Maldun (魔盾) Security Analysis Report

Analysis summary
  Analysis type: FILE
  Start time: 2016-11-25 00:20:03
  End time: 2016-11-25 00:22:18
  Duration: 135 seconds
  Analysis engine version: 1.4-Maldun

Virtual machine
  Machine name: win7-sp1-x64
  Label: win7-sp1-x64
  Hypervisor: KVM
  Boot time: 2016-11-25 00:20:03
  Shutdown time: 2016-11-25 00:22:18

Maldun score: 0.0 (normal)

File details
  File name: remove360.bat
  File size: 2859 bytes
  File type: ASCII text, with CRLF line terminators
  CRC32: 551A650A
  MD5: 38be70f4206f373acb221de197974410
  SHA1: 749411ed5dca7331ddf1515c1d0e39b8d3972d08
  SHA256: ef2a9a4a58fbfd1484eb2f0f0d85969dded42c4b45d86291b5e97bd2af6e57d2
  SHA512: 632da3b0b9fed4e3f722806b2cbb0b01a932c9a7bba54fae91eaee428cf92c05cb70ebd8e8a6abf976f6724e7e969bf6b3d133edfc7fab3529aa809f60763e61
  Ssdeep: 48:zMQVBUAfvikvRdKP9PcNzmUzHCK3Z3J3WFTFDF6FzF0wF0SFMFFFIFArFq8zR7DK:xwUBROt0
  PEiD: no match
  Yara: no Yara rule matched
  VirusTotal: no scan results for this file

Signatures
  No signature matched

Screenshots
  (no entries)

Network analysis
  (no entries)

Static analysis
  (no entries)

Dropped files
  (no entries)

Behavioral analysis

Mutexes
  (no entries)

Executed commands
  (no entries)

Created services
  (no entries)

Started services
  (no entries)

Processes
  cmd.exe  PID: 2520, parent PID: 2556
  cmd.exe  PID: 2604, parent PID: 2520

Accessed files
  C:\Users\test\AppData\Local\Temp
  C:\Users
  C:\Users\test
  C:\Users\test\AppData
  C:\Users\test\AppData\Local
  C:\
  C:\Users\test\AppData\Local\Temp\remove360.bat
  C:\Users\test\AppData\Local\Temp\remove360.bat\
  C:\Users\test\AppData\Local\Temp\
  C:\Users\test\AppData\Local\
  C:\Users\test\AppData\
  C:\Users\test\
  C:\Users\
  C:
  \??\MountPointManager
  C:\Program Files (x86)\360\360safe\360base.dll
  C:\Program Files (x86)\360\360safe
  C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
  C:\Program Files (x86)\360\360safe\360common.dll
  C:\Program Files (x86)\360\360safe\360conf.dll
  C:\Program Files (x86)\360\360safe\360netbase.dll
  C:\Program Files (x86)\360\360safe\360util.dll
  C:\Program Files (x86)\360\360safe\config\newui\themes\default
  C:\Program Files (x86)\360\360safe\config\newui\themes\default\*
  C:\Program Files (x86)\360\360safe\config\newui\themes
  C:\Program Files (x86)\360\360safe\config\newui\themes\*
  C:\Program Files (x86)\360\360safe\config\newui
  C:\Program Files (x86)\360\360safe\config\newui\*
  C:\Program Files (x86)\360\360safe\config
  C:\Program Files (x86)\360\360safe\config\*
  C:\Program Files (x86)\360\360safe\ipc\drvutility.dll
  C:\Program Files (x86)\360\360safe\ipc
  C:\Program Files (x86)\360\360safe\ipc\filecache\filecache.dat
  C:\Program Files (x86)\360\360safe\ipc\filecache
  C:\Program Files (x86)\360\360safe\ipc\filecache\filecache.dat.log1
  C:\Program Files (x86)\360\360safe\ipc\filecache\filecache.dat.log2
  C:\Program Files (x86)\360\360safe\ipc\filecache\filecache.dat{7eee90ee-b215-11e6-a3af-c22e3f3617f7}.tm.blf
  C:\Program Files (x86)\360\360safe\ipc\filecache\filecache.dat{7eee90ee-b215-11e6-a3af-c22e3f3617f7}.tmcontainer00000000000000000001.regtrans-ms
  C:\Program Files (x86)\360\360safe\ipc\filecache\filecache.dat{7eee90ee-b215-11e6-a3af-c22e3f3617f7}.tmcontainer00000000000000000002.regtrans-ms
  C:\Program Files (x86)\360\360safe\ipc\filecache\*
  C:\Program Files (x86)\360\360safe\ipc\qutmipc.dll
  C:\Program Files (x86)\360\360safe\ipc\*
  C:\Program Files (x86)\360\360safe\netmon\360askmsg.dll
  C:\Program Files (x86)\360\360safe\netmon
  C:\Program Files (x86)\360\360safe\netmon\360nmvdl.dll
  C:\Program Files (x86)\360\360safe\netmon\*
  C:\Program Files (x86)\360\360safe\safemon\360guardbase.dll
  C:\Program Files (x86)\360\360safe\safemon
  C:\Program Files (x86)\360\360safe\safemon\360hipspopwnd.dll
  C:\Program Files (x86)\360\360safe\safemon\360udiskguard64.dll
  C:\Program Files (x86)\360\360safe\safemon\safehmpg64.dll
  C:\Program Files (x86)\360\360safe\safemon\safemon.dll
  C:\Program Files (x86)\360\360safe\safemon\safemon64.dll
  C:\Program Files (x86)\360\360safe\safemon\safewrapper.dll
  C:\Program Files (x86)\360\360safe\safemon\safewrapper32.dll
  C:\Program Files (x86)\360\360safe\safemon\wdexhelperx64.dll
  C:\Program Files (x86)\360\360safe\safemon\wdui2.dll
  C:\Program Files (x86)\360\360safe\safemon\*
  C:\Program Files (x86)\360\360safe\uninst.exe
  C:\Program Files (x86)\360\360safe\utils\npaxlogin.dll
  C:\Program Files (x86)\360\360safe\utils
  C:\Program Files (x86)\360\360safe\utils\*
  C:\Program Files (x86)\360\360safe\softmgr
  C:\Program Files (x86)\360\360safe\softmgr\*
  C:\Program Files (x86)\360\360safe\leakrepair.dat
  C:\Users\ADMINI~1\AppData\Local\Temp\remove360.bat
  C:\Users\ADMINI~1\AppData\Local\Temp

Read files
  C:\Users\test\AppData\Local\Temp\remove360.bat
  C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui

Modified files
  (no entries)

Deleted files
  C:\Program Files (x86)\360\360safe\config\newui\themes\default
  C:\Program Files (x86)\360\360safe\config\newui\themes
  C:\Program Files (x86)\360\360safe\config\newui
  C:\Program Files (x86)\360\360safe\config
  C:\Program Files (x86)\360\360safe\ipc\filecache
  C:\Program Files (x86)\360\360safe\ipc
  C:\Program Files (x86)\360\360safe\netmon
  C:\Program Files (x86)\360\360safe\safemon
  C:\Program Files (x86)\360\360safe\utils
  C:\Program Files (x86)\360\360safe\softmgr
  C:\Program Files (x86)\360\360safe

Registry keys
  HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
  HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\LevelObjects
  HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\Levels
  HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
  HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes
  HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones
  HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths
  HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes
  HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones
  HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths
  HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes
  HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones
  HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths
  HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes
  HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones
  HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths
  HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes
  HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones
  HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
  HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes
  HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones
  HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths
  HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes
  HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones
  HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths
  HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes
  HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones
  HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths
  HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes
  HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones
  HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths
  HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes
  HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\DefaultLevel
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\SaferFlags
  HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Srp\\GP\
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Srp\GP\RuleCount
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\PolicyScope
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\LogFileName
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable

Read registry keys
  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\Levels
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\DefaultLevel
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\SaferFlags
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Srp\GP\RuleCount
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\PolicyScope
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\LogFileName
  HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable

Modified registry keys
  (no entries)

Deleted registry keys
  (no entries)

API resolution
  kernel32.dll.setthreaduilanguage
  kernel32.dll.copyfileexw
  kernel32.dll.isdebuggerpresent
  kernel32.dll.setconsoleinputexenamew
  advapi32.dll.saferidentifylevel
  advapi32.dll.safercomputetokenfromlevel
  advapi32.dll.safercloselevel

2016 上海魔盾信息科技有限公司 (Shanghai Maldun Information Technology Co., Ltd.)