Analysis Task

Analysis type  File (Windows)
VM label  win7-sp1-x64-hpdapp01-1
Start time  2019-03-18 01:02:46
End time  2019-03-18 01:03:29
Duration  43 seconds

Maldun Score

10.0

Dangerous

File Details

File name  荒野奇迹.exe
File size  1032192 bytes
File type  PE32 executable (GUI) Intel 80386, for MS Windows
MD5  72af624597dda546eb312044b5110aec
SHA1  2a2bc7e782c3c30f084a0287efbb5186d6828b5a
SHA256  be57625dd38ee61d799fff4083646c9d13ed55488642c3d696f5c822ba7aff84
SHA512  6f1303f3661e254a96cc9e967af82117c18a8bdb2dc8c9c0c08526221c514c3f2f296a7a212e9417119841b0b349b8e12d9ad98715a8838d39ccd60a5d941cae
CRC32  87B78A11
Ssdeep  12288:zt0swH2/zTIAp24DolMUN9y/DhNyTxy4NZopcuCTo:J/TIY2MolMUHy7hQly4NZm/
Yara
  • Detected 32bit PE signature
  • Detected Rich Signature
  • Code injection with CreateRemoteThread in a remote process
  • Create a new process
  • Detected escalate privileges function
  • Detected take screenshot function
  • Run a keylogger
  • Affect system registries
  • Change registries to affect system
  • Affect system token
  • Affect private profile
  • Affect hook table
  • Detects malicious behaviors from a small size app
  • Detected no presence of any attachment
  • Detected the presence of one or more images
  • Detected the presence of one or more URLs
  • Looks for big numbers (32-bit sized)
  • Looks for CRC32 polynomial
  • Looks for CRC32 table
  • Looks for MD5 constants
  • Detects program has encryption or decryption logic

These Yara matches are static: they fire on strings and import names in the file, not on observed behaviour. CreateRemoteThread appears in neither the import table nor the resolved-API list below, and the dynamic run recorded a single process, no network traffic and no dropped files, so the injection, keylogger and screenshot hits describe capabilities the binary references, not actions seen in the 43-second run.

Hosts contacted

No host records.

Domain resolution

No domain information.


Summary

Files

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Fonts\staticcache.dat
C:\Users\test\AppData\Local\Temp\user32.DLL
C:\Users\test\AppData\Local\Temp\kernel32.dll
C:\Users\test\AppData\Local\Temp\user32.dll
C:\Users\test\AppData\Local\Temp\dwmapi.dll
C:\Users\test\AppData\Local\Temp\d3d9.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Fonts\staticcache.dat

Registry keys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\____________.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Direct3D\LoadDebugRuntime
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Direct3D\ForceDriverFlagsOff
HKEY_LOCAL_MACHINE\Software\Microsoft\DirectDraw\GammaCalibrator
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Direct3D\Drivers\SoftwareOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Direct3D\UseVSConverter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Direct3D\UsePSConverter
HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Direct3D\LoadDebugRuntime
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Direct3D\ForceDriverFlagsOff
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Direct3D\Drivers\SoftwareOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Direct3D\UseVSConverter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Direct3D\UsePSConverter

Resolved APIs

kernel32.dll.IsProcessorFeaturePresent
cryptbase.dll.SystemFunction036
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
d3d9.dll.Direct3DCreate9
kernel32.dll.GetCurrentProcess
user32.dll.SetWindowLongA
user32.dll.SetLayeredWindowAttributes
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.Process32First
kernel32.dll.Process32Next
kernel32.dll.CloseHandle
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
user32.dll.EnumWindows
user32.dll.IsWindowVisible
user32.dll.GetWindowTextA
advapi32.dll.RegCloseKey
user32.dll.GetClassNameA
user32.dll.GetWindowThreadProcessId
advapi32.dll.RegQueryValueExW
kernel32.dll.OpenProcess
user32.dll.GetClientRect
user32.dll.GetWindowRect
kernel32.dll.CreateThread
advapi32.dll.RegQueryValueExA
kernel32.dll.ReadProcessMemory
advapi32.dll.RegEnumKeyExW
kernel32.dll.LoadLibraryA
kernel32.dll.Sleep
kernel32.dll.GetProcAddress
shlwapi.dll.StrToIntExA
kernel32.dll.lstrcpyn
gdi32.dll.GetTextExtentExPointWPri
user32.dll.CallWindowProcA
kernel32.dll.WriteProcessMemory
user32.dll.GetWindowInfo
user32.dll.MoveWindow
kernel32.dll.WaitForSingleObject
user32.dll.RegisterClassExA
user32.dll.CreateWindowExA
comctl32.dll.RegisterClassNameW
user32.dll.DefWindowProcA
uxtheme.dll.EnableThemeDialogTexture
uxtheme.dll.OpenThemeData
user32.dll.SetWindowPos
user32.dll.ShowWindow
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
user32.dll.GetSystemMetrics
user32.dll.MonitorFromWindow
user32.dll.UpdateWindow
dwmapi.dll.DwmExtendFrameIntoClientArea
user32.dll.MonitorFromRect
user32.dll.MonitorFromPoint
user32.dll.EnumDisplayMonitors
user32.dll.GetMonitorInfoA
gdi32.dll.GetFontAssocStatus
user32.dll.BringWindowToTop
user32.dll.GetMessageA
user32.dll.TranslateMessage
user32.dll.DispatchMessageA
oleaut32.dll.SysAllocString
oleaut32.dll.SysStringLen
oleaut32.dll.SysFreeString
oleaut32.dll.#500

Mutexes

Local\MSCTF.Asm.MutexDefault1
Local\__DDrawExclMode__
Local\__DDrawCheckExclMode__
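
As an added example (not code from the Maldun report, the sandbox, or the sample), the Python below runs a capability-cluster check over the resolved-API list above and the static import table further down. The API names are copied from this page; the clusters, the all-members-required rule and the "partial" category are this example's own heuristic, not the sandbox's scoring. It shows why the CreateRemoteThread Yara hit does not become an injection cluster here: the function is absent from both lists, so only the cross-process memory, enumeration and hook primitives fire.

```python
"""Capability-cluster triage over a sandbox report's API lists.

Added example: not code from the Maldun/Cuckoo report or from the sample.
The API names below are copied from this report's resolved-API list and
static import table; the clusters and the all-members-required rule are
this example's own heuristic, not the sandbox's scoring.
"""
from collections import defaultdict

# Sample input constructed from the report's "dll.Function" lines (a subset).
RESOLVED_APIS = """
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.Process32First
kernel32.dll.Process32Next
kernel32.dll.OpenProcess
kernel32.dll.ReadProcessMemory
kernel32.dll.WriteProcessMemory
kernel32.dll.CreateThread
kernel32.dll.LoadLibraryA
kernel32.dll.GetProcAddress
user32.dll.EnumWindows
user32.dll.GetWindowTextA
user32.dll.GetWindowThreadProcessId
user32.dll.SetWindowLongA
oleaut32.dll.#500
"""

# Constructed from the static import table on this page (a subset).
STATIC_IMPORTS = frozenset({
    "SetWindowsHookExA", "CallNextHookEx", "UnhookWindowsHookEx",
    "GetKeyState", "WinExec", "ShellExecuteA", "RegSetValueExA",
})

# A cluster fires only when every member is present, so a lone
# ReadProcessMemory (debuggers, trainers, crash reporters) scores nothing.
CLUSTERS = {
    "process_enumeration": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "cross_process_memory": {"OpenProcess", "ReadProcessMemory", "WriteProcessMemory"},
    "remote_thread_injection": {"OpenProcess", "WriteProcessMemory", "CreateRemoteThread"},
    "window_enumeration": {"EnumWindows", "GetWindowTextA", "GetWindowThreadProcessId"},
    "windows_hook": {"SetWindowsHookExA", "CallNextHookEx", "UnhookWindowsHookEx"},
    "dynamic_resolution": {"LoadLibraryA", "GetProcAddress"},
    "launch_external_program": {"WinExec", "ShellExecuteA"},
}


def parse_resolved_apis(text):
    """Map each function name to the set of DLLs it was resolved from.

    Ordinal-only entries such as 'oleaut32.dll.#500' are kept under their
    '#ordinal' name: visible in the output, but they never match a cluster.
    """
    funcs = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # rpartition, because the DLL part itself contains a dot.
        dll, _, func = line.rpartition(".")
        if dll and func:
            funcs[func].add(dll.lower())
    return dict(funcs)


def triage(resolved, static_imports=frozenset()):
    """Return (fired, partial).

    fired:   clusters whose members are all present (sorted by name).
    partial: clusters missing exactly one member, mapped to that member;
             worth a second look in the disassembly, not a verdict.
    """
    present = set(resolved) | set(static_imports)
    fired, partial = [], {}
    for name, members in sorted(CLUSTERS.items()):
        missing = members - present
        if not missing:
            fired.append(name)
        elif len(missing) == 1:
            partial[name] = next(iter(missing))
    return fired, partial


if __name__ == "__main__":
    fired, partial = triage(parse_resolved_apis(RESOLVED_APIS), STATIC_IMPORTS)
    print("fired:  ", fired)
    print("partial:", partial)
```

On this report's lists the cross-process memory, process and window enumeration, Windows-hook, dynamic-resolution and external-launch clusters fire, and remote_thread_injection is reported as partial with CreateRemoteThread missing. A real triage would feed the full lists rather than the subset embedded here, and would treat partial clusters as a prompt to look at the code, since the missing function may be resolved by hash or ordinal rather than by name.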

PE Information

Image base  0x00400000
Entry point  0x0048656e
Declared checksum  0x00000000
Actual checksum  0x00104ac8
Minimum OS version  4.0
Compile time  2019-01-06 12:58:51
Import hash (imphash)  032850badba9dbed7d407801c1002f4d

The entry point lies inside .text (0x00401000 to 0x004a5a62 from the section table below), as expected for an unpacked image.
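
The checksum pair above (declared 0x00000000, actual 0x00104ac8) is often misread as tampering. As an added example, not from the report, the Python below implements the PE header checksum algorithm (16-bit one's-complement sum over the image with the CheckSum field skipped, plus the file length) and a verify() that distinguishes an unset field from a real mismatch. The 312-byte PE header stub it runs on is constructed here; the expected value is for that stub, not for the report's sample, whose bytes are not on the page.

```python
"""PE header checksum (the algorithm behind OptionalHeader.CheckSum) in pure Python.

Added example: not from the report. It shows how an 'actual checksum' such as
the report's 0x00104ac8 is derived, and why a declared value of 0 means the
field was never written rather than that the file was altered. The 312-byte
PE header stub is constructed for this example; the sample's own bytes are
not on the page, so its checksum cannot be reproduced here.
"""
import struct


def checksum_field_offset(data):
    """Offset of OptionalHeader.CheckSum: e_lfanew + 4 (PE signature)
    + 20 (file header) + 64; the same for PE32 and PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data):
    """One's-complement sum of the image as 16-bit little-endian words,
    with the 4-byte CheckSum field skipped, plus the image length."""
    skip = checksum_field_offset(data)
    total = 0
    for off in range(0, len(data) - 1, 2):
        if skip <= off < skip + 4:
            continue
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry
    if len(data) & 1:                                # trailing odd byte
        total += data[-1]
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF


def verify(data):
    """Return (declared, actual, verdict).

    'unset'    : field is zero; the linker never wrote one (common for
                 user-mode executables), not evidence of tampering
    'ok'       : declared == recomputed
    'mismatch' : non-zero declared value that does not match; the header
                 or body was modified after linking, or the file is truncated
    """
    declared = struct.unpack_from("<I", data, checksum_field_offset(data))[0]
    actual = pe_checksum(data)
    if declared == 0:
        verdict = "unset"
    elif declared == actual:
        verdict = "ok"
    else:
        verdict = "mismatch"
    return declared, actual, verdict


def build_stub(checksum_value=0):
    """Minimal, non-loadable PE32 header (constructed test input):
    64-byte DOS header, PE signature, 20-byte file header, 224-byte optional header."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew -> PE signature
    file_hdr = bytearray(20)                          # all-zero for the stub
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 64, checksum_value)   # CheckSum field
    return bytes(dos + b"PE\0\0" + file_hdr + opt)


if __name__ == "__main__":
    stub = build_stub()
    print("declared=0x%08x actual=0x%08x verdict=%s" % verify(stub))
```

Run against a real file, read it whole and pass the bytes to verify(); the value agrees with what pefile's generate_checksum() and the report's "actual checksum" compute. Only a non-zero declared value that disagrees with the recomputed one says anything about modification; Windows itself enforces the field only for drivers and a few system binaries.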

Version Information (all fields present but empty)

LegalCopyright
FileVersion
CompanyName
Comments
ProductName
ProductVersion
FileDescription
Translation

PE Sections

Name  Virtual address  Virtual size  Raw data size  Characteristics  Entropy
.text 0x00001000 0x000a4a62 0x000a5000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.64
.rdata 0x000a6000 0x0002379a 0x00024000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.70
.data 0x000ca000 0x000434ea 0x0001c000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.00
.rsrc 0x0010e000 0x000156d0 0x00016000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.22

Imports

Library: WINMM.dll
0x4a6610 midiStreamOut
0x4a6620 waveOutWrite
0x4a6624 waveOutPause
0x4a6628 waveOutReset
0x4a662c waveOutClose
0x4a6630 waveOutGetNumDevs
0x4a6634 waveOutOpen
0x4a6638 midiStreamStop
0x4a663c midiOutReset
0x4a6640 midiStreamClose
0x4a6644 midiStreamRestart
0x4a664c midiStreamOpen
0x4a6650 midiStreamProperty
Library: WS2_32.dll
0x4a6668 WSACleanup
0x4a666c closesocket
0x4a6670 getpeername
0x4a6674 accept
0x4a6678 WSAAsyncSelect
0x4a667c recvfrom
0x4a6680 ioctlsocket
0x4a6684 inet_ntoa
0x4a6688 recv
Library: KERNEL32.dll
0x4a6178 TerminateProcess
0x4a617c SetLastError
0x4a6184 GetVersion
0x4a6190 GetFileSize
0x4a6198 lstrcmpiA
0x4a61a0 GetACP
0x4a61a4 HeapSize
0x4a61a8 RaiseException
0x4a61ac GetLocalTime
0x4a61b0 GetSystemTime
0x4a61b4 RtlUnwind
0x4a61b8 GetStartupInfoA
0x4a61bc GetOEMCP
0x4a61c0 GetCPInfo
0x4a61c4 GetProcessVersion
0x4a61c8 SetErrorMode
0x4a61cc GlobalFlags
0x4a61d0 GetCurrentThread
0x4a61d4 GetFileTime
0x4a61d8 TlsGetValue
0x4a61dc LocalReAlloc
0x4a61e0 TlsSetValue
0x4a61e4 TlsFree
0x4a61e8 GlobalHandle
0x4a61ec TlsAlloc
0x4a61f0 LocalAlloc
0x4a61f4 lstrcmpA
0x4a61f8 GlobalGetAtomNameA
0x4a61fc GlobalAddAtomA
0x4a6200 GlobalFindAtomA
0x4a6204 GlobalDeleteAtom
0x4a6208 SetEndOfFile
0x4a620c UnlockFile
0x4a6210 LockFile
0x4a6214 FlushFileBuffers
0x4a6218 DuplicateHandle
0x4a621c lstrcpynA
0x4a6228 LocalFree
0x4a622c SetFilePointer
0x4a6230 WideCharToMultiByte
0x4a6234 MultiByteToWideChar
0x4a6238 GetCurrentProcess
0x4a623c GetSystemDirectoryA
0x4a6240 CreateSemaphoreA
0x4a6244 ResumeThread
0x4a6248 ReleaseSemaphore
0x4a6254 GetProfileStringA
0x4a6258 WriteFile
0x4a6260 CreateFileA
0x4a6264 SetEvent
0x4a6268 FindResourceA
0x4a626c LoadResource
0x4a6270 LockResource
0x4a6274 ReadFile
0x4a6278 GetModuleFileNameA
0x4a627c GetCurrentThreadId
0x4a6280 ExitProcess
0x4a6284 GlobalSize
0x4a6288 GlobalFree
0x4a6294 lstrcatA
0x4a6298 InterlockedExchange
0x4a629c lstrlenA
0x4a62a0 WinExec
0x4a62a4 lstrcpyA
0x4a62a8 FindNextFileA
0x4a62ac GlobalReAlloc
0x4a62b0 HeapFree
0x4a62b4 HeapReAlloc
0x4a62b8 GetProcessHeap
0x4a62bc HeapAlloc
0x4a62c0 GetFullPathNameA
0x4a62c4 FreeLibrary
0x4a62c8 LoadLibraryA
0x4a62cc GetLastError
0x4a62d0 GetVersionExA
0x4a62d8 CreateThread
0x4a62dc CreateEventA
0x4a62e0 Sleep
0x4a62e4 GlobalAlloc
0x4a62e8 GlobalLock
0x4a62ec GlobalUnlock
0x4a62f0 FindFirstFileA
0x4a62f4 FindClose
0x4a62f8 GetFileAttributesA
0x4a6304 GetModuleHandleA
0x4a6308 GetProcAddress
0x4a630c MulDiv
0x4a6310 GetCommandLineA
0x4a6314 GetTickCount
0x4a6318 WaitForSingleObject
0x4a631c CloseHandle
0x4a6330 SetHandleCount
0x4a6334 GetStdHandle
0x4a6338 GetFileType
0x4a6340 HeapDestroy
0x4a6344 HeapCreate
0x4a6348 VirtualFree
0x4a6350 LCMapStringA
0x4a6354 LCMapStringW
0x4a6358 VirtualAlloc
0x4a635c IsBadWritePtr
0x4a6364 GetStringTypeA
0x4a6368 GetStringTypeW
0x4a636c CompareStringA
0x4a6370 CompareStringW
0x4a6374 IsBadReadPtr
0x4a6378 IsBadCodePtr
0x4a637c SetStdHandle
0x4a6380 GetSystemInfo
Library: USER32.dll
0x4a63a4 SetFocus
0x4a63a8 IsIconic
0x4a63ac PeekMessageA
0x4a63b0 SetMenu
0x4a63b4 GetMenu
0x4a63b8 GetActiveWindow
0x4a63bc GetWindow
0x4a63c4 SetWindowRgn
0x4a63c8 GetMessagePos
0x4a63cc ScreenToClient
0x4a63d4 CopyRect
0x4a63d8 DeleteMenu
0x4a63dc GetSystemMenu
0x4a63e0 DefWindowProcA
0x4a63e4 GetClassInfoA
0x4a63e8 IsZoomed
0x4a63ec PostQuitMessage
0x4a63f4 GetKeyState
0x4a63fc IsWindowEnabled
0x4a6400 ShowWindow
0x4a6408 LoadImageA
0x4a6410 ClientToScreen
0x4a6414 EnableMenuItem
0x4a6418 GetSubMenu
0x4a641c GetDlgCtrlID
0x4a6424 CreateMenu
0x4a6428 AppendMenuA
0x4a642c CreatePopupMenu
0x4a6430 LoadBitmapA
0x4a6434 WinHelpA
0x4a6438 KillTimer
0x4a643c SetTimer
0x4a6440 ReleaseCapture
0x4a6444 GetCapture
0x4a6448 SetCapture
0x4a644c GetScrollRange
0x4a6450 SetScrollRange
0x4a6454 SetScrollPos
0x4a6458 SetRect
0x4a645c InflateRect
0x4a6460 IntersectRect
0x4a6464 DestroyIcon
0x4a6468 PtInRect
0x4a646c GetSysColorBrush
0x4a6470 OffsetRect
0x4a6474 IsWindowVisible
0x4a6478 EnableWindow
0x4a647c RedrawWindow
0x4a6480 GetWindowLongA
0x4a6484 SetWindowLongA
0x4a6488 GetSysColor
0x4a648c SetActiveWindow
0x4a6490 SetCursorPos
0x4a6494 LoadCursorA
0x4a6498 SetCursor
0x4a649c GetDC
0x4a64a0 FillRect
0x4a64a4 IsRectEmpty
0x4a64a8 ReleaseDC
0x4a64ac IsChild
0x4a64b0 DestroyMenu
0x4a64b4 SetForegroundWindow
0x4a64b8 GetWindowRect
0x4a64bc EqualRect
0x4a64c0 UpdateWindow
0x4a64c4 ValidateRect
0x4a64c8 InvalidateRect
0x4a64cc GetClientRect
0x4a64d0 GetFocus
0x4a64d4 GetParent
0x4a64d8 GetTopWindow
0x4a64dc PostMessageA
0x4a64e0 IsWindow
0x4a64e4 SetParent
0x4a64e8 DestroyCursor
0x4a64ec SendMessageA
0x4a64f0 SetWindowPos
0x4a64f4 MessageBoxA
0x4a64f8 GetCursorPos
0x4a64fc GetSystemMetrics
0x4a6500 EmptyClipboard
0x4a6504 SetClipboardData
0x4a6508 OpenClipboard
0x4a650c GetClipboardData
0x4a6510 CloseClipboard
0x4a6514 wsprintfA
0x4a6518 DrawIconEx
0x4a6528 SetRectEmpty
0x4a652c DispatchMessageA
0x4a6530 GetMessageA
0x4a6534 WindowFromPoint
0x4a6538 DrawFocusRect
0x4a653c DrawEdge
0x4a6540 DrawFrameControl
0x4a6544 TranslateMessage
0x4a6548 LoadIconA
0x4a654c GetForegroundWindow
0x4a6550 GetDesktopWindow
0x4a6554 GetClassNameA
0x4a6558 GetDlgItem
0x4a655c GetWindowTextA
0x4a6560 UnregisterClassA
0x4a6564 ModifyMenuA
0x4a656c CharUpperA
0x4a6570 GetWindowDC
0x4a6574 BeginPaint
0x4a6578 EndPaint
0x4a657c TabbedTextOutA
0x4a6580 DrawTextA
0x4a6584 GrayStringA
0x4a6588 DestroyWindow
0x4a6590 EndDialog
0x4a6594 GetNextDlgTabItem
0x4a6598 GetWindowPlacement
0x4a65a0 GetLastActivePopup
0x4a65a4 GetMessageTime
0x4a65a8 RemovePropA
0x4a65ac CallWindowProcA
0x4a65b0 GetPropA
0x4a65b4 UnhookWindowsHookEx
0x4a65b8 SetPropA
0x4a65bc GetClassLongA
0x4a65c0 CallNextHookEx
0x4a65c4 SetWindowsHookExA
0x4a65c8 CreateWindowExA
0x4a65cc GetMenuItemID
0x4a65d0 GetMenuItemCount
0x4a65d4 RegisterClassA
0x4a65d8 GetScrollPos
0x4a65dc AdjustWindowRectEx
0x4a65e0 MapWindowPoints
0x4a65e4 SendDlgItemMessageA
0x4a65e8 ScrollWindowEx
0x4a65ec IsDialogMessageA
0x4a65f0 SetWindowTextA
0x4a65f4 MoveWindow
0x4a65f8 CheckMenuItem
0x4a65fc SetMenuItemBitmaps
0x4a6600 GetMenuState
0x4a6608 LoadStringA
Library: GDI32.dll
0x4a602c Escape
0x4a6030 ExtTextOutA
0x4a6034 TextOutA
0x4a6038 RectVisible
0x4a603c PtVisible
0x4a6040 GetViewportExtEx
0x4a6044 ExtSelectClipRgn
0x4a6048 EndDoc
0x4a604c DeleteDC
0x4a6050 StartDocA
0x4a6054 StartPage
0x4a6058 BitBlt
0x4a605c CreateCompatibleDC
0x4a6060 Ellipse
0x4a6064 Rectangle
0x4a6068 LPtoDP
0x4a606c DPtoLP
0x4a6070 GetCurrentObject
0x4a6074 RoundRect
0x4a6078 GetTextMetricsA
0x4a6080 GetDeviceCaps
0x4a6084 CreatePolygonRgn
0x4a6088 GetClipRgn
0x4a608c SetStretchBltMode
0x4a6094 SetBkColor
0x4a6098 LineTo
0x4a609c MoveToEx
0x4a60a0 ExcludeClipRect
0x4a60a4 GetClipBox
0x4a60a8 ScaleWindowExtEx
0x4a60ac SetWindowExtEx
0x4a60b0 SetWindowOrgEx
0x4a60b4 EndPage
0x4a60b8 CreateFontIndirectA
0x4a60bc GetStockObject
0x4a60c0 CreateSolidBrush
0x4a60c4 FillRgn
0x4a60c8 CreateRectRgn
0x4a60cc CombineRgn
0x4a60d0 PatBlt
0x4a60d4 CreatePen
0x4a60d8 GetObjectA
0x4a60dc SelectObject
0x4a60e0 CreateBitmap
0x4a60e4 CreateDCA
0x4a60ec GetPolyFillMode
0x4a60f0 GetStretchBltMode
0x4a60f4 GetROP2
0x4a60f8 GetBkColor
0x4a60fc GetBkMode
0x4a6100 GetTextColor
0x4a6104 CreateRoundRectRgn
0x4a6108 CreateEllipticRgn
0x4a610c PathToRegion
0x4a6110 EndPath
0x4a6114 BeginPath
0x4a6118 ScaleViewportExtEx
0x4a611c SetViewportExtEx
0x4a6120 OffsetViewportOrgEx
0x4a6124 SetViewportOrgEx
0x4a6128 SetMapMode
0x4a612c SetTextColor
0x4a6130 SetROP2
0x4a6134 SetPolyFillMode
0x4a6138 GetWindowOrgEx
0x4a613c GetViewportOrgEx
0x4a6140 GetWindowExtEx
0x4a6144 SelectClipRgn
0x4a6148 RealizePalette
0x4a614c SelectPalette
0x4a6150 StretchBlt
0x4a6154 CreatePalette
0x4a615c CreateDIBitmap
0x4a6160 GetDIBits
0x4a6164 SetBkMode
0x4a6168 RestoreDC
0x4a616c SaveDC
0x4a6170 DeleteObject
Library: WINSPOOL.DRV
0x4a6658 OpenPrinterA
0x4a665c DocumentPropertiesA
0x4a6660 ClosePrinter
Library: ADVAPI32.dll
0x4a6000 RegQueryValueExA
0x4a6004 RegOpenKeyExA
0x4a6008 RegSetValueExA
0x4a600c RegQueryValueA
0x4a6010 RegCreateKeyExA
0x4a6014 RegOpenKeyA
0x4a6018 RegCloseKey
Library: SHELL32.dll
0x4a6398 ShellExecuteA
0x4a639c Shell_NotifyIconA
Library: ole32.dll
0x4a66a4 CLSIDFromString
0x4a66a8 OleUninitialize
0x4a66ac OleInitialize
Library: OLEAUT32.dll
0x4a6388 LoadTypeLib
0x4a638c RegisterTypeLib
0x4a6390 UnRegisterTypeLib
Library: COMCTL32.dll
0x4a6020 None
0x4a6024 ImageList_Destroy
Library: comdlg32.dll
0x4a6690 ChooseColorA
0x4a6694 GetFileTitleA
0x4a6698 GetSaveFileNameA
0x4a669c GetOpenFileNameA

Strings (selected)

.text
`.rdata
@.data
.rsrc
VMProtect begin
SEBEGN
SEENDP
VMProtect end

"VMProtect begin"/"VMProtect end" are the VMProtect SDK marker strings, and the SEBEGN/SEENDP pair matches the Safengine Shielden SDK markers; both are emitted by the protector SDK macros to delimit code regions. The section table above still shows the standard .text/.rdata/.data/.rsrc names and the full import table is intact, so the markers indicate the SDK was linked in, not that the whole image has been virtualised or packed.

Antivirus Results

26 of the 66 engines flag the file. Several name FlyStudio, the detection family vendors use for programs built with the 易语言 (EPL) toolchain and often rated PUA rather than malware; the rest are generic or heuristic verdicts.

Engine/Vendor  Detection  Signature date
Bkav  Not detected  20190314
TotalDefense  Win32/Oflwr.A!crypt  20190316
MicroWorld-eScan  Not detected  20190316
CMC  Not detected  20190316
CAT-QuickHeal  Trojan.FlyStudio  20190315
McAfee  PUP-XEY-DN  20190316
Malwarebytes  Not detected  20190316
Zillya  Not detected  20190315
SUPERAntiSpyware  Not detected  20190314
Trustlook  Not detected  20190316
Alibaba  Not detected  20190306
K7GW  Trojan ( 005246d51 )  20190315
K7AntiVirus  Trojan ( 005246d51 )  20190316
TheHacker  Not detected  20190315
Baidu  Not detected  20190306
NANO-Antivirus  Trojan.Win32.Dwn.fnuycu  20190316
Cyren  W32/S-1885075c!Eldorado  20190316
ESET-NOD32  a variant of Win32/Packed.FlyStudio.AA potentially unwanted  20190316
Zoner  Not detected  20190316
TrendMicro-HouseCall  TROJ_GEN.R002H06CA19  20190316
Avast  Win32:Evo-gen [Susp]  20190316
ClamAV  Win.Malware.Zusy-6840460-0  20190316
Kaspersky  Not detected  20190316
BitDefender  Not detected  20190316
Babable  Not detected  20180918
Paloalto  generic.ml  20190316
AegisLab  Not detected  20190316
Tencent  Not detected  20190316
Ad-Aware  Not detected  20190316
Sophos  Generic PUA CK (PUA)  20190316
Comodo  Worm.Win32.Dropper.RA@1qraug  20190316
F-Secure  Not detected  20190316
DrWeb  Not detected  20190316
VIPRE  Not detected  20190315
Invincea  heuristic  20190313
McAfee-GW-Edition  BehavesLike.Win32.Generic.fh  20190316
Trapmine  Not detected  20190301
Emsisoft  Not detected  20190316
SentinelOne  DFI - Malicious PE  20190311
Avast-Mobile  Not detected  20190316
Jiangmin  Not detected  20190316
Avira  Not detected  20190316
Antiy-AVL  GrayWare/Win32.FlyStudio.a  20190316
Kingsoft  Not detected  20190316
Endgame  malicious (high confidence)  20190215
Microsoft  Trojan:Win32/Tiggre!rfn  20190316
ViRobot  Not detected  20190315
ZoneAlarm  Not detected  20190316
GData  Not detected  20190316
TACHYON  Not detected  20190316
AhnLab-V3  Not detected  20190316
Acronis  suspicious  20190313
VBA32  Not detected  20190315
ALYac  Not detected  20190316
MAX  Not detected  20190316
Arcabit  Not detected  20190316
Rising  PUF.Hacktool!1.B2A6 (C64:YzY0Okt7O4CZMFVo)  20190316
Yandex  Not detected  20190315
Ikarus  Not detected  20190316
eGambit  Not detected  20190316
Fortinet  Not detected  20190316
AVG  Win32:Evo-gen [Susp]  20190316
Cybereason  malicious.782c3c  20190314
Panda  Not detected  20190316
CrowdStrike  win/malicious_confidence_80% (W)  20190212
Qihoo-360  HEUR/QVM07.1.A316.Malware.Gen  20190316

Process Tree

____________.exe, PID: 2448, parent PID: 2296

(The twelve underscores are the sandbox's rendering of the twelve UTF-8 bytes of the four-character file name 荒野奇迹; the same rendering appears in the CTF\Compatibility registry key above. No child processes were created.)

Hosts contacted

No host records.

TCP

No TCP connection records.

UDP

No UDP connection records.

Domain resolution

No domain information.

HTTP Requests

No HTTP requests found.

SMTP Traffic

No SMTP traffic.

IRC Traffic

No IRC requests.

ICMP Traffic

No ICMP traffic.

CIF Report

No CIF results

Network Alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No files extracted from network traffic.
No dropped files.
No similar analyses found.

Processing ( 24.714 seconds )

  • 15.532 Suricata
  • 4.658 Static
  • 1.827 TargetInfo
  • 1.499 VirusTotal
  • 0.421 peid
  • 0.357 NetworkAnalysis
  • 0.281 BehaviorAnalysis
  • 0.119 AnalysisInfo
  • 0.014 Strings
  • 0.003 Memory
  • 0.003 config_decoder

Signatures ( 0.429 seconds )

  • 0.186 md_bad_drop
  • 0.029 antiav_detectreg
  • 0.021 md_url_bl
  • 0.02 md_domain_bl
  • 0.014 api_spamming
  • 0.012 stealth_timeout
  • 0.012 infostealer_ftp
  • 0.01 stealth_decoy_document
  • 0.008 anomaly_persistence_autorun
  • 0.008 antiav_detectfile
  • 0.007 infostealer_im
  • 0.007 ransomware_extensions
  • 0.007 ransomware_files
  • 0.005 injection_createremotethread
  • 0.005 infostealer_bitcoin
  • 0.005 infostealer_mail
  • 0.004 antivm_vbox_libs
  • 0.003 tinba_behavior
  • 0.003 injection_runpe
  • 0.003 antivm_vbox_files
  • 0.003 geodo_banking_trojan
  • 0.003 disables_browser_warn
  • 0.002 rat_nanocore
  • 0.002 betabot_behavior
  • 0.002 exec_crash
  • 0.002 cerber_behavior
  • 0.002 antivm_parallels_keys
  • 0.002 browser_security
  • 0.002 modify_proxy
  • 0.001 antiemu_wine_func
  • 0.001 network_tor
  • 0.001 bootkit
  • 0.001 antiav_avast_libs
  • 0.001 mimics_filetime
  • 0.001 stealth_file
  • 0.001 antivm_vmware_libs
  • 0.001 process_interest
  • 0.001 injection_explorer
  • 0.001 reads_self
  • 0.001 ursnif_behavior
  • 0.001 antisandbox_sunbelt_libs
  • 0.001 antisandbox_sboxie_libs
  • 0.001 antiav_bitdefender_libs
  • 0.001 kibex_behavior
  • 0.001 antivm_generic_scsi
  • 0.001 shifu_behavior
  • 0.001 antivm_generic_disk
  • 0.001 infostealer_browser_password
  • 0.001 vawtrak_behavior
  • 0.001 virus
  • 0.001 kovter_behavior
  • 0.001 hancitor_behavior
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_xen_keys
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 disables_system_restore
  • 0.001 disables_windows_defender
  • 0.001 darkcomet_regkeys
  • 0.001 malicious_drop_executable_file_to_temp_folder
  • 0.001 office_security
  • 0.001 rat_pcclient
  • 0.001 rat_spynet
  • 0.001 recon_fingerprint
  • 0.001 stealth_hide_notifications
  • 0.001 stealth_modify_uac_prompt
  • 0.001 stealth_modify_security_center_warnings

Reporting ( 1.041 seconds )

  • 0.82 ReportHTMLSummary
  • 0.221 Malheur
Task ID 261725
Mongo ID 5c8e7e012e06331e55055a93
Cuckoo release 1.4-Maldun