银狐1x

xiaozhu009

https://wwbxq.lanzouq.com/iYp2w3jne65g



https://www.virustotal.com/gui/f ... cb47a5747/detection

wowocock

木马会利用组策略禁止一堆安全软件，同时写入计划任务启动回写。需要清除注册表和木马计划任务文件。
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{01d2e4f7-f182-4e34-ba78-d54dcdc18107}]
"Description"=""
"ItemData"="C:\\Program Files\\ESET"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{05ba51c5-eb80-4c10-a6c4-20e0f0500cd8}]
"Description"=""
"ItemData"="C:\\ProgramData\\Tencent\\Yuanbao"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{0627e59d-22a8-4a24-8949-a4acf3fa4bc1}]
"Description"=""
"ItemData"="C:\\Program Files\\Windows Defender"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{08532edc-b3ce-4a3f-ba5c-299ced063f49}]
"Description"=""
"ItemData"="C:\\Program Files (x86)\\Mcafee"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{0baf0d3b-5789-4fc6-8e56-1f7012909ef5}]
"Description"=""
"ItemData"="C:\\Program Files (x86)\\360\\360sd"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{0d307d67-0a02-4683-9bba-019b1cb3b9cd}]
"Description"=""
"ItemData"="C:\\Program Files\\Symantec"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{16a09230-3c62-4eb7-8a04-397c52471420}]
"Description"=""
"ItemData"="C:\\Program Files (x86)\\ESET"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{1f20bb85-63b1-4816-a9e2-ebc252f814ab}]
"Description"=""
"ItemData"="C:\\Users\\yhg\\AppData\\Roaming\\360huabao"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{215a934a-5625-4a8c-ad03-4fde51b69a82}]
"Description"=""
"ItemData"="C:\\Program Files (x86)\\Avast Software"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{2f97115e-29c0-4f9a-b3eb-da0372ed51ba}]
"Description"=""
"ItemData"="C:\\Program Files\\Avast Software\\Avast Software"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{32fc2c38-0460-4f14-b3c2-2610168af6fe}]
"Description"=""
"ItemData"="C:\\ProgramData\\Tencent\\QQPCMgr"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{36fd7d06-5da0-4c63-b4dd-12ff1a5d0994}]
"Description"=""
"ItemData"="C:\\Program Files (x86)\\Symantec"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{3ceba8c4-16a2-4cc7-bb35-1270f6df4c50}]
"Description"=""
"ItemData"="C:\\Program Files\\Kingsoft"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{41a2b9a5-801a-4671-bf8c-b1fb6259dab3}]
"Description"=""
"ItemData"="C:\\Program Files\\Tencent\\Yuanbao"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{43e175fc-fa6d-409f-accd-6181e5e17b11}]
"Description"=""
"ItemData"="C:\\Program Files (x86)\\Windows Defender"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{4e587f4d-e896-47e0-a9bf-9f5dabd819d9}]
"Description"=""
"ItemData"="C:\\Program Files (x86)\\Kingsoft"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{65dd609b-86bc-4718-a3f9-b923c42f1211}]
"Description"=""
"ItemData"="C:\\Program Files (x86)\\Kaspersky Lab"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{6a0a2fd4-747e-437c-94ae-5f659db59246}]
"Description"=""
"ItemData"="C:\\Program Files\\AVG"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{6fec81fb-7251-4e2a-89ed-125dd35a3ffd}]
"Description"=""
"ItemData"="C:\\ProgramData\\Bitdefender Agent"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{70792552-3519-49bc-aabd-28b2e33c72bc}]
"Description"=""
"ItemData"="C:\\Program Files\\Mcafee"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{72edded5-a0bc-45a2-a986-300d444d9083}]
"Description"=""
"ItemData"="C:\\Program Files (x86)\\AVG"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{74e42d5f-54b7-4e4d-8793-2446313c0752}]
"Description"=""
"ItemData"="C:\\Program Files\\Bitdefender"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{77ff0f96-8911-490e-8a69-f50d9dfcee0a}]
"Description"=""
"ItemData"="C:\\Program Files\\Avast Software"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{7916f23a-70df-4288-baa7-ac3e041c0830}]
"Description"=""
"ItemData"="C:\\Program Files\\Kaspersky Lab"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{79ce2e69-3c22-4d09-a2c0-9bafbce8710e}]
"Description"=""
"ItemData"="C:\\Program Files\\Tencent\\QQPCMgr"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{82e81c15-a2b2-47da-98bd-848c9bd8f660}]
"Description"=""
"ItemData"="C:\\Program Files\\360\\360Safe"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{8ac73a53-9de6-4bc2-96a0-b6daafa6911d}]
"Description"=""
"ItemData"="C:\\Users\\yhg\\AppData\\Roaming\\360Login"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{8be9c97d-269f-459e-bf1e-dabf5ed640c6}]
"Description"=""
"ItemData"="C:\\Program Files (x86)\\Common Files\\Bitdefender"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{8cc95fb9-da2e-413f-a239-dfddb0ba5650}]
"Description"=""
"ItemData"="C:\\Program Files (x86)\\Tencent\\Yuanbao"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{8ed0cb1e-0eb3-4380-8ba0-d592287b51b2}]
"Description"=""
"ItemData"="C:\\Program Files\\Norton"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{9882c312-10b5-4d9b-b995-d1d5f45bbf08}]
"Description"=""
"ItemData"="C:\\ProgramData\\Microsoft\\Windows Defender\\Platform"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{9a030980-ec1f-4e69-a22c-533b085cd355}]
"Description"=""
"ItemData"="C:\\Program Files (x86)\\2345Soft"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{9d37c916-5fc9-4f35-a06b-4169fad4b298}]
"Description"=""
"ItemData"="C:\\Program Files (x86)\\Bitdefender"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{9e3f17d5-423c-4969-94fc-6db007e7a2a2}]
"Description"=""
"ItemData"="C:\\Program Files\\Huorong"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{aa5518f9-005b-4404-ac98-c759b8e6830d}]
"Description"=""
"ItemData"="C:\\Program Files\\360\\360sd"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{acd879ca-e7e3-47f9-9445-119d248d221b}]
"Description"=""
"ItemData"="C:\\ProgramData\\Bitdefender"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{b1934063-d968-4f66-bd80-1f0aa33bd87f}]
"Description"=""
"ItemData"="C:\\Users\\yhg\\AppData\\Roaming\\360DesktopLite"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{c1977f4d-bb5f-42e3-98cf-30bf8029177c}]
"Description"=""
"ItemData"="C:\\Program Files (x86)\\Huorong"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{c50aacd2-1539-4205-bb36-32020f2a2bf1}]
"Description"=""
"ItemData"="C:\\Program Files\\Common Files\\Bitdefender"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{ce390006-2a13-4b66-b342-f4d4fe00da96}]
"Description"=""
"ItemData"="C:\\Program Files\\2345Soft"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{ceeaf4bb-0f04-4557-8d11-153a0a0034fa}]
"Description"=""
"ItemData"="C:\\Users\\yhg\\AppData\\Roaming\\360mobilemgr"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{cf225d56-4433-451b-b15a-755256fded22}]
"Description"=""
"ItemData"="C:\\Users\\yhg\\AppData\\Roaming\\360Safe"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{d46bb673-5384-4b6f-9e7a-5711baf52e95}]
"Description"=""
"ItemData"="C:\\Program Files (x86)\\Norton"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{d6786ddd-9a2c-4bd6-91d0-fd1429820c53}]
"Description"=""
"ItemData"="C:\\Program Files (x86)\\360\\360Safe"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{da9e09e1-c81e-47b9-b1d5-2c6cd44f4a88}]
"Description"=""
"ItemData"="C:\\Program Files (x86)\\Trend Micro"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{ebd993a0-9e9b-40a6-b77d-a69818bb5cb3}]
"Description"=""
"ItemData"="C:\\Program Files (x86)\\Tencent\\QQPCMgr"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{f2152564-1302-4d4a-bbe2-61a48febfeaf}]
"Description"=""
"ItemData"="C:\\Users\\yhg\\AppData\\Roaming\\360Game5"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{f37e25e0-fd35-43bd-b7c4-59d2020fa0a1}]
"Description"=""
"ItemData"="C:\\Program Files (x86)\\Avast Software\\Avast Software"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{f874f1a8-a347-40c8-9cce-c3f66fd86d3e}]
"Description"=""
"ItemData"="C:\\Program Files\\Trend Micro"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{fe270cc8-0644-468b-b798-8d5809d3ab2f}]
"Description"=""
"ItemData"="C:\\ProgramData\\Kingsoft"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\0\Paths\{ff52411a-fb92-43bd-bdab-1daef5a866c4}]
"Description"=""
"ItemData"="C:\\Users\\yhg\\AppData\\Roaming\\360Quarant"
"LastModified"=hex(b):1d,41,a6,69,00,00,00,00
"SaferFlags"=dword:00000000

WGC_ZY

卡巴：
Type: Trojan
Name: Backdoor.Win32.Xkcp.cek
Precision: Exactly
Threat level: High
Object type: File
Object name: AISafeSDK64.dll
Object path: C:\Users\Zhang\Downloads\【薪資調整通知】
MD5 of an object: 80CFB32B29B00D05415B4990DA151DA7


ESSP：
kill同文件。

浦北光

KSNdll不受信任，解压杀

事件: 检测到恶意对象
用户: WIN-OU3QDS5P7I8\Administrator
用户类型: 活动用户
应用程序名称: SearchProtocolHost.exe
应用程序路径: C:\Windows\System32
组件: 文件威胁防护
结果说明: 检测到
类型: 木马程序
名称: UDS:Backdoor.Win32.Xkcp.cek
精确度: 确切
威胁级别: 高
对象类型: 文件
对象名称: AISafeSDK64.dll
对象路径: C:\Users\Administrator\Downloads\【薪資調整通知】
SHA256: 08F8A286B6CD9AB0291E3B0E5F5D2FDCE22024ACC167634DE0AD83BCB47A5747
MD5: 80CFB32B29B00D05415B4990DA151DA7
原因: 云保护

lingchenheiye

ESU解压杀dll

心醉咖啡

360扫描miss

ababababab

360扫描Miss
虚拟机内运行360杀毒被断网后关闭，无法再次打开

ababababab

火绒扫描Miss
运行后Kill衍生物

病毒名称：HackTool/W64.ProcessHacker.b
病毒ID：368E7D6B0EA612E6
病毒路径：C:\Users\Bilib\AppData\Local\Temp\setup.exe
操作类型：修改
操作结果：已处理，删除文件

进程ID：10888
操作进程：C:\Users\Bilib\Desktop\【薪資調整通知】\【薪資調整通知】.exe
操作进程命令行："C:\Users\Bilib\Desktop\【薪資調整通知】\【薪資調整通知】.exe"
父进程ID：5404
父进程：C:\Windows\explorer.exe

陌染淡殇

浦北光 发表于 2026-3-2 22:19
KSNdll不受信任，解压杀

事件: 检测到恶意对象

卡巴21.3，解压不报，右扫不报，右键信誉安全啊

莒县小哥

陌染淡殇 发表于 2026-3-3 10:00
卡巴21.3，解压不报，右扫不报，右键信誉安全啊

dll不受信任

wowocock

if ( (unsigned int)sub_140002990(argc, argv, envp) )

__int64 sub_140002990()
{
  __int64 v1; // rax
  __int64 v2; // rdx
  __int64 v3; // rbx
  unsigned __int8 v4; // al
  WCHAR Filename[264]; // [rsp+20h] [rbp-228h] BYREF

  memset(Filename, 0, 0x208ui64);
  GetModuleFileNameW(hModule, Filename, 0x104u);
  PathAppendW(Filename, L"..\\AISafeSDK64.dll");
  if ( (unsigned int)sub_14000B2E0(&unk_140055240, Filename) && (unsigned int)sub_14000B490(&unk_140055660, Filename) )
    return 1i64;
  v1 = sub_140008BE0(&qword_1400536A0, "    未成功初始化所有功能模块!");
  LOBYTE(v2) = 10;
  v3 = v1;
  v4 = sub_140009C90(v1 + *(int *)(*(_QWORD *)v1 + 4i64), v2);
  sub_1400099D0(v3, v4);
  sub_140007DE0(v3);
  return 0i64;
}

__int64 __fastcall sub_14000B2E0(__int64 a1, const WCHAR *a2)
{
  HMODULE LibraryW; // rax
  FARPROC AIGetFrameObject; // rsi
  __int64 result; // rax

  LibraryW = LoadLibraryW(a2);
  *(_QWORD *)(a1 + 16) = LibraryW;
  if ( !LibraryW )
    return 0i64;
  AIGetFrameObject = GetProcAddress(LibraryW, "AIGetFrameObject");
  if ( !AIGetFrameObject )
    return 0i64;
  memset((void *)(a1 + 28), 0, 0x404ui64);
  *(_DWORD *)(a1 + 24) = 1032;
  result = ((__int64 (__fastcall *)(__int64))AIGetFrameObject)(a1 + 24);
  *(_DWORD *)(a1 + 8) = result;
  return result;
}
我也是服了，在入口点直接加载当前目录下的AISafeSDK64.dll，然后调用里面的函数，现在360都成这样了，记得当年我们都要求，所有DLL禁止使用导入方式，动态加载，同时加载DLL都会调用360内部的加载验证函数验证360签名后，才能加载，不应该被利用的，我还在360的时候，都好几次发现类似的问题，督促他们去修正，现在走了后，估计也没人管了，木马都嗨起来了。