ee80d0878f881cc2dfb0f998d5a5e5b96141f280d462bd866a2d4ccaf3fa1fae

Sharing

Copy URL

Twitter E-mail

General

Target

ee80d0878f881cc2dfb0f998d5a5e5b96141f280d462bd866a2d4ccaf3fa1fae
Size

97KB
MD5

9e0313e0d84a552aa5d3f41b3c35695f
SHA1

c4b173db02d226dd5b43f466db31c0ce0bfc2be3
SHA256

ee80d0878f881cc2dfb0f998d5a5e5b96141f280d462bd866a2d4ccaf3fa1fae
SHA512

dec5344fad9242c3ea60ba6ff3993c637f165cfeaae80d0e9d5cfd258f33656764de340e736802c30d5935e9b7fbb00b14e58ef33b9a3c36c566fbd397bbd74c
SSDEEP

1536:1hvlMs4I2g+snoFDypgHmjEzxaqGMBBAe+v8ZPRvuIsi0wvDffEsUokWd+5eY:15sv2noFDUE/G4BAe+vGNDky+5n

Score

N/A

Malware Config

Signatures

Files

ee80d0878f881cc2dfb0f998d5a5e5b96141f280d462bd866a2d4ccaf3fa1fae
.zip
WIN10 WIN11 简易优化技巧.txt
sguard_limit.exe
.exe windows x64

e86bc744a75d37c994b3fb1ba8f3ce9c

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

OpenServiceA
RegSetValueExA
StartServiceA
ControlService
DeleteService
RegCreateKeyExA
OpenSCManagerA
CloseServiceHandle
QueryServiceStatus
RegCloseKey
CreateServiceA
RegDeleteValueA
RegOpenKeyExA
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges

kernel32

GetPrivateProfileStringA
DeviceIoControl
Sleep
GetLastError
MoveFileExA
CreateFileA
CloseHandle
SetThreadPriority
SuspendThread
ResumeThread
GetCurrentThread
QueryThreadCycleTime
OpenProcess
LoadLibraryA
GetThreadContext
GetProcAddress
FreeLibrary
FlushInstructionCache
SetThreadContext
Thread32Next
Thread32First
CreateToolhelp32Snapshot
OpenThread
GetModuleFileNameA
Process32First
GetCurrentProcess
TerminateProcess
ExpandEnvironmentStringsA
WritePrivateProfileStringA
WaitForSingleObject
GetCurrentThreadId
ReleaseMutex
GetModuleHandleA
DeleteFileA
Process32Next
LocalFree
FormatMessageA
GetCompressedFileSizeA
GetPrivateProfileIntA
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentProcessId
QueryPerformanceCounter
GetModuleHandleW
GetStartupInfoW
IsDebuggerPresent
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
MultiByteToWideChar
GetFileInformationByHandleEx
AreFileApisANSI
GetFileAttributesExW
CreateMutexA
CreateDirectoryW
CreateFileW

user32

DestroyMenu
DefWindowProcA
SetWindowTextA
SetDlgItemTextW
RegisterWindowMessageA
TrackPopupMenu
DialogBoxParamA
SetDlgItemTextA
EndDialog
PostMessageA
SetWindowPos
MessageBoxA
SetProcessDPIAware
LoadIconA
DestroyWindow
GetDlgItemInt
AppendMenuA
CheckMenuItem
PostQuitMessage
AppendMenuW
SetForegroundWindow
GetCursorPos
CreatePopupMenu
CreateWindowExA
GetClassLongPtrA
DispatchMessageA
ShowWindow
TranslateMessage
RegisterClassA
GetMessageA

shell32

ord680
Shell_NotifyIconA
ShellExecuteA
SHGetFolderPathA

msvcp140

_Mtx_lock
_Mtx_init_in_situ
_Mtx_unlock
?_Throw_C_error@std@@YAXH@Z
_Mtx_destroy_in_situ
_Cnd_do_broadcast_at_thread_exit
_Thrd_detach
_Thrd_id
_Thrd_join
?_Winerror_map@std@@YAHH@Z
?_Random_device@std@@YAIXZ
?_Xlength_error@std@@YAXPEBD@Z
?_Throw_Cpp_error@std@@YAXH@Z
?_Syserror_map@std@@YAPEBDH@Z

msvcp140_atomic_wait

__std_atomic_notify_all_direct
__std_atomic_wait_direct

comctl32

ord345

vcruntime140_1

__CxxFrameHandler4

vcruntime140

__std_exception_copy
__std_terminate
strrchr
__C_specific_handler
_CxxThrowException
__current_exception
__current_exception_context
memset
memcpy
memmove
__std_exception_destroy
memcmp

api-ms-win-crt-stdio-l1-1-0

fclose
__stdio_common_vsprintf
__stdio_common_vfprintf
__p__commode
_set_fmode
setbuf
fopen

api-ms-win-crt-runtime-l1-1-0

_initialize_onexit_table
_register_onexit_function
_initialize_narrow_environment
_configure_narrow_argv
terminate
_beginthreadex
_crt_atexit
_invalid_parameter_noinfo_noreturn
_cexit
_seh_filter_exe
_register_thread_local_exe_atexit_callback
_c_exit
_set_app_type
_exit
exit
_initterm_e
_initterm
_get_narrow_winmain_command_line

api-ms-win-crt-heap-l1-1-0

_set_new_mode
malloc
_callnewh
free

api-ms-win-crt-time-l1-1-0

_localtime64
_time64

api-ms-win-crt-locale-l1-1-0

_configthreadlocale
___lc_codepage_func

api-ms-win-crt-string-l1-1-0

_stricmp
strcmp

api-ms-win-crt-math-l1-1-0

__setusermatherr
ceilf

Sections

.text
Size: 65KB - Virtual size: 64KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 32KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 58KB - Virtual size: 57KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 188B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
sguard_limit.sys
.exe windows x64

c13d29f90e52595accf8ead9896805e5

Code Sign

4e:fa:7e:7b:ba:65:ec:1a:b7:74:f2:b3:13:57:d5:99
Certificate

Issuer

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Not Before

20-05-2013 00:00

Not After

20-05-2014 23:59

Subject

CN=Shenzhen yundian Technology Co.\, Ltd,O=Shenzhen yundian Technology Co.\, Ltd,L=Shenzhen,ST=Guangdong,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

Issuer

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Not Before

08-02-2010 00:00

Not After

07-02-2020 23:59

Subject

CN=Thawte Code Signing CA - G2,O=Thawte\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

61:1f:b0:a4:00:00:00:00:00:1d
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

22-02-2011 19:31

Not After

22-02-2021 19:41

Subject

CN=thawte Primary Root CA,OU=Certification Services Division+OU=(c) 2006 thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

1e:b1:32:d5:7e:79:68:96:0d:f2:6e:85:4e:b0:dd:a6
Certificate

Issuer

CN=JemmyLoveJenny SHA1 TimeStamping Services CA,OU=pki.jemmylovejenny.tk,O=JemmyLoveJenny PKI Service,C=CN

Not Before

01-01-2000 00:00

Not After

31-12-2099 23:59

Subject

CN=Fake TimeStamp Responder,OU=timestamp.pki.jemmylovejenny.tk,O=JemmyLoveJenny PKI Service,C=CN

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

1e:b1:32:d5
Certificate

Issuer

CN=JemmyLoveJenny EV Root CA,OU=pki.jemmylovejenny.tk,O=JemmyLoveJenny PKI Service,C=CN

Not Before

01-01-2000 00:00

Not After

31-12-2099 23:59

Subject

CN=JemmyLoveJenny EV Root CA,OU=pki.jemmylovejenny.tk,O=JemmyLoveJenny PKI Service,C=CN

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

1e:b1:32:d5:7e:79:68:96
Certificate

Issuer

CN=JemmyLoveJenny EV Root CA,OU=pki.jemmylovejenny.tk,O=JemmyLoveJenny PKI Service,C=CN

Not Before

01-01-2000 00:00

Not After

31-12-2099 23:59

Subject

CN=JemmyLoveJenny SHA1 TimeStamping Services CA,OU=pki.jemmylovejenny.tk,O=JemmyLoveJenny PKI Service,C=CN

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

bb:6c:f9:56:b8:8a:93:5a:c4:a0:cf:00:37:9d:44:59:78:3d:50:7b
Signer

Actual PE Digest

bb:6c:f9:56:b8:8a:93:5a:c4:a0:cf:00:37:9d:44:59:78:3d:50:7b

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Shenzhen yundian Technology Co.\, Ltd,O=Shenzhen yundian Technology Co.\, Ltd,L=Shenzhen,ST=Guangdong,C=CN

21-05-2013 00:00
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

strcpy_s
strstr
wcscpy_s
_wcsicmp
RtlInitUnicodeString
RtlGetVersion
ExAllocatePoolWithTag
ExFreePoolWithTag
MmGetSystemRoutineAddress
IofCompleteRequest
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
IoDeleteSymbolicLink
IoGetCurrentProcess
ObfDereferenceObject
ZwClose
MmIsAddressValid
ZwOpenProcess
RtlNtStatusToDosError
PsLookupProcessByProcessId
ZwAllocateVirtualMemory
ZwQueryVirtualMemory
ZwQuerySystemInformation
MmCopyVirtualMemory
PsSuspendProcess
PsResumeProcess
KeBugCheckEx

Sections

.text
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 980B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 240B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 1024B - Virtual size: 994B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
常见问题（必看）.docx
.docx office2007

Sharing

General

Malware Config

Signatures

Files

e86bc744a75d37c994b3fb1ba8f3ce9c

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

user32

shell32

msvcp140

msvcp140_atomic_wait

comctl32

vcruntime140_1

vcruntime140

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-locale-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-math-l1-1-0

Sections

.text Size: 65KB - Virtual size: 64KB

.rdata Size: 32KB - Virtual size: 32KB

.data Size: 2KB - Virtual size: 3KB

.pdata Size: 3KB - Virtual size: 2KB

.rsrc Size: 58KB - Virtual size: 57KB

.reloc Size: 512B - Virtual size: 188B

c13d29f90e52595accf8ead9896805e5

Code Sign

4e:fa:7e:7b:ba:65:ec:1a:b7:74:f2:b3:13:57:d5:99Certificate

Extended Key Usages

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5eCertificate

Extended Key Usages

Key Usages

61:1f:b0:a4:00:00:00:00:00:1dCertificate

Key Usages

1e:b1:32:d5:7e:79:68:96:0d:f2:6e:85:4e:b0:dd:a6Certificate

Extended Key Usages

Key Usages

1e:b1:32:d5Certificate

Key Usages

1e:b1:32:d5:7e:79:68:96Certificate

Extended Key Usages

Key Usages

bb:6c:f9:56:b8:8a:93:5a:c4:a0:cf:00:37:9d:44:59:78:3d:50:7bSigner

Signature Validations

Verification

21-05-2013 00:00 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

ntoskrnl.exe

Sections

.text Size: 8KB - Virtual size: 7KB

.rdata Size: 1KB - Virtual size: 1KB

.data Size: 512B - Virtual size: 980B

.pdata Size: 512B - Virtual size: 240B

INIT Size: 1024B - Virtual size: 994B

.reloc Size: 512B - Virtual size: 32B

.text
Size: 65KB - Virtual size: 64KB

.rdata
Size: 32KB - Virtual size: 32KB

.data
Size: 2KB - Virtual size: 3KB

.pdata
Size: 3KB - Virtual size: 2KB

.rsrc
Size: 58KB - Virtual size: 57KB

.reloc
Size: 512B - Virtual size: 188B

4e:fa:7e:7b:ba:65:ec:1a:b7:74:f2:b3:13:57:d5:99
Certificate

47:97:4d:78:73:a5:bc:ab:0d:2f:b3:70:19:2f:ce:5e
Certificate

61:1f:b0:a4:00:00:00:00:00:1d
Certificate

1e:b1:32:d5:7e:79:68:96:0d:f2:6e:85:4e:b0:dd:a6
Certificate

1e:b1:32:d5
Certificate

1e:b1:32:d5:7e:79:68:96
Certificate

bb:6c:f9:56:b8:8a:93:5a:c4:a0:cf:00:37:9d:44:59:78:3d:50:7b
Signer

21-05-2013 00:00
Valid: false

.text
Size: 8KB - Virtual size: 7KB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: 512B - Virtual size: 980B

.pdata
Size: 512B - Virtual size: 240B

INIT
Size: 1024B - Virtual size: 994B

.reloc
Size: 512B - Virtual size: 32B