Maldun Security Analysis Report

Analysis type: FILE
Start time: 2019-09-16 18:22:31
End time: 2019-09-16 18:24:47
Duration: 136 seconds
Analysis engine version: 1.4-Maldun

VM name: win7-sp1-x64-hpdapp01-1
Label: win7-sp1-x64-hpdapp01-1
VM manager: KVM
Boot time: 2019-09-16 18:22:39
Shutdown time: 2019-09-16 18:24:49
Maldun score

10.0

Pcclient

File details

File name Yoayakoae.psd
File size 2896384 bytes
File type PE32 executable (DLL) (console) Intel 80386, for MS Windows
CRC32 029C2CE3
MD5 2482500ad2cac1c0d9a0ff48ef0dece7
SHA1 bac29f214f1cf80647da7d77e3372ad9f869cab7
SHA256 8fe835c07a3662545e5b4893253bc10996cc7007b49ec661f5cc5a6382a821e9
SHA512 b40a3a6e781d1d04405092db0f7198143fa73ae0c7a875feb8091ac579e27060522ae866bd8f619efc38e655fe79a50e0eba93da0aa21668ea138a8028989813
Ssdeep 6144:JJVGpxx9b3wZuwm4GPZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZx:JJI3L3+LC
PEiD No match
Yara
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • network_tcp_socket (Communications over RAW socket)
  • sniff_audio (Record Audio)
  • rat_webcam (Remote Administration toolkit using webcam)
  • screenshot (Detected take screenshot function)
  • create_process (Detection function for creating a new process)
  • escalate_priv (Detected escalate privileges function)
  • keylogger (Detected keylogger function)
  • win_registry (Detected system registries modification function)
  • change_win_registry (Change registries to affect system)
  • win_token (Affect system token)
  • win_files_operation (Affect private profile)
  • win_hook (Detected hook table access function)
  • Maldun_Anomoly_Combined_Activities_5 (Spotted potential malicious behaviors like logging and network communication)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small-size target, like process manipulation, privilege, token and files)
  • with_images (Detected the presence of one or several images)
  • gh0st ()
  • Armadillov1xxv2xx ()
  • IsPE32 (Detected 32bit PE signature)
  • IsDLL (Detect DLL signature)
  • IsConsole (Detected Console program signature)
  • IsPacked (Detected Entropy signature)
  • HasOverlay (Detected Overlay signature)
  • HasRichSignature (Detected Rich Signature)
VirusTotal No scan result for this file

Signatures

Creates RWX memory
Maldun wping.org domain reputation system
Neutral: xiaoyuqaz.xyz
Maldun wping.org IP address reputation system
Neutral: 183.224.86.202
Forces a created process to be loaded as a child of another unrelated process
Repeatedly searches for a process that cannot be found; may want to be run with the startbrowser=1 option
Creates a hidden file or system file
file: C:\Program Files (x86)\Ddcm\Yoayakoae.psd
Installs itself into the Windows startup (autorun) entries
service name: Doyraf Txlnvsdl Ore
service path: %SystemRoot%\System32\svchost.exe -k imgsvc
Attempts to delay the analysis task for a long time via a process
Process: svchost.exe tried to sleep 234 seconds, actually delayed analysis time by 0 seconds
Creates a common PcClient mutex or corresponding file changes
Maldun security Yara rule detection result - High risk

Runtime screenshots

Network analysis

Hosts accessed

IP address: 183.224.86.202 (direct access)
Country: China

Domain resolution

Domain: xiaoyuqaz.xyz
Response: A 183.224.86.202

UDP connections

IP address: 192.168.122.1
Port: 53

Static analysis

PE information

Image base 0x10000000
Entry point 0x1001297a
Declared checksum 0x00000000
Actual checksum 0x002c4fb7
Minimum OS version required 4.0
Compile time 2011-03-03 22:21:34
Import hash 7c6587f80cfc7217c35267a25d2d65bd
Exported DLL name \x38\x31\x31\x31\x34\x31\x31\x31

Version information

LegalCopyright: © 2010 Sogou.com Inc. All rights reserved.
InternalName: SogouPY SogouTSF
FileVersion: 5.0.0.3787
CompanyName: Sogou.com Inc.
PrivateBuild:
LegalTrademarks:
Comments:
ProductName: 搜狗拼音输入法
SpecialBuild:
ProductVersion: 5.0.0.3787
FileDescription: 搜狗拼音输入法 语言栏支持
OriginalFilename: SogouTSF.dll
Translation: 0x0804 0x04b0

PE sections

Name | Virtual address | Virtual size | Raw data size | Characteristics | Entropy
.text 0x00001000 0x00011ec0 0x00012000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.46
.rdata 0x00013000 0x00002e0c 0x00003000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.14
.data 0x00016000 0x00002ea0 0x00002600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.34
.rsrc 0x00019000 0x00000760 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.01
.reloc 0x0001a000 0x000012e8 0x00001400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.94

Overlay

Offset: 0x0001afd4
Size: 0x002a822c

Imports

Library KERNEL32.dll:
0x10013090 - FindNextFileA
0x10013094 - LocalReAlloc
0x10013098 - FindFirstFileA
0x1001309c - LocalAlloc
0x100130a0 - RemoveDirectoryA
0x100130a4 - GetFileSize
0x100130a8 - CreateFileA
0x100130ac - ReadFile
0x100130b0 - SetFilePointer
0x100130b4 - WriteFile
0x100130b8 - MoveFileA
0x100130bc - lstrcatA
0x100130c0 - GetSystemDirectoryA
0x100130c4 - CreateProcessA
0x100130c8 - ExitProcess
0x100130cc - Process32Next
0x100130d0 - lstrcmpiA
0x100130d4 - Process32First
0x100130d8 - CreateToolhelp32Snapshot
0x100130dc - HeapFree
0x100130e0 - MapViewOfFile
0x100130e4 - CreateFileMappingA
0x100130e8 - UnmapViewOfFile
0x100130ec - GetLogicalDriveStringsA
0x100130f0 - GlobalFree
0x100130f4 - GlobalUnlock
0x100130f8 - GlobalLock
0x100130fc - GlobalAlloc
0x10013100 - GlobalSize
0x10013104 - GetStartupInfoA
0x10013108 - WaitForMultipleObjects
0x1001310c - LocalSize
0x10013110 - TerminateProcess
0x10013114 - OpenProcess
0x10013118 - GetCurrentThreadId
0x1001311c - GlobalMemoryStatus
0x10013120 - GetSystemInfo
0x10013124 - GetComputerNameA
0x10013128 - LocalFree
0x1001312c - OpenEventA
0x10013130 - SetErrorMode
0x10013134 - GetCurrentProcess
0x10013138 - GetWindowsDirectoryA
0x1001313c - SetFileAttributesA
0x10013140 - CopyFileA
0x10013144 - ExpandEnvironmentStringsA
0x10013148 - GetModuleFileNameA
0x1001314c - GetVolumeInformationA
0x10013150 - GetDiskFreeSpaceExA
0x10013154 - GetDriveTypeA
0x10013158 - lstrlenA
0x1001315c - lstrcpyA
0x10013160 - GetFileAttributesA
0x10013164 - CreateDirectoryA
0x10013168 - DeleteFileA
0x1001316c - GetProcessHeap
0x10013170 - HeapAlloc
0x10013174 - GetCurrentProcessId
0x10013178 - GetLocalTime
0x1001317c - GetTickCount
0x10013180 - CancelIo
0x10013184 - InterlockedExchange
0x10013188 - ResetEvent
0x1001318c - GetLastError
0x10013190 - VirtualAlloc
0x10013194 - EnterCriticalSection
0x10013198 - LeaveCriticalSection
0x1001319c - VirtualFree
0x100131a0 - DeleteCriticalSection
0x100131a4 - CreateThread
0x100131a8 - ResumeThread
0x100131ac - SetEvent
0x100131b0 - WaitForSingleObject
0x100131b4 - GetProcAddress
0x100131b8 - Sleep
0x100131bc - TerminateThread
0x100131c0 - GetVersionExA
0x100131c4 - FindClose
0x100131c8 - CloseHandle
0x100131cc - FreeLibrary
0x100131d0 - LoadLibraryA
0x100131d4 - GetModuleHandleA
0x100131d8 - CreateEventA
Library USER32.dll:
0x10013288 - LoadMenuA
0x1001328c - RegisterClassA
0x10013290 - LoadIconA
0x10013294 - CreateWindowExA
0x10013298 - CloseWindow
0x1001329c - IsWindow
0x100132a0 - PostMessageA
0x100132a4 - OpenDesktopA
0x100132a8 - GetThreadDesktop
0x100132ac - GetUserObjectInformationA
0x100132b0 - OpenInputDesktop
0x100132b4 - SetThreadDesktop
0x100132b8 - CloseDesktop
0x100132bc - IsWindowVisible
0x100132c0 - ExitWindowsEx
0x100132c4 - GetCursorPos
0x100132c8 - GetCursorInfo
0x100132cc - DestroyCursor
0x100132d0 - ReleaseDC
0x100132d4 - GetDesktopWindow
0x100132d8 - GetDC
0x100132dc - SetRect
0x100132e0 - GetSystemMetrics
0x100132e4 - GetClipboardData
0x100132e8 - OpenClipboard
0x100132ec - EmptyClipboard
0x100132f0 - SetClipboardData
0x100132f4 - CloseClipboard
0x100132f8 - mouse_event
0x100132fc - SetCursorPos
0x10013300 - WindowFromPoint
0x10013304 - SetCapture
0x10013308 - DispatchMessageA
0x1001330c - TranslateMessage
0x10013310 - GetMessageA
0x10013314 - CharNextA
0x10013318 - wsprintfA
0x1001331c - GetWindowTextA
0x10013320 - MessageBoxA
0x10013324 - LoadCursorA
0x10013328 - BlockInput
0x1001332c - SendMessageA
0x10013330 - keybd_event
0x10013334 - MapVirtualKeyA
0x10013338 - GetWindowThreadProcessId
Library GDI32.dll:
0x10013088 - GetStockObject
Library ADVAPI32.dll:
0x10013000 - OpenProcessToken
0x10013004 - RegDeleteKeyA
0x10013008 - RegRestoreKeyA
0x1001300c - RegSaveKeyA
0x10013010 - RegCloseKey
0x10013014 - RegQueryValueExA
0x10013018 - RegOpenKeyExA
0x1001301c - CloseEventLog
0x10013020 - ClearEventLogA
0x10013024 - OpenEventLogA
0x10013028 - RegSetValueExA
0x1001302c - RegCreateKeyExA
0x10013030 - CloseServiceHandle
0x10013034 - DeleteService
0x10013038 - OpenServiceA
0x1001303c - OpenSCManagerA
0x10013040 - FreeSid
0x10013044 - SetSecurityDescriptorDacl
0x10013048 - AddAccessAllowedAce
0x1001304c - InitializeAcl
0x10013050 - GetLengthSid
0x10013054 - AllocateAndInitializeSid
0x10013058 - InitializeSecurityDescriptor
0x1001305c - RegOpenKeyA
0x10013060 - SetServiceStatus
0x10013064 - RegisterServiceCtrlHandlerA
0x10013068 - UnlockServiceDatabase
0x1001306c - ChangeServiceConfig2A
0x10013070 - LockServiceDatabase
0x10013074 - CreateServiceA
0x10013078 - StartServiceA
0x1001307c - AdjustTokenPrivileges
0x10013080 - LookupPrivilegeValueA
Library SHELL32.dll:
0x10013280 - SHGetSpecialFolderPathA
Library MSVCRT.dll:
0x1001320c - sprintf
0x10013210 - strncpy
0x10013214 - free
0x10013218 - malloc
0x1001321c - _except_handler3
0x10013220 - strrchr
0x10013224 - _beginthreadex
0x10013228 - atoi
0x1001322c - _stricmp
0x10013230 - _access
0x10013234 - srand
0x10013238 - calloc
0x1001323c - ??1type_info@@UAE@XZ
0x10013240 - _initterm
0x10013244 - _adjust_fdiv
0x10013248 - rand
0x1001324c - _CxxThrowException
0x10013250 - strstr
0x10013254 - _ftol
0x10013258 - ??2@YAPAXI@Z
0x1001325c - ??3@YAXPAX@Z
0x10013260 - puts
0x10013264 - __CxxFrameHandler
0x10013268 - memmove
0x1001326c - putchar
0x10013270 - wcstombs
0x10013274 - _strrev
0x10013278 - ceil
Library WS2_32.dll:
0x10013340 - sendto
0x10013344 - WSASocketA
0x10013348 - htonl
0x1001334c - getsockname
0x10013350 - inet_addr
0x10013354 - send
0x10013358 - closesocket
0x1001335c - select
0x10013360 - recv
0x10013364 - socket
0x10013368 - gethostbyname
0x1001336c - htons
0x10013370 - setsockopt
0x10013374 - WSAIoctl
0x10013378 - WSACleanup
0x1001337c - WSAStartup
0x10013380 - connect
Library MSVCP60.dll:
0x100131e0 - ?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
0x100131e4 - ?_Xran@std@@YAXXZ
0x100131e8 - ?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
0x100131ec - ?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
0x100131f0 - ?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
0x100131f4 - ?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
0x100131f8 - ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
0x100131fc - ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
0x10013200 - ?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
0x10013204 - ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z

Exports

Ordinal | Address | Name
1 0x1000b820 EndWork
2 0x1000b820 Runing
3 0x1000b840 ServiceMain
4 0x1000b820 Working

Dropped files

No information

Behavior analysis

Mutexes: No information
Commands executed
  • C:\Windows\SysWOW64\svchost.exe -k imgsvc
Services created
  • Doyraf Txlnvsdl Ore
Services started
  • Doyraf Txlnvsdl Ore

Processes

rundll32.exe PID: 2480, parent PID: 2332

services.exe PID: 428, parent PID: 332

svchost.exe PID: 2664, parent PID: 428

Files accessed
  • C:\Users\test\AppData\Local\Temp\Yoayakoae.psd.dll
  • C:\Users\test\AppData\Local\Temp\Yoayakoae.psd.dll.123.Manifest
  • C:\Users\test\AppData\Local\Temp\Yoayakoae.psd.dll.124.Manifest
  • C:\Users\test\AppData\Local\Temp\Yoayakoae.psd.dll.2.Manifest
  • C:\Windows\SysWOW64\rundll32.exe
  • C:\Users\test\AppData\Local\Temp\MSVCP60.dll
  • C:\Windows\System32\msvcp60.dll
  • C:\Windows\System32\syslog.dat
  • C:\Users\test\AppData\Local\Temp
  • C:\Program Files (x86)
  • C:\Program Files (x86)\Ddcm
  • C:\Program Files (x86)\Ddcm\Yoayakoae.psd
  • C:\Net-Temp.ini
  • C:\Windows\Temp
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\program files (x86)\Ddcm\yoayakoae.psd
  • C:\program files (x86)\Ddcm\MSVCP60.dll
  • C:\NT_Path.jpg
Files read
  • C:\Users\test\AppData\Local\Temp\Yoayakoae.psd.dll
  • C:\Users\test\AppData\Local\Temp\Yoayakoae.psd.dll.123.Manifest
  • C:\Users\test\AppData\Local\Temp\Yoayakoae.psd.dll.124.Manifest
  • C:\Users\test\AppData\Local\Temp\Yoayakoae.psd.dll.2.Manifest
  • C:\Windows\SysWOW64\rundll32.exe
  • C:\Windows\System32\msvcp60.dll
  • C:\Net-Temp.ini
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\program files (x86)\Ddcm\yoayakoae.psd
  • C:\NT_Path.jpg
Files modified
  • C:\Net-Temp.ini
  • C:\Program Files (x86)\Ddcm\Yoayakoae.psd
Files deleted
  • C:\Windows\System32\syslog.dat
  • C:\Program Files (x86)\Ddcm\Yoayakoae.psd
  • C:\Net-Temp.ini
Registry keys
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\Yoayakoae.psd.dll
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Doyraf Txlnvsdl Ore
  • HKEY_LOCAL_MACHINE\SOFTWARE\38644058
  • HKEY_LOCAL_MACHINE\SOFTWARE\38644058\Parameters
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\38644058\Parameters\ServiceDll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
  • HKEY_LOCAL_MACHINE\SOFTWARE\311485774
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\311485774\imgsvc
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Doyraf Txlnvsdl Ore
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Doyraf Txlnvsdl Ore\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Doyraf Txlnvsdl Ore\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Doyraf Txlnvsdl Ore\WOW64
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
  • HKEY_USERS\S-1-5-18
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
  • HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
  • HKEY_USERS\.DEFAULT\Environment
  • HKEY_USERS\.DEFAULT\Volatile Environment
  • HKEY_USERS\.DEFAULT\Volatile Environment\0
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Doyraf Txlnvsdl Ore\Environment
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Windows\NoInteractiveServices
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost\imgsvc
  • HKEY_CURRENT_USER
  • HKEY_USERS\.DEFAULT\Control Panel\International
  • HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
  • HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
  • HKEY_USERS\.DEFAULT\Control Panel\International\sList
  • HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
  • HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
  • HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
  • HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
  • HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
  • HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
  • HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
  • HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
  • HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
  • HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
  • HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
  • HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
  • HKEY_USERS\.DEFAULT\Control Panel\International\s1159
  • HKEY_USERS\.DEFAULT\Control Panel\International\s2359
  • HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
  • HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
  • HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
  • HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
  • HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
  • HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
  • HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
  • HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
  • HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
  • HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
  • HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
  • HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
  • HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
  • HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
  • HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
  • HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Doyraf Txlnvsdl Ore\Parameters
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Doyraf Txlnvsdl Ore\Parameters\ServiceDll
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Doyraf Txlnvsdl Ore\Parameters\ServiceManifest
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Doyraf Txlnvsdl Ore\Parameters\ServiceMain
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Doyraf Txlnvsdl Ore\Parameters
Registry keys read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\Yoayakoae.psd.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\311485774\imgsvc
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Doyraf Txlnvsdl Ore\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Doyraf Txlnvsdl Ore\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Doyraf Txlnvsdl Ore\WOW64
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
  • HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
  • HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Doyraf Txlnvsdl Ore\Environment
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Windows\NoInteractiveServices
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost\imgsvc
  • HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
  • HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
  • HKEY_USERS\.DEFAULT\Control Panel\International\sList
  • HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
  • HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
  • HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
  • HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
  • HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
  • HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
  • HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
  • HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
  • HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
  • HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
  • HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
  • HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
  • HKEY_USERS\.DEFAULT\Control Panel\International\s1159
  • HKEY_USERS\.DEFAULT\Control Panel\International\s2359
  • HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
  • HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
  • HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
  • HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
  • HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
  • HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
  • HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
  • HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
  • HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
  • HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
  • HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
  • HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
  • HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
  • HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
  • HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
  • HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Doyraf Txlnvsdl Ore\Parameters\ServiceDll
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Doyraf Txlnvsdl Ore\Parameters\ServiceManifest
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Doyraf Txlnvsdl Ore\Parameters\ServiceMain
Registry keys modified
  • HKEY_LOCAL_MACHINE\SOFTWARE\38644058
  • HKEY_LOCAL_MACHINE\SOFTWARE\38644058\Parameters
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\38644058\Parameters\ServiceDll
  • HKEY_LOCAL_MACHINE\SOFTWARE\311485774
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\311485774\imgsvc
Registry keys deleted: No information
APIs resolved
  • avicap32.dll.capGetDriverDescriptionA
  • yoayakoae.psd.dll.#1
  • kernel32.dll.SortGetHandle
  • kernel32.dll.SortCloseHandle
  • yoayakoae.psd.ServiceMain
  • kernel32.dll.InitializeCriticalSection
  • ws2_32.dll.connect