分析任务

分析类型 虚拟机标签 开始时间 结束时间 持续时间
文件 (Windows) win7-sp1-x64-hpdapp01-1 2019-04-19 22:01:12 2019-04-19 22:03:38 146 秒

魔盾分数

8.66

危险的

文件详细信息

文件名 旧爱万能助手V0.0.5.zip ==> \xbe\xc9\xb0\xae\xcd\xf2\xc4\xdc\xd6\xfa\xca\xd6V0.0.5.exe
文件大小 1974272 字节
文件类型 PE32 executable (GUI) Intel 80386, for MS Windows
MD5 cd05b257c0dfa19c4ebac7371c34ef99
SHA1 345de217b3a84318a1d0d9ec66e36cecc3f69fbb
SHA256 df35733d3eb05351cf3166cf61a822472d0e1f4e36419cf9d1fa75a8972a5982
SHA512 9879824978d7e6f8f20fc64a2be2c3054234a6e835cd8017ebcba19bf52413263c018938b8b27e363db3b0a3c8464b746c4e9901896bc6fd2952aafee606f366
CRC32 E1BFC887
Ssdeep 24576:kjAcpA0g8zw34d6obJDq+UUg7kM6wgTMvolOS8Um+Tg103nOY99RalwpWVtgoQG8:UAcpA0g803YpDqlPIqNom+Tg10ew7w0v
Yara
  • IsPE32 - Detected 32bit PE signature
  • IsWindowsGUI -
  • HasRichSignature - Detected Rich Signature
  • DebuggerTiming__Ticks -
  • create_process - Create a new process
  • network_http - Communications over HTTP
  • screenshot - Detected take screenshot function
  • keylogger - Run a keylogger
  • win_mutex - Create or check mutex
  • win_registry - Affect system registries
  • change_win_registry - Change registries to affect system
  • win_private_profile - Affect private profile
  • win_files_operation - Affect private profile
  • win_hook - Affect hook table
  • Maldun_Anomoly_Combined_Activities_2 - Detects abnormal behaviors and together with network communications
  • Maldun_Anomoly_Combined_Activities_7 - Detects malicious behaviors from a small size app
  • without_attachments - Detected no presence of any attachment
  • maldoc_getEIP_method_1 -
  • with_images - Detected the presence of an or several images
  • with_urls - Detected the presence of an or several urls
  • Chinese_Hacktool_1014 - Detects a chinese hacktool with unknown use
  • Big_Numbers1 - Looks for big numbers 32:sized
  • CRC32_poly_Constant - Look for CRC32 [poly]
  • CRC32_table - Look for CRC32 table
  • MD5_Constants - Look for MD5 constants
  • BASE64_table - Look for Base64 table
  • Maldun_Abnormal_Hash_alg - Detects program has the encryption or decription logic
样本下载

特征低危险等级 中危险等级 高危险等级

魔盾wping.org 域名信誉系统
Neutral: api.1fzlt.com
魔盾wping.org IP地址信誉系统
Neutral: 113.141.163.63
发起了一些HTTP请求
url: http://api.1fzlt.com/gengxin_api.php
生成可疑网络流量,可能被用来进行恶意活动
signature: ET POLICY Unsupported/Fake Windows NT Version 5.0
生成一个自己的复制文件
copy: C:\Users\test\AppData\Local\Temp\zip-tmp\\xe6\x97\xa7\xe7\x88\xb1\xe4\xb8\x87\xe8\x83\xbd\xe5\x8a\xa9\xe6\x89\x8bV0.0.5.exe
魔盾安全Yara规则检测结果 - 高危
Informational: Detected Rich Signature
Warning: Create a new process
Warning: Communications over HTTP
Warning: Detected take screenshot function
Warning: Run a keylogger
Warning: Affect system registries
Warning: Affect private profile
Warning: Affect hook table
Critical: Detects abnormal behaviors and together with network communications
Critical: Detects malicious behaviors from a small size app
Informational: Detected no presence of any attachment
Critical: maldoc_getEIP_method_1
Informational: Detected the presence of an or several images
Informational: Detected the presence of an or several urls
Warning: Detects a chinese hacktool with unknown use
Informational: Looks for big numbers 32:sized
Informational: Look for CRC32 [poly]
Informational: Look for CRC32 table
Informational: Look for MD5 constants
Informational: Look for Base64 table
Warning: Detects program has the encryption or decription logic

运行截图


访问主机纪录 (可点击查询WPING实时安全评级)

直接 IP 安全评级 地理位置
113.141.163.63 中国

域名解析 (可点击查询WPING实时安全评级)

域名 安全评级 响应
api.1fzlt.com A 113.141.163.63

摘要

C:\Users\test\AppData\Local\Temp\zip-tmp
C:\Users\test\AppData\Local\Temp\zip-tmp\atl.dll
C:\Windows\Fonts\staticcache.dat
C:\Windows\Fonts\staticcache.dat
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\\xe6\x97\xa7\xe7\x88\xb1\xe4\xb8\x87\xe8\x83\xbd\xe5\x8a\xa9\xe6\x89\x8bV0.0.5.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\\xe5\xbe\xae\xe8\xbd\xaf\xe9\x9b\x85\xe9\xbb\x91
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\\xe9\xbb\x91\xe4\xbd\x93
HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
kernel32.dll.IsProcessorFeaturePresent
cryptbase.dll.SystemFunction036
atl.dll.AtlAxWinInit
comctl32.dll.RegisterClassNameW
uxtheme.dll.OpenThemeData
imm32.dll.ImmIsIME
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
gdi32.dll.GetTextExtentExPointWPri
uxtheme.dll.EnableThemeDialogTexture
rasapi32.dll.RasConnectionNotificationW
sechost.dll.NotifyServiceStatusChangeA
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
imm32.dll.ImmGetContext
imm32.dll.ImmLockIMC
imm32.dll.ImmUnlockIMC
imm32.dll.ImmReleaseContext
imm32.dll.ImmSetCompositionFontW
imm32.dll.ImmGetCompositionWindow
imm32.dll.ImmSetCompositionWindow
gdi32.dll.GdiIsMetaPrintDC
uxtheme.dll.BufferedPaintInit
uxtheme.dll.BeginBufferedPaint
uxtheme.dll.EndBufferedPaint
oleaut32.dll.SysAllocString
oleaut32.dll.SysStringLen
oleaut32.dll.SysFreeString
Local\MSCTF.Asm.MutexDefault1
没有信息显示.
V0.0.5.exeup!
g`Rax
(S`Te
没有防病毒引擎扫描信息!

进程树


旧爱万能助手V0.0.5.exe, PID: 2888, 上一级进程 PID: 2768

访问主机纪录 (可点击查询WPING实时安全评级)

直接 IP 安全评级 地理位置
113.141.163.63 中国

TCP

源地址 源端口 目标地址 目标端口
192.168.122.201 49161 113.141.163.63 api.1fzlt.com 80

UDP

源地址 源端口 目标地址 目标端口
192.168.122.201 62233 192.168.122.1 53

域名解析 (可点击查询WPING实时安全评级)

域名 安全评级 响应
api.1fzlt.com A 113.141.163.63

TCP

源地址 源端口 目标地址 目标端口
192.168.122.201 49161 113.141.163.63 api.1fzlt.com 80

UDP

源地址 源端口 目标地址 目标端口
192.168.122.201 62233 192.168.122.1 53

HTTP 请求

URI HTTP数据
URL专业沙箱检测 -> http://api.1fzlt.com/gengxin_api.php
GET /gengxin_api.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: api.1fzlt.com
Cache-Control: no-cache

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

Timestamp Source IP Source Port Destination IP Destination Port Protocol SID Signature Category
2019-04-19 22:01:52.710538+0800 192.168.122.201 49161 113.141.163.63 80 TCP 2016879 ET POLICY Unsupported/Fake Windows NT Version 5.0 Potential Corporate Privacy Violation

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件
文件名 \xbe\xc9\xb0\xae\xcd\xf2\xc4\xdc\xd6\xfa\xca\xd6V0.0.5.exe
相关文件
C:\Users\test\AppData\Local\Temp\zip-tmp\\xe6\x97\xa7\xe7\x88\xb1\xe4\xb8\x87\xe8\x83\xbd\xe5\x8a\xa9\xe6\x89\x8bV0.0.5.exe
文件大小 1974272 字节
文件类型 PE32 executable (GUI) Intel 80386, for MS Windows
MD5 cd05b257c0dfa19c4ebac7371c34ef99
SHA1 345de217b3a84318a1d0d9ec66e36cecc3f69fbb
SHA256 df35733d3eb05351cf3166cf61a822472d0e1f4e36419cf9d1fa75a8972a5982
CRC32 E1BFC887
Ssdeep 24576:kjAcpA0g8zw34d6obJDq+UUg7kM6wgTMvolOS8Um+Tg103nOY99RalwpWVtgoQG8:UAcpA0g803YpDqlPIqNom+Tg10ew7w0v
下载提交魔盾安全分析
没有发现相似的分析.
HTML 总结报告
(需15-60分钟同步)
下载
暂时还没有评论。

Processing ( 28.102 seconds )

  • 15.5 Suricata
  • 6.289 NetworkAnalysis
  • 3.49 VirusTotal
  • 2.513 TargetInfo
  • 0.115 Dropped
  • 0.106 BehaviorAnalysis
  • 0.061 AnalysisInfo
  • 0.023 Strings
  • 0.003 Memory
  • 0.002 Static

Signatures ( 2.438 seconds )

  • 1.914 md_url_bl
  • 0.34 md_bad_drop
  • 0.029 antiav_detectreg
  • 0.023 md_domain_bl
  • 0.012 infostealer_ftp
  • 0.007 anomaly_persistence_autorun
  • 0.007 antiav_detectfile
  • 0.007 infostealer_im
  • 0.006 antianalysis_detectreg
  • 0.006 geodo_banking_trojan
  • 0.006 network_http
  • 0.006 ransomware_files
  • 0.005 api_spamming
  • 0.005 infostealer_bitcoin
  • 0.005 ransomware_extensions
  • 0.004 stealth_decoy_document
  • 0.004 antidbg_windows
  • 0.004 stealth_timeout
  • 0.004 infostealer_mail
  • 0.003 tinba_behavior
  • 0.003 antivm_vbox_files
  • 0.003 disables_browser_warn
  • 0.003 network_torgateway
  • 0.002 rat_nanocore
  • 0.002 betabot_behavior
  • 0.002 cerber_behavior
  • 0.002 browser_security
  • 0.002 modify_proxy
  • 0.002 network_cnc_http
  • 0.001 ursnif_behavior
  • 0.001 dyre_behavior
  • 0.001 kibex_behavior
  • 0.001 antivm_generic_scsi
  • 0.001 shifu_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antidbg_devices
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_xen_keys
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 disables_system_restore
  • 0.001 disables_windows_defender
  • 0.001 darkcomet_regkeys
  • 0.001 maldun_blacklist
  • 0.001 recon_fingerprint
  • 0.001 stealth_modify_uac_prompt

Reporting ( 1.207 seconds )

  • 0.867 ReportHTMLSummary
  • 0.34 Malheur
Task ID 280295
Mongo ID 5cb9d55f2f8f2e044aa9bcdd
Cuckoo release 1.4-Maldun