4ge[ec9c60][a4527f][2f0bc7][174731]

显示全部楼层 · 发表于 2007-7-21 15:02:35

Trojan.Win32.Agent.iok
Trojan.PSW.Win32.AskTao.af
漏杀的上报

显示全部楼层 · 发表于 2007-7-21 15:12:58

運行dh.exe，發現下列行為，被EQ-Secure RC4攔截！

2007-07-21 15:03:08 创建文件    操作:允许
进程路径:D:\桌面\virus\ec9c604\dh.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\system32\RAV008C.exe
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 15:03:08 创建注册表值    操作:阻止
进程路径:D:\桌面\virus\ec9c604\dh.exe
注册表路径:HKEY_CURRENT_USER\machine\software\microsoft\Windows\CurrentVersion\Run
注册表名称:RAV008C
注册表数据:C:\windows\system32\RAV008C.exe
触发规则:所有程序规则->自動運行_普通模式->*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*

2007-07-21 15:03:13 运行应用程序    操作:允许
进程路径:D:\桌面\virus\ec9c604\dh.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\system32\RAV008C.exe
触发规则:所有程序规则->*

2007-07-21 15:03:13 修改文件    操作:允许
进程路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\system32\RAV008C.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\system32\RAV008C.exe
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 15:03:13 创建注册表值    操作:阻止
进程路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\system32\RAV008C.exe
注册表路径:HKEY_CURRENT_USER\machine\software\microsoft\Windows\CurrentVersion\Run
注册表名称:RAV008C
注册表数据:C:\windows\system32\RAV008C.exe
触发规则:所有程序规则->自動運行_普通模式->*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*

2007-07-21 15:03:17 运行应用程序    操作:阻止
进程路径:D:\桌面\virus\ec9c604\dh.exe
文件路径:C:\windows\system32\cmd.exe
命令行:/c del "D:\桌面\virus\ec9c604\dh.exe"
触发规则:所有程序规则->系統程序->%windir%\system32\cmd.exe

2007-07-21 15:03:17 运行应用程序    操作:允许
进程路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\system32\RAV008C.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\system32\RAV008C.exe
触发规则:所有程序规则->*

2007-07-21 15:03:17 修改文件    操作:允许
进程路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\system32\RAV008C.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\system32\RAV008C.exe
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 15:03:19 创建注册表值    操作:阻止
进程路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\system32\RAV008C.exe
注册表路径:HKEY_CURRENT_USER\machine\software\microsoft\Windows\CurrentVersion\Run
注册表名称:RAV008C
注册表数据:C:\windows\system32\RAV008C.exe
触发规则:所有程序规则->自動運行_普通模式->*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*

2007-07-21 15:03:19 运行应用程序    操作:阻止
进程路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\system32\RAV008C.exe
文件路径:C:\windows\system32\cmd.exe
命令行:/c del "C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\system32\RAV008C.exe"
触发规则:所有程序规则->系統程序->%windir%\system32\cmd.exe

2007-07-21 15:03:19 运行应用程序    操作:允许
进程路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\system32\RAV008C.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\system32\RAV008C.exe
触发规则:所有程序规则->*

1.他會在C\windows\system32\生成
RAV008C.exe
2.他會创建注册表值
HKEY_CURRENT_USER\machine\software\microsoft\Windows\CurrentVersion\Run
RAV008C
C:\windows\system32\RAV008C.exe
3.他會運行C\windows\system32\RAV008C.exe
4.RAV008C.exe會修改自己
5.RAV008C.exe會创建注册表值
HKEY_CURRENT_USER\machine\software\microsoft\Windows\CurrentVersion\Run
RAV008C
C:\windows\system32\RAV008C.exe
6.他會運行C:\windows\system32\cmd.exe
/c del "D:\桌面\virus\ec9c604\dh.exe"
7.RAV008C.exe會運行並修改自己
8.RAV008C.exe會创建注册表值
HKEY_CURRENT_USER\machine\software\microsoft\Windows\CurrentVersion\Run
RAV008C
C:\windows\system32\RAV008C.exe
9.RAV008C.exe會運行C:\windows\system32\cmd.exe
/c del "C:\windows\system32\RAV008C.exe"
10.就這樣一直下去

显示全部楼层 · 发表于 2007-7-21 15:28:35

運行mh.exe，發現下列行為，被EQ-Secure RC4攔截！

2007-07-21 15:15:41 创建文件    操作:允许
进程路径:D:\桌面\virus\ec9c604\mh.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\LYLOADER.EXE
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 15:15:41 运行应用程序    操作:允许
进程路径:D:\桌面\virus\ec9c604\mh.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\LYLOADER.EXE
命令行:"D:\桌面\virus\ec9c604\mh.exe"
触发规则:黑名单->禁止运行->%systemdrive%\*\Temp*\*

2007-07-21 15:15:42 创建文件    操作:允许
进程路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\LYLOADER.EXE
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\D\桌面\virus\ec9c604\mh.exe
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 15:15:42 创建文件    操作:允许
进程路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\LYLOADER.EXE
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\Privilege.dat
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 15:15:43 修改文件    操作:允许
进程路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\LYLOADER.EXE
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\Privilege.dat
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 15:15:43 创建文件    操作:允许
进程路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\LYLOADER.EXE
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\system32\LYLOADER.EXE
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 15:15:43 删除文件    操作:允许
进程路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\LYLOADER.EXE
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\Privilege.dat
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 15:15:43 创建文件    操作:允许
进程路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\LYLOADER.EXE
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\system32LYLOADER.EXE
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 15:15:44 创建文件    操作:允许
进程路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\LYLOADER.EXE
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\Privilege.dat
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 15:15:44 创建文件    操作:允许
进程路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\LYLOADER.EXE
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\LYMANGR.DLL
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 15:15:44 创建文件    操作:允许
进程路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\LYLOADER.EXE
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\system32\LYMANGR.DLL
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 15:15:44 创建文件    操作:允许
进程路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\LYLOADER.EXE
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\MSDEG32.DLL
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 15:15:44 创建文件    操作:允许
进程路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\LYLOADER.EXE
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\system32\MSDEG32.DLL
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 15:15:44 创建文件    操作:允许
进程路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\LYLOADER.EXE
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\system32\REGKEY.hiv
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 15:15:44 修改注册表内容    操作:阻止
进程路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\LYLOADER.EXE
注册表路径:HKEY_CURRENT_USER\machine\software\microsoft\Windows\CurrentVersion\policies\Explorer\Run
注册表名称:*
触发规则:所有程序规则->其他重要項->*\Software\Microsoft\Windows\Currentversion\Policies*

1.他會在C:\Documents and Settings\HungAndy\Local Settings\Temp\生成並
LYLOADER.EXE
2.他會運行C:\Documents and Settings\HungAndy\Local Settings\Temp\LYLOADER.EXE
"D:\桌面\virus\ec9c604\mh.exe"
3.LYLOADER.EXE會在C\生成
Privilege.dat
4.LYLOADER.EXE會在C\windows\system32\生成
LYLOADER.EXE
5.LYLOADER.EXE會刪除C\Privilege.dat
6.LYLOADER.EXE會在C:\Documents and Settings\HungAndy\Local Settings\Temp\生成
LYMANGR.DLL
7.LYLOADER.EXE會在C\windows\system32\生成
LYMANGR.DLL
8.LYLOADER.EXE會在C:\Documents and Settings\HungAndy\Local Settings\Temp\生成
MSDEG32.DLL
9.LYLOADER.EXE會在C\windows\system32\生成
MSDEG32.DLL
REGKEY.hiv
10.LYLOADER.EXE會修改注册表内容
HKEY_CURRENT_USER\machine\software\microsoft\Windows\CurrentVersion\policies\Explorer\Run
*

显示全部楼层 · 发表于 2007-7-21 15:35:24

運行mminstall.exe，發現下列行為，被EQ-Secure RC4攔截！

2007-07-21 15:29:36 创建文件    操作:允许
进程路径:D:\桌面\virus\ec9c604\mminstall.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\D\Favorites\彶紲.url
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 15:29:37 创建文件    操作:允许
进程路径:D:\桌面\virus\ec9c604\mminstall.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\system32\drivers\mmrk4pr0.sys
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 15:29:37 修改文件    操作:允许
进程路径:D:\桌面\virus\ec9c604\mminstall.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\system32\drivers\mmrk4pr0.sys
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 15:29:38 创建文件    操作:允许
进程路径:D:\桌面\virus\ec9c604\mminstall.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\system32\drivers\k63upqm.sys
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 15:29:38 修改文件    操作:允许
进程路径:D:\桌面\virus\ec9c604\mminstall.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\system32\drivers\k63upqm.sys
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 15:29:48 创建文件    操作:允许
进程路径:D:\桌面\virus\ec9c604\mminstall.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\system32\y57nqms.dll
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

2007-07-21 15:29:48 修改文件    操作:允许
进程路径:D:\桌面\virus\ec9c604\mminstall.exe
文件路径:C:\Documents and Settings\HungAndy\Application Data\Sandbox\DefaultBox\drive\C\windows\system32\y57nqms.dll
触发规则:黑名单->白名單->C:\Documents and Settings\HungAndy\Application Data\Sandbox\*

1.他會先連網
2.他會在D\Favorites\生成
彶紲.url
3.他會在C\windows\system32\drivers\生成並修改
mmrk4pr0.sys
k63upqm.sys
4.他會在C\windows\system32\生成並修改
y57nqms.dll

彶紲.url的結構

[InternetShortcut]
URL=hxxp://www.6781.com/?001

显示全部楼层 · 发表于 2007-7-21 15:39:33

===================================================================================================
NVCOD On Demand Scanner 5.80.02
NSE revision 5.91.02
nvcbin.def revision 5.90.00 of 2007/07/19 17:24:52 (812833 variants)
nvcmacro.def revision 5.90.00 of 2007/06/29 06:32:19 (20341 variants)
Total number of variants: 833174
Command line: "@C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~OD81.tmp"
===================================================================================================
   Time  Filename                                                    Virus name
---------------------------------------------------------------------------------------------------
- Scanning files matching: F:\v\4.zip
   22157 ms F:\v\4.zip : 123.exe                                        Virus W32/Hupigon.gen67 ( [ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* Creating several executable files on hard-drive.
* File length:       82944 bytes.
[ Changes to filesystem ]
* Deletes directory C:\WINDOWS\TEMP\IXP0.TMP.
* Creates directory C:\WINDOWS\TEMP\IXP0.TMP.
* Creates file C:\WINDOWS\TEMP\IXP0.TMP\TMP4351$.TMP.
* Creates file C:\WINDOWS\TEMP\IXP0.TMP\avp.exe.
* Creates file C:\WINDOWS\TEMP\IXP0.TMP\b-mke.exe.
* Deletes file C:\WINDOWS\TEMP\IXP0.TMP\b-mke.exe.
* Deletes file C:\WINDOWS\TEMP\IXP0.TMP\avp.exe.
* Deletes file C:\WINDOWS\TEMP\IXP0.TMP\TMP4351$.TMP.
* Deletes directory C:\WINDOWS\TEMP\IXP0.TMP\.
* Creates file C:\WINDOWS\winllogon.exe.
* Creates file C:\WINDOWS\Deleteme.bat.
[ Changes to registry ]
* Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".
* Sets value "wextract_cleanup0"="rundll32.exe C:\WINDOWS\SYSTEM32\advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\TEMP\IXP0.TMP\"" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".
* Deletes value "wextract_cleanup0" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".
* Creates key "HKLM\System\CurrentControlSet\Services\IE_WinServerName".
* Sets value "ImagePath"="C:\WINDOWS\winllogon.exe" in key "HKLM\System\CurrentControlSet\Services\IE_WinServerName".
* Sets value "DisplayName"="Windows CreaterIE" in key "HKLM\System\CurrentControlSet\Services\IE_WinServerName".
[ Process/window information ]
* Attempts to access service "IE_WinServerName".
* Creates service "IE_WinServerName (Windows CreaterIE)" as "C:\WINDOWS\winllogon.exe".
)
   1328 ms F:\v\4.zip : mh.exe                                        Virus W32/Suspicious_U.gen.dropper ( [ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* Accesses executable file from resource section.
* Creating several executable files on hard-drive.
* File length:       14848 bytes.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\TEMP\LYLOADER.EXE.
* Deletes file c:\sample.exe.
* Creates file C:\Privilege.dat.
* Creates file C:\WINDOWS\SYSTEM32\LYLOADER.EXE.
* Deletes file C:\Privilege.dat.
* Creates file C:\WINDOWS\TEMP\LYMANGR.DLL.
* Creates file C:\WINDOWS\SYSTEM32\LYMANGR.DLL.
* Creates file C:\WINDOWS\TEMP\MSDEG32.DLL.
* Creates file C:\WINDOWS\SYSTEM32\MSDEG32.DLL.
* Creates file C:\WINDOWS\SYSTEM32\REGKEY.hiv.
[ Signature Scanning ]
* C:\WINDOWS\TEMP\LYLOADER.EXE (11340 bytes) : W32/Suspicious_U.gen.
)
      0 ms F:\v\4.zip : dh.exe                                        Security Risk W32/Suspicious_U.gen ()
   625 ms F:\v\4.zip : mminstall.exe
      0 ms F:\v\4.zip
      0 ms F:\v\4.zip:Zone.Identifier
- File F:\v\4.zip quarantined.
- File F:\v\4.zip quarantined.
- File F:\v\4.zip quarantined.
===================================================================================================
The scanning started: 2007/07/21 15:33:26
            ended: 2007/07/21 15:33:50
Logged on as       : Administrator
on hostname       : BE29C0E1C4C9406
Scanning results:
Total number of files found..............................:    6
Number of files scanned..................................:    6
Number of files/directories skipped due to exclude list..:    0
Number of files that could not be opened.................:    0
Number of archive files unpacked.........................:    1
Number of archive files not unpacked.....................:    0
Number of infections.....................................:    3
Copyright (c) 1993-2005 Norman ASA.

显示全部楼层 · 发表于 2007-7-21 18:03:57

4.zip
  [0] Archive type: ZIP
  --> mh.exe
   [DETECTION] Contains suspicious code HEUR/Malware
  --> dh.exe
   [DETECTION] Is the Trojan horse TR/PSW.Agent.rwa

显示全部楼层 · 发表于 2007-7-21 18:34:24

用F-secure扫描后一个不报,解压后运行隔离两个,系统控制阻止两个.

显示全部楼层 · 发表于 2007-7-21 19:32:01

123.exe直接ignore..

Scan performed at: 2007-7-21 19:29:00
Scanning Log
NOD32 version 2410 (20070720) NT
Command line: F:\4
Operating memory - is OK

Date: 21.7.2007 Time: 19:29:03
Anti-Stealth technology is enabled.
Scanned disks, folders and files: F:\4\
F:\4\dh.exe - a variant of Win32/PSW.OnLineGames.NCU trojan
F:\4\mh.exe - a variant of Win32/PSW.Agent.NEC trojan
F:\4\mminstall.exe - a variant of Win32/TrojanDownloader.QQHelper.NDF trojan
Number of scanned files: 4
Number of threats found: 3

显示全部楼层 · 发表于 2007-7-21 22:41:32

Hello,

123.exed - Trojan.BAT.KillAV.ec,
dh.exed - Trojan-PSW.Win32.OnLineGames.es,
mh.exed - Trojan-PSW.Win32.OnLineGames.nn,
mminstall.exed - Trojan-Downloader.Win32.QQHelper.xf

New malicious software was found in these files. Detection will be included in the next update. Thank you for your help.

Please quote all when answering.

--
Best regards, Denis Maslennikov
Virus analyst, Kaspersky Lab.
e-mail: newvirus@kaspersky.com
http://www.kaspersky.com/

http://www.kaspersky.com/virusscanner - free online virus scanner.
http://www.kaspersky.com/helpdesk.html - technical support.

显示全部楼层 · 发表于 2007-7-21 23:47:12

FS all pass

[病毒样本] 4ge[ec9c60][a4527f][2f0bc7][174731]