Maldun Security Analysis Report: File Details and Signatures
Maldun Security Analysis Report

Analysis
  Analysis type: FILE
  Start time: 2016-05-04 14:56:24
  End time: 2016-05-04 14:58:47
  Duration: 143 seconds
  Analysis engine version: 1.4-Maldun

Virtual machine
  Machine name: win7-sp1-x64-1
  Label: win7-sp1-x64-1
  Hypervisor: KVM
  Boot time: 2016-05-04 14:56:25
  Shutdown time: 2016-05-04 14:58:46

Maldun score: 10.0 (malicious)

File details
  File name: Factuur_09480602.pdf.exe
  File size: 742541 bytes
  File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
  CRC32: 6E46EFA8
  MD5: f3669aa9d7272d0db49bcd97b65ea23b
  SHA1: 9cb87d56e5c51ceb26d9da945a139855329fa549
  SHA256: faf62fde4104945b85f6c1381c3009d5f676fe8adf0cd0c2f0e15931f3c41f73
  SHA512: 97d16c26a144f5dbb9de0360896758936ac064c51358da23db4a3574825cb136cf218a452d603eb4059164f376d5f0a0509e9e99b5d11271ca6e1960f8d2bb45
  Ssdeep: 12288:GkirMt70NAthrkeKqt9ICRUBioUwc7Phuuo23IKDIRKYfJf2:GkirAtRtKqzkiNbZ94AYBf2
  PEiD: no match
  Yara: no Yara rule matched
  VirusTotal: VirusTotal link (scan time: 2016-05-03 13:51:31; result: 38/57)

Signatures
  Creates RWX memory
  Reads data from its own binary image
    self_read: process: Factuur_09480602.pdf.exe, pid: 2512, offset: 0x00000000, length: 0x0000c400
    self_read: process: Factuur_09480602.pdf.exe, pid: 2512, offset: 0x0000c21c, length: 0x000a9271
    self_read: process: Factuur_09480602.pdf.exe, pid: 1940, offset: 0x00000000, length: 0x000b548d
  Attempts to mimic the file extension of a PDF document by using 'pdf' in the file name
  Executes a process and injects code into it (possibly during unpacking)
  Network activity detected but not shown in the API log
  File detected as malicious by at least ten antivirus engines on VirusTotal
    Bkav: W32.StatulisC.Trojan
    MicroWorld-eScan: Trojan.GenericKD.3150143
    nProtect: Trojan.GenericKD.3150143
    CAT-QuickHeal: TrojanRansom.Onion.r5
    ALYac: Trojan.GenericKD.3150143
    Malwarebytes: Trojan.Kovter.Generic
    VIPRE: Trojan.Win32.Generic.pak!cobra
    K7GW: Trojan ( 004e294d1 )
    K7AntiVirus: Trojan ( 004e294d1 )
    Symantec: Trojan.Gen
    ESET-NOD32: a variant of Generik.GQZQICK
    Avast: Win32:Malware-gen
    GData: Trojan.GenericKD.3150143
    Kaspersky: Trojan-Ransom.NSIS.Onion.ncm
    BitDefender: Trojan.GenericKD.3150143
    NANO-Antivirus: Trojan.Win32.Encoder.ebqmyp
    Tencent: Win32.Trojan.Bp-generic.Wpav
    Ad-Aware: Trojan.GenericKD.3150143
    Emsisoft: Trojan.GenericKD.3150143 (B)
    F-Secure: Trojan.GenericKD.3150629
    DrWeb: Trojan.Encoder.858
    Zillya: Trojan.Onion.Win32.918
    TrendMicro: TROJ_GEN.R0CCC0DDD16
    McAfee-GW-Edition: BehavesLike.Win32.Ransom.bc
    Sophos: Troj/Ransom-CVG
    Cyren: W32/Trojan.RTRZ-0424
    Arcabit: Trojan.Generic.D30113F
    ViRobot: Trojan.Win32.Z.Agent.742541[h]
    Microsoft: Ransom:Win32/Critroni.B
    AhnLab-V3: Malware/Gen.Generic
    McAfee: RDN/Ransom
    AVware: Trojan.Win32.Generic.pak!cobra
    Yandex: Trojan.Steamilik!
    Ikarus: Trojan.Win32.Steamilik
    Fortinet: Malicious_Behavior.VEX.89
    AVG: Inject3.AJIL
    Panda: Trj/CI.A
    Qihoo-360: QVM42.0.Malware.Gen
  Creates a copy of itself
    copy: C:\Users\test\AppData\Local\Temp\mgusien.exe

Network analysis
  Hosts contacted
    Direct  IP address     Country
    Yes     23.41.176.45   United States
    Yes     74.125.23.138  United States
    Yes     74.125.23.113  United States
    Yes     74.125.23.102  United States
    Yes     74.125.23.101  United States
    Yes     74.125.23.100  United States
  UDP connections
    IP address       Port
    192.168.122.1    53
    192.168.122.1    53
    192.168.122.255  138

Static analysis
  PE info
    Image base: 0x00400000
    Entry point: 0x00403217
    Declared checksum: 0x00000000
    Actual checksum: 0x000c0bed
    Minimum OS version required: 4.0
    Compile time: 2014-10-07 12:40:17
  Icon
    Icon exact hash: 9c24fac0d4a2cfd0100bcfcb83a9ca33
    Icon similarity hash: c680bc2cc6d7fc57335e6ed3cb09c9ec
  PE sections
    Name    Virtual address  Virtual size  Raw data size  Characteristics                                                              Entropy
    .text   0x00001000       0x00005bf4    0x00005c00     IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ                   6.48
    .rdata  0x00007000       0x000011ce    0x00001200     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                            5.24
    .data   0x00009000       0x0001a7f8    0x00000400     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE        5.03
    .ndata  0x00024000       0x00008000    0x00000000     IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE      0.00
    .rsrc   0x0002c000       0x00004a35    0x00004c00     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                            3.86
  Overlay
    Offset: 0x0000c200
    Size: 0x000a928d
  Resources
    Name           Offset      Size        Language      Sublanguage         Entropy  File type
    RT_ICON        0x0002c1c0  0x00004228  LANG_ENGLISH  SUBLANG_ENGLISH_US  3.51     dBase IV DBT of \200.DBF, blocks size 64, block length 16384, next free block index 40, 1st item "\377\377\377"
    RT_DIALOG      0x000306bc  0x00000060  LANG_ENGLISH  SUBLANG_ENGLISH_US  2.49     data
    RT_GROUP_ICON  0x0003071c  0x00000014  LANG_ENGLISH  SUBLANG_ENGLISH_US  1.92     MS Windows icon resource - 1 icon
    RT_MANIFEST    0x00030730  0x00000305  LANG_ENGLISH  SUBLANG_ENGLISH_US  5.27     XML document text
  Imports
    Libraries: KERNEL32.dll, USER32.dll, GDI32.dll, SHELL32.dll, ADVAPI32.dll, COMCTL32.dll, ole32.dll, VERSION.dll

Dropped files
  Hinayana.dll
    Path: C:\Users\test\AppData\Roaming\Hinayana.dll
    File size: 8704 bytes
    File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    MD5: 893b9bfaf09e2795f2aeaca7c97eb8bd
    SHA1: c426245a28ba6191dac71e263c9766f802eae725
    SHA256: 02a5ee6c9e41b9665f2e6b87bc9352ae7fd8d1257ec058f0133ba5d8e0b98ec8
    SHA512: 4a80a86b897451e422d062ebc291dcadeded5ac6fe03d4899af69d10dabfda6e6aec5cb030c099815c3a993ea3abb6edb298e67820ca63f54958f51a5229dc75
    Ssdeep: 192:70SdeO2y4z94bV+8e5m7fxLT8ihYNpfg:u9ijTxcihYffg
    Yara: no match
    VirusTotal: search related analyses
  System.dll
    Path: C:\Users\test\AppData\Roaming\System.dll
    File size: 11264 bytes
    File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    MD5: 883eff06ac96966270731e4e22817e11
    SHA1: 523c87c98236cbc04430e87ec19b977595092ac8
    SHA256: 44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82
    SHA512: 60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390
    Ssdeep: 96:UPDYcJ+nx4vVp76JX7zBlkCg21Fxz4THxtrqw1at0JgwLEjo+OB3yUVCdl/wNj+l:UPtkuWJX7zB3kGwfy0nyUVsxCjOMb1u
    Yara: no match
    VirusTotal: search related analyses
  olink.lang.fallback.sequence.xml
    Path: C:\Users\test\AppData\Roaming\olink.lang.fallback.sequence.xml
    File size: 3225 bytes
    File type: HTML document, ASCII text
    MD5: a29ae6b99ab34923686b06694320ebe7
    SHA1: 482a8ada65985d189cbff15166645e74474e2828
    SHA256: b83b1ee4a1a47958eb630b285d379b712af80216697e355c61648d4d2797d682
    SHA512: 3aa51e5e0eb09867e620127d9d5e79c2b9362ac2c2572d63464376f9ea9a0600fd8297eedc254240669f0f92ee18a0b3c4dcf88e2e9ce6654acf0bddf6ec0b1d
    Ssdeep: 48:B6CatuxO57AOmnr0pNH0AWK+wGtAFheGEWgi2/XUX5Aar8wXACgCcW75wtsXB+Fv:B6Cah578YNUAB+wGtEEi2/5x3tsXoFv
    Yara: no match
    VirusTotal: search related analyses
  htmlhelp.button.jump1.xml
    Path: C:\Users\test\AppData\Roaming\htmlhelp.button.jump1.xml
    File size: 931 bytes
    File type: HTML document, ASCII text
    MD5: cd4e62cafe8d87d0a9a608877ec10156
    SHA1: 47ed56c7802d144b9f19de5c3c82720f5ae79564
    SHA256: 8d507582aeb225c227ce58932cc1956fd612032163c8407d9318bd76fd57d8ce
    SHA512: d11948ca912a0d78a96da4b431fbbc566bbb697e43878bb26e9c0022a09858e66673c518d9961d7aee0a4c6889c49b5af0e926f138a37b631a37a457d2ddf2f3
    Ssdeep: 12:B97AMW3FYpTRynMfamzRIQJaF9t4Y45XMWEtcAWEQ+AVf1mJXWlG6:B97AMv1RyMvzRIbFI1MWEUEvxWlV
    Yara: no match
    VirusTotal: search related analyses
  mgusien.exe
    Path: C:\Users\test\AppData\Local\Temp\mgusien.exe
    File size: 742541 bytes
    File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
    MD5: f3669aa9d7272d0db49bcd97b65ea23b
    SHA1: 9cb87d56e5c51ceb26d9da945a139855329fa549
    SHA256: faf62fde4104945b85f6c1381c3009d5f676fe8adf0cd0c2f0e15931f3c41f73
    SHA512: 97d16c26a144f5dbb9de0360896758936ac064c51358da23db4a3574825cb136cf218a452d603eb4059164f376d5f0a0509e9e99b5d11271ca6e1960f8d2bb45
    Ssdeep: 12288:GkirMt70NAthrkeKqt9ICRUBioUwc7Phuuo23IKDIRKYfJf2:GkirAtRtKqzkiNbZ94AYBf2
    Yara: no match
    VirusTotal: search related analyses
  500-17.htm
    Path: C:\Users\test\AppData\Roaming\500-17.htm
    File size: 669371 bytes
    File type: data
    MD5: a9880ab8a111de0b335270465edaae39
    SHA1: 6ed679e0081c66f2d16a11c6960ff534a668a5ba
    SHA256: 4807df85f8f22c49c257467b799d413bd3fdc5e5a83a51562fa14ff20c44b511
    SHA512: 5d506e11080d43ecf4f2482a01c53ba4c15afae7540b8fde5bf2236aeccc512a24ac0b817f1515bc1be2be7ece1931ff923676d87974c99a2456ad0dbf0c5ab4
    Ssdeep: 12288:bedSjCB6xnzHwYiHUGA9UJ0WtTWK2CQeEFkmzJvCOEOR682qT/GAKauD:bedxB6hL/UJtTbLxEFk8vCOEOs8/Gfa6
    Yara: no match
    VirusTotal: search related analyses
  ArilStealthNephropathy
    Path: C:\Users\test\AppData\Roaming\ArilStealthNephropathy
    File size: 1521 bytes
    File type: data
    MD5: bb42ac656ca8987293e2efa9de95f947
    SHA1: 6fee95a0c27efa9677fa898535cb084cdde3adad
    SHA256: 57ae5316f8ffb2b2500b1ab4e689ece881d3035acfbe96f1ed11cc12d7c642f4
    SHA512: ae0eb17db8386aa3056f2f66fb4c0c98d41ab4e1eadae6d00cc67429a7d4c4f0505357f5cb37d4a5bc59aa1b790ad65bfb4b3ef8a1c9ffe16f807ce740b487b6
    Ssdeep: 24:IrPPvwEVGDVGaKto6x8iAOblOIPikwFKjOfhcbpAicvAqS+3VcVIvlc0fiW0HlZs:PEVGDVNKyg8TyPikwF4OJcVA4+Wivlcc
    Yara: no match
    VirusTotal: search related analyses
  appbar.eve
    Path: C:\Users\test\AppData\Roaming\appbar.eve
    File size: 3336 bytes
    File type: ASCII text, with very long lines, with CRLF line terminators
    MD5: 411d6db1d5d113a3a67180a4c397744b
    SHA1: 740b6607247d1effb6f34b0117ed1018179e64c7
    SHA256: 1cabd4a66164c69b74872badcee0fff5d0965d0cf53b320a13a522b37926c644
    SHA512: 23b57656501670e0af2c215ac880837755f8c32013ba6017f2a8357e635b701e714f4dfa29d1a7ebf435bb0345347cb1c4a8a1761d263674b9e19f460d745624
    Ssdeep: 48:N7FIggjnP6GK1GpU5GDWQ+oHWW7ymn4raYtFbVZVf2p/4/6kkLCx:ZOggjnSGXpLDWQ+MZiaGFbzmkkLG
    Yara: no match
    VirusTotal: search related analyses
  Monochromatic Artistic.hdt
    Path: C:\Users\test\AppData\Roaming\Monochromatic Artistic.hdt
    File size: 112 bytes
    File type: data
    MD5: a7083a1006c7d7fa41dd67dca98384d3
    SHA1: 0e33d2481903382f702fe77b020c36dc271e82a8
    SHA256: 03e5f17eb8b361f044dd3f2c4efc6ff51ee3591768f245e74017e3c673f12a39
    SHA512: 3b0d2718cd44479bfe4f45e6b16cd69d6b27e2e043cd06c98b3a27b838c932f7a1a97e7bce84993ede2bab512df4c1232136facca4997b9e6a1e07d346083116
    Ssdeep: 3:bflHlxl3C7HTl/flt3TE/5at/ntu1/nN/kOi9n:brct/Iys1/OV
    Yara: no match
    VirusTotal: search related analyses

Behavior analysis
  Mutexes
    lahcnybwiiiwgn
  Executed commands
    "C:\Users\test\AppData\Local\Temp\Factuur_09480602.pdf.exe"
  Services created: none
  Services started: none
  Processes
    Factuur_09480602.pdf.exe PID: 2512, parent PID: 2256
    Factuur_09480602.pdf.exe PID: 1940, parent PID: 2512
  Files accessed
    \Device\KsecDD
    C:\Users\test\AppData\Local\Temp\SHFOLDER.DLL
    C:\Windows\System32\shfolder.dll
    C:\Users\test\AppData\Local\Temp\
    C:\Users\test\AppData\Local\Temp
    C:\Users\test\AppData\Local\Temp\nsg4FE4.tmp
    C:\Users\test\AppData\Local\Temp\Factuur_09480602.pdf.exe
    C:\Users\test\AppData\Local\Temp\nsl5004.tmp
    C:\Windows\
    \??\MountPointManager
    C:\Users
    C:\Users\test
    C:\Users\test\AppData
    C:\Users\test\AppData\Roaming
    C:\Users\test\AppData\Roaming\olink.lang.fallback.sequence.xml
    C:\Users\test\AppData\Roaming\ArilStealthNephropathy
    C:\Users\test\AppData\Roaming\500-17.htm
    C:\Users\test\AppData\Roaming\htmlhelp.button.jump1.xml
    C:\Users\test\AppData\Roaming\Monochromatic Artistic.hdt
    C:\Users\test\AppData\Roaming\appbar.eve
    C:\Users\test\AppData\Roaming\Hinayana.dll
    C:\Users\test\AppData\Roaming\System.dll
    C:\Users\test\AppData\Local\Temp\System.dll
    C:\Windows\System32\System.dll
    C:\Windows\system\System.dll
    C:\Windows\System.dll
    C:\Users\test\AppData\Local\Temp\Hinayana.DLL
    C:\Windows\System32\Hinayana.DLL
    C:\Windows\system\Hinayana.DLL
    C:\Windows\Hinayana.DLL
    C:\ProgramData\*.*
    C:\ProgramData\Adobe\lcwkzhh
    C:\ProgramData\alipay\lcwkzhh
    C:\ProgramData\Baidu\lcwkzhh
    C:\ProgramData\Microsoft\lcwkzhh
    C:\ProgramData\Microsoft Help\lcwkzhh
    C:\Users\test\AppData\Local\Temp\mgusien.exe
  Files read
    \Device\KsecDD
    C:\Windows\System32\shfolder.dll
    C:\Users\test\AppData\Local\Temp\nsg4FE4.tmp
    C:\Users\test\AppData\Local\Temp\Factuur_09480602.pdf.exe
    C:\Users\test\AppData\Local\Temp\nsl5004.tmp
    C:\Windows\
    C:\Users\test\AppData\Roaming\System.dll
    C:\Users\test\AppData\Roaming\Hinayana.dll
    C:\Users\test\AppData\Roaming\500-17.htm
    C:\Users\test\AppData\Roaming\ArilStealthNephropathy
    C:\ProgramData\Adobe\lcwkzhh
    C:\ProgramData\alipay\lcwkzhh
    C:\ProgramData\Baidu\lcwkzhh
    C:\ProgramData\Microsoft\lcwkzhh
    C:\ProgramData\Microsoft Help\lcwkzhh
  Files modified
    C:\Users\test\AppData\Local\Temp\nsl5004.tmp
    C:\Windows\
    C:\Users\test\AppData\Roaming\olink.lang.fallback.sequence.xml
    C:\Users\test\AppData\Roaming\ArilStealthNephropathy
    C:\Users\test\AppData\Roaming\500-17.htm
    C:\Users\test\AppData\Roaming\htmlhelp.button.jump1.xml
    C:\Users\test\AppData\Roaming\Monochromatic Artistic.hdt
    C:\Users\test\AppData\Roaming\appbar.eve
    C:\Users\test\AppData\Roaming\Hinayana.dll
    C:\Users\test\AppData\Roaming\System.dll
    C:\Users\test\AppData\Local\Temp\mgusien.exe
  Files deleted
    C:\Users\test\AppData\Local\Temp\nsg4FE4.tmp
  Registry keys
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838806e6f6e6963}\
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838806e6f6e6963}\Data
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838806e6f6e6963}\Generation
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838806e6f6e6963}\
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838806e6f6e6963}\Data
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838806e6f6e6963}\Generation
    HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
    HKEY_CURRENT_USER\Software\Classes
    HKEY_CURRENT_USER\Software\Classes\AppID\Factuur_09480602.pdf.exe
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
    HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
  Registry keys read
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838806e6f6e6963}\Data
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838806e6f6e6963}\Generation
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838806e6f6e6963}\Data
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838806e6f6e6963}\Generation
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
  Registry keys modified: none
  Registry keys deleted: none
© 2016 Shanghai Maldun Information Technology Co., Ltd.