Thread starter: lovelive10010

[Suspicious file] A suspicious file I came across by chance, please test it

www-tekeze
Posted on 2019-5-7 23:19:46

Antiy Zhijia (安天智甲): kill 6X... Tencent PC Manager (管家) without the BD engine: kill 3X.

杀软病综合医院
Posted on 2019-5-8 00:06:46
360 Safeguard (360卫士) behaves oddly: scanning with 360 alone it only finds 4, and those four should be the same ones the other products find.
But after scanning with Kaspersky and deleting those 4, scanning again with 360 then finds the Taobao EXE and the Baidu EXE as well.


YU2711
Posted on 2019-5-8 00:54:01
Trend Micro Beta 2X
Threat: PUA_QIWMONK
Source: Spyware
Affected Files: C:\Users\USER\Downloads\新建文件夹_2(1)\新建文件夹\C\Program Files\shoucang\百度一下.exe
Response: Removed
Detected By: Manual Scan
Threat: TROJ_GEN.R060C0WD319
Source: Virus
Affected Files: C:\Users\USER\Downloads\新建文件夹_2(1)\新建文件夹\C\WINDOWS\temp\dqpsxzx.exe
Response: Removed
Detected By: Manual Scan




a233
Posted on 2019-5-8 01:01:56
Quote (a233, posted 2019-5-7 22:28):
    Avast Kill 4X (real kill)
    * Avast Scan Report
    * This file is generated automatically

Except for that ~satcb.del, all the other files that were flagged have been submitted as false positives, and some of them have already been cleared as false positives; I'll attach screenshots at noon~
lovelive10010
Thread starter | Posted on 2019-5-8 07:41:05
Quote (a233, posted 2019-5-8 01:01):
    Except for that ~satcb.del, all the other files that were flagged have been submitted as false positives, and some of them have already been cleared as false positives; at ...

Not necessarily false positives: Habo (哈勃) shows it as high risk, and it really does seem to have rogue behaviour.
File name: dqpsxzx.exe
MD5: 1ea4ba08d5b1b5f320506d54c94c5cb0
File type: EXE
Upload time: 2019-05-07 22:46:09
Publisher: N/A
Version: 6.1.19.318---6.1.19.318
Packer/compiler info: PACKER:UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
Child file info: (details)
Key behaviours
Behaviour: VM detection via file attributes
Details:
GetFileAttributes: FileName = C:\Windows\system32\DRIVERS\VBoxGuest.sys
GetFileAttributes: FileName = C:\Windows\system32\DRIVERS\VBoxMouse.sys
GetFileAttributes: FileName = C:\Windows\System32\drivers\VBoxSF.sys
GetFileAttributes: FileName = C:\Windows\system32\DRIVERS\VBoxVideo.sys
GetFileAttributes: FileName = C:\Windows\system32\DRIVERS\vmci.sys
GetFileAttributes: FileName = C:\WINDOWS\system32\Drivers\vmdebug.sys
GetFileAttributes: FileName = C:\Windows\System32\DRIVERS\vmhgfs.sys
GetFileAttributes: FileName = C:\Program Files\VMware\VMware
GetFileAttributes: FileName = C:\Program Files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys
GetFileAttributes: FileName = C:\Program Files\VMware\VMware.exe
GetFileAttributes: FileName = C:\Program Files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys.exe
GetFileAttributes: FileName = C:\Windows\system32\DRIVERS\vmmouse.sys
GetFileAttributes: FileName = C:\Windows\system32\drivers\vmscsi.sys
GetFileAttributes: FileName = C:\Windows\system32\DRIVERS\vmxnet.sys
GetFileAttributes: FileName = C:\Windows\system32\DRIVERS\vmx_svga.sys
Behaviour: Adds browser favourites
Details:
C:\Documents and Settings\Administrator\Favorites\百度一下.url
C:\Documents and Settings\Administrator\Favorites\链接\百度一下.url
C:\Documents and Settings\Administrator\Favorites\links\百度一下.url
C:\Documents and Settings\Administrator\Favorites\网址导航.url
C:\Documents and Settings\Administrator\Favorites\链接\网址导航.url
C:\Documents and Settings\Administrator\Favorites\links\网址导航.url
C:\Documents and Settings\Administrator\Favorites\淘宝网.url
C:\Documents and Settings\Administrator\Favorites\链接\淘宝网.url
C:\Documents and Settings\Administrator\Favorites\links\淘宝网.url
C:\Documents and Settings\Administrator\Favorites\京东商城.url
C:\Documents and Settings\Administrator\Favorites\链接\京东商城.url
C:\Documents and Settings\Administrator\Favorites\links\京东商城.url
C:\Documents and Settings\Administrator\Favorites\天猫精选.url
C:\Documents and Settings\Administrator\Favorites\链接\天猫精选.url
C:\Documents and Settings\Administrator\Favorites\links\天猫精选.url
Behaviour: Reads TickCount
Details:
TickCount = 237431, SleepMilliseconds = 10.
TickCount = 237447, SleepMilliseconds = 10.
TickCount = 237791, SleepMilliseconds = 10.
TickCount = 237806, SleepMilliseconds = 10.
TickCount = 250181, SleepMilliseconds = 10.
TickCount = 250197, SleepMilliseconds = 10.
TickCount = 252760, SleepMilliseconds = 10.
TickCount = 253072, SleepMilliseconds = 10.
TickCount = 253135, SleepMilliseconds = 10.
TickCount = 253197, SleepMilliseconds = 10.
TickCount = 253275, SleepMilliseconds = 10.
TickCount = 253306, SleepMilliseconds = 10.
TickCount = 253369, SleepMilliseconds = 10.
TickCount = 253400, SleepMilliseconds = 10.
TickCount = 253431, SleepMilliseconds = 10.
Behaviour: Opens registry key (VM detection related)
Details:
\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\VMware Physical Disk Helper Service
Behaviour: Renames then deletes the HOSTS file
Details:
C:\WINDOWS\system32\drivers\etc\hosts
Behaviour: VM detection via file search
Details:
FindFirstFileEx: FileName = C:\Windows\system32\DRIVERS\VBoxGuest.sys
FindFirstFileEx: FileName = C:\Windows\system32\DRIVERS\VBoxMouse.sys
FindFirstFileEx: FileName = C:\Windows\System32\drivers\VBoxSF.sys
FindFirstFileEx: FileName = C:\Windows\system32\DRIVERS\VBoxVideo.sys
FindFirstFileEx: FileName = C:\Windows\system32\DRIVERS\vmci.sys
FindFirstFileEx: FileName = C:\WINDOWS\system32\Drivers\vmdebug.sys
FindFirstFileEx: FileName = C:\Windows\System32\DRIVERS\vmhgfs.sys
FindFirstFileEx: FileName = C:\Program Files\VMware\VMware
FindFirstFileEx: FileName = C:\Program Files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys
FindFirstFileEx: FileName = C:\Program Files\VMware\VMware.exe
FindFirstFileEx: FileName = C:\Program Files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys.exe
FindFirstFileEx: FileName = C:\Windows\system32\DRIVERS\vmmouse.sys
FindFirstFileEx: FileName = C:\Windows\system32\drivers\vmscsi.sys
FindFirstFileEx: FileName = C:\Windows\system32\DRIVERS\vmxnet.sys
FindFirstFileEx: FileName = C:\Windows\system32\DRIVERS\vmx_svga.sys
Behaviour: Modifies registry: IE start page
Details:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\Start Page
Behaviour: Modifies registry: autorun entries
Details:
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv

Process behaviour
Behaviour: Creates process with hidden window
Details:
ImagePath = , CmdLine = Rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~fiscanp.inf
Behaviour: Creates process
Details:
[0x00000af8]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe" /nstart
[0x00000c68]ImagePath = C:\WINDOWS\system32\drwtsn32.exe, CmdLine = C:\WINDOWS\system32\drwtsn32 -p 3128 -e 404 -g
[0x00000d28]ImagePath = C:\WINDOWS\system32\drwtsn32.exe, CmdLine = C:\WINDOWS\system32\drwtsn32 -p 3316 -e 392 -g
[0x00000d74]ImagePath = C:\WINDOWS\system32\rundll32.exe, CmdLine = Rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~fiscanp.inf
[0x00000d7c]ImagePath = C:\WINDOWS\system32\runonce.exe, CmdLine = runonce -r
Behaviour: Creates local thread
Details:
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2612, ThreadID = 2624, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2000, ProcessID = 2612, ThreadID = 2628, StartAddress = 004499DF, Parameter = 0137B3E0
TargetProcess: %temp%\****.exe, InheritedFromPID = 2612, ProcessID = 2808, ThreadID = 2816, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: %temp%\****.exe, InheritedFromPID = 2612, ProcessID = 2808, ThreadID = 2820, StartAddress = 004499DF, Parameter = 0137B3F8
TargetProcess: brcxkna.exe, InheritedFromPID = 2612, ProcessID = 3128, ThreadID = 3136, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: brcxkna.exe, InheritedFromPID = 2612, ProcessID = 3128, ThreadID = 3140, StartAddress = 004499DF, Parameter = 0137B2D0
TargetProcess: bvyfxys.exe, InheritedFromPID = 2612, ProcessID = 3316, ThreadID = 3324, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: bvyfxys.exe, InheritedFromPID = 2612, ProcessID = 3316, ThreadID = 3328, StartAddress = 004499DF, Parameter = 0137B2D0
Behaviour: Creates process from newly written file
Details:
[0x00000c38]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\brcxkna.exe, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\brcxkna.exe /HomeRegAccess10
[0x00000cf4]ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bvyfxys.exe, CmdLine = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bvyfxys.exe /HomeRegAccess10
Behaviour: Enumerates processes
Details:
N/A

File behaviour
Behaviour: Creates file
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\aut4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\2612nstvztw
C:\Documents and Settings\Administrator\Local Settings\Temp\aut5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\2808qmcmycd
C:\Documents and Settings\Administrator\Local Settings\Temp\brcxkna.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\aut6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\3128itdefna
C:\Documents and Settings\Administrator\Local Settings\Temp\~hkntojf.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\bvyfxys.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\aut7.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\3316ukqacdr
C:\Documents and Settings\Administrator\Local Settings\Temp\~bvrczyx.tmp
C:\WINDOWS\system32\drivers\etc\hosts
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\显示桌面.scf
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk
Behaviour: VM detection via file attributes
Details:
GetFileAttributes: FileName = C:\Windows\system32\DRIVERS\VBoxGuest.sys
GetFileAttributes: FileName = C:\Windows\system32\DRIVERS\VBoxMouse.sys
GetFileAttributes: FileName = C:\Windows\System32\drivers\VBoxSF.sys
GetFileAttributes: FileName = C:\Windows\system32\DRIVERS\VBoxVideo.sys
GetFileAttributes: FileName = C:\Windows\system32\DRIVERS\vmci.sys
GetFileAttributes: FileName = C:\WINDOWS\system32\Drivers\vmdebug.sys
GetFileAttributes: FileName = C:\Windows\System32\DRIVERS\vmhgfs.sys
GetFileAttributes: FileName = C:\Program Files\VMware\VMware
GetFileAttributes: FileName = C:\Program Files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys
GetFileAttributes: FileName = C:\Program Files\VMware\VMware.exe
GetFileAttributes: FileName = C:\Program Files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys.exe
GetFileAttributes: FileName = C:\Windows\system32\DRIVERS\vmmouse.sys
GetFileAttributes: FileName = C:\Windows\system32\drivers\vmscsi.sys
GetFileAttributes: FileName = C:\Windows\system32\DRIVERS\vmxnet.sys
GetFileAttributes: FileName = C:\Windows\system32\DRIVERS\vmx_svga.sys
Behaviour: Creates executable file
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\brcxkna.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\bvyfxys.exe
Behaviour: Adds browser favourites
Details:
C:\Documents and Settings\Administrator\Favorites\百度一下.url
C:\Documents and Settings\Administrator\Favorites\链接\百度一下.url
C:\Documents and Settings\Administrator\Favorites\links\百度一下.url
C:\Documents and Settings\Administrator\Favorites\网址导航.url
C:\Documents and Settings\Administrator\Favorites\链接\网址导航.url
C:\Documents and Settings\Administrator\Favorites\links\网址导航.url
C:\Documents and Settings\Administrator\Favorites\淘宝网.url
C:\Documents and Settings\Administrator\Favorites\链接\淘宝网.url
C:\Documents and Settings\Administrator\Favorites\links\淘宝网.url
C:\Documents and Settings\Administrator\Favorites\京东商城.url
C:\Documents and Settings\Administrator\Favorites\链接\京东商城.url
C:\Documents and Settings\Administrator\Favorites\links\京东商城.url
C:\Documents and Settings\Administrator\Favorites\天猫精选.url
C:\Documents and Settings\Administrator\Favorites\链接\天猫精选.url
C:\Documents and Settings\Administrator\Favorites\links\天猫精选.url
Behaviour: Searches for file
Details:
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2612nstvztw
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\996EIhJm.exe
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\996EIhKn.exe
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ozefazw
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xebdyec
FileName = C:\WINDOWS\PELOAD\~PELOAD.BIN
FileName = C:\Documents and Settings\Administrator\桌面\2345安全卫士.lnk
FileName = C:\Documents and Settings\Administrator\桌面\2345安全卫士.url
FileName = C:\Documents and Settings\Administrator\桌面\2345安全卫士.exe
FileName = C:\Documents and Settings\Administrator\桌面\2345安全卫士
FileName = C:\Documents and Settings\All Users\桌面\2345安全卫士.lnk
FileName = C:\Documents and Settings\All Users\桌面\2345安全卫士.url
Behaviour: Deletes file
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\aut4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\2612nstvztw
C:\Documents and Settings\Administrator\Local Settings\Temp\aut5.tmp
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Bin\bsecfg.dat
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Bin\f.l.a.s.h_wk.dll
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Bin\malurl.dat
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Bin\bse_temp\updaterun.dat
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\CommCfg.xml
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\config.xml
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\configlocal.xml
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\DailyBackup\Dynamark.db.2012.08.20.09
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\DailyBackup\Dynamark.db.2012.09.14.11
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\DailyBackup\Dynamark.db.2012.10.15.14
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\DailyBackup\Dynamark.db.2012.10.24.10
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\DailyBackup\Dynamark.db.2013.05.22.14
Behaviour: Renames then deletes the HOSTS file
Details:
C:\WINDOWS\system32\drivers\etc\hosts
Behaviour: Modifies file content
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\aut4.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\aut4.tmp ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\aut4.tmp ---> Offset = 73728
C:\Documents and Settings\Administrator\Local Settings\Temp\2612nstvztw ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\2612nstvztw ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\2612nstvztw ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\2612nstvztw ---> Offset = 196608
C:\Documents and Settings\Administrator\Local Settings\Temp\2612nstvztw ---> Offset = 262144
C:\Documents and Settings\Administrator\Local Settings\Temp\aut5.tmp ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\aut5.tmp ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\aut5.tmp ---> Offset = 73728
C:\Documents and Settings\Administrator\Local Settings\Temp\2808qmcmycd ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\Temp\2808qmcmycd ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\Temp\2808qmcmycd ---> Offset = 131072
C:\Documents and Settings\Administrator\Local Settings\Temp\2808qmcmycd ---> Offset = 196608
Behaviour: Overwrites existing file
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\aut4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\aut5.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\aut6.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\aut7.tmp

Network behaviour
Behaviour: Connects to host
Details:
WinHttpConnect: ServerName = yu****om, PORT = 80, UserName = , Password = , hSession = 0x02394000, hConnect = 0x02394100, Flags = 0x00000000
Behaviour: Opens HTTP session
Details:
WinHttpOpen: UserAgent: Mozilla/5.0 (Windows NT 5.1) WinHttp/1.6.3.9 (WinHTTP/5.1) like Gecko, hSession = 0x02394000
Behaviour: Establishes socket connection
Details:
URL: yu****om, IP: **.133.40.**:80, SOCKET = 0x00000164
Behaviour: Sends HTTP request
Details:
POST /ns HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 5.1) WinHttp/1.6.3.9 (WinHTTP/5.1) like Gecko
Host: yu****om
Content-Length: 356
Connection: Keep-Alive

ir5BMQ7jJBH7aM+vIh+agnXVOm5DhCPqv0HbX1hBuK05LY7WtdSV9+WSwE3zDgSx eCCxiDu+di93gImaghMnNE5wT7BiURPiUII+MRwrJqeJPmdmhgGwCVj/Y+mAfmu7 LWBOuXmPMHNDjD53lxNxcjgBbYnN2RiUaw8bVRBom3yB8gpEBZHGy/aCq7xNqlVD ti8qJk8Ng1F7c2ITlOPjV2h/qsdQDjrAIFmhCpLTDpDzgzLqErjaTH2601BRCEIW zPQaXJJplV164IejjMeqaNc/ZQfwPOgd4C/aDBlXZbqd5Vh+MrTvTOTzkYWWtMfO 5vGDm2qq4rtS1J0MnjqQWw==
Behaviour: Opens HTTP request
Details:
WinHttpOpenRequest: yu****om:80/ns, hConnect = 0x02394100, hRequest = 0x029c0000, Verb: POST, Referer: , Flags = 0x00000040
Behaviour: Resolves host by name
Details:
GetAddrInfoW: yu****om

Registry behaviour
Behaviour: Deletes registry key: BHO
Details:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
Behaviour: Opens registry key (VM detection related)
Details:
\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\VMware Physical Disk Helper Service
Behaviour: Modifies registry: Group Policy
Details:
\REGISTRY\USER\S-*\Software\Policies\Microsoft\Internet Explorer\Main\Start Page
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\Start Page
Behaviour: Modifies registry: IE key settings
Details:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
Behaviour: Deletes registry key: Group Policy
Details:
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\disallowed\Certificates\
Behaviour: Deletes registry key
Details:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\
Behaviour: Deletes registry key: autorun entries
Details:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\RunOnce\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\
Behaviour: Modifies registry
Details:
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\First Home Page
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\First Home Page
\REGISTRY\MACHINE\SOFTWARE\Baidu\BaiduProtect\LockIEStartPage\Start Page
\REGISTRY\MACHINE\SOFTWARE\360Safe\safemon\userset\hp
\REGISTRY\MACHINE\SOFTWARE\Tencent\QQPCMgr\SupplyID
\REGISTRY\MACHINE\SOFTWARE\Tencent\QQBrowser\SupplyID
\REGISTRY\MACHINE\SOFTWARE\Tencent\QQBrowser\SubSupplyID
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Behaviour: Deletes registry value
Details:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW\DWFileTreeRoot
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\RunOnce\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\.NETFramework\
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\.NETFramework\
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv
Behaviour: Modifies registry: hidden desktop icon settings
Details:
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu\{871C5380-42A0-1069-A2EA-08002B30309D}
Behaviour: Modifies registry: IE start page
Details:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page
\REGISTRY\USER\S-*\Software\Microsoft\Internet Explorer\Main\Start Page
Behaviour: Modifies registry: autorun entries
Details:
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv

Other behaviour
Behaviour: Checks whether it is being debugged
Details:
IsDebuggerPresent
Behaviour: Creates mutex
Details:
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
DCB327EE729C7BA3
DCB327EE729C7BA2
Local\ZonesCounterMutex
Behaviour: Creates event object
Details:
EventName = Global\userenv: User Profile setup event
EventName = DINPUTWINMM
EventName = ShellCopyEngineRunning
EventName = Global\crypt32LogoffEvent
EventName = ShellCopyEngineFinished
Behaviour: Sets object security information
Details:
CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl
CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings
CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
Behaviour: Finds window
Details:
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
Behaviour: Encrypts data
Details:
[CryptEncrypt] Data: 0x04228090, PlainTextLen: 256, CipherTextLen: 256, Flags: 0x00000000
Behaviour: Opens event
Details:
HookSwitchHookEnabledEvent
Global\crypt32LogoffEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
_fCanRegisterWithShellService
Behaviour: Reads TickCount
Details:
TickCount = 237431, SleepMilliseconds = 10.
TickCount = 237447, SleepMilliseconds = 10.
TickCount = 237791, SleepMilliseconds = 10.
TickCount = 237806, SleepMilliseconds = 10.
TickCount = 250181, SleepMilliseconds = 10.
TickCount = 250197, SleepMilliseconds = 10.
TickCount = 252760, SleepMilliseconds = 10.
TickCount = 253072, SleepMilliseconds = 10.
TickCount = 253135, SleepMilliseconds = 10.
TickCount = 253197, SleepMilliseconds = 10.
TickCount = 253275, SleepMilliseconds = 10.
TickCount = 253306, SleepMilliseconds = 10.
TickCount = 253369, SleepMilliseconds = 10.
TickCount = 253400, SleepMilliseconds = 10.
TickCount = 253431, SleepMilliseconds = 10.
Behaviour: Adjusts process token privileges
Details:
SE_RESTORE_PRIVILEGE
SE_LOAD_DRIVER_PRIVILEGE
Behaviour: Enumerates windows
Details:
N/A
Behaviour: Executable signature information
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\brcxkna.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\Temp\bvyfxys.exe (signature verification: failed)
Behaviour: Calls Sleep
Details:
[1]: MilliSeconds = 10.
[2]: MilliSeconds = 250.
[3]: MilliSeconds = 10.
[4]: MilliSeconds = 10.
[5]: MilliSeconds = 10.
[6]: MilliSeconds = 10.
[7]: MilliSeconds = 10.
[8]: MilliSeconds = 10.
[9]: MilliSeconds = 10.
[10]: MilliSeconds = 10.
[2]: MilliSeconds = 10.
Behaviour: Hides window
Details:
[Window,Class] = [AutoIt v3,AutoIt v3]
Behaviour: Executable MD5
Details:
C:\Documents and Settings\Administrator\Local Settings\Temp\brcxkna.exe ---> file too large!
C:\Documents and Settings\Administrator\Local Settings\Temp\bvyfxys.exe ---> file too large!
Behaviour: Opens mutex
Details:
ShimCacheMutex
Local\!IETld!Mutex
Behaviour: Imports key
Details:
[CryptImportKey] Algorithm: CALG_AES_128 (0x0000660e), Data: 0x043AF038, DataLen: 28, Flags: 0x00000000
Behaviour: VM detection via file search
Details:
FindFirstFileEx: FileName = C:\Windows\system32\DRIVERS\VBoxGuest.sys
FindFirstFileEx: FileName = C:\Windows\system32\DRIVERS\VBoxMouse.sys
FindFirstFileEx: FileName = C:\Windows\System32\drivers\VBoxSF.sys
FindFirstFileEx: FileName = C:\Windows\system32\DRIVERS\VBoxVideo.sys
FindFirstFileEx: FileName = C:\Windows\system32\DRIVERS\vmci.sys
FindFirstFileEx: FileName = C:\WINDOWS\system32\Drivers\vmdebug.sys
FindFirstFileEx: FileName = C:\Windows\System32\DRIVERS\vmhgfs.sys
FindFirstFileEx: FileName = C:\Program Files\VMware\VMware
FindFirstFileEx: FileName = C:\Program Files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys
FindFirstFileEx: FileName = C:\Program Files\VMware\VMware.exe
FindFirstFileEx: FileName = C:\Program Files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys.exe
FindFirstFileEx: FileName = C:\Windows\system32\DRIVERS\vmmouse.sys
FindFirstFileEx: FileName = C:\Windows\system32\drivers\vmscsi.sys
FindFirstFileEx: FileName = C:\Windows\system32\DRIVERS\vmxnet.sys
FindFirstFileEx: FileName = C:\Windows\system32\DRIVERS\vmx_svga.sys

Process tree
****.exe (PID: 0x00000a34)
  brcxkna.exe (PID: 0x00000c38)
    drwtsn32.exe drwtsn32 -p 3128 -e 404 -g (PID: 0x00000c68)
  bvyfxys.exe (PID: 0x00000cf4)
    drwtsn32.exe drwtsn32 -p 3316 -e 392 -g (PID: 0x00000d28)
  ****.exe (PID: 0x00000af8)
    rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 ~fiscanp.inf (PID: 0x00000d74)
    runonce.exe runonce -r (PID: 0x00000d7c)
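The Habo report above is grouped by category, which is good for reading but poor for deciding. What an analyst wants from such output is a verdict with the evidence lines behind it. The Python below is an added example, not part of the forum post and not Habo's own tooling: it matches only the raw API/path detail lines of a report (those are the same whichever language the labels are rendered in) against a small rule set covering what this report shows: the VBox/VMware driver probes via GetFileAttributes and FindFirstFileEx, the GetTickCount samples around Sleep(10), the HOSTS rename-and-replace, the IE Start Page / Default_Page_URL / Favorites hijack, writes to the homepage-lock settings of 360Safe, BaiduProtect and Tencent products, deletion of the Policies\...\SystemCertificates\disallowed key, Run/RunOnce persistence, the rundll32 setupapi,InstallHinfSection INF execution, IsDebuggerPresent and SeLoadDriverPrivilege. REPORT_EXCERPT is a constructed excerpt of lines copied from the report; the rule names, weights and verdict thresholds are this example's own assumptions, not Habo's. (Two other things in the report worth noting while triaging: the hidden "AutoIt v3" window class together with the aut4..aut7.tmp files is the pattern of an AutoIt-compiled script, and a 28-byte CALG_AES_128 key blob is exactly a PLAINTEXTKEYBLOB header plus a 16-byte key.)

```python
"""Triage rules for sandbox behaviour-report lines (added example, not Habo code).

Rules fire on the raw API/path lines only, so the script can be fed a whole
report regardless of the language its "Behaviour:/Details:" labels are in.
Rule names, weights and thresholds are this example's assumptions.
"""
import re
from collections import defaultdict

# Constructed excerpt: lines copied from the Habo report in the thread above.
REPORT_EXCERPT = r"""
GetFileAttributes: FileName = C:\Windows\system32\DRIVERS\VBoxGuest.sys
FindFirstFileEx: FileName = C:\Program Files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys
GetFileAttributes: FileName = C:\Windows\system32\DRIVERS\vmmouse.sys
\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\VMware Physical Disk Helper Service
TickCount = 237431, SleepMilliseconds = 10.
TickCount = 237447, SleepMilliseconds = 10.
TickCount = 237791, SleepMilliseconds = 10.
C:\WINDOWS\system32\drivers\etc\hosts
C:\Documents and Settings\Administrator\Favorites\淘宝网.url
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\Start Page
\REGISTRY\MACHINE\SOFTWARE\360Safe\safemon\userset\hp
\REGISTRY\MACHINE\SOFTWARE\Baidu\BaiduProtect\LockIEStartPage\Start Page
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\disallowed\Certificates\
\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe
ImagePath = , CmdLine = Rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~fiscanp.inf
IsDebuggerPresent
SE_LOAD_DRIVER_PRIVILEGE
"""

# (tag, weight, pattern); weights are an assumption for illustration.
RULES = [
    ("anti_vm_file_probe", 3, re.compile(
        r"^(?:GetFileAttributes|FindFirstFileEx): FileName = .*(?:VBox|vm\w*\.sys|VMware)", re.I)),
    ("anti_vm_registry", 2, re.compile(r"^\\REGISTRY\\.*(?:VMware|VBox|VirtualBox)", re.I)),
    ("anti_debug", 1, re.compile(r"^IsDebuggerPresent$")),
    ("hosts_file_tamper", 3, re.compile(r"\\drivers\\etc\\hosts$", re.I)),
    ("browser_hijack", 3, re.compile(
        r"\\Internet Explorer\\Main\\(?:Start Page|Default_Page_URL|First Home Page)$"
        r"|\\Favorites\\.*\.url$", re.I)),
    ("homepage_lock_tamper", 2, re.compile(
        r"\\(?:360Safe|Baidu\\BaiduProtect|Tencent\\QQPCMgr|Tencent\\QQBrowser)\\", re.I)),
    ("cert_trust_tamper", 3, re.compile(r"\\SystemCertificates\\disallowed\\Certificates", re.I)),
    ("persistence_autorun", 2, re.compile(r"\\CurrentVersion\\(?:Run|RunOnce|RunOnceEx)\\", re.I)),
    ("lolbin_inf_install", 3, re.compile(r"rundll32(?:\.exe)?\s+setupapi,InstallHinfSection", re.I)),
    ("privilege_escalation_prep", 1, re.compile(r"^SE_LOAD_DRIVER_PRIVILEGE$")),
]
TICK_RE = re.compile(r"^TickCount = (\d+), SleepMilliseconds = (\d+)\.$")
WEIGHTS = {tag: w for tag, w, _ in RULES}
WEIGHTS["timing_probe"] = 1


def triage(report_text):
    """Return {tag: [evidence lines]} for every rule that fires on the report."""
    hits = defaultdict(list)
    ticks = []  # (tick_count, requested_sleep_ms) in report order
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TICK_RE.match(line)
        if m:
            ticks.append((int(m.group(1)), int(m.group(2))))
            continue
        for tag, _w, rx in RULES:
            if rx.search(line):
                hits[tag].append(line)
    if len(ticks) >= 2:
        # GetTickCount read repeatedly around Sleep() calls: the classic check for a
        # sandbox that skips sleeps (delta below the requested sleep). The report only
        # shows the samples; pairing consecutive reads is this example's assumption.
        deltas = [b[0] - a[0] for a, b in zip(ticks, ticks[1:])]
        hits["timing_probe"].append(
            f"{len(ticks)} GetTickCount samples around Sleep({ticks[0][1]}); "
            f"min delta {min(deltas)} ms")
    return dict(hits)


def score(hits):
    """Sum the weight of each distinct tag that fired (not per evidence line)."""
    return sum(WEIGHTS[tag] for tag in hits)


def verdict(report_text):
    """Return (label, score, hits); thresholds are an assumption for illustration."""
    hits = triage(report_text)
    s = score(hits)
    label = "malicious" if s >= 8 else "suspicious" if s >= 4 else "clean"
    return label, s, hits


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else REPORT_EXCERPT
    label, s, hits = verdict(text)
    print(f"verdict: {label} (score {s})")
    for tag, lines in hits.items():
        print(f"  {tag}:")
        for ev in lines:
            print(f"    {ev}")
```

Run it with the full report on stdin (`python triage.py < report.txt`) or with no input to use the embedded excerpt. Scoring per distinct tag rather than per line keeps the 15 near-identical driver probes from drowning out a single HOSTS replacement, which on its own is the more damaging finding; a 16 ms delta for Sleep(10) is what a real XP host returns given GetTickCount's roughly 15.6 ms resolution, so the probe here found nothing, which is consistent with the sample going on to run its payload in the sandbox.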
飞碟1234
Posted on 2019-5-8 21:42:18

卡饭论坛 (KaFan forum)
Copyright © KaFan KaFan.cn All Rights Reserved.
