比较分析...

分析任务

分析类型 虚拟机标签 开始时间 结束时间 持续时间
文件 (Windows) win7-sp1-x64-shaapp03-1 2021-04-08 23:22:44 2021-04-08 23:24:50 126 秒

魔盾分数

2.9

可疑的

文件详细信息

文件名 RegCool.exe
文件大小 645883 字节
文件类型 PE32 executable (GUI) Intel 80386, for MS Windows
MD5 5a571b3ff715e1257404ceec115d8a8d
SHA1 bfdd0161f1645a4a1d5392b0f16957761ae9ad17
SHA256 bcc23324b896724031cbe3cf6ccabd7989502f940cbc3246b459c4247f1bb5e2
SHA512 a2d3c7e91465363cdf24226a8b24f23ded3bd1960e0e9914c0481145bc73fa178735440906f5ac12420fe2866a9873c12e42dba7769dfadf3993dc4414531a1f
CRC32 F445090E
Ssdeep 12288:JFYByswyyyyxyyyyyyyRYYYYjYYYYYYjYYrYYYYYYjYYYYYYYrYYjYYYYYYjYYY+:kByswyyyyxyyyyyyyRYYYYjYYYYYYjY3
Yara 登录查看Yara规则
样本下载 提交漏报
登录查看威胁特征

运行截图

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

域名解析 (可点击查询WPING实时安全评级)

域名 安全评级 响应
acroipm.adobe.com CNAME a1983.dscd.akamai.net
CNAME acroipm.adobe.com.edgesuite.net
A 104.91.68.27
A 104.91.68.75

摘要

登录查看详细行为信息

PE 信息

初始地址 0x00400000
入口地址 0x00403384
声明校验值 0x00000000
实际校验值 0x000ac2dd
最低操作系统版本要求 4.0
编译时间 2019-12-16 08:50:50
载入哈希 7c2c71dfce9a27650634dc8b1ca03bf0
图标
图标精确哈希值 2c779fd77bc369ff3caf58d8cd846469
图标相似性哈希值 920e834209c9f719bc12bc1f22494515

版本信息

FileVersion
FileDescription
Translation

PE 数据组成

名称 虚拟地址 虚拟大小 原始数据大小 特征 熵(Entropy)
.text 0x00001000 0x000060e4 0x00006200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.42
.rdata 0x00008000 0x0000123e 0x00001400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.03
.data 0x0000a000 0x0001a838 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.22
.ndata 0x00025000 0x00008000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x0002d000 0x00028508 0x00028600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.42

覆盖

偏移量 0x00030400
大小 0x0006d6fb

资源

名称 偏移量 大小 语言 子语言 熵(Entropy) 文件类型
RT_ICON 0x00054c50 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 3.08 GLS_BINARY_LSB_FIRST
RT_ICON 0x00054c50 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 3.08 GLS_BINARY_LSB_FIRST
RT_ICON 0x00054c50 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 3.08 GLS_BINARY_LSB_FIRST
RT_ICON 0x00054c50 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 3.08 GLS_BINARY_LSB_FIRST
RT_ICON 0x00054c50 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 3.08 GLS_BINARY_LSB_FIRST
RT_ICON 0x00054c50 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 3.08 GLS_BINARY_LSB_FIRST
RT_ICON 0x00054c50 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 3.08 GLS_BINARY_LSB_FIRST
RT_ICON 0x00054c50 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 3.08 GLS_BINARY_LSB_FIRST
RT_ICON 0x00054c50 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 3.08 GLS_BINARY_LSB_FIRST
RT_DIALOG 0x000552d8 0x00000060 LANG_ENGLISH SUBLANG_ENGLISH_US 2.49 data
RT_DIALOG 0x000552d8 0x00000060 LANG_ENGLISH SUBLANG_ENGLISH_US 2.49 data
RT_DIALOG 0x000552d8 0x00000060 LANG_ENGLISH SUBLANG_ENGLISH_US 2.49 data
RT_GROUP_ICON 0x00055338 0x00000084 LANG_ENGLISH SUBLANG_ENGLISH_US 2.52 MS Windows icon resource - 9 icons, 256x256
RT_VERSION 0x000553c0 0x00000144 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.98 data

导入

库: KERNEL32.dll:
0x408074 CreateFileA
0x408078 GetFileSize
0x40807c GetModuleFileNameA
0x408080 ReadFile
0x408084 GetCurrentProcess
0x408088 CopyFileA
0x40808c Sleep
0x408090 GetTickCount
0x408098 GetTempPathA
0x40809c GetCommandLineA
0x4080a0 lstrlenA
0x4080a4 GetVersion
0x4080a8 SetErrorMode
0x4080ac lstrcpynA
0x4080b0 ExitProcess
0x4080b4 SetFileAttributesA
0x4080b8 GlobalLock
0x4080bc CreateThread
0x4080c0 GetLastError
0x4080c4 CreateDirectoryA
0x4080c8 CreateProcessA
0x4080cc RemoveDirectoryA
0x4080d0 GetTempFileNameA
0x4080d4 WriteFile
0x4080d8 lstrcpyA
0x4080dc MoveFileExA
0x4080e0 lstrcatA
0x4080e4 GetSystemDirectoryA
0x4080e8 GetProcAddress
0x4080ec GetExitCodeProcess
0x4080f0 WaitForSingleObject
0x4080f4 CompareFileTime
0x4080f8 SetFileTime
0x4080fc GetFileAttributesA
0x408104 MoveFileA
0x408108 GetFullPathNameA
0x40810c GetShortPathNameA
0x408110 SearchPathA
0x408114 CloseHandle
0x408118 lstrcmpiA
0x40811c GlobalUnlock
0x408120 GetDiskFreeSpaceA
0x408124 lstrcmpA
0x408128 DeleteFileA
0x40812c FindFirstFileA
0x408130 FindNextFileA
0x408134 FindClose
0x408138 SetFilePointer
0x408144 MulDiv
0x408148 MultiByteToWideChar
0x40814c FreeLibrary
0x408150 LoadLibraryExA
0x408154 GetModuleHandleA
0x408158 GlobalAlloc
0x40815c GlobalFree
库: USER32.dll:
0x408184 GetSystemMenu
0x408188 SetClassLongA
0x40818c EnableMenuItem
0x408190 IsWindowEnabled
0x408194 SetWindowPos
0x408198 GetSysColor
0x40819c GetWindowLongA
0x4081a0 SetCursor
0x4081a4 LoadCursorA
0x4081a8 CheckDlgButton
0x4081ac GetMessagePos
0x4081b0 CallWindowProcA
0x4081b4 IsWindowVisible
0x4081b8 CloseClipboard
0x4081bc SetClipboardData
0x4081c0 EmptyClipboard
0x4081c4 OpenClipboard
0x4081c8 ScreenToClient
0x4081cc GetWindowRect
0x4081d0 GetDlgItem
0x4081d4 GetSystemMetrics
0x4081d8 SetDlgItemTextA
0x4081dc GetDlgItemTextA
0x4081e0 MessageBoxIndirectA
0x4081e4 CharPrevA
0x4081e8 DispatchMessageA
0x4081ec PeekMessageA
0x4081f0 GetDC
0x4081f4 ReleaseDC
0x4081f8 EnableWindow
0x4081fc InvalidateRect
0x408200 SendMessageA
0x408204 DefWindowProcA
0x408208 BeginPaint
0x40820c GetClientRect
0x408210 FillRect
0x408214 EndDialog
0x408218 RegisterClassA
0x408220 CreateWindowExA
0x408224 GetClassInfoA
0x408228 DialogBoxParamA
0x40822c CharNextA
0x408230 ExitWindowsEx
0x408234 LoadImageA
0x408238 CreateDialogParamA
0x40823c SetTimer
0x408240 SetWindowTextA
0x408244 SetForegroundWindow
0x408248 ShowWindow
0x40824c SetWindowLongA
0x408250 SendMessageTimeoutA
0x408254 FindWindowExA
0x408258 IsWindow
0x40825c AppendMenuA
0x408260 TrackPopupMenu
0x408264 CreatePopupMenu
0x408268 DrawTextA
0x40826c EndPaint
0x408270 DestroyWindow
0x408274 wsprintfA
0x408278 PostQuitMessage
库: GDI32.dll:
0x40804c SelectObject
0x408050 SetTextColor
0x408054 SetBkMode
0x408058 CreateFontIndirectA
0x40805c CreateBrushIndirect
0x408060 DeleteObject
0x408064 GetDeviceCaps
0x408068 SetBkColor
库: SHELL32.dll:
0x40816c ShellExecuteExA
0x408174 SHBrowseForFolderA
0x408178 SHGetFileInfoA
0x40817c SHFileOperationA
库: ADVAPI32.dll:
0x408004 RegCreateKeyExA
0x408008 RegOpenKeyExA
0x40800c SetFileSecurityA
0x408010 OpenProcessToken
0x408018 RegEnumValueA
0x40801c RegDeleteKeyA
0x408020 RegDeleteValueA
0x408024 RegCloseKey
0x408028 RegSetValueExA
0x40802c RegQueryValueExA
0x408030 RegEnumKeyA
库: COMCTL32.dll:
0x408038 ImageList_Create
0x40803c ImageList_AddMasked
0x408040 None
0x408044 ImageList_Destroy
库: ole32.dll:
0x408280 OleUninitialize
0x408284 OleInitialize
0x408288 CoTaskMemFree
0x40828c CoCreateInstance
.text
`.rdata
@.data
.ndata
.rsrc
;5lGB
;5lGB
s495lGB
;5lGB
#5 GB
vX95(GB
Vh`GB
;=lGB
Ph:S@
UXTHEME
USERENV
SETUPAPI
APPHELP
PROPSYS
DWMAPI
CRYPTBASE
OLEACC
CLBCATQ
NTMARTA
RichEdit
RichEdit20A
RichEd32
RichEd20
.DEFAULT\Control Panel\International
Control Panel\Desktop\ResourceLocale
Software\Microsoft\Windows\CurrentVersion
\Microsoft\Internet Explorer\Quick Launch
MulDiv
DeleteFileA
FindFirstFileA
FindNextFileA
FindClose
SetFilePointer
GetPrivateProfileStringA
WritePrivateProfileStringA
MultiByteToWideChar
FreeLibrary
LoadLibraryExA
GetModuleHandleA
GlobalAlloc
GlobalFree
ExpandEnvironmentStringsA
lstrcmpA
lstrcmpiA
CloseHandle
SetFileTime
CompareFileTime
SearchPathA
GetShortPathNameA
GetFullPathNameA
MoveFileA
SetCurrentDirectoryA
GetFileAttributesA
SetFileAttributesA
Sleep
GetTickCount
CreateFileA
GetFileSize
GetModuleFileNameA
ReadFile
GetCurrentProcess
CopyFileA
ExitProcess
SetEnvironmentVariableA
GetWindowsDirectoryA
GetTempPathA
GetCommandLineA
lstrlenA
GetVersion
SetErrorMode
lstrcpynA
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
CreateThread
GetLastError
CreateDirectoryA
CreateProcessA
RemoveDirectoryA
GetTempFileNameA
WriteFile
lstrcpyA
MoveFileExA
lstrcatA
GetSystemDirectoryA
GetProcAddress
GetExitCodeProcess
WaitForSingleObject
KERNEL32.dll
EndPaint
DrawTextA
FillRect
GetClientRect
BeginPaint
DefWindowProcA
SendMessageA
InvalidateRect
EnableWindow
ReleaseDC
GetDC
LoadImageA
SetWindowLongA
GetDlgItem
IsWindow
FindWindowExA
SendMessageTimeoutA
wsprintfA
ShowWindow
SetForegroundWindow
PostQuitMessage
SetWindowTextA
SetTimer
CreateDialogParamA
DestroyWindow
ExitWindowsEx
CharNextA
DialogBoxParamA
GetClassInfoA
CreateWindowExA
SystemParametersInfoA
RegisterClassA
EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
TrackPopupMenu
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
USER32.dll
SelectObject
SetTextColor
SetBkMode
CreateFontIndirectA
CreateBrushIndirect
DeleteObject
GetDeviceCaps
SetBkColor
GDI32.dll
SHFileOperationA
SHGetFileInfoA
SHBrowseForFolderA
SHGetPathFromIDListA
ShellExecuteExA
SHGetSpecialFolderLocation
SHELL32.dll
RegEnumValueA
RegEnumKeyA
RegQueryValueExA
RegSetValueExA
RegCloseKey
RegDeleteValueA
RegDeleteKeyA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
SetFileSecurityA
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
ImageList_Destroy
ImageList_AddMasked
ImageList_Create
COMCTL32.dll
CoCreateInstance
OleUninitialize
OleInitialize
CoTaskMemFree
ole32.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
http://nsis.sf.net/NSIS_Error
Error writing temporary file. Make sure your temp folder is valid.
Error launching installer
SeShutdownPrivilege
\Temp
NSIS Error
%u.%u%s%s
VerQueryValueA
GetFileVersionInfoA
GetFileVersionInfoSizeA
VERSION
SHGetFolderPathA
SHFOLDER
SHAutoComplete
SHLWAPI
SHELL32
InitiateShutdownA
RegDeleteKeyExA
ADVAPI32
GetUserDefaultUILanguage
GetDiskFreeSpaceExA
SetDefaultDllDirectories
KERNEL32
*?|<>/":
%s%s.dll
;!w|&4tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5qw$3
&3tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5tz%5
没有防病毒引擎扫描信息!

进程树

RegCool.exe, PID: 2484, 上一级进程 PID: 2148
RegCool.exe, PID: 2712, 上一级进程 PID: 2484
下载PCAP包

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

TCP

源地址 源端口 目标地址 目标端口
192.168.122.201 49161 104.91.68.75 acroipm.adobe.com 80

UDP

源地址 源端口 目标地址 目标端口
192.168.122.201 59401 192.168.122.1 53

域名解析 (可点击查询WPING实时安全评级)

域名 安全评级 响应
acroipm.adobe.com CNAME a1983.dscd.akamai.net
CNAME acroipm.adobe.com.edgesuite.net
A 104.91.68.27
A 104.91.68.75

TCP

源地址 源端口 目标地址 目标端口
192.168.122.201 49161 104.91.68.75 acroipm.adobe.com 80

UDP

源地址 源端口 目标地址 目标端口
192.168.122.201 59401 192.168.122.1 53

HTTP 请求

URI HTTP数据
URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip 
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

无警报

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件
抱歉! 没有任何文件投放。
没有发现相似的分析.
HTML 总结报告
(需15-60分钟同步)		 下载

Processing ( 16.567 seconds )

  • 12.21 Suricata
  • 1.287 VirusTotal
  • 0.823 Static
  • 0.764 NetworkAnalysis
  • 0.681 BehaviorAnalysis
  • 0.407 peid
  • 0.37 TargetInfo
  • 0.012 AnalysisInfo
  • 0.01 Strings
  • 0.002 Memory
  • 0.001 config_decoder

Signatures ( 1.713 seconds )

  • 1.404 md_url_bl
  • 0.043 api_spamming
  • 0.036 stealth_decoy_document
  • 0.033 stealth_timeout
  • 0.027 antiav_detectreg
  • 0.012 infostealer_ftp
  • 0.011 md_domain_bl
  • 0.007 antiav_detectfile
  • 0.007 infostealer_im
  • 0.006 infostealer_mail
  • 0.005 bootkit
  • 0.005 infostealer_browser
  • 0.005 mimics_filetime
  • 0.005 reads_self
  • 0.005 anomaly_persistence_autorun
  • 0.005 antidbg_windows
  • 0.005 virus
  • 0.005 antianalysis_detectreg
  • 0.005 geodo_banking_trojan
  • 0.005 infostealer_bitcoin
  • 0.005 ransomware_files
  • 0.004 antivm_generic_disk
  • 0.004 ransomware_extensions
  • 0.003 stealth_file
  • 0.003 ipc_namedpipe
  • 0.003 infostealer_browser_password
  • 0.003 antivm_vbox_files
  • 0.003 network_http
  • 0.002 tinba_behavior
  • 0.002 sets_autoconfig_url
  • 0.002 antivm_generic_scsi
  • 0.002 hancitor_behavior
  • 0.002 securityxploded_modules
  • 0.002 disables_browser_warn
  • 0.002 network_torgateway
  • 0.001 antiemu_wine_func
  • 0.001 antivm_vbox_libs
  • 0.001 rat_nanocore
  • 0.001 disables_spdy
  • 0.001 maldun_malicious_write_executeable_under_temp_to_regrun
  • 0.001 maldun_anomaly_write_exe_and_obsfucate_extension
  • 0.001 maldun_anomaly_massive_file_ops
  • 0.001 injection_createremotethread
  • 0.001 antivm_generic_services
  • 0.001 ransomware_message
  • 0.001 antivm_vbox_window
  • 0.001 betabot_behavior
  • 0.001 ransomeware_modifies_desktop_wallpaper
  • 0.001 kibex_behavior
  • 0.001 anormaly_invoke_kills
  • 0.001 disables_wfp
  • 0.001 cerber_behavior
  • 0.001 injection_runpe
  • 0.001 kovter_behavior
  • 0.001 antidbg_devices
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_xen_keys
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 darkcomet_regkeys
  • 0.001 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 md_bad_drop
  • 0.001 network_cnc_http
  • 0.001 rat_pcclient
  • 0.001 recon_fingerprint
  • 0.001 stealth_modify_uac_prompt

Reporting ( 0.582 seconds )

  • 0.58 ReportHTMLSummary
  • 0.002 Malheur
Task ID 628812
Mongo ID 606f20607e769a06aceb2b5d
Cuckoo release 1.4-Maldun