魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2022-05-28 00:19:50	2022-05-28 00:22:02	132 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-shaapp03-1	win7-sp1-x64-shaapp03-1	KVM	2022-05-28 00:19:52	2022-05-28 00:22:03

魔盾分数
10.0 恶意的

文件详细信息

文件名	QQDADAOVIP.exe
文件大小	606208 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
CRC32	D5DA79D1
MD5	bda56cf30bea451439455567cc37db53
SHA1	1f822bdf2a03e0795b2fd99ad3c6e91dbc375b05
SHA256	a45f7196b6e0b4a96a50bb6866b7d1becc6109120dee21dc8e6f79f8b21a2667
SHA512	ee0929f726431b9ede7fc1078b9ad57e4a093609aca15d7139ea5a1c63694c68276615561ae845feb83eb31b8d0cdb6c582cdf131009662ff7fad7e968516cb0
Ssdeep	6144:ZbTaWWBAOKaJyzHS9qef9PEr5rAN2Y4p3czFcyD8iG7jopq1B1tRQqpu5+X:ZEKfzS9Hf56CSyDWHGq1Fr
PEiD	无匹配
Yara	MD5_Constants (Look for MD5 constants) with_images (Detected the presence of an or several images) IsPE32 (Detected a 32bit PE sample) IsWindowsGUI (Detected a Windows GUI sample) HasRichSignature (Detected Rich Signature) DebuggerTiming__Ticks (Detected timing ticks function) disable_registry (Disable Registry editor) screenshot (Detected take screenshot function) create_process (Detection function for creating a new process) persistence (Detected function for installing itself for autorun at Windows startup) keylogger (Detected keylogger function) win_registry (Detected system registries modification function) change_win_registry (Change registries to affect system) win_files_operation (Affect private profile) win_hook (Detected hook table access function) win_private_profile (Detected private profile access function) Maldun_Anomoly_Combined_Activities_Logging_Persistence (Spotted postential abnormal behaviors, like logging and persistenc3) Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files)
VirusTotal	VirusTotal查询失败

特征

对一个无法找到的进程进行重复搜索，可能希望以startbrowser=1选项运行

创建一个隐藏文件或系统文件

file: C:\Windows\System32\long.ico

可疑的样本异常终止

魔盾安全Yara规则检测结果 - 高危

Warning: Disable Registry editor

Warning: Detected function for installing itself for autorun at Windows startup

Critical: Spotted postential abnormal behaviors, like logging and persistenc3

Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files

将自己装载到Windows开机自动启动项目

key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\long

data: C:\Users\test\AppData\Local\Temp\QQDADAOVIP.exe

对一些具体的运行中的进程呈现出兴趣

process: lsass.exe

process: explorer.exe

运行截图

网络分析

TCP连接

IP地址	端口
23.55.220.27	80

UDP连接

IP地址	端口
192.168.122.1	53

HTTP请求

URL	HTTP数据
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache

静态分析

PE 信息

初始地址	0x00400000
入口地址	0x00447192
声明校验值	0x00000000
实际校验值	0x0009aefa
最低操作系统版本要求	4.0
编译时间	2013-03-14 21:55:06
载入哈希	f6db569c26db90c77fc24bafaf1610e5
图标
图标精确哈希值	7bdbe8603eae61b51da840097545794b
图标相似性哈希值	a0d71d3b5a41797c8892e8b6bc319940

版本信息

LegalCopyright:	\xe5\xe6\xe7\xe7
FileVersion:	1.0.0.0
CompanyName:	\xe5\xe6\xe7\xe7
Comments:	\xe6\xe7\xe5\xe4\xe7\xe6\xe8\xe8\xe7\xe5(http://www.eyuyan.com)
ProductName:	\xe5\xe6\xe7\xe7
ProductVersion:	1.0.0.0
FileDescription:	\xe5\xe6\xe7\xe7
Translation:	0x0804 0x04b0

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x00064812	0x00065000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.55
.rdata	0x00066000	0x00018c54	0x00019000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.73
.data	0x0007f000	0x0002aaea	0x0000f000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	4.78
.rsrc	0x000aa000	0x0000530c	0x00006000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	4.74

资源

名称	偏移量	大小	语言	子语言	熵(Entropy)	文件类型
TEXTINCLUDE	0x000aab78	0x00000151	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.25	C source, ASCII text, with CRLF line terminators
TEXTINCLUDE	0x000aab78	0x00000151	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.25	C source, ASCII text, with CRLF line terminators
TEXTINCLUDE	0x000aab78	0x00000151	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.25	C source, ASCII text, with CRLF line terminators
RT_CURSOR	0x000ab068	0x000000b4	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.74	data
RT_CURSOR	0x000ab068	0x000000b4	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.74	data
RT_CURSOR	0x000ab068	0x000000b4	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.74	data
RT_CURSOR	0x000ab068	0x000000b4	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.74	data
RT_BITMAP	0x000ac770	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x000ac770	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x000ac770	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x000ac770	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x000ac770	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x000ac770	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x000ac770	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x000ac770	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x000ac770	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x000ac770	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x000ac770	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x000ac770	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x000ac770	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x000ac770	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_ICON	0x000accc4	0x000006a8	LANG_NEUTRAL	SUBLANG_NEUTRAL	2.28	dBase III DBT, version number 0, next free block index 40, 1st item "\013x\270\263"
RT_ICON	0x000accc4	0x000006a8	LANG_NEUTRAL	SUBLANG_NEUTRAL	2.28	dBase III DBT, version number 0, next free block index 40, 1st item "\013x\270\263"
RT_ICON	0x000accc4	0x000006a8	LANG_NEUTRAL	SUBLANG_NEUTRAL	2.28	dBase III DBT, version number 0, next free block index 40, 1st item "\013x\270\263"
RT_MENU	0x000ad378	0x00000284	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.28	data
RT_MENU	0x000ad378	0x00000284	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.28	data
RT_DIALOG	0x000ae5c0	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x000ae5c0	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x000ae5c0	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x000ae5c0	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x000ae5c0	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x000ae5c0	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x000ae5c0	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x000ae5c0	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x000ae5c0	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x000ae5c0	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_STRING	0x000af008	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x000af008	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x000af008	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x000af008	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x000af008	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x000af008	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x000af008	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x000af008	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x000af008	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x000af008	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x000af008	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_GROUP_CURSOR	0x000af054	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x000af054	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x000af054	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_ICON	0x000af0a0	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.02	MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_GROUP_ICON	0x000af0a0	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.02	MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_GROUP_ICON	0x000af0a0	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.02	MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_VERSION	0x000af0b4	0x00000258	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.61	data

导入

库 WINMM.dll:

• 0x46662c - midiStreamOut

• 0x466630 - midiOutPrepareHeader

• 0x466634 - waveOutOpen

• 0x466638 - midiOutUnprepareHeader

• 0x46663c - midiStreamOpen

• 0x466640 - midiStreamProperty

• 0x466644 - waveOutReset

• 0x466648 - waveOutPause

• 0x46664c - waveOutWrite

• 0x466650 - waveOutPrepareHeader

• 0x466654 - waveOutUnprepareHeader

• 0x466658 - midiStreamStop

• 0x46665c - midiOutReset

• 0x466660 - midiStreamClose

• 0x466664 - midiStreamRestart

• 0x466668 - waveOutGetNumDevs

• 0x46666c - waveOutClose

库 WS2_32.dll:

• 0x466684 - WSAAsyncSelect

• 0x466688 - closesocket

• 0x46668c - WSACleanup

• 0x466690 - recvfrom

• 0x466694 - ioctlsocket

• 0x466698 - inet_ntoa

• 0x46669c - recv

• 0x4666a0 - accept

• 0x4666a4 - getpeername

库 KERNEL32.dll:

• 0x466184 - MultiByteToWideChar

• 0x466188 - SetLastError

• 0x46618c - GetTimeZoneInformation

• 0x466190 - GetVersion

• 0x466194 - HeapSize

• 0x466198 - RaiseException

• 0x46619c - GetLocalTime

• 0x4661a0 - GetSystemTime

• 0x4661a4 - RtlUnwind

• 0x4661a8 - GetStartupInfoA

• 0x4661ac - GetOEMCP

• 0x4661b0 - GetCPInfo

• 0x4661b4 - GetProcessVersion

• 0x4661b8 - SetErrorMode

• 0x4661bc - GlobalFlags

• 0x4661c0 - GetCurrentThread

• 0x4661c4 - GetFileTime

• 0x4661c8 - TlsGetValue

• 0x4661cc - LocalReAlloc

• 0x4661d0 - TlsSetValue

• 0x4661d4 - TlsFree

• 0x4661d8 - GlobalHandle

• 0x4661dc - TlsAlloc

• 0x4661e0 - LocalAlloc

• 0x4661e4 - lstrcmpA

• 0x4661e8 - GlobalGetAtomNameA

• 0x4661ec - GlobalAddAtomA

• 0x4661f0 - GlobalFindAtomA

• 0x4661f4 - GlobalDeleteAtom

• 0x4661f8 - lstrcmpiA

• 0x4661fc - SetEndOfFile

• 0x466200 - UnlockFile

• 0x466204 - LockFile

• 0x466208 - FlushFileBuffers

• 0x46620c - DuplicateHandle

• 0x466210 - lstrcpynA

• 0x466214 - FileTimeToLocalFileTime

• 0x466218 - FileTimeToSystemTime

• 0x46621c - LocalFree

• 0x466220 - WideCharToMultiByte

• 0x466224 - InterlockedDecrement

• 0x466228 - InterlockedIncrement

• 0x46622c - OpenProcess

• 0x466230 - TerminateProcess

• 0x466234 - GetCurrentProcess

• 0x466238 - GetFileSize

• 0x46623c - SetFilePointer

• 0x466240 - CreateToolhelp32Snapshot

• 0x466244 - Process32First

• 0x466248 - Process32Next

• 0x46624c - CreateSemaphoreA

• 0x466250 - ResumeThread

• 0x466254 - ReleaseSemaphore

• 0x466258 - EnterCriticalSection

• 0x46625c - LeaveCriticalSection

• 0x466260 - GetProfileStringA

• 0x466264 - WriteFile

• 0x466268 - ReadFile

• 0x46626c - GetLastError

• 0x466270 - WaitForMultipleObjects

• 0x466274 - CreateFileA

• 0x466278 - SetEvent

• 0x46627c - FindResourceA

• 0x466280 - LoadResource

• 0x466284 - LockResource

• 0x466288 - GetModuleFileNameA

• 0x46628c - GetCurrentThreadId

• 0x466290 - ExitProcess

• 0x466294 - GlobalSize

• 0x466298 - GlobalFree

• 0x46629c - DeleteCriticalSection

• 0x4662a0 - InitializeCriticalSection

• 0x4662a4 - lstrcatA

• 0x4662a8 - WinExec

• 0x4662ac - lstrcpyA

• 0x4662b0 - FindNextFileA

• 0x4662b4 - InterlockedExchange

• 0x4662b8 - GlobalReAlloc

• 0x4662bc - HeapFree

• 0x4662c0 - HeapReAlloc

• 0x4662c4 - GetProcessHeap

• 0x4662c8 - HeapAlloc

• 0x4662cc - GetFullPathNameA

• 0x4662d0 - FreeLibrary

• 0x4662d4 - LoadLibraryA

• 0x4662d8 - lstrlenA

• 0x4662dc - GetVersionExA

• 0x4662e0 - WritePrivateProfileStringA

• 0x4662e4 - CreateThread

• 0x4662e8 - CreateEventA

• 0x4662ec - Sleep

• 0x4662f0 - GlobalAlloc

• 0x4662f4 - GlobalLock

• 0x4662f8 - GlobalUnlock

• 0x4662fc - FindFirstFileA

• 0x466300 - FindClose

• 0x466304 - SetFileAttributesA

• 0x466308 - GetFileAttributesA

• 0x46630c - SetCurrentDirectoryA

• 0x466310 - GetVolumeInformationA

• 0x466314 - GetModuleHandleA

• 0x466318 - GetProcAddress

• 0x46631c - MulDiv

• 0x466320 - GetCommandLineA

• 0x466324 - GetTickCount

• 0x466328 - WaitForSingleObject

• 0x46632c - CloseHandle

• 0x466330 - GetACP

• 0x466334 - UnhandledExceptionFilter

• 0x466338 - FreeEnvironmentStringsA

• 0x46633c - FreeEnvironmentStringsW

• 0x466340 - GetEnvironmentStrings

• 0x466344 - GetEnvironmentStringsW

• 0x466348 - SetHandleCount

• 0x46634c - GetStdHandle

• 0x466350 - GetFileType

• 0x466354 - GetEnvironmentVariableA

• 0x466358 - HeapDestroy

• 0x46635c - HeapCreate

• 0x466360 - VirtualFree

• 0x466364 - SetEnvironmentVariableA

• 0x466368 - LCMapStringA

• 0x46636c - LCMapStringW

• 0x466370 - VirtualAlloc

• 0x466374 - IsBadWritePtr

• 0x466378 - SetUnhandledExceptionFilter

• 0x46637c - GetStringTypeA

• 0x466380 - GetStringTypeW

• 0x466384 - CompareStringA

• 0x466388 - CompareStringW

• 0x46638c - IsBadReadPtr

• 0x466390 - IsBadCodePtr

• 0x466394 - SetStdHandle

库 USER32.dll:

• 0x4663b8 - IsIconic

• 0x4663bc - SetFocus

• 0x4663c0 - GetActiveWindow

• 0x4663c4 - GetWindow

• 0x4663c8 - DestroyAcceleratorTable

• 0x4663cc - PeekMessageA

• 0x4663d0 - SetMenu

• 0x4663d4 - GetMenu

• 0x4663d8 - DefWindowProcA

• 0x4663dc - GetClassInfoA

• 0x4663e0 - DeleteMenu

• 0x4663e4 - GetSystemMenu

• 0x4663e8 - IsZoomed

• 0x4663ec - PostQuitMessage

• 0x4663f0 - CopyAcceleratorTableA

• 0x4663f4 - GetKeyState

• 0x4663f8 - TranslateAcceleratorA

• 0x4663fc - IsWindowEnabled

• 0x466400 - ShowWindow

• 0x466404 - LoadImageA

• 0x466408 - EnumDisplaySettingsA

• 0x46640c - ClientToScreen

• 0x466410 - EnableMenuItem

• 0x466414 - GetSubMenu

• 0x466418 - GetDlgCtrlID

• 0x46641c - CreateAcceleratorTableA

• 0x466420 - CreateMenu

• 0x466424 - SetWindowRgn

• 0x466428 - GetMessagePos

• 0x46642c - ScreenToClient

• 0x466430 - ChildWindowFromPointEx

• 0x466434 - CopyRect

• 0x466438 - LoadBitmapA

• 0x46643c - ModifyMenuA

• 0x466440 - KillTimer

• 0x466444 - SetTimer

• 0x466448 - ReleaseCapture

• 0x46644c - GetCapture

• 0x466450 - SetCapture

• 0x466454 - GetScrollRange

• 0x466458 - SetScrollRange

• 0x46645c - SetScrollPos

• 0x466460 - InflateRect

• 0x466464 - SetRect

• 0x466468 - IntersectRect

• 0x46646c - GetSysColorBrush

• 0x466470 - DestroyIcon

• 0x466474 - PtInRect

• 0x466478 - OffsetRect

• 0x46647c - IsWindowVisible

• 0x466480 - EnableWindow

• 0x466484 - RedrawWindow

• 0x466488 - GetWindowLongA

• 0x46648c - SetWindowLongA

• 0x466490 - GetSysColor

• 0x466494 - SetActiveWindow

• 0x466498 - SetCursorPos

• 0x46649c - LoadCursorA

• 0x4664a0 - SetCursor

• 0x4664a4 - GetDC

• 0x4664a8 - FillRect

• 0x4664ac - IsRectEmpty

• 0x4664b0 - ReleaseDC

• 0x4664b4 - IsChild

• 0x4664b8 - DestroyMenu

• 0x4664bc - SetForegroundWindow

• 0x4664c0 - GetWindowRect

• 0x4664c4 - EqualRect

• 0x4664c8 - UpdateWindow

• 0x4664cc - ValidateRect

• 0x4664d0 - InvalidateRect

• 0x4664d4 - GetClientRect

• 0x4664d8 - GetFocus

• 0x4664dc - GetParent

• 0x4664e0 - GetTopWindow

• 0x4664e4 - PostMessageA

• 0x4664e8 - IsWindow

• 0x4664ec - SetParent

• 0x4664f0 - DestroyCursor

• 0x4664f4 - SendMessageA

• 0x4664f8 - SetWindowPos

• 0x4664fc - MessageBoxA

• 0x466500 - GetCursorPos

• 0x466504 - GetSystemMetrics

• 0x466508 - EmptyClipboard

• 0x46650c - SetClipboardData

• 0x466510 - OpenClipboard

• 0x466514 - GetClipboardData

• 0x466518 - CloseClipboard

• 0x46651c - wsprintfA

• 0x466520 - AppendMenuA

• 0x466524 - CreatePopupMenu

• 0x466528 - DrawIconEx

• 0x46652c - CreateIconFromResource

• 0x466530 - CreateIconFromResourceEx

• 0x466534 - RegisterClipboardFormatA

• 0x466538 - SetRectEmpty

• 0x46653c - GetMessageA

• 0x466540 - WindowFromPoint

• 0x466544 - DrawFocusRect

• 0x466548 - DrawEdge

• 0x46654c - DrawFrameControl

• 0x466550 - LoadIconA

• 0x466554 - TranslateMessage

• 0x466558 - SystemParametersInfoA

• 0x46655c - GetDesktopWindow

• 0x466560 - GetClassNameA

• 0x466564 - GetWindowThreadProcessId

• 0x466568 - FindWindowA

• 0x46656c - GetDlgItem

• 0x466570 - GetWindowTextA

• 0x466574 - WinHelpA

• 0x466578 - UnregisterClassA

• 0x46657c - DispatchMessageA

• 0x466580 - GetWindowTextLengthA

• 0x466584 - CharUpperA

• 0x466588 - GetWindowDC

• 0x46658c - BeginPaint

• 0x466590 - EndPaint

• 0x466594 - TabbedTextOutA

• 0x466598 - DrawTextA

• 0x46659c - GrayStringA

• 0x4665a0 - DestroyWindow

• 0x4665a4 - CreateDialogIndirectParamA

• 0x4665a8 - EndDialog

• 0x4665ac - GetNextDlgTabItem

• 0x4665b0 - GetWindowPlacement

• 0x4665b4 - RegisterWindowMessageA

• 0x4665b8 - GetForegroundWindow

• 0x4665bc - GetLastActivePopup

• 0x4665c0 - GetMessageTime

• 0x4665c4 - RemovePropA

• 0x4665c8 - CallWindowProcA

• 0x4665cc - GetPropA

• 0x4665d0 - UnhookWindowsHookEx

• 0x4665d4 - SetPropA

• 0x4665d8 - GetClassLongA

• 0x4665dc - CallNextHookEx

• 0x4665e0 - SetWindowsHookExA

• 0x4665e4 - CreateWindowExA

• 0x4665e8 - GetMenuItemID

• 0x4665ec - GetMenuItemCount

• 0x4665f0 - RegisterClassA

• 0x4665f4 - GetScrollPos

• 0x4665f8 - AdjustWindowRectEx

• 0x4665fc - MapWindowPoints

• 0x466600 - SendDlgItemMessageA

• 0x466604 - ScrollWindowEx

• 0x466608 - IsDialogMessageA

• 0x46660c - SetWindowTextA

• 0x466610 - MoveWindow

• 0x466614 - CheckMenuItem

• 0x466618 - SetMenuItemBitmaps

• 0x46661c - GetMenuState

• 0x466620 - GetMenuCheckMarkDimensions

• 0x466624 - LoadStringA

库 GDI32.dll:

• 0x466028 - GetTextMetricsA

• 0x46602c - Escape

• 0x466030 - ExtTextOutA

• 0x466034 - TextOutA

• 0x466038 - RectVisible

• 0x46603c - PtVisible

• 0x466040 - GetViewportExtEx

• 0x466044 - ExtSelectClipRgn

• 0x466048 - CreateSolidBrush

• 0x46604c - GetStockObject

• 0x466050 - CreateFontIndirectA

• 0x466054 - EndPage

• 0x466058 - EndDoc

• 0x46605c - DeleteDC

• 0x466060 - StartDocA

• 0x466064 - StartPage

• 0x466068 - BitBlt

• 0x46606c - GetPixel

• 0x466070 - CreateCompatibleDC

• 0x466074 - Ellipse

• 0x466078 - Rectangle

• 0x46607c - DPtoLP

• 0x466080 - GetCurrentObject

• 0x466084 - RoundRect

• 0x466088 - GetTextExtentPoint32A

• 0x46608c - GetDeviceCaps

• 0x466090 - CreateDIBSection

• 0x466094 - CreateRectRgnIndirect

• 0x466098 - SetBkColor

• 0x46609c - LineTo

• 0x4660a0 - MoveToEx

• 0x4660a4 - ExcludeClipRect

• 0x4660a8 - GetClipBox

• 0x4660ac - ScaleWindowExtEx

• 0x4660b0 - CombineRgn

• 0x4660b4 - CreateRectRgn

• 0x4660b8 - FillRgn

• 0x4660bc - PatBlt

• 0x4660c0 - CreatePen

• 0x4660c4 - GetObjectA

• 0x4660c8 - SelectObject

• 0x4660cc - CreateBitmap

• 0x4660d0 - CreateDCA

• 0x4660d4 - CreateCompatibleBitmap

• 0x4660d8 - GetPolyFillMode

• 0x4660dc - GetStretchBltMode

• 0x4660e0 - GetROP2

• 0x4660e4 - GetBkColor

• 0x4660e8 - GetBkMode

• 0x4660ec - GetTextColor

• 0x4660f0 - CreateRoundRectRgn

• 0x4660f4 - CreateEllipticRgn

• 0x4660f8 - PathToRegion

• 0x4660fc - EndPath

• 0x466100 - BeginPath

• 0x466104 - GetWindowOrgEx

• 0x466108 - GetViewportOrgEx

• 0x46610c - GetWindowExtEx

• 0x466110 - GetDIBits

• 0x466114 - RealizePalette

• 0x466118 - SetWindowExtEx

• 0x46611c - SetWindowOrgEx

• 0x466120 - ScaleViewportExtEx

• 0x466124 - SetViewportExtEx

• 0x466128 - OffsetViewportOrgEx

• 0x46612c - SetViewportOrgEx

• 0x466130 - SetMapMode

• 0x466134 - SelectPalette

• 0x466138 - StretchBlt

• 0x46613c - CreatePalette

• 0x466140 - GetSystemPaletteEntries

• 0x466144 - CreateDIBitmap

• 0x466148 - DeleteObject

• 0x46614c - SelectClipRgn

• 0x466150 - CreatePolygonRgn

• 0x466154 - SetPixel

• 0x466158 - SetStretchBltMode

• 0x46615c - LPtoDP

• 0x466160 - GetClipRgn

• 0x466164 - SetTextColor

• 0x466168 - SetROP2

• 0x46616c - SetPolyFillMode

• 0x466170 - SetBkMode

• 0x466174 - RestoreDC

• 0x466178 - SaveDC

• 0x46617c - ExtCreateRegion

库 WINSPOOL.DRV:

• 0x466674 - OpenPrinterA

• 0x466678 - DocumentPropertiesA

• 0x46667c - ClosePrinter

库 ADVAPI32.dll:

• 0x466000 - RegCloseKey

• 0x466004 - RegOpenKeyExA

• 0x466008 - RegSetValueExA

• 0x46600c - RegCreateKeyA

• 0x466010 - RegQueryValueA

• 0x466014 - RegCreateKeyExA

库 SHELL32.dll:

• 0x4663ac - ShellExecuteA

• 0x4663b0 - Shell_NotifyIconA

库 ole32.dll:

• 0x4666c0 - CLSIDFromString

• 0x4666c4 - OleUninitialize

• 0x4666c8 - OleInitialize

库 OLEAUT32.dll:

• 0x46639c - LoadTypeLib

• 0x4663a0 - RegisterTypeLib

• 0x4663a4 - UnRegisterTypeLib

库 COMCTL32.dll:

• 0x46601c - None

• 0x466020 - ImageList_Destroy

库 comdlg32.dll:

• 0x4666ac - ChooseColorA

• 0x4666b0 - GetOpenFileNameA

• 0x4666b4 - GetSaveFileNameA

• 0x4666b8 - GetFileTitleA

投放文件

无信息

行为分析

互斥量(Mutexes)

Local\MSCTF.Asm.MutexDefault1

执行的命令 无信息

创建的服务 无信息

启动的服务 无信息

进程

QQDADAOVIP.exe PID: 2544, 上一级进程 PID: 2192

访问的文件

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\
C:\Windows\System32\taskmgr.exe
C:\Windows\System32\long.ico

读取的文件

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\System32\taskmgr.exe

修改的文件

C:\Windows\System32\long.ico

删除的文件 无信息

注册表键

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\long
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\C\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\C\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\D\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\D\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\E\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\E\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\G\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\G\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\H\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\H\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\S\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\S\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\T\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\T\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\I\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\I\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\J\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\J\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\K\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\K\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\QQDADAOVIP.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe

读取的注册表键

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext

修改的注册表键

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\long
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\C\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\C\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\D\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\D\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\E\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\E\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\F\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\G\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\G\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\H\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\H\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\S\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\S\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\T\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\T\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\I\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\I\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\J\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\J\DefaultIcon\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\K\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\K\DefaultIcon\(Default)

删除的注册表键 无信息

API解析

kernel32.dll.IsProcessorFeaturePresent
cryptbase.dll.SystemFunction036
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy