Maldun Security Analysis Report
Analysis type: FILE
Start time: 2016-06-02 09:50:33
End time: 2016-06-02 09:54:00
Duration: 207 seconds
Analysis engine version: 1.4-Maldun
VM machine name: win7-sp1-x64
Tag: win7-sp1-x64
VM manager: KVM
Boot time: 2016-06-02 09:51:31
Shutdown time: 2016-06-02 09:54:00
Maldun score: 10.0
Razy
File details
File name: alotenq.exe
File size: 2539008 bytes
File type: PE32 executable (GUI) Intel 80386, for MS Windows
CRC32: CA4DB7C7
MD5: cd8c119e0af17373774970d74ba56c0c
SHA1: 20a0b628c313f5891cb832ba589cc6dc97861d3f
SHA256: d9ea873ed0cbd6f08dbda805f1dee54aa06a6523eddc6ad7e4cdd572af6c9318
SHA512: 755f22f3e362752e057e4ce5540c8521e5250afd1e40fcfd2f9464a226a476ec424938b38ac584dec81f99cab6accb95bcc752c080c312cd39b7924b780c4a67
Ssdeep: 49152:mVxQBWOhbf3YAOES1wtLBmheG/Pcn+n1ho7ZwS5:6KBJhcAOExBBmthd
PEiD: no match
Yara: DebuggerCheck__API ()
VirusTotal: VirusTotal link
VirusTotal scan time: 2016-05-28 18:56:50
Scan result: 27/57
Signatures
Creates RWX memory
Performs some HTTP requests
url: http://www.msftncsi.com/ncsi.txt
The binary likely contains encrypted or compressed data
section: name: .text, entropy: 7.52, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x001c1400, virtual_size: 0x001c122c
File has been identified by at least ten antivirus engines on VirusTotal as malicious
MicroWorld-eScan: Gen:Variant.Razy.60045
McAfee: GenericR-HQT!CD8C119E0AF1
VIPRE: Trojan.Win32.Generic!BT
K7GW: Trojan ( 004dde001 )
Baidu: Win32.Trojan.WisdomEyes.151026.9950.9999
Symantec: Suspicious.Cloud.7.F
ESET-NOD32: Win32/SpamTool.Agent.NGI
Avast: Win32:Malware-gen
GData: Gen:Variant.Razy.60045
Kaspersky: Trojan.Win32.Yakes.psyu
BitDefender: Gen:Variant.Razy.60045
Rising: Malware.Generic!Djro4Zl3ZlF@2 (Thunder)
Ad-Aware: Gen:Variant.Razy.60045
Emsisoft: Gen:Variant.Razy.60045 (B)
F-Secure: Gen:Variant.Razy.60045
McAfee-GW-Edition: BehavesLike.Win32.Dropper.vc
Sophos: Mal/Generic-S
Cyren: W32/Trojan.PAQN-7976
Jiangmin: Trojan.Yakes.jqn
Arcabit: Trojan.Razy.DEA8D
AegisLab: Gen.Variant.Razy!c
ALYac: Gen:Variant.Razy.60045
AVware: Trojan.Win32.Generic!BT
Panda: Trj/GdSda.A
Ikarus: Trojan.SuspectCRC
Fortinet: W32/Yakes.PSYU!tr
Qihoo-360: Win32/Trojan.5cd
Screenshots
Network analysis
Hosts contacted
Direct access: No
IP address: 96.7.54.90
Country: United States
DNS resolution
Domain: www.msftncsi.com
Responses:
CNAME a1961.g2.akamai.net
CNAME www.msftncsi.com.edgesuite.net
A 96.7.54.104
A 96.7.54.90
TCP connections
IP address  Port
96.7.54.90  80
UDP connections
IP address  Port
192.168.122.1  53
192.168.122.1  53
192.168.122.1  53
192.168.122.1  53
192.168.122.255  137
192.168.122.255  138
224.0.0.252  5355
224.0.0.252  5355
239.255.255.250  1900
52.169.179.91  123
192.168.122.69  53197
HTTP requests
URL: http://www.msftncsi.com/ncsi.txt
HTTP data:
GET /ncsi.txt HTTP/1.1
Connection: Close
User-Agent: Microsoft NCSI
Host: www.msftncsi.com
Static analysis
PE information
Image base: 0x00400000
Entry point: 0x005bcf30
Declared checksum: 0x00000000
Actual checksum: 0x00276f0e
Minimum OS version required: 5.0
Compile time: 2016-05-26 17:16:03
Icon
Icon exact hash: 210ece285eeeb03457d921de6e8e2660
Icon similarity hash: 8aead712f0b5e9484c1b93cabd7633c6
Version information
LegalCopyright: Copyright © 2005-2015
InternalName:
FileVersion: 1.1.0.0
CompanyName:
LegalTrademarks:
Comments:
ProductName: Advanced SystemCare 9
ProductVersion: 1.1.0.0
FileDescription: Advanced SystemCare 9 DiskScan
OriginalFilename:
Translation: 0x0804 0x03a8
PE sections
Name    Virtual address  Virtual size  Raw data size  Characteristics  Entropy
.text   0x00001000  0x001c122c  0x001c1400  IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ  7.52
.rdata  0x001c3000  0x0008f1c0  0x0008f200  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ  4.30
.data   0x00253000  0x00016f54  0x00016e00  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE  0.88
.rsrc   0x0026a000  0x00004550  0x00004600  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ  5.64
Resources
Name  Offset  Size  Language  Sublanguage  Entropy  File type
RT_ICON  0x0026c520  0x00001ca8  LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  5.12  data
RT_ICON  0x0026c520  0x00001ca8  LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  5.12  data
RT_ICON  0x0026c520  0x00001ca8  LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  5.12  data
RT_ICON  0x0026c520  0x00001ca8  LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  5.12  data
RT_RCDATA  0x0026a338  0x0000012d  LANG_NEUTRAL  SUBLANG_NEUTRAL  5.35  data
RT_RCDATA  0x0026a338  0x0000012d  LANG_NEUTRAL  SUBLANG_NEUTRAL  5.35  data
RT_RCDATA  0x0026a338  0x0000012d  LANG_NEUTRAL  SUBLANG_NEUTRAL  5.35  data
RT_GROUP_ICON  0x0026e1c8  0x0000003e  LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  2.76  MS Windows icon resource - 4 icons, 48x48, 256-colors
RT_VERSION  0x0026e208  0x000002ec  LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  3.33  data
RT_MANIFEST  0x0026e4f8  0x00000056  LANG_ENGLISH  SUBLANG_ENGLISH_US  4.66  ASCII text, with CRLF line terminators
Imports
Library KERNEL32.dll:
• 0x5c3194 - HeapSize
• 0x5c3198 - InitializeCriticalSectionAndSpinCount
• 0x5c319c - InterlockedDecrement
• 0x5c31a0 - InterlockedExchange
• 0x5c31a4 - InterlockedIncrement
• 0x5c31a8 - IsBadCodePtr
• 0x5c31ac - IsDebuggerPresent
• 0x5c31b0 - IsValidCodePage
• 0x5c31b4 - IsValidLanguageGroup
• 0x5c31b8 - LCMapStringA
• 0x5c31bc - LCMapStringW
• 0x5c31c0 - LeaveCriticalSection
• 0x5c31c4 - LoadLibraryA
• 0x5c31c8 - LoadLibraryExW
• 0x5c31cc - LoadLibraryW
• 0x5c31d0 - LoadModule
• 0x5c31d4 - LoadResource
• 0x5c31d8 - LocalCompact
• 0x5c31dc - LocalFileTimeToFileTime
• 0x5c31e0 - LocalFree
• 0x5c31e4 - LockResource
• 0x5c31e8 - MoveFileW
• 0x5c31ec - MulDiv
• 0x5c31f0 - MultiByteToWideChar
• 0x5c31f4 - OpenProcess
• 0x5c31f8 - OutputDebugStringW
• 0x5c31fc - Process32FirstW
• 0x5c3200 - Process32NextW
• 0x5c3204 - QueryPerformanceCounter
• 0x5c3208 - QueryPerformanceFrequency
• 0x5c320c - RaiseException
• 0x5c3210 - ReadConsoleOutputCharacterA
• 0x5c3214 - ReadFile
• 0x5c3218 - ReadProcessMemory
• 0x5c321c - RemoveDirectoryW
• 0x5c3220 - ResumeThread
• 0x5c3224 - RtlUnwind
• 0x5c3228 - SetCurrentDirectoryW
• 0x5c322c - SetEndOfFile
• 0x5c3230 - HeapReAlloc
• 0x5c3234 - SetEnvironmentVariableW
• 0x5c3238 - SetErrorMode
• 0x5c323c - SetEvent
• 0x5c3240 - SetFileAttributesW
• 0x5c3244 - SetFilePointer
• 0x5c3248 - SetFilePointerEx
• 0x5c324c - SetFileTime
• 0x5c3250 - SetHandleCount
• 0x5c3254 - SetLastError
• 0x5c3258 - SetPriorityClass
• 0x5c325c - SetStdHandle
• 0x5c3260 - SetSystemPowerState
• 0x5c3264 - SetUnhandledExceptionFilter
• 0x5c3268 - SetVolumeLabelW
• 0x5c326c - SizeofResource
• 0x5c3270 - Sleep
• 0x5c3274 - SystemTimeToFileTime
• 0x5c3278 - TerminateProcess
• 0x5c327c - TerminateThread
• 0x5c3280 - TlsAlloc
• 0x5c3284 - TlsFree
• 0x5c3288 - TlsGetValue
• 0x5c328c - TlsSetValue
• 0x5c3290 - UnhandledExceptionFilter
• 0x5c3294 - VirtualAlloc
• 0x5c3298 - VirtualAllocEx
• 0x5c329c - VirtualFree
• 0x5c32a0 - VirtualFreeEx
• 0x5c32a4 - WaitForSingleObject
• 0x5c32a8 - WideCharToMultiByte
• 0x5c32ac - WriteConsoleA
• 0x5c32b0 - WriteConsoleW
• 0x5c32b4 - WriteFile
• 0x5c32b8 - WritePrivateProfileSectionW
• 0x5c32bc - WritePrivateProfileStringW
• 0x5c32c0 - WriteProcessMemory
• 0x5c32c4 - lstrcmpiW
• 0x5c32c8 - HeapFree
• 0x5c32cc - HeapCreate
• 0x5c32d0 - HeapAlloc
• 0x5c32d4 - GlobalUnlock
• 0x5c32d8 - GlobalMemoryStatusEx
• 0x5c32dc - GlobalLock
• 0x5c32e0 - GlobalFree
• 0x5c32e4 - GlobalAlloc
• 0x5c32e8 - GetWindowsDirectoryW
• 0x5c32ec - GetVolumeInformationW
• 0x5c32f0 - GetVersionExW
• 0x5c32f4 - GetTimeZoneInformation
• 0x5c32f8 - GetTimeFormatA
• 0x5c32fc - GetTickCount
• 0x5c3300 - GetTempPathW
• 0x5c3304 - GetTempFileNameW
• 0x5c3308 - GetSystemTimeAsFileTime
• 0x5c330c - GetSystemTime
• 0x5c3310 - GetSystemInfo
• 0x5c3314 - GetSystemDirectoryW
• 0x5c3318 - GetStringTypeW
• 0x5c331c - GetStringTypeA
• 0x5c3320 - GetStdHandle
• 0x5c3324 - GetStartupInfoW
• 0x5c3328 - GetStartupInfoA
• 0x5c332c - GetShortPathNameW
• 0x5c3330 - GetProcessIoCounters
• 0x5c3334 - GetProcessHeap
• 0x5c3338 - GetProcAddress
• 0x5c333c - GetPrivateProfileStringW
• 0x5c3340 - GetPrivateProfileSectionW
• 0x5c3344 - GetPrivateProfileSectionNamesW
• 0x5c3348 - GetOEMCP
• 0x5c334c - GetModuleHandleW
• 0x5c3350 - GetModuleHandleA
• 0x5c3354 - GetModuleFileNameW
• 0x5c3358 - GetModuleFileNameA
• 0x5c335c - GetLocaleInfoA
• 0x5c3360 - GetLocalTime
• 0x5c3364 - GetLastError
• 0x5c3368 - GetFullPathNameW
• 0x5c336c - GetFileType
• 0x5c3370 - GetFileSize
• 0x5c3374 - GetFileAttributesW
• 0x5c3378 - GetExitCodeProcess
• 0x5c337c - GetEnvironmentVariableW
• 0x5c3380 - GetEnvironmentStringsW
• 0x5c3384 - GetDriveTypeW
• 0x5c3388 - GetDiskFreeSpaceW
• 0x5c338c - GetDiskFreeSpaceExW
• 0x5c3390 - GetDateFormatA
• 0x5c3394 - GetCurrentThreadId
• 0x5c3398 - GetCurrentThread
• 0x5c339c - GetCurrentProcessId
• 0x5c33a0 - GetCurrentProcess
• 0x5c33a4 - GetCurrentDirectoryW
• 0x5c33a8 - GetConsoleOutputCP
• 0x5c33ac - GetConsoleMode
• 0x5c33b0 - GetConsoleCP
• 0x5c33b4 - GetComputerNameW
• 0x5c33b8 - GetCompressedFileSizeW
• 0x5c33bc - GetCommandLineW
• 0x5c33c0 - GetCommTimeouts
• 0x5c33c4 - GetCPInfo
• 0x5c33c8 - GetACP
• 0x5c33cc - FreeLibrary
• 0x5c33d0 - FreeEnvironmentStringsW
• 0x5c33d4 - FormatMessageW
• 0x5c33d8 - FlushFileBuffers
• 0x5c33dc - FindResourceW
• 0x5c33e0 - FindNextFileW
• 0x5c33e4 - FindFirstVolumeMountPointW
• 0x5c33e8 - FindFirstFileW
• 0x5c33ec - FindClose
• 0x5c33f0 - FileTimeToSystemTime
• 0x5c33f4 - FileTimeToLocalFileTime
• 0x5c33f8 - ExitThread
• 0x5c33fc - ExitProcess
• 0x5c3400 - EnumResourceNamesW
• 0x5c3404 - EnumDateFormatsA
• 0x5c3408 - AreFileApisANSI
• 0x5c340c - EnterCriticalSection
• 0x5c3410 - DuplicateHandle
• 0x5c3414 - DeviceIoControl
• 0x5c3418 - DeleteFileW
• 0x5c341c - DeleteCriticalSection
• 0x5c3420 - CreateToolhelp32Snapshot
• 0x5c3424 - CreateThread
• 0x5c3428 - CreateProcessW
• 0x5c342c - CreatePipe
• 0x5c3430 - CreateHardLinkW
• 0x5c3434 - CreateFileW
• 0x5c3438 - CreateFileA
• 0x5c343c - CreateEventW
• 0x5c3440 - CreateDirectoryW
• 0x5c3444 - CopyFileW
• 0x5c3448 - CompareStringW
• 0x5c344c - CompareStringA
• 0x5c3450 - CloseHandle
• 0x5c3454 - Beep
• 0x5c3458 - SetEnvironmentVariableA
Library USER32.dll:
• 0x5c3514 - SetProcessWindowStation
• 0x5c3518 - SetRect
• 0x5c351c - SetTimer
• 0x5c3520 - SetUserObjectSecurity
• 0x5c3524 - SetWindowLongW
• 0x5c3528 - SetWindowPos
• 0x5c352c - SetWindowTextW
• 0x5c3530 - ShowCursor
• 0x5c3534 - ShowWindow
• 0x5c3538 - SubtractRect
• 0x5c353c - SystemParametersInfoW
• 0x5c3540 - TrackPopupMenuEx
• 0x5c3544 - TranslateAcceleratorW
• 0x5c3548 - TranslateMessage
• 0x5c354c - UnregisterHotKey
• 0x5c3550 - VkKeyScanW
• 0x5c3554 - WindowFromPoint
• 0x5c3558 - keybd_event
• 0x5c355c - mouse_event
• 0x5c3560 - wsprintfW
• 0x5c3564 - LoadIconA
• 0x5c3568 - GetKeyboardType
• 0x5c356c - GetMessagePos
• 0x5c3570 - GetLastActivePopup
• 0x5c3574 - CharLowerW
• 0x5c3578 - IsWindowVisible
• 0x5c357c - IsWindowEnabled
• 0x5c3580 - IsWindow
• 0x5c3584 - IsMenu
• 0x5c3588 - IsIconic
• 0x5c358c - IsDlgButtonChecked
• 0x5c3590 - IsDialogMessageW
• 0x5c3594 - IsClipboardFormatAvailable
• 0x5c3598 - IsCharUpperW
• 0x5c359c - IsCharLowerW
• 0x5c35a0 - IsCharAlphaW
• 0x5c35a4 - IsCharAlphaNumericW
• 0x5c35a8 - InvalidateRect
• 0x5c35ac - InsertMenuItemW
• 0x5c35b0 - InflateRect
• 0x5c35b4 - GetWindowThreadProcessId
• 0x5c35b8 - GetWindowTextW
• 0x5c35bc - GetWindowTextLengthW
• 0x5c35c0 - GetWindowRect
• 0x5c35c4 - GetWindowLongW
• 0x5c35c8 - GetUserObjectSecurity
• 0x5c35cc - GetSystemMetrics
• 0x5c35d0 - GetSysColorBrush
• 0x5c35d4 - GetSysColor
• 0x5c35d8 - GetSubMenu
• 0x5c35dc - GetProcessWindowStation
• 0x5c35e0 - GetParent
• 0x5c35e4 - GetMonitorInfoW
• 0x5c35e8 - GetMessageW
• 0x5c35ec - GetMessageTime
• 0x5c35f0 - GetMenuStringW
• 0x5c35f4 - GetMenuItemInfoW
• 0x5c35f8 - GetMenuItemID
• 0x5c35fc - GetMenuItemCount
• 0x5c3600 - GetMenu
• 0x5c3604 - GetKeyboardState
• 0x5c3608 - SetMenuItemInfoW
• 0x5c360c - GetKeyState
• 0x5c3610 - GetGUIThreadInfo
• 0x5c3614 - GetForegroundWindow
• 0x5c3618 - GetFocus
• 0x5c361c - GetDlgItem
• 0x5c3620 - GetDlgCtrlID
• 0x5c3624 - GetDesktopWindow
• 0x5c3628 - GetDC
• 0x5c362c - GetCursorPos
• 0x5c3630 - GetCursorInfo
• 0x5c3634 - GetClipboardData
• 0x5c3638 - GetClientRect
• 0x5c363c - GetClassNameW
• 0x5c3640 - GetClassLongW
• 0x5c3644 - GetCaretPos
• 0x5c3648 - GetAsyncKeyState
• 0x5c364c - GetActiveWindow
• 0x5c3650 - FrameRect
• 0x5c3654 - FlashWindow
• 0x5c3658 - FindWindowW
• 0x5c365c - FindWindowExW
• 0x5c3660 - FillRect
• 0x5c3664 - ExitWindowsEx
• 0x5c3668 - EnumWindows
• 0x5c366c - EnumThreadWindows
• 0x5c3670 - EnumChildWindows
• 0x5c3674 - EndPaint
• 0x5c3678 - EndDialog
• 0x5c367c - EnableWindow
• 0x5c3680 - EmptyClipboard
• 0x5c3684 - DrawTextW
• 0x5c3688 - DrawMenuBar
• 0x5c368c - DrawFrameControl
• 0x5c3690 - DrawFocusRect
• 0x5c3694 - DispatchMessageW
• 0x5c3698 - DialogBoxParamW
• 0x5c369c - DestroyWindow
• 0x5c36a0 - DestroyMenu
• 0x5c36a4 - DestroyIcon
• 0x5c36a8 - DestroyAcceleratorTable
• 0x5c36ac - DeleteMenu
• 0x5c36b0 - DefWindowProcW
• 0x5c36b4 - DefDlgProcW
• 0x5c36b8 - CreateWindowExW
• 0x5c36bc - CreatePopupMenu
• 0x5c36c0 - CreateMenu
• 0x5c36c4 - CreateIconFromResourceEx
• 0x5c36c8 - CreateAcceleratorTableW
• 0x5c36cc - CountClipboardFormats
• 0x5c36d0 - CopyRect
• 0x5c36d4 - CopyImage
• 0x5c36d8 - CloseWindowStation
• 0x5c36dc - SetMenuDefaultItem
• 0x5c36e0 - SetMenu
• 0x5c36e4 - SetLayeredWindowAttributes
• 0x5c36e8 - SetKeyboardState
• 0x5c36ec - SetForegroundWindow
• 0x5c36f0 - SetFocus
• 0x5c36f4 - SetCursor
• 0x5c36f8 - SetClipboardData
• 0x5c36fc - SetCapture
• 0x5c3700 - SetActiveWindow
• 0x5c3704 - SendMessageW
• 0x5c3708 - SendMessageTimeoutW
• 0x5c370c - SendInput
• 0x5c3710 - SendDlgItemMessageW
• 0x5c3714 - ScreenToClient
• 0x5c3718 - ReleaseDC
• 0x5c371c - ReleaseCapture
• 0x5c3720 - RegisterWindowMessageW
• 0x5c3724 - RegisterHotKey
• 0x5c3728 - RegisterClassExW
• 0x5c372c - RedrawWindow
• 0x5c3730 - PtInRect
• 0x5c3734 - PostQuitMessage
• 0x5c3738 - PostMessageW
• 0x5c373c - PeekMessageW
• 0x5c3740 - OpenWindowStationW
• 0x5c3744 - OpenDesktopW
• 0x5c3748 - OpenClipboard
• 0x5c374c - MoveWindow
• 0x5c3750 - MonitorFromRect
• 0x5c3754 - MonitorFromPoint
• 0x5c3758 - MessageBoxW
• 0x5c375c - MessageBoxA
• 0x5c3760 - MessageBeep
• 0x5c3764 - MapVirtualKeyW
• 0x5c3768 - LockWindowUpdate
• 0x5c376c - LoadStringW
• 0x5c3770 - LoadMenuIndirectA
• 0x5c3774 - LoadImageW
• 0x5c3778 - AdjustWindowRectEx
• 0x5c377c - AttachThreadInput
• 0x5c3780 - BeginPaint
• 0x5c3784 - BlockInput
• 0x5c3788 - CharLowerBuffW
• 0x5c378c - CharNextW
• 0x5c3790 - CharUpperBuffW
• 0x5c3794 - CheckMenuRadioItem
• 0x5c3798 - ClientToScreen
• 0x5c379c - CloseClipboard
• 0x5c37a0 - CloseDesktop
• 0x5c37a4 - LoadImageA
• 0x5c37a8 - LoadIconW
• 0x5c37ac - LoadCursorW
• 0x5c37b0 - KillTimer
• 0x5c37b4 - GetKeyboardLayoutNameW
• 0x5c37b8 - IsZoomed
• 0x5c37bc - GetWindowDC
Library GDI32.dll:
• 0x5c30d8 - GetMapMode
• 0x5c30dc - StrokePath
• 0x5c30e0 - StrokeAndFillPath
• 0x5c30e4 - StretchBlt
• 0x5c30e8 - StartDocA
• 0x5c30ec - SetViewportOrgEx
• 0x5c30f0 - SetTextColor
• 0x5c30f4 - SetPixel
• 0x5c30f8 - SetDCBrushColor
• 0x5c30fc - SetBkMode
• 0x5c3100 - SetBkColor
• 0x5c3104 - SelectObject
• 0x5c3108 - SelectFontLocal
• 0x5c310c - RoundRect
• 0x5c3110 - RemoveFontResourceExW
• 0x5c3114 - Rectangle
• 0x5c3118 - RectVisible
• 0x5c311c - PolyDraw
• 0x5c3120 - MoveToEx
• 0x5c3124 - LineTo
• 0x5c3128 - GetTextFaceW
• 0x5c312c - GetStockObject
• 0x5c3130 - GetPixel
• 0x5c3134 - GetObjectW
• 0x5c3138 - GetDeviceCaps
• 0x5c313c - GetDIBits
• 0x5c3140 - GdiGetLocalDC
• 0x5c3144 - GdiCreateLocalMetaFilePict
• 0x5c3148 - ExtCreatePen
• 0x5c314c - EngStrokeAndFillPath
• 0x5c3150 - EngGetPrinterDataFileName
• 0x5c3154 - EndPath
• 0x5c3158 - Ellipse
• 0x5c315c - DeleteObject
• 0x5c3160 - DeleteDC
• 0x5c3164 - DPtoLP
• 0x5c3168 - CreateSolidBrush
• 0x5c316c - CreatePen
• 0x5c3170 - CreateFontW
• 0x5c3174 - CreateDCW
• 0x5c3178 - CreateCompatibleDC
• 0x5c317c - CreateCompatibleBitmap
• 0x5c3180 - CloseFigure
• 0x5c3184 - BeginPath
• 0x5c3188 - GetTextExtentPoint32W
• 0x5c318c - AngleArc
Library COMDLG32.dll:
• 0x5c30cc - GetSaveFileNameW
• 0x5c30d0 - GetOpenFileNameW
Library ADVAPI32.dll:
• 0x5c3000 - AddAce
• 0x5c3004 - CloseServiceHandle
• 0x5c3008 - CopySid
• 0x5c300c - CreateProcessAsUserW
• 0x5c3010 - CreateProcessWithLogonW
• 0x5c3014 - DuplicateTokenEx
• 0x5c3018 - GetAce
• 0x5c301c - GetAclInformation
• 0x5c3020 - GetLengthSid
• 0x5c3024 - GetSecurityDescriptorDacl
• 0x5c3028 - GetTokenInformation
• 0x5c302c - RegOpenKeyA
• 0x5c3030 - RegQueryValueExA
• 0x5c3034 - UnlockServiceDatabase
• 0x5c3038 - SetSecurityDescriptorDacl
• 0x5c303c - RegSetValueW
• 0x5c3040 - RegSetValueExW
• 0x5c3044 - RegQueryValueExW
• 0x5c3048 - RegOpenKeyW
• 0x5c304c - RegOpenKeyExW
• 0x5c3050 - RegEnumValueW
• 0x5c3054 - RegEnumKeyExW
• 0x5c3058 - RegDeleteValueW
• 0x5c305c - RegDeleteKeyW
• 0x5c3060 - RegCreateKeyExW
• 0x5c3064 - RegConnectRegistryW
• 0x5c3068 - RegCloseKey
• 0x5c306c - OpenThreadToken
• 0x5c3070 - OpenSCManagerW
• 0x5c3074 - OpenProcessToken
• 0x5c3078 - LookupPrivilegeValueW
• 0x5c307c - LogonUserW
• 0x5c3080 - LockServiceDatabase
• 0x5c3084 - InitiateSystemShutdownExW
• 0x5c3088 - InitializeSecurityDescriptor
• 0x5c308c - InitializeAcl
• 0x5c3090 - GetUserNameW
• 0x5c3094 - AdjustTokenPrivileges
Library SHELL32.dll:
• 0x5c3460 - SHFormatDrive
• 0x5c3464 - Shell_NotifyIconA
• 0x5c3468 - ShellExecuteW
• 0x5c346c - ShellExecuteExW
• 0x5c3470 - ShellExecuteEx
• 0x5c3474 - DragFinish
• 0x5c3478 - DragQueryFileA
• 0x5c347c - DragQueryFileW
• 0x5c3480 - DragQueryPoint
• 0x5c3484 - ExtractAssociatedIconA
• 0x5c3488 - ExtractIconExA
• 0x5c348c - ExtractIconExW
• 0x5c3490 - ExtractIconW
• 0x5c3494 - FindExecutableW
• 0x5c3498 - SHAddToRecentDocs
• 0x5c349c - SHBindToParent
• 0x5c34a0 - SHBrowseForFolderW
• 0x5c34a4 - SHCreateDirectoryExW
• 0x5c34a8 - SHEmptyRecycleBinA
• 0x5c34ac - SHEmptyRecycleBinW
• 0x5c34b0 - SHFileOperationW
• 0x5c34b4 - Shell_NotifyIconW
• 0x5c34b8 - SHFreeNameMappings
• 0x5c34bc - SHGetDataFromIDListA
• 0x5c34c0 - SHGetDesktopFolder
• 0x5c34c4 - SHGetDiskFreeSpaceExA
• 0x5c34c8 - SHGetFileInfoW
• 0x5c34cc - SHGetFolderPathW
• 0x5c34d0 - SHGetIconOverlayIndexA
• 0x5c34d4 - SHGetMalloc
• 0x5c34d8 - SHGetPathFromIDList
• 0x5c34dc - SHGetPathFromIDListA
• 0x5c34e0 - SHGetPathFromIDListW
• 0x5c34e4 - SHGetSpecialFolderPathA
• 0x5c34e8 - SHGetSpecialFolderPathW
• 0x5c34ec - SHInvokePrinterCommandA
• 0x5c34f0 - SHIsFileAvailableOffline
• 0x5c34f4 - SHLoadNonloadedIconOverlayIdentifiers
Library ole32.dll:
• 0x5c37c4 - StringFromCLSID
• 0x5c37c8 - StringFromIID
• 0x5c37cc - OleSetMenuDescriptor
• 0x5c37d0 - OleSetContainedObject
• 0x5c37d4 - OleInitialize
• 0x5c37d8 - MkParseDisplayName
• 0x5c37dc - IIDFromString
• 0x5c37e0 - CreateStreamOnHGlobal
• 0x5c37e4 - CreateBindCtx
• 0x5c37e8 - CoUninitialize
• 0x5c37ec - CoTaskMemFree
• 0x5c37f0 - CoTaskMemAlloc
• 0x5c37f4 - CoSetProxyBlanket
• 0x5c37f8 - CoInitializeSecurity
• 0x5c37fc - CoInitialize
• 0x5c3800 - CoCreateInstanceEx
• 0x5c3804 - CoCreateInstance
• 0x5c3808 - CLSIDFromString
• 0x5c380c - CLSIDFromProgID
• 0x5c3810 - OleUninitialize
Library SHLWAPI.dll:
• 0x5c34fc - StrStrIA
• 0x5c3500 - StrStrA
• 0x5c3504 - StrRChrA
• 0x5c3508 - StrCmpNIA
• 0x5c350c - StrCmpNIW
Library COMCTL32.dll:
• 0x5c309c - ImageList_Create
• 0x5c30a0 - ImageList_Destroy
• 0x5c30a4 - ImageList_DragEnter
• 0x5c30a8 - ImageList_DragLeave
• 0x5c30ac - ImageList_DragMove
• 0x5c30b0 - ImageList_EndDrag
• 0x5c30b4 - ImageList_Remove
• 0x5c30b8 - ImageList_ReplaceIcon
• 0x5c30bc - ImageList_SetDragCursorImage
• 0x5c30c0 - ImageList_BeginDrag
• 0x5c30c4 - InitCommonControlsEx
Dropped files: none
Behavior analysis
Mutexes: none
Executed commands: none
Created services: none
Started services: none
Processes
alotenq.exe
PID: 2448, parent PID: 444
Files accessed
C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
Files read
C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
Files modified: none
Files deleted: none
Registry keys
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\interface\{d30c1661-cdaf-11d0-8a3e-00c04fc9e26e}
HKEY_LOCAL_MACHINE\Software\Classes\interface\{d30c1661-cdaf-11d0-8a3e-00c04fc9e26e}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}\y
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}\g
Registry keys read
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}\y
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}\g
Registry keys modified: none
Registry keys deleted: none
API resolution
kernelbase.dll.LoadLibraryExA
kernel32.dll.GetProcAddress
kernel32.dll.VirtualAlloc
kernel32.dll.VirtualFree
kernel32.dll.UnmapViewOfFile
kernel32.dll.VirtualProtect
kernel32.dll.LoadLibraryExA
kernel32.dll.GetModuleHandleA
kernel32.dll.CreateFileA
kernel32.dll.SetFilePointer
kernel32.dll.WriteFile
kernel32.dll.CloseHandle
kernel32.dll.GetTempPathA
kernel32.dll.lstrlenA
kernel32.dll.lstrcatA
kernelbase.dll.VirtualAlloc
ws2_32.dll.#22
ws2_32.dll.#21
ws2_32.dll.#20
ws2_32.dll.#17
ws2_32.dll.#11
ws2_32.dll.#9
ws2_32.dll.#8
ws2_32.dll.#16
ws2_32.dll.#19
ws2_32.dll.#112
ws2_32.dll.#116
ws2_32.dll.#115
ws2_32.dll.WSASocketA
ws2_32.dll.WSASend
ws2_32.dll.WSAResetEvent
ws2_32.dll.WSARecv
ws2_32.dll.WSAGetOverlappedResult
ws2_32.dll.WSAEventSelect
ws2_32.dll.WSAEnumNetworkEvents
ws2_32.dll.WSACreateEvent
ws2_32.dll.WSACloseEvent
ws2_32.dll.#111
ws2_32.dll.#18
ws2_32.dll.#4
ws2_32.dll.#2
ws2_32.dll.#14
ws2_32.dll.#6
ws2_32.dll.#15
ws2_32.dll.#23
ws2_32.dll.#3
wininet.dll.InternetCloseHandle
wininet.dll.InternetConnectA
wininet.dll.InternetOpenUrlA
wininet.dll.InternetReadFile
wininet.dll.InternetQueryOptionA
wininet.dll.InternetSetOptionA
wininet.dll.HttpOpenRequestA
wininet.dll.HttpSendRequestA
wininet.dll.InternetOpenA
iphlpapi.dll.GetNetworkParams
iphlpapi.dll.GetIpAddrTable
rpcrt4.dll.RpcStringFreeA
rpcrt4.dll.UuidToStringA
rpcrt4.dll.UuidCreate
dnsapi.dll.DnsQuery_A
dnsapi.dll.DnsFree
kernel32.dll.GetOEMCP
kernel32.dll.GetCPInfo
kernel32.dll.ReadConsoleW
kernel32.dll.SetFilePointerEx
kernel32.dll.SetUnhandledExceptionFilter
kernel32.dll.UnhandledExceptionFilter
kernel32.dll.HeapSize
kernel32.dll.SetConsoleMode
kernel32.dll.GetStringTypeW
kernel32.dll.GetLocaleInfoW
kernel32.dll.InitializeCriticalSection
kernel32.dll.EnterCriticalSection
kernel32.dll.LeaveCriticalSection
kernel32.dll.DeleteCriticalSection
kernel32.dll.GetTickCount
kernel32.dll.GetModuleFileNameA
kernel32.dll.GetLastError
kernel32.dll.Sleep
kernel32.dll.CreateThread
kernel32.dll.GetCurrentThreadId
kernel32.dll.HeapAlloc
kernel32.dll.HeapFree
kernel32.dll.GetProcessHeap
kernel32.dll.TryEnterCriticalSection
kernel32.dll.SystemTimeToFileTime
kernel32.dll.GetTimeZoneInformation
kernel32.dll.GetLocaleInfoA
kernel32.dll.ReleaseSemaphore
kernel32.dll.WaitForSingleObject
kernel32.dll.CreateSemaphoreA
kernel32.dll.GetCurrentProcess
kernel32.dll.CreateIoCompletionPort
kernel32.dll.GetQueuedCompletionStatus
kernel32.dll.PostQueuedCompletionStatus
kernel32.dll.RaiseException
kernel32.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.IsValidLocale
kernel32.dll.LoadResource
kernel32.dll.SizeofResource
kernel32.dll.lstrcmpiA
kernel32.dll.FindResourceA
kernel32.dll.MultiByteToWideChar
kernel32.dll.WideCharToMultiByte
kernel32.dll.IsDBCSLeadByte
kernel32.dll.LockResource
kernel32.dll.ReadFile
kernel32.dll.MapViewOfFile
kernel32.dll.CreateFileMappingA
kernel32.dll.SetLastError
kernel32.dll.GetSystemTime
kernel32.dll.GetStdHandle
kernel32.dll.GetFileType
kernel32.dll.FindClose
kernel32.dll.QueryPerformanceCounter
kernel32.dll.GetCurrentProcessId
kernel32.dll.GlobalMemoryStatus
kernel32.dll.LoadLibraryA
kernel32.dll.FlushConsoleInputBuffer
kernel32.dll.ReadConsoleInputA
kernel32.dll.GetConsoleMode
kernel32.dll.SetConsoleCtrlHandler
kernel32.dll.HeapReAlloc
kernel32.dll.AreFileApisANSI
kernel32.dll.GetModuleHandleExW
kernel32.dll.ExitProcess
kernel32.dll.GetCommandLineA
kernel32.dll.VirtualQuery
kernel32.dll.GetSystemInfo
kernel32.dll.GetUserDefaultLCID
kernel32.dll.EnumSystemLocalesW
kernel32.dll.GetDateFormatW
kernel32.dll.GetTimeFormatW
kernel32.dll.LCMapStringW
kernel32.dll.CompareStringW
kernel32.dll.GetConsoleCP
kernel32.dll.DeleteFileW
kernel32.dll.GetModuleFileNameW
kernel32.dll.GetEnvironmentStringsW
kernel32.dll.FreeEnvironmentStringsW
kernel32.dll.FlushFileBuffers
kernel32.dll.LoadLibraryExW
kernel32.dll.SetStdHandle
kernel32.dll.FindFirstFileExW
kernel32.dll.GetDriveTypeW
kernel32.dll.SystemTimeToTzSpecificLocalTime
kernel32.dll.FileTimeToSystemTime
kernel32.dll.CreateFileW
kernel32.dll.WriteConsoleW
kernel32.dll.SetEnvironmentVariableA
kernel32.dll.FileTimeToLocalFileTime
kernel32.dll.GetFileInformationByHandle
kernel32.dll.PeekNamedPipe
kernel32.dll.GetFullPathNameW
kernel32.dll.GetCurrentDirectoryW
kernel32.dll.SetEndOfFile
kernel32.dll.FreeLibrary
kernel32.dll.IsValidCodePage
kernel32.dll.GetModuleHandleW
kernel32.dll.GetStartupInfoW
kernel32.dll.TlsFree
kernel32.dll.TlsSetValue
kernel32.dll.GetACP
kernel32.dll.GetSystemTimeAsFileTime
kernel32.dll.RtlUnwind
kernel32.dll.TlsGetValue
kernel32.dll.TlsAlloc
kernel32.dll.TerminateProcess
kernel32.dll.IsDebuggerPresent
kernel32.dll.OutputDebugStringW
kernel32.dll.IsProcessorFeaturePresent
user32.dll.GetProcessWindowStation
user32.dll.CharNextA
user32.dll.GetUserObjectInformationW
user32.dll.TranslateMessage
user32.dll.PostThreadMessageA
user32.dll.DispatchMessageA
user32.dll.GetMessageA
user32.dll.IsCharUpperA
user32.dll.MessageBoxA
user32.dll.PeekMessageA
user32.dll.DestroyWindow
advapi32.dll.RegOpenKeyExA
advapi32.dll.RegEnumKeyExA
advapi32.dll.RegDeleteValueA
advapi32.dll.RegDeleteKeyA
advapi32.dll.RegCreateKeyExA
advapi32.dll.RegCloseKey
advapi32.dll.StartServiceCtrlDispatcherA
advapi32.dll.SetServiceStatus
advapi32.dll.RegisterServiceCtrlHandlerA
advapi32.dll.OpenServiceA
advapi32.dll.OpenSCManagerA
advapi32.dll.DeleteService
advapi32.dll.CreateServiceA
advapi32.dll.ControlService
advapi32.dll.CloseServiceHandle
advapi32.dll.RegSetValueExA
advapi32.dll.RegOpenKeyA
advapi32.dll.RegCreateKeyA
advapi32.dll.ReportEventA
advapi32.dll.RegisterEventSourceA
advapi32.dll.DeregisterEventSource
advapi32.dll.GetTokenInformation
advapi32.dll.OpenProcessToken
advapi32.dll.RegQueryInfoKeyW
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemRealloc
ole32.dll.CoTaskMemFree
ole32.dll.CoInitialize
ole32.dll.CoCreateInstance
ole32.dll.CoUninitialize
oleaut32.dll.#277
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
cryptbase.dll.SystemFunction036
uxtheme.dll.ThemeInitApiHook
user32.dll.IsProcessDPIAware
©2016 上海魔盾信息科技有限公司