Behavior observed by the sandbox runtime monitor:
Created a service named: syshost.exe
Created an event named: Global\NitrGB
Created an event named: Local\NitrGB
Created file in defined folder: C:\Documents and Settings\Administrator\Local Settings\Temp\79e4054f.tmp
Created process: (null),C:\WINDOWS\Installer\{E70BF38A-2625-DDC3-5509-CE002C0BE8B5}\syshost.exe,(null)
Created process: (null),cmd.exe /C del /Q /F "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1b158495.tmp",(null)
Defined file type created in Windows folder: C:\WINDOWS\system32\drivers\4802ff.sys
Defined registry AutoStart location created or modified: machine\software\microsoft\Windows\CurrentVersion\Run\syshost32 = C:\WINDOWS\Installer\{E70BF38A-2625-DDC3-5509-CE002C0BE8B5}\syshost.exe
Defined registry AutoStart location created or modified: machine\system\CurrentControlSet\Services\4802ff\DisplayName = syshost.exe
Defined registry AutoStart location created or modified: machine\system\CurrentControlSet\Services\4802ff\ImagePath = C:\WINDOWS\system32\drivers\4802ff.sys
Defined registry AutoStart location created or modified: machine\system\CurrentControlSet\Services\4802ff\Start = 01000000
Defined registry AutoStart location created or modified: machine\system\CurrentControlSet\Services\4802ff\Type = 01000000
Defined registry AutoStart location created or modified: machine\system\CurrentControlSet\Services\SbieSvc\SandboxedServices = *yshost324802ff
Defined registry AutoStart location created or modified: machine\system\CurrentControlSet\Services\syshost32\ImagePath = "C:\WINDOWS\Installer\{E70BF38A-2625-DDC3-5509-CE002C0BE8B5}\syshost.exe" /service
Defined registry AutoStart location created or modified: machine\system\CurrentControlSet\Services\syshost32\SBIE_CurrentState = 01000000
Defined registry AutoStart location created or modified: machine\system\CurrentControlSet\Services\syshost32\Start = 02000000
Defined registry AutoStart location created or modified: machine\system\CurrentControlSet\Services\syshost32\Type = 10000000
Detected keylogger functionality
Ends Windows session
Enumerated running processes
Got volume information
Hide file from user: C:\WINDOWS\SbiePst.dat
Injected code into process:
Injected code into process: c:\documents and settings\administrator\桌面\bsa\bsa.exe
Injected code into process: c:\program files\vmware\vmware tools\vmacthlp.exe
Injected code into process: c:\program files\vmware\vmware tools\vmtoolsd.exe
Injected code into process: c:\program files\vmware\vmware tools\vmupgradehelper.exe
Injected code into process: c:\program files\vmware\vmware tools\vmwaretray.exe
Injected code into process: c:\program files\vmware\vmware tools\vmwareuser.exe
Injected code into process: c:\windows\explorer.exe
Injected code into process: c:\windows\system32\cmd.exe
Injected code into process: c:\windows\system32\ctfmon.exe
Injected code into process: c:\windows\system32\lsass.exe
Injected code into process: c:\windows\system32\services.exe
Injected code into process: c:\windows\system32\smss.exe
Injected code into process: c:\windows\system32\spoolsv.exe
Injected code into process: c:\windows\system32\svchost.exe
Injected code into process: c:\windows\system32\winlogon.exe
Loaded a system driver: :41 SBIE2103 亂bk\諎燫}忹|邁q毃R '4802ff