魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2020-09-14 23:07:10	2020-09-14 23:09:21	131 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-shaapp03-1	win7-sp1-x64-shaapp03-1	KVM	2020-09-14 23:07:11	2020-09-14 23:09:22

魔盾分数
10.0 恶意的

文件详细信息

文件名	海豚轰死你.exe
文件大小	15314944 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
CRC32	A6812FB5
MD5	4d551b29cb5c447354a1d9b644e16205
SHA1	0f1a06dedd68e53c1b3b26d5b224671d87df0737
SHA256	0f782120d9a8b06e90d982352af6034e95c5d532a53d5f7a2cbfec3f07218b4b
SHA512	cc4f403401a93312fc8ec7932c33dd7dd60d22caba923b993dc3143d32d39a9f7b91e4916d6ad6688b52bbea98420c5e97f113319eea84e9eaa55d8c9bc45928
Ssdeep	196608:+GRcB0Gi7xTsoATRf8nONFR/CM69fKZjRQVrHTPHkbszbr9cT/:a0GUxeinSFR/T6ZKFRSzPHkieD
PEiD	无匹配
Yara	CRC32_poly_Constant (Look for CRC32 [poly]) CRC32_table (Look for CRC32 table) BLOWFISH_Constants (Look for Blowfish constants) MD5_Constants (Look for MD5 constants) RIPEMD160_Constants (Look for RIPEMD-160 constants) SHA1_Constants (Look for SHA1 constants) DES_sbox (Look for DES [sbox]) RijnDael_AES (Look for RijnDael AES) BASE64_table (Look for Base64 table) with_images (Detected the presence of an or several images) with_urls (Detected the presence of an or several urls) IsPE32 (Detected a 32bit PE sample) IsWindowsGUI (Detected a Windows GUI sample) IsPacked (Detected Entropy signature) HasRichSignature (Detected Rich Signature) DebuggerHiding__Thread () DebuggerTiming__Ticks (Detected timing ticks function) anti_dbg (Detected self protection if being debugged) antisb_sandboxie (Anti-Sandbox checks for Sandboxie) disable_dep (Bypass DEP) inject_thread (Detected code injection function with CreateRemoteThread in a remote process) network_tcp_socket (Detected network communications over RAW socket) network_dns (Detected network communications use DNS) win_mutex (Create or check mutex) screenshot (Detected take screenshot function) create_process (Detection function for creating a new process) keylogger (Detected keylogger function) win_registry (Detected system registries modification function) win_files_operation (Affect private profile) Maldun_Anomoly_Combined_Activities_5 (Spotted potential mallicious behaviors like logging and network communication) Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files)
VirusTotal	无此文件扫描结果

特征

创建RWX内存

二进制文件可能包含加密或压缩数据

section: name: .rdata, entropy: 7.78, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x003a6000, virtual_size: 0x003a51c6

section: name: gYSGHq0, entropy: 7.87, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00582000, virtual_size: 0x00581ba3

section: name: gYSGHq1, entropy: 7.65, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00200000, virtual_size: 0x001ff420

查询磁盘信息，可能被用来实现反虚拟机

尝试阻止沙箱线程以防止恶意行为被记录

魔盾安全Yara规则检测结果 - 高危

Warning: Bypass DEP

Warning: Detected code injection function with CreateRemoteThread in a remote process

Critical: Spotted potential mallicious behaviors like logging and network communication

Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files

运行截图

网络分析

域名解析

域名	响应
acroipm.adobe.com	CNAME acroipm.adobe.com.edgesuite.net A 125.56.201.138 CNAME a1983.dscd.akamai.net A 23.32.248.8

TCP连接

IP地址	端口
23.32.248.8	80

UDP连接

IP地址	端口
192.168.122.1	53

HTTP请求

URL	HTTP数据
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache

静态分析

PE 信息

初始地址	0x00400000
入口地址	0x0112627b
声明校验值	0x00000000
实际校验值	0x00ea7a73
最低操作系统版本要求	5.0
编译时间	2020-07-08 14:22:45
载入哈希	45c7ebea18f4d3cec379390db60527ad
图标
图标精确哈希值	95144fda7ebfb87afe3872f0af1c77e7
图标相似性哈希值	3956442f35fb7fd15a70bfd8ebabae7f
导出DLL库名称	MZ\x90

版本信息

LegalCopyright:	\xe6\xe8\xe8\xe6\xe4
FileVersion:	1.0.0.0
CompanyName:	\xe6\xe8\xe8\xe6\xe4
Comments:	\xe6\xe8\xe8\xe6\xe4
ProductName:	\xe6\xe8\xe8\xe6\xe4
ProductVersion:	1.0.0.0
FileDescription:	\xe6\xe8\xe8\xe6\xe4
Translation:	0x0804 0x04b0

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x003083f6	0x00309000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.27
.rdata	0x0030a000	0x003a51c6	0x003a6000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	7.78
.data	0x006b0000	0x0009ed88	0x00066000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	5.49
gYSGHq0	0x0074f000	0x00581ba3	0x00582000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	7.87
gYSGHq1	0x00cd1000	0x001ff420	0x00200000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	7.65
.rsrc	0x00ed1000	0x00002f2d	0x00003000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	4.56

资源

名称	偏移量	大小	语言	子语言	熵(Entropy)	文件类型
RT_ICON	0x00ed161c	0x000024e8	LANG_NEUTRAL	SUBLANG_NEUTRAL	4.60	data
RT_ICON	0x00ed161c	0x000024e8	LANG_NEUTRAL	SUBLANG_NEUTRAL	4.60	data
RT_ICON	0x00ed161c	0x000024e8	LANG_NEUTRAL	SUBLANG_NEUTRAL	4.60	data
RT_GROUP_ICON	0x00ed3b2c	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.02	MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_GROUP_ICON	0x00ed3b2c	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.02	MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_GROUP_ICON	0x00ed3b2c	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.02	MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_VERSION	0x00ed3b40	0x00000220	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.52	data
RT_MANIFEST	0x00ed3d60	0x000001cd	LANG_NEUTRAL	SUBLANG_NEUTRAL	5.08	XML 1.0 document, ASCII text, with very long lines, with no line terminators

导入

库 kernel32.dll:

• 0x11e2000 - GetVersion

• 0x11e2004 - GetVersionExA

库 user32.dll:

• 0x11e200c - ShowWindow

库 gdi32.dll:

• 0x11e2014 - SelectObject

库 gdiplus.dll:

• 0x11e201c - GdipCreateFromHDC

库 ole32.dll:

• 0x11e2024 - OleUninitialize

库 imm32.dll:

• 0x11e202c - ImmSetCompositionWindow

库 shell32.dll:

• 0x11e2034 - ShellExecuteA

库 shlwapi.dll:

• 0x11e203c - PathFileExistsA

库 winmm.dll:

• 0x11e2044 - PlaySoundA

库 kernel32.dll:

• 0x11e204c - GetVersionExA

• 0x11e2050 - GetVersion

库 user32.dll:

• 0x11e2058 - LoadBitmapA

库 gdi32.dll:

• 0x11e2060 - TextOutA

库 winmm.dll:

• 0x11e2068 - midiStreamOut

库 WINSPOOL.DRV:

• 0x11e2070 - DocumentPropertiesA

库 ADVAPI32.dll:

• 0x11e2078 - RegCloseKey

库 shell32.dll:

• 0x11e2080 - ShellExecuteA

库 OLEAUT32.dll:

• 0x11e2088 - LoadTypeLib

库 COMCTL32.dll:

• 0x11e2090 - None

库 WS2_32.dll:

• 0x11e2098 - inet_ntoa

库 comdlg32.dll:

• 0x11e20a0 - GetFileTitleA

库 WTSAPI32.dll:

• 0x11e20a8 - WTSSendMessageW

库 kernel32.dll:

• 0x11e20b0 - VirtualQuery

库 user32.dll:

• 0x11e20b8 - GetUserObjectInformationW

库 kernel32.dll:

• 0x11e20c0 - LocalAlloc

• 0x11e20c4 - LocalFree

• 0x11e20c8 - GetModuleFileNameW

• 0x11e20cc - GetProcessAffinityMask

• 0x11e20d0 - SetProcessAffinityMask

• 0x11e20d4 - SetThreadAffinityMask

• 0x11e20d8 - Sleep

• 0x11e20dc - ExitProcess

• 0x11e20e0 - FreeLibrary

• 0x11e20e4 - LoadLibraryA

• 0x11e20e8 - GetModuleHandleA

• 0x11e20ec - GetProcAddress

库 user32.dll:

• 0x11e20f4 - GetProcessWindowStation

• 0x11e20f8 - GetUserObjectInformationW

投放文件

无信息

行为分析

互斥量(Mutexes)

Local\MSCTF.Asm.MutexDefault1

执行的命令 无信息

创建的服务 无信息

启动的服务 无信息

进程

_______________.exe PID: 2384, 上一级进程 PID: 2188

访问的文件

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\test\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Windows\Fonts\AGENCYR.TTF
C:\Windows\Fonts\simsun.ttc
C:\Users\test\AppData\Local\Temp\ws2_32.dll
C:\Users\test\AppData\Local\Temp\kernel32.dll
C:\Users\test\AppData\Local\Temp\10146c7.tmp
C:\Windows\Fonts\msyh.ttf
C:\Windows\Fonts\msyhbd.ttf
C:\Users\test\AppData\Local\Temp\kernel32.DLL
C:\Users\test\AppData\Local\Temp\GdiPlus.dll
C:\Users\test\AppData\Local\Temp\gdiplus.DLL
C:\Users\test\AppData\Local\Temp\ole32.dll
C:\Users\test\AppData\Local\Temp\user32.DLL
C:\Users\test\AppData\Local\Temp\user32.dll
C:\Users\test\AppData\Local\Temp\Kernel32.dll
C:\Users\test\Documents\hthsn.ini
C:\Users\test\AppData\Local\Temp\ole32.DLL
C:
C:\Users\test\AppData\Local\Temp\Kernel32.DLL
\??\PhysicalDrive0
C:\Users\test\AppData\Local\Temp\winspool.drv

读取的文件

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\test\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Windows\Fonts\simsun.ttc
C:\Windows\Fonts\msyh.ttf
C:\Windows\Fonts\msyhbd.ttf
C:\Users\test\Documents\hthsn.ini

修改的文件

C:\Users\test\AppData\Local\GDIPFONTCACHEV1.DAT

删除的文件 无信息

注册表键

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
HKEY_CURRENT_USER\Software\Microsoft\GDIPlus
HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\_______________.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Namespaces
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804

读取的注册表键

HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a

修改的注册表键 无信息

删除的注册表键 无信息

API解析

kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernel32.dll.IsProcessorFeaturePresent
cryptbase.dll.SystemFunction036
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
user32.dll.GetWindowInfo
user32.dll.GetAncestor
user32.dll.GetMonitorInfoA
user32.dll.EnumDisplayMonitors
user32.dll.EnumDisplayDevicesA
gdi32.dll.ExtTextOutW
gdi32.dll.GdiIsMetaPrintDC
msimg32.dll.AlphaBlend
gdi32.dll.CreateSolidBrush
user32.dll.LoadCursorA
gdiplus.dll.GdipCreateStringFormat
gdiplus.dll.GdipCreateFontFamilyFromName
kernel32.dll.RegOpenKeyExW
kernel32.dll.RegQueryInfoKeyA
kernel32.dll.RegCloseKey
kernel32.dll.RegCreateKeyExW
kernel32.dll.RegQueryValueExW
gdiplus.dll.GdipCreateFont
gdiplus.dll.GdipDeleteFontFamily
gdiplus.dll.GdipSetStringFormatAlign
gdiplus.dll.GdipSetStringFormatLineAlign
kernel32.dll.GetCurrentProcessId
ws2_32.dll.WSAStartup
kernel32.dll.VirtualAlloc
kernel32.dll.RtlMoveMemory
user32.dll.RegisterClassExA
user32.dll.DefWindowProcA
user32.dll.SetPropA
user32.dll.GetPropA
gdi32.dll.CreateRectRgn
kernel32.dll.GlobalUnlock
windowscodecs.dll.DllGetClassObject
kernel32.dll.WerRegisterMemoryBlock
gdi32.dll.SetRectRgn
kernel32.dll.GetProcessHeap
kernel32.dll.HeapAlloc
gdiplus.dll.GdipMeasureString
gdiplus.dll.GdipDrawString
gdiplus.dll.GdipGraphicsClear
gdi32.dll.CreateRoundRectRgn
user32.dll.SetWindowRgn
user32.dll.GetClassLongA
user32.dll.SetClassLongA
gdiplus.dll.GdipDrawImageRectRectI
gdiplus.dll.GdipCreateCachedBitmap
gdiplus.dll.GdipDeleteGraphics
gdiplus.dll.GdipDrawCachedBitmap
gdiplus.dll.GdipDrawImageRectI
user32.dll.GetWindowLongA
user32.dll.SetWindowLongA
user32.dll.SetWindowPos
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
user32.dll.FillRect
gdi32.dll.SelectClipRgn
gdiplus.dll.GdipGetPropertyItemSize
oleaut32.dll.#9
oleaut32.dll.#8
oleaut32.dll.#12
gdiplus.dll.GdipImageGetFrameCount
gdiplus.dll.GdipImageSelectActiveFrame
gdiplus.dll.GdipCreatePath
gdiplus.dll.GdipAddPathArc
gdiplus.dll.GdipClosePathFigure
gdiplus.dll.GdipCreateTexture
gdiplus.dll.GdipFillPath
gdiplus.dll.GdipDeletePath
gdi32.dll.CombineRgn
gdi32.dll.FillRgn
gdiplus.dll.GdipSetClipRectI
gdiplus.dll.GdipResetClip
gdiplus.dll.GdipSetStringFormatMeasurableCharacterRanges
gdiplus.dll.GdipCreateRegion
gdiplus.dll.GdipMeasureCharacterRanges
gdiplus.dll.GdipDeleteRegion
gdiplus.dll.GdipSetInterpolationMode
gdiplus.dll.GdipSetPixelOffsetMode
gdiplus.dll.GdipCreateHBITMAPFromBitmap
gdiplus.dll.GdipFillRectangleI
gdiplus.dll.GdipCreatePen1
comctl32.dll.RegisterClassNameW
uxtheme.dll.EnableThemeDialogTexture
uxtheme.dll.OpenThemeData
user32.dll.GetParent
user32.dll.EnumChildWindows
user32.dll.SetParent
gdiplus.dll.GdipSetSmoothingMode
kernel32.dll.GlobalAlloc
ole32.dll.CreateStreamOnHGlobal
kernel32.dll.GlobalLock
kernel32.dll.GetCurrentProcess
kernel32.dll.lstrcpynA
kernel32.dll.WriteProcessMemory
gdiplus.dll.GdipLoadImageFromStream
gdiplus.dll.GdipCreateBitmapFromScan0
gdiplus.dll.GdipGetImageGraphicsContext
gdiplus.dll.GdipGetImageWidth
gdiplus.dll.GdipGetImageHeight
gdiplus.dll.GdipDrawImageRectRect
gdiplus.dll.GdipFillEllipse
user32.dll.CallWindowProcA
kernel32.dll.GlobalFree
gdiplus.dll.GdipDisposeImage
gdiplus.dll.GdipDeleteBrush
user32.dll.SetTimer
kernel32.dll.GetStartupInfoA
kernel32.dll.IsDebuggerPresent
kernel32.dll.VirtualFree
user32.dll.GetDesktopWindow
user32.dll.GetWindow
user32.dll.GetWindowTextLengthA
user32.dll.GetWindowTextA
user32.dll.GetClassNameA
user32.dll.GetMenu
user32.dll.GetMenuItemCount
user32.dll.GetSubMenu
user32.dll.GetMenuStringA
ole32.dll.CoInitialize
kernel32.dll.CreateFileA
kernel32.dll.DeviceIoControl
kernel32.dll.CloseHandle
kernel32.dll.IsBadReadPtr
kernel32.dll.HeapFree
oleaut32.dll.SysAllocString
oleaut32.dll.SysStringLen
oleaut32.dll.SysFreeString
gdiplus.dll.GdipBitmapGetPixel
gdiplus.dll.GdipGetImageHorizontalResolution
gdiplus.dll.GdipGetImageVerticalResolution
gdiplus.dll.GdipBitmapSetResolution
gdiplus.dll.GdipCreateMatrix
gdiplus.dll.GdipTranslateMatrix
gdiplus.dll.GdipRotateMatrix
gdiplus.dll.GdipSetWorldTransform
gdiplus.dll.GdipDrawImage
gdiplus.dll.GdipResetWorldTransform
gdiplus.dll.GdipDeleteMatrix
user32.dll.KillTimer
gdiplus.dll.GdipDeleteCachedBitmap

魔盾安全分析报告

10.0

恶意的

文件详细信息

特征

运行截图

网络分析

域名解析

TCP连接

UDP连接

HTTP请求

静态分析

PE 信息

版本信息

PE数据组成

资源

导入

投放文件

行为分析

进程

_______________.exe PID: 2384, 上一级进程 PID: 2188