魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2019-07-21 15:09:10 | 2019-07-21 15:09:46 | 36 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-hpdapp01-1 | win7-sp1-x64-hpdapp01-1 | KVM | 2019-07-21 15:09:17 | None |
| 魔盾分数 |
|---|
10.0恶意的 |
文件详细信息
| 文件名 | 造梦西游4辅助.exe |
|---|---|
| 文件大小 | 1118208 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| CRC32 | 7714B156 |
| MD5 | e2215941187c5cc085213c892f2a3770 |
| SHA1 | 3ba72fb87ca8c9c157b400bfd207666c08ef9cd4 |
| SHA256 | ba2e1e53d32041e050a345e4c85ddc148642833b537fcdf830432178071d7b41 |
| SHA512 | abf12e4ed4e05fc844b4c79f0785a63c606c38fbfb3884a8c4a83cb922f5a15518f5736afac59bee1c9b4d7418de6e063927c870657a3c43e19f710dd25f474a |
| Ssdeep | 24576:7SSCltWoTOwzOnqtSBgi2cYKIi8IQTZiUytYp2v:79CjOwfEBgi+KIi8xI5 |
| PEiD | 无匹配 |
| Yara |
|
| VirusTotal | 无此文件扫描结果 |
特征
创建RWX内存
二进制文件可能包含加密或压缩数据
section: name: .rdata, entropy: 6.89, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00072000, virtual_size: 0x00071d34
可能通过原始硬盘更改安装了内核劫持(bookit)组件
尝试重启虚拟运行环境
将自己装载到Windows开机自动启动项目
key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System
data: C:\Program Files\System.dll
魔盾安全Yara规则检测结果 - 高危
Informational: Detected Rich Signature
Warning: Create a new process
Warning: Install itself for autorun at Windows startup
Warning: Detected escalate priviledges function
Warning: Detected take screenshot function
Warning: Run a keylogger
Warning: Affect system registries
Warning: Affect system token
Warning: Affect private profile
Warning: Affect hook table
Critical: Detects abnormal behaviors all together
Critical: Detects malicious behaviors from a small size app
Informational: Detected no presence of any attachment
Critical: maldoc_getEIP_method_1
Informational: Detected the presence of an or several images
Informational: Detected the presence of an or several urls
Informational: Looks for big numbers 32:sized
Warning: List of primes [long]
Informational: Look for CRC32 [poly]
Informational: Look for CRC32 table
Informational: Look for CRC32b [poly]
Informational: Look for MD5 constants
Informational: Look for DES [sbox]
Warning: RsaRef2 NN_modExp
Warning: RsaEuro NN_modMult
Warning: Detects program has the encryption or decription logic
运行截图
网络分析
静态分析
PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x00465c8d |
| 声明校验值 | 0x00000000 |
| 实际校验值 | 0x001147ee |
| 最低操作系统版本要求 | 4.0 |
| 编译时间 | 2019-06-07 12:31:14 |
| 载入哈希 | 631ec8c42832be6c9e1a0f47baa95965 |
版本信息
| LegalCopyright: | \u672c\u6e90\u7801\u6765\u81eawww.xiaodao.la |
| FileVersion: | 1.0.0.0 |
| CompanyName: | \u672c\u6e90\u7801\u6765\u81eawww.xiaodao.la |
| Comments: | \u672c\u6e90\u7801\u6765\u81eawww.xiaodao.la |
| ProductName: | \u6613\u8bed\u8a00\u7a0b\u5e8f |
| ProductVersion: | 1.0.0.0 |
| FileDescription: | \u672c\u6e90\u7801\u6765\u81eawww.xiaodao.la |
| Translation: | 0x0804 0x04b0 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x00083e9e | 0x00084000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.56 |
| .rdata | 0x00085000 | 0x00071d34 | 0x00072000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 6.89 |
| .data | 0x000f7000 | 0x000450aa | 0x00014000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 4.87 |
| .rsrc | 0x0013d000 | 0x00005b6c | 0x00006000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.77 |
导入
库 WINMM.dll:
• 0x48562c - midiStreamOut
• 0x485630 - midiOutPrepareHeader
• 0x485634 - waveOutUnprepareHeader
• 0x485638 - waveOutPrepareHeader
• 0x48563c - waveOutWrite
• 0x485640 - waveOutPause
• 0x485644 - waveOutReset
• 0x485648 - waveOutClose
• 0x48564c - waveOutGetNumDevs
• 0x485650 - waveOutOpen
• 0x485654 - midiStreamStop
• 0x485658 - midiOutReset
• 0x48565c - midiStreamClose
• 0x485660 - midiStreamRestart
• 0x485664 - midiOutUnprepareHeader
• 0x485668 - midiStreamOpen
• 0x48566c - midiStreamProperty
库 WS2_32.dll:
• 0x485684 - WSACleanup
• 0x485688 - closesocket
• 0x48568c - getpeername
• 0x485690 - accept
• 0x485694 - WSAAsyncSelect
• 0x485698 - recvfrom
• 0x48569c - ioctlsocket
• 0x4856a0 - inet_ntoa
• 0x4856a4 - recv
库 KERNEL32.dll:
• 0x48518c - SetLastError
• 0x485190 - GetTimeZoneInformation
• 0x485194 - GetVersion
• 0x485198 - GetACP
• 0x48519c - HeapSize
• 0x4851a0 - RaiseException
• 0x4851a4 - GetLocalTime
• 0x4851a8 - RtlUnwind
• 0x4851ac - GetStartupInfoA
• 0x4851b0 - GetOEMCP
• 0x4851b4 - GetCPInfo
• 0x4851b8 - GetProcessVersion
• 0x4851bc - SetErrorMode
• 0x4851c0 - GlobalFlags
• 0x4851c4 - GetCurrentThread
• 0x4851c8 - GetFileTime
• 0x4851cc - TlsGetValue
• 0x4851d0 - LocalReAlloc
• 0x4851d4 - TlsSetValue
• 0x4851d8 - TlsFree
• 0x4851dc - GlobalHandle
• 0x4851e0 - TlsAlloc
• 0x4851e4 - LocalAlloc
• 0x4851e8 - lstrcmpA
• 0x4851ec - GlobalGetAtomNameA
• 0x4851f0 - GlobalAddAtomA
• 0x4851f4 - GlobalFindAtomA
• 0x4851f8 - GlobalDeleteAtom
• 0x4851fc - lstrcmpiA
• 0x485200 - SetEndOfFile
• 0x485204 - UnlockFile
• 0x485208 - LockFile
• 0x48520c - FlushFileBuffers
• 0x485210 - DuplicateHandle
• 0x485214 - lstrcpynA
• 0x485218 - FileTimeToLocalFileTime
• 0x48521c - FileTimeToSystemTime
• 0x485220 - LocalFree
• 0x485224 - InterlockedDecrement
• 0x485228 - InterlockedIncrement
• 0x48522c - TerminateProcess
• 0x485230 - GetFileSize
• 0x485234 - SetFilePointer
• 0x485238 - WideCharToMultiByte
• 0x48523c - MultiByteToWideChar
• 0x485240 - GetCurrentProcess
• 0x485244 - SetSystemPowerState
• 0x485248 - CreateSemaphoreA
• 0x48524c - ResumeThread
• 0x485250 - ReleaseSemaphore
• 0x485254 - EnterCriticalSection
• 0x485258 - LeaveCriticalSection
• 0x48525c - GetProfileStringA
• 0x485260 - WriteFile
• 0x485264 - WaitForMultipleObjects
• 0x485268 - CreateFileA
• 0x48526c - SetEvent
• 0x485270 - FindResourceA
• 0x485274 - LoadResource
• 0x485278 - LockResource
• 0x48527c - ReadFile
• 0x485280 - GetModuleFileNameA
• 0x485284 - GetCurrentThreadId
• 0x485288 - ExitProcess
• 0x48528c - GlobalSize
• 0x485290 - GlobalFree
• 0x485294 - DeleteCriticalSection
• 0x485298 - InitializeCriticalSection
• 0x48529c - lstrcatA
• 0x4852a0 - lstrlenA
• 0x4852a4 - WinExec
• 0x4852a8 - lstrcpyA
• 0x4852ac - InterlockedExchange
• 0x4852b0 - FindNextFileA
• 0x4852b4 - GlobalReAlloc
• 0x4852b8 - HeapFree
• 0x4852bc - HeapReAlloc
• 0x4852c0 - GetProcessHeap
• 0x4852c4 - HeapAlloc
• 0x4852c8 - GetFullPathNameA
• 0x4852cc - FreeLibrary
• 0x4852d0 - LoadLibraryA
• 0x4852d4 - GetLastError
• 0x4852d8 - GetVersionExA
• 0x4852dc - WritePrivateProfileStringA
• 0x4852e0 - CreateThread
• 0x4852e4 - CreateEventA
• 0x4852e8 - Sleep
• 0x4852ec - GlobalAlloc
• 0x4852f0 - GlobalLock
• 0x4852f4 - GlobalUnlock
• 0x4852f8 - FindFirstFileA
• 0x4852fc - FindClose
• 0x485300 - GetFileAttributesA
• 0x485304 - CopyFileA
• 0x485308 - SetCurrentDirectoryA
• 0x48530c - GetVolumeInformationA
• 0x485310 - GetModuleHandleA
• 0x485314 - GetProcAddress
• 0x485318 - MulDiv
• 0x48531c - GetCommandLineA
• 0x485320 - GetTickCount
• 0x485324 - CreateProcessA
• 0x485328 - WaitForSingleObject
• 0x48532c - CloseHandle
• 0x485330 - UnhandledExceptionFilter
• 0x485334 - FreeEnvironmentStringsA
• 0x485338 - FreeEnvironmentStringsW
• 0x48533c - GetEnvironmentStrings
• 0x485340 - GetEnvironmentStringsW
• 0x485344 - SetHandleCount
• 0x485348 - GetStdHandle
• 0x48534c - GetFileType
• 0x485350 - GetEnvironmentVariableA
• 0x485354 - HeapDestroy
• 0x485358 - HeapCreate
• 0x48535c - VirtualFree
• 0x485360 - SetEnvironmentVariableA
• 0x485364 - LCMapStringA
• 0x485368 - LCMapStringW
• 0x48536c - VirtualAlloc
• 0x485370 - IsBadWritePtr
• 0x485374 - SetUnhandledExceptionFilter
• 0x485378 - GetStringTypeA
• 0x48537c - GetStringTypeW
• 0x485380 - CompareStringA
• 0x485384 - CompareStringW
• 0x485388 - IsBadReadPtr
• 0x48538c - IsBadCodePtr
• 0x485390 - SetStdHandle
• 0x485394 - GetSystemTime
库 USER32.dll:
• 0x4853b8 - GetMenu
• 0x4853bc - SetMenu
• 0x4853c0 - PeekMessageA
• 0x4853c4 - IsIconic
• 0x4853c8 - SetFocus
• 0x4853cc - GetActiveWindow
• 0x4853d0 - DeleteMenu
• 0x4853d4 - GetSystemMenu
• 0x4853d8 - DefWindowProcA
• 0x4853dc - GetClassInfoA
• 0x4853e0 - IsZoomed
• 0x4853e4 - PostQuitMessage
• 0x4853e8 - CopyAcceleratorTableA
• 0x4853ec - GetKeyState
• 0x4853f0 - TranslateAcceleratorA
• 0x4853f4 - IsWindowEnabled
• 0x4853f8 - ShowWindow
• 0x4853fc - SystemParametersInfoA
• 0x485400 - LoadImageA
• 0x485404 - EnumDisplaySettingsA
• 0x485408 - ClientToScreen
• 0x48540c - EnableMenuItem
• 0x485410 - GetSubMenu
• 0x485414 - GetDlgCtrlID
• 0x485418 - CreateAcceleratorTableA
• 0x48541c - CreateMenu
• 0x485420 - ModifyMenuA
• 0x485424 - AppendMenuA
• 0x485428 - GetWindow
• 0x48542c - DestroyAcceleratorTable
• 0x485430 - SetWindowRgn
• 0x485434 - GetMessagePos
• 0x485438 - ScreenToClient
• 0x48543c - CreatePopupMenu
• 0x485440 - CopyRect
• 0x485444 - LoadBitmapA
• 0x485448 - WinHelpA
• 0x48544c - KillTimer
• 0x485450 - SetTimer
• 0x485454 - ReleaseCapture
• 0x485458 - GetCapture
• 0x48545c - SetCapture
• 0x485460 - GetScrollRange
• 0x485464 - SetScrollRange
• 0x485468 - SetScrollPos
• 0x48546c - SetRect
• 0x485470 - InflateRect
• 0x485474 - IntersectRect
• 0x485478 - GetSysColorBrush
• 0x48547c - DestroyIcon
• 0x485480 - PtInRect
• 0x485484 - OffsetRect
• 0x485488 - IsWindowVisible
• 0x48548c - EnableWindow
• 0x485490 - RedrawWindow
• 0x485494 - GetWindowLongA
• 0x485498 - SetWindowLongA
• 0x48549c - GetSysColor
• 0x4854a0 - SetActiveWindow
• 0x4854a4 - SetCursorPos
• 0x4854a8 - LoadCursorA
• 0x4854ac - SetCursor
• 0x4854b0 - GetDC
• 0x4854b4 - FillRect
• 0x4854b8 - IsRectEmpty
• 0x4854bc - ReleaseDC
• 0x4854c0 - IsChild
• 0x4854c4 - DestroyMenu
• 0x4854c8 - SetForegroundWindow
• 0x4854cc - GetWindowRect
• 0x4854d0 - EqualRect
• 0x4854d4 - UpdateWindow
• 0x4854d8 - ValidateRect
• 0x4854dc - InvalidateRect
• 0x4854e0 - GetClientRect
• 0x4854e4 - GetFocus
• 0x4854e8 - GetParent
• 0x4854ec - GetTopWindow
• 0x4854f0 - PostMessageA
• 0x4854f4 - IsWindow
• 0x4854f8 - SetParent
• 0x4854fc - DestroyCursor
• 0x485500 - SendMessageA
• 0x485504 - SetWindowPos
• 0x485508 - MessageBoxA
• 0x48550c - GetCursorPos
• 0x485510 - GetSystemMetrics
• 0x485514 - EmptyClipboard
• 0x485518 - SetClipboardData
• 0x48551c - OpenClipboard
• 0x485520 - GetClipboardData
• 0x485524 - CloseClipboard
• 0x485528 - wsprintfA
• 0x48552c - WaitForInputIdle
• 0x485530 - DrawIconEx
• 0x485534 - CreateIconFromResource
• 0x485538 - CreateIconFromResourceEx
• 0x48553c - RegisterClipboardFormatA
• 0x485540 - SetRectEmpty
• 0x485544 - DispatchMessageA
• 0x485548 - GetMessageA
• 0x48554c - DrawFocusRect
• 0x485550 - DrawEdge
• 0x485554 - DrawFrameControl
• 0x485558 - TranslateMessage
• 0x48555c - LoadIconA
• 0x485560 - GetForegroundWindow
• 0x485564 - ExitWindowsEx
• 0x485568 - GetDesktopWindow
• 0x48556c - GetClassNameA
• 0x485570 - GetDlgItem
• 0x485574 - GetWindowTextA
• 0x485578 - ChildWindowFromPointEx
• 0x48557c - UnregisterClassA
• 0x485580 - WindowFromPoint
• 0x485584 - GetWindowTextLengthA
• 0x485588 - CharUpperA
• 0x48558c - GetWindowDC
• 0x485590 - BeginPaint
• 0x485594 - EndPaint
• 0x485598 - TabbedTextOutA
• 0x48559c - DrawTextA
• 0x4855a0 - GrayStringA
• 0x4855a4 - DestroyWindow
• 0x4855a8 - CreateDialogIndirectParamA
• 0x4855ac - EndDialog
• 0x4855b0 - GetNextDlgTabItem
• 0x4855b4 - GetWindowPlacement
• 0x4855b8 - RegisterWindowMessageA
• 0x4855bc - GetLastActivePopup
• 0x4855c0 - GetMessageTime
• 0x4855c4 - RemovePropA
• 0x4855c8 - CallWindowProcA
• 0x4855cc - GetPropA
• 0x4855d0 - UnhookWindowsHookEx
• 0x4855d4 - SetPropA
• 0x4855d8 - GetClassLongA
• 0x4855dc - CallNextHookEx
• 0x4855e0 - SetWindowsHookExA
• 0x4855e4 - CreateWindowExA
• 0x4855e8 - GetMenuItemID
• 0x4855ec - GetMenuItemCount
• 0x4855f0 - RegisterClassA
• 0x4855f4 - GetScrollPos
• 0x4855f8 - AdjustWindowRectEx
• 0x4855fc - MapWindowPoints
• 0x485600 - SendDlgItemMessageA
• 0x485604 - ScrollWindowEx
• 0x485608 - IsDialogMessageA
• 0x48560c - SetWindowTextA
• 0x485610 - MoveWindow
• 0x485614 - CheckMenuItem
• 0x485618 - SetMenuItemBitmaps
• 0x48561c - GetMenuState
• 0x485620 - GetMenuCheckMarkDimensions
• 0x485624 - LoadStringA
库 GDI32.dll:
• 0x485040 - PtVisible
• 0x485044 - GetViewportExtEx
• 0x485048 - ExtSelectClipRgn
• 0x48504c - CombineRgn
• 0x485050 - CreateRectRgn
• 0x485054 - FillRgn
• 0x485058 - CreateSolidBrush
• 0x48505c - GetStockObject
• 0x485060 - CreateFontIndirectA
• 0x485064 - EndPage
• 0x485068 - EndDoc
• 0x48506c - DeleteDC
• 0x485070 - StartDocA
• 0x485074 - StartPage
• 0x485078 - BitBlt
• 0x48507c - CreateCompatibleDC
• 0x485080 - Ellipse
• 0x485084 - Rectangle
• 0x485088 - RectVisible
• 0x48508c - DPtoLP
• 0x485090 - GetCurrentObject
• 0x485094 - RoundRect
• 0x485098 - GetTextExtentPoint32A
• 0x48509c - GetDeviceCaps
• 0x4850a0 - SetBkColor
• 0x4850a4 - LineTo
• 0x4850a8 - MoveToEx
• 0x4850ac - ExcludeClipRect
• 0x4850b0 - GetClipBox
• 0x4850b4 - ScaleWindowExtEx
• 0x4850b8 - SetWindowExtEx
• 0x4850bc - SetWindowOrgEx
• 0x4850c0 - TextOutA
• 0x4850c4 - ExtTextOutA
• 0x4850c8 - Escape
• 0x4850cc - GetTextMetricsA
• 0x4850d0 - PatBlt
• 0x4850d4 - CreatePen
• 0x4850d8 - GetObjectA
• 0x4850dc - SelectObject
• 0x4850e0 - CreateBitmap
• 0x4850e4 - CreateDCA
• 0x4850e8 - CreateCompatibleBitmap
• 0x4850ec - GetPolyFillMode
• 0x4850f0 - GetStretchBltMode
• 0x4850f4 - GetROP2
• 0x4850f8 - GetBkColor
• 0x4850fc - GetBkMode
• 0x485100 - GetTextColor
• 0x485104 - CreateRoundRectRgn
• 0x485108 - CreateEllipticRgn
• 0x48510c - PathToRegion
• 0x485110 - EndPath
• 0x485114 - BeginPath
• 0x485118 - GetWindowOrgEx
• 0x48511c - GetViewportOrgEx
• 0x485120 - ScaleViewportExtEx
• 0x485124 - SetViewportExtEx
• 0x485128 - OffsetViewportOrgEx
• 0x48512c - SetViewportOrgEx
• 0x485130 - SetMapMode
• 0x485134 - SetTextColor
• 0x485138 - SetROP2
• 0x48513c - SetPolyFillMode
• 0x485140 - GetWindowExtEx
• 0x485144 - GetDIBits
• 0x485148 - RealizePalette
• 0x48514c - SelectPalette
• 0x485150 - StretchBlt
• 0x485154 - CreatePalette
• 0x485158 - GetSystemPaletteEntries
• 0x48515c - CreateDIBitmap
• 0x485160 - DeleteObject
• 0x485164 - SelectClipRgn
• 0x485168 - CreatePolygonRgn
• 0x48516c - CreateRectRgnIndirect
• 0x485170 - SetStretchBltMode
• 0x485174 - LPtoDP
• 0x485178 - GetClipRgn
• 0x48517c - SetBkMode
• 0x485180 - RestoreDC
• 0x485184 - SaveDC
库 WINSPOOL.DRV:
• 0x485674 - OpenPrinterA
• 0x485678 - DocumentPropertiesA
• 0x48567c - ClosePrinter
库 ADVAPI32.dll:
• 0x485000 - RegQueryValueExA
• 0x485004 - RegOpenKeyExA
• 0x485008 - RegSetValueExA
• 0x48500c - RegCreateKeyA
• 0x485010 - RegDeleteValueA
• 0x485014 - RegDeleteKeyA
• 0x485018 - RegQueryValueA
• 0x48501c - AdjustTokenPrivileges
• 0x485020 - LookupPrivilegeValueA
• 0x485024 - OpenProcessToken
• 0x485028 - RegCreateKeyExA
• 0x48502c - RegCloseKey
库 SHELL32.dll:
• 0x4853ac - ShellExecuteA
• 0x4853b0 - Shell_NotifyIconA
库 ole32.dll:
• 0x4856c0 - CLSIDFromString
• 0x4856c4 - OleUninitialize
• 0x4856c8 - OleInitialize
库 OLEAUT32.dll:
• 0x48539c - LoadTypeLib
• 0x4853a0 - RegisterTypeLib
• 0x4853a4 - UnRegisterTypeLib
库 COMCTL32.dll:
• 0x485034 - None
• 0x485038 - ImageList_Destroy
库 comdlg32.dll:
• 0x4856ac - ChooseColorA
• 0x4856b0 - GetFileTitleA
• 0x4856b4 - GetSaveFileNameA
• 0x4856b8 - GetOpenFileNameA
投放文件
行为分析
互斥量(Mutexes)
无信息
执行的命令
无信息
创建的服务
无信息
启动的服务
无信息
进程
____________4______.exe PID: 2680, 上一级进程 PID: 2296
访问的文件
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\
- C:\Users\test\AppData\Local\Temp\ExtraDll.dll
- C:\Users\test\AppData\Local\Temp\kernel32.DLL
- C:\Users\test\AppData\Local\Temp\kernel32.dll
- \??\physicaldrive0
- C:\Users\test\AppData\Local\Temp\____________4______.exe
- C:\Program Files\System.dll
- C:\Program Files\360.dll
读取的文件
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Users\test\AppData\Local\Temp\ExtraDll.dll
- \??\physicaldrive0
- C:\Users\test\AppData\Local\Temp\____________4______.exe
修改的文件
- C:\Users\test\AppData\Local\Temp\ExtraDll.dll
- \??\physicaldrive0
- C:\Program Files\System.dll
- C:\Program Files\360.dll
删除的文件
无信息
注册表键
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
- HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\360Safe\safemon\ExecAccess
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\360Safe\safemon\MonAccess
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\360Safe\safemon\SiteAccess
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\360Safe\safemon\UDiskAccess
- HKEY_LOCAL_MACHINE\software\microsoft\windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System
读取的注册表键
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System
修改的注册表键
- HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\360Safe\safemon\ExecAccess
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\360Safe\safemon\MonAccess
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\360Safe\safemon\SiteAccess
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\360Safe\safemon\UDiskAccess
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System
删除的注册表键
无信息
API解析
- kernel32.dll.IsProcessorFeaturePresent
- cryptbase.dll.SystemFunction036
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle
- kernel32.dll.LoadLibraryA
- kernel32.dll.VirtualAlloc
- kernel32.dll.GetModuleHandleA
- kernel32.dll.FlsAlloc
- kernel32.dll.FlsGetValue
- kernel32.dll.FlsSetValue
- kernel32.dll.FlsFree
- kernel32.dll.LocalAlloc
- kernel32.dll.LocalFree
- kernel32.dll.CreateFileA
- kernel32.dll.SetFilePointer
- kernel32.dll.ReadFile
- kernel32.dll.CloseHandle
- kernel32.dll.WriteFile