e6429536eb63c2d45e9c870fcd05932e22caebb14fed8d295d8b3958ee35be4d

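
The PEiD rule PortEx reported in the post above is a byte pattern in which `??` stands for any single byte; the "bytes matched: 44" figure is the number of fixed (non-wildcard) bytes in the rule (64 positions, 20 of them wildcards). The following is an added example, not code from the thread, from PortEx or from PEiD, showing how such a rule is applied: the pattern is compiled to a regular expression over bytes and scanned across a buffer. `SAMPLE` and `CLEAN` are constructed buffers (the stub with its wildcard positions filled in, placed behind zero padding, and a buffer without the stub), so the script runs without the real sample.

```python
"""PEiD-style wildcard signature matching.

Added example; this is not code from the thread, from PortEx or from PEiD.
UPX_SIG is the rule PortEx printed above; SAMPLE and CLEAN are constructed
buffers so the script runs without the real sample.
"""
import re
from typing import Optional, Tuple

# Pattern copied from the PortEx output above. "??" matches any single byte.
UPX_SIG = (
    "60 be ?? ?? ?? ?? 8d be ?? ?? ?? ?? 57 89 e5 8d 9c 24 ?? ?? ?? ?? "
    "31 c0 50 39 dc 75 fb 46 46 53 68 ?? ?? ?? ?? 57 83 c3 04 53 68 "
    "?? ?? ?? ?? 56 83 c3 04 53 50 c7 03 03 00 02 00 90 90 90 90 90"
)
# For orientation, the first instructions the fixed bytes encode:
#   60                 pushad
#   be xx xx xx xx     mov  esi, imm32          (source of the packed data)
#   8d be xx xx xx xx  lea  edi, [esi+disp32]   (destination)
#   57                 push edi
#   89 e5              mov  ebp, esp


def sig_to_regex(sig: str) -> "re.Pattern[bytes]":
    """Turn 'aa ?? bb' into a bytes regex: fixed bytes become escaped literals, ?? becomes '.'."""
    parts = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    # DOTALL so that '.' also matches 0x0a, which a plain '.' would not.
    return re.compile(b"".join(parts), re.DOTALL)


def fixed_byte_count(sig: str) -> int:
    """Number of non-wildcard bytes in the rule (the figure PortEx reports as 'bytes matched')."""
    return sum(1 for tok in sig.split() if tok != "??")


def find_signature(data: bytes, sig: str) -> Optional[Tuple[int, int]]:
    """Return (offset, length) of the first match of sig in data, or None."""
    m = sig_to_regex(sig).search(data)
    return (m.start(), m.end() - m.start()) if m else None


def build_stub(sig: str, fill: int = 0x41) -> bytes:
    """Constructed test data: the rule with every ?? replaced by `fill`."""
    return bytes(fill if tok == "??" else int(tok, 16) for tok in sig.split())


PADDING = b"\x00" * 0x40
SAMPLE = PADDING + build_stub(UPX_SIG) + b"\xcc" * 16   # constructed: contains the stub
CLEAN = PADDING + b"\x55\x8b\xec" + b"\x90" * 80        # constructed: no stub

if __name__ == "__main__":
    print("fixed bytes in rule:", fixed_byte_count(UPX_SIG))
    print("SAMPLE:", find_signature(SAMPLE, UPX_SIG))
    print("CLEAN:", find_signature(CLEAN, UPX_SIG))
```

Running the script against a real file means reading it with `open(path, "rb").read()` and passing the bytes to `find_signature`; the offset it returns is a file offset, whereas the address PortEx prints (0x450b60) is a virtual address, so the two are only comparable after mapping through the section table.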
安全守护者
Posted 2018-10-1 21:29:38
Mainland China mirror: https://www.lanzous.com/i200gve
I added a digital signature; nothing else was changed.
Jerry.Lin
Posted 2018-10-1 21:29:46
Huorong MISS

VTSS MISS
dreams521
Posted 2018-10-1 21:30:03
TO KL

Dropped file:
https://www.lanzous.com/i200h0j




a7878330
(OP) Posted 2018-10-1 21:30:04
Can someone save me?
My valuable research data is in the VM.
If I use the snapshot it will be gone.
I forgot to back it up.

安全守护者
Posted 2018-10-1 21:31:49

File detection rating:
High risk
File name: ABC.exe
Basic information
File name:        ABC.exe
MD5:        de07473a624179e027a4e4cae93e2f82
File type:        EXE
Upload time:        2018-10-01 21:28:30
Vendor:        N/A
Version:        1.0.0.0
Packer/compiler info:        PACKER:UPX V2.00-V3.00 -> Markus Oberhumer & Laszlo Molnar & John Reiser [Overlay] *
Child file info:        details
Key behaviors
Behavior:        Modifies user password
Details:
ImagePath = , CmdLine = cmd.exe /c net user %username% "
ImagePath = , CmdLine = cmd.exe /c net user %username% XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXIXXXXXXXXXXXXXXXJKLJKLJLKJLJKLXJKLJXKLXJKLJDGJDKSLHGSDKHGLSDKLSDGHJHKLDSJHLK;DSJHKLHJDSHLKKLtaiwan
Behavior:        Sets special folder attributes
Details:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior:        Looks up PE resource information
Details:
(FindResourceA) hModule = 0x00400000, ResName: F, ResType:
Behavior:        Gets TickCount value
Details:
TickCount = 285515, SleepMilliseconds = 60000.
TickCount = 285546, SleepMilliseconds = 60000.
TickCount = 285562, SleepMilliseconds = 60000.
TickCount = 285578, SleepMilliseconds = 60000.
TickCount = 285625, SleepMilliseconds = 60000.
TickCount = 285656, SleepMilliseconds = 60000.
TickCount = 285640, SleepMilliseconds = 60000.
TickCount = 285671, SleepMilliseconds = 60000.
TickCount = 285703, SleepMilliseconds = 60000.
TickCount = 285718, SleepMilliseconds = 60000.
TickCount = 285750, SleepMilliseconds = 60000.
TickCount = 285765, SleepMilliseconds = 60000.
TickCount = 285781, SleepMilliseconds = 60000.
TickCount = 285796, SleepMilliseconds = 60000.
TickCount = 285812, SleepMilliseconds = 60000.
Process behaviors
Behavior:        Creates process with hidden window
Details:
ImagePath = , CmdLine = "C:\Documents and Settings\Administrator\Local Settings\Temp\8.tmp\ABC.bat" "C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe"
ImagePath = , CmdLine = cmd.exe /c net user %username% "
Behavior:        Creates process
Details:
[0x00000bc4]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c ""C:\Documents and Settings\Administrator\Local Settings\Temp\8.tmp\ABC.bat" "C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe""
Behavior:        Creates local thread
Details:
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2904, ThreadID = 3008, StartAddress = 765E964D, Parameter = 001C6550
TargetProcess: A.exe, InheritedFromPID = 3012, ProcessID = 3020, ThreadID = 3028, StartAddress = 77C0A341, Parameter = 003FCC68
TargetProcess: A.exe, InheritedFromPID = 3012, ProcessID = 3020, ThreadID = 3032, StartAddress = 77C0A341, Parameter = 003FCC68
TargetProcess: A.exe, InheritedFromPID = 3012, ProcessID = 3020, ThreadID = 3048, StartAddress = 071238B3, Parameter = 012E0828
TargetProcess: A.exe, InheritedFromPID = 3012, ProcessID = 3020, ThreadID = 3052, StartAddress = 071238B3, Parameter = 012E0978
TargetProcess: A.exe, InheritedFromPID = 3012, ProcessID = 3020, ThreadID = 3056, StartAddress = 071238B3, Parameter = 012E0AC8
TargetProcess: A.exe, InheritedFromPID = 3012, ProcessID = 3020, ThreadID = 3060, StartAddress = 071238B3, Parameter = 012E0C18
TargetProcess: A.exe, InheritedFromPID = 3012, ProcessID = 3020, ThreadID = 3064, StartAddress = 071238B3, Parameter = 012E0DB0
TargetProcess: A.exe, InheritedFromPID = 3012, ProcessID = 3020, ThreadID = 3068, StartAddress = 071238B3, Parameter = 012E0F00
TargetProcess: A.exe, InheritedFromPID = 3012, ProcessID = 3020, ThreadID = 3084, StartAddress = 7C947EBB, Parameter = 00000000
TargetProcess: A.exe, InheritedFromPID = 3012, ProcessID = 3020, ThreadID = 3088, StartAddress = 7C93059A, Parameter = 001FC250
TargetProcess: A.exe, InheritedFromPID = 3012, ProcessID = 3020, ThreadID = 3092, StartAddress = 7C949B6F, Parameter = 00000000
TargetProcess: A.exe, InheritedFromPID = 3012, ProcessID = 3020, ThreadID = 3096, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: A.exe, InheritedFromPID = 3012, ProcessID = 3020, ThreadID = 3100, StartAddress = 77E56C7D, Parameter = 0023DD20
TargetProcess: A.exe, InheritedFromPID = 3012, ProcessID = 3020, ThreadID = 3104, StartAddress = 769AE43B, Parameter = 001FC4B0
Behavior:        Creates process from newly created file
Details:
[0x00000bcc]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\A.exe, CmdLine = .\A.EXE
[0x00000c30]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\A.exe, CmdLine = A.exe /K
[0x00000c78]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\A.exe, CmdLine = A.exe /K
[0x00000c9c]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\A.exe, CmdLine = A.exe /K
[0x00000d4c]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\A.exe, CmdLine = A.exe /K
[0x00000da8]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\A.exe, CmdLine = A.exe /K
[0x00000e18]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\A.exe, CmdLine = A.exe /K
[0x00000e6c]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\A.exe, CmdLine = A.exe /K
[0x00000eac]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\A.exe, CmdLine = A.exe /K
[0x00000ed8]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\A.exe, CmdLine = A.exe /K
[0x00000f20]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\A.exe, CmdLine = A.exe /K
File behaviors
Behavior:        Creates file
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\8.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\8.tmp\ABC.bat
C:\Documents and Settings\Administrator\Local Settings\%temp%\A.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\USA.mp3
C:\Documents and Settings\Administrator\Local Settings\Temp\9.tmp
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNS.XML.bak
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNS.XML.done
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
Behavior:        Creates executable file
Details:
C:\Documents and Settings\Administrator\Local Settings\%temp%\A.exe
Behavior:        Modifies script file
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\8.tmp\ABC.bat ---> Offset = 0
Behavior:        Overwrites existing file
Details:
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNS.XML
Behavior:        Copies file
Details:
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNS.XML.bak ---> C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNS.XML
Behavior:        Deletes file
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\8.tmp
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNS.XML.done
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNS.XML.bak
Behavior:        Searches for file
Details:
FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\Local Settings
FileName = C:\Documents and Settings\Administrator\My Documents
FileName = C:\Documents and Settings\All Users
FileName = C:\Documents and Settings\All Users\Documents
FileName = C:\Documents and Settings\Administrator\桌面
FileName = C:\Documents and Settings\All Users\桌面
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\8.tmp
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\8.tmp\ABC.bat
Behavior:        Sets special folder attributes
Details:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior:        Modifies file contents
Details:
C:\Documents and Settings\Administrator\Local Settings\%temp%\A.exe ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\USA.mp3 ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNS.XML.bak ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNS.XML ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML ---> Offset = 38
Registry behaviors
Behavior:        Modifies registry
Details:
\REGISTRY\USER\S-*\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Administrator\Local Settings\Temp\8.tmp\ABC.bat
\REGISTRY\USER\S-*\Software\Microsoft\Windows Media\WMSDK\General\UniqueID
\REGISTRY\USER\S-*\Software\Microsoft\Windows Media\WMSDK\General\ComputerName
\REGISTRY\USER\S-*\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber
\REGISTRY\USER\S-*\Software\Microsoft\Windows Media\WMSDK\Namespace\LocalBase
\REGISTRY\USER\S-*\Software\Microsoft\Windows Media\WMSDK\Namespace\DTDFile
\REGISTRY\USER\S-*\Software\Microsoft\Windows Media\WMSDK\Namespace\LocalDelta
\REGISTRY\USER\S-*\Software\Microsoft\Windows Media\WMSDK\Namespace\RemoteDelta
\REGISTRY\USER\S-*\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS\ProxyStyle
\REGISTRY\USER\S-*\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS\ProxyName
\REGISTRY\USER\S-*\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS\ProxyPort
\REGISTRY\USER\S-*\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS\ProxyBypass
\REGISTRY\USER\S-*\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\MMS\ProxyExclude
\REGISTRY\USER\S-*\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP\ProxyStyle
\REGISTRY\USER\S-*\Software\Microsoft\MediaPlayer\Preferences\ProxySettings\HTTP\ProxyName
Behavior:        Deletes registry value
Details:
\REGISTRY\USER\S-*\Software\Microsoft\MediaPlayer\Player\Settings\Client ID
\REGISTRY\USER\S-*\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache\1
Behavior:        Deletes registry key
Details:
\REGISTRY\USER\S-*\Software\Microsoft\MediaPlayer\Health\{B379A02E-86A5-46CF-959C-F760BC09D4CF}\
Other behaviors
Behavior:        Adjusts process token privileges
Details:
SE_LOAD_DRIVER_PRIVILEGE
Behavior:        Creates mutex
Details:
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
AMResourceMutex2
VideoRenderer
eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-*
MSCTF.Shared.MUTEX.IOH
Behavior:        Creates event object
Details:
EventName = DINPUTWINMM
EventName = Global\crypt32LogoffEvent
EventName = {D6D6C847-CA28-498A-850E-52AB4128FCB6}
EventName = {31535143-948E-4B30-A155-CBCA4E220EEC}
EventName = {2E9227F1-A1A4-443A-B9C9-455BEED49F98}
EventName = {C75381F3-1028-40FF-998A-649BF0EBA4F8}
EventName = {FB3BF503-72D7-4A9A-84E5-8988946BCB21}
EventName = {75E2C828-51A0-4EF7-AEFF-51CBFEC1F59F}
EventName = {7294D2F7-684A-494A-8D3C-27D9E9179EFD}
EventName = {61FA50B2-DD2B-47F5-8EBC-047AD4F0C35B}
EventName = {9CB90512-E42C-4AF7-BC5C-09149E86BFE0}
EventName = {74EBE5CE-29E4-408E-972D-BFD22917D57E}
EventName = {B379A02E-86A5-46CF-959C-F760BC09D4CF}
Behavior:        Finds specified window
Details:
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behavior:        Hides specified window
Details:
[Window,Class] = [工程1,ThunderRT6Main]
[Window,Class] = [Form1,ThunderRT6FormDC]
Behavior:        Opens event
Details:
HookSwitchHookEnabledEvent
_fCanRegisterWithShellService
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
Global\crypt32LogoffEvent
WMPPERF_APP_END_OF_LAUNCH
MSFT.VSA.COM.DISABLE.3020
MSFT.VSA.IEC.STATUS.6c736db0
{D6D6C847-CA28-498A-850E-52AB4128FCB6}
MSFT.VSA.COM.DISABLE.3120
{31535143-948E-4B30-A155-CBCA4E220EEC}
MSFT.VSA.COM.DISABLE.3192
{2E9227F1-A1A4-443A-B9C9-455BEED49F98}
MSFT.VSA.COM.DISABLE.3228
Global\SvcctrlStartEvent_A3752DX
{C75381F3-1028-40FF-998A-649BF0EBA4F8}
Behavior:        Gets TickCount value
Details:
TickCount = 285515, SleepMilliseconds = 60000.
TickCount = 285546, SleepMilliseconds = 60000.
TickCount = 285562, SleepMilliseconds = 60000.
TickCount = 285578, SleepMilliseconds = 60000.
TickCount = 285625, SleepMilliseconds = 60000.
TickCount = 285656, SleepMilliseconds = 60000.
TickCount = 285640, SleepMilliseconds = 60000.
TickCount = 285671, SleepMilliseconds = 60000.
TickCount = 285703, SleepMilliseconds = 60000.
TickCount = 285718, SleepMilliseconds = 60000.
TickCount = 285750, SleepMilliseconds = 60000.
TickCount = 285765, SleepMilliseconds = 60000.
TickCount = 285781, SleepMilliseconds = 60000.
TickCount = 285796, SleepMilliseconds = 60000.
TickCount = 285812, SleepMilliseconds = 60000.
Behavior:        Gets cursor position
Details:
CursorPos = (80,18468), SleepMilliseconds = 60000.
CursorPos = (6373,26501), SleepMilliseconds = 60000.
CursorPos = (19208,15725), SleepMilliseconds = 60000.
CursorPos = (11517,29359), SleepMilliseconds = 60000.
CursorPos = (27001,24465), SleepMilliseconds = 60000.
CursorPos = (5744,28146), SleepMilliseconds = 60000.
CursorPos = (23320,16828), SleepMilliseconds = 60000.
CursorPos = (10000,492), SleepMilliseconds = 60000.
CursorPos = (3034,11943), SleepMilliseconds = 60000.
CursorPos = (4866,5437), SleepMilliseconds = 60000.
CursorPos = (32430,14605), SleepMilliseconds = 60000.
CursorPos = (3941,154), SleepMilliseconds = 60000.
CursorPos = (331,12383), SleepMilliseconds = 60000.
CursorPos = (17460,18717), SleepMilliseconds = 60000.
CursorPos = (19757,19896), SleepMilliseconds = 60000.
Behavior:        Window information
Details:
Pid = 3872, Hwnd=0x3051a, Text = 确定, ClassName = Button.
Pid = 3872, Hwnd=0x20528, Text = Run-time error "5": Invalid procedure call or argument, ClassName = Static.
Pid = 3872, Hwnd=0x404de, Text = 工程1, ClassName = #32770.
Behavior:        Looks up PE resource information
Details:
(FindResourceA) hModule = 0x00400000, ResName: F, ResType:
Behavior:        Executable signature information
Details:
C:\Documents and Settings\Administrator\Local Settings\%temp%\A.exe (signature verification: failed)
Behavior:        Calls Sleep function
Details:
[1]: MilliSeconds = 25.
[2]: MilliSeconds = 25.
[3]: MilliSeconds = 25.
[4]: MilliSeconds = 25.
[5]: MilliSeconds = 25.
[6]: MilliSeconds = 25.
[7]: MilliSeconds = 25.
[8]: MilliSeconds = 25.
[9]: MilliSeconds = 25.
[10]: MilliSeconds = 25.
[1]: MilliSeconds = 60000.
[2]: MilliSeconds = 0.
[3]: MilliSeconds = 0.
[4]: MilliSeconds = 250.
Behavior:        Modifies user password
Details:
ImagePath = , CmdLine = cmd.exe /c net user %username% "
ImagePath = , CmdLine = cmd.exe /c net user %username% XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXIXXXXXXXXXXXXXXXJKLJKLJLKJLJKLXJKLJXKLXJKLJDGJDKSLHGSDKHGLSDKLSDGHJHKLDSJHLK;DSJHKLHJDSHLKKLtaiwan
Behavior:        Executable MD5
Details:
C:\Documents and Settings\Administrator\Local Settings\%temp%\A.exe ---> 241979930dd9495293352954e25b2bbc
Behavior:        Opens mutex
Details:
ShimCacheMutex
Local\!IETld!Mutex
MutexToProtectNamespace
Local\_!MSFTHISTORY!_
Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Local\c:!documents and settings!administrator!cookies!
Local\c:!documents and settings!administrator!local settings!history!history.ie5!
Process tree
****.exe (PID: 0x00000b58)
-cmd.exe (PID: 0x00000bc4)
--a.exe (PID: 0x00000bcc)


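The sandbox report in the post above records the exact command the sample runs to reset the account password (`cmd.exe /c net user %username% <new password>`), plus the batch file and the A.exe it launches from the temp directory. Pulling those two facts out of a process log is the first triage step on a report like this. The following is an added example, not code from the thread or from the sandbox that produced the report: it parses entries in that report's `ImagePath = ..., CmdLine = ...` format, flags `net user` password resets separately from other account changes, and flags scripts or executables run from a Temp directory (checking the image path as well as the command line, since the report shows `.\A.EXE` as the command while the image sits under `%temp%`). `SAMPLE_REPORT` is constructed to mimic the format; the password in it is made up.

```python
"""Triage of sandbox process entries: password resets and temp-dir execution.

Added example; not code from the thread or from the sandbox that produced the
report above. It parses lines in that report's "ImagePath = ..., CmdLine = ..."
format. SAMPLE_REPORT is constructed for this example and only mimics that
format; the password in it is made up.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One process entry: optional "[0x...]" PID prefix, then ImagePath and CmdLine.
ENTRY_RE = re.compile(r"ImagePath\s*=\s*(?P<image>.*?),\s*CmdLine\s*=\s*(?P<cmd>.*)$")
# "net user <account> <arg>" (net.exe or net1.exe). An <arg> that is not a
# /switch is the new password; a quoted argument is accepted because net.exe
# allows passwords containing spaces when quoted.
NET_USER_RE = re.compile(
    r'\bnet1?(?:\.exe)?\s+user\s+(?P<user>\S+)\s+(?P<arg>"[^"]*"|\S+)', re.I)
# A script or executable under a Temp directory, by path or via the %temp% alias.
TEMP_EXEC_RE = re.compile(
    r'(?:\\Temp\\|%temp%\\)[^\s",]*\.(?:bat|cmd|exe|vbs|js|ps1)\b', re.I)


@dataclass
class Finding:
    rule: str                      # password_reset | account_modify | temp_exec
    user: Optional[str] = None
    secret: Optional[str] = None   # the password the command sets, if any
    path: Optional[str] = None
    raw: str = ""


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Return (ImagePath, CmdLine) for a process entry, None for any other line."""
    m = ENTRY_RE.search(line)
    if not m:
        return None
    return m.group("image").strip(), m.group("cmd").strip()


def triage(lines) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        image, cmd = parsed
        m = NET_USER_RE.search(cmd)
        if m:
            if m.group("arg").startswith("/"):
                findings.append(Finding("account_modify", user=m.group("user"), raw=cmd))
            else:
                findings.append(Finding("password_reset", user=m.group("user"),
                                        secret=m.group("arg").strip('"'), raw=cmd))
            continue
        # Search image path and command line together: the report shows ".\A.EXE"
        # as the command while the image itself lives under %temp%.
        m = TEMP_EXEC_RE.search(image + " " + cmd)
        if m:
            findings.append(Finding("temp_exec", path=m.group(0), raw=cmd))
    return findings


def password_resets(findings: List[Finding]) -> List[Tuple[str, str]]:
    """(account, new password) pairs: what an operator needs to regain access."""
    return [(f.user, f.secret) for f in findings if f.rule == "password_reset"]


# Constructed entries mimicking the report's format (the password is made up).
SAMPLE_REPORT = r"""
[0x00000bc4]ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c ""C:\Documents and Settings\Administrator\Local Settings\Temp\8.tmp\ABC.bat" "C:\Documents and Settings\Administrator\Local Settings\%temp%\dropper.exe""
ImagePath = , CmdLine = cmd.exe /c net user %username% ExamplePassw0rd
[0x00000bcc]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\A.exe, CmdLine = .\A.EXE
[0x00000c30]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\A.exe, CmdLine = A.exe /K
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd.exe /c net user guest /active:no
TickCount = 285515, SleepMilliseconds = 60000.
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT.splitlines()):
        print(f.rule, f.user or f.path, f.secret or "")
```

`%username%` is left unexpanded because the sandbox logged it that way; on the infected machine cmd.exe expands it to the logged-on account, so the password captured here is the one that account was reset to.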
a7878330
(OP) Posted 2018-10-1 21:33:39
This virus changed my VM password.
Help me.
(crying)
dreams521
Posted 2018-10-1 21:34:09
Copyright © KaFan  KaFan.cn All Rights Reserved.
