This post was last edited by hxuf on 2020-10-10 at 23:18
https://www.hostloc.com/thread-751208-1-1.html
The cloud-drive link provided in the second reply. After the software update it is a virus. Kaspersky and Huorong both went off.
Could the moderators please deal with this. @mtx @欧阳逍遥
Updated Habo scan information: https://habo.qq.com/file/showdetail?md5=f9e75f2e161f068002663a8c462cd826&pk=ADcGYl1lB2MIO1s%2BU2Q%3D
Full disk scan is currently at 99%, no problems found.
Excerpt of the Habo scan information:
Basic information
File name:
KinhDown.exe
MD5: f9e75f2e161f068002663a8c462cd826
File type: EXE
Upload time: 2020-10-10 23:07:21
Publisher: Uallen_Qbit
Version: 1.0.0.0---1.0.0.0
Packer/compiler info: PACKER:UPolyX v0.5
Key behaviors
Behavior: Directly invokes critical system APIs
Details:
Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x011260C9
Index = 0x000000E5, Name: NtSetInformationThread, Instruction Address = 0x01CC1078
Index = 0x00000074, Name: NtOpenFile, Instruction Address = 0x010D6703
Index = 0x00000032, Name: NtCreateSection, Instruction Address = 0x01102F3E
Index = 0x0000006C, Name: NtMapViewOfSection, Instruction Address = 0x01102F3E
Index = 0x0000010B, Name: NtUnmapViewOfSection, Instruction Address = 0x010FFA67
Index = 0x00000019, Name: NtClose, Instruction Address = 0x010FFA67
Index = 0x00000019, Name: NtClose, Instruction Address = 0x0118B783
Index = 0x00000089, Name: NtProtectVirtualMemory, Instruction Address = 0x01102F3E
Behavior: Reads the TickCount value
Details:
Behavior: Reads the CPU clock directly
Details:
Behavior: Detects a virtual machine via VMware-specific instructions
Details:
N/A
Process behavior
Creates processes
Creates local threads
Enumerates processes
File behavior
Searches for files
Other behavior
Directly invokes critical system APIs
Checks whether it is being debugged
Creates mutexes
Creates event objects
Opens mutexes
Finds a specified window
Opens events
Searches for the kernel32.dll base address
Window information
Calls the Sleep function
Hides a specified window
Reads the TickCount value
Reads the CPU clock directly
Detects a virtual machine via VMware-specific instructions