分析任务
| 分析类型 | 虚拟机标签 | 开始时间 | 结束时间 | 持续时间 |
|---|---|---|---|---|
| 文件 (Windows) | win7-sp1-x64 | 2016-11-12 22:56:37 | 2016-11-12 22:58:52 | 135 秒 |
魔盾分数
1.5
正常的
文件详细信息
| 文件名 | _shfoldr.dll |
|---|---|
| 文件大小 | 23312 字节 |
| 文件类型 | PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
| CRC32 | AE2C3EC2 |
| Ssdeep | 384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4 |
| Yara | 登录查看Yara规则 |
| 样本下载 提交漏报 |
登录查看威胁特征
运行截图
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
域名解析 (可点击查询WPING实时安全评级)
无域名信息.
摘要
登录查看详细行为信息PE 信息
| 初始地址 | 0x71950000 |
|---|---|
| 入口地址 | 0x719527f6 |
| 声明校验值 | 0x00008df0 |
| 实际校验值 | 0x00008df0 |
| 最低操作系统版本要求 | 5.0 |
| 编译时间 | 2001-07-24 10:12:21 |
| 导出DLL库名称 | SHFOLDER.dll |
版本信息
| LegalCopyright | |
|---|---|
| InternalName | |
| FileVersion | |
| CompanyName | |
| ProductName | |
| OleSelfRegister | |
| ProductVersion | |
| FileDescription | |
| OriginalFilename | |
| Translation |
PE 数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x00001e7b | 0x00002000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 5.93 |
| .data | 0x00003000 | 0x0000005c | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.44 |
| .rsrc | 0x00004000 | 0x00002f10 | 0x00003000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 3.58 |
| .reloc | 0x00007000 | 0x000001dc | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 4.80 |
覆盖
| 偏移量 | 0x00005a00 |
| 大小 | 0x00000110 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_STRING | 0x00005228 | 0x00000196 | LANG_SPANISH | SUBLANG_SPANISH_MODERN | 3.24 | data |
| RT_VERSION | 0x00004330 | 0x00000394 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 3.52 | data |
导入
库: KERNEL32.dll:
• 0x7195103c EnumResourceLanguagesW
• 0x71951040 EnumResourceNamesW
• 0x71951044 lstrcatA
• 0x71951048 lstrcpyA
• 0x7195104c CompareStringW
• 0x71951050 CreateDirectoryA
• 0x71951054 CreateDirectoryW
• 0x71951058 GetLastError
• 0x7195105c FindResourceExW
• 0x71951060 GetSystemDefaultLangID
• 0x71951064 GetFileAttributesA
• 0x71951068 GetFileAttributesW
• 0x7195106c GetSystemDirectoryA
• 0x71951070 GetSystemDirectoryW
• 0x71951074 IsBadWritePtr
• 0x71951078 DisableThreadLibraryCalls
• 0x7195107c GlobalAlloc
• 0x71951080 GlobalFree
• 0x71951084 GetWindowsDirectoryW
• 0x71951088 LoadResource
• 0x7195108c LockResource
• 0x71951090 lstrlenA
• 0x71951094 GetWindowsDirectoryA
• 0x71951098 ExpandEnvironmentStringsW
• 0x7195109c GetVersionExA
• 0x719510a0 lstrlenW
• 0x719510a4 MultiByteToWideChar
• 0x719510a8 GetProcAddress
• 0x719510ac LoadLibraryA
• 0x719510b0 FreeLibrary
• 0x719510b4 ExpandEnvironmentStringsA
• 0x719510b8 WideCharToMultiByte
• 0x719510bc lstrcpynW
库: ADVAPI32.dll:
• 0x71951000 InitializeSecurityDescriptor
• 0x71951004 SetSecurityDescriptorDacl
• 0x71951008 InitializeAcl
• 0x7195100c GetAce
• 0x71951010 SetFileSecurityW
• 0x71951014 AddAccessAllowedAce
• 0x71951018 RegSetValueExA
• 0x7195101c LookupAccountSidW
• 0x71951020 RegCreateKeyExA
• 0x71951024 RegOpenKeyA
• 0x71951028 RegSetValueExW
• 0x7195102c RegQueryValueExA
• 0x71951030 RegCloseKey
• 0x71951034 RegQueryValueExW
导出
| 序列 | 地址 | 名称 |
|---|---|---|
| 1 | 0x7195278e | SHGetFolderPathA |
| 2 | 0x71952705 | SHGetFolderPathW |
.text
`.data
.rsrc
@.reloc
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Common Administrative Tools
Common Programs
Common Documents
Common AppData
Administrative Tools
History
Cookies
Cache
Local AppData
AppData
My Music
My Pictures
Personal
DllGetVersion
shlwapi.dll
SHGetFolderPathW
shell32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion
ProfileDirectory
Software\Microsoft\Windows\CurrentVersion\ProfileReconciliation
RegValue
RegKey
Default
MustBeRelative
DefaultDir
LocalFile
CentralFile
*windir
WideCharToMultiByte
GetProcAddress
FreeLibrary
LoadLibraryA
GetVersionExA
MultiByteToWideChar
lstrlenW
lstrlenA
ExpandEnvironmentStringsW
GetWindowsDirectoryA
GetWindowsDirectoryW
LockResource
LoadResource
FindResourceExW
EnumResourceLanguagesW
GetSystemDefaultLangID
EnumResourceNamesW
lstrcatA
lstrcpyA
CompareStringW
CreateDirectoryA
CreateDirectoryW
GetLastError
ExpandEnvironmentStringsA
lstrcpynW
GetFileAttributesA
GetFileAttributesW
GetSystemDirectoryA
GetSystemDirectoryW
IsBadWritePtr
DisableThreadLibraryCalls
GlobalAlloc
GlobalFree
KERNEL32.dll
RegCloseKey
RegQueryValueExA
RegQueryValueExW
RegOpenKeyA
RegCreateKeyExA
RegSetValueExW
RegSetValueExA
AddAccessAllowedAce
LookupAccountSidW
GetAce
InitializeAcl
SetFileSecurityW
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
ADVAPI32.dll
SHFOLDER.dll
SHGetFolderPathA
SHGetFolderPathW
70F0X0
819C9V9_9
dll\shfolder.dbg
All Users
n%USERPROFILE%
r%SYSTEMROOT%
CommonFilesDir
ProgramFilesDir
VS_VERSION_INFO
StringFileInfo
040904B0
CompanyName
Microsoft Corporation
FileDescription
Shell Folder Service
FileVersion
5.50.4807.2300
InternalName
shfolder
LegalCopyright
Copyright (C) Microsoft Corp. 1981-2001
OriginalFilename
shfolder.dll
ProductName
Microsoft(R) Windows (R) 2000 Operating System
ProductVersion
5.50.4807.2300
OleSelfRegister
VarFileInfo
Translation
My Music
sicas
My Music
Hudba
Musik
Eigene Musik
Oma musiikki
Ma musique
Musica
My Music
My Music
Mijn muziek
Min musikk
Moja muzyka
Min musik
My Music
Musika
Hudba
Moja glasba
| 防病毒引擎/厂商 | 病毒名/规则匹配 | 病毒库日期 |
|---|---|---|
| Bkav | 未发现病毒 | 20161108 |
| MicroWorld-eScan | 未发现病毒 | 20161108 |
| nProtect | 未发现病毒 | 20161108 |
| CMC | 未发现病毒 | 20161108 |
| CAT-QuickHeal | 未发现病毒 | 20161108 |
| McAfee | 未发现病毒 | 20161108 |
| Malwarebytes | 未发现病毒 | 20161108 |
| VIPRE | 未发现病毒 | 20161108 |
| AegisLab | 未发现病毒 | 20161108 |
| TheHacker | 未发现病毒 | 20161106 |
| K7GW | 未发现病毒 | 20161108 |
| K7AntiVirus | 未发现病毒 | 20161108 |
| TrendMicro | 未发现病毒 | 20161108 |
| Baidu | 未发现病毒 | 20161107 |
| F-Prot | 未发现病毒 | 20161108 |
| Symantec | 未发现病毒 | 20161108 |
| TotalDefense | 未发现病毒 | 20161108 |
| TrendMicro-HouseCall | 未发现病毒 | 20161108 |
| Avast | 未发现病毒 | 20161108 |
| ClamAV | 未发现病毒 | 20161108 |
| Kaspersky | 未发现病毒 | 20161108 |
| BitDefender | 未发现病毒 | 20161108 |
| NANO-Antivirus | 未发现病毒 | 20161108 |
| ViRobot | 未发现病毒 | 20161108 |
| Rising | 未发现病毒 | 20161108 |
| Ad-Aware | 未发现病毒 | 20161108 |
| Sophos | 未发现病毒 | 20161108 |
| Comodo | 未发现病毒 | 20161108 |
| F-Secure | 未发现病毒 | 20161108 |
| DrWeb | 未发现病毒 | 20161108 |
| Zillya | 未发现病毒 | 20161108 |
| Invincea | 未发现病毒 | 20161018 |
| McAfee-GW-Edition | 未发现病毒 | 20161108 |
| Emsisoft | 未发现病毒 | 20161108 |
| Cyren | 未发现病毒 | 20161108 |
| Jiangmin | 未发现病毒 | 20161108 |
| Avira | 未发现病毒 | 20161108 |
| Antiy-AVL | 未发现病毒 | 20161108 |
| Kingsoft | 未发现病毒 | 20161108 |
| Microsoft | 未发现病毒 | 20161108 |
| Arcabit | 未发现病毒 | 20161108 |
| SUPERAntiSpyware | 未发现病毒 | 20161108 |
| GData | 未发现病毒 | 20161108 |
| AhnLab-V3 | 未发现病毒 | 20161108 |
| ALYac | 未发现病毒 | 20161108 |
| AVware | 未发现病毒 | 20161108 |
| VBA32 | 未发现病毒 | 20161108 |
| Zoner | 未发现病毒 | 20161108 |
| ESET-NOD32 | 未发现病毒 | 20161108 |
| Tencent | 未发现病毒 | 20161108 |
| Yandex | 未发现病毒 | 20161108 |
| Ikarus | 未发现病毒 | 20161108 |
| Fortinet | 未发现病毒 | 20161108 |
| AVG | 未发现病毒 | 20161108 |
| Panda | 未发现病毒 | 20161108 |
| CrowdStrike | 未发现病毒 | 20161024 |
| Qihoo-360 | 未发现病毒 | 20161108 |
访问主机纪录 (可点击查询WPING实时安全评级)
无主机纪录.
TCP
无TCP连接纪录.
UDP
无UDP连接纪录.
域名解析 (可点击查询WPING实时安全评级)
无域名信息.
TCP
无TCP连接纪录.
UDP
无UDP连接纪录.
HTTP 请求
未发现HTTP请求.
SMTP 流量
无SMTP流量.
IRC 流量
无IRC请求.
ICMP 流量
无ICMP流量.
CIF 报告
无 CIF 结果
网络警报
无警报
TLS
No TLS
Suricata HTTP
No Suricata HTTP
未发现网络提取文件
抱歉! 没有任何文件投放。
没有发现相似的分析.
| HTML 总结报告 (需15-60分钟同步) |
下载 |
|---|
Processing ( 33.552 seconds )
- 32.595 VirusTotal
- 0.309 Static
- 0.221 peid
- 0.187 TargetInfo
- 0.136 BehaviorAnalysis
- 0.044 NetworkAnalysis
- 0.024 AnalysisInfo
- 0.012 Strings
- 0.009 Debug
- 0.008 config_decoder
- 0.003 Dropped
- 0.002 Memory
- 0.002 ProcessMemory
Signatures ( 0.083 seconds )
- 0.019 antiav_detectreg
- 0.008 infostealer_ftp
- 0.006 md_bad_drop
- 0.005 persistence_autorun
- 0.005 antiav_detectfile
- 0.005 infostealer_im
- 0.004 stealth_timeout
- 0.004 antianalysis_detectreg
- 0.004 infostealer_mail
- 0.004 ransomware_files
- 0.003 infostealer_bitcoin
- 0.002 tinba_behavior
- 0.002 antivm_vbox_files
- 0.002 geodo_banking_trojan
- 0.002 disables_browser_warn
- 0.001 betabot_behavior
- 0.001 kibex_behavior
- 0.001 antianalysis_detectfile
- 0.001 banker_zeus_mutex
- 0.001 bot_drive
- 0.001 bot_drive2
- 0.001 modify_proxy
- 0.001 browser_security
Reporting ( 1.527 seconds )
- 0.853 ReportPDF
- 0.66 ReportHTMLSummary
- 0.014 Malheur
| Task ID | 49133 |
|---|---|
| Mongo ID | 58272e504d3bd06eed9829a5 |
| Cuckoo release | 1.4-Maldun |
沪公网安备 31011502009736号