魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2016-09-06 14:38:41 | 2016-09-06 14:39:03 | 22 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64 | win7-sp1-x64 | KVM | 2016-09-06 14:38:42 | 2016-09-06 14:39:01 |
| 魔盾分数 |
|---|
0.5正常的 |
文件详细信息
| 文件名 | IMEDICTUPDATEUI.EXE |
|---|---|
| 文件大小 | 267632 字节 |
| 文件类型 | PE32+ executable (GUI) x86-64, for MS Windows |
| CRC32 | 9E56DE59 |
| MD5 | cdb887cb2b9efd31e3735a1ecb0e2c9d |
| SHA1 | 597613448e278acd610995ced18df3ab223d5dca |
| SHA256 | 8cd47560bcd497af11d590c2bc72dffa4feb0b56087267e06dfb34a2b8c21fee |
| SHA512 | 74f584f2a2d82fa190aedf545c6600658f2f53c8a736813136d5581f6a5c2fc6e1c5c8dc9a5786dbda7c6adfdb5af8855b8eacc3fdac72c815bda2225a736e8f |
| Ssdeep | 3072:56aXfwzNRkBl2yKvskfdY43O+U7ITzOAWe7LiCeeOWo8qmu+wS9H6XpDXcmHb9ot:Vfwz+l2yKvDdY43OETKkeeOdlS9H6TxC |
| PEiD | 无匹配 |
| Yara |
|
| VirusTotal |
VirusTotal链接 VirusTotal扫描时间: 2016-04-28 22:50:03 扫描结果: 0/56 |
特征
创建RWX内存
运行截图
网络分析
UDP连接
| IP地址 | 端口 |
|---|---|
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 224.0.0.252 | 5355 |
| 224.0.0.252 | 5355 |
| 239.255.255.250 | 1900 |
| 52.169.179.91 | 123 |
静态分析
PE 信息
| 初始地址 | 0x140000000 |
|---|---|
| 入口地址 | 0x140013a28 |
| 声明校验值 | 0x0004a46f |
| 实际校验值 | 0x0004a46f |
| 最低操作系统版本要求 | 5.2 |
| PDB路径 | t:\ime\x64\ship\0\imedictupdateui.pdb\x00\imedictupdateui.exe\bbtopt\imedictupdateuiO.pdb |
| 编译时间 | 2010-01-21 16:16:08 |
| 图标 |  |
| 图标精确哈希值 | 302fb3ad0be913818f0e53d6ebdf00ec |
| 图标相似性哈希值 | be14047913ab6ebf264ad52502eb4fe1 |
版本信息
| LegalCopyright: | \xa9 2010 Microsoft Corporation. All rights reserved. |
| InternalName: | IMEDictUpdateUI.exe |
| FileVersion: | 14.0.4734.1000 |
| CompanyName: | Microsoft Corporation |
| LegalTrademarks: | Microsoft(R) is a registered trademark of Microsoft Corporation. Windows(R) is a registered trademark of Microsoft Corporation. |
| ProductName: | Microsoft Office IME 2010 |
| ProductVersion: | 14.0.4734.1000 |
| FileDescription: | Microsoft Office IME 2010 |
| OriginalFilename: | IMEDictUpdateUI.exe |
| Translation: | 0x0000 0x04b0 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x0001b0db | 0x0001b200 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.13 |
| .rdata | 0x0001d000 | 0x0000bb88 | 0x0000bc00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.23 |
| .data | 0x00029000 | 0x000026b8 | 0x00001600 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 4.45 |
| .pdata | 0x0002c000 | 0x000021fc | 0x00002200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.14 |
| .rsrc | 0x0002f000 | 0x00014ef0 | 0x00015000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.82 |
| .reloc | 0x00044000 | 0x00000268 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 3.96 |
覆盖
| 偏移量: | 0x0003fe00 |
| 大小: | 0x00001770 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| RT_ICON | 0x0003bff8 | 0x00000468 | LANG_NEUTRAL | SUBLANG_DEFAULT | 4.35 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x0003bff8 | 0x00000468 | LANG_NEUTRAL | SUBLANG_DEFAULT | 4.35 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x0003bff8 | 0x00000468 | LANG_NEUTRAL | SUBLANG_DEFAULT | 4.35 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x0003bff8 | 0x00000468 | LANG_NEUTRAL | SUBLANG_DEFAULT | 4.35 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x0003bff8 | 0x00000468 | LANG_NEUTRAL | SUBLANG_DEFAULT | 4.35 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x0003bff8 | 0x00000468 | LANG_NEUTRAL | SUBLANG_DEFAULT | 4.35 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x0003bff8 | 0x00000468 | LANG_NEUTRAL | SUBLANG_DEFAULT | 4.35 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x0003bff8 | 0x00000468 | LANG_NEUTRAL | SUBLANG_DEFAULT | 4.35 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x0003bff8 | 0x00000468 | LANG_NEUTRAL | SUBLANG_DEFAULT | 4.35 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x0003bff8 | 0x00000468 | LANG_NEUTRAL | SUBLANG_DEFAULT | 4.35 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x0003bff8 | 0x00000468 | LANG_NEUTRAL | SUBLANG_DEFAULT | 4.35 | GLS_BINARY_LSB_FIRST |
| RT_ICON | 0x0003bff8 | 0x00000468 | LANG_NEUTRAL | SUBLANG_DEFAULT | 4.35 | GLS_BINARY_LSB_FIRST |
| RT_DIALOG | 0x0003ce80 | 0x00000100 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.07 | data |
| RT_DIALOG | 0x0003ce80 | 0x00000100 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.07 | data |
| RT_DIALOG | 0x0003ce80 | 0x00000100 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.07 | data |
| RT_DIALOG | 0x0003ce80 | 0x00000100 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.07 | data |
| RT_DIALOG | 0x0003ce80 | 0x00000100 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.07 | data |
| RT_DIALOG | 0x0003ce80 | 0x00000100 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.07 | data |
| RT_DIALOG | 0x0003ce80 | 0x00000100 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.07 | data |
| RT_DIALOG | 0x0003ce80 | 0x00000100 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.07 | data |
| RT_DIALOG | 0x0003ce80 | 0x00000100 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.07 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_STRING | 0x0004356c | 0x0000011e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 5.35 | data |
| RT_GROUP_ICON | 0x000436e8 | 0x0000005a | LANG_NEUTRAL | SUBLANG_DEFAULT | 2.95 | MS Windows icon resource - 6 icons, 48x48, 256-colors |
| RT_GROUP_ICON | 0x000436e8 | 0x0000005a | LANG_NEUTRAL | SUBLANG_DEFAULT | 2.95 | MS Windows icon resource - 6 icons, 48x48, 256-colors |
| RT_VERSION | 0x00043744 | 0x000004a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.50 | data |
| RT_MANIFEST | 0x00043bec | 0x00000302 | LANG_NEUTRAL | SUBLANG_DEFAULT | 5.06 | ASCII text, with very long lines, with no line terminators |
导入
库 KERNEL32.dll:
• 0x14001d000 - GlobalFree
• 0x14001d008 - GetModuleHandleW
• 0x14001d010 - GetProcAddress
• 0x14001d018 - GetSystemDefaultLangID
• 0x14001d020 - CreateThread
• 0x14001d028 - WaitForMultipleObjects
• 0x14001d030 - ReleaseMutex
• 0x14001d038 - WaitForSingleObject
• 0x14001d040 - CreateMutexW
• 0x14001d048 - SetEvent
• 0x14001d050 - CreateEventW
• 0x14001d058 - SizeofResource
• 0x14001d060 - GetCommandLineW
• 0x14001d068 - LocalFree
• 0x14001d070 - GetVersionExW
• 0x14001d078 - GetSystemDefaultLCID
• 0x14001d080 - CompareStringW
• 0x14001d088 - GetModuleFileNameW
• 0x14001d090 - CreateProcessW
• 0x14001d098 - CloseHandle
• 0x14001d0a0 - ExpandEnvironmentStringsW
• 0x14001d0a8 - GetLastError
• 0x14001d0b0 - lstrlenW
• 0x14001d0b8 - GetSystemTime
• 0x14001d0c0 - SystemTimeToFileTime
• 0x14001d0c8 - FindResourceExW
• 0x14001d0d0 - LoadResource
• 0x14001d0d8 - LockResource
• 0x14001d0e0 - QueryPerformanceCounter
• 0x14001d0e8 - HeapSize
• 0x14001d0f0 - HeapReAlloc
• 0x14001d0f8 - HeapDestroy
• 0x14001d100 - RtlCaptureContext
• 0x14001d108 - RtlLookupFunctionEntry
• 0x14001d110 - RtlVirtualUnwind
• 0x14001d118 - IsDebuggerPresent
• 0x14001d120 - SetUnhandledExceptionFilter
• 0x14001d128 - UnhandledExceptionFilter
• 0x14001d130 - GetCurrentProcess
• 0x14001d138 - TerminateProcess
• 0x14001d140 - GetStartupInfoW
• 0x14001d148 - Sleep
• 0x14001d150 - LoadLibraryW
• 0x14001d158 - HeapAlloc
• 0x14001d160 - HeapFree
• 0x14001d168 - GetProcessHeap
• 0x14001d170 - GetSystemTimeAsFileTime
• 0x14001d178 - GetCurrentProcessId
• 0x14001d180 - GetCurrentThreadId
• 0x14001d188 - GetTickCount
• 0x14001d190 - VirtualProtect
库 USER32.dll:
• 0x14001d1a0 - LoadStringW
• 0x14001d1a8 - SetWindowTextW
• 0x14001d1b0 - PostMessageW
• 0x14001d1b8 - GetDlgItem
• 0x14001d1c0 - GetClientRect
• 0x14001d1c8 - EnableWindow
• 0x14001d1d0 - SetDlgItemTextW
• 0x14001d1d8 - CreateDialogIndirectParamW
• 0x14001d1e0 - DialogBoxIndirectParamW
• 0x14001d1e8 - GetWindowLongPtrW
• 0x14001d1f0 - SetWindowLongPtrW
• 0x14001d1f8 - GetParent
• 0x14001d200 - GetWindowRect
• 0x14001d208 - SetWindowPos
• 0x14001d210 - DestroyWindow
• 0x14001d218 - EndDialog
• 0x14001d220 - MessageBoxW
• 0x14001d228 - IsWindow
• 0x14001d230 - SendMessageW
库 ADVAPI32.dll:
• 0x14001d240 - ReportEventW
• 0x14001d248 - ControlService
• 0x14001d250 - OpenSCManagerW
• 0x14001d258 - OpenServiceW
• 0x14001d260 - StartServiceW
• 0x14001d268 - CloseServiceHandle
• 0x14001d270 - RegEnumValueW
• 0x14001d278 - RegEnumKeyExW
• 0x14001d280 - RegCloseKey
• 0x14001d288 - RegQueryValueExW
• 0x14001d290 - RegSetValueExW
• 0x14001d298 - RegCreateKeyExW
• 0x14001d2a0 - RegOpenKeyExW
• 0x14001d2a8 - DeregisterEventSource
• 0x14001d2b0 - RegisterEventSourceW
• 0x14001d2b8 - OpenProcessToken
• 0x14001d2c0 - GetSidSubAuthority
• 0x14001d2c8 - GetSidSubAuthorityCount
• 0x14001d2d0 - IsValidSid
• 0x14001d2d8 - GetTokenInformation
• 0x14001d2e0 - ConvertStringSecurityDescriptorToSecurityDescriptorW
• 0x14001d2e8 - ConvertSidToStringSidW
库 ole32.dll:
• 0x14001d2f8 - CoInitializeEx
• 0x14001d300 - CLSIDFromProgID
• 0x14001d308 - CoCreateInstance
• 0x14001d310 - CoUninitialize
库 OLEAUT32.dll:
• 0x14001d320 - None
• 0x14001d328 - None
• 0x14001d330 - None
库 SHELL32.dll:
• 0x14001d340 - CommandLineToArgvW
• 0x14001d348 - None
• 0x14001d350 - ShellExecuteW
库 SHLWAPI.dll:
• 0x14001d360 - SHDeleteKeyW
库 MSVCR90.dll:
• 0x14001d370 - exit
• 0x14001d378 - _wcmdln
• 0x14001d380 - _initterm
• 0x14001d388 - _initterm_e
• 0x14001d390 - _configthreadlocale
• 0x14001d398 - __setusermatherr
• 0x14001d3a0 - _commode
• 0x14001d3a8 - _fmode
• 0x14001d3b0 - _encode_pointer
• 0x14001d3b8 - __set_app_type
• 0x14001d3c0 - __crt_debugger_hook
• 0x14001d3c8 - ?terminate@@YAXXZ
• 0x14001d3d0 - _unlock
• 0x14001d3d8 - __dllonexit
• 0x14001d3e0 - _lock
• 0x14001d3e8 - _onexit
• 0x14001d3f0 - _decode_pointer
• 0x14001d3f8 - ?_type_info_dtor_internal_method@type_info@@QEAAXXZ
• 0x14001d400 - _cexit
• 0x14001d408 - _exit
• 0x14001d410 - _XcptFilter
• 0x14001d418 - __C_specific_handler
• 0x14001d420 - __wgetmainargs
• 0x14001d428 - memmove_s
• 0x14001d430 - _wcstoi64
• 0x14001d438 - _wtoi
• 0x14001d440 - ??_U@YAPEAX_K@Z
• 0x14001d448 - ??_V@YAXPEAX@Z
• 0x14001d450 - _vsnwprintf_s
• 0x14001d458 - wcsncat_s
• 0x14001d460 - ??0exception@std@@QEAA@AEBV01@@Z
• 0x14001d468 - _invalid_parameter_noinfo
• 0x14001d470 - ??0exception@std@@QEAA@XZ
• 0x14001d478 - ??1exception@std@@UEAA@XZ
• 0x14001d480 - ?what@exception@std@@UEBAPEBDXZ
• 0x14001d488 - ??0exception@std@@QEAA@AEBQEBD@Z
• 0x14001d490 - memset
• 0x14001d498 - wcsncpy_s
• 0x14001d4a0 - ??2@YAPEAX_K@Z
• 0x14001d4a8 - vswprintf_s
• 0x14001d4b0 - _vscwprintf
• 0x14001d4b8 - _CxxThrowException
• 0x14001d4c0 - memcpy_s
• 0x14001d4c8 - __CxxFrameHandler3
• 0x14001d4d0 - ??3@YAXPEAX@Z
• 0x14001d4d8 - _amsg_exit
库 MSVCP90.dll:
• 0x14001d4e8 - ?npos@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@2_KB
• 0x14001d4f0 - ?swap@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAAXAEAV12@@Z
• 0x14001d4f8 - ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@AEBV01@@Z
• 0x14001d500 - ??$?8_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA_NAEBV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@0@Z
• 0x14001d508 - ??$?8_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA_NAEBV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@PEB_W@Z
• 0x14001d510 - ?length@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEBA_KXZ
• 0x14001d518 - ??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAAAEAV01@AEBV01@@Z
• 0x14001d520 - ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAA@PEBD@Z
• 0x14001d528 - ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEBAPEBDXZ
• 0x14001d530 - ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAA@XZ
• 0x14001d538 - ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QEAA@AEBV01@@Z
• 0x14001d540 - ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@PEB_W@Z
• 0x14001d548 - ?find@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEBA_KAEBV12@_K@Z
• 0x14001d550 - ??$?M_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA_NAEBV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@0@Z
• 0x14001d558 - ?c_str@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEBAPEB_WXZ
• 0x14001d560 - ??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@XZ
• 0x14001d568 - ??4?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAAAEAV01@PEB_W@Z
• 0x14001d570 - ??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QEAA@XZ
投放文件
行为分析
互斥量(Mutexes)
无信息
执行的命令
无信息
创建的服务
无信息
启动的服务
无信息
进程
IMEDICTUPDATEUI.EXE PID: 852, 上一级进程 PID: 1672
访问的文件
- \Device\KsecDD
读取的文件
- \Device\KsecDD
修改的文件
无信息
删除的文件
无信息
注册表键
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
读取的注册表键
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- kernel32.dll.HeapSetInformation
- cryptbase.dll.SystemFunction036
- uxtheme.dll.ThemeInitApiHook
- user32.dll.IsProcessDPIAware
- oleaut32.dll.#500