Analysis task

Analysis type File (Windows)
VM label win7-sp1-x64-hpdapp01-1
Start time 2019-04-26 01:46:54
End time 2019-04-26 01:47:47
Duration 53 seconds

Maldun score

8.15

Dangerous

File details

File name V4Panda.exe
File size 6844416 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 d21f0d0f9e292967634525f406192426
SHA1 b59f5403fb7715ee5482ac5ca2ced0717fdd45d2
SHA256 1f9db5895c152c00e235584745e9386e04a60b02b77cda8513db75b853d66576
SHA512 4ea044b52278ad284b23c44c3d129c05cb49a17b3072fc9347b8f6c0339ce10afe35c9e3113b9f5f4889457897dc08f96da1a0d2cb811d814be0d1a07d337c35
CRC32 2DDBA844
Ssdeep 196608:E6SiJr+5GatPhPDBaZ8MRaTYNMgas3zBsk:BJrhehkZ8XT+Os3zB
Yara
  • Detected 32bit PE signature
  • Detected Entropy signature
  • Detected Rich Signature
  • Checks if being debugged
  • Anti-Sandbox checks for Sandboxie
  • Create a new process
  • Communications over HTTP
  • Communications over RAW socket
  • Detected take screenshot function
  • Run a keylogger
  • Malware can spread east-west file
  • Create or check mutex
  • Affect system registries
  • Change registries to affect system
  • Affect system token
  • Affect private profile
  • Affect private profile
  • Affect hook table
  • Detects abnormal behaviors together with network communications
  • Detects malicious behaviors
  • Detects malicious behaviors from a small size app
  • Detected no presence of any attachment
  • Detected the presence of one or several images
  • Detected the presence of one or several URLs
  • Looks for big numbers 32:sized
  • Look for CRC32 [poly]
  • Look for CRC32 table
  • Look for MD5 constants
  • Look for RIPEMD-160 constants
  • Look for SHA1 constants
  • Look for Base64 table
  • Look for Random function
  • Detects program has the encryption or decryption logic

Signatures (low risk / medium risk / high risk)

The binary may contain encrypted or compressed data
section: name: .GERHJK4, entropy: 7.83, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00351000, virtual_size: 0x00350cb5
section: name: .GERHJK4, entropy: 7.70, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x001f4000, virtual_size: 0x001f3040
Anomalous binary characteristics
anomaly: Found duplicated section names
Maldun Security Yara rule detection results - high risk
Informational: Detected Entropy signature
Informational: Detected Rich Signature
Warning: Create a new process
Warning: Communications over HTTP
Warning: Communications over RAW socket
Warning: Detected take screenshot function
Warning: Run a keylogger
Warning: Malware can spread east-west file
Warning: Affect system registries
Warning: Affect system token
Warning: Affect private profile
Warning: Affect hook table
Critical: Detects abnormal behaviors together with network communications
Critical: Detects malicious behaviors
Critical: Detects malicious behaviors from a small size app
Informational: Detected no presence of any attachment
Critical: maldoc_getEIP_method_1
Informational: Detected the presence of one or several images
Informational: Detected the presence of one or several URLs
Informational: Looks for big numbers 32:sized
Informational: Look for CRC32 [poly]
Informational: Look for CRC32 table
Informational: Look for MD5 constants
Informational: Look for RIPEMD-160 constants
Informational: Look for SHA1 constants
Informational: Look for Base64 table
Informational: Look for Random function
Warning: Detects program has the encryption or decryption logic

Run screenshots

No screenshots available

Hosts contacted (click to query the WPING real-time security rating)

No host records.

DNS resolution (click to query the WPING real-time security rating)

No domain information.


Summary

C:\Windows\Fonts\staticcache.dat
\Device\KsecDD
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Fonts\staticcache.dat
\Device\KsecDD
C:\Windows\Globalization\Sorting\sortdefault.nls
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\V4Panda.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
gdi32.dll.GetTextExtentExPointWPri
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
cryptbase.dll.SystemFunction036
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
oleaut32.dll.SysAllocString
oleaut32.dll.SysStringLen
oleaut32.dll.SysFreeString
oleaut32.dll.#500
Local\MSCTF.Asm.MutexDefault1

PE information

Image base 0x00400000
Entry point 0x00a40628
Declared checksum 0x00000000
Actual checksum 0x00694554
Minimum OS version required 5.0
Compile time 2019-04-25 23:43:20
Import hash 6ff280506440edf12bb262ad35d6e01f

PE sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x000a9e9a 0x000aa000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.58
.rdata 0x000ab000 0x00073862 0x00074000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 6.76
.data 0x0011f000 0x0003712a 0x00012000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.07
.GERHJK4 0x00157000 0x00350cb5 0x00351000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 7.83
.GERHJK4 0x004a8000 0x001f3040 0x001f4000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 7.70
.rsrc 0x0069c000 0x00010028 0x00011000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.16

Imports

Library: SHLWAPI.dll:
0x918000 SHDeleteKeyA
0x918004 SHDeleteValueA
Library: WINMM.dll:
0x918014 waveOutWrite
0x918018 waveOutPause
0x91801c waveOutReset
0x918020 waveOutClose
0x918024 waveOutGetNumDevs
0x918028 waveOutOpen
0x918030 midiStreamOut
0x918034 midiStreamStop
0x918038 midiOutReset
0x91803c midiStreamClose
0x918040 midiStreamRestart
0x918048 midiStreamOpen
0x91804c midiStreamProperty
Library: WS2_32.dll:
0x918054 WSACleanup
0x918058 WSAStartup
0x91805c gethostbyname
0x918060 closesocket
0x918064 getpeername
0x918068 WSAAsyncSelect
0x91806c recvfrom
0x918070 ioctlsocket
0x918074 inet_ntoa
0x918078 recv
0x91807c accept
Library: KERNEL32.dll:
0x918084 SetFilePointer
0x918088 GetFileSize
0x91808c TerminateProcess
0x918090 SetLastError
0x918098 GetACP
0x91809c HeapSize
0x9180a0 RaiseException
0x9180a4 GetLocalTime
0x9180a8 GetSystemTime
0x9180ac RtlUnwind
0x9180b0 GetStartupInfoA
0x9180b4 GetOEMCP
0x9180b8 GetCPInfo
0x9180bc GetProcessVersion
0x9180c0 SetErrorMode
0x9180c4 GlobalFlags
0x9180c8 GetCurrentThread
0x9180cc GetFileTime
0x9180d0 TlsGetValue
0x9180d4 LocalReAlloc
0x9180d8 TlsSetValue
0x9180dc TlsFree
0x9180e0 GlobalHandle
0x9180e4 TlsAlloc
0x9180e8 LocalAlloc
0x9180ec lstrcmpA
0x9180f0 GlobalGetAtomNameA
0x9180f4 GlobalAddAtomA
0x9180f8 GlobalFindAtomA
0x9180fc GlobalDeleteAtom
0x918100 lstrcmpiA
0x918104 SetEndOfFile
0x918108 UnlockFile
0x91810c LockFile
0x918110 FlushFileBuffers
0x918114 DuplicateHandle
0x918118 lstrcpynA
0x918124 LocalFree
0x918130 WideCharToMultiByte
0x918134 MultiByteToWideChar
0x918138 GetCurrentProcess
0x918140 CreateSemaphoreA
0x918144 ResumeThread
0x918148 ReleaseSemaphore
0x918154 GetProfileStringA
0x918158 WriteFile
0x91815c ReadFile
0x918164 CreateFileA
0x918168 SetEvent
0x91816c FindResourceA
0x918170 LoadResource
0x918174 LockResource
0x918178 lstrlenW
0x91817c RemoveDirectoryA
0x918180 GetModuleFileNameA
0x918184 GetCurrentThreadId
0x918188 ExitProcess
0x91818c GlobalSize
0x918190 GlobalFree
0x91819c lstrcatA
0x9181a0 lstrlenA
0x9181a4 WinExec
0x9181a8 lstrcpyA
0x9181ac FindNextFileA
0x9181b0 GetDriveTypeA
0x9181b4 GlobalReAlloc
0x9181b8 HeapFree
0x9181bc HeapReAlloc
0x9181c0 GetProcessHeap
0x9181c4 InterlockedExchange
0x9181c8 HeapAlloc
0x9181cc GetUserDefaultLCID
0x9181d0 GetFullPathNameA
0x9181d4 FreeLibrary
0x9181d8 LoadLibraryA
0x9181dc GetLastError
0x9181e0 GetVersionExA
0x9181e8 CreateThread
0x9181ec CreateEventA
0x9181f0 Sleep
0x9181f8 GlobalAlloc
0x9181fc GlobalLock
0x918200 GlobalUnlock
0x918204 GetTempPathA
0x918208 FindFirstFileA
0x91820c FindClose
0x918210 SetFileAttributesA
0x918214 GetFileAttributesA
0x918218 DeleteFileA
0x918228 GetModuleHandleA
0x91822c GetProcAddress
0x918230 MulDiv
0x918234 GetCommandLineA
0x918238 GetTickCount
0x91823c CreateProcessA
0x918240 WaitForSingleObject
0x918244 CloseHandle
0x91825c SetHandleCount
0x918260 GetStdHandle
0x918264 GetFileType
0x91826c HeapDestroy
0x918270 HeapCreate
0x918274 VirtualFree
0x91827c LCMapStringA
0x918280 LCMapStringW
0x918284 VirtualAlloc
0x918288 IsBadWritePtr
0x918290 GetStringTypeA
0x918294 GetStringTypeW
0x918298 CompareStringA
0x91829c CompareStringW
0x9182a0 IsBadReadPtr
0x9182a4 IsBadCodePtr
0x9182a8 SetStdHandle
0x9182ac GetVersion
Library: USER32.dll:
0x9182b4 SetWindowRgn
0x9182bc GetWindow
0x9182c0 GetActiveWindow
0x9182c4 SetFocus
0x9182c8 IsIconic
0x9182cc PeekMessageA
0x9182d0 SetMenu
0x9182d4 GetMenu
0x9182d8 GetMessagePos
0x9182dc ScreenToClient
0x9182e4 CopyRect
0x9182e8 LoadBitmapA
0x9182ec GetSysColorBrush
0x9182f0 GetKeyState
0x9182f4 DefWindowProcA
0x9182f8 GetClassInfoA
0x9182fc LoadImageA
0x918304 ClientToScreen
0x918308 EnableMenuItem
0x91830c GetSubMenu
0x918310 GetDlgCtrlID
0x918314 IsZoomed
0x918318 PostQuitMessage
0x918324 IsWindowEnabled
0x918328 ShowWindow
0x918334 CreateMenu
0x918338 ModifyMenuA
0x91833c AppendMenuA
0x918340 WinHelpA
0x918344 KillTimer
0x918348 SetTimer
0x91834c ReleaseCapture
0x918350 GetCapture
0x918354 SetCapture
0x918358 GetScrollRange
0x91835c SetScrollRange
0x918360 SetScrollPos
0x918364 SetRect
0x918368 InflateRect
0x91836c IntersectRect
0x918370 LoadStringA
0x918378 GetMenuState
0x91837c DestroyIcon
0x918380 PtInRect
0x918384 OffsetRect
0x918388 IsWindowVisible
0x91838c EnableWindow
0x918390 RedrawWindow
0x918394 GetWindowLongA
0x918398 SetWindowLongA
0x91839c GetSysColor
0x9183a0 SetActiveWindow
0x9183a4 SetCursorPos
0x9183a8 LoadCursorA
0x9183ac SetCursor
0x9183b0 GetDC
0x9183b4 FillRect
0x9183b8 IsRectEmpty
0x9183bc ReleaseDC
0x9183c0 IsChild
0x9183c4 DestroyMenu
0x9183c8 SetForegroundWindow
0x9183cc GetWindowRect
0x9183d0 EqualRect
0x9183d4 UpdateWindow
0x9183d8 ValidateRect
0x9183dc InvalidateRect
0x9183e0 GetClientRect
0x9183e4 GetFocus
0x9183e8 GetParent
0x9183ec GetTopWindow
0x9183f0 PostMessageA
0x9183f4 IsWindow
0x9183f8 SetParent
0x9183fc DestroyCursor
0x918400 SendMessageA
0x918404 SetWindowPos
0x918408 MessageBoxA
0x91840c GetCursorPos
0x918410 GetSystemMetrics
0x918414 EmptyClipboard
0x918418 SetClipboardData
0x91841c OpenClipboard
0x918420 GetClipboardData
0x918424 CloseClipboard
0x918428 wsprintfA
0x91842c WaitForInputIdle
0x918430 CreatePopupMenu
0x918434 DrawIconEx
0x918440 SetRectEmpty
0x918444 DispatchMessageA
0x918448 GetMessageA
0x91844c WindowFromPoint
0x918450 DrawFocusRect
0x918454 DrawEdge
0x918458 DrawFrameControl
0x91845c LoadIconA
0x918460 TranslateMessage
0x918464 GetForegroundWindow
0x918468 GetDesktopWindow
0x91846c GetClassNameA
0x918470 GetDlgItem
0x918474 GetWindowTextA
0x918478 UnregisterClassA
0x918484 CharUpperA
0x918488 GetWindowDC
0x91848c BeginPaint
0x918490 EndPaint
0x918494 TabbedTextOutA
0x918498 DrawTextA
0x91849c GrayStringA
0x9184a0 DestroyWindow
0x9184a8 EndDialog
0x9184ac GetNextDlgTabItem
0x9184b0 GetWindowPlacement
0x9184b8 GetLastActivePopup
0x9184bc GetMessageTime
0x9184c0 RemovePropA
0x9184c4 CallWindowProcA
0x9184c8 GetPropA
0x9184cc UnhookWindowsHookEx
0x9184d0 SetPropA
0x9184d4 GetClassLongA
0x9184d8 CallNextHookEx
0x9184dc SetWindowsHookExA
0x9184e0 CreateWindowExA
0x9184e4 GetMenuItemID
0x9184e8 GetMenuItemCount
0x9184ec RegisterClassA
0x9184f0 GetScrollPos
0x9184f4 AdjustWindowRectEx
0x9184f8 MapWindowPoints
0x9184fc SendDlgItemMessageA
0x918500 ScrollWindowEx
0x918504 IsDialogMessageA
0x918508 SetWindowTextA
0x91850c MoveWindow
0x918510 CheckMenuItem
0x918514 SetMenuItemBitmaps
Library: GDI32.dll:
0x91851c Escape
0x918520 ExtTextOutA
0x918524 TextOutA
0x918528 RectVisible
0x91852c PtVisible
0x918530 GetViewportExtEx
0x918534 ExtSelectClipRgn
0x918538 LineTo
0x91853c MoveToEx
0x918540 BitBlt
0x918544 CreateCompatibleDC
0x918548 Ellipse
0x91854c Rectangle
0x918550 LPtoDP
0x918554 DPtoLP
0x918558 GetCurrentObject
0x91855c RoundRect
0x918560 GetTextMetricsA
0x918568 GetDeviceCaps
0x91856c CreatePalette
0x918570 CreateDIBitmap
0x918574 DeleteObject
0x918578 SelectClipRgn
0x91857c CreatePolygonRgn
0x918580 GetClipRgn
0x918584 SetStretchBltMode
0x91858c SetBkColor
0x918590 ExcludeClipRect
0x918594 GetClipBox
0x918598 ScaleWindowExtEx
0x91859c SetWindowExtEx
0x9185a0 SetWindowOrgEx
0x9185a4 ScaleViewportExtEx
0x9185a8 SetViewportExtEx
0x9185ac OffsetViewportOrgEx
0x9185b0 SetViewportOrgEx
0x9185b4 SetMapMode
0x9185b8 SetTextColor
0x9185bc StartPage
0x9185c0 StartDocA
0x9185c4 DeleteDC
0x9185c8 EndDoc
0x9185cc EndPage
0x9185d0 GetObjectA
0x9185d4 GetStockObject
0x9185d8 CreateFontIndirectA
0x9185dc CreateSolidBrush
0x9185e0 FillRgn
0x9185e4 CreateRectRgn
0x9185e8 CombineRgn
0x9185ec PatBlt
0x9185f0 CreatePen
0x9185f4 SelectObject
0x9185f8 CreateBitmap
0x9185fc CreateDCA
0x918604 GetPolyFillMode
0x918608 GetStretchBltMode
0x91860c GetROP2
0x918610 GetBkColor
0x918614 GetBkMode
0x918618 GetTextColor
0x91861c GetWindowOrgEx
0x918620 SetROP2
0x918624 SetPolyFillMode
0x918628 SetBkMode
0x91862c RestoreDC
0x918630 SaveDC
0x918634 GetViewportOrgEx
0x918638 GetWindowExtEx
0x91863c CreateRoundRectRgn
0x918640 CreateEllipticRgn
0x918644 PathToRegion
0x918648 EndPath
0x91864c BeginPath
0x918650 GetDIBits
0x918654 RealizePalette
0x918658 SelectPalette
0x918660 StretchBlt
Library: WINSPOOL.DRV:
0x918668 OpenPrinterA
0x91866c DocumentPropertiesA
0x918670 ClosePrinter
Library: ADVAPI32.dll:
0x918678 FreeSid
0x91867c RegQueryValueExA
0x918680 RegOpenKeyExA
0x918684 RegSetValueExA
0x918688 RegDeleteValueA
0x91868c RegDeleteKeyA
0x918690 RegQueryValueA
0x918694 RegCreateKeyExA
0x918698 GetUserNameA
0x91869c RegGetKeySecurity
0x9186a4 InitializeAcl
0x9186a8 AddAce
0x9186b4 RegCloseKey
0x9186c0 GetSidSubAuthority
0x9186c4 GetTokenInformation
0x9186c8 GetLengthSid
0x9186cc CopySid
0x9186d0 RegSetKeySecurity
0x9186d4 RegQueryInfoKeyA
0x9186d8 RegEnumKeyA
0x9186dc OpenProcessToken
Library: SHELL32.dll:
0x9186e4 ShellExecuteA
0x9186e8 Shell_NotifyIconA
0x9186ec SHEmptyRecycleBinA
Library: ole32.dll:
0x9186f8 CLSIDFromProgID
0x9186fc OleRun
0x918700 CoCreateInstance
0x918704 CLSIDFromString
0x918708 OleUninitialize
0x91870c OleInitialize
Library: OLEAUT32.dll:
0x918714 VariantChangeType
0x918718 VariantClear
0x91871c UnRegisterTypeLib
0x918720 LoadTypeLib
0x918724 LHashValOfNameSys
0x918728 RegisterTypeLib
0x91872c SysAllocString
0x918730 VariantInit
0x918734 VariantCopyInd
Library: COMCTL32.dll:
0x91873c None
0x918740 ImageList_Destroy
Library: WININET.dll:
0x918748 DeleteUrlCacheEntry
Library: comdlg32.dll:
0x918758 ChooseColorA
0x91875c GetFileTitleA
0x918760 GetSaveFileNameA
0x918764 GetOpenFileNameA
Library: WTSAPI32.dll:
0x91876c WTSSendMessageW
Library: KERNEL32.dll:
0x918774 VirtualQuery
0x91877c GetModuleHandleA
0x918780 CreateEventA
0x918784 GetModuleFileNameW
0x918788 LoadLibraryA
0x91878c TerminateProcess
0x918790 GetCurrentProcess
0x918798 Thread32First
0x91879c GetCurrentProcessId
0x9187a0 GetCurrentThreadId
0x9187a4 OpenThread
0x9187a8 Thread32Next
0x9187ac CloseHandle
0x9187b0 SuspendThread
0x9187b4 ResumeThread
0x9187b8 WriteProcessMemory
0x9187bc GetSystemInfo
0x9187c0 VirtualAlloc
0x9187c4 VirtualProtect
0x9187c8 VirtualFree
0x9187d4 GetCurrentThread
0x9187dc Sleep
0x9187e0 FreeLibrary
0x9187e4 GetTickCount
0x9187e8 GlobalFree
0x9187ec GetProcAddress
0x9187f0 LocalAlloc
0x9187f4 LocalFree
0x9187f8 ExitProcess
0x91880c GetModuleHandleW
0x918810 LoadResource
0x918814 MultiByteToWideChar
0x918818 FindResourceExW
0x91881c FindResourceExA
0x918820 WideCharToMultiByte
0x918824 GetThreadLocale
0x918828 GetUserDefaultLCID
0x918830 EnumResourceNamesA
0x918834 EnumResourceNamesW
0x918840 EnumResourceTypesA
0x918844 EnumResourceTypesW
0x918848 CreateFileW
0x91884c LoadLibraryW
0x918850 GetLastError
0x918854 FlushFileBuffers
0x918858 CreateFileA
0x91885c WriteConsoleW
0x918860 GetConsoleOutputCP
0x918864 WriteConsoleA
0x918868 GetCommandLineA
0x91886c RaiseException
0x918870 RtlUnwind
0x918874 HeapFree
0x918878 GetCPInfo
0x918884 GetACP
0x918888 GetOEMCP
0x91888c IsValidCodePage
0x918890 TlsGetValue
0x918894 TlsAlloc
0x918898 TlsSetValue
0x91889c TlsFree
0x9188a0 SetLastError
0x9188ac IsDebuggerPresent
0x9188b0 HeapAlloc
0x9188b4 LCMapStringA
0x9188b8 LCMapStringW
0x9188bc SetHandleCount
0x9188c0 GetStdHandle
0x9188c4 GetFileType
0x9188c8 GetStartupInfoA
0x9188cc GetModuleFileNameA
0x9188e0 HeapCreate
0x9188e4 HeapDestroy
0x9188ec HeapReAlloc
0x9188f0 GetStringTypeA
0x9188f4 GetStringTypeW
0x9188f8 GetLocaleInfoA
0x9188fc HeapSize
0x918900 WriteFile
0x918904 SetFilePointer
0x918908 GetConsoleCP
0x91890c GetConsoleMode
0x918914 SetStdHandle
Library: USER32.dll:
0x918920 CharUpperBuffW
0x918924 MessageBoxW
Library: KERNEL32.dll:
0x918930 LocalAlloc
0x918934 LocalFree
0x918938 GetModuleFileNameW
0x918948 Sleep
0x91894c ExitProcess
0x918950 FreeLibrary
0x918954 LoadLibraryA
0x918958 GetModuleHandleA
0x91895c GetProcAddress
Library: USER32.dll:

No antivirus engine scan information!

Process tree

V4Panda.exe, PID: 2660, parent PID: 2296

Hosts contacted (click to query the WPING real-time security rating)

No host records.

TCP

No TCP connection records.

UDP

No UDP connection records.

DNS resolution (click to query the WPING real-time security rating)

No domain information.

HTTP requests

No HTTP requests found.

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results

Network alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No network-extracted files found
Sorry! No files were dropped.
No similar analyses found.

Processing ( 48.049 seconds )

  • 22.037 Static
  • 15.584 Suricata
  • 7.861 TargetInfo
  • 1.509 VirusTotal
  • 0.467 peid
  • 0.342 NetworkAnalysis
  • 0.123 AnalysisInfo
  • 0.084 BehaviorAnalysis
  • 0.024 config_decoder
  • 0.015 Strings
  • 0.003 Memory

Signatures ( 0.52 seconds )

  • 0.326 md_bad_drop
  • 0.028 antiav_detectreg
  • 0.023 md_url_bl
  • 0.021 md_domain_bl
  • 0.011 infostealer_ftp
  • 0.008 ransomware_files
  • 0.007 anomaly_persistence_autorun
  • 0.007 antiav_detectfile
  • 0.007 infostealer_im
  • 0.007 ransomware_extensions
  • 0.006 antianalysis_detectreg
  • 0.005 infostealer_bitcoin
  • 0.004 api_spamming
  • 0.004 infostealer_mail
  • 0.003 tinba_behavior
  • 0.003 stealth_decoy_document
  • 0.003 stealth_timeout
  • 0.003 antivm_vbox_files
  • 0.003 geodo_banking_trojan
  • 0.003 disables_browser_warn
  • 0.002 rat_nanocore
  • 0.002 betabot_behavior
  • 0.002 cerber_behavior
  • 0.002 bot_drive
  • 0.002 bot_drive2
  • 0.002 browser_security
  • 0.002 modify_proxy
  • 0.001 ursnif_behavior
  • 0.001 kibex_behavior
  • 0.001 antivm_generic_scsi
  • 0.001 shifu_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antidbg_devices
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_xen_keys
  • 0.001 banker_zeus_mutex
  • 0.001 bot_athenahttp
  • 0.001 browser_addon
  • 0.001 disables_system_restore
  • 0.001 disables_windows_defender
  • 0.001 darkcomet_regkeys
  • 0.001 malicious_drop_executable_file_to_temp_folder
  • 0.001 office_security
  • 0.001 rat_pcclient
  • 0.001 rat_spynet
  • 0.001 recon_fingerprint
  • 0.001 stealth_hiddenreg
  • 0.001 stealth_hide_notifications
  • 0.001 stealth_modify_uac_prompt
  • 0.001 stealth_modify_security_center_warnings

Reporting ( 1.182 seconds )

  • 0.904 ReportHTMLSummary
  • 0.278 Malheur
Task ID 283009
Mongo ID 5cc1f2fd2f8f2e0444a9bf4e
Cuckoo release 1.4-Maldun