WD on a real machine: double-clicking triggers behavior telemetry, cloud behavior analysis kills it, and it also trips the local behavior monitoring; the dropper (parent file) gets deleted.
BEGIN BM telemetry
GUID:{96E9A6FD-9D9F-FB77-1B57-9B7EB27FAE8B}
TelemetryName:Behavior:Win32/PsHiddenWindowLaunch.A
SignatureID:71140829738329
ProcessID:4168
ProcessCreationTime:132108374522463789
SessionID:1
CreationTime:08-21-2019 13:04:14
ImagePath:C:\Windows\System32\wscript.exe
ImagePathHash:F42201B5D890A96302F90102B16D7C31CFCC3B67C801BA7C6F6BE223F16D7011
TargetFileName:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
END BM telemetry
2019-08-21T05:04:15.789Z [Cloud] Start of cloud request.
2019-08-21T05:04:15.789Z [Cloud] Queued cloud request.
2019-08-21T05:04:15.789Z [Cloud] Dequeued cloud request.
2019-08-21T05:04:15.789Z [Cloud] RpcSpynetQueueGenerateReport(). hr = 0x0
2019-08-21T05:04:15.858Z [Cloud] MpEngineParseSpyNetResponse(). hr = 0x0
2019-08-21T05:04:15.858Z [Cloud] End of cloud request.
2019-08-21T05:04:17.462Z [Cloud] Engine is requesting config to do cloud query [regular network].
2019-08-21T05:04:17.462Z [Cloud] Start of cloud request.
2019-08-21T05:04:17.462Z [Cloud] Queued cloud request.
2019-08-21T05:04:17.462Z [Cloud] MpEngineCloudRequest(). hr = 0x0
2019-08-21T05:04:17.462Z [Cloud] Dequeued cloud request.
2019-08-21T05:04:17.462Z [Cloud] RpcSpynetQueueGenerateReport(). hr = 0x0
Dynamic Signature has been received
Dynamic Signature Type:Signature Update
Signature Path:C:\ProgramData\Microsoft\Windows Defender\Scans\\RtSigs\Data\39f5a24493284ed674c1f35c04147c02ae2f04e3
Dynamic Signature Compilation Timestamp:08-21-2019 13:04:19
Persistence Type:VDM Version
Source Version:282759332888577
Expiration Version:282759332888577
2019-08-21T05:04:18.163Z Dynamic signature received
2019-08-21T05:04:18.295Z [Cloud] End of cloud request.
BEGIN BM telemetry
GUID:{2DA48BC7-F72F-68E1-C6A2-EA6FC6F687FE}
TelemetryName:Behavior:Win32/SuspPsReadFile.D
SignatureID:66741195881356
ProcessID:7204
ProcessCreationTime:132108374545819948
SessionID:1
CreationTime:08-21-2019 13:04:14
ImagePath:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ImagePathHash:908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53
TargetFileName:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
END BM telemetry
2019-08-21T05:04:18.326Z [Cloud] Start of cloud request.
2019-08-21T05:04:18.326Z [Cloud] Queued cloud request.
2019-08-21T05:04:18.326Z [Cloud] Dequeued cloud request.
2019-08-21T05:04:18.326Z [Cloud] RpcSpynetQueueGenerateReport(). hr = 0x0
2019-08-21T05:04:18.448Z [Cloud] MpEngineParseSpyNetResponse(). hr = 0x0
2019-08-21T05:04:18.448Z [Cloud] End of cloud request.
2019-08-21T05:04:18.564Z [Cloud] Engine is requesting config to do cloud query [regular network].
2019-08-21T05:04:18.579Z [Cloud] Start of cloud request.
2019-08-21T05:04:18.579Z [Cloud] Queued cloud request.
2019-08-21T05:04:18.579Z [Cloud] MpEngineCloudRequest(). hr = 0x0
2019-08-21T05:04:18.579Z [Cloud] Dequeued cloud request.
2019-08-21T05:04:18.579Z [Cloud] RpcSpynetQueueGenerateReport(). hr = 0x0
2019-08-21T05:04:18.764Z [Cloud] End of cloud request.
2019-08-21T05:04:18.949Z [Cloud] Engine is requesting config to do cloud query [regular network].
2019-08-21T05:04:18.965Z [Cloud] Start of cloud request.
2019-08-21T05:04:18.965Z [Cloud] Queued cloud request.
2019-08-21T05:04:18.965Z [Cloud] MpEngineCloudRequest(). hr = 0x0
2019-08-21T05:04:18.965Z [Cloud] Dequeued cloud request.
2019-08-21T05:04:18.965Z [Cloud] RpcSpynetQueueGenerateReport(). hr = 0x0
Dynamic Signature has been received
Dynamic Signature Type:Signature Update
Signature Path:C:\ProgramData\Microsoft\Windows Defender\Scans\\RtSigs\Data\329712ed2f51dd764be80faa294d05357341f8e7
Dynamic Signature Compilation Timestamp:08-21-2019 13:04:21
Persistence Type:VDM Version
Source Version:282759332888577
Expiration Version:282759332888577
2019-08-21T05:04:19.366Z Dynamic signature received
2019-08-21T05:04:19.366Z [MpRtp] Engine VFZ block: \Device\HarddiskVolume5\12345\3f.js\3f.js. status=0x8070002, statusex=0x2, threatid=0x8003e730, sigseq=0x2667b38901e4
2019-08-21T05:04:19.366Z [Cloud] End of cloud request.
BEGIN BM telemetry
GUID:{23ED1B22-0EF4-1E18-EDFA-FCC004D13D1D}
TelemetryName:Behavior:Win32/VbsLaunchPs.A
SignatureID:162400387308353
ProcessID:4168
ProcessCreationTime:132108374522463789
SessionID:1
CreationTime:08-21-2019 13:04:14
ImagePath:C:\Windows\System32\wscript.exe
ImagePathHash:F42201B5D890A96302F90102B16D7C31CFCC3B67C801BA7C6F6BE223F16D7011
TargetFileName:C:\Windows\System32\wscript.exe
END BM telemetry
2019-08-21T05:04:19.397Z [Mini-filter] Blocked file: \Device\HarddiskVolume5\12345\3f.js\3f.js. Process: \Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Status: 0x0, State: 16, ScanRequest #83464, FileId: 0x200000000b695, Reason: OnOpen, IoStatusBlockForNewFile: 0xffffffff, DesiredAccess:0x120089, FileAttributes:0x80, ScanAttributes:0x0, AccessStateFlags:0x801, BackingFileInfo: 0x0, 0x0, 0x0:0\0x0:0
Begin Resource Scan
Scan ID:{E3EC1B2B-BBDA-4F48-B646-FAF52CF6A21B}
Scan Source:3
Start Time:08-21-2019 13:04:19
End Time:08-21-2019 13:04:19
Explicit resource to scan
Resource Schema:file
Resource Path:D:\12345\3f.js\3f.js
Result Count:1
Threat Name:Behavior:Win32/Execution.XE!ml
ID:2147737318
Severity:5
Number of Resources:1
Resource Schema:file
Resource Path:D:\12345\3f.js\3f.js
Extended Info:42226835587556
End Scan
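As an added example (my own code, not part of the original post and not Microsoft's tooling), a Python parser for the MPLog excerpt above. It reads the BEGIN/END BM telemetry blocks, converts the FILETIME ProcessCreationTime values to UTC so they line up with the UTC-stamped [Cloud] and [MpRtp] lines (CreationTime in the blocks is local time, UTC+8 here), groups the Behavior:* hits by PID, pulls the VFZ and Mini-filter block events plus the Resource Scan verdict, and prints the chain in order. SAMPLE is a trimmed copy of the log lines on this page; the function names, the regexes and the field-parsing helper are my assumptions about the format as shown, not a documented MPLog schema.

```python
"""Parse a Windows Defender MPLog excerpt (BM telemetry blocks, [MpRtp] and
[Mini-filter] block events, the Resource Scan verdict) into a per-process
detection chain. Added illustration, not Defender tooling; every field name
comes from the log text posted above."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a trimmed copy of the MPLog lines in the post above.
SAMPLE = r"""
BEGIN BM telemetry
TelemetryName:Behavior:Win32/PsHiddenWindowLaunch.A
ProcessID:4168
ProcessCreationTime:132108374522463789
CreationTime:08-21-2019 13:04:14
ImagePath:C:\Windows\System32\wscript.exe
TargetFileName:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
END BM telemetry
2019-08-21T05:04:15.789Z [Cloud] Start of cloud request.
2019-08-21T05:04:18.163Z Dynamic signature received
BEGIN BM telemetry
TelemetryName:Behavior:Win32/SuspPsReadFile.D
ProcessID:7204
ProcessCreationTime:132108374545819948
CreationTime:08-21-2019 13:04:14
ImagePath:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFileName:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
END BM telemetry
2019-08-21T05:04:19.366Z Dynamic signature received
2019-08-21T05:04:19.366Z [MpRtp] Engine VFZ block: \Device\HarddiskVolume5\12345\3f.js\3f.js. status=0x8070002, statusex=0x2, threatid=0x8003e730, sigseq=0x2667b38901e4
BEGIN BM telemetry
TelemetryName:Behavior:Win32/VbsLaunchPs.A
ProcessID:4168
ProcessCreationTime:132108374522463789
CreationTime:08-21-2019 13:04:14
ImagePath:C:\Windows\System32\wscript.exe
TargetFileName:C:\Windows\System32\wscript.exe
END BM telemetry
2019-08-21T05:04:19.397Z [Mini-filter] Blocked file: \Device\HarddiskVolume5\12345\3f.js\3f.js. Process: \Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Status: 0x0, State: 16, ScanRequest #83464, FileId: 0x200000000b695, Reason: OnOpen, DesiredAccess:0x120089
Begin Resource Scan
Resource Path:D:\12345\3f.js\3f.js
Threat Name:Behavior:Win32/Execution.XE!ml
ID:2147737318
Severity:5
End Scan
"""

EPOCH_AS_FILETIME = 116_444_736_000_000_000  # FILETIME ticks (100 ns) at 1970-01-01T00:00:00Z
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT[\d:.]+Z) \[(?P<src>MpRtp|Mini-filter)\] "
    r"(?:Engine VFZ block|Blocked file): (?P<path>\S+?)\. (?P<rest>.*)$", re.M)
FIELD_RE = re.compile(r"([A-Za-z]\w*)[:=] ?([^,]+)")  # "key=value" and "Key: value" pairs

def filetime_to_utc(ft):
    """ProcessCreationTime is a FILETIME; convert it to an aware UTC datetime so it can be
    lined up with the UTC-stamped [Cloud]/[MpRtp] lines (CreationTime is local time)."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(
        microseconds=(ft - EPOCH_AS_FILETIME) // 10)

def _kv_block(body):
    """'Key:Value' lines of a telemetry or scan block into a dict (first ':' splits)."""
    return dict(line.strip().split(":", 1) for line in body.splitlines() if ":" in line)

def parse_bm_telemetry(text):
    """One dict per BEGIN/END BM telemetry block, with ProcessID as int and start time in UTC."""
    records = []
    for body in re.findall(r"BEGIN BM telemetry\n(.*?)\nEND BM telemetry", text, re.S):
        rec = _kv_block(body)
        rec["ProcessID"] = int(rec["ProcessID"])
        rec["ProcessStartUtc"] = filetime_to_utc(int(rec["ProcessCreationTime"]))
        records.append(rec)
    return records

def parse_scan_results(text):
    """One dict per Begin Resource Scan / End Scan block (Threat Name, Severity, Resource Path)."""
    return [_kv_block(body) for body in
            re.findall(r"Begin Resource Scan\n(.*?)\nEnd Scan", text, re.S)]

def build_chain(text):
    """Group behaviour detections by PID, keep block events in log order, take the last verdict."""
    processes = {}
    for rec in parse_bm_telemetry(text):
        proc = processes.setdefault(rec["ProcessID"], {
            "image": rec["ImagePath"], "start_utc": rec["ProcessStartUtc"], "behaviors": []})
        proc["behaviors"].append(rec["TelemetryName"])
    blocks = [{**m.groupdict(), "fields": dict(FIELD_RE.findall(m.group("rest")))}
              for m in EVENT_RE.finditer(text)]
    scans = parse_scan_results(text)
    return {"processes": processes, "blocks": blocks, "verdict": scans[-1] if scans else None}

def describe(chain):
    """One line per process (ordered by start time), per block event, and for the verdict."""
    out = []
    for pid, proc in sorted(chain["processes"].items(), key=lambda kv: kv[1]["start_utc"]):
        out.append(f"{proc['start_utc'].isoformat()} pid={pid} {proc['image']} -> "
                   + ", ".join(proc["behaviors"]))
    for b in chain["blocks"]:
        who = b["fields"].get("Process") or "threatid=" + b["fields"].get("threatid", "?")
        out.append(f"{b['ts']} [{b['src']}] blocked {b['path']} ({who})")
    v = chain["verdict"]
    if v:
        out.append(f"verdict: {v['Threat Name']} severity={v['Severity']} on {v['Resource Path']}")
    return out

if __name__ == "__main__":
    print("\n".join(describe(build_chain(SAMPLE))))
```

Run on the excerpt, the chain reads: wscript.exe (PID 4168) started at 05:04:12 UTC and accumulated PsHiddenWindowLaunch.A and VbsLaunchPs.A; powershell.exe (PID 7204) started about 2.3 s later and tripped SuspPsReadFile.D; the VFZ block and the Mini-filter block on 3f.js (opened by powershell.exe, Reason: OnOpen) both land right after the second dynamic signature is received at 05:04:19.366Z, and the resource scan then names the file Behavior:Win32/Execution.XE!ml at severity 5. The same parser works on any MPLog slice that carries these three record types; fields it does not know about are kept in the `fields` dict rather than dropped.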