Could an expert please take a look: my computer has been locked by a lock-screen program, and the software is packed
I just slipped and clicked on a lock-screen program, and now my computer is locked. The system is Win7. Could an expert please take a look and work out the password? Malware sample link: https://pan.baidu.com/s/1fbL000Z3go0Gx2GNn29QIQ Extraction code: t37f
Basic information
File name: 2333.exe
MD5: b6e8b17301770d542b67e6bf2478eeba
File type: EXE
Upload time: 2019-07-11 08:57:31
Vendor: N/A
Version: 1.0.0.0---1.0.0.0
Packer or compiler info: COMPILER:Elan
Key behaviors
Behavior: Reads the CPU timestamp counter directly (RDTSC; EAX/EDX hold the low/high 32 bits)
Details:
EAX = 0x0f6b4f37, EDX = 0x000000b4
EAX = 0x0f6b4f83, EDX = 0x000000b4
EAX = 0x0f6b4fcf, EDX = 0x000000b4
EAX = 0x0f6b501b, EDX = 0x000000b4
EAX = 0x0f6b5067, EDX = 0x000000b4
EAX = 0x0f6b50b3, EDX = 0x000000b4
EAX = 0x0f6b50ff, EDX = 0x000000b4
EAX = 0x0f6b514b, EDX = 0x000000b4
EAX = 0x0f6b5197, EDX = 0x000000b4
EAX = 0x0f6b51e3, EDX = 0x000000b4
Behavior: Captures foreground window screenshot information
Details:
Foreground window Info: HWND = 0x0001034a, DC = 0x01010057.
Foreground window Info: HWND = 0x0001034a, DC = 0x0c0101e7.
Foreground window Info: HWND = 0x0001035c, DC = 0x01010057.
Foreground window Info: HWND = 0x0002035e, DC = 0x01010057.
Foreground window Info: HWND = 0x0003035c, DC = 0x0c0101e7.
Foreground window Info: HWND = 0x0001034a, DC = 0x07010751.
Process behavior
Behavior: Enumerates processes
Details:
N/A
Registry behavior
Behavior: Modifies the registry
Details:
\REGISTRY\USER\S-*\Software\Microsoft\Multimedia\DrawDib\vga.drv 1920x973x32(BGR 0)
Other behavior
Behavior: Creates mutexes
Details:
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.IOH
MSCTF.Shared.MUTEX.AKJ
Behavior: Creates event objects
Details:
EventName = DINPUTWINMM
EventName = MSCTF.SendReceiveConection.Event.AKJ.IC
EventName = MSCTF.SendReceive.Event.AKJ.IC
Behavior: Opens a mutex
Details:
ShimCacheMutex
Behavior: Searches for a specified window
Details:
NtUserFindWindowEx: =
NtUserFindWindowEx: =
Behavior: Opens events
Details:
HookSwitchHookEnabledEvent
CTF.ThreadMIConnectionEvent.000007E8.00000000.00000010
CTF.ThreadMarshalInterfaceEvent.000007E8.00000000.00000010
MSCTF.SendReceiveConection.Event.IOH.IC
MSCTF.SendReceive.Event.IOH.IC
Behavior: Window information
Details:
Pid = 2460, Hwnd=0x1034a, Text = 使用说明 [Instructions], ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2460, Hwnd=0x10348, Text = 启动 [Start], ClassName = Button.
Pid = 2460, Hwnd=0x10346, Text = 您好,我是本外挂作者! 在此,我将向您介绍使用方法: 若您是首次使用本软件, 1、请先退出杀毒软件 2、点击[启动]即可使用! 最后,我真挚的祝福你:开挂快乐~ [Hello, I am the author of this cheat! Let me explain how to use it: if this is your first time using this software, 1. exit your antivirus first; 2. click [Start] and you can use it! Finally, my sincere wishes: happy cheating~], ClassName = _EL_Label.
Pid = 2460, Hwnd=0x10342, Text = 打开前务必关闭杀软,否则该软件将无法使用! 打开前务必关闭杀软,否则该软件将无法使用! 打开前务必关闭杀软,否则该软件将无法使用! 重要的事说三次!! [Be sure to close your antivirus before opening, otherwise this software will not work! (repeated three times) Important things are said three times!!], ClassName = _EL_Label.
Pid = 2460, Hwnd=0x10340, Text = 教程界面 取次花丛懒回顾,半缘修道半缘君! [Tutorial screen, followed by a line of classical Chinese poetry], ClassName = WTWindow.
Pid = 2460, Hwnd=0x1035c, Text = 确定 [OK], ClassName = Button.
Pid = 2460, Hwnd=0x1035e, Text = 您开启了杀毒软件,使用时可能阻止操作,请手动在右下角托盘处右键退出杀毒软件,谢谢配合! [You have antivirus software enabled, which may block operations during use; please right-click its tray icon at the bottom right and exit it manually. Thank you for your cooperation!], ClassName = Static.
Pid = 2460, Hwnd=0x6035a, Text = 信息: [Information:], ClassName = #32770.
Pid = 2460, Hwnd=0x2035e, Text = 确定 [OK], ClassName = Button.
Pid = 2460, Hwnd=0x2035c, Text = 您开启了杀毒软件,使用时可能阻止操作,请手动在右下角托盘处右键退出杀毒软件,谢谢配合! [same antivirus prompt as above], ClassName = Static.
Pid = 2460, Hwnd=0x7035a, Text = 信息: [Information:], ClassName = #32770.
Pid = 2460, Hwnd=0x3035c, Text = 确定 [OK], ClassName = Button.
Pid = 2460, Hwnd=0x3035e, Text = 您开启了杀毒软件,使用时可能阻止操作,请手动在右下角托盘处右键退出杀毒软件,谢谢配合! [same antivirus prompt as above], ClassName = Static.
Pid = 2460, Hwnd=0x8035a, Text = 信息: [Information:], ClassName = #32770.
Pid = 2460, Hwnd=0x4035e, Text = 确定 [OK], ClassName = Button.
Behavior: Captures foreground window screenshot information
Details:
Foreground window Info: HWND = 0x0001034a, DC = 0x01010057.
Foreground window Info: HWND = 0x0001034a, DC = 0x0c0101e7.
Foreground window Info: HWND = 0x0001035c, DC = 0x01010057.
Foreground window Info: HWND = 0x0002035e, DC = 0x01010057.
Foreground window Info: HWND = 0x0003035c, DC = 0x0c0101e7.
Foreground window Info: HWND = 0x0001034a, DC = 0x07010751.
Behavior: Hides specified windows
Details:
= [,_EL_Timer]
= [,ComboLBox ]
Behavior: Reads the CPU timestamp counter directly (RDTSC; EAX/EDX hold the low/high 32 bits)
Details:
EAX = 0x0f6b4f37, EDX = 0x000000b4
EAX = 0x0f6b4f83, EDX = 0x000000b4
EAX = 0x0f6b4fcf, EDX = 0x000000b4
EAX = 0x0f6b501b, EDX = 0x000000b4
EAX = 0x0f6b5067, EDX = 0x000000b4
EAX = 0x0f6b50b3, EDX = 0x000000b4
EAX = 0x0f6b50ff, EDX = 0x000000b4
EAX = 0x0f6b514b, EDX = 0x000000b4
EAX = 0x0f6b5197, EDX = 0x000000b4
EAX = 0x0f6b51e3, EDX = 0x000000b4
Process tree
****.exe (PID: 0x0000099c)
https://bbs.kafan.cn/thread-2135185-1-1.html
Boot into a PE environment and rebuild the master boot record.
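A small triage script for the sandbox report pasted above, added here as an example; it is not part of the original post and not the sandbox vendor's tooling. It parses the window-information and RDTSC sections into two indicators a responder wants before touching the locked machine: window texts that tell the user to quit their antivirus (a keyword heuristic on 杀毒/杀软 plus 退出/关闭), and window class names from the 易语言 (EPL) runtime. The `_EL_*` / `WTWindow` class mapping is an assumption made here, consistent with the `COMPILER:Elan` field in the report header. The sample lines are copied from the report above (one long repeated sentence abridged) and are not a live capture.

```python
"""Triage a Habo-style sandbox report: AV-disable prompts, EPL classes, RDTSC deltas."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the report above
# (one long repeated sentence abridged). Not a live capture.
WINDOW_INFO = """\
Pid = 2460, Hwnd=0x1034a, Text = 使用说明, ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2460, Hwnd=0x10348, Text = 启动, ClassName = Button.
Pid = 2460, Hwnd=0x10346, Text = 您好,我是本外挂作者! 在此,我将向您介绍使用方法: 若您是首次使用本软件, 1、请先退出杀毒软件 2、点击[启动]即可使用! 最后,我真挚的祝福你:开挂快乐~, ClassName = _EL_Label.
Pid = 2460, Hwnd=0x10342, Text = 打开前务必关闭杀软,否则该软件将无法使用! 重要的事说三次!!, ClassName = _EL_Label.
Pid = 2460, Hwnd=0x10340, Text = 教程界面 取次花丛懒回顾,半缘修道半缘君!, ClassName = WTWindow.
Pid = 2460, Hwnd=0x1035e, Text = 您开启了杀毒软件,使用时可能阻止操作,请手动在右下角托盘处右键退出杀毒软件,谢谢配合!, ClassName = Static.
"""

RDTSC_LOG = """\
EAX = 0x0f6b4f37, EDX = 0x000000b4
EAX = 0x0f6b4f83, EDX = 0x000000b4
EAX = 0x0f6b4fcf, EDX = 0x000000b4
EAX = 0x0f6b501b, EDX = 0x000000b4
EAX = 0x0f6b5067, EDX = 0x000000b4
EAX = 0x0f6b50b3, EDX = 0x000000b4
EAX = 0x0f6b50ff, EDX = 0x000000b4
EAX = 0x0f6b514b, EDX = 0x000000b4
EAX = 0x0f6b5197, EDX = 0x000000b4
EAX = 0x0f6b51e3, EDX = 0x000000b4
"""

# One "窗口信息" line: Text may itself contain commas, so match it lazily
# up to the ClassName field; the class name ends with a trailing period.
WINDOW_RE = re.compile(
    r"Pid = (\d+), Hwnd=(0x[0-9a-fA-F]+), Text = (.*?), ClassName = (\S+?)\.?$"
)
RDTSC_RE = re.compile(r"EAX = 0x([0-9a-fA-F]+), EDX = 0x([0-9a-fA-F]+)")
# Heuristic: a window that both names antivirus and asks to quit/close it.
AV_RE = re.compile(r"杀毒|杀软")
QUIT_RE = re.compile(r"退出|关闭")
EPL_CLASS_PREFIX = "_EL_"     # assumption: EPL (易语言) control class prefix
EPL_MAIN_WINDOW = "WTWindow"  # assumption: EPL top-level window class


@dataclass
class WindowRecord:
    pid: int
    hwnd: int
    text: str
    class_name: str


def parse_window_lines(report: str) -> list[WindowRecord]:
    """Parse every 'Pid = ..., ClassName = ...' line; skip anything else."""
    records = []
    for line in report.splitlines():
        m = WINDOW_RE.match(line.strip())
        if m:
            records.append(WindowRecord(int(m.group(1)), int(m.group(2), 16),
                                        m.group(3), m.group(4)))
    return records


def parse_rdtsc(report: str) -> list[int]:
    """Reassemble each RDTSC read into the 64-bit counter value EDX:EAX."""
    return [(int(edx, 16) << 32) | int(eax, 16) for eax, edx in RDTSC_RE.findall(report)]


def rdtsc_deltas(values: list[int]) -> list[int]:
    """Differences between consecutive reads: what a timing check thresholds on."""
    return [b - a for a, b in zip(values, values[1:])]


def is_av_disable_prompt(text: str) -> bool:
    return bool(AV_RE.search(text) and QUIT_RE.search(text))


def is_epl_class(class_name: str) -> bool:
    return class_name.startswith(EPL_CLASS_PREFIX) or class_name == EPL_MAIN_WINDOW


def triage(window_report: str, rdtsc_report: str) -> dict:
    windows = parse_window_lines(window_report)
    ticks = parse_rdtsc(rdtsc_report)
    deltas = rdtsc_deltas(ticks)
    return {
        "av_disable_prompts": [w.text for w in windows if is_av_disable_prompt(w.text)],
        "epl_classes": sorted({w.class_name for w in windows if is_epl_class(w.class_name)}),
        "rdtsc_reads": len(ticks),
        "rdtsc_deltas": deltas,
        # All deltas equal: every read was spaced identically in the sandbox.
        "rdtsc_uniform": len(set(deltas)) == 1 if deltas else False,
    }


if __name__ == "__main__":
    for key, value in triage(WINDOW_INFO, RDTSC_LOG).items():
        print(f"{key}: {value}")
```

Three of the six windows ask the user to turn off antivirus, two class names come from the EPL runtime, and the ten RDTSC reads are spaced exactly 76 ticks apart; the social-engineering prompts plus the repeated counter reads are the two things worth recording about this sample before deciding whether a PE boot and MBR repair, as suggested in the reply, is enough.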