فيروس Ransom لإغلاق الشاشة بتقنية ذكية (لكسر الروتين)

yones7x · 4 يوليو 2014

بسم الله الرحمن الرحيم
أقدم لكم اليوم عينة من برمجتي
وهي عبارة عن فيروس Ransom بسيط جدًا للتجربة

والفيروس -بكل بساطة- يخفي جميع الواجهات التي على الويندوز شاملًا واجهات عملية explorer.exe

وذلك بدلًا من إغلاق العمليات، حيث تتسبب الأخيرة في اشتباه كبير بالفيروس

وبهذه التقنية (إخفاء الواجهات فقط بدون إغلاق العملية) سيكون اكتشافه من برنامج الحماية ضعيف جدًا
وأيضًا -بهذه التقنية- يستطيع إخفاء واجهات برامج الحماية

وذلك لا يشمل كاسبر 2015 (يشمل 2014 وتحت

) وأونلاين أرمور حتى الآن حسب تجربتي

كما أنوه أن الفيروس لم استخدم تقنيات أخرى فيه لتقليل الاشتباه كالتشفير وغيره
ولم أحسن التقنية التي فيه كما يجب، ولكن وضعتها بأبسط ما يكون

أي أن الاكتشافات لهذا الفيروس ستكون أعلى ما يمكن، فلنرى كم ستكون حسب تجاربكم

[hide]رابط التحميل:

يجب عليك تسجيل الدخول او تسجيل لمشاهدة الرابط المخفي

Pass: infected[/hide]

ملاحظة: وضعت مقبض أمان في حال تم تخطي برنامج الحماية

وهو أن الفيروس يسمح لك بإدخال كلمة OK في مربع النص
وسيتم إزالة الفيروس، وسيبقى عليك إعادة التشغيل + حذفه من المسار الذي سيخبرك به

وإذا لم يتم إدخال النص OK سيبقى الفيروس يعمل حتى بعد إعادة التشغيل

MagicianMiDo32 · 4 يوليو 2014

جاري التجربة على المكافي

Devil Eye · 4 يوليو 2014

النورتن تعامل معه بفك الضغط

yones7x · 4 يوليو 2014

Devil Eye قال:
النورتن تعامل معه بفك الضغط
مشاهدة المرفق 55867

على ما يبدو، اكتشاف كاذب كما هي عادة النورتن

دائمًا ما يقول هكذا لأي برنامج بلغة AutoIt

لكن أتمنى تضع تسمية الإكتشاف لنرى...

qysr · 4 يوليو 2014

ما شاءالله النود نايم في العسل

Devil Eye · 4 يوليو 2014

yones7x قال:
على ما يبدو، اكتشاف كاذب كما هي عادة النورتن
دائمًا ما يقول هكذا لأي برنامج بلغة AutoIt

لكن أتمنى تضع تسمية الإكتشاف لنرى...

Abdallah Pro · 4 يوليو 2014

الفحص على فيروس توتال

يجب عليك تسجيل الدخول او تسجيل لمشاهدة الرابط المخفي

alaa8iniesta · 4 يوليو 2014

فك الضغط ..

الحجز

MagicianMiDo32 · 4 يوليو 2014

ali2014 قال:
الفحص على فيروس توتال

يجب عليك تسجيل الدخول او تسجيل لمشاهدة الرابط المخفي

أخي فيرس توتال يرسل العينات الآن باظت التشفيرة
لاتقلق اخي ان لم تكن تعلم ذلك

أمم nano security يحتاج الى تجربة

Abdallah Pro · 4 يوليو 2014

medo32 قال:
أخي فيرس توتال يرسل العينات الآن باظت التشفيرة
لاتقلق اخي ان لم تكن تعلم ذلك

أمم nano security يحتاج الى تجربة

أعتذر جدا أخى الكريم لم أكن أعلم

عبدالرحمن نبهان · 4 يوليو 2014

أفاست عند فك الضغط

يجب عليك تسجيل الدخول او تسجيل لمشاهدة الرابط المخفي

MagicianMiDo32 · 4 يوليو 2014

بسم الله الرحمن الرحيم
التجربة على المكافي

تم تفعيل ال maximum protection لكن مع وضع الـ Access protection على وضع ال Report only mode

ثانيا تم أضافة قاعدة لمراقبة جميع قيم الريجستري

وقاعدة لمراقبة جميع الملفات بالسي

وأخرى لمراقبة الحقن بالعملية explorer.exe

ثم تم تشغيل الملف وتجمد النظام>> طبعا المكافي يعطي تقارير فقط

وتمت كتابة ok >>> حلوة يايونس

أقترح اضافة ملف مضاد مع الفيروسات التي يطرحها الاعضاء

وظهرت هذة الرسالة بها مسار الفيروس

ثم تم عمل ريستارت وأشتغل النظام

وفي ذلك الحين قام المكافي بفصفصة الملف بشكل كامل وأليكم التقرير + التحليل
تشغيل الملف
30/06/2014 06:04:39 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\VERCLSID.EXE User-defined Rules

revent programs to access to System drive Action blocked : Read

أستخراج نفسه في بيانات البريفيكت >> ليعمل بسرعة وتلقائيا مع بدأ التشغيل رائع يايونس
30/06/2014 06:04:39 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\Prefetch\VERCLSID.EXE-3667BD89.pf User-defined Rules

revent programs to access to System drive Action blocked : Read

أضافة قاعدة الى الكرنل عن طريق ملف ال ntdl
30/06/2014 06:04:39 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\ntdll.dll User-defined Rules

revent programs to access to System drive Action blocked : Read
وطبعا بديهي الحقن في ال kernel.dll
30/06/2014 06:04:39 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\KERNEL32.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read

++ مع العلم انه يمكن حقن مكتبة ربط ديناميكي dll بهذين الملفين لجعل أي ملف تريده يعمل مع الستارت اب!!!

يحاول الاتصال بالملف المسؤول عن اليونيكود UNICODE.NLS واعطاب هذا الملف يمنع الجهاز من تنصيب أية برامج
30/06/2014 06:04:40 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\UNICODE.NLS User-defined Rules

revent programs to access to System drive Action blocked : Read

+ التعديل على ملفات أخرى

30/06/2014 06:04:41 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\SORTTBLS.NLS User-defined Rules

revent programs to access to System drive Action blocked : Read

30/06/2014 06:04:41 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\OLE32.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read

not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\RPCRT4.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read

30/06/2014 06:04:42 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\SECUR32.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:43 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\GDI32.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read

30/06/2014 06:04:43 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\USER32.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read

30/06/2014 06:04:43 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\MSVCRT.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read
يحاول استخراج ملف في مجلد System32
30/06/2014 06:04:44 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\VERCLSID.EXE User-defined Rules

revent programs to access to System drive Action blocked : Read

30/06/2014 06:04:44 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\LPK.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read

30/06/2014 06:04:44 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\USP10.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read

30/06/2014 06:04:44 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\RPCSS.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read

30/06/2014 06:04:45 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\MSCTF.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read

30/06/2014 06:04:46 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\IMM32.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read
الملف المستخرج يحاول التعديل على ملف نظام
30/06/2014 06:04:46 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\LPK.DLL User-defined Rules

revent programs to access to System drive Action blocked : Execute
الحصول على الصلاحيات لتجميد الشاشة
30/06/2014 06:04:46 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares \??\C:\WINDOWS\system32\csrss.exe C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy User-defined Rules

revent programs to access to System drive Action blocked : Read

30/06/2014 06:04:46 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\WININET.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:46 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares \??\C:\WINDOWS\system32\csrss.exe C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:46 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.DLL User-defined Rules

revent programs to access to System drive Action blocked : Execute

30/06/2014 06:04:47 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.DLL User-defined Rules

revent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:47 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares \??\C:\WINDOWS\system32\csrss.exe C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:47 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\RICHED20.DLL User-defined Rules

revent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:47 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares \??\C:\WINDOWS\system32\csrss.exe C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:47 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\SHELL32.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:47 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares \??\C:\WINDOWS\system32\csrss.exe C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:48 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\COMCTL32.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:48 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\VERCLSID.EXE User-defined Rules

revent programs to access to System drive Action blocked : Read
بعد الحصول على الصلاحيات من الملف المستخرج بدا عملية التجميد
30/06/2014 06:04:48 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\Prefetch\VERCLSID.EXE-3667BD89.pf User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:48 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\MSXML3.DLL User-defined Rules

revent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:48 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\LPK.DLL User-defined Rules

revent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:48 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\MSXML3.DLL User-defined Rules

revent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:48 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\USP10.DLL User-defined Rules

revent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:49 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\MSXML3R.DLL User-defined Rules

revent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:49 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\MSCTF.DLL User-defined Rules

revent programs to access to System drive Action blocked : Execute
والآن تم الحقن في ملف ال svchost
30/06/2014 06:04:49 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe C:\WINDOWS\SoftwareDistribution\ReportingEvents.log User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:49 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\MSASN1.DLL User-defined Rules

revent programs to access to System drive Action blocked : Execute
يحاول ال svchost الحقن في ملف ال wuauclt
30/06/2014 06:04:49 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wuauclt.exe User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:49 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\RICHED20.DLL User-defined Rules

revent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:49 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\APPHELP.DLL User-defined Rules

revent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:50 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\APPHELP.DLL User-defined Rules

revent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:50 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wuauclt.exe User-defined Rules

revent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:50 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\LPK.DLL User-defined Rules

revent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:51 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wuauclt.exe User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:51 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\RPCSS.DLL User-defined Rules

revent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:51 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wuauclt.exe User-defined Rules

revent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:51 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\MSCTF.DLL User-defined Rules

revent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:52 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:52 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\IMM32.DLL User-defined Rules

revent programs to access to System drive Action blocked : Execute
تم الحقن في ملف ال wuauclt
30/06/2014 06:04:52 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\Prefetch\WUAUCLT.EXE-399A8E72.pf User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:52 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\CLBCATQ.DLL User-defined Rules

revent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:53 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\ntdll.dll User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:53 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\Registration\R000000000007.clb User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:53 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\KERNEL32.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:53 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\SHDOCVW.DLL User-defined Rules

revent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:53 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\UNICODE.NLS User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:53 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\SHDOCVW.DLL User-defined Rules

revent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:54 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares \??\C:\WINDOWS\system32\csrss.exe C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:54 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\LOCALE.NLS User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:54 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\WININET.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:54 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\SORTTBLS.NLS User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:54 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares \??\C:\WINDOWS\system32\csrss.exe C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:55 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.DLL User-defined Rules

revent programs to access to System drive Action blocked : Execute
;تمت سرقة صلاحيات الملف wuauclt
30/06/2014 06:04:55 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\wuauclt.exe User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:55 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.DLL User-defined Rules

revent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:55 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\MSVCRT.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:55 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\WindowsShell.Manifest User-defined Rules

revent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:55 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\OLE32.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:56 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\WindowsShell.Manifest User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:56 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\RPCRT4.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:56 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\WindowsShell.Manifest User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:56 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\WINMM.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:56 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares \??\C:\WINDOWS\system32\csrss.exe C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:57 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\MSACM32.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:57 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\RICHED20.DLL User-defined Rules

revent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:57 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\VERSION.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:58 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares \??\C:\WINDOWS\system32\csrss.exe C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy User-defined Rules

revent programs to access to System drive Action blocked : Read
فتح الثغرة للملف المستخرج لتجميد الشاشة
30/06/2014 06:04:58 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\SHELL32.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:58 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\SHELL32.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:58 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\SHELL32.DLL User-defined Rules

revent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:59 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\USERENV.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:59 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\SHELL32.DLL User-defined Rules

revent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:59 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\UXTHEME.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:04:59 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\SHELL32.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:05:00 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\CTYPE.NLS User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:05:00 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares \??\C:\WINDOWS\system32\csrss.exe C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:05:01 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\COMCTL32.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:05:01 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\LPK.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:05:02 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\MYDOCS.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:05:02 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\WINSPOOL.DRV User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:05:02 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\Explorer.EXE C:\Documents and Settings\ALFARES\Start Menu\Programs\DESKTOP.INI User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:05:02 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\IPHLPAPI.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:05:02 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\SHELL32.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:05:02 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\WINHTTP.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:05:02 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\Explorer.EXE C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:05:02 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\CRYPT32.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:05:02 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\Explorer.EXE C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Entertainment\DESKTOP.INI User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:05:02 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\MSASN1.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:05:02 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\Explorer.EXE C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Communications\DESKTOP.INI User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:05:02 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\MSPATCHA.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:05:03 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\Explorer.EXE C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\DESKTOP.INI User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:05:03 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\WBEM\WBEMCOMN.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:05:03 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\Explorer.EXE C:\Documents and Settings\All Users\Start Menu\Programs\Games\DESKTOP.INI User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:05:03 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\SETUPAPI.DLL User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:05:03 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\System32\SHIMENG.DLL User-defined Rules

revent programs to access to System drive Action blocked : Execute
30/06/2014 06:05:03 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\FrameworkService.exe C:\Program Files\McAfee\Common Framework\ccme_base.dll User-defined Rules

revent programs to access to System drive Action blocked : Execute
30/06/2014 06:05:03 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\System32\UXTHEME.DLL User-defined Rules

revent programs to access to System drive Action blocked : Execute
30/06/2014 06:05:03 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\WBEM\Logs\wbemcore.log User-defined Rules

revent programs to access to System drive Action blocked : Write
30/06/2014 06:05:04 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\System32\LPK.DLL User-defined Rules

revent programs to access to System drive Action blocked : Execute
30/06/2014 06:05:04 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:05:04 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.DLL User-defined Rules

revent programs to access to System drive Action blocked : Execute
30/06/2014 06:05:04 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy User-defined Rules

revent programs to access to System drive Action blocked : Read
30/06/2014 06:05:05 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\WBEM\Logs\wbemcore.log User-defined Rules

revent programs to access to System drive Action blocked : Write

الحقن عن طريق الربط الديناميكي dll hijacking
بالتوفيق

MagicianMiDo32 · 4 يوليو 2014

شكرا اخي
تمت اضافة التجربة

يجب عليك تسجيل الدخول او تسجيل لمشاهدة الرابط المخفي

لا تقتبسو الرد أعلاه
الرجاء التشغيل لان الملف قوي

بالمناسبة شكرا على خاصية الطوارئ نسيت عمل سناف شوت

yones7x · 4 يوليو 2014

Devil Eye قال:
مشاهدة المرفق 55868

كما هو واضح

تم الإكتشاف لأن الملف تم تحميله من الإنترنت، وهذه عادة النورتن، وهي اكتشاف أي ملف جديد يتم تحميله من الإنترنت

لتجاوز الإكتشاف، قم بإغلاق النورتن، ثم قم بتحميل الملف (وأزل الصح الذي يقول تم التحميل من مصدر خارجي في خصائص) ثم قم بتشغيل النورتن

ولن يكتشف الملف

بالنسبة للأخ ali2014،
الله يسامحك، سيتم اكتشاف الملف بعد فترة بشكل سريع !
هناك موقع فحص تنتهي بـ 4you لا تقوم بإرسال عينات لبرامج الحماية
ولو إنك أدهشتني لأن التقرير طلع نظيف رغم أني لم أقم بشيء لتشفير عمل الملف وأساليب ملتوية لمزيد من الخداع

البقية، سيتم الرد عليكم لاحقًا، ومبارك عليكم يوم الجمعة

أحمد البدارنة · 4 يوليو 2014

تم تخطي الكمودو على الافتراضي وعلى اقصى اعدادات الساند

تم اعدادا موضوع bugs في الكمودو بخصوص هذا الامر هل تسمح لي باعطائي العينة للمطورين لانهم سوف يطلبونها مني

Abdelkarim · 4 يوليو 2014

عند فك الضغط

Abdelkarim · 4 يوليو 2014

بعد اغلاق وحدة الانتي فايرس و السحاب ونقل الملف الى التقييد المنخفض
ثم التشغيل
و طبقة السيستم وتشر قامت بالواجب

Abdelkarim · 4 يوليو 2014

و اخيرا

yones7x · 4 يوليو 2014

qysr قال:
ما شاءالله النود نايم في العسل

يمكن صائم، خليه براحته

alaa8iniesta قال:
فك الضغط ..

الحجز

ممتاز، ولو أن التسمية عامة لخطر ما

medo32 قال:
أخي فيرس توتال يرسل العينات الآن باظت التشفيرة
لاتقلق اخي ان لم تكن تعلم ذلك

أمم nano security يحتاج الى تجربة

Nano anti-virus يكتشف أي ملف مبرمج بـ AutoIt كأنه فيروس

سياسة غريبة من الشركة بإقصاء لغة برمجة بكاملها

عند التشفير لن يظهر أنها مبرمجة بـ AutoIt هههههههه

عبدالرحمن نبهان قال:
أفاست عند فك الضغط

يجب عليك تسجيل الدخول او تسجيل لمشاهدة الرابط المخفي

حسب اسم الإكتشاف
وضعه تحت بند إشتباه

medo32 قال:
بسم الله الرحمن الرحيم
التجربة على المكافي

تم تفعيل ال maximum protection لكن مع وضع الـ Access protection على وضع ال Report only mode
مشاهدة المرفق 55871

ثانيا تم أضافة قاعدة لمراقبة جميع قيم الريجستري

مشاهدة المرفق 55872
مشاهدة المرفق 55873

وقاعدة لمراقبة جميع الملفات بالسي

مشاهدة المرفق 55874

وأخرى لمراقبة الحقن بالعملية explorer.exe

مشاهدة المرفق 55875

ثم تم تشغيل الملف وتجمد النظام>> طبعا المكافي يعطي تقارير فقط

مشاهدة المرفق 55876

وتمت كتابة ok >>> حلوة يايونس
أقترح اضافة ملف مضاد مع الفيروسات التي يطرحها الاعضاء

وظهرت هذة الرسالة بها مسار الفيروس

مشاهدة المرفق 55877

ثم تم عمل ريستارت وأشتغل النظام
مشاهدة المرفق 55878
مشاهدة المرفق 55879

وفي ذلك الحين قام المكافي بفصفصة الملف بشكل كامل وأليكم التقرير + التحليل
تشغيل الملف
30/06/2014 06:04:39 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\VERCLSID.EXE User-defined Rulesrevent programs to access to System drive Action blocked : Read

أستخراج نفسه في بيانات البريفيكت >> ليعمل بسرعة وتلقائيا مع بدأ التشغيل رائع يايونس
30/06/2014 06:04:39 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\Prefetch\VERCLSID.EXE-3667BD89.pf User-defined Rulesrevent programs to access to System drive Action blocked : Read

أضافة قاعدة الى الكرنل عن طريق ملف ال ntdl
30/06/2014 06:04:39 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\ntdll.dll User-defined Rulesrevent programs to access to System drive Action blocked : Read
وطبعا بديهي الحقن في ال kernel.dll
30/06/2014 06:04:39 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\KERNEL32.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read

++ مع العلم انه يمكن حقن مكتبة ربط ديناميكي dll بهذين الملفين لجعل أي ملف تريده يعمل مع الستارت اب!!!

يحاول الاتصال بالملف المسؤول عن اليونيكود UNICODE.NLS واعطاب هذا الملف يمنع الجهاز من تنصيب أية برامج
30/06/2014 06:04:40 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\UNICODE.NLS User-defined Rulesrevent programs to access to System drive Action blocked : Read

+ التعديل على ملفات أخرى

30/06/2014 06:04:41 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\SORTTBLS.NLS User-defined Rulesrevent programs to access to System drive Action blocked : Read

30/06/2014 06:04:41 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\OLE32.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read

not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\RPCRT4.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read

30/06/2014 06:04:42 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\SECUR32.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:43 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\GDI32.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read

30/06/2014 06:04:43 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\USER32.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read

30/06/2014 06:04:43 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\MSVCRT.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read
يحاول استخراج ملف في مجلد System32
30/06/2014 06:04:44 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\VERCLSID.EXE User-defined Rulesrevent programs to access to System drive Action blocked : Read

30/06/2014 06:04:44 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\LPK.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read

30/06/2014 06:04:44 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\USP10.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read

30/06/2014 06:04:44 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\RPCSS.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read

30/06/2014 06:04:45 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\MSCTF.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read

30/06/2014 06:04:46 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\IMM32.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read
الملف المستخرج يحاول التعديل على ملف نظام
30/06/2014 06:04:46 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\LPK.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Execute
الحصول على الصلاحيات لتجميد الشاشة
30/06/2014 06:04:46 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares \??\C:\WINDOWS\system32\csrss.exe C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy User-defined Rulesrevent programs to access to System drive Action blocked : Read

30/06/2014 06:04:46 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\WININET.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:46 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares \??\C:\WINDOWS\system32\csrss.exe C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:46 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Execute

30/06/2014 06:04:47 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:47 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares \??\C:\WINDOWS\system32\csrss.exe C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:47 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\RICHED20.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:47 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares \??\C:\WINDOWS\system32\csrss.exe C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:47 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\SHELL32.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:47 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares \??\C:\WINDOWS\system32\csrss.exe C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:48 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\COMCTL32.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:48 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\VERCLSID.EXE User-defined Rulesrevent programs to access to System drive Action blocked : Read
بعد الحصول على الصلاحيات من الملف المستخرج بدا عملية التجميد
30/06/2014 06:04:48 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\Prefetch\VERCLSID.EXE-3667BD89.pf User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:48 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\MSXML3.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:48 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\LPK.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:48 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\MSXML3.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:48 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\USP10.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:49 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\MSXML3R.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:49 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\MSCTF.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Execute
والآن تم الحقن في ملف ال svchost
30/06/2014 06:04:49 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe C:\WINDOWS\SoftwareDistribution\ReportingEvents.log User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:49 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\MSASN1.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Execute
يحاول ال svchost الحقن في ملف ال wuauclt
30/06/2014 06:04:49 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wuauclt.exe User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:49 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\RICHED20.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:49 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\APPHELP.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:50 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares **\VERCLSID.EXE C:\WINDOWS\System32\APPHELP.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:50 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wuauclt.exe User-defined Rulesrevent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:50 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\LPK.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:51 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wuauclt.exe User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:51 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\RPCSS.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:51 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wuauclt.exe User-defined Rulesrevent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:51 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\MSCTF.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:52 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:52 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\IMM32.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Execute
تم الحقن في ملف ال wuauclt
30/06/2014 06:04:52 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\Prefetch\WUAUCLT.EXE-399A8E72.pf User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:52 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\CLBCATQ.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:53 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\ntdll.dll User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:53 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\Registration\R000000000007.clb User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:53 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\KERNEL32.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:53 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\SHDOCVW.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:53 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\UNICODE.NLS User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:53 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\SHDOCVW.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:54 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares \??\C:\WINDOWS\system32\csrss.exe C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:54 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\LOCALE.NLS User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:54 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\WININET.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:54 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\SORTTBLS.NLS User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:54 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares \??\C:\WINDOWS\system32\csrss.exe C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:55 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Execute
;تمت سرقة صلاحيات الملف wuauclt
30/06/2014 06:04:55 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\wuauclt.exe User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:55 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:55 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\MSVCRT.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:55 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\WindowsShell.Manifest User-defined Rulesrevent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:55 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\OLE32.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:56 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\WindowsShell.Manifest User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:56 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\RPCRT4.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:56 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\WindowsShell.Manifest User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:56 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\WINMM.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:56 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares \??\C:\WINDOWS\system32\csrss.exe C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:57 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\MSACM32.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:57 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\RICHED20.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:57 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\VERSION.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:58 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares \??\C:\WINDOWS\system32\csrss.exe C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy User-defined Rulesrevent programs to access to System drive Action blocked : Read
فتح الثغرة للملف المستخرج لتجميد الشاشة
30/06/2014 06:04:58 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\SHELL32.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:58 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\SHELL32.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:58 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\SHELL32.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:59 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\USERENV.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:59 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\SHELL32.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Execute
30/06/2014 06:04:59 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\UXTHEME.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:04:59 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\SHELL32.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:05:00 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\CTYPE.NLS User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:05:00 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares \??\C:\WINDOWS\system32\csrss.exe C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:05:01 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\system32\verclsid.exe C:\WINDOWS\System32\COMCTL32.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:05:01 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\LPK.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:05:02 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\MYDOCS.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:05:02 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\WINSPOOL.DRV User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:05:02 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\Explorer.EXE C:\Documents and Settings\ALFARES\Start Menu\Programs\DESKTOP.INI User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:05:02 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\IPHLPAPI.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:05:02 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\SHELL32.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:05:02 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\WINHTTP.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:05:02 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\Explorer.EXE C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:05:02 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\CRYPT32.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:05:02 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\Explorer.EXE C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Entertainment\DESKTOP.INI User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:05:02 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\MSASN1.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:05:02 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\Explorer.EXE C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\Communications\DESKTOP.INI User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:05:02 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\MSPATCHA.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:05:03 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\Explorer.EXE C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\DESKTOP.INI User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:05:03 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\WBEM\WBEMCOMN.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:05:03 ص Would be blocked by Access Protection rule (rule is currently not enforced) SMART-PC\alfares C:\WINDOWS\Explorer.EXE C:\Documents and Settings\All Users\Start Menu\Programs\Games\DESKTOP.INI User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:05:03 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM **\WUAUCLT.EXE C:\WINDOWS\System32\SETUPAPI.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:05:03 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\System32\SHIMENG.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Execute
30/06/2014 06:05:03 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\FrameworkService.exe C:\Program Files\McAfee\Common Framework\ccme_base.dll User-defined Rulesrevent programs to access to System drive Action blocked : Execute
30/06/2014 06:05:03 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\System32\UXTHEME.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Execute
30/06/2014 06:05:03 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\WBEM\Logs\wbemcore.log User-defined Rulesrevent programs to access to System drive Action blocked : Write
30/06/2014 06:05:04 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\System32\LPK.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Execute
30/06/2014 06:05:04 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:05:04 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.DLL User-defined Rulesrevent programs to access to System drive Action blocked : Execute
30/06/2014 06:05:04 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy User-defined Rulesrevent programs to access to System drive Action blocked : Read
30/06/2014 06:05:05 ص Would be blocked by Access Protection rule (rule is currently not enforced) NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\WBEM\Logs\wbemcore.log User-defined Rulesrevent programs to access to System drive Action blocked : Write

الحقن عن طريق الربط الديناميكي dll hijacking
بالتوفيق

ما شاء الله، تحليل ضخم

لا يوجد حقن… الخ

يبدو أن التقرير يشمل كل شيء في الويندوز

أيضًا الإتصال بمكتبات dll معروف بالنسبة لبرمجيات AutoIt لتبدأ العمل وكذلك بقية البرامج

وذلك للقيام بالأوامر وإظهار الواجهة… الخ

أحمد البدارنة قال:
تم تخطي الكمودو على الافتراضي وعلى اقصى اعدادات الساند

تم اعدادا موضوع bugs في الكمودو بخصوص هذا الامر هل تسمح لي باعطائي العينة للمطورين لانهم سوف يطلبونها مني

لماذا كل هذه العجلة؟

دع الفرصة لغيرك للتجربة أخي !

خصوصًا أن هذه التقنية في Ransom، أكاد أجزم أنها لم تستخدم من قبل

Abdelkarim قال:
عند فك الضغط
مشاهدة المرفق 55880 مشاهدة المرفق 55881 مشاهدة المرفق 55882

Abdelkarim قال:
بعد اغلاق وحدة الانتي فايرس و السحاب ونقل الملف الى التقييد المنخفض
ثم التشغيل
و طبقة السيستم وتشر قامت بالواجب
مشاهدة المرفق 55884 مشاهدة المرفق 55885 مشاهدة المرفق 55886 مشاهدة المرفق 55887

Abdelkarim قال:
و اخيرا
مشاهدة المرفق 55888 مشاهدة المرفق 55889 مشاهدة المرفق 55890

تسلم على التحليل الجيد

وشكرًا للكاسبر على الصد رغم إغلاق وحدة الأنتي فيروس

PrinceOfPersia · 4 يوليو 2014

ماشاء الله

تجربة جديدة وتحاليل رائعة

عضو شرف

توقيع : yones7x

مراقب قسم الحماية ، خبراء زيزووم

توقيع : MagicianMiDo32

زيزوومى فضى

توقيع : Devil Eye

عضو شرف

توقيع : yones7x

زيزوومي VIP

زيزوومى فضى

توقيع : Devil Eye

عضو شرف

توقيع : Abdallah Pro

زيزوومى ذهبى

توقيع : alaa8iniesta

مراقب قسم الحماية ، خبراء زيزووم

توقيع : MagicianMiDo32

عضو شرف

توقيع : Abdallah Pro

زيزوومى ذهبى

توقيع : عبدالرحمن نبهان

مراقب قسم الحماية ، خبراء زيزووم

توقيع : MagicianMiDo32

مراقب قسم الحماية ، خبراء زيزووم

توقيع : MagicianMiDo32

عضو شرف

توقيع : yones7x

.: خبير تحليل ملفات :.

(خبراء زيزووم)

(خبراء زيزووم)

(خبراء زيزووم)

عضو شرف

توقيع : yones7x

زيزوومي VIP

توقيع : PrinceOfPersia