魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2017-12-15 20:12:00 | 2017-12-15 20:14:26 | 146 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-hpdapp03-1 | win7-sp1-x64-hpdapp03-1 | KVM | 2017-12-15 20:12:08 | 2017-12-15 20:14:24 |
| 魔盾分数 |
|---|
10.0恶意的 |
文件详细信息
| 文件名 | fd5d49ef96facbecf46f625fca0fa16da2cdb85f67f0053db5eb51f617be12a6 |
|---|---|
| 文件大小 | 1607680 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| CRC32 | D1D5F516 |
| MD5 | 3edec580845d7ab85fa893afb391fbfb |
| SHA1 | 7f6f48c9fb0e8ab8dae274430e9fd4f7e166ad7c |
| SHA256 | fd5d49ef96facbecf46f625fca0fa16da2cdb85f67f0053db5eb51f617be12a6 |
| SHA512 | edb87114244e4e569515271f7b4bceae9d9aee30f050e68387110124c6f78af781cdd97c57ae27e2d0dfd94408db9959f8cfdd9b6369c53199bbe2f080e515a6 |
| Ssdeep | 24576:JkBi7xaP/HHsRn49iWMWQ89uh9xVCjZrR6mwESF9lvE3G+ne9MDvyxoZu:pgcF4g29MxUP6lvl90Xu |
| PEiD | 无匹配 |
| Yara | 无Yara规则匹配 |
| VirusTotal |
VirusTotal链接 VirusTotal扫描时间: 2017-12-11 08:53:00 扫描结果: 20/67 |
特征
通过进程尝试延迟分析任务
Process: tasklist.exe tried to sleep 60 seconds, actually delayed analysis time by 0 seconds
对一些具体的运行中的进程呈现出兴趣
process: fd5d49ef96facbecf46f625fca0fa16da2cdb85f67f0053db5eb51f617be12a6.exe
一个进程创建了一个隐藏窗口
Process: fd5d49ef96facbecf46f625fca0fa16da2cdb85f67f0053db5eb51f617be12a6.exe -> C:\Windows\system32\tasklist.exe
文件已被至少十个VirusTotal上的反病毒引擎检测为病毒
MicroWorld-eScan: Trojan.GenericKD.6291367
Cylance: Unsafe
Invincea: heuristic
Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9996
Symantec: Trojan.Gen.8!cloud
TrendMicro-HouseCall: Suspicious_GEN.F47V1206
GData: Trojan.GenericKD.6291367
Kaspersky: Trojan-PSW.Win32.Agent.aqbn
BitDefender: Trojan.GenericKD.6291367
Ad-Aware: Trojan.GenericKD.6291367
F-Secure: Trojan.GenericKD.6291367
Emsisoft: Trojan.GenericKD.6291367 (B)
Arcabit: Trojan.Generic.D5FFFA7
AegisLab: Troj.Gen!c
ZoneAlarm: Trojan-PSW.Win32.Agent.aqbn
MAX: malware (ai score=82)
Ikarus: Trojan-PSW.Win32.Agent
Cybereason: malicious.9fb0e8
CrowdStrike: malicious_confidence_90% (W)
Qihoo-360: Win32/Trojan.PSW.dba
运行截图
网络分析
静态分析
PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x0041415f |
| 声明校验值 | 0x00000000 |
| 实际校验值 | 0x0018d655 |
| 最低操作系统版本要求 | 5.1 |
| 编译时间 | 2016-11-29 15:33:13 |
| 载入哈希 | 1b84a4a4f89d8f45e0392a49b1b9e126 |
| 图标 |  |
| 图标精确哈希值 | dce4f534231da9f6466692da63b15437 |
| 图标相似性哈希值 | f040508e8938ab75e43873764e8fe09b |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x0002ea3b | 0x0002ec00 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.54 |
| .rdata | 0x00030000 | 0x0000bbf8 | 0x0000bc00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.77 |
| .data | 0x0003c000 | 0x0000452c | 0x00001c00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 3.98 |
| .rsrc | 0x00041000 | 0x00149640 | 0x00149800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 6.67 |
| .reloc | 0x0018b000 | 0x00002778 | 0x00002800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 6.58 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| RT_ICON | 0x00189fd0 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 6.12 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00189fd0 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 6.12 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00189fd0 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 6.12 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00189fd0 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 6.12 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00189fd0 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 6.12 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00189fd0 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 6.12 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00189fd0 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 6.12 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00189fd0 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 6.12 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x00189fd0 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 6.12 | GLS_BINARY_LSB_FIRST |
| RT_ACCELERATOR | 0x0014dd30 | 0x00000008 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.00 | data |
| RT_RCDATA | 0x000eef30 | 0x0005ee00 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.65 | PE32+ executable (DLL) (GUI) x86-64, for MS Windows |
| RT_RCDATA | 0x000eef30 | 0x0005ee00 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.65 | PE32+ executable (DLL) (GUI) x86-64, for MS Windows |
| RT_GROUP_ICON | 0x0018a438 | 0x00000084 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.05 | MS Windows icon resource - 9 icons, 256x256 |
| RT_MANIFEST | 0x0018a4c0 | 0x0000017d | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.91 | XML 1.0 document text |
导入
库 KERNEL32.dll:
• 0x43002c - GetCurrentProcess
• 0x430030 - GetFileAttributesA
• 0x430034 - SetDllDirectoryA
• 0x430038 - CreateProcessA
• 0x43003c - ReadFile
• 0x430040 - FindFirstFileA
• 0x430044 - GetLastError
• 0x430048 - FindNextFileA
• 0x43004c - GetModuleHandleA
• 0x430050 - CloseHandle
• 0x430054 - LoadLibraryW
• 0x430058 - GetVersionExA
• 0x43005c - FindResourceA
• 0x430060 - FindFirstFileW
• 0x430064 - SetFilePointer
• 0x430068 - PeekNamedPipe
• 0x43006c - FreeLibrary
• 0x430070 - LoadResource
• 0x430074 - CreateDirectoryW
• 0x430078 - SetHandleInformation
• 0x43007c - WaitForSingleObject
• 0x430080 - GetModuleHandleW
• 0x430084 - GetTickCount
• 0x430088 - WriteFile
• 0x43008c - InitializeCriticalSection
• 0x430090 - WideCharToMultiByte
• 0x430094 - TerminateThread
• 0x430098 - Sleep
• 0x43009c - SizeofResource
• 0x4300a0 - GetSystemWindowsDirectoryA
• 0x4300a4 - LeaveCriticalSection
• 0x4300a8 - GetModuleFileNameW
• 0x4300ac - GetSystemDirectoryA
• 0x4300b0 - CreateFileW
• 0x4300b4 - lstrlenW
• 0x4300b8 - EnterCriticalSection
• 0x4300bc - FindClose
• 0x4300c0 - GetLocalTime
• 0x4300c4 - InterlockedExchangeAdd
• 0x4300c8 - LockResource
• 0x4300cc - WaitForMultipleObjects
• 0x4300d0 - CreatePipe
• 0x4300d4 - FindNextFileW
• 0x4300d8 - DeleteCriticalSection
• 0x4300dc - DeleteFileW
• 0x4300e0 - GetCurrentProcessId
• 0x4300e4 - CreateThread
• 0x4300e8 - GetComputerNameA
• 0x4300ec - CreateFileA
• 0x4300f0 - SetEndOfFile
• 0x4300f4 - WriteConsoleW
• 0x4300f8 - SetStdHandle
• 0x4300fc - OutputDebugStringW
• 0x430100 - LoadLibraryExW
• 0x430104 - HeapReAlloc
• 0x430108 - GetConsoleCP
• 0x43010c - FlushFileBuffers
• 0x430110 - ReadConsoleW
• 0x430114 - GetConsoleMode
• 0x430118 - SetFilePointerEx
• 0x43011c - HeapSize
• 0x430120 - GetOEMCP
• 0x430124 - GetACP
• 0x430128 - IsValidCodePage
• 0x43012c - FreeEnvironmentStringsW
• 0x430130 - GetEnvironmentStringsW
• 0x430134 - GetSystemTimeAsFileTime
• 0x430138 - QueryPerformanceCounter
• 0x43013c - GetModuleFileNameA
• 0x430140 - GetFileType
• 0x430144 - GetStdHandle
• 0x430148 - GetProcessHeap
• 0x43014c - GetModuleHandleExW
• 0x430150 - ExitProcess
• 0x430154 - GetCurrentThreadId
• 0x430158 - EnumSystemLocalesW
• 0x43015c - GetUserDefaultLCID
• 0x430160 - IsValidLocale
• 0x430164 - ExpandEnvironmentStringsW
• 0x430168 - DeleteFileA
• 0x43016c - GetTempPathA
• 0x430170 - LoadLibraryA
• 0x430174 - GetTempFileNameA
• 0x430178 - CopyFileA
• 0x43017c - GetProcAddress
• 0x430180 - MultiByteToWideChar
• 0x430184 - ExpandEnvironmentStringsA
• 0x430188 - GetLocaleInfoW
• 0x43018c - LCMapStringW
• 0x430190 - GetStartupInfoW
• 0x430194 - TlsFree
• 0x430198 - TlsSetValue
• 0x43019c - TlsGetValue
• 0x4301a0 - TlsAlloc
• 0x4301a4 - TerminateProcess
• 0x4301a8 - InitializeCriticalSectionAndSpinCount
• 0x4301ac - GetVolumeInformationA
• 0x4301b0 - SetDllDirectoryW
• 0x4301b4 - EncodePointer
• 0x4301b8 - DecodePointer
• 0x4301bc - GetStringTypeW
• 0x4301c0 - GetCommandLineA
• 0x4301c4 - HeapAlloc
• 0x4301c8 - HeapFree
• 0x4301cc - IsDebuggerPresent
• 0x4301d0 - IsProcessorFeaturePresent
• 0x4301d4 - RaiseException
• 0x4301d8 - RtlUnwind
• 0x4301dc - GetCPInfo
• 0x4301e0 - UnhandledExceptionFilter
• 0x4301e4 - SetUnhandledExceptionFilter
• 0x4301e8 - SetLastError
库 USER32.dll:
• 0x4301f8 - RegisterClassA
• 0x4301fc - GetWindowThreadProcessId
• 0x430200 - SetClipboardViewer
• 0x430204 - OpenClipboard
• 0x430208 - ToUnicodeEx
• 0x43020c - DispatchMessageA
• 0x430210 - RegisterRawInputDevices
• 0x430214 - DefWindowProcA
• 0x430218 - ChangeClipboardChain
• 0x43021c - CreateWindowExA
• 0x430220 - GetKeyNameTextW
• 0x430224 - GetKeyState
• 0x430228 - CharUpperA
• 0x43022c - DestroyWindow
• 0x430230 - CloseClipboard
• 0x430234 - SetTimer
• 0x430238 - RegisterClassExA
• 0x43023c - PostQuitMessage
• 0x430240 - GetRawInputData
• 0x430244 - SendNotifyMessageA
• 0x430248 - KillTimer
• 0x43024c - GetMessageA
• 0x430250 - SendMessageA
• 0x430254 - TranslateMessage
• 0x430258 - GetKeyboardState
• 0x43025c - GetForegroundWindow
• 0x430260 - GetGUIThreadInfo
• 0x430264 - GetKeyboardLayout
• 0x430268 - SetWindowLongA
• 0x43026c - CharLowerA
• 0x430270 - GetWindowLongA
• 0x430274 - GetClipboardData
• 0x430278 - GetWindowTextW
库 ADVAPI32.dll:
• 0x430000 - RegOpenKeyExA
• 0x430004 - CredEnumerateA
• 0x430008 - RegSetValueExA
• 0x43000c - RegCloseKey
• 0x430010 - CredFree
• 0x430014 - RegCreateKeyExA
库 CRYPT32.dll:
• 0x43001c - CryptUnprotectData
库 SHLWAPI.dll:
• 0x4301f0 - StrChrNW
库 WININET.dll:
• 0x430280 - HttpQueryInfoA
• 0x430284 - InternetConnectA
• 0x430288 - InternetCrackUrlA
• 0x43028c - InternetReadFile
• 0x430290 - InternetSetOptionA
• 0x430294 - HttpOpenRequestA
• 0x430298 - HttpSendRequestA
• 0x43029c - InternetOpenA
• 0x4302a0 - InternetCloseHandle
库 urlmon.dll:
• 0x4302a8 - ObtainUserAgentString
库 IPHLPAPI.DLL:
• 0x430024 - GetAdaptersInfo
投放文件
s.dll
| 文件名 | s.dll |
|---|---|
| 相关文件 |
|
| 文件大小 | 711680 bytes |
| 文件类型 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
| MD5 | 0d4f0ac0e5ab51206dd4e1e3eadf5edd |
| SHA1 | 697b93d8f05017e123936acb2f3acb29bbc5e4f2 |
| SHA256 | 85c5f49206fd46492223a0635071891998ea9aaab5e5e730ba822015e7a3e149 |
| SHA512 | b63b255806aa92db7a219ed78773219368c62d6eb73de635ad00c334a71495ca23858a4de2fde0dae6e2d669a2b5b66f2b3f2e52b06672fcf41d06052d71e3f8 |
| Ssdeep | 12288:6/OrQHn/MBR+E492qwb1qpQg5J5OhNGQ+sg95IhRf+lMGgV94jZrALRmKTxvm:6/HHsRn49iWMWQ89uh9xVCjZrR6m |
| VirusTotal | 搜索相关分析 |
F.dll
| 文件名 | F.dll |
|---|---|
| 相关文件 |
|
| 文件大小 | 388608 bytes |
| 文件类型 | PE32+ executable (DLL) (GUI) x86-64, for MS Windows |
| MD5 | 6dca5649679fc7ce121c5983badcd244 |
| SHA1 | 0b72029463878b16b9297dc57f030809d5f4fed4 |
| SHA256 | 2060da10d075c6d8b04953f5b2283c62c8c6e2230975289b2b2164505cf9f59b |
| SHA512 | 1be960d78beff0adbb539c4cce44ec08b3c675e4312e710087f507be60a877f6ccdaac9b5fbd2e46127aa6d80d5066900ca6f4166e215a92ea50716f22787df8 |
| Ssdeep | 6144:z0Vyut6SF9Fx1xhEvTkfM0FAFTuQOYgcMAY9jvHzDHfTzGuC5Evi1nU9iDApvIhg:AVRt6SF9lvE3MT+n |
| VirusTotal | 搜索相关分析 |
Pid
| 文件名 | Pid |
|---|---|
| 相关文件 |
|
| 文件大小 | 3047 bytes |
| 文件类型 | ISO-8859 text, with CRLF line terminators |
| MD5 | 335d2bea77fac894ba233523ce2aaf1a |
| SHA1 | d954824a1ad2329bf45b3d78e716f6fed74ce5a0 |
| SHA256 | 812338176f2f7de10e74982211344de8c4904fb28c1933c59a037db04e7c4fa6 |
| SHA512 | c7cecb8418ce621262004d6ceeafc9d8711b3a6dd6f69c38357a2657b7de70e0bfad9e9d708d61ca33a2dadd9da88f5c098e92cfe6fc84836df7be79d09da822 |
| Ssdeep | 48:hEt2JVvvOmVpV5A5dzKbiq9AjsrTgwI22pmTn4Jw4Pje:hU2JV3ZVpV5A5dzKbiq9QsrTgwI22pmT |
| VirusTotal | 搜索相关分析 |
行为分析
互斥量(Mutexes)
无信息
执行的命令
无信息
创建的服务
无信息
启动的服务
无信息
进程
fd5d49ef96facbecf46f625fca0fa16da2cdb85f67f0053db5eb51f617be12a6.exe PID: 2036, 上一级进程 PID: 272
tasklist.exe PID: 1664, 上一级进程 PID: 2036
访问的文件
- C:\Users\test\AppData\Local\Mozilla
- C:\Users\test\AppData\Local\Mozilla\Service
- C:\Users\test\AppData\Local\Mozilla\Service\s.dll
- C:\Users\test\AppData\Local\Mozilla\Service\F.dll
- C:\Users\test\AppData\Local\Mozilla\Service\L
- C:\Users\test\AppData\Local\Mozilla\Service\MService.exe
- C:\Users\test\AppData\Local\Mozilla\Service\L\Pid
- \Device\NamedPipe\
- C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
- \Device\KsecDD
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Windows\System32\wbem\zh-CN\wmiutils.dll.mui
- C:\Windows\System32\wbem\zh-Hans\wmiutils.dll.mui
- C:\Windows\System32\wbem\zh\wmiutils.dll.mui
- C:\Windows\System32\wbem\en-US\wmiutils.dll.mui
读取的文件
- C:\Users\test\AppData\Local\Mozilla\Service\s.dll
- C:\Users\test\AppData\Local\Mozilla\Service\F.dll
- C:\Users\test\AppData\Local\Mozilla\Service\MService.exe
- \Device\NamedPipe\
- C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
- \Device\KsecDD
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Windows\System32\wbem\zh-CN\wmiutils.dll.mui
- C:\Windows\System32\wbem\zh-Hans\wmiutils.dll.mui
- C:\Windows\System32\wbem\zh\wmiutils.dll.mui
- C:\Windows\System32\wbem\en-US\wmiutils.dll.mui
修改的文件
- C:\Users\test\AppData\Local\Mozilla\Service\s.dll
- C:\Users\test\AppData\Local\Mozilla\Service\F.dll
- C:\Users\test\AppData\Local\Mozilla\Service\L\Pid
删除的文件
无信息
注册表键
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_CURRENT_USER\Software\Classes
- HKEY_CURRENT_USER\Software\Classes\AppID\tasklist.exe
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSclient
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
- HKEY_CURRENT_USER\Software\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh-Hans
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh-Hans
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
- HKEY_CURRENT_USER\Software\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
- HKEY_CURRENT_USER\Software\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TreatAs
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Progid
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Progid
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler
- HKEY_CURRENT_USER\Software\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
- HKEY_CURRENT_USER\Software\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TreatAs
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\Progid
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\Progid
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler
- HKEY_CURRENT_USER\Software\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
- HKEY_CURRENT_USER\Software\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\CIMOM\Logging
读取的注册表键
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh-Hans
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh-Hans
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\zh
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\zh
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\CIMOM\Logging
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- kernel32.dll.FlsAlloc
- kernel32.dll.FlsFree
- kernel32.dll.FlsGetValue
- kernel32.dll.FlsSetValue
- kernel32.dll.InitializeCriticalSectionEx
- kernel32.dll.CreateEventExW
- kernel32.dll.CreateSemaphoreExW
- kernel32.dll.SetThreadStackGuarantee
- kernel32.dll.CreateThreadpoolTimer
- kernel32.dll.SetThreadpoolTimer
- kernel32.dll.WaitForThreadpoolTimerCallbacks
- kernel32.dll.CloseThreadpoolTimer
- kernel32.dll.CreateThreadpoolWait
- kernel32.dll.SetThreadpoolWait
- kernel32.dll.CloseThreadpoolWait
- kernel32.dll.FlushProcessWriteBuffers
- kernel32.dll.FreeLibraryWhenCallbackReturns
- kernel32.dll.GetCurrentProcessorNumber
- kernel32.dll.GetLogicalProcessorInformation
- kernel32.dll.CreateSymbolicLinkW
- kernel32.dll.EnumSystemLocalesEx
- kernel32.dll.CompareStringEx
- kernel32.dll.GetDateFormatEx
- kernel32.dll.GetLocaleInfoEx
- kernel32.dll.GetTimeFormatEx
- kernel32.dll.GetUserDefaultLocaleName
- kernel32.dll.IsValidLocaleName
- kernel32.dll.LCMapStringEx
- kernel32.dll.GetTickCount64
- kernel32.dll.CreateToolhelp32Snapshot
- kernel32.dll.Process32First
- kernel32.dll.Process32Next
- cryptbase.dll.SystemFunction036
- sechost.dll.LookupAccountNameLocalW
- advapi32.dll.LookupAccountSidW
- sechost.dll.LookupAccountSidLocalW
- winsta.dll.WinStationFreeMemory
- winsta.dll.WinStationCloseServer
- winsta.dll.WinStationOpenServerW
- winsta.dll.WinStationFreeGAPMemory
- winsta.dll.WinStationGetAllProcesses
- winsta.dll.WinStationNameFromLogonIdW
- winsta.dll.WinStationEnumerateProcesses
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle
- kernel32.dll.GetThreadPreferredUILanguages
- kernel32.dll.SetThreadPreferredUILanguages
- kernel32.dll.LocaleNameToLCID
- kernel32.dll.LCIDToLocaleName
- kernel32.dll.GetSystemDefaultLocaleName
- oleaut32.dll.#283
- oleaut32.dll.#284
- oleaut32.dll.#2
- advapi32.dll.CreateWellKnownSid
- rpcrt4.dll.RpcStringBindingComposeW
- rpcrt4.dll.RpcBindingFromStringBindingW
- rpcrt4.dll.RpcStringFreeW
- rpcrt4.dll.RpcBindingSetAuthInfoExW
- rpcrt4.dll.NdrClientCall2
- rpcrt4.dll.RpcBindingFree
- ntdll.dll.EtwUnregisterTraceGuids
- oleaut32.dll.#500
- cryptsp.dll.CryptReleaseContext