Maldun Security Analysis Report

Analysis type: FILE
Start time: 2016-05-17 17:52:41
End time: 2016-05-17 17:55:15
Duration: 154 seconds
Analysis engine version: 1.4-Maldun

Virtual machine name: win7-sp1-x64
Label: win7-sp1-x64
VM manager: KVM
Boot time: 2016-05-17 17:52:41
Shutdown time: 2016-05-17 17:55:15

Maldun score: 10.0 (malicious)
File details

File name: 672d19b395a61f8f084a4c7a38b017da54b27e7f339c4467d48ad1b695b77ccb.bin
File size: 2393216 bytes
File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
CRC32: 39206291
MD5: 6c9caff2a9bb4f01357268af2faf0683
SHA1: 13a757bcbb0d63dc9c547da9f624c4e788fd543b
SHA256: 672d19b395a61f8f084a4c7a38b017da54b27e7f339c4467d48ad1b695b77ccb
SHA512: e8ab80217b708b250dd2db73a957dd21519588da23b50545e49c9a544547105df7304f035d0a5cb4b49c86b2330b1db8c1aecf194108749bf41871eed861cbbc
Ssdeep: 49152:2dVKeqmdziN14EUpW4dPDyPHMGwQBa+r/mzA3hpXjpZY:2dVCF78J1OBwT/z+pFZY
PEiD: no match
Yara: MoleBoxv20 ()
VirusTotal: scanned 2016-05-05 04:03:06, result 24/55
Signatures

Carries an Authenticode digital signature
md5_fingerprint: 80598b22ba032fe0c40a3a2294b08d51
sha1_fingerprint: 5c15b77bfeecf24fa870ef90609cd442fa56c70
sn: 122605974798739533766591753697024209546
cn: Shanghai kuaiping Network Technology Co., Ltd
Creates RWX memory
Reads data from its own binary image
self_read: process: 672d19b395a61f8f084a4c7a38b017da54b27e7f339c4467d48ad1b695b77ccb.bin, pid: 556, offset: 0x00000000, length: 0x0024669d
self_read: process: 672d19b395a61f8f084a4c7a38b017da54b27e7f339c4467d48ad1b695b77ccb.bin, pid: 556, offset: 0x0000f61d, length: 0x00237084
Issues HTTP requests
Detected as a virus by at least ten anti-virus engines on VirusTotal
Malwarebytes: Adware.DownWare
VIPRE: Trojan.Win32.Generic!BT
AegisLab: Troj.Generic.mmEX
K7GW: Unwanted-Program ( 004d23ea1 )
K7AntiVirus: Unwanted-Program ( 004d23ea1 )
ESET-NOD32: a variant of Win32/Packed.NSISmod.A suspicious
Avast: Win32:Trojan-gen
ClamAV: Win.Trojan.691128-1
Kaspersky: HEUR:Trojan.Win32.Invader
NANO-Antivirus: Riskware.Win32.ShouQu.dmnfjx
ViRobot: Trojan.Win32.Z.Yantai.2393216.N[h]
Rising: Trojan.Invader!8.450-A0khOfDP6YB (Cloud)
Sophos: Generic PUA BD (PUA)
Zillya: Trojan.InvaderCRTD.Win32.209
McAfee-GW-Edition: Artemis!Trojan
Fortinet: W32/Generic.AC.18053
Antiy-AVL: Trojan/Generic.ASMalwNS.4F5F
AhnLab-V3: PUP/Win32.Downloader
McAfee: Artemis!6C9CAFF2A9BB
AVware: Trojan.Win32.Generic!BT
VBA32: Malware-Cryptor.Inject.gen
Ikarus: PUA.RiskWare.Yantai
GData: Win32.Application.Agent.142900
AVG: Generic.6B7
Attempts to change browser security settings
Screenshots
Network analysis

Hosts accessed
Direct access  IP address      Country
No             58.211.137.192  China
No             23.44.155.27    United States
No             23.44.149.163   United States
No             198.41.215.183  United States
No             183.136.208.39  China
No             117.18.237.29   Asia/Pacific Region
DNS resolution
Domain / Response
TCP connections
IP address / Port
UDP connections
IP address / Port
HTTP requests
URL
Static analysis

PE information
Image base: 0x00400000
Entry point: 0x00403dd3
Declared checksum: 0x00255d8c
Actual checksum: 0x00255d8c
Minimum OS version required: 4.0
Compile time: 2014-03-29 17:42:03

Icon
Icon exact hash: 1d90995304986bd2338b4af1cff1e9d0
Icon similarity hash: d67765543cf1ced3f87211cc2c802669

Version information
LegalCopyright: Copyright (C) 2015快屏网络
InternalName: ${Name}
FileVersion: V1.0
CompanyName: 快屏网络科技有限公司
LegalTrademarks: 快屏网络
ProductName: 花猫日历
ProductVersion: 1.0.0.0
FileDescription: 花猫日历安装程序
Translation: 0x0804 0x03a8
PE sections
Name    Virtual address  Virtual size  Raw data size  Entropy  Characteristics
.text   0x00001000       0x0000714f    0x00007200     6.49     IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ
.rdata  0x00009000       0x00001198    0x00001200     5.24     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ
.data   0x0000b000       0x0001afbc    0x00000400     4.80     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE
.ndata  0x00026000       0x0002c000    0x00000000     0.00     IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE
.rsrc   0x00052000       0x000069b8    0x00006a00     4.03     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ

Overlay
Offset: 0x0000f600
Size: 0x00238e80
Resources
Name           Offset      Size        Language      Sublanguage                 Entropy  File type
RT_ICON        0x00057de0  0x00000128  LANG_ENGLISH  SUBLANG_ENGLISH_US          3.25     GLS_BINARY_LSB_FIRST
RT_ICON        0x00057de0  0x00000128  LANG_ENGLISH  SUBLANG_ENGLISH_US          3.25     GLS_BINARY_LSB_FIRST
RT_ICON        0x00057de0  0x00000128  LANG_ENGLISH  SUBLANG_ENGLISH_US          3.25     GLS_BINARY_LSB_FIRST
RT_ICON        0x00057de0  0x00000128  LANG_ENGLISH  SUBLANG_ENGLISH_US          3.25     GLS_BINARY_LSB_FIRST
RT_ICON        0x00057de0  0x00000128  LANG_ENGLISH  SUBLANG_ENGLISH_US          3.25     GLS_BINARY_LSB_FIRST
RT_ICON        0x00057de0  0x00000128  LANG_ENGLISH  SUBLANG_ENGLISH_US          3.25     GLS_BINARY_LSB_FIRST
RT_ICON        0x00057de0  0x00000128  LANG_ENGLISH  SUBLANG_ENGLISH_US          3.25     GLS_BINARY_LSB_FIRST
RT_ICON        0x00057de0  0x00000128  LANG_ENGLISH  SUBLANG_ENGLISH_US          3.25     GLS_BINARY_LSB_FIRST
RT_DIALOG      0x00058290  0x00000054  LANG_ENGLISH  SUBLANG_ENGLISH_US          2.31     data
RT_DIALOG      0x00058290  0x00000054  LANG_ENGLISH  SUBLANG_ENGLISH_US          2.31     data
RT_DIALOG      0x00058290  0x00000054  LANG_ENGLISH  SUBLANG_ENGLISH_US          2.31     data
RT_DIALOG      0x00058290  0x00000054  LANG_ENGLISH  SUBLANG_ENGLISH_US          2.31     data
RT_DIALOG      0x00058290  0x00000054  LANG_ENGLISH  SUBLANG_ENGLISH_US          2.31     data
RT_GROUP_ICON  0x000582e8  0x00000076  LANG_ENGLISH  SUBLANG_ENGLISH_US          2.81     MS Windows icon resource - 8 icons, 32x32, 16-colors
RT_VERSION     0x00058360  0x00000294  LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  3.73     data
RT_MANIFEST    0x000585f8  0x000003be  LANG_ENGLISH  SUBLANG_ENGLISH_US          5.21     XML document text
Imports
Library KERNEL32.dll:
• 0x40905c - GlobalLock
• 0x409060 - GlobalAlloc
• 0x409064 - CloseHandle
• 0x409068 - SetFileTime
• 0x40906c - CompareFileTime
• 0x409070 - SearchPathA
• 0x409074 - GetShortPathNameA
• 0x409078 - GetFullPathNameA
• 0x40907c - MoveFileA
• 0x409080 - SetCurrentDirectoryA
• 0x409084 - GetFileAttributesA
• 0x409088 - GetLastError
• 0x40908c - CreateDirectoryA
• 0x409090 - SetFileAttributesA
• 0x409094 - Sleep
• 0x409098 - GetTickCount
• 0x40909c - CreateFileA
• 0x4090a0 - GetFileSize
• 0x4090a4 - GetModuleFileNameA
• 0x4090a8 - GetCurrentProcess
• 0x4090ac - CopyFileA
• 0x4090b0 - GlobalUnlock
• 0x4090b4 - GetWindowsDirectoryA
• 0x4090b8 - GetTempPathA
• 0x4090bc - GetCommandLineA
• 0x4090c0 - SetErrorMode
• 0x4090c4 - lstrcpyA
• 0x4090c8 - lstrcpynA
• 0x4090cc - lstrcatA
• 0x4090d0 - LoadLibraryA
• 0x4090d4 - lstrlenA
• 0x4090d8 - WideCharToMultiByte
• 0x4090dc - VirtualAlloc
• 0x4090e0 - VirtualProtect
• 0x4090e4 - GetDiskFreeSpaceA
• 0x4090e8 - CreateThread
• 0x4090ec - CreateProcessA
• 0x4090f0 - RemoveDirectoryA
• 0x4090f4 - GetTempFileNameA
• 0x4090f8 - GetSystemDirectoryA
• 0x4090fc - GetVersion
• 0x409100 - lstrcmpiA
• 0x409104 - lstrcmpA
• 0x409108 - ExpandEnvironmentStringsA
• 0x40910c - GlobalFree
• 0x409110 - WaitForSingleObject
• 0x409114 - GetExitCodeProcess
• 0x409118 - GetModuleHandleA
• 0x40911c - LoadLibraryExA
• 0x409120 - GetProcAddress
• 0x409124 - FreeLibrary
• 0x409128 - MulDiv
• 0x40912c - MultiByteToWideChar
• 0x409130 - WritePrivateProfileStringA
• 0x409134 - GetPrivateProfileStringA
• 0x409138 - WriteFile
• 0x40913c - ReadFile
• 0x409140 - SetFilePointer
• 0x409144 - FindClose
• 0x409148 - FindNextFileA
• 0x40914c - FindFirstFileA
• 0x409150 - DeleteFileA
• 0x409154 - GlobalSize
• 0x409158 - ExitProcess
Library USER32.dll:
• 0x40917c - SetClassLongA
• 0x409180 - IsWindowEnabled
• 0x409184 - GetSysColor
• 0x409188 - GetWindowLongA
• 0x40918c - SetCursor
• 0x409190 - LoadCursorA
• 0x409194 - CheckDlgButton
• 0x409198 - GetMessagePos
• 0x40919c - LoadBitmapA
• 0x4091a0 - CallWindowProcA
• 0x4091a4 - IsWindowVisible
• 0x4091a8 - CloseClipboard
• 0x4091ac - SetClipboardData
• 0x4091b0 - EmptyClipboard
• 0x4091b4 - OpenClipboard
• 0x4091b8 - TrackPopupMenu
• 0x4091bc - GetSystemMenu
• 0x4091c0 - CreatePopupMenu
• 0x4091c4 - GetSystemMetrics
• 0x4091c8 - SetDlgItemTextA
• 0x4091cc - GetDlgItemTextA
• 0x4091d0 - MessageBoxIndirectA
• 0x4091d4 - CharPrevA
• 0x4091d8 - DispatchMessageA
• 0x4091dc - PeekMessageA
• 0x4091e0 - RegisterClassA
• 0x4091e4 - DialogBoxParamA
• 0x4091e8 - CharNextA
• 0x4091ec - ExitWindowsEx
• 0x4091f0 - DestroyWindow
• 0x4091f4 - CreateDialogParamA
• 0x4091f8 - SetTimer
• 0x4091fc - SetWindowTextA
• 0x409200 - EnableMenuItem
• 0x409204 - GetWindowRect
• 0x409208 - ScreenToClient
• 0x40920c - SetWindowPos
• 0x409210 - EndDialog
• 0x409214 - AppendMenuA
• 0x409218 - GetClassInfoA
• 0x40921c - PostQuitMessage
• 0x409220 - SetForegroundWindow
• 0x409224 - ShowWindow
• 0x409228 - wsprintfA
• 0x40922c - FindWindowExA
• 0x409230 - IsWindow
• 0x409234 - GetDlgItem
• 0x409238 - SetWindowLongA
• 0x40923c - GetClientRect
• 0x409240 - LoadImageA
• 0x409244 - GetDC
• 0x409248 - EnableWindow
• 0x40924c - InvalidateRect
• 0x409250 - SendMessageA
• 0x409254 - SendMessageTimeoutA
Library GDI32.dll:
• 0x40903c - SetBkMode
• 0x409040 - SetBkColor
• 0x409044 - CreateBrushIndirect
• 0x409048 - DeleteObject
• 0x40904c - GetDeviceCaps
• 0x409050 - SetTextColor
• 0x409054 - CreateFontIndirectA
Library SHELL32.dll:
• 0x409160 - SHGetPathFromIDListA
• 0x409164 - SHBrowseForFolderA
• 0x409168 - SHGetFileInfoA
• 0x40916c - ShellExecuteA
• 0x409170 - SHFileOperationA
• 0x409174 - SHGetSpecialFolderLocation
Library ADVAPI32.dll:
• 0x409000 - RegSetValueExA
• 0x409004 - RegCreateKeyExA
• 0x409008 - RegQueryValueExA
• 0x40900c - RegEnumKeyA
• 0x409010 - RegOpenKeyExA
• 0x409014 - RegDeleteKeyA
• 0x409018 - RegDeleteValueA
• 0x40901c - RegEnumValueA
• 0x409020 - RegCloseKey
Library COMCTL32.dll:
• 0x409028 - ImageList_AddMasked
• 0x40902c - ImageList_Destroy
• 0x409030 - None
• 0x409034 - ImageList_Create
Library ole32.dll:
• 0x40926c - CLSIDFromString
• 0x409270 - OleInitialize
• 0x409274 - OleUninitialize
• 0x409278 - CoTaskMemFree
• 0x40927c - StringFromGUID2
• 0x409280 - CoCreateInstance
Library VERSION.dll:
• 0x40925c - GetFileVersionInfoA
• 0x409260 - VerQueryValueA
• 0x409264 - GetFileVersionInfoSizeA
Dropped files

down.png
Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\down.png
File size: 161 bytes
File type: PNG image data, 7 x 9, 8-bit/color RGBA, non-interlaced
MD5: bacb91b049e287a496f8d1e4fdb9dc05
SHA1: 58d81b51a030d9f0dd5215b6ed73745a914a1509
SHA256: 1eabe022a47d5c59432b0fef5048b399fafba4ac5d28e9e39ed90ffb11ac94a6
SHA512: 3f4fdd0373aceba51aa8d2a2cb1e87ac811fce4289f5d3fffa0a69196d8d51be382c1c684babddd671594178bb9c0169382aa7ef1d202b2aab24ee1d5857e176
Ssdeep: 3:yionv//thPly2tjllB9+o4RthwkBDsTBZtmkoml6gFe/JjjSjjBRuupJLblsg1p:6v/lhPxDERnDspzToAgJeNRugljp
Yara: no match
img_01.png
Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\img_01.png
File size: 32408 bytes
File type: PNG image data, 146 x 137, 8-bit/color RGBA, non-interlaced
MD5: f87f1ae94b55f4ba074ed5c6fbc7444d
SHA1: 669f67a6cbba8755df80a15b158ec691db632ec9
SHA256: e326c815d55b64ebbbe4f6b949c8c5796fda5119daba166c2117a5152d884b86
SHA512: eeabbf8e705b296d7f99f77cdce59693f2dcf760f17dffe6da0035b6954e1099890d3adef8291dfb5878dd7b3061fad106d14b070a37d803999f124254b62620
Ssdeep: 384:NFEJHdNecVzE8z/tmz3uCztq2heiXU9GGXXm1xpUndwvau:XE8YzPb+Onk3+Yau
Yara: no match
delete.png
Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\delete.png
File size: 496 bytes
File type: PNG image data, 36 x 10, 8-bit/color RGBA, non-interlaced
MD5: ba59b3cc9a1e75cc37fc468230ac3cff
SHA1: 8db01447f16cc2c88ecfda8bd4261d73460d7e7d
SHA256: 4762377c3cddd1f5d89c147f141b19c07407a5c2920254e328a9ded7129c9c17
SHA512: 866a5b14105e91754fcb6f730bbb219b0a47b48afd6f7efb84ce7d12b7101181be5c55a2098f5e2b2daf04111b82df2f7680b719a7c3a778aab1621df6140ff6
Ssdeep: 12:6v/7MU7disUzF5fPTcB65w0TaKJ07gIokL:ISFxbcB6nTZJ07gS
Yara: no match
change.png
Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\change.png
File size: 311 bytes
File type: PNG image data, 180 x 30, 8-bit/color RGBA, non-interlaced
MD5: ac127c606b71870ece6ec2104105e951
SHA1: 01a38d66c20114221279bb5828010f3c3d7db9bf
SHA256: ed1b029b0a819abb0a720eb402fa4fcbacb54873a10de15679d6cd02745c3180
SHA512: e5755bb7fa0e0707d032d14b9d7d1ba830eeb3ee77cfd6ad73702d3a9f3c013dbb370100c6197697eb1de709a3db5527f6d9f15549dfa9fb11b5df434f10f6ab
Ssdeep: 6:6v/lhPu/+UyKftldpzmP+VjZ5BH9LsYKyHyHyHyHyHoM/dp:6v/7G/+U7dpjRHN9SSSStz
Yara: no match
bg.png
Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\bg.png
File size: 25807 bytes
File type: PNG image data, 358 x 167, 8-bit/color RGBA, non-interlaced
MD5: 1942305f9f8820603c75509fb6431899
SHA1: 1ce893390141b72eacf3a57012b433d34e58751f
SHA256: 48d17754b9becc369fd7732edd3290a4f5ffb16de775aed1d99443cafa76501e
SHA512: c9f236495453f56aaaaf51c45fd2df6b0d6267a7ea41a3b080fb8a2156c9a5fd719a05a258742e43d157cad1f5271005d1085019a757c3812eb33a82b509d466
Ssdeep: 384:s50wftrV353Bp2oBJ9eQdKN2mOmVKbWhE5I1qL9:aZtV9emKNVi5I1G
Yara: no match
input_01.png
Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\input_01.png
File size: 384 bytes
File type: PNG image data, 537 x 26, 8-bit/color RGBA, non-interlaced
MD5: ad21ecdcd2148b752efa6f430db4a437
SHA1: 2533d2c20ec5818c4d6dd80a96da1501811bd6a8
SHA256: 88d1521cf3fddd35b3da8e6b58684e3cd197d710af5374195717ae46140ea1d7
SHA512: 10172cf9cd7275e41c968448856e96d785a40b7ca3f3cc5ed2d3b1a2d74d4f87409d650ff249b4e7e2865001babd21831cba115f74f47bd2a0b326664e4df9de
Ssdeep: 6:6v/lhP0/lNVR/ChmVjnDq3Ij9EBUklOnMk8u7HkBmSiCoQ/3mlfL+X/76fL+X/7U:6v/7U/za3IGUsOnguwvv/3mlI6I6I6I0
Yara: no match
System.dll
Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\System.dll
File size: 11264 bytes
File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 00a0194c20ee912257df53bfe258ee4a
SHA1: d7b4e319bc5119024690dc8230b9cc919b1b86b2
SHA256: dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
SHA512: 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667
Ssdeep: 192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw
Yara: no match
info.png
Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\info.png
File size: 5692 bytes
File type: PNG image data, 210 x 47, 8-bit/color RGBA, non-interlaced
MD5: 8752d7da1271f095aab6b53d5685f514
SHA1: 434f5892a3af9e09e7282937b3cc8c912247e8a0
SHA256: cbe36e5e8339762698e01f0dd158243ea9902a522ba82183c803886214fe5388
SHA512: 6ac19ba785ecbb3161c6b559235e3cda091b3720000a2f834e273d4f6ffd7c63aa5c53840833e1e389058fc4e49e60f40481b4558238b5d880c7358d2b1d1768
Ssdeep: 96:YSDZ/I09Da01l+gmkyTt6Hk8nT7dxoPwUyfWHd+6fXqoZeHVTOgpxRj+Ywm+r9t2:YSDS0tKg9E05T7dmSW9+6fXqoY1TOgdf
Yara: no match
finish.png
Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\finish.png
File size: 7542 bytes
File type: PNG image data, 600 x 60, 8-bit/color RGBA, non-interlaced
MD5: 7d2eba4b389c538fdfa3277805fb648f
SHA1: 3fe31b51310b0d961ca6da39edbd31ee5cf9f9f5
SHA256: a72a8324ab428723d50b2447b3eb444013d61c0d9cdc7a40a3bbaface028f7ec
SHA512: 93aa003398c6d81d5b93976edc8f9b48ee3cef45e484ae136d1310a7ad65df8bfc18b2d93586647ab9f49ef99157cf93abcf5acfb71782e407b3925d48925e96
Ssdeep: 192:8PVqda4SBVXeAEGBwC+d/G6DCNpdRIQ3d3Gdo:8PVXeATwCsjCRRf3D
Yara: no match
jieya_button.png
Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\jieya_button.png
File size: 7909 bytes
File type: PNG image data, 800 x 60, 8-bit/color RGBA, non-interlaced
MD5: e1998a671f960dba6f1c16e4f1a46ba8
SHA1: 2ed320dd71e47554b7a46a82ff22af7e4cf98519
SHA256: 1d44ad0b56ff1340745ab37a0e7d0cf235731479be9b26462536905c33b88324
SHA512: 24def5934434addc2db09aecf56bb27689b5ddfbc72fdb8b98710e72e18ef046c4c7e3f6a19cb0d1d0e2870cb9482e6c267f234ff44a75a017d2e9f57683d0d2
Ssdeep: 192:wiBmA7T4b1CQ0oJ7r0VlCC2rMOAfxQxpebMRFxkCA28M:4A7T4b1QoNrLM5f4fu2
Yara: no match
NSISdl.dll
Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\NSISdl.dll
File size: 14848 bytes
File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 254f13dfd61c5b7d2119eb2550491e1d
SHA1: 5083f6804ee3475f3698ab9e68611b0128e22fd6
SHA256: fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28
SHA512: fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7
Ssdeep: 192:t5ZTobBDJ68r67wmsvJI5ad9cXzFOVu+mZ/P3p+57CvpVqDxVp01Dwn2GRYgsfA:fBo/680dCI5adOjFOg9//p27uNw2bo
Yara: no match
cancel.png
Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\cancel.png
File size: 1284 bytes
File type: PNG image data, 69 x 12, 8-bit/color RGBA, non-interlaced
MD5: 9f439310a422e58355ce87847765ff3d
SHA1: 744ad30abb57de585974801a077e916321946091
SHA256: ba02da2548a4819f6db98cecf479ac8f1ff17fd2d88e2925b3d7c76a68f4d1ad
SHA512: 6f8a1cf7ceea1fbf505688f8216476d5bbb99c015c45ba60da881783c6861bbe105a897cff4c913faed4b746ce3095d9ed70cf3695af6b8d01f99ddac0d4ca3f
Ssdeep: 24:icy1he91Wwjx82lY2T3ouVJc/GyJ3VCy11zGASyrcTXMDm2nZ/3oR+pDSc:nwqQNn2xredJ3JbzF7Ag62nZvoMx
Yara: no match
go.png
Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\go.png
File size: 6782 bytes
File type: PNG image data, 267 x 28, 8-bit/color RGBA, non-interlaced
MD5: d1b1b5339ff8b19f6b3cbdc2aad70a55
SHA1: 7ee7ab4cf7cef934e1f7f6c7a110c3a3a320f011
SHA256: 17354c20734c291b7d085a0da8c2629b9645ea5b450e0122f5fb3ba5d078a378
SHA512: dbd9bfd83204195e40b8ff6db5b0a8a6773f59a723201046d755d554d3238787e6d07079f7ad0da98f0a7f7ad9096e46060f2cc06fa71729fa440d1555dd50e1
Ssdeep: 96:9Y2rbK9wffOm4F70XmjhU1pTwrR8uxUZZ0VZMLCnSGOiPG7yRVvYM7aHqJ+nYp6:96qO70ZDTUG4nSpie1jJYp6
Yara: no match
azbconfig.ini
Path: C:\Users\test\AppData\Roaming\azbconfig.ini
File size: 98 bytes
File type: ASCII text, with CRLF line terminators
MD5: b8f0cd31172f859c0eed29931f9f7ad9
SHA1: cf8c6c5501e40a7c772d65e877ad002eacf811d5
SHA256: c663226d07c54b65c54f0afb4bd604dfa3e245f884ae1eaf2672aff41b7d9605
SHA512: bf7e9df3e7f8d5ccdee6f9be93c91bd4696380e6834101d2c968d2a32d05e3dc6585371e9a8ae2467c67c5c4dfe4924020f290bc20a9788e7bc11550ac6da189
Ssdeep: 3:NUy6Jp5fgVJ8WvNxQEYrUyYfXJpgsHn:Gy6j2V+qBymXssH
Yara: no match
up.png
Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\up.png
File size: 160 bytes
File type: PNG image data, 7 x 9, 8-bit/color RGBA, non-interlaced
MD5: 355a128adabe5b32e3eed951feb2341a
SHA1: bf9ea6c62daf297c98edbf9a5667affd8151e59b
SHA256: b2ce7a9b5efc5ef16d013843438e24a649f2d3467435e3450de131a5e4b87430
SHA512: dad0f0129e1e8ba9ccf090917e66c768a3008d5a1a4ae4c7535d9e37853b013d88b20fdf16313c376829c51876b1f32dbe93c5ce3f01efae13c1fd75c1674561
Ssdeep: 3:yionv//thPly2tjllB9+o4RthwkBDsTBZtnAkxXpuR6P6k2DkOUp9RGRB3AF8n1s:6v/lhPxDERnDspnAkZkcnMFwSn3PnYRz
Yara: no match
FindProcDLL.dll
Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\FindProcDLL.dll
File size: 3584 bytes
File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 8614c450637267afacad1645e23ba24a
SHA1: e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
SHA256: 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
SHA512: af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b
Ssdeep: 48:SJp9bgAa4QYAOpO+k5SR4aV0GV/XamAKDNh7Mt:Ab+4Tptk5SR4gxV/XamBN
Yara: no match
DialogEx.dll
Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\DialogEx.dll
File size: 21504 bytes
File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 2015bb43ab225bebd66bf474df424155
SHA1: 3179aae8019577c720bafca7d126574d837ece00
SHA256: 0af63a42fb77e2e31eccaea6953c86a461fa1fa82b2471e3493ee66f3e864f3e
SHA512: 66567cb93231cfec913463cfc47343844931251ba8e83df0bc67d2ee42fd6fb2eb8d468c9e1af6d2a087701f2e9eb22f0f41bc573f2a471110c422bd54c0815e
Ssdeep: 384:wPnkG6fcXeYBGD6Ngx4dwjgiQTr88zUUWh6XEK4EuN:GZXxBGD6NT+jjSrl/WnBT
Yara: no match
kp1configuration.ini
Path: C:\Users\test\AppData\Roaming\kp1configuration.ini
File size: 888 bytes
File type: ISO-8859 text, with CRLF line terminators
MD5: a7dd899310db0b1e7ea3d101d1910b77
SHA1: 1d49466334b6851777ae81a33db5d068f94f987a
SHA256: 47d2014804d2f41dc54cc0374c0dfddd02c1acd55e412013f1f3849334c47948
SHA512: 378b530a28d980a0887a968f454ef61f38aa13b837a7e843e4520148c9d613a5c96af27b040126009fd091c17bab8d00638ae6a07b07d8153972bc3870d977f2
Ssdeep: 12:RXHMFqjIOXGoQOXGcFhxKLG/KIHy69FPN4nrMnM3FHU4T3X0DF4Rzq0vhgFUs3J8:RjjI4GoQ4GJLbIHHCawrXFvBKibE0n
Yara: no match
Banner.dll
Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\Banner.dll
File size: 4096 bytes
File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 91c9ee5005ac6cb4ec79a3b039b4c8df
SHA1: 95a9c018b501b6697beca846a33955909c3f97be
SHA256: 05838c8f81efbb98679010158f29cefd88a34fb1fe5d603e839dd406235ddf29
SHA512: 41cc45a64fbe64cd83e704e87193004245f5d29f4f880921d041e5f2ceec86ca0653146e6477642eba73875b9d5f0d773b540436b19e4797def9c15d7618474b
Ssdeep: 48:6zQCRj3ybzBhsNDt/fsgOTF3D3cHEvRugYy/CQBSz7as:x8jvkggVjcHGRunQa
Yara: no match
CheckRunVirtual.dll
Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\CheckRunVirtual.dll
File size: 32768 bytes
File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: a0cb8030c255059749db3bffa0c78956
SHA1: 8d945131c91a4bd99f53758d75691349cd4127cb
SHA256: bcd19389fd4e58e552fc45c4222eae3aa70f0e7e1573b2afc8e7ad433f131398
SHA512: b9ad84d528b7b4f95c1ee1b315bc7d76ff3c093e99bbc6b806517742320cd3a592ceb4ab407e1e003b3476e4ee5bc608029c102244ede5fee7fded8ac21e15d7
Ssdeep: 384:9Rt4SLHEXLPdJtKP3Ko5wL19ODBg6ghwzlXR+1nu6EDHeMI1/NC3vy58Jv:9RthLyN9OmNhihmnTEDd3vy5q
Yara: DebuggerCheck__API ()
bg_02.png
Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\bg_02.png
File size: 111909 bytes
File type: PNG image data, 585 x 390, 8-bit/color RGBA, non-interlaced
MD5: 4835487b0286dff7cb758fc4cc4c6f3c
SHA1: 215307b9c99c0a1040933318d06ab4831f568939
SHA256: 5dacca188414a5f556097acfca2c5e8fdd696fc1d6cfb2e66bbd56af2b652235
SHA512: 69bba5bf200ab34dd7406f8031818f82bc474bfa184f5b86d9a569ea5c494b7179749629ca9b12d588c13721080931c65fca08d014efaddc5d7137920f497e69
Ssdeep: 3072:ce8khFO7qAGX3ysgfs74WfaqXuLFjW4hh:ce8GO7gyJm9QFThh
Yara: no match
check-box2.png
Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\check-box2.png
File size: 438 bytes
File type: PNG image data, 91 x 13, 8-bit/color RGBA, non-interlaced
MD5: 8f33bf9e8628c38fc69d167c80e3f396
SHA1: a631bcc319c9c3715b9166a75d862d2589699229
SHA256: 55e1b9996f9ee6837d7a0841387f65940b13c6a94def79aaf60758b0d174e9e1
SHA512: 7377701dd22537c504a79d03264ebbedffc8dffc1cbe7418af5ee08b2e761849fe64a876628896b10e92ec86eba4e215e83cc2d6c47f67e550d0ee9dc9a4b2f3
Ssdeep: 12:6v/7uU7d/IknybWh7uvdq4lVeexPmHxrXdRB:CWknJuvg+VOHxTdRB
Yara: no match
jindutiao.png
Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\jindutiao.png
File size: 1316 bytes
File type: PNG image data, 460 x 28, 8-bit/color RGBA, non-interlaced
MD5: 9fbaa289c7a946e1224b65e89d4b14c5
SHA1: 021f4ffaef2b3c9019a1b43817a46f07e23b879e
SHA256: f5c99243ea7f7209d1da544ae56e6ce898302cb10f5cdec1b10405d0f7ae51a8
SHA512: 6aadc2ea1a836d2b8035b6bd85dbfdc74fff7e4fb3446c4f811c6332261680949096019c28c91b623ce516259977c0f159014583935fda0da751ab4e4578faf5
Ssdeep: 24:Lm/6Bea5gzGVfsMVoL5j102R+MfZnOIuryMs4DRhcik7:Lm/6J5g+RG102RLZnOjyMNHe
Yara: no match
check-box.png
Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\check-box.png
File size: 456 bytes
File type: PNG image data, 91 x 13, 8-bit/color RGBA, non-interlaced
MD5: 05b58e6f1b294342ac1a0d48b60e736f
SHA1: ec7d6125ab69a0da9dd41c0aa9b1818604340af6
SHA256: c174d3fd88b0927826847c8e2c1e926f45f541ceccf1fa4632c9e33434db92c7
SHA512: 168b6a77b99d9c0900c5c03e889ae350fea176ad7f328e2269aa26a68e67e118d8f7e1936a118ff2f51ad8218429ff107b80f0ce0e5d516367ccb686b44250a3
Ssdeep: 6:6v/lhPpehUyKftldZsiXJaXgrnWWPi0kuchgiMljFXA5dJG1iGOPcHi9dmLup:6v/7uU7dZsiXJZrRiSFXAPJGoxB9dV
Yara: no match
ToolTips.dll
Path: C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\ToolTips.dll
File size: 4608 bytes
File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: 9a0da2692764bb842411a8b9687ebbb7
SHA1: 5c3a459faa08a704bdf162476897ad4580ae39bd
SHA256: 28aeaa48c929188a0d169887cc3f16370741467ae49e1db59763f030710a6bbb
SHA512: 814d686617df4fe9f50a93dac9428babff3a14836aa27b4666976379ec3fafcab65fd82d8886998fa65e7b59dc192ca067cf8b4cdeb8ef551812912d80dab8ed
Ssdeep: 48:apm2+v7BWCLWQqLa7JZ0ZK59HXesxdrqZZSakw6/K:Ymjv7BWoTicJZ0ZKPHXVx1MOw6
Yara: no match
Behavior analysis

Mutexes
Local\MSCTF.Asm.MutexDefault1
DefaultTabtip-MainUI
Commands executed: none
Services created: none
Services started: none

Process
672d19b395a61f8f084a4c7a38b017da54b27e7f339c4467d48ad1b695b77ccb.bin
PID: 556, parent PID: 1852
Files accessed
\Device\KsecDD
C:\Users\test\AppData\Local\Temp\SHFOLDER.DLL
C:\Windows\System32\shfolder.dll
\??\MountPointManager
C:\Users\test\AppData\Local\Temp\
C:\Users\test\AppData\Local\Temp
C:\Users\test\AppData\Local\Temp\nsu36A8.tmp
C:\Users\test\AppData\Local\Temp\672d19b395a61f8f084a4c7a38b017da54b27e7f339c4467d48ad1b695b77ccb.bin
C:\Users\test\AppData\Local\Temp\nsf36E8.tmp
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp
C:\Users
C:\Users\test
C:\Users\test\AppData
C:\Users\test\AppData\Local
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\CheckRunVirtual.dll
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\FindProcDLL.dll
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\Banner.dll
C:\Windows\Fonts\staticcache.dat
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\NSISdl.dll
C:\Users\test\AppData\Roaming\azbconfig.ini
C:\Users\test\AppData\Roaming\kp1configuration.ini
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\DialogEx.dll
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\MSIMG32.dll
C:\Windows\System32\msimg32.dll
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\System.dll
\DEVICE\NETBT_TCPIP_{33E35B0A-D1F6-4AB1-A1AE-56B8A256B787}
C:\Users\test\AppData\Local\Temp\RichEd20.DLL
C:\Windows\System32\riched20.dll
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\bg.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\bg_02.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\cancel.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\change.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\check-box.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\check-box2.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\delete.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\down.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\finish.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\go.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\img_01.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\info.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\input_01.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\jieya_button.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\jindutiao.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\up.png
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
C:\Program Files (x86)\hmrl
C:\Program Files (x86)
C:\
C:\Program Files (x86)\
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\ToolTips.dll
C:\Users\test\AppData\Local\Temp\imageres.dll
C:\Windows\System32\imageres.dll
C:\Windows\System32\zh-CN\imageres.dll.mui
C:\Windows\sysnative\zh-CN\imageres.dll.mui
C:\Windows\System32\zh-Hans\imageres.dll.mui
C:\Windows\System32\zh\imageres.dll.mui
C:\Windows\System32\en-US\imageres.dll.mui
Read files
\Device\KsecDD
C:\Windows\System32\shfolder.dll
C:\Users\test\AppData\Local\Temp\nsu36A8.tmp
C:\Users\test\AppData\Local\Temp\672d19b395a61f8f084a4c7a38b017da54b27e7f339c4467d48ad1b695b77ccb.bin
C:\Users\test\AppData\Local\Temp\nsf36E8.tmp
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\CheckRunVirtual.dll
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\FindProcDLL.dll
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\Banner.dll
C:\Windows\Fonts\staticcache.dat
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\NSISdl.dll
C:\Users\test\AppData\Roaming\azbconfig.ini
C:\Users\test\AppData\Roaming\kp1configuration.ini
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\DialogEx.dll
C:\Windows\System32\msimg32.dll
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\System.dll
\DEVICE\NETBT_TCPIP_{33E35B0A-D1F6-4AB1-A1AE-56B8A256B787}
C:\Windows\System32\riched20.dll
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\bg_02.png
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\delete.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\check-box.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\check-box2.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\change.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\input_01.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\ToolTips.dll
C:\Windows\System32\imageres.dll
C:\Windows\System32\zh-CN\imageres.dll.mui
C:\Windows\sysnative\zh-CN\imageres.dll.mui
C:\Windows\System32\zh-Hans\imageres.dll.mui
C:\Windows\System32\zh\imageres.dll.mui
C:\Windows\System32\en-US\imageres.dll.mui
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\jieya_button.png
Modified files
C:\Users\test\AppData\Local\Temp\nsf36E8.tmp
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\CheckRunVirtual.dll
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\FindProcDLL.dll
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\Banner.dll
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\NSISdl.dll
C:\Users\test\AppData\Roaming\azbconfig.ini
C:\Users\test\AppData\Roaming\kp1configuration.ini
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\DialogEx.dll
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\System.dll
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\bg.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\bg_02.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\cancel.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\change.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\check-box.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\check-box2.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\delete.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\down.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\finish.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\go.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\img_01.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\info.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\input_01.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\jieya_button.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\jindutiao.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\up.png
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp\ToolTips.dll
Deleted files
C:\Users\test\AppData\Local\Temp\nsu36A8.tmp
C:\Users\test\AppData\Local\Temp\nsu36F8.tmp
C:\Users\test\AppData\Roaming\azbconfig.ini
C:\Users\test\AppData\Roaming\kp1configuration.ini
Registry keys
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\FindProcDLL.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\Banner.dll
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\672d19b395a61f8f084a4c7a38b017da54b27e7f339c4467d48ad1b695b77ccb.bin
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\INTERNET EXPLORER\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\KpPopupDlg.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Tahoma
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\NSISdl.dll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\DialogEx.dll
HKEY_CURRENT_USER\Software\hmrl\huamaorili
HKEY_CURRENT_USER\Software\hmrl\huamaorili\hmrlqd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\System.dll
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{33e35b0a-d1f6-4ab1-a1ae-56b8a256b787}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{33E35B0A-D1F6-4AB1-A1AE-56B8A256B787}\EnableDhcp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Linkage\Bind
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\Software
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Append Completion
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\AutoSuggest
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\AutoSuggest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Always Use Tab
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Always Use Tab
HKEY_CURRENT_USER\Software\Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Client\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Client\(Default)
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\微软雅黑
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\微软雅黑
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\ToolTips.dll
Registry keys read
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\FindProcDLL.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\Banner.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\NSISdl.dll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\DialogEx.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\System.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{33E35B0A-D1F6-4AB1-A1AE-56B8A256B787}\EnableDhcp
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Linkage\Bind
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Append Completion
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\AutoSuggest
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\AutoSuggest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Always Use Tab
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Always Use Tab
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Client\(Default)
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\微软雅黑
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\ToolTips.dll
Registry keys modified
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\INTERNET EXPLORER\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\KpPopupDlg.exe
HKEY_CURRENT_USER\Software\hmrl\huamaorili
HKEY_CURRENT_USER\Software\hmrl\huamaorili\hmrlqd
Registry keys deleted: no information
Resolved APIs
cryptbase.dll.SystemFunction036
uxtheme.dll.ThemeInitApiHook
user32.dll.IsProcessDPIAware
shfolder.dll.SHGetFolderPathA
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
kernel32.dll.GetUserDefaultUILanguage
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
checkrunvirtual.dll.IsRunVirtualPC
findprocdll.dll.FindProc
psapi.dll.EnumProcesses
psapi.dll.EnumProcessModules
psapi.dll.GetModuleBaseNameA
banner.dll.show
dwmapi.dll.DwmIsCompositionEnabled
comctl32.dll.RegisterClassNameW
uxtheme.dll.EnableThemeDialogTexture
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
gdi32.dll.GetFontAssocStatus
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
gdi32.dll.GetTextExtentExPointWPri
nsisdl.dll.download_quiet
dnsapi.dll.DnsApiFree
dialogex.dll.Init
dialogex.dll.SetGlobalParam
system.dll.Call
iphlpapi.dll.GetAdaptersInfo
dhcpcsvc.dll.DhcpIsEnabled
iphlpapi.dll.ConvertInterfaceNameToLuidW
system.dll.Alloc
system.dll.Free
banner.dll.destroy
oleaut32.dll.#500
uxtheme.dll.OpenThemeData
uxtheme.dll.GetThemeBool
user32.dll.GetSystemMenu
user32.dll.DeleteMenu
dialogex.dll.LoadPng
gdiplus.dll.GdipLoadImageFromStream
gdiplus.dll.GdipDisposeImage
gdiplus.dll.GdipGetImageWidth
gdiplus.dll.GdipGetImageHeight
gdiplus.dll.GdipGetImagePixelFormat
gdiplus.dll.GdipCreateFromHDC
gdiplus.dll.GdipDrawImageRectI
gdiplus.dll.GdipDeleteGraphics
gdiplus.dll.GdiplusStartup
gdiplus.dll.GdiplusShutdown
kernel32.dll.IsProcessorFeaturePresent
user32.dll.GetWindowInfo
user32.dll.GetAncestor
user32.dll.GetMonitorInfoA
user32.dll.EnumDisplayMonitors
user32.dll.EnumDisplayDevicesA
gdi32.dll.ExtTextOutW
gdi32.dll.GdiIsMetaPrintDC
windowscodecs.dll.DllGetClassObject
kernel32.dll.WerRegisterMemoryBlock
gdi32.dll.CreatePatternBrush
gdi32.dll.DeleteObject
gdi32.dll.CreateRoundRectRgn
user32.dll.SetWindowRgn
dialogex.dll.OnClick
user32.dll.LoadCursorA
dialogex.dll.SetBtnImage
uxtheme.dll.IsThemePartDefined
uxtheme.dll.GetThemeFont
uxtheme.dll.GetThemeColor
imm32.dll.ImmIsIME
kernel32.dll.GetDiskFreeSpaceExA
imm32.dll.ImmGetContext
imm32.dll.ImmLockIMC
imm32.dll.ImmUnlockIMC
imm32.dll.ImmReleaseContext
imm32.dll.ImmSetCompositionFontW
uxtheme.dll.DrawThemeBackground
imm32.dll.ImmGetCompositionWindow
imm32.dll.ImmSetCompositionWindow
shlwapi.dll.SHAutoComplete
ole32.dll.CoCreateInstance
comctl32.dll.#411
comctl32.dll.#410
ole32.dll.CLSIDFromString
uxtheme.dll.GetThemePartSize
uxtheme.dll.CloseThemeData
uxtheme.dll.GetThemeTextExtent
uxtheme.dll.GetThemeMargins
comctl32.dll.#413
user32.dll.SetWindowLongA
user32.dll.SetDlgItemTextA
dialogex.dll.CreateCtrl
comctl32.dll.#412
tooltips.dll.Modern
dialogex.dll.Create
uxtheme.dll.BufferedPaintInit
uxtheme.dll.BeginBufferedPaint
uxtheme.dll.EndBufferedPaint
©2016 上海魔盾信息科技有限公司