KIS missed.
Have sent to KL.
Analysis:
The decompiler rates it high risk.
Basic information
File name:
setup.exe
MD5: e5f557cfddb1d4ea0c97918d23b7e13a
File type: EXE
Upload time: 2015-08-06 16:41:01
Publisher: 天王影音
Version: 0.0.0.0
Packer/compiler info: COMPILER:Borland Delphi 2.0 [Overlay]
Key behaviors
Behavior: Opens a file mapping with write access
Details:
CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
MSCTF.MarshalInterface.FileMap.API..OOPIG
MSCTF.MarshalInterface.FileMap.API.B.OOPIG
MSCTF.MarshalInterface.FileMap.API.C.OOPIG
MSCTF.MarshalInterface.FileMap.API.D.OOPIG
MSCTF.MarshalInterface.FileMap.API.E.OPPIG
MSCTF.MarshalInterface.FileMap.API.F.OPPIG
MSCTF.MarshalInterface.FileMap.API.G.OPPIG
MSCTF.Shared.SFM.API
MSCTF.MarshalInterface.FileMap.API.H.GPENG
MSCTF.MarshalInterface.FileMap.API.I.GPENG
MSCTF.MarshalInterface.FileMap.API.J.GPENG
MSCTF.MarshalInterface.FileMap.API.K.GPENG
MSCTF.MarshalInterface.FileMap.API.L.GPENG
MSCTF.MarshalInterface.FileMap.API.M.GPENG
Behavior: Creates a desktop shortcut
Details:
C:\Documents and Settings\All Users\桌面\天王影音.lnk
Behavior: Modifies registry (IE start page)
Details:
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Internet Explorer\Main\Start Page
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page
Behavior: Hides a specified window
Details:
[Window,Class] = [,Auto-Suggest Dropdown]
[Window,Class] = [,ComboLBox]
[Window,Class] = [安装 - 天王影音,TWizardForm]
Behavior: Resolves host address by name
Details:
nat.toutsocial.com
tj.toutsocial.com
Process behavior
Behavior: Creates a process
Details:
ImagePath = C:\WINDOWS\system32\regsvr32.exe, CmdLine = "regsvr32.exe" /s "C:\Program Files\twplayer\nptwplay.dll
Behavior: Creates a process from a newly written file
Details:
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-PCPJR.tmp\sample.tmp, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-PCPJR.tmp\sample.tmp" /SL5="$301E4,4998501,56320,c:\%temp%\1438850532.025248.exe"
ImagePath = C:\Program Files\twplayer\twplay.exe, CmdLine = "C:\Program Files\twplayer\twplay.exe" -install
ImagePath = C:\Program Files\twplayer\twplay.exe, CmdLine = "C:\Program Files\twplayer\twplay.exe"
ImagePath = C:\Program Files\twplayer\netengine.exe, CmdLine = "C:\Program Files\twplayer\netengine.exe" "㤳扦〴摦㉡㝣昲扤㝡扣ㄵㅥ㙥㕢㘱慢㐸㐵㉦"
Behavior: Enumerates processes
Details:
N/A
File behavior
Behavior: Drops links or shortcuts in sensitive system locations (e.g. the Start Menu)
Details:
C:\Documents and Settings\All Users\「开始」菜单\程序\天王影音\天王影音.lnk
C:\Documents and Settings\All Users\「开始」菜单\程序\天王影音\卸载 天王影音.lnk
Behavior: Creates executable files
Details:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-PCPJR.tmp\sample.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-FJIPG.tmp\_isetup\_shfoldr.dll
C:\Program Files\twplayer\is-CTVU5.tmp
C:\Program Files\twplayer\is-8P5OL.tmp
C:\Program Files\twplayer\is-TFVDE.tmp
C:\Program Files\twplayer\is-54M6L.tmp
C:\Program Files\twplayer\is-7J0QT.tmp
C:\Program Files\twplayer\is-JQPFE.tmp
C:\Program Files\twplayer\is-NPE2C.tmp
C:\Program Files\twplayer\is-MTRU8.tmp
C:\Program Files\twplayer\is-3HBRU.tmp
C:\Program Files\twplayer\is-NVOBI.tmp
C:\Program Files\twplayer\is-LBF1U.tmp
C:\Program Files\twplayer\is-091R2.tmp
Behavior: Searches for files
Details:
FileName = C:\DOCUME~1
FileName = C:\DOCUME~1\ADMINI~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-PCPJR.tmp
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-PCPJR.tmp\sample.tmp
FileName = C:\Documents and Settings
FileName = C:\Documents and Settings\Administrator
FileName = C:\Documents and Settings\Administrator\「开始」菜单
FileName = C:\Documents and Settings\Administrator\「开始」菜单\程序
FileName = C:\*.*
FileName = C:\Program Files\twplayer\unins???.*
FileName = C:\Program Files\twplayer\twplay.exe
FileName = C:\Program Files
FileName = C:\Program Files\twplayer
Behavior: Creates a desktop shortcut
Details:
C:\Documents and Settings\All Users\桌面\天王影音.lnk
Behavior: Opens a file mapping with write access
Details:
CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
MSCTF.MarshalInterface.FileMap.API..OOPIG
MSCTF.MarshalInterface.FileMap.API.B.OOPIG
MSCTF.MarshalInterface.FileMap.API.C.OOPIG
MSCTF.MarshalInterface.FileMap.API.D.OOPIG
MSCTF.MarshalInterface.FileMap.API.E.OPPIG
MSCTF.MarshalInterface.FileMap.API.F.OPPIG
MSCTF.MarshalInterface.FileMap.API.G.OPPIG
MSCTF.Shared.SFM.API
MSCTF.MarshalInterface.FileMap.API.H.GPENG
MSCTF.MarshalInterface.FileMap.API.I.GPENG
MSCTF.MarshalInterface.FileMap.API.J.GPENG
MSCTF.MarshalInterface.FileMap.API.K.GPENG
MSCTF.MarshalInterface.FileMap.API.L.GPENG
MSCTF.MarshalInterface.FileMap.API.M.GPENG
Behavior: Renames files
Details:
C:\Program Files\twplayer\is-CTVU5.tmp ---> C:\Program Files\twplayer\unins000.exe
C:\Program Files\twplayer\is-8P5OL.tmp ---> C:\Program Files\twplayer\twplay.exe
C:\Program Files\twplayer\is-TFVDE.tmp ---> C:\Program Files\twplayer\DuiLib_u.dll
C:\Program Files\twplayer\is-54M6L.tmp ---> C:\Program Files\twplayer\mediainfo.dll
C:\Program Files\twplayer\is-7J0QT.tmp ---> C:\Program Files\twplayer\natudp.dll
C:\Program Files\twplayer\is-JQPFE.tmp ---> C:\Program Files\twplayer\netengine.exe
C:\Program Files\twplayer\is-NPE2C.tmp ---> C:\Program Files\twplayer\nptwplay.dll
C:\Program Files\twplayer\is-MTRU8.tmp ---> C:\Program Files\twplayer\p2pengine.dll
C:\Program Files\twplayer\is-3HBRU.tmp ---> C:\Program Files\twplayer\twplay.exe
C:\Program Files\twplayer\is-NVOBI.tmp ---> C:\Program Files\twplayer\update.exe
C:\Program Files\twplayer\is-LBF1U.tmp ---> C:\Program Files\twplayer\videoplayer.dll
C:\Program Files\twplayer\is-091R2.tmp ---> C:\Program Files\twplayer\videoreader.dll
C:\Program Files\twplayer\config\is-DTE6V.tmp ---> C:\Program Files\twplayer\config\HotKey.dat
C:\Program Files\twplayer\config\is-5RS9O.tmp ---> C:\Program Files\twplayer\config\P2PKernel.ini
C:\Program Files\twplayer\config\is-BTRRS.tmp ---> C:\Program Files\twplayer\config\system.ini
Behavior: Modifies file contents
Details:
C:\Program Files\twplayer\config\is-DTE6V.tmp---> Offset = 0
C:\Program Files\twplayer\config\is-5RS9O.tmp---> Offset = 0
C:\Program Files\twplayer\config\is-BTRRS.tmp---> Offset = 0
C:\Program Files\twplayer\language\is-J4VBQ.tmp---> Offset = 0
C:\Program Files\twplayer\language\is-INL5O.tmp---> Offset = 0
C:\Program Files\twplayer\skin\default\is-CIVQO.tmp---> Offset = 0
C:\Program Files\twplayer\skin\default\is-UCH3V.tmp---> Offset = 0
C:\Program Files\twplayer\skin\default\is-A8RJ9.tmp---> Offset = 0
C:\Program Files\twplayer\skin\default\is-DES63.tmp---> Offset = 0
C:\Program Files\twplayer\skin\default\is-QL43B.tmp---> Offset = 0
C:\Program Files\twplayer\skin\default\is-74CHU.tmp---> Offset = 0
C:\Program Files\twplayer\skin\default\is-R5386.tmp---> Offset = 0
C:\Program Files\twplayer\skin\default\is-P3QPL.tmp---> Offset = 0
C:\Program Files\twplayer\skin\default\is-SFMS9.tmp---> Offset = 0
C:\Program Files\twplayer\skin\default\is-MPB1I.tmp---> Offset = 0
Behavior: Modifies a newly created executable file
Details:
C:\Program Files\twplayer\is-CTVU5.tmp---> Offset = 725217
Network behavior
Behavior: Sends data on a connected socket
Details:
SOCKET = 0x00000170, TotalSize = 202, Offset = 0, ReadSize = 202.
SOCKET = 0x00000170, TotalSize = 59, Offset = 0, ReadSize = 59.
SOCKET = 0x000000e0, TotalSize = 69, Offset = 0, ReadSize = 69.
Behavior: Connects to a specified socket address
Details:
219.133.40.1:12344
127.0.0.1:9000
Behavior: Resolves host address by name
Details:
nat.toutsocial.com
tj.toutsocial.com
Registry behavior
Behavior: Modifies registry
Details:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{922D5D74-5408-433F-8E64-9BFEC2289E1E}_is1\Inno Setup: Setup Version
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{922D5D74-5408-433F-8E64-9BFEC2289E1E}_is1\Inno Setup: App Path
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{922D5D74-5408-433F-8E64-9BFEC2289E1E}_is1\InstallLocation
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{922D5D74-5408-433F-8E64-9BFEC2289E1E}_is1\Inno Setup: Icon Group
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{922D5D74-5408-433F-8E64-9BFEC2289E1E}_is1\Inno Setup: User
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{922D5D74-5408-433F-8E64-9BFEC2289E1E}_is1\Inno Setup: Selected Tasks
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{922D5D74-5408-433F-8E64-9BFEC2289E1E}_is1\Inno Setup: Deselected Tasks
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{922D5D74-5408-433F-8E64-9BFEC2289E1E}_is1\Inno Setup: Language
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{922D5D74-5408-433F-8E64-9BFEC2289E1E}_is1\DisplayName
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{922D5D74-5408-433F-8E64-9BFEC2289E1E}_is1\UninstallString
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{922D5D74-5408-433F-8E64-9BFEC2289E1E}_is1\QuietUninstallString
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{922D5D74-5408-433F-8E64-9BFEC2289E1E}_is1\DisplayVersion
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{922D5D74-5408-433F-8E64-9BFEC2289E1E}_is1\Publisher
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{922D5D74-5408-433F-8E64-9BFEC2289E1E}_is1\URLInfoAbout
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{922D5D74-5408-433F-8E64-9BFEC2289E1E}_is1\HelpLink
Behavior: Modifies registry (IE start page)
Details:
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Internet Explorer\Main\Start Page
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page
Other behavior
Behavior: Creates mutexes
Details:
CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1645522239-1417001333-500MUTEX.DefaultS-1-5-21-1482476501-1645522239-1417001333-500
MSCTF.Shared.MUTEX.AEH
MSCTF.Shared.MUTEX.API
SHIMLIB_LOG_MUTEX
DDrawWindowListMutex
__DDrawExclMode__
__DDrawCheckExclMode__
DDrawDriverObjectListMutex
DirectSound DllMain mutex (0x00000FF0)
DirectSound DllMain mutex (0x000008DC)
Behavior: Hides a specified window
Details:
[Window,Class] = [,Auto-Suggest Dropdown]
[Window,Class] = [,ComboLBox]
[Window,Class] = [安装 - 天王影音,TWizardForm]
Behavior: Searches for a specified window
Details:
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior: Window information
Details:
Pid = 2284, Hwnd=0x4021e, Text = 欢迎使用 天王影音 安装向导 , ClassName = TNewStaticText.
Pid = 2284, Hwnd=0x50216, Text = 现在将安装 天王影音 版本 2.0.2 到您的电脑中。 推荐您在继续安装前关闭所有其它应用程序。 单击“下一步”继续,或单击“取消”退, ClassName = TNewStaticText.
Pid = 2284, Hwnd=0x601ae, Text = C:\Program Files\twplayer, ClassName = TEdit.
Pid = 2284, Hwnd=0x501bc, Text = 下一步(&N) >, ClassName = TNewButton.
Pid = 2284, Hwnd=0x50230, Text = 取消, ClassName = TNewButton.
Pid = 2284, Hwnd=0x50252, Text = 安装 - 天王影音, ClassName = TWizardForm.
Pid = 2284, Hwnd=0x60212, Text = 许可协议, ClassName = TNewStaticText.
Pid = 2284, Hwnd=0x50208, Text = 继续安装前请阅读下列重要信息。, ClassName = TNewStaticText.
Pid = 2284, Hwnd=0x60214, Text = 请仔细阅读下列许可协议。您在继续安装前必须同意这些协议条款。, ClassName = TNewStaticText.
Pid = 2284, Hwnd=0x4023c, Text = 我同意此协议(&A), ClassName = TNewRadioButton.
Pid = 2284, Hwnd=0xc0210, Text = 我不同意此协议(&D), ClassName = TNewRadioButton.
Pid = 2284, Hwnd=0x301f0, Text = < 上一步(&B), ClassName = TNewButton.
Pid = 2284, Hwnd=0x60212, Text = 选择目标位置, ClassName = TNewStaticText.
Pid = 2284, Hwnd=0x50208, Text = 您想将 天王影音 安装在什么地方?, ClassName = TNewStaticText.
Pid = 2284, Hwnd=0x301dc, Text = 安装程序将安装 天王影音 到下列文件夹中。, ClassName = TNewStaticText.
Behavior: Acquires system privileges
Details:
SE_LOAD_DRIVER_PRIVILEGE
SE_DEBUG_PRIVILEGE
Behavior: Enumerates windows
Details:
N/A
Runtime screenshot (image not included in this page):