Maldun (魔盾) Security Analysis Report

ANALYSIS

Analysis type: FILE
Start time: 2016-05-17 17:52:41
End time: 2016-05-17 17:55:15
Duration: 154 seconds
Analysis engine version: 1.4-Maldun

VM name: win7-sp1-x64
Label: win7-sp1-x64
Hypervisor: KVM
VM started: 2016-05-17 17:52:41
VM shut down: 2016-05-17 17:55:15

Maldun score: 10.0 (malicious)

FILE DETAILS

File name: 672d19b395a61f8f084a4c7a38b017da54b27e7f339c4467d48ad1b695b77ccb.bin
File size: 2393216 bytes
File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
CRC32: 39206291
MD5: 6c9caff2a9bb4f01357268af2faf0683
SHA1: 13a757bcbb0d63dc9c547da9f624c4e788fd543b
SHA256: 672d19b395a61f8f084a4c7a38b017da54b27e7f339c4467d48ad1b695b77ccb
SHA512: e8ab80217b708b250dd2db73a957dd21519588da23b50545e49c9a544547105df7304f035d0a5cb4b49c86b2330b1db8c1aecf194108749bf41871eed861cbbc
Ssdeep: 49152:2dVKeqmdziN14EUpW4dPDyPHMGwQBa+r/mzA3hpXjpZY:2dVCF78J1OBwT/z+pFZY
PEiD: no match
Yara: MoleBoxv20
VirusTotal scan time: 2016-05-05 04:03:06
VirusTotal result: 24/55

SIGNATURES

Carries an Authenticode digital signature
  md5_fingerprint: 80598b22ba032fe0c40a3a2294b08d51
  sha1_fingerprint: 5c15b77bfeecf24fa870ef90609cd442fa56c70
  sn: 122605974798739533766591753697024209546
  cn: Shanghai kuaiping Network Technology Co., Ltd

Creates RWX memory

Reads data from its own binary image (the second read starts just past the PE overlay offset 0x0000f600 reported under Static analysis, i.e. the installer reading its appended archive)
  self_read: process: 672d19b395a61f8f084a4c7a38b017da54b27e7f339c4467d48ad1b695b77ccb.bin, pid: 556, offset: 0x00000000, length: 0x0024669d
  self_read: process: 672d19b395a61f8f084a4c7a38b017da54b27e7f339c4467d48ad1b695b77ccb.bin, pid: 556, offset: 0x0000f61d, length: 0x00237084

Performs HTTP requests (the ocsp.*/sf.symcb.com entries are OCSP and CRL revocation checks; the two khit.cn entries are the sample fetching its own configuration files)
  url: http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X%2B%2BhEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEBsJO3hglto3u6RRlEbIlng%3D
  url: http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D
  url: http://sf.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEFw9DUQ%2BanEIoUhEtfz%2B8oo%3D
  url: http://sf.symcb.com/sf.crl
  url: http://khit.cn/soft/azbconfig.ini
  url: http://khit.cn/soft/kp1configuration.ini
  url: http://ss.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV%2Bc%2FAZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEFYsTGl7at%2BFjHRU%2BpXehLM%3D
  url: http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D
  url: http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAN43VPPQBXGCMiwAAQAA3jc%3D
  url: http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D
  url: http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X%2B%2BhEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECECUM6OAwYS6fK4n3BU18%2BP0%3D
  url: http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQLqIKj6Gi5thHaqKC1ECU9aXsCRQQUmvMr2s%2BtT7YvuypISCoStxtCwSQCEQD0gtB5WgsdpjrFZePtaJt6
  url: http://sd.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQMgSk4dLKWKRB%2B2DViUmQEUw3ggwQUDURcFlNEwYJ%2BHSCrJfQBY9i%2BeaUCEFzeRE%2FrSZRDaFn%2BzErlAWw%3D
  url: http://ocsp2.globalsign.com/gsorganizationvalg2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBReGXQV%2FtqUV3SNMRE%2Bs25eR%2FvhjwQUXUayjcRLdBy77fVztjq3OI91nn4CEhEhyNkSBZL0u2zY4jc9udsWFw%3D%3D
  url: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJ9L2KGL92BpjF3kAtaDtxauTmhgQUPdNQpdagre7zSmAKZdMh1Pj41g8CEAIwaX55BLru0bCAsau57vM%3D
  url: http://ocsp.globalsign.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCCwQAAAAAAS9O4UUM
  url: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D
  url: http://sd.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQMgSk4dLKWKRB%2B2DViUmQEUw3ggwQUDURcFlNEwYJ%2BHSCrJfQBY9i%2BeaUCEFulHELau99g31whfW%2B6uJI%3D
  url: http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEBkaMst1nJe4z6wRjdUSf0k%3D
  url: http://ocsp2.globalsign.com/gsorganizationvalsha2g2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCEhEhGuAGlWtDRHAtLRzCaILaCA%3D%3D
  url: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAnmWtgHuEl7B0nUFWjWJtA%3D

File detected as malicious by at least ten antivirus engines on VirusTotal
  Malwarebytes: Adware.DownWare
  VIPRE: Trojan.Win32.Generic!BT
  AegisLab: Troj.Generic.mmEX
  K7GW: Unwanted-Program ( 004d23ea1 )
  K7AntiVirus: Unwanted-Program ( 004d23ea1 )
  ESET-NOD32: a variant of Win32/Packed.NSISmod.A suspicious
  Avast: Win32:Trojan-gen
  ClamAV: Win.Trojan.691128-1
  Kaspersky: HEUR:Trojan.Win32.Invader
  NANO-Antivirus: Riskware.Win32.ShouQu.dmnfjx
  ViRobot: Trojan.Win32.Z.Yantai.2393216.N[h]
  Rising: Trojan.Invader!8.450-A0khOfDP6YB (Cloud)
  Sophos: Generic PUA BD (PUA)
  Zillya: Trojan.InvaderCRTD.Win32.209
  McAfee-GW-Edition: Artemis!Trojan
  Fortinet: W32/Generic.AC.18053
  Antiy-AVL: Trojan/Generic.ASMalwNS.4F5F
  AhnLab-V3: PUP/Win32.Downloader
  McAfee: Artemis!6C9CAFF2A9BB
  AVware: Trojan.Win32.Generic!BT
  VBA32: Malware-Cryptor.Inject.gen
  Ikarus: PUA.RiskWare.Yantai
  GData: Win32.Application.Agent.142900
  AVG: Generic.6B7

Attempts to modify browser security settings

SCREENSHOTS

(Screenshot images are not included in this text version of the report.)

NETWORK ANALYSIS

Hosts contacted

  Direct access  IP address       Country
  No             58.211.137.192   China
  No             23.44.155.27     United States
  No             23.44.149.163    United States
  No             198.41.215.183   United States
  No             183.136.208.39   China
  No             117.18.237.29    Asia/Pacific Region

DNS resolution

  Domain                  Response
  ocsp.verisign.com       CNAME ocsp-ds.ws.symantec.com.edgekey.net; CNAME e8218.dscb1.akamaiedge.net; A 23.44.155.27
  dns.msftncsi.com        A 131.107.255.255
  dns.msftncsi.com        AAAA fd3e:4f5a:5b81::1
  sf.symcd.com            (no response recorded)
  sf.symcb.com            A 23.44.149.163; CNAME e6845.dscb1.akamaiedge.net; CNAME crl-ds.ws.symantec.com.edgekey.net
  khit.cn                 CNAME khit.cn.cdn20.com; A 122.228.237.175; A 117.23.2.80; A 122.228.22.171; A 36.42.32.63; A 122.228.233.195; A 183.136.208.39; A 122.228.22.179; CNAME tf02.dlmix.ourdvs.com; A 117.23.51.73
  ss.symcd.com            (no response recorded)
  ocsp.msocsp.com         A 198.41.214.185; CNAME hostedocsp.globalsign.com; A 198.41.214.186; A 198.41.214.187; A 198.41.215.183; A 198.41.215.182; A 198.41.215.185; A 198.41.214.183; A 198.41.215.184; A 198.41.215.186; A 198.41.214.184
  sd.symcd.com            (no response recorded)
  ocsp2.globalsign.com    CNAME cdn.globalsigncdn.com; A 58.211.137.192
  ocsp.digicert.com       CNAME cs9.wac.phicdn.net; A 117.18.237.29
  ocsp.globalsign.com     (no response recorded)
  s.symcd.com             (no response recorded)
  ocsp.omniroot.com       (no response recorded)

TCP connections

  IP address       Port
  117.18.237.29    80
  117.18.237.29    80
  178.255.83.1     80
  178.255.83.1     80
  178.255.83.1     80
  183.136.208.39   80
  183.136.208.39   80
  198.41.215.183   80
  23.44.149.163    80
  23.44.155.27     80
  23.44.155.27     80
  23.44.155.27     80
  23.44.155.27     80
  23.44.155.27     80
  23.44.155.27     80
  58.211.137.192   80
  58.211.137.192   80

UDP connections (identical rows collapsed)

  IP address        Port   Note
  192.168.122.1     53     DNS; repeated 21 times
  192.168.122.255   137    NetBIOS name service
  192.168.122.255   138    NetBIOS datagram service
  192.168.122.70    55256
  224.0.0.252       5355   LLMNR multicast; repeated many times
  239.255.255.250   1900   SSDP multicast
  40.69.40.157      123    NTP

HTTP requests

  The same URLs as listed under the "Performs HTTP requests" signature above, in the same order, except that the http://sf.symcd.com/... request appears twice (22 requests in total).

STATIC ANALYSIS

PE info

  Image base: 0x00400000
  Entry point: 0x00403dd3
  Declared checksum: 0x00255d8c
  Actual checksum: 0x00255d8c
  Minimum OS version: 4.0
  Compile time: 2014-03-29 17:42:03

Icon

  Icon exact hash: 1d90995304986bd2338b4af1cff1e9d0
  Icon similarity hash: d67765543cf1ced3f87211cc2c802669

Version info (the report rendered the Chinese strings as \xNNNN escapes; decoded here)

  LegalCopyright: Copyright (C) 2015快屏网络
  InternalName: ${Name}
  FileVersion: V1.0
  CompanyName: 快屏网络科技有限公司
  LegalTrademarks: 快屏网络
  ProductName: 花猫日历
  ProductVersion: 1.0.0.0
  FileDescription: 花猫日历安装程序
  Translation: 0x0804 0x03a8

PE sections

  Name    Virtual address  Virtual size  Raw size    Characteristics                                                            Entropy
  .text   0x00001000       0x0000714f    0x00007200  IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ                6.49
  .rdata  0x00009000       0x00001198    0x00001200  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                          5.24
  .data   0x0000b000       0x0001afbc    0x00000400  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE      4.80
  .ndata  0x00026000       0x0002c000    0x00000000  IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE    0.00
  .rsrc   0x00052000       0x000069b8    0x00006a00  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                          4.03

Overlay

  Offset: 0x0000f600
  Size: 0x00238e80

Resources (identical rows collapsed)

  Name           Offset      Size        Language      Sublanguage                 Entropy  File type
  RT_ICON (x8)   0x00057de0  0x00000128  LANG_ENGLISH  SUBLANG_ENGLISH_US          3.25     GLS_BINARY_LSB_FIRST
  RT_DIALOG (x5) 0x00058290  0x00000054  LANG_ENGLISH  SUBLANG_ENGLISH_US          2.31     data
  RT_GROUP_ICON  0x000582e8  0x00000076  LANG_ENGLISH  SUBLANG_ENGLISH_US          2.81     MS Windows icon resource - 8 icons, 32x32, 16-colors
  RT_VERSION     0x00058360  0x00000294  LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  3.73     data
  RT_MANIFEST    0x000585f8  0x000003be  LANG_ENGLISH  SUBLANG_ENGLISH_US          5.21     XML document text

Imports

Library KERNEL32.dll:
  • 0x40905c - GlobalLock
  • 0x409060 - GlobalAlloc
  • 0x409064 - CloseHandle
  • 0x409068 - SetFileTime
  • 0x40906c - CompareFileTime
  • 0x409070 - SearchPathA
  • 0x409074 - GetShortPathNameA
  • 0x409078 - GetFullPathNameA
  • 0x40907c - MoveFileA
  • 0x409080 - SetCurrentDirectoryA
  • 0x409084 - GetFileAttributesA
  • 0x409088 - GetLastError
  • 0x40908c - CreateDirectoryA
  • 0x409090 - SetFileAttributesA
  • 0x409094 - Sleep
  • 0x409098 - GetTickCount
  • 0x40909c - CreateFileA
  • 0x4090a0 - GetFileSize
  • 0x4090a4 - GetModuleFileNameA
  • 0x4090a8 - GetCurrentProcess
  • 0x4090ac - CopyFileA
  • 0x4090b0 - GlobalUnlock
  • 0x4090b4 - GetWindowsDirectoryA
  • 0x4090b8 - GetTempPathA
  • 0x4090bc - GetCommandLineA
  • 0x4090c0 - SetErrorMode
  • 0x4090c4 - lstrcpyA
  • 0x4090c8 - lstrcpynA
  • 0x4090cc - lstrcatA
  • 0x4090d0 - LoadLibraryA
  • 0x4090d4 - lstrlenA
  • 0x4090d8 - WideCharToMultiByte
  • 0x4090dc - VirtualAlloc
  • 0x4090e0 - VirtualProtect
  • 0x4090e4 - GetDiskFreeSpaceA
  • 0x4090e8 - CreateThread
  • 0x4090ec - CreateProcessA
  • 0x4090f0 - RemoveDirectoryA
  • 0x4090f4 - GetTempFileNameA
  • 0x4090f8 - GetSystemDirectoryA
  • 0x4090fc - GetVersion
  • 0x409100 - lstrcmpiA
  • 0x409104 - lstrcmpA
  • 0x409108 - ExpandEnvironmentStringsA
  • 0x40910c - GlobalFree
  • 0x409110 - WaitForSingleObject
  • 0x409114 - GetExitCodeProcess
  • 0x409118 - GetModuleHandleA
  • 0x40911c - LoadLibraryExA
  • 0x409120 - GetProcAddress
  • 0x409124 - FreeLibrary
  • 0x409128 - MulDiv
  • 0x40912c - MultiByteToWideChar
  • 0x409130 - WritePrivateProfileStringA
  • 0x409134 - GetPrivateProfileStringA
  • 0x409138 - WriteFile
  • 0x40913c - ReadFile
  • 0x409140 - SetFilePointer
  • 0x409144 - FindClose
  • 0x409148 - FindNextFileA
  • 0x40914c - FindFirstFileA
  • 0x409150 - DeleteFileA
  • 0x409154 - GlobalSize
  • 0x409158 - ExitProcess

Library USER32.dll:
  • 0x40917c - SetClassLongA
  • 0x409180 - IsWindowEnabled
  • 0x409184 - GetSysColor
  • 0x409188 - GetWindowLongA
  • 0x40918c - SetCursor
  • 0x409190 - LoadCursorA
  • 0x409194 - CheckDlgButton
  • 0x409198 - GetMessagePos
  • 0x40919c - LoadBitmapA
  • 0x4091a0 - CallWindowProcA
  • 0x4091a4 - IsWindowVisible
  • 0x4091a8 - CloseClipboard
  • 0x4091ac - SetClipboardData
  • 0x4091b0 - EmptyClipboard
  • 0x4091b4 - OpenClipboard
  • 0x4091b8 - TrackPopupMenu
  • 0x4091bc - GetSystemMenu
  • 0x4091c0 - CreatePopupMenu
  • 0x4091c4 - GetSystemMetrics
  • 0x4091c8 - SetDlgItemTextA
  • 0x4091cc - GetDlgItemTextA
  • 0x4091d0 - MessageBoxIndirectA
  • 0x4091d4 - CharPrevA
  • 0x4091d8 - DispatchMessageA
  • 0x4091dc - PeekMessageA
  • 0x4091e0 - RegisterClassA
  • 0x4091e4 - DialogBoxParamA
  • 0x4091e8 - CharNextA
  • 0x4091ec - ExitWindowsEx
  • 0x4091f0 - DestroyWindow
  • 0x4091f4 - CreateDialogParamA
  • 0x4091f8 - SetTimer
  • 0x4091fc - SetWindowTextA
  • 0x409200 - EnableMenuItem
  • 0x409204 - GetWindowRect
  • 0x409208 - ScreenToClient
  • 0x40920c - SetWindowPos
  • 0x409210 - EndDialog
  • 0x409214 - AppendMenuA
  • 0x409218 - GetClassInfoA
  • 0x40921c - PostQuitMessage
  • 0x409220 - SetForegroundWindow
  • 0x409224 - ShowWindow
  • 0x409228 - wsprintfA
  • 0x40922c - FindWindowExA
  • 0x409230 - IsWindow
  • 0x409234 - GetDlgItem
  • 0x409238 - SetWindowLongA
  • 0x40923c - GetClientRect
  • 0x409240 - LoadImageA
  • 0x409244 - GetDC
  • 0x409248 - EnableWindow
  • 0x40924c - InvalidateRect
  • 0x409250 - SendMessageA
  • 0x409254 - SendMessageTimeoutA

Library GDI32.dll:
  • 0x40903c - SetBkMode
  • 0x409040 - SetBkColor
  • 0x409044 - CreateBrushIndirect
  • 0x409048 - DeleteObject
  • 0x40904c - GetDeviceCaps
  • 0x409050 - SetTextColor
  • 0x409054 - CreateFontIndirectA

Library SHELL32.dll:
  • 0x409160 - SHGetPathFromIDListA
  • 0x409164 - SHBrowseForFolderA
  • 0x409168 - SHGetFileInfoA
  • 0x40916c - ShellExecuteA
  • 0x409170 - SHFileOperationA
  • 0x409174 - SHGetSpecialFolderLocation

Library ADVAPI32.dll:
  • 0x409000 - RegSetValueExA
  • 0x409004 - RegCreateKeyExA
  • 0x409008 - RegQueryValueExA
  • 0x40900c - RegEnumKeyA
  • 0x409010 - RegOpenKeyExA
  • 0x409014 - RegDeleteKeyA
  • 0x409018 - RegDeleteValueA
  • 0x40901c - RegEnumValueA
  • 0x409020 - RegCloseKey

Library COMCTL32.dll:
  • 0x409028 - ImageList_AddMasked
  • 0x40902c - ImageList_Destroy
  • 0x409030 - None (name not resolved by the report)
  • 0x409034 - ImageList_Create

Library ole32.dll:
  • 0x40926c - CLSIDFromString
  • 0x409270 - OleInitialize
  • 0x409274 - OleUninitialize
  • 0x409278 - CoTaskMemFree
  • 0x40927c - StringFromGUID2
  • 0x409280 - CoCreateInstance

Library VERSION.dll:
  • 0x40925c - GetFileVersionInfoA
  • 0x409260 - VerQueryValueA
  • 0x409264 - GetFileVersionInfoSizeA

DROPPED FILES

down.png
  Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\down.png
  File size: 161 bytes
  File type: PNG image data, 7 x 9, 8-bit/color RGBA, non-interlaced
  MD5: bacb91b049e287a496f8d1e4fdb9dc05
  SHA1: 58d81b51a030d9f0dd5215b6ed73745a914a1509
  SHA256: 1eabe022a47d5c59432b0fef5048b399fafba4ac5d28e9e39ed90ffb11ac94a6
  SHA512: 3f4fdd0373aceba51aa8d2a2cb1e87ac811fce4289f5d3fffa0a69196d8d51be382c1c684babddd671594178bb9c0169382aa7ef1d202b2aab24ee1d5857e176
  Ssdeep: 3:yionv//thPly2tjllB9+o4RthwkBDsTBZtmkoml6gFe/JjjSjjBRuupJLblsg1p:6v/lhPxDERnDspzToAgJeNRugljp
  Yara: no match

img_01.png
  Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\img_01.png
  File size: 32408 bytes
  File type: PNG image data, 146 x 137, 8-bit/color RGBA, non-interlaced
  MD5: f87f1ae94b55f4ba074ed5c6fbc7444d
  SHA1: 669f67a6cbba8755df80a15b158ec691db632ec9
  SHA256: e326c815d55b64ebbbe4f6b949c8c5796fda5119daba166c2117a5152d884b86
  SHA512: eeabbf8e705b296d7f99f77cdce59693f2dcf760f17dffe6da0035b6954e1099890d3adef8291dfb5878dd7b3061fad106d14b070a37d803999f124254b62620
  Ssdeep: 384:NFEJHdNecVzE8z/tmz3uCztq2heiXU9GGXXm1xpUndwvau:XE8YzPb+Onk3+Yau
  Yara: no match

delete.png
  Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\delete.png
  File size: 496 bytes
  File type: PNG image data, 36 x 10, 8-bit/color RGBA, non-interlaced
  MD5: ba59b3cc9a1e75cc37fc468230ac3cff
  SHA1: 8db01447f16cc2c88ecfda8bd4261d73460d7e7d
  SHA256: 4762377c3cddd1f5d89c147f141b19c07407a5c2920254e328a9ded7129c9c17
  SHA512: 866a5b14105e91754fcb6f730bbb219b0a47b48afd6f7efb84ce7d12b7101181be5c55a2098f5e2b2daf04111b82df2f7680b719a7c3a778aab1621df6140ff6
  Ssdeep: 12:6v/7MU7disUzF5fPTcB65w0TaKJ07gIokL:ISFxbcB6nTZJ07gS
  Yara: no match

change.png
  Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\change.png
  File size: 311 bytes
  File type: PNG image data, 180 x 30, 8-bit/color RGBA, non-interlaced
  MD5: ac127c606b71870ece6ec2104105e951
  SHA1: 01a38d66c20114221279bb5828010f3c3d7db9bf
  SHA256: ed1b029b0a819abb0a720eb402fa4fcbacb54873a10de15679d6cd02745c3180
  SHA512: e5755bb7fa0e0707d032d14b9d7d1ba830eeb3ee77cfd6ad73702d3a9f3c013dbb370100c6197697eb1de709a3db5527f6d9f15549dfa9fb11b5df434f10f6ab
  Ssdeep: 6:6v/lhPu/+UyKftldpzmP+VjZ5BH9LsYKyHyHyHyHyHoM/dp:6v/7G/+U7dpjRHN9SSSStz
  Yara: no match

bg.png
  Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\bg.png
  File size: 25807 bytes
  File type: PNG image data, 358 x 167, 8-bit/color RGBA, non-interlaced
  MD5: 1942305f9f8820603c75509fb6431899
  SHA1: 1ce893390141b72eacf3a57012b433d34e58751f
  SHA256: 48d17754b9becc369fd7732edd3290a4f5ffb16de775aed1d99443cafa76501e
  SHA512: c9f236495453f56aaaaf51c45fd2df6b0d6267a7ea41a3b080fb8a2156c9a5fd719a05a258742e43d157cad1f5271005d1085019a757c3812eb33a82b509d466
  Ssdeep: 384:s50wftrV353Bp2oBJ9eQdKN2mOmVKbWhE5I1qL9:aZtV9emKNVi5I1G
  Yara: no match

input_01.png
  Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\input_01.png
  File size: 384 bytes
  File type: PNG image data, 537 x 26, 8-bit/color RGBA, non-interlaced
  MD5: ad21ecdcd2148b752efa6f430db4a437
  SHA1: 2533d2c20ec5818c4d6dd80a96da1501811bd6a8
  SHA256: 88d1521cf3fddd35b3da8e6b58684e3cd197d710af5374195717ae46140ea1d7
  SHA512: 10172cf9cd7275e41c968448856e96d785a40b7ca3f3cc5ed2d3b1a2d74d4f87409d650ff249b4e7e2865001babd21831cba115f74f47bd2a0b326664e4df9de
  Ssdeep: 6:6v/lhP0/lNVR/ChmVjnDq3Ij9EBUklOnMk8u7HkBmSiCoQ/3mlfL+X/76fL+X/7U:6v/7U/za3IGUsOnguwvv/3mlI6I6I6I0
  Yara: no match

System.dll
  Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\System.dll
  File size: 11264 bytes
  File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  MD5: 00a0194c20ee912257df53bfe258ee4a
  SHA1: d7b4e319bc5119024690dc8230b9cc919b1b86b2
  SHA256: dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
  SHA512: 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667
  Ssdeep: 192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw
  Yara: no match

info.png
  Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\info.png
  File size: 5692 bytes
  File type: PNG image data, 210 x 47, 8-bit/color RGBA, non-interlaced
  MD5: 8752d7da1271f095aab6b53d5685f514
  SHA1: 434f5892a3af9e09e7282937b3cc8c912247e8a0
  SHA256: cbe36e5e8339762698e01f0dd158243ea9902a522ba82183c803886214fe5388
  SHA512: 6ac19ba785ecbb3161c6b559235e3cda091b3720000a2f834e273d4f6ffd7c63aa5c53840833e1e389058fc4e49e60f40481b4558238b5d880c7358d2b1d1768
  Ssdeep: 96:YSDZ/I09Da01l+gmkyTt6Hk8nT7dxoPwUyfWHd+6fXqoZeHVTOgpxRj+Ywm+r9t2:YSDS0tKg9E05T7dmSW9+6fXqoY1TOgdf
  Yara: no match

finish.png
  Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\finish.png
  File size: 7542 bytes
  File type: PNG image data, 600 x 60, 8-bit/color RGBA, non-interlaced
  MD5: 7d2eba4b389c538fdfa3277805fb648f
  SHA1: 3fe31b51310b0d961ca6da39edbd31ee5cf9f9f5
  SHA256: a72a8324ab428723d50b2447b3eb444013d61c0d9cdc7a40a3bbaface028f7ec
  SHA512: 93aa003398c6d81d5b93976edc8f9b48ee3cef45e484ae136d1310a7ad65df8bfc18b2d93586647ab9f49ef99157cf93abcf5acfb71782e407b3925d48925e96
  Ssdeep: 192:8PVqda4SBVXeAEGBwC+d/G6DCNpdRIQ3d3Gdo:8PVXeATwCsjCRRf3D
  Yara: no match

jieya_button.png
  Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\jieya_button.png
  File size: 7909 bytes
  File type: PNG image data, 800 x 60, 8-bit/color RGBA, non-interlaced
  MD5: e1998a671f960dba6f1c16e4f1a46ba8
  SHA1: 2ed320dd71e47554b7a46a82ff22af7e4cf98519
  SHA256: 1d44ad0b56ff1340745ab37a0e7d0cf235731479be9b26462536905c33b88324
  SHA512: 24def5934434addc2db09aecf56bb27689b5ddfbc72fdb8b98710e72e18ef046c4c7e3f6a19cb0d1d0e2870cb9482e6c267f234ff44a75a017d2e9f57683d0d2
  Ssdeep: 192:wiBmA7T4b1CQ0oJ7r0VlCC2rMOAfxQxpebMRFxkCA28M:4A7T4b1QoNrLM5f4fu2
  Yara: no match

NSISdl.dll
  Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\NSISdl.dll
  File size: 14848 bytes
  File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  MD5: 254f13dfd61c5b7d2119eb2550491e1d
  SHA1: 5083f6804ee3475f3698ab9e68611b0128e22fd6
  SHA256: fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28
  SHA512: fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7
  Ssdeep: 192:t5ZTobBDJ68r67wmsvJI5ad9cXzFOVu+mZ/P3p+57CvpVqDxVp01Dwn2GRYgsfA:fBo/680dCI5adOjFOg9//p27uNw2bo
  Yara: no match

cancel.png
  Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\cancel.png
  File size: 1284 bytes
  File type: PNG image data, 69 x 12, 8-bit/color RGBA, non-interlaced
  MD5: 9f439310a422e58355ce87847765ff3d
  SHA1: 744ad30abb57de585974801a077e916321946091
  SHA256: ba02da2548a4819f6db98cecf479ac8f1ff17fd2d88e2925b3d7c76a68f4d1ad
  SHA512: 6f8a1cf7ceea1fbf505688f8216476d5bbb99c015c45ba60da881783c6861bbe105a897cff4c913faed4b746ce3095d9ed70cf3695af6b8d01f99ddac0d4ca3f
  Ssdeep: 24:icy1he91Wwjx82lY2T3ouVJc/GyJ3VCy11zGASyrcTXMDm2nZ/3oR+pDSc:nwqQNn2xredJ3JbzF7Ag62nZvoMx
  Yara: no match

go.png
  Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\go.png
  File size: 6782 bytes
  File type: PNG image data, 267 x 28, 8-bit/color RGBA, non-interlaced
  MD5: d1b1b5339ff8b19f6b3cbdc2aad70a55
  SHA1: 7ee7ab4cf7cef934e1f7f6c7a110c3a3a320f011
  SHA256: 17354c20734c291b7d085a0da8c2629b9645ea5b450e0122f5fb3ba5d078a378
  SHA512: dbd9bfd83204195e40b8ff6db5b0a8a6773f59a723201046d755d554d3238787e6d07079f7ad0da98f0a7f7ad9096e46060f2cc06fa71729fa440d1555dd50e1
  Ssdeep: 96:9Y2rbK9wffOm4F70XmjhU1pTwrR8uxUZZ0VZMLCnSGOiPG7yRVvYM7aHqJ+nYp6:96qO70ZDTUG4nSpie1jJYp6
  Yara: no match

azbconfig.ini
  Path: C:\Users\test\AppData\Roaming\azbconfig.ini
  File size: 98 bytes
  File type: ASCII text, with CRLF line terminators
  MD5: b8f0cd31172f859c0eed29931f9f7ad9
  SHA1: cf8c6c5501e40a7c772d65e877ad002eacf811d5
  SHA256: c663226d07c54b65c54f0afb4bd604dfa3e245f884ae1eaf2672aff41b7d9605
  SHA512: bf7e9df3e7f8d5ccdee6f9be93c91bd4696380e6834101d2c968d2a32d05e3dc6585371e9a8ae2467c67c5c4dfe4924020f290bc20a9788e7bc11550ac6da189
  Ssdeep: 3:NUy6Jp5fgVJ8WvNxQEYrUyYfXJpgsHn:Gy6j2V+qBymXssH
  Yara: no match

up.png
  Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\up.png
  File size: 160 bytes
  File type: PNG image data, 7 x 9, 8-bit/color RGBA, non-interlaced
  MD5: 355a128adabe5b32e3eed951feb2341a
  SHA1: bf9ea6c62daf297c98edbf9a5667affd8151e59b
  SHA256: b2ce7a9b5efc5ef16d013843438e24a649f2d3467435e3450de131a5e4b87430
  SHA512: dad0f0129e1e8ba9ccf090917e66c768a3008d5a1a4ae4c7535d9e37853b013d88b20fdf16313c376829c51876b1f32dbe93c5ce3f01efae13c1fd75c1674561
  Ssdeep: 3:yionv//thPly2tjllB9+o4RthwkBDsTBZtnAkxXpuR6P6k2DkOUp9RGRB3AF8n1s:6v/lhPxDERnDspnAkZkcnMFwSn3PnYRz
  Yara: no match

FindProcDLL.dll
  Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\FindProcDLL.dll
  File size: 3584 bytes
  File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  MD5: 8614c450637267afacad1645e23ba24a
  SHA1: e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
  SHA256: 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
  SHA512: af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b
  Ssdeep: 48:SJp9bgAa4QYAOpO+k5SR4aV0GV/XamAKDNh7Mt:Ab+4Tptk5SR4gxV/XamBN
  Yara: no match

DialogEx.dll
  Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\DialogEx.dll
  File size: 21504 bytes
  File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  MD5: 2015bb43ab225bebd66bf474df424155
  SHA1: 3179aae8019577c720bafca7d126574d837ece00
  SHA256: 0af63a42fb77e2e31eccaea6953c86a461fa1fa82b2471e3493ee66f3e864f3e
  SHA512: 66567cb93231cfec913463cfc47343844931251ba8e83df0bc67d2ee42fd6fb2eb8d468c9e1af6d2a087701f2e9eb22f0f41bc573f2a471110c422bd54c0815e
  Ssdeep: 384:wPnkG6fcXeYBGD6Ngx4dwjgiQTr88zUUWh6XEK4EuN:GZXxBGD6NT+jjSrl/WnBT
  Yara: no match

kp1configuration.ini
  Path: C:\Users\test\AppData\Roaming\kp1configuration.ini
  File size: 888 bytes
  File type: ISO-8859 text, with CRLF line terminators
  MD5: a7dd899310db0b1e7ea3d101d1910b77
  SHA1: 1d49466334b6851777ae81a33db5d068f94f987a
  SHA256: 47d2014804d2f41dc54cc0374c0dfddd02c1acd55e412013f1f3849334c47948
  SHA512: 378b530a28d980a0887a968f454ef61f38aa13b837a7e843e4520148c9d613a5c96af27b040126009fd091c17bab8d00638ae6a07b07d8153972bc3870d977f2
  Ssdeep: 12:RXHMFqjIOXGoQOXGcFhxKLG/KIHy69FPN4nrMnM3FHU4T3X0DF4Rzq0vhgFUs3J8:RjjI4GoQ4GJLbIHHCawrXFvBKibE0n
  Yara: no match

Banner.dll
  Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\Banner.dll
  File size: 4096 bytes
  File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  MD5: 91c9ee5005ac6cb4ec79a3b039b4c8df
  SHA1: 95a9c018b501b6697beca846a33955909c3f97be
  SHA256: 05838c8f81efbb98679010158f29cefd88a34fb1fe5d603e839dd406235ddf29
  SHA512: 41cc45a64fbe64cd83e704e87193004245f5d29f4f880921d041e5f2ceec86ca0653146e6477642eba73875b9d5f0d773b540436b19e4797def9c15d7618474b
  Ssdeep: 48:6zQCRj3ybzBhsNDt/fsgOTF3D3cHEvRugYy/CQBSz7as:x8jvkggVjcHGRunQa
  Yara: no match

CheckRunVirtual.dll
  Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\CheckRunVirtual.dll
  File size: 32768 bytes
  File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  MD5: a0cb8030c255059749db3bffa0c78956
  SHA1: 8d945131c91a4bd99f53758d75691349cd4127cb
  SHA256: bcd19389fd4e58e552fc45c4222eae3aa70f0e7e1573b2afc8e7ad433f131398
  SHA512: b9ad84d528b7b4f95c1ee1b315bc7d76ff3c093e99bbc6b806517742320cd3a592ceb4ab407e1e003b3476e4ee5bc608029c102244ede5fee7fded8ac21e15d7
  Ssdeep: 384:9Rt4SLHEXLPdJtKP3Ko5wL19ODBg6ghwzlXR+1nu6EDHeMI1/NC3vy58Jv:9RthLyN9OmNhihmnTEDd3vy5q
  Yara: DebuggerCheck__API (the only dropped file with a Yara hit; its name suggests a VM/debugger check plugin used by the installer)

bg_02.png
  Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\bg_02.png
  File size: 111909 bytes
  File type: PNG image data, 585 x 390, 8-bit/color RGBA, non-interlaced
  MD5: 4835487b0286dff7cb758fc4cc4c6f3c
  SHA1: 215307b9c99c0a1040933318d06ab4831f568939
  SHA256: 5dacca188414a5f556097acfca2c5e8fdd696fc1d6cfb2e66bbd56af2b652235
  SHA512: 69bba5bf200ab34dd7406f8031818f82bc474bfa184f5b86d9a569ea5c494b7179749629ca9b12d588c13721080931c65fca08d014efaddc5d7137920f497e69
  Ssdeep: 3072:ce8khFO7qAGX3ysgfs74WfaqXuLFjW4hh:ce8GO7gyJm9QFThh
  Yara: no match

check-box2.png
  Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\check-box2.png
  File size: 438 bytes
  File type: PNG image data, 91 x 13, 8-bit/color RGBA, non-interlaced
  MD5: 8f33bf9e8628c38fc69d167c80e3f396
  SHA1: a631bcc319c9c3715b9166a75d862d2589699229
  SHA256: 55e1b9996f9ee6837d7a0841387f65940b13c6a94def79aaf60758b0d174e9e1
  SHA512: 7377701dd22537c504a79d03264ebbedffc8dffc1cbe7418af5ee08b2e761849fe64a876628896b10e92ec86eba4e215e83cc2d6c47f67e550d0ee9dc9a4b2f3
  Ssdeep: 12:6v/7uU7d/IknybWh7uvdq4lVeexPmHxrXdRB:CWknJuvg+VOHxTdRB
  Yara: no match

jindutiao.png
  Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\jindutiao.png
  File size: 1316 bytes
  File type: PNG image data, 460 x 28, 8-bit/color RGBA, non-interlaced
  MD5: 9fbaa289c7a946e1224b65e89d4b14c5
  SHA1: 021f4ffaef2b3c9019a1b43817a46f07e23b879e
  SHA256: f5c99243ea7f7209d1da544ae56e6ce898302cb10f5cdec1b10405d0f7ae51a8
  SHA512: 6aadc2ea1a836d2b8035b6bd85dbfdc74fff7e4fb3446c4f811c6332261680949096019c28c91b623ce516259977c0f159014583935fda0da751ab4e4578faf5
  Ssdeep: 24:Lm/6Bea5gzGVfsMVoL5j102R+MfZnOIuryMs4DRhcik7:Lm/6J5g+RG102RLZnOjyMNHe
  Yara: no match

check-box.png
  Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\check-box.png
  File size: 456 bytes
  File type: PNG image data, 91 x 13, 8-bit/color RGBA, non-interlaced
  MD5: 05b58e6f1b294342ac1a0d48b60e736f
  SHA1: ec7d6125ab69a0da9dd41c0aa9b1818604340af6
  SHA256: c174d3fd88b0927826847c8e2c1e926f45f541ceccf1fa4632c9e33434db92c7
  SHA512: 168b6a77b99d9c0900c5c03e889ae350fea176ad7f328e2269aa26a68e67e118d8f7e1936a118ff2f51ad8218429ff107b80f0ce0e5d516367ccb686b44250a3
  Ssdeep: 6:6v/lhPpehUyKftldZsiXJaXgrnWWPi0kuchgiMljFXA5dJG1iGOPcHi9dmLup:6v/7uU7dZsiXJZrRiSFXAPJGoxB9dV
  Yara: no match

ToolTips.dll
  Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\ToolTips.dll
  File size: 4608 bytes
  File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  MD5: 9a0da2692764bb842411a8b9687ebbb7
  SHA1: 5c3a459faa08a704bdf162476897ad4580ae39bd
  SHA256: 28aeaa48c929188a0d169887cc3f16370741467ae49e1db59763f030710a6bbb
  SHA512: 814d686617df4fe9f50a93dac9428babff3a14836aa27b4666976379ec3fafcab65fd82d8886998fa65e7b59dc192ca067cf8b4cdeb8ef551812912d80dab8ed
  Ssdeep: 48:apm2+v7BWCLWQqLa7JZ0ZK59HXesxdrqZZSakw6/K:Ymjv7BWoTicJZ0ZKPHXVx1MOw6
  Yara: no match

BEHAVIOR ANALYSIS

Mutexes
  Local\MSCTF.Asm.MutexDefault1
  DefaultTabtip-MainUI

Commands executed: none recorded
Services created: none recorded
Services started: none recorded

Process: 672d19b395a61f8f084a4c7a38b017da54b27e7f339c4467d48ad1b695b77ccb.bin (PID 556, parent PID 1852)

Files accessed
  \Device\KsecDD
  C:\Users\test\AppData\Local\Temp\SHFOLDER.DLL
  C:\Windows\System32\shfolder.dll
  \??\MountPointManager
  C:\Users\test\AppData\Local\Temp\
  C:\Users\test\AppData\Local\Temp
  C:\Users\test\AppData\Local\Temp\nsu36A8.tmp
  C:\Users\test\AppData\Local\Temp\672d19b395a61f8f084a4c7a38b017da54b27e7f339c4467d48ad1b695b77ccb.bin
  C:\Users\test\AppData\Local\Temp\nsf36E8.tmp
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp
  C:\Users
  C:\Users\test
  C:\Users\test\AppData
  C:\Users\test\AppData\Local
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\CheckRunVirtual.dll
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\FindProcDLL.dll
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\Banner.dll
  C:\Windows\Fonts\staticcache.dat
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\NSISdl.dll
  C:\Users\test\AppData\Roaming\azbconfig.ini
  C:\Users\test\AppData\Roaming\kp1configuration.ini
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\DialogEx.dll
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\MSIMG32.dll
  C:\Windows\System32\msimg32.dll
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\System.dll
  \DEVICE\NETBT_TCPIP_{33E35B0A-D1F6-4AB1-A1AE-56B8A256B787}
  C:\Users\test\AppData\Local\Temp\RichEd20.DLL
  C:\Windows\System32\riched20.dll
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\bg.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\bg_02.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\cancel.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\change.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\check-box.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\check-box2.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\delete.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\down.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\finish.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\go.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\img_01.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\info.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\input_01.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\jieya_button.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\jindutiao.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\up.png
  C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
  C:\Program Files (x86)\hmrl
  C:\Program Files (x86)
  C:\
  C:\Program Files (x86)\
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\ToolTips.dll
  C:\Users\test\AppData\Local\Temp\imageres.dll
  C:\Windows\System32\imageres.dll
  C:\Windows\System32\zh-CN\imageres.dll.mui
  C:\Windows\sysnative\zh-CN\imageres.dll.mui
  C:\Windows\System32\zh-Hans\imageres.dll.mui
  C:\Windows\System32\zh\imageres.dll.mui
  C:\Windows\System32\en-US\imageres.dll.mui

Files read
  \Device\KsecDD
  C:\Windows\System32\shfolder.dll
  C:\Users\test\AppData\Local\Temp\nsu36A8.tmp
  C:\Users\test\AppData\Local\Temp\672d19b395a61f8f084a4c7a38b017da54b27e7f339c4467d48ad1b695b77ccb.bin
  C:\Users\test\AppData\Local\Temp\nsf36E8.tmp
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\CheckRunVirtual.dll
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\FindProcDLL.dll
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\Banner.dll
  C:\Windows\Fonts\staticcache.dat
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\NSISdl.dll
  C:\Users\test\AppData\Roaming\azbconfig.ini
  C:\Users\test\AppData\Roaming\kp1configuration.ini
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\DialogEx.dll
  C:\Windows\System32\msimg32.dll
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\System.dll
  \DEVICE\NETBT_TCPIP_{33E35B0A-D1F6-4AB1-A1AE-56B8A256B787}
  C:\Windows\System32\riched20.dll
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\bg_02.png
  C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\delete.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\check-box.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\check-box2.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\change.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\input_01.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\ToolTips.dll
  C:\Windows\System32\imageres.dll
  C:\Windows\System32\zh-CN\imageres.dll.mui
  C:\Windows\sysnative\zh-CN\imageres.dll.mui
  C:\Windows\System32\zh-Hans\imageres.dll.mui
  C:\Windows\System32\zh\imageres.dll.mui
  C:\Windows\System32\en-US\imageres.dll.mui
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\jieya_button.png

Files modified
  C:\Users\test\AppData\Local\Temp\nsf36E8.tmp
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\CheckRunVirtual.dll
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\FindProcDLL.dll
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\Banner.dll
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\NSISdl.dll
  C:\Users\test\AppData\Roaming\azbconfig.ini
  C:\Users\test\AppData\Roaming\kp1configuration.ini
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\DialogEx.dll
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\System.dll
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\bg.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\bg_02.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\cancel.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\change.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\check-box.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\check-box2.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\delete.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\down.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\finish.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\go.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\img_01.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\info.png
  C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\input_01.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\jieya_button.png C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\jindutiao.png C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\up.png C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\ToolTips.dll 删除的文件 C:\Users\test\AppData\Local\Temp\nsu36A8.tmp C:\Users\test\AppData\Local\Temp\nsu36F8.tmp C:\Users\test\AppData\Roaming\azbconfig.ini C:\Users\test\AppData\Roaming\kp1configuration.ini 注册表键 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Data HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Generation HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Data HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Generation HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\FindProcDLL.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution 
Options\DllNXOptions\Banner.dll HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\672d19b395a61f8f084a4c7a38b017da54b27e7f339c4467d48ad1b695b77ccb.bin HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90} 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90} HKEY_CURRENT_USER HKEY_CURRENT_USER\Keyboard Layout\Toggle HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\INTERNET EXPLORER\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\KpPopupDlg.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Tahoma HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\NSISdl.dll HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\DialogEx.dll HKEY_CURRENT_USER\Software\hmrl\huamaorili HKEY_CURRENT_USER\Software\hmrl\huamaorili\hmrlqd HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\System.dll HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{33e35b0a-d1f6-4ab1-a1ae-56b8a256b787} HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{33E35B0A-D1F6-4AB1-A1AE-56B8A256B787}\EnableDhcp HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Linkage\Bind HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US HKEY_LOCAL_MACHINE\Software\Policies HKEY_CURRENT_USER\Software\Policies HKEY_CURRENT_USER\Software 
HKEY_LOCAL_MACHINE\Software HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Append Completion HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\AutoSuggest HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\AutoSuggest HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Always Use Tab HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Always Use Tab HKEY_CURRENT_USER\Software\Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32 HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default) HKEY_CURRENT_USER\Software\Classes\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32 HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Client\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Client\(Default) HKEY_CURRENT_USER\Control Panel\Desktop HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xbe\xae\xe8\xbd\xaf\xe9\x9b\x85\xe9\xbb\x91 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\\xe5\xbe\xae\xe8\xbd\xaf\xe9\x9b\x85\xe9\xbb\x91 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\ToolTips.dll 读取的注册表键 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Data HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Generation HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Data HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Generation HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\FindProcDLL.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\Banner.dll 
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\NSISdl.dll HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\DialogEx.dll HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\System.dll HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{33E35B0A-D1F6-4AB1-A1AE-56B8A256B787}\EnableDhcp HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Linkage\Bind HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Append Completion HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\AutoSuggest HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\AutoSuggest HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Always Use Tab HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Always Use Tab HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default) HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default) 
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Client\(Default) HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xbe\xae\xe8\xbd\xaf\xe9\x9b\x85\xe9\xbb\x91 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\ToolTips.dll 修改的注册表键 HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\INTERNET EXPLORER\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\KpPopupDlg.exe HKEY_CURRENT_USER\Software\hmrl\huamaorili HKEY_CURRENT_USER\Software\hmrl\huamaorili\hmrlqd 删除的注册表键 无信息 API解析 cryptbase.dll.SystemFunction036 uxtheme.dll.ThemeInitApiHook user32.dll.IsProcessDPIAware shfolder.dll.SHGetFolderPathA setupapi.dll.CM_Get_Device_Interface_List_Size_ExW setupapi.dll.CM_Get_Device_Interface_List_ExW kernel32.dll.GetUserDefaultUILanguage kernel32.dll.FlsAlloc kernel32.dll.FlsGetValue kernel32.dll.FlsSetValue kernel32.dll.FlsFree checkrunvirtual.dll.IsRunVirtualPC findprocdll.dll.FindProc psapi.dll.EnumProcesses psapi.dll.EnumProcessModules psapi.dll.GetModuleBaseNameA banner.dll.show dwmapi.dll.DwmIsCompositionEnabled comctl32.dll.RegisterClassNameW uxtheme.dll.EnableThemeDialogTexture ole32.dll.CoInitializeEx ole32.dll.CoUninitialize ole32.dll.CoRegisterInitializeSpy ole32.dll.CoRevokeInitializeSpy gdi32.dll.GetLayout gdi32.dll.GdiRealizationInfo gdi32.dll.FontIsLinked advapi32.dll.RegOpenKeyExW advapi32.dll.RegQueryInfoKeyW 
gdi32.dll.GetTextFaceAliasW advapi32.dll.RegEnumValueW advapi32.dll.RegCloseKey advapi32.dll.RegQueryValueExW gdi32.dll.GetFontAssocStatus advapi32.dll.RegQueryValueExA advapi32.dll.RegEnumKeyExW gdi32.dll.GetTextExtentExPointWPri nsisdl.dll.download_quiet dnsapi.dll.DnsApiFree dialogex.dll.Init dialogex.dll.SetGlobalParam system.dll.Call iphlpapi.dll.GetAdaptersInfo dhcpcsvc.dll.DhcpIsEnabled iphlpapi.dll.ConvertInterfaceNameToLuidW system.dll.Alloc system.dll.Free banner.dll.destroy oleaut32.dll.#500 uxtheme.dll.OpenThemeData uxtheme.dll.GetThemeBool user32.dll.GetSystemMenu user32.dll.DeleteMenu dialogex.dll.LoadPng gdiplus.dll.GdipLoadImageFromStream gdiplus.dll.GdipDisposeImage gdiplus.dll.GdipGetImageWidth gdiplus.dll.GdipGetImageHeight gdiplus.dll.GdipGetImagePixelFormat gdiplus.dll.GdipCreateFromHDC gdiplus.dll.GdipDrawImageRectI gdiplus.dll.GdipDeleteGraphics gdiplus.dll.GdiplusStartup gdiplus.dll.GdiplusShutdown kernel32.dll.IsProcessorFeaturePresent user32.dll.GetWindowInfo user32.dll.GetAncestor user32.dll.GetMonitorInfoA user32.dll.EnumDisplayMonitors user32.dll.EnumDisplayDevicesA gdi32.dll.ExtTextOutW gdi32.dll.GdiIsMetaPrintDC windowscodecs.dll.DllGetClassObject kernel32.dll.WerRegisterMemoryBlock gdi32.dll.CreatePatternBrush gdi32.dll.DeleteObject gdi32.dll.CreateRoundRectRgn user32.dll.SetWindowRgn dialogex.dll.OnClick user32.dll.LoadCursorA dialogex.dll.SetBtnImage uxtheme.dll.IsThemePartDefined uxtheme.dll.GetThemeFont uxtheme.dll.GetThemeColor imm32.dll.ImmIsIME kernel32.dll.GetDiskFreeSpaceExA imm32.dll.ImmGetContext imm32.dll.ImmLockIMC imm32.dll.ImmUnlockIMC imm32.dll.ImmReleaseContext imm32.dll.ImmSetCompositionFontW uxtheme.dll.DrawThemeBackground imm32.dll.ImmGetCompositionWindow imm32.dll.ImmSetCompositionWindow shlwapi.dll.SHAutoComplete ole32.dll.CoCreateInstance comctl32.dll.#411 comctl32.dll.#410 ole32.dll.CLSIDFromString uxtheme.dll.GetThemePartSize uxtheme.dll.CloseThemeData uxtheme.dll.GetThemeTextExtent 
uxtheme.dll.GetThemeMargins comctl32.dll.#413 user32.dll.SetWindowLongA user32.dll.SetDlgItemTextA dialogex.dll.CreateCtrl comctl32.dll.#412 tooltips.dll.Modern dialogex.dll.Create uxtheme.dll.BufferedPaintInit uxtheme.dll.BeginBufferedPaint uxtheme.dll.EndBufferedPaint ©2016 上海魔盾信息科技有限公司