Download - Maldun Security Analysis
Maldun Security Analysis Report

Analysis type: FILE
Start time: 2016-05-08 16:41:26
End time: 2016-05-08 17:15:39
Duration: 2053 seconds
Analysis engine version: 1.4-Maldun

Virtual machine name: win7-sp1-x64
Tag: win7-sp1-x64
Hypervisor: KVM
Boot time: 2016-05-08 16:41:27
Shutdown time: 2016-05-08 17:15:37

Maldun score: 10.0 (malicious)

Error :-( The analysis hit the critical timeout, terminating.

File details
  File name: 31.25.vir
  File size: 798722 bytes
  File type: PE32 executable (GUI) Intel 80386, for MS Windows
  CRC32: 590CD5A0
  MD5: 0fc3ea244ae1c03ea6a4b99f713fc72e
  SHA1: acd6208dbaad8e86d4e04edcf9e3485effccd5f4
  SHA256: 134ca1bedf0d82e97730ffe051830e74fb6d2626a2956f3bbb9460c18656a933
  SHA512: a5da9f7368746756451fe592e60daa2da9cd9b780244596c48c90a8933e48cb0010e566675c762c8a79c5f0e874c9cbb1ff8d749e2fdfc250e3707cae1d658c8
  Ssdeep: 12288:MMU5PHE/dG8xXPSGjwklSVC0BsjKb6LkS6lLkZYePYILR3SuJ26fC2yae5EXG+X:MnEkkPSGRSVCCpOLTTZY5mcU69W
  PEiD: No match
  Yara: SEH__vba ()
  VirusTotal: link available; scan time 2016-04-27 03:17:48; result 35/57

Signatures
- Creates RWX memory
- Reads data from its own binary image
    self_read: process: 31.25.vir, pid: 1064, offset: 0x00000000, length: 0x000c3002
- Performs HTTP requests
    url: http://www.msftncsi.com/ncsi.txt
    url: http://ip.telize.com/
    url: http://zsn5qtrgfpu4tmpg.onion.lt/BXV6l9D-9MYqzf&9-K9FX2FkB898Oi=fK8dwduoM&daUQ9YCbvBj4=cs0h33m1&uW3Q-6L0DI+=iUUz7oUOnS-VkW&mbUlWqjl=i7Tn0SAhX+&xbA-8MYWR=wVN2gX6Tw1I6&DmTCXq08yWJyKoR=JQ
    url: http://secure2.alphassl.com/cacert/gsalphasha2g2r1.crt
    url: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
    url: http://ocsp.globalsign.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCCwQAAAAAAURO8DYx
- The binary may contain encrypted or compressed data
    section: name: .text, entropy: 7.80, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x000be000, virtual_size: 0x000bd764
- Executes a process and injects code into it (possibly as part of unpacking)
- Network activity detected that does not appear in the API log
- The file is detected as malicious by at least ten antivirus engines on VirusTotal
    Bkav: HW32.Packed.31C8
    MicroWorld-eScan: Trojan.GenericKD.3172207
    nProtect: Trojan.GenericKD.3172207
    ALYac: Trojan.GenericKD.3172207
    Malwarebytes: Ransom.CTBLocker
    Zillya: Trojan.CTBLocker.Win32.19
    BitDefender: Trojan.GenericKD.3172207
    K7GW: Riskware ( 0040eff71 )
    K7AntiVirus: Riskware ( 0040eff71 )
    Baidu: Win32.Trojan.WisdomEyes.151026.9950.9999
    Symantec: Trojan.Cryptolocker.G
    Avast: Win32:Trojan-gen
    Kaspersky: Trojan-Ransom.Win32.Onion.vxg
    NANO-Antivirus: Trojan.Win32.Inject2.ebsznt
    ViRobot: Trojan.Win32.U.Upatre.798720[h]
    Rising: Malware.XPACK-HIE/Heur!1.9C48
    Ad-Aware: Trojan.GenericKD.3172207
    F-Secure: Trojan.GenericKD.3172207
    DrWeb: Trojan.Inject2.20503
    VIPRE: Trojan.Win32.Generic!BT
    Emsisoft: Trojan.GenericKD.3172207 (B)
    Jiangmin: Trojan.Onion.bx
    Avira: TR/Dropper.VB.yaks
    Arcabit: Trojan.Generic.D30676F
    SUPERAntiSpyware: Trojan.Agent/Gen-VB
    Microsoft: Ransom:Win32/Critroni
    AhnLab-V3: Malware/Gen.Generic
    AVware: Trojan.Win32.Generic!BT
    Panda: Trj/GdSda.A
    ESET-NOD32: Win32/Filecoder.CTBLocker.A
    Tencent: Win32.Trojan.Onion.Kfz
    Yandex: Trojan.Onion!
    GData: Trojan.GenericKD.3172207
    AVG: Crypt_vb.IUI
    Qihoo-360: HEUR/QVM03.0.0000.Malware.Gen
- Connects to a Tor hidden service through a Tor (onion routing) web gateway
    domain: zsn5qtrgfpu4tmpg.tor2web.fi
    domain: zsn5qtrgfpu4tmpg.tor2web.org
    domain: zsn5qtrgfpu4tmpg.onion.cab
    domain: zsn5qtrgfpu4tmpg.tor2web.blutmagie.de
- Anomalous binary characteristics
    anomaly: Actual checksum does not match that reported in PE header

Network analysis

Hosts contacted
  Direct   IP address       Country
  yes      86.59.21.38      Austria
  no       82.94.251.220    Netherlands
  yes      74.125.23.113    United States
  yes      74.125.23.100    United States
  no       59.63.197.13     China
  no       58.211.137.192   China
  no       38.229.70.4      United States
  no       23.62.109.66     United States
  yes      193.23.244.244   Germany
  yes      154.35.32.5      United States
  no       104.16.29.16     unknown

DNS resolution (domain: response)
  www.msftncsi.com: CNAME a1961.g2.akamai.net, A 23.62.109.66, A 23.62.109.65, CNAME www.msftncsi.com.edgesuite.net
  dns.msftncsi.com: A 131.107.255.255
  dns.msftncsi.com: AAAA fd3e:4f5a:5b81::1
  ip.telize.com: A 180.168.41.175
  zsn5qtrgfpu4tmpg.tor2web.fi: A 194.150.168.74, CNAME tor2web.org
  zsn5qtrgfpu4tmpg.tor2web.blutmagie.de
  zsn5qtrgfpu4tmpg.onion.cab
  zsn5qtrgfpu4tmpg.tor2web.org: A 38.229.70.4
  zsn5qtrgfpu4tmpg.onion.lt: A 82.94.251.220
  secure2.alphassl.com: A 104.16.28.16, A 104.16.29.16
  www.download.windowsupdate.com: CNAME fg.v4.download.windowsupdate.chinacache.net, CNAME hpcc-download.telssr.chinacache.net, CNAME 2-01-3cf7-0009.cdx.cedexis.net, A 180.153.126.27, CNAME download030.telssr.chinacache.net, A 59.63.197.13
  ocsp.globalsign.com: CNAME cdn.globalsigncdn.com, A 58.211.137.192

TCP connections
  IP address       Port
  104.16.29.16     80
  180.168.41.175   80
  180.168.41.175   80
  180.168.41.175   443
  180.168.41.175   80
  180.168.41.175   80
  180.168.41.175   80
  23.62.109.66     80
  38.229.70.4      443
  58.211.137.192   80
  59.63.197.13     80
  82.94.251.220    80
  82.94.251.220    443

HTTP requests

  URL: http://www.msftncsi.com/ncsi.txt
  HTTP data:
    GET /ncsi.txt HTTP/1.1
    Connection: Close
    User-Agent: Microsoft NCSI
    Host: www.msftncsi.com

  URL: http://ip.telize.com/
  HTTP data:
    GET / HTTP/1.1
    Host: ip.telize.com
    Accept: */*
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

  URL: http://zsn5qtrgfpu4tmpg.onion.lt/BXV6l9D-9MYqzf&9-K9FX2FkB898Oi=fK8dwduoM&daUQ9YCbvBj4=cs0h33m1&uW3Q-6L0DI+=iUUz7oUOnS-VkW&mbUlWqjl=i7Tn0SAhX+&xbA-8MYWR=wVN2gX6Tw1I6&DmTCXq08yWJyKoR=JQ
  HTTP data:
    GET /BXV6l9D-9MYqzf&9-K9FX2FkB898Oi=fK8dwduoM&daUQ9YCbvBj4=cs0h33m1&uW3Q-6L0DI+=iUUz7oUOnS-VkW&mbUlWqjl=i7Tn0SAhX+&xbA-8MYWR=wVN2gX6Tw1I6&DmTCXq08yWJyKoR=JQ HTTP/1.1
    Referer: http://zsn5qtrgfpu4tmpg.onion.lt/
    Accept: */*
    Cookie: disclaimer_accepted=true
    User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
    Host: zsn5qtrgfpu4tmpg.onion.lt
    Cache-Control: no-cache

  URL: http://secure2.alphassl.com/cacert/gsalphasha2g2r1.crt
  HTTP data:
    GET /cacert/gsalphasha2g2r1.crt HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: secure2.alphassl.com

  URL: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
  HTTP data:
    GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
    Cache-Control: max-age = 86423
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: www.download.windowsupdate.com

  URL: http://ocsp.globalsign.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCCwQAAAAAAURO8DYx
  HTTP data:
    GET /rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCCwQAAAAAAURO8DYx HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: ocsp.globalsign.com

ICMP requests
  Source address: 192.168.122.69
  Destination address: 192.168.122.1
  ICMP type: 3
  ICMP data: (none)

Static analysis

PE information
  Image base: 0x00400000
  Entry point: 0x00401274
  Declared checksum: 0x000cb36f
  Actual checksum: 0x000ce0a2
  Minimum OS version required: 4.0
  Compile time: 2016-04-21 21:14:42
  Icon exact hash: 2467e4a06dbc1e0ae3435f8829675f3c
  Icon similarity hash: de9c167105975bd8ff15e19bc601558d

Version information
  Translation: 0x0c09 0x04b0
  InternalName: Marshberries3
  FileVersion: 1.00
  CompanyName: Halon Krusk
  Comments: Geografierne
  ProductName: Pjattes
  ProductVersion: 1.00
  FileDescription: Stagnantness5
  OriginalFilename: Marshberries3.exe

PE sections
  Name    Virtual address   Virtual size   Raw data size   Characteristics                                                          Entropy
  .text   0x00001000        0x000bd764     0x000be000      IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ              7.80
  .data   0x000bf000        0x0000906c     0x00001000      IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE    0.00
  .rsrc   0x000c9000        0x000028ac     0x00003000      IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                        4.87

Overlay
  Offset: 0x000c3000
  Size: 0x00000002

Resources
  Name            Offset       Size         Language       Sublanguage            Entropy   File type
  RT_ICON         0x000ca740   0x00000ea8   LANG_NEUTRAL   SUBLANG_NEUTRAL        5.56      data
  RT_ICON         0x000ca740   0x00000ea8   LANG_NEUTRAL   SUBLANG_NEUTRAL        5.56      data
  RT_GROUP_ICON   0x000cb5e8   0x00000022   LANG_NEUTRAL   SUBLANG_NEUTRAL        2.41      MS Windows icon resource - 2 icons, 64x64, 256-colors
  RT_VERSION      0x000cb60c   0x000002a0   LANG_ENGLISH   SUBLANG_ENGLISH_AUS    3.23      data

Imports
  Library: MSVBVM60.DLL

Dropped files: None

Behavior analysis

Mutexes
  lahcnybwiiiwgn

Executed commands
  "C:\Users\test\AppData\Local\Temp\31.25.vir"

Created services: None
Started services: None

Processes
  31.25.vir PID: 888, parent PID: 264
  31.25.vir PID: 1064, parent PID: 888

Accessed files
  C:\Users\test\AppData\Local\Temp\IMM32.DLL
  C:\Windows\System32\imm32.dll
  \Device\KsecDD
  C:\Users\test\AppData\Local\Temp\31.25.vir.cfg
  C:\Windows\sysnative\C_932.NLS
  C:\Windows\sysnative\C_949.NLS
  C:\Windows\sysnative\C_950.NLS
  C:\Windows\System32\uxtheme.dll.Config
  C:\Windows\System32\uxtheme.dll
  C:\Users\test\AppData\Local\Temp\31.25.vir.Local\
  C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
  C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
  C:\Windows\WindowsShell.Manifest
  C:\Windows\Fonts\staticcache.dat
  C:\Users\test\AppData\Local\Temp\*.*
  C:\
  C:\Users\test\AppData\Local\Temp
  C:\ProgramData\*.*
  C:\ProgramData\Adobe\lcwkzhh
  C:\ProgramData\alipay\lcwkzhh
  C:\ProgramData\Baidu\lcwkzhh
  C:\ProgramData\Microsoft\lcwkzhh
  C:\ProgramData\Microsoft Help\lcwkzhh
  C:\Users\test\AppData\Local\Temp\31.25.vir
  C:\Users\test\AppData\Local\Temp\mgusien.exe

Read files
  \Device\KsecDD
  C:\Windows\System32\uxtheme.dll.Config
  C:\Windows\System32\uxtheme.dll
  C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
  C:\Windows\WindowsShell.Manifest
  C:\Windows\Fonts\staticcache.dat
  C:\ProgramData\Adobe\lcwkzhh
  C:\ProgramData\alipay\lcwkzhh
  C:\ProgramData\Baidu\lcwkzhh
  C:\ProgramData\Microsoft\lcwkzhh
  C:\ProgramData\Microsoft Help\lcwkzhh
  C:\Users\test\AppData\Local\Temp\31.25.vir

Modified files
  C:\Users\test\AppData\Local\Temp\mgusien.exe

Deleted files: None

Modified registry keys: None
Deleted registry keys: None

©2016 Shanghai Maldun Information Technology Co., Ltd.