Thread starter: 2218675712

[Suspicious file] Please check whether this activation tool is a virus.
蓝天二号
Posted 2017-8-16 14:32:53
File name: re-loaderbyr@1n.exe
Threat name: Heur.AdvML.B
Full path: c:\users\microsoft\desktop\新建文件夹\re-loader(3.0 beta3)kms激活工具\re-loaderbyr@1n.exe

On computer: 2017/8/16 ( 14:32:38 )
Last used: 2017/8/16 ( 14:32:38 )
Startup item: Started

Threat type: Heuristic virus. Threat detected using malware heuristics.

re-loaderbyr@1n.exe, threat name: Heur.AdvML.B

File trusted by very few users
Fewer than 5 users in the Norton Community have used this file.

Very new file
This file was released less than 1 week ago.

This file is high risk.

Source: External media

File actions
File: c:\users\microsoft\desktop\新建文件夹\re-loader(3.0 beta3)kms激活工具\re-loaderbyr@1n.exe  Blocked

File fingerprint - SHA: Not available
File fingerprint - MD5: Not available
zjy3220313
Posted 2017-8-16 14:40:38
Here is the analysis report for the software.

File detection rating: High risk

File name: Re-Loader%EF%BC%883.0+...%BB%E5%B7%A5%E5%85%B7.zip

Basic information
File name: Re-Loader%EF%BC%883.0+...%BB%E5%B7%A5%E5%85%B7.zip
MD5: a5a3644dc745f318ff9721b51ce62096
File type: zip
Upload time: 2017-08-16 14:32:32
Publisher: N/A
Version: N/A
Packer/compiler info: COMPILER:PE+(32)
Sub-file info: Details
Key behaviors
Behavior: Cross-process data write
Details:

TargetProcess = C:\Users\Administrator\AppData\Local\%temp%\b70c_unzip\Re-Loader(3.0 Beta3)KMS激活工具\supportf35.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x000008f4

TargetProcess = C:\Users\Administrator\AppData\Local\%temp%\b70c_unzip\Re-Loader(3.0 Beta3)KMS激活工具\supportf35.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x000008f4

TargetProcess = C:\Users\Administrator\AppData\Local\%temp%\b70c_unzip\Re-Loader(3.0 Beta3)KMS激活工具\supportf35.exe, WriteAddress = 0x7ffdb238, Size = 0x00000004 TargetPID = 0x000008f4
Behavior: Load driver (regular)
Details:

\??\C:\Windows\ipsec32.sys
Behavior: Get TickCount value
Details:

TickCount = 131625, SleepMilliseconds = 60000.

TickCount = 131640, SleepMilliseconds = 60000.

TickCount = 131656, SleepMilliseconds = 60000.

TickCount = 131687, SleepMilliseconds = 60000.

TickCount = 131703, SleepMilliseconds = 60000.

TickCount = 131937, SleepMilliseconds = 60000.

TickCount = 131953, SleepMilliseconds = 60000.

TickCount = 131984, SleepMilliseconds = 60000.

TickCount = 132140, SleepMilliseconds = 60000.

TickCount = 132156, SleepMilliseconds = 60000.

TickCount = 132203, SleepMilliseconds = 60000.

TickCount = 132250, SleepMilliseconds = 60000.

TickCount = 132453, SleepMilliseconds = 60000.

TickCount = 132468, SleepMilliseconds = 60000.

TickCount = 132484, SleepMilliseconds = 60000.
Behavior: Look up PE resource information
Details:

(FindResourceExExW) hModule = 0x00000000, ResName: 95(ID), ResType: WIN32EXE

(FindResourceExExW) hModule = 0x00000000, ResName: 140(ID), ResType: WIN32EXE

(FindResourceExExW) hModule = 0x00000000, ResName: 97(ID), ResType: WIN32EXE
Behavior: Set special folder attributes
Details:

C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5

C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies

C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
Behavior: Read CPU clock directly
Details:

EAX = 0x1388b97e, EDX = 0x0000003b

EAX = 0x163bb8fa, EDX = 0x0000003b

EAX = 0x163bb946, EDX = 0x0000003b

EAX = 0x18c388cf, EDX = 0x0000003b

EAX = 0x289f2455, EDX = 0x0000003b

EAX = 0x289f24a1, EDX = 0x0000003b

EAX = 0x4d9129ce, EDX = 0x0000003b

EAX = 0x4d912a1a, EDX = 0x0000003b

EAX = 0x4d912a66, EDX = 0x0000003b

EAX = 0x4d912ab2, EDX = 0x0000003b
Behavior: Create system service
Details:

[服务创建成功]: ipsec32.sys, C:\Windows\ipsec32.sys
Process behavior
Behavior: Cross-process data write
Details:

TargetProcess = C:\Users\Administrator\AppData\Local\%temp%\b70c_unzip\Re-Loader(3.0 Beta3)KMS激活工具\supportf35.exe, WriteAddress = 0x00050000, Size = 0x00000020 TargetPID = 0x000008f4

TargetProcess = C:\Users\Administrator\AppData\Local\%temp%\b70c_unzip\Re-Loader(3.0 Beta3)KMS激活工具\supportf35.exe, WriteAddress = 0x00050020, Size = 0x00000034 TargetPID = 0x000008f4

TargetProcess = C:\Users\Administrator\AppData\Local\%temp%\b70c_unzip\Re-Loader(3.0 Beta3)KMS激活工具\supportf35.exe, WriteAddress = 0x7ffdb238, Size = 0x00000004 TargetPID = 0x000008f4
Behavior: Create process from new file
Details:

[0x000008f4]ImagePath = C:\Users\Administrator\AppData\Local\%temp%\b70c_unzip\Re-Loader(3.0 Beta3)KMS激活工具\supportf35.exe, CmdLine = "C:\Users\Administrator\AppData\Local\%temp%\b70c_unzip\Re-Loader(3.0 Beta3)KMS激活工具\supportf35.exe"
Behavior: Enumerate processes
Details:

N/A
File behavior
Behavior: Create file
Details:

C:\Windows\libegl.dll

C:\Users\Administrator\AppData\Local\%temp%\b70c_unzip\Re-Loader(3.0 Beta3)KMS激活工具\supportf35.exe

C:\Windows\ipsec32.sys

C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\wpad[1].dat

C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\api[1]

C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb
Behavior: Create executable file
Details:

C:\Windows\libegl.dll

C:\Users\Administrator\AppData\Local\%temp%\b70c_unzip\Re-Loader(3.0 Beta3)KMS激活工具\supportf35.exe

C:\Windows\ipsec32.sys
Behavior: Search for file
Details:

FileName = C:\Windows\libegl.zh-CN

FileName = C:\Windows\libegl.zh-Hans

FileName = C:\Windows\libegl.zh

FileName = C:\Windows\libegl.en-US

FileName = C:\Windows\libegl.en

FileName = C:\Windows\libegl.CHS

FileName = C:\Windows\libegl.CH

FileName = C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk

FileName = C:\ProgramData\Microsoft\Network\Connections\Pbk\*.pbk

FileName = C:\Windows\system32\Ras\*.pbk

FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk

FileName = C:\Users\Administrator\AppData\Roaming\Microsoft\Network\Connections\Pbk\*.pbk

FileName = C:\Users

FileName = C:\Users\Administrator\AppData

FileName = C:\Users\Administrator\AppData\Local
Behavior: Delete file
Details:

C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\wpad[1].dat

C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2KQWVTOD\api[1]

C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb
Behavior: Set special folder attributes
Details:

C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5

C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies

C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5
Behavior: Modify file contents
Details:

C:\Windows\libegl.dll ---> Offset = 0

C:\Users\Administrator\AppData\Local\%temp%\b70c_unzip\Re-Loader(3.0 Beta3)KMS激活工具\supportf35.exe ---> Offset = 0

C:\Windows\ipsec32.sys ---> Offset = 0

C:\Windows\WindowsUpdate.log ---> Offset = 53248

C:\Windows\WindowsUpdate.log ---> Offset = 54288

C:\Windows\WindowsUpdate.log ---> Offset = 54408

C:\Windows\WindowsUpdate.log ---> Offset = 54492

C:\Windows\WindowsUpdate.log ---> Offset = 54575

C:\Windows\WindowsUpdate.log ---> Offset = 54631

C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb ---> Offset = 0

C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb ---> Offset = 393216

C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb ---> Offset = 131072

C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb ---> Offset = 65536
Network behavior
Behavior: Open URL over the network
Details:

InternetOpenUrlA: http://u.****om/gameall/api?a=s&nm=hhhhh&q=c52&v=1.0.0&s3=0&m=08-00-27-48-89-80, hInternet = 0x00cc0004, Flags = 0x00000001

InternetOpenUrlA: http://**.133.40.**:128/wpad.dat, hInternet = 0x00cc0008, Flags = 0x00000010
Behavior: Open HTTP connection
Details:

InternetOpenA: UserAgent: Re-LoaderByR@1n, hSession = 0x00cc0004

InternetOpenA: UserAgent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0), hSession = 0x00cc0008
Behavior: Connect to a specified socket
Details:

URL: wpad, IP: **.133.40.**:128, SOCKET = 0x0000041c

URL: u.****om, IP: **.133.40.**:80, SOCKET = 0x00000424
Behavior: Read network file
Details:

hFile = 0x00cc0010, BytesToRead =4010, BytesRead = 4010.
Behavior: Send HTTP request
Details:

GET /wpad.dat HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32; Trident/4.0) Host: **.133.40.**:128

GET /gameall/api?a=s&nm=hhhhh&q=c52&v=1.0.0&s3=0&m=08-00-27-48-89-80 HTTP/1.1 User-Agent: Re-LoaderByR@1n Host: u.****om
Behavior: Resolve host address by name
Details:

GetAddrInfoW: a-PC

GetAddrInfoW: wpad

GetAddrInfoW: u.****om
Registry behavior
Behavior: Modify registry
Details:

\REGISTRY\USER\S-*\Software\Microsoft\Windows Script\Settings\JITDebug

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Re-LoaderByR@1n_RASAPI32\EnableFileTracing

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Re-LoaderByR@1n_RASAPI32\EnableConsoleTracing

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Re-LoaderByR@1n_RASAPI32\FileTracingMask

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Re-LoaderByR@1n_RASAPI32\ConsoleTracingMask

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Re-LoaderByR@1n_RASAPI32\MaxFileSize

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Re-LoaderByR@1n_RASAPI32\FileDirectory

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Re-LoaderByR@1n_RASMANCS\EnableFileTracing

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Re-LoaderByR@1n_RASMANCS\EnableConsoleTracing

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Re-LoaderByR@1n_RASMANCS\FileTracingMask

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Re-LoaderByR@1n_RASMANCS\ConsoleTracingMask

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Re-LoaderByR@1n_RASMANCS\MaxFileSize

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Tracing\Re-LoaderByR@1n_RASMANCS\FileDirectory

\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-*\RefCount
Behavior: Delete registry value
Details:

\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer

\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride

\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL

\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass

\REGISTRY\USER\S-*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName

\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\BITS\Performance\PerfMMFileName
Other behavior
Behavior: Check whether it is being debugged
Details:

IsDebuggerPresent
Behavior: Create mutex
Details:

Local\_!MSFTHISTORY!_

Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5!

Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!

Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!

Local\WininetStartupMutex

Local\WininetConnectionMutex

Local\WininetProxyRegistryMutex

RasPbFile

Local\ZonesCounterMutex

Local\ZoneAttributeCacheCounterMutex

Local\ZonesCacheCounterMutex

Local\ZonesLockedCacheCounterMutex

IESQMMUTEX_0_208

Local\!IETld!Mutex

Global\WindowsUpdateTracingMutex
Behavior: Load driver (regular)
Details:

\??\C:\Windows\ipsec32.sys
Behavior: Open mutex
Details:

Local\MSCTF.Asm.MutexDefault1

Local\_!MSFTHISTORY!_

Local\c:!users!administrator!appdata!local!microsoft!windows!temporary internet files!content.ie5!

Local\c:!users!administrator!appdata!roaming!microsoft!windows!cookies!

Local\c:!users!administrator!appdata!local!microsoft!windows!history!history.ie5!

Local\WininetStartupMutex

Local\WininetConnectionMutex

Local\WininetProxyRegistryMutex

Local\!IETld!Mutex
Behavior: Start system service
Details:

[服务启动成功]: , ipsec32.sys, \??\C:\Windows\ipsec32.sys
Behavior: Window information
Details:

Pid = 2620, Hwnd=0x20186, Text = 1:, ClassName = Static.

Pid = 2620, Hwnd=0x20184, Text = load, ClassName = Button.

Pid = 2620, Hwnd=0x20182, Text = 1, ClassName = Button.

Pid = 2620, Hwnd=0x20180, Text = 2, ClassName = Button.

Pid = 2620, Hwnd=0x201ba, Text = 3, ClassName = Button.

Pid = 2620, Hwnd=0x201e6, Text = 4, ClassName = Button.

Pid = 2620, Hwnd=0x30172, Text = C:\Users\Administrator\Desktop, ClassName = MFCEditBrowse.
Behavior: Get TickCount value
Details:

TickCount = 131625, SleepMilliseconds = 60000.

TickCount = 131640, SleepMilliseconds = 60000.

TickCount = 131656, SleepMilliseconds = 60000.

TickCount = 131687, SleepMilliseconds = 60000.

TickCount = 131703, SleepMilliseconds = 60000.

TickCount = 131937, SleepMilliseconds = 60000.

TickCount = 131953, SleepMilliseconds = 60000.

TickCount = 131984, SleepMilliseconds = 60000.

TickCount = 132140, SleepMilliseconds = 60000.

TickCount = 132156, SleepMilliseconds = 60000.

TickCount = 132203, SleepMilliseconds = 60000.

TickCount = 132250, SleepMilliseconds = 60000.

TickCount = 132453, SleepMilliseconds = 60000.

TickCount = 132468, SleepMilliseconds = 60000.

TickCount = 132484, SleepMilliseconds = 60000.
Behavior: Adjust process token privileges
Details:

SE_SECURITY_PRIVILEGE

SE_ASSIGNPRIMARYTOKEN_PRIVILEGE

SE_MANAGE_VOLUME_PRIVILEGE
Behavior: Open event
Details:

HookSwitchHookEnabledEvent

\KernelObjects\MaximumCommitCondition

MSFT.VSA.COM.DISABLE.2620

MSFT.VSA.IEC.STATUS.6c736db0

Local\MSCTF.CtfActivated.Default1

Local\MSCTF.AsmCacheReady.Default1

\SECURITY\LSA_AUTHENTICATION_INITIALIZED

Global\SvcctrlStartEvent_A3752DX

SC_AutoStartComplete
Behavior: Look up PE resource information
Details:

(FindResourceExExW) hModule = 0x00000000, ResName: 95(ID), ResType: WIN32EXE

(FindResourceExExW) hModule = 0x00000000, ResName: 140(ID), ResType: WIN32EXE

(FindResourceExExW) hModule = 0x00000000, ResName: 97(ID), ResType: WIN32EXE
Behavior: Executable signature information
Details:

C:\Windows\libegl.dll(签名验证: 未通过)

C:\Users\Administrator\AppData\Local\%temp%\b70c_unzip\Re-Loader(3.0 Beta3)KMS激活工具\supportf35.exe(签名验证: 未通过)

C:\Windows\ipsec32.sys(签名验证: 未通过)
Behavior: Call Sleep function
Details:

[1]: MilliSeconds = 60000.

[2]: MilliSeconds = 60000.

[3]: MilliSeconds = 60000.

[4]: MilliSeconds = 60000.

[5]: MilliSeconds = 60000.

[6]: MilliSeconds = 0.

[7]: MilliSeconds = 60000.

[8]: MilliSeconds = 60000.

[9]: MilliSeconds = 60000.

[10]: MilliSeconds = 60000.
Behavior: Executable MD5
Details:

C:\Windows\libegl.dll ---> 65b2f8a9e6d8975b740d3653d0b074bd

C:\Users\Administrator\AppData\Local\%temp%\b70c_unzip\Re-Loader(3.0 Beta3)KMS激活工具\supportf35.exe ---> f7b368a33ea9ca184679e132806b414f

C:\Windows\ipsec32.sys ---> 41c44e42120549e5222c3c6a2b5ad3b4
Behavior: Read CPU clock directly
Details:

EAX = 0x1388b97e, EDX = 0x0000003b

EAX = 0x163bb8fa, EDX = 0x0000003b

EAX = 0x163bb946, EDX = 0x0000003b

EAX = 0x18c388cf, EDX = 0x0000003b

EAX = 0x289f2455, EDX = 0x0000003b

EAX = 0x289f24a1, EDX = 0x0000003b

EAX = 0x4d9129ce, EDX = 0x0000003b

EAX = 0x4d912a1a, EDX = 0x0000003b

EAX = 0x4d912a66, EDX = 0x0000003b

EAX = 0x4d912ab2, EDX = 0x0000003b
Behavior: Create system service
Details:

[服务创建成功]: ipsec32.sys, C:\Windows\ipsec32.sys
Behavior: Load newly dropped file
Details:

Image: C:\Windows\libegl.dll.

Image: C:\Users\Administrator\AppData\Local\%temp%\b70c_unzip\Re-Loader(3.0 Beta3)KMS激活工具\supportf35.exe.
ixinxin8816
Posted 2017-8-16 16:29:27
The original version isn't infected; this one was probably tampered with.
janie
Posted 2017-8-17 11:53:15
Come on, guys, can you stop using Baidu Cloud? Spare a thought for us in Xinjiang.
PanzerVIIIMaus
Posted 2017-8-17 12:24:37
狐狸糊涂 posted on 2017-8-16 11:07:
Might be a problem. I think anything with @ in the file name is no good (human-brain detection).

+1 for human heuristics: meaningless characters followed by @, or @ followed by meaningless characters, are important indicators.
不存在的
Posted 2017-8-17 17:30:59
The ones with @ all seem to be downloaders.
Copyright © KaFan  KaFan.cn All Rights Reserved.