Analysis task

Analysis type | VM label | Start time | End time | Duration
File (Windows) | win7-sp1-x64 | 2016-09-06 14:58:18 | 2016-09-06 14:58:39 | 21 seconds

Maldun score

0.5

Normal. The static data below is consistent with a signed Microsoft Office IME 2010 component (imeklmg.exe, version 14.0.4734.1000): 0 of 55 antivirus engines flag it, the process tree shows no child processes, no files were dropped, and the captured network traffic is all Windows background noise (NCSI probe, DNS, NetBIOS, LLMNR, SSDP, NTP) rather than connections made by the sample.

File details

File name: IMEKLMG.EXE
File size: 109424 bytes (0x1ab70)
File type: PE32+ executable (GUI) x86-64, for MS Windows
MD5: 0a6e68708eef26cca18d4c1b53863d86
SHA1: 016090804e5b6b81ba9b35ef6d4bcf4a4ee8d5c5
SHA256: c0bc822b34d603016748a790083fb2b18994490bda3b5173155acc2a57e54188
SHA512: 4e5be0d160133f1bfc84f854b53b788662a493848a1866b85cbc88ba0d50eaf3344a7d232ec6a9ed66f7369d0c55ac2ec19302bb2733dbdf2c18d14032dab55c
CRC32: 77A081FD
Ssdeep: 3072:iHdKlbeb4Prnafea1sHRGayRBAG/e8f0w2Opjhmrnezg9oZ:iHQGTRBAGJCO4nlS

Hosts contacted

No host records.

Domain resolution

No domain records.



PE information

Image base: 0x140000000
Entry point: 0x14000da50
Claimed checksum: 0x00024ef7
Actual checksum: 0x00024ef7 (matches, so the optional-header checksum verifies)
Minimum OS version: 5.2 (Windows XP x64 / Server 2003)
PDB path: t:\ime\x64\ship\0\imeklmg.pdb (the debug-directory string runs on past a NUL into a second fragment, 4\ship\0\imeklmg.exe\bbtopt\imeklmgO.pdb, which the strings dump further down lists separately)
Compile time: 2010-01-21 16:16:22 (about 20 minutes before the Authenticode timestamp of 16:36:40 on the same day; a link time and a countersignature time that agree like this are what an original vendor build looks like, whereas a compile time later than the timestamp, or years away from it, would warrant a closer look)

Version information (the report's own table was empty; the values below are recovered from the RT_VERSION strings listed further down)

LegalCopyright: All rights reserved. (as extracted)
InternalName: imeklmg.exe
FileVersion: 14.0.4734.1000
CompanyName: Microsoft Corporation
LegalTrademarks: Microsoft(R) is a registered trademark of Microsoft Corporation. Windows(R) is a registered trademark of Microsoft Corporation.
ProductName: Microsoft Office IME 2010
ProductVersion: 14.0.4734.1000
FileDescription: Microsoft Office IME 2010
OriginalFilename: imeklmg.exe
Translation: not extracted; the StringFileInfo block key is 000004b0 (language-neutral, Unicode code page 1200)

Microsoft certificate verification (SignTool)

Signature SHA1 | Timestamp | Validity | Error
b25fd2838e0f55384edc56f6b57baaaf3690030a | Thu Jan 21 16:36:40 2010 | (blank in the report) | (none)

Certificate Chain 1
Issued to: Microsoft Root Authority
Issued by: Microsoft Root Authority
Expires: Thu Dec 31 15:00:00 2020
SHA1 hash: a43489159a520f0d93d032ccaf37e7fe20a8b419
Certificate Chain 2
Issued to: Microsoft Code Signing PCA
Issued by: Microsoft Root Authority
Expires: Sat Aug 25 15:00:00 2012
SHA1 hash: 3036e3b25b88a55b86fc90e6e9eaad5081445166
Certificate Chain 3
Issued to: Microsoft Corporation
Issued by: Microsoft Code Signing PCA
Expires: Tue Mar 08 06:40:29 2011
SHA1 hash: 9617094a1cfb59ae7c1f7dfdb6739e4e7c40508f
Timestamp Chain 1
Issued to: Microsoft Root Authority
Issued by: Microsoft Root Authority
Expires: Thu Dec 31 15:00:00 2020
SHA1 hash: a43489159a520f0d93d032ccaf37e7fe20a8b419
Timestamp Chain 2
Issued to: Microsoft Timestamping PCA
Issued by: Microsoft Root Authority
Expires: Sun Sep 15 15:00:00 2019
SHA1 hash: 3ea99a60058275e0ed83b892a909449f8c33b245
Timestamp Chain 3
Issued to: Microsoft Time-Stamp Service
Issued by: Microsoft Timestamping PCA
Expires: Fri Jul 26 03:11:15 2013
SHA1 hash: 4d6f357f0e6434da97b1afc540fb6fdd0e85a89f

Note the dates. The Microsoft Corporation signing certificate expired in March 2011 and its issuing PCA in August 2012, both well before this analysis ran in September 2016. The signature still verifies because it carries an Authenticode countersignature from the Microsoft Time-Stamp Service dated Thu Jan 21 16:36:40 2010, inside the signer's validity period, and both chains anchor on the same Microsoft Root Authority (SHA1 a43489159a520f0d93d032ccaf37e7fe20a8b419), which was valid until the end of 2020. To repeat the check outside the sandbox, run signtool verify /pa /v IMEKLMG.EXE, or Get-AuthenticodeSignature .\IMEKLMG.EXE in PowerShell, and confirm the signer thumbprint 9617094a1cfb59ae7c1f7dfdb6739e4e7c40508f together with a timestamp that falls inside the signer's validity; an expired chain with no timestamp, or a timestamp later than the expiry, should fail.

PE sections

Name | Virtual address | Virtual size | Raw size | Characteristics | Entropy
.text | 0x00001000 | 0x0000edab | 0x0000ee00 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.21
.rdata | 0x00010000 | 0x000077e8 | 0x00007800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.34
.data | 0x00018000 | 0x00001c58 | 0x00000e00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 5.71
.pdata | 0x0001a000 | 0x00001164 | 0x00001200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.76
.rsrc | 0x0001c000 | 0x00000780 | 0x00000800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.17
.reloc | 0x0001d000 | 0x000001cc | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 4.87

Nothing here suggests packing: no section is both writable and executable, entropies run from 4.17 to 6.21 (compressed or encrypted code normally sits above 7), every raw size is a multiple of the usual 0x200 file alignment, and .data's virtual size exceeding its raw size (0x1c58 versus 0x0e00) is just the zero-initialized tail that the loader allocates without storing in the file.

Overlay

Offset: 0x00019400
Size: 0x00001770

The overlay starts exactly where the section data ends (0x400 of headers plus 0x19000 of section raw data) and runs to the end of the file (0x19400 + 0x1770 = 0x1ab70 = 109424 bytes, the file size above). In a signed image that tail is where the Authenticode certificate table is stored, so an overlay of this size on a Microsoft-signed binary is expected rather than a sign of an appended payload. The check is that the security data directory's offset and size equal the overlay's and that the overlay parses as a WIN_CERTIFICATE structure; an overlay larger than the certificate table is the thing to dig into.
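An added example (not the sandbox's code) of how the section, overlay and checksum figures above are produced and cross-checked, in Python with only the standard library. It parses the PE headers, computes each section's Shannon entropy, locates the overlay and tests whether it coincides with the security data directory (the Authenticode certificate table), and recomputes the optional-header checksum. Because the sample cannot ship with the page, the block constructs a PE32+ image in memory from the section table reported above; the section contents, the 0x400 header size and the WIN_CERTIFICATE placeholder in the overlay are assumptions made for the test input, so the entropies it reports differ from the real sample's.

```python
"""Static PE triage with the standard library only: section table, per-section
entropy, overlay detection (is it just the Authenticode blob?) and header checksum.
Added example, not the sandbox's code; runs on a PE32+ image constructed in memory."""
import math
import struct
from collections import Counter

SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000
# (name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics) from the report
SECTION_LAYOUT = [
    (".text",  0x01000, 0xEDAB, 0xEE00, 0x60000020),
    (".rdata", 0x10000, 0x77E8, 0x7800, 0x40000040),
    (".data",  0x18000, 0x1C58, 0x0E00, 0xC0000040),
    (".pdata", 0x1A000, 0x1164, 0x1200, 0x40000040),
    (".rsrc",  0x1C000, 0x0780, 0x0800, 0x40000040),
    (".reloc", 0x1D000, 0x01CC, 0x0200, 0x42000040),
]
# Constructed stand-in for the 0x1770-byte signature: a WIN_CERTIFICATE header
# (dwLength, wRevision 0x0200, wCertificateType 0x0002 = PKCS#7) plus zero padding.
FAKE_SIGNATURE = struct.pack("<IHH", 0x1770, 0x0200, 0x0002) + b"\0" * (0x1770 - 8)


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def pe_checksum(data: bytes) -> int:
    """Recompute the optional-header CheckSum (the CheckSumMappedFile algorithm)."""
    cksum_off = struct.unpack_from("<I", data, 0x3C)[0] + 24 + 64  # same for PE32/PE32+
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(0, len(padded), 4):
        if i == cksum_off:          # the CheckSum field itself is excluded
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        if total > 0xFFFFFFFF:      # fold the carry back in
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def triage(data: bytes) -> dict:
    """Parse the headers and compute the checks a static report is built from."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic, claimed = struct.unpack_from("<H", data, opt)[0], struct.unpack_from("<I", data, opt + 64)[0]
    dirs = opt + (112 if magic == 0x20B else 96)             # data directory array
    sec_dir = struct.unpack_from("<II", data, dirs + 4 * 8)  # IMAGE_DIRECTORY_ENTRY_SECURITY
    sections, end = [], 0
    for i in range(nsec):
        h = opt + opt_size + 40 * i
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, h + 8)
        flags = struct.unpack_from("<I", data, h + 36)[0]
        sections.append({
            "name": data[h:h + 8].rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rsize": rsize,
            "entropy": round(shannon_entropy(data[rptr:rptr + rsize]), 2),
            "wx": bool(flags & SCN_WRITE) and bool(flags & SCN_EXECUTE),
        })
        end = max(end, rptr + rsize)
    overlay, actual = len(data) - end, pe_checksum(data)
    return {
        "pe32plus": magic == 0x20B,
        "sections": sections,
        "overlay_offset": end if overlay > 0 else None,
        "overlay_size": max(overlay, 0),
        # an overlay that is exactly the security directory is the Authenticode blob, not a payload
        "overlay_is_signature": overlay > 0 and tuple(sec_dir) == (end, overlay),
        "checksum_claimed": claimed, "checksum_actual": actual, "checksum_ok": claimed == actual,
        "high_entropy": [s["name"] for s in sections if s["entropy"] > 7.2],
        "wx_sections": [s["name"] for s in sections if s["wx"]],
    }


def build_pe(layout=SECTION_LAYOUT, overlay=FAKE_SIGNATURE, size_of_headers=0x400) -> bytes:
    """Build a minimal PE32+ file with the given section table (constructed test input)."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0")  # e_lfanew = 0x40
    hdr += struct.pack("<HHIIIHH", 0x8664, len(layout), 0, 0, 0, 240, 0x22)      # COFF header
    opt = bytearray(240)                                  # PE32+ optional header, 16 data dirs
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<QII", opt, 24, 0x140000000, 0x1000, 0x200)   # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", opt, 56, layout[-1][1] + 0x1000, size_of_headers)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    hdr += opt
    body, ptr = bytearray(), size_of_headers
    for name, vaddr, vsize, rsize, flags in layout:
        hdr += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, rsize, ptr, 0, 0, 0, 0, flags)
        fill = bytes(range(256)) if flags & SCN_EXECUTE else b"\0"   # constructed contents
        body += (fill * (rsize // len(fill) + 1))[:rsize]
        ptr += rsize
    data = bytearray(hdr + b"\0" * (size_of_headers - len(hdr)) + body + overlay)
    if overlay:  # point IMAGE_DIRECTORY_ENTRY_SECURITY at the appended blob, as SignTool does
        struct.pack_into("<II", data, 0x40 + 24 + 112 + 4 * 8, ptr, len(overlay))
    struct.pack_into("<I", data, 0x40 + 24 + 64, pe_checksum(bytes(data)))
    return bytes(data)


if __name__ == "__main__":
    print(triage(build_pe()))
```

Run it with python3 and compare the triage() output against the report: overlay at 0x19400, 0x1770 bytes, file length 109424, claimed and actual checksum equal. On a real file, pass open(path, "rb").read() to triage(). A claimed checksum of zero is common on unsigned binaries (the linker is not required to fill the field in), so a mismatch rather than a zero is the signal; and an overlay that is larger than the security directory, or present with no security directory at all, is what deserves a closer look.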

Resources

Name | Offset | Size | Language | Sublanguage | Entropy | File type
RT_VERSION | 0x0001c0a0 | 0x00000488 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.49 | data
RT_MANIFEST | 0x0001c528 | 0x00000258 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.03 | ASCII text, with CRLF line terminators

Imports

Library: USER32.dll
0x140010000 EnumWindows
0x140010008 GetWindowThreadProcessId
0x140010010 FindWindowW
0x140010018 PostMessageW
0x140010020 LoadKeyboardLayoutW
0x140010028 SystemParametersInfoW
0x140010030 EnumDesktopWindows
0x140010038 OpenDesktopW
0x140010040 GetForegroundWindow
0x140010048 GetClassNameW
0x140010050 CloseDesktop
0x140010058 UnloadKeyboardLayout
Library: USERENV.dll
0x140010068 GetUserProfileDirectoryW
Library: ADVAPI32.dll
0x140010078 GetSidSubAuthority
0x140010080 GetSidSubAuthorityCount
0x140010088 IsValidSid
0x140010090 GetTokenInformation
0x140010098 DeregisterEventSource
0x1400100a0 ReportEventW
0x1400100a8 RegisterEventSourceW
0x1400100b0 OpenProcessToken
0x1400100b8 RegOpenKeyExW
0x1400100c0 RegQueryValueExW
0x1400100c8 RegCloseKey
0x1400100d0 RegCreateKeyExW
0x1400100d8 RegSetValueExW
0x1400100e0 RegEnumKeyExW
0x1400100e8 RegDeleteValueW
0x1400100f0 RegEnumValueW
0x1400100f8 RegQueryInfoKeyW
0x140010100 RegFlushKey
0x140010108 GetUserNameW
Library: KERNEL32.dll
0x140010118 GetCurrentProcessId
0x140010120 GetFileAttributesW
0x140010128 lstrlenW
0x140010130 GetCurrentProcess
0x140010138 CompareStringW
0x140010140 CloseHandle
0x140010148 WriteFile
0x140010150 lstrlenA
0x140010158 SetFilePointer
0x140010160 CreateFileW
0x140010168 WideCharToMultiByte
0x140010170 GetModuleFileNameW
0x140010178 FormatMessageW
0x140010180 GetLastError
0x140010188 GetVersionExW
0x140010190 GetUserDefaultLCID
0x140010198 GetSystemDefaultLCID
0x1400101a0 WaitForSingleObject
0x1400101a8 CreateProcessW
0x1400101b0 GetSystemDirectoryW
0x1400101b8 GetProcAddress
0x1400101c0 GetModuleHandleW
0x1400101c8 Sleep
0x1400101d0 OpenProcess
0x1400101d8 FreeLibrary
0x1400101e0 LoadLibraryW
0x1400101e8 GetTempPathW
0x1400101f0 GetTickCount
0x1400101f8 QueryPerformanceCounter
0x140010200 VirtualProtect
0x140010208 GetCurrentThreadId
0x140010218 LeaveCriticalSection
0x140010220 GetSystemTimeAsFileTime
0x140010228 GetProcessHeap
0x140010230 HeapFree
0x140010238 HeapAlloc
0x140010240 GetStartupInfoW
0x140010248 TerminateProcess
0x140010250 UnhandledExceptionFilter
0x140010260 IsDebuggerPresent
0x140010268 RtlVirtualUnwind
0x140010278 RtlLookupFunctionEntry
0x140010280 RtlCaptureContext
0x140010288 LocalFree
0x140010290 DeleteCriticalSection
0x140010298 EnterCriticalSection
Library: ole32.dll
0x1400102a8 CoInitialize
0x1400102b0 CoUninitialize
0x1400102b8 StringFromGUID2
0x1400102c0 CoCreateInstance
Library: PSAPI.DLL
0x1400102d0 EnumProcessModules
0x1400102d8 GetModuleBaseNameW
Library: MSVCR90.dll
0x1400102e8 _cexit
0x1400102f0 exit
0x1400102f8 _wcmdln
0x140010300 _initterm
0x140010308 _initterm_e
0x140010310 _configthreadlocale
0x140010318 __setusermatherr
0x140010320 _commode
0x140010328 _fmode
0x140010330 _exit
0x140010338 __set_app_type
0x140010340 _unlock
0x140010348 __dllonexit
0x140010350 _lock
0x140010358 _onexit
0x140010360 _decode_pointer
0x140010368 __crt_debugger_hook
0x140010370 ?terminate@@YAXXZ
0x140010380 wcscpy_s
0x140010388 __C_specific_handler
0x140010390 __wgetmainargs
0x140010398 _amsg_exit
0x1400103a0 vswprintf_s
0x1400103a8 ??_U@YAPEAX_K@Z
0x1400103b0 wcstok_s
0x1400103b8 ??_V@YAXPEAX@Z
0x1400103c0 _wtoi
0x1400103c8 _wcsicmp
0x1400103d0 swscanf_s
0x1400103d8 memmove_s
0x1400103e0 wcscat_s
0x1400103e8 _encode_pointer
0x1400103f0 swprintf_s
0x1400103f8 memcpy
0x140010400 ??2@YAPEAX_K@Z
0x140010410 _CxxThrowException
0x140010420 __CxxFrameHandler3
0x140010440 ??3@YAXPEAX@Z
0x140010448 memset
0x140010450 _vsnwprintf_s
0x140010458 wcsncpy_s
0x140010460 wcsncat_s
0x140010470 _XcptFilter

The import set matches what the strings below describe, a keyboard-layout migration helper for the Office 2010 IMEs: LoadKeyboardLayoutW/UnloadKeyboardLayout and SystemParametersInfoW to switch layouts, registry open/query/create/set/enumerate/delete under the IME and Keyboard Layouts keys, OpenProcessToken/GetTokenInformation/GetSidSubAuthority to inspect the caller's token, RegisterEventSourceW/ReportEventW to write event-log entries, CoCreateInstance for the Text Services Framework profile interfaces (ITfInputProcessorProfiles, MSCTF.DLL), OpenProcess/EnumProcessModules/GetModuleBaseNameW to look at other processes' loaded modules (the strings name winlogon.exe and the *.ime files), and CreateProcessW for the helper executables the strings mention (imjppdmg.exe, imkrmig.exe, IMSCDicCompiler.exe). IsDebuggerPresent arrives with the rest of the MSVC 9 runtime startup set (__C_specific_handler, RtlVirtualUnwind, UnhandledExceptionFilter) and is not evidence of anti-debugging on its own; VirtualProtect is imported too, and the page's data alone does not show what it is used for, but there is no writable-executable section and the sandbox found nothing to flag.

Strings
.text
`.rdata
@.data
.pdata
@.rsrc
@.reloc
t:\ime\x64\ship\0\imeklmg.pdb
4\ship\0\imeklmg.exe\bbtopt\imeklmgO.pdb
vector<T> too long
list<T> too long
IsWow64Process
reload_config
TF_CreateInputProcessorProfiles
+HeapSetInformation
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
invalid map/set<T> iterator
MSVCP90.dll
MSVCR90.dll
PSAPI.DLL
ole32.dll
KERNEL32.dll
ADVAPI32.dll
USERENV.dll
USER32.dll
EnumWindows
GetWindowThreadProcessId
FindWindowW
PostMessageW
LoadKeyboardLayoutW
SystemParametersInfoW
EnumDesktopWindows
OpenDesktopW
GetForegroundWindow
GetClassNameW
CloseDesktop
UnloadKeyboardLayout
GetUserProfileDirectoryW
GetSidSubAuthority
GetSidSubAuthorityCount
IsValidSid
GetTokenInformation
DeregisterEventSource
ReportEventW
RegisterEventSourceW
OpenProcessToken
RegOpenKeyExW
RegQueryValueExW
RegCloseKey
RegCreateKeyExW
RegSetValueExW
RegEnumKeyExW
RegDeleteValueW
RegEnumValueW
RegQueryInfoKeyW
RegFlushKey
GetUserNameW
GetCurrentProcessId
GetFileAttributesW
lstrlenW
GetCurrentProcess
CompareStringW
CloseHandle
WriteFile
lstrlenA
SetFilePointer
CreateFileW
WideCharToMultiByte
GetModuleFileNameW
FormatMessageW
GetLastError
GetVersionExW
GetUserDefaultLCID
GetSystemDefaultLCID
WaitForSingleObject
CreateProcessW
GetSystemDirectoryW
GetProcAddress
GetModuleHandleW
Sleep
OpenProcess
FreeLibrary
LoadLibraryW
GetTempPathW
GetTickCount
QueryPerformanceCounter
VirtualProtect
GetCurrentThreadId
ExpandEnvironmentStringsW
LeaveCriticalSection
GetSystemTimeAsFileTime
GetProcessHeap
HeapFree
HeapAlloc
GetStartupInfoW
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
InitializeCriticalSection
RtlLookupFunctionEntry
RtlCaptureContext
LocalFree
DeleteCriticalSection
EnterCriticalSection
CoInitialize
CoUninitialize
StringFromGUID2
CoCreateInstance
EnumProcessModules
GetModuleBaseNameW
_cexit
_wcmdln
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_commode
_fmode
_exit
__set_app_type
_unlock
__dllonexit
_lock
_onexit
_decode_pointer
__crt_debugger_hook
?terminate@@YAXXZ
?_type_info_dtor_internal_method@type_info@@QEAAXXZ
wcscpy_s
__C_specific_handler
__wgetmainargs
_amsg_exit
vswprintf_s
??_U@YAPEAX_K@Z
wcstok_s
??_V@YAXPEAX@Z
_wtoi
_wcsicmp
swscanf_s
memmove_s
wcscat_s
_encode_pointer
swprintf_s
memcpy
??2@YAPEAX_K@Z
??0exception@std@@QEAA@AEBV01@@Z
_CxxThrowException
??0exception@std@@QEAA@XZ
__CxxFrameHandler3
??1exception@std@@UEAA@XZ
?what@exception@std@@UEBAPEBDXZ
??0exception@std@@QEAA@AEBQEBD@Z
??3@YAXPEAX@Z
memset
_vsnwprintf_s
wcsncpy_s
wcsncat_s
_invalid_parameter_noinfo
_XcptFilter
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAAAEAV01@PEB_W@Z
?swap@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAAXAEAV12@@Z
??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAAAEAV01@AEBV01@@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@AEBV01@@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@XZ
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@PEB_W@Z
?size@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEBA_KXZ
?c_str@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEBAPEB_WXZ
??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@XZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAA@PEBD@Z
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEBAPEBDXZ
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAA@XZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAA@AEBV01@@Z
.?AVbad_alloc@std@@
.?AVexception@std@@
.?AVlogic_error@std@@
.?AVlength_error@std@@
.?AV?$comptr@UIEnumTfLanguageProfiles@@@Comutil@@
.?AV?$comptr@UITfInputProcessorProfiles@@@Comutil@@
.?AVCKeyboardLayoutUpdate@@
.?AVCKeyboardLayoutUpdateCHS@@
.?AVCKeyboardLayoutUpdateCHT@@
.?AVCKeyboardLayoutUpdateJPN@@
.?AVCKeyboardLayoutUpdateKOR@@
.?AVCDataUpdate@@
.?AVCDataUpdateJPN@@
.?AVCDataUpdateKOR@@
.?AVCDataUpdateCHS@@
.?AV?$comptr@UIComponentPathMgr@@@Comutil@@
.?AV?$comptr@UIUserProfileMgr@@@Comutil@@
.?AVCTask@@
.?AVCTaskSetPreload@@
.?AVCTaskUninstall@@
.?AVtype_info@@
.?AV_com_error@@
.?AVout_of_range@std@@
</assembly>
zw9gj
imtcj12.ime
imtcq12.ime
imtcc12.ime
imtcp12.ime
CINTLGNT.IME
TINTLGNT.IME
imsce14wr.ime
imsc14wr.ime
imsc12.ime
imsc40a.ime
PINTLGNT.IME
imkr12.ime
imekr70.ime
imekr61.ime
imjp12.ime
imjp9.ime
imjp81.ime
imjp8.ime
msimepad8UIMIFClass
msimepad9IFClass
msime_ImePad8_UIM_ShCltClass
msime_ImePad8_IMM_ShCltClass
msime_ImePad81_UIM_ShCltClass
msime_ImePad81_IMM_ShCltClass
msime98imepad
msime_ImePad8_UIM_ShSvrClass
msime_ImePad8_IMM_ShSvrClass
msime_ImePad81_UIM_ShSvrClass
msime_ImePad81_IMM_ShSvrClass
imjp12k.dll
Software\Microsoft\IMEJP\12.0\Window
imjp10k.dll
Software\Microsoft\IMEJP\10.0\Window
imjp9k.dll
Software\Microsoft\IMEJP\9.0\Window
imjp81k.dll
Software\Microsoft\IMEJP\8.1\Window
imjp8k.dll
Software\Microsoft\IMEJP\8.0\Window
\Local Settings\Temp\
Error:%04x(%d) %s
Set default Language Profile: Succeeded SetDefaultLanguageProfile
Set default Language Profile: Failed SetDefaultLanguageProfile
Enable Language Profile: Succeeded EnableLanguageProfile
Enable Language Profile: Failed EnableLanguageProfile
Disable Language Profile: Succeeded EnableLanguageProfile
Disable Language Profile: Failed EnableLanguageProfile
version
Unload zombie KL: Succeeded UnloadKeyboardLayout(%08x)
Unload zombie KL: Failed UnloadKeyboardLayout(%08x)
Fallback Old KL: Succeeded SystemParametersInfo(%08x)
Fallback Old KL: Failed SystemParemetersInfo(%08x)
imsc14.ime
imsce14.ime
CHS KL Fallback - End
CHS KL Fallback - Start
********************************************************
SetFallBack
Software\Microsoft\IMESC14
SetPreload
Profile
KeyboardLayout
CLSID
Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000804\{34745C63-B2F0-4784-8B67-5E12C8701A31}
CHS KL Update - End
CHS KL Update - Start
imtcj14.ime
imtcq14.ime
imtcp14.ime
imtcc14.ime
CHT KL Fallback - End
CHT KL Fallback - Start
Software\Microsoft\IMETC\14.0
CHT KL Update - End
CHT KL Update - Start
imjp14.ime
JPN KL Fallback - End
JPN KL Fallback - Start
Software\Microsoft\IMEJP\14.0
JPN KL Update - End
JPN KL Update - Start
Software\Microsoft\IMEJP
imkr14.ime
KOR KL Fallback - End
KOR KL Fallback - Start
Software\Microsoft\IMEKR\14.0
KOR KL Update - End
KOR KL Update - Start
Software\Microsoft\IMEKR
Migrated
/Migration
imjppdmg.exe
Show Status
Control Panel\Input Method
imkrmig.exe
"%s" %s
/f mr
IMSCDicCompiler.exe
IME File
System\CurrentControlSet\Control\Keyboard Layouts
Keyboard Layout\Preload
Set KL to preload as default: Succeeded to add KL(%s) to 1
Set KL to preload as default: Failed to add KL(%s) to 1
Load KL: Succeeded LoadKeyboardLayout(%s)
Load KL: Failed LoadKeyboardLayout(%s)
Notify default KL: Succeeded SystemParametersInfo(%s)
Notify default KL: Failed SystemParametersInfo(%s)
Load default KL: Succeeded LoadKeyboardLayout(%s)
Load default KL: Failed LoadKeyboardLayout(%s)
Set default KL: Succeeded SystemParametersInfo(%08x)
Set default KL: Failed SystemParametersInfo(%08x)
Zombie Register key %08x not exist
Zombie IME file: %s
Ime File
System\CurrentControlSet\Control\Keyboard Layouts\%08X
Remove KL from preload: Succeeded to delete KL from %s
Remove KL from preload: Failed to delete KL from %s
Unload old KL: Succeeded UnloadKeyboardLayout(%08x)
Unload old KL: Failed UnloadKeyboardLayout(%08x)
Remove zombie KL from preload: Succeeded to delete KL from %s
Remove zombie KL from preload: Failed to delete KL from %s
kernel32
winlogon.exe
default
AdviceDefault
SetDefault
Uninstall
FirstLaunch
IME2010imeklmg%08d.log
SYSTEM
EnableLUA
Software\Microsoft\Windows\CurrentVersion\Policies\System
ModulePath
Software\Microsoft\IMEJP\14.0\directories
Software\Microsoft\IMEKR\14.0\directories
MSCTF.DLL
kernel32.dll
InsecureQI
Software\Microsoft\Security
Software\Policies\Microsoft\Security
CLSIDInterfaceTest
%s %s %s
%d.%d.%d.%d
Wversion.dll
InprocServer32
{%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}
VS_VERSION_INFO
StringFileInfo
000004b0
CompanyName
Microsoft Corporation
FileDescription
Microsoft Office IME 2010
FileVersion
14.0.4734.1000
InternalName
imeklmg.exe
LegalCopyright
All rights reserved.
LegalTrademarks
Microsoft(R) is a registered trademark of Microsoft Corporation. Windows(R) is a registered trademark of Microsoft Corporation.
OriginalFilename
imeklmg.exe
ProductName
Microsoft Office IME 2010
ProductVersion
14.0.4734.1000
VarFileInfo
Translation
Antivirus results (55 engines, 0 detections)

Antivirus engine/vendor | Detection name/rule match | Signature database date
MicroWorld-eScan | Clean | 20160905
nProtect | Clean | 20160905
CMC | Clean | 20160901
CAT-QuickHeal | Clean | 20160904
McAfee | Clean | 20160905
Malwarebytes | Clean | 20160904
VIPRE | Clean | 20160831
K7AntiVirus | Clean | 20160904
BitDefender | Clean | 20160905
K7GW | Clean | 20160904
TheHacker | Clean | 20160903
Baidu | Clean | 20160903
F-Prot | Clean | 20160905
Symantec | Clean | 20160905
ESET-NOD32 | Clean | 20160904
TrendMicro-HouseCall | Clean | 20160905
Avast | Clean | 20160905
ClamAV | Clean | 20160905
Kaspersky | Clean | 20160905
Alibaba | Clean | 20160901
NANO-Antivirus | Clean | 20160904
ViRobot | Clean | 20160904
AegisLab | Clean | 20160904
Rising | Clean | 20160905
Ad-Aware | Clean | 20160905
Sophos | Clean | 20160905
Comodo | Clean | 20160904
F-Secure | Clean | 20160905
DrWeb | Clean | 20160905
Zillya | Clean | 20160902
TrendMicro | Clean | 20160905
McAfee-GW-Edition | Clean | 20160904
Emsisoft | Clean | 20160905
Cyren | Clean | 20160905
Jiangmin | Clean | 20160905
Avira | Clean | 20160904
Antiy-AVL | Clean | 20160905
Kingsoft | Clean | 20160905
Microsoft | Clean | 20160905
Arcabit | Clean | 20160905
SUPERAntiSpyware | Clean | 20160904
AhnLab-V3 | Clean | 20160904
GData | Clean | 20160905
TotalDefense | Clean | 20160905
ALYac | Clean | 20160905
AVware | Clean | 20160905
VBA32 | Clean | 20160902
Zoner | Clean | 20160904
Tencent | Clean | 20160905
Yandex | Clean | 20160904
Ikarus | Clean | 20160904
Fortinet | Clean | 20160905
AVG | Clean | 20160905
Panda | Clean | 20160904
Qihoo-360 | Clean | 20160905

Process tree


IMEKLMG.EXE, PID: 2200, parent PID: 1856

A single process and no children: although the binary imports CreateProcessW and carries the names of helper executables in its strings, nothing was spawned during the 21-second run. The public view of this report does not include the API-call, registry or file-activity log, so the dynamic evidence on this page is limited to the process tree, the dropped-file result (none) and the network capture.


TCP

Source address | Source port | Destination address | Destination port
192.168.122.69 | 53444 | 23.32.241.24 | 80

UDP

Source address | Source port | Destination address | Destination port
192.168.122.69 | 52766 | 192.168.122.1 | 53
192.168.122.69 | 57129 | 192.168.122.1 | 53
192.168.122.69 | 58396 | 192.168.122.1 | 53
192.168.122.69 | 63333 | 192.168.122.1 | 53
192.168.122.69 | 137 | 192.168.122.255 | 137
192.168.122.69 | 5355 | 192.168.122.70 | 51435
192.168.122.69 | 53197 | 224.0.0.252 | 5355
192.168.122.69 | 64810 | 224.0.0.252 | 5355
192.168.122.69 | 50619 | 239.255.255.250 | 1900
192.168.122.69 | 123 | 52.169.179.91 | 123

All of this is Windows 7 background traffic rather than something the sample initiated: the TCP connection to port 80 is the NCSI connectivity probe shown under HTTP requests below (User-Agent "Microsoft NCSI", www.msftncsi.com), the four UDP/53 packets to 192.168.122.1 are DNS lookups through the VM's gateway, 137/udp to the broadcast address is NetBIOS name service, 5355/udp to 224.0.0.252 (and the reply to 192.168.122.70) is LLMNR, 1900/udp to 239.255.255.250 is SSDP discovery, and 123/udp is NTP time sync. The sandbox reached the same conclusion (no host or domain records attributed to the sample). When triaging, keep a per-image allowlist of these flows rather than reading them as command-and-control.


HTTP requests

URI | HTTP data
http://www.msftncsi.com/ncsi.txt
GET /ncsi.txt HTTP/1.1
Connection: Close
User-Agent: Microsoft NCSI
Host: www.msftncsi.com

This is the Network Connectivity Status Indicator probe that Windows sends on its own when a network interface comes up; it is not the sample's traffic.

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results.

Network alerts

No alerts.

TLS

No TLS.

Suricata HTTP

No Suricata HTTP.

No files extracted from the network capture.
No files dropped.
No similar analyses found.

Processing ( 4.705 seconds )

  • 2.534 NetworkAnalysis
  • 1.133 VirusTotal
  • 0.456 Static
  • 0.271 peid
  • 0.194 TargetInfo
  • 0.044 BehaviorAnalysis
  • 0.024 AnalysisInfo
  • 0.018 config_decoder
  • 0.016 Strings
  • 0.009 Debug
  • 0.003 Dropped
  • 0.002 Memory
  • 0.001 ProcessMemory

Signatures ( 0.054 seconds ) (time spent evaluating each signature module; this is the list of signatures that were run, not of signatures that matched)

  • 0.012 antiav_detectreg
  • 0.005 persistence_autorun
  • 0.005 antiav_detectfile
  • 0.005 infostealer_ftp
  • 0.004 geodo_banking_trojan
  • 0.003 infostealer_bitcoin
  • 0.003 infostealer_im
  • 0.002 tinba_behavior
  • 0.002 antianalysis_detectreg
  • 0.002 antivm_vbox_files
  • 0.002 disables_browser_warn
  • 0.002 infostealer_mail
  • 0.001 betabot_behavior
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 modify_proxy
  • 0.001 browser_security
  • 0.001 ransomware_files

Reporting ( 1.301 seconds )

  • 0.807 ReportPDF
  • 0.482 ReportHTMLSummary
  • 0.012 Malheur
Task ID 16178
Mongo ID 57ce69254d3bd048e4982980
Cuckoo release 1.4-Maldun