Analysis task

Analysis type  VM label  Start time  End time  Duration
File (Windows)  win7-sp1-x64-hpdapp01-1  2019-08-17 16:10:39  2019-08-17 16:13:17  158 seconds

Maldun score

8.0

Dangerous

File details

File name csrss.exe
File size 1208320 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 8d7c5f11f9d6138b1a45c934b7afc8fd
SHA1 73dcb56b60dfbbb1d464e3112f5019bc83f435ca
SHA256 23df0b07f9a0d363f669b039085f5b8cb5be308fa5281800d37a09a1a02a2ff7
SHA512 d0cadaddcd191c40c241efa11d77fb0a3d5d11359b99780b53bfb3dccfec88bab6ee5e7beabde78f3756bed64140c3e8e0acd15efa2ad91c83f9b369ce9226d9
CRC32 98F5D0C9
Ssdeep 12288:4NnES0tOcWKuo9luALfGSy9i+I/JEnjt3qDyb4hZUyqnuY0gUFols:4NnESIO1KtlxLuSRlQjRqphZUy+u/Gi
Yara
  • Detected 32bit PE signature
  • Detected Rich Signature
  • Checks if being debugged
  • Create a new process
  • Detected take screenshot function
  • Run a keylogger
  • APC queue tasks migration
  • Affect system registries
  • Change registries to affect system
  • Affect system token
  • Affect private profile
  • Affect private profile
  • Affect hook table
  • Detects malicious behaviors from a small size app
  • Detected no presence of any attachment
  • Detected the presence of an or several images
  • Detected the presence of an or several urls
  • Looks for big numbers 32:sized
  • Look for CRC32 [poly]
  • Look for CRC32 table
  • Look for MD5 constants
  • Look for RIPEMD-160 constants
  • Look for SHA1 constants
  • Look for RijnDael AES (check2) [char]
  • Look for RijnDael AES
  • Look for Random function
  • Detects program has the encryption or decription logic

Hosts contacted

No host records.

DNS resolution

No domain information.


Summary

Files

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Fonts\staticcache.dat
C:\TCJ.dll
C:\
C:\Users\test\AppData\Local\Temp\\xe9\x84\x99\xe7\xbd\xae\xe5\x8c\x86\xe5\xa3\xae\xe7\x9b\x8e\xe9\x80\x9e
C:\Users\test\AppData\Local\Temp\csrss.exe
C:\Users\test\AppData\Local\Temp\\xe9\x84\x99\xe7\xbd\xae\xe5\x8c\x86\xe5\xa3\xae\xe7\x9b\x8e\xe9\x80\x9e\\xe8\xb5\xa3\xe7\xa7\xa9\xe5\x9d\x8a\xe5\x92\xb8\xe7\x96\xbe.ink
C:\Users\test\AppData\Local\Temp\\xef\xbe\xb1\xef\xbf\x89\xef\xbf\x96\xef\xbf\x83\xef\xbe\xb4\xef\xbf\x92\xef\xbf\x97\xef\xbe\xb3\xef\xbe\xb0\xef\xbe\xbb\xef\xbe\xb3\xef\xbf\x91\\xef\xbe\xb8\xef\xbf\x93\xef\xbf\x96\xef\xbf\x88\xef\xbe\xb7\xef\xbe\xbb\xef\xbf\x8f\xef\xbf\x8c\xef\xbe\xbc\xef\xbe\xb2.ink
C:\Users\test\AppData\Local\Temp\\xe9\x84\x99\xe7\xbd\xae\xe5\x8c\x86\xe5\xa3\xae\xe7\x9b\x8e\xe9\x80\x9e\\xe8\xb5\xa3\xe7\xa7\xa9\xe5\x9d\x8a\xe5\x92\xb8\xe7\x96\xbe.lnk
C:\Users\test\AppData\Local\Temp\kernel32.dll
C:\Users\test\AppData\Local\Temp\12095925
C:\Users\test\AppData\Local\Temp\12095925\....\
C:\Users\test\AppData\Local\Temp\12095925\....\TemporaryFile
C:\Users\test\AppData\Local\Temp\12095925\TemporaryFile
C:\Users\test\AppData\Local\Temp\12095925\*.*
C:\Users\test\AppData\Local\Temp\12095925\TemporaryFile\*.*
C:\Users\test\AppData\Local\Temp\12095925\TemporaryFile\TemporaryFile
C:\Users\test\AppData\Local\Temp\Kernel32.dll
C:\Windows\sysnative\ntdll.dll
C:\Users\test\AppData\Local\Temp\Advapi32.dll
C:\Windows\Sysnative\ntdll.dll
C:\Windows\Sysnative\ntdll.dll.bak
C:\Users\test\AppData\Local\Temp
C:\Users
C:\Users\test
C:\Users\test\AppData
C:\Users\test\AppData\Local
C:\Users\test\AppData\Local\Temp\cacls.exe
C:\Users\test\AppData\Local\Temp\cacls.exe.*
C:\ProgramData\Oracle\Java\javapath\cacls.exe
C:\ProgramData\Oracle\Java\javapath\cacls.exe.*
C:\Windows\sysnative\cacls.exe
C:\Users\test\AppData\Local\Temp\takeown.*
C:\Users\test\AppData\Local\Temp\takeown
C:\ProgramData\Oracle\Java\javapath\takeown.*
C:\ProgramData\Oracle\Java\javapath\takeown
C:\Windows\sysnative\takeown.*
C:\Windows\sysnative\takeown.COM
C:\Windows\sysnative\takeown.exe
C:\Windows\sysnative\ntdll.dll\
C:\Windows\sysnative
C:\Windows\sysnative\
C:\Windows
C:\Windows\
C:
\??\MountPointManager
C:\Windows\sysnative\zh-CN\KERNELBASE.dll.mui
C:\Windows\Sysnative\csrss.exe
C:\Windows\Sysnative\csrss.exe\
C:\Windows\Sysnative
C:\Windows\Sysnative\
C:\Windows\Sysnative\ntdll.dll\
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Fonts\staticcache.dat
C:\Users\test\AppData\Local\Temp\csrss.exe
C:\Users\test\AppData\Local\Temp\\xe9\x84\x99\xe7\xbd\xae\xe5\x8c\x86\xe5\xa3\xae\xe7\x9b\x8e\xe9\x80\x9e\\xe8\xb5\xa3\xe7\xa7\xa9\xe5\x9d\x8a\xe5\x92\xb8\xe7\x96\xbe.ink
C:\Users\test\AppData\Local\Temp\12095925\....\
C:\Windows\sysnative\ntdll.dll
C:\Windows\Sysnative\ntdll.dll
C:\Windows\sysnative\zh-CN\KERNELBASE.dll.mui
C:\TCJ.dll
C:\Users\test\AppData\Local\Temp\\xe9\x84\x99\xe7\xbd\xae\xe5\x8c\x86\xe5\xa3\xae\xe7\x9b\x8e\xe9\x80\x9e\\xe8\xb5\xa3\xe7\xa7\xa9\xe5\x9d\x8a\xe5\x92\xb8\xe7\x96\xbe.ink
C:\Users\test\AppData\Local\Temp\\xef\xbe\xb1\xef\xbf\x89\xef\xbf\x96\xef\xbf\x83\xef\xbe\xb4\xef\xbf\x92\xef\xbf\x97\xef\xbe\xb3\xef\xbe\xb0\xef\xbe\xbb\xef\xbe\xb3\xef\xbf\x91\\xef\xbe\xb8\xef\xbf\x93\xef\xbf\x96\xef\xbf\x88\xef\xbe\xb7\xef\xbe\xbb\xef\xbf\x8f\xef\xbf\x8c\xef\xbe\xbc\xef\xbe\xb2.ink
C:\Users\test\AppData\Local\Temp\\xe9\x84\x99\xe7\xbd\xae\xe5\x8c\x86\xe5\xa3\xae\xe7\x9b\x8e\xe9\x80\x9e\\xe8\xb5\xa3\xe7\xa7\xa9\xe5\x9d\x8a\xe5\x92\xb8\xe7\x96\xbe.lnk
C:\Users\test\AppData\Local\Temp\12095925\....\TemporaryFile
C:\Users\test\AppData\Local\Temp\12095925\TemporaryFile
C:\Windows\Sysnative\ntdll.dll.bak
C:\Windows\sysnative\ntdll.dll
C:\TCJ.dll
C:\Users\test\AppData\Local\Temp\12095925\TemporaryFile\TemporaryFile
C:\Users\test\AppData\Local\Temp\12095925\TemporaryFile
C:\Users\test\AppData\Local\Temp\12095925

Registry keys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\csrss.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_CURRENT_USER\Software\Tencent\CrossFire
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Resolved APIs

kernel32.dll.IsProcessorFeaturePresent
cryptbase.dll.SystemFunction036
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
comctl32.dll.RegisterClassNameW
uxtheme.dll.EnableThemeDialogTexture
uxtheme.dll.OpenThemeData
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
gdi32.dll.GetTextExtentExPointWPri
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
user32.dll.GetSystemMetrics
user32.dll.MonitorFromWindow
user32.dll.MonitorFromRect
user32.dll.MonitorFromPoint
user32.dll.EnumDisplayMonitors
user32.dll.GetMonitorInfoA
gdi32.dll.GetFontAssocStatus
oleaut32.dll.SysAllocString
oleaut32.dll.SysStringLen
oleaut32.dll.SysFreeString
kernel32.dll.CreateDirectoryA
kernel32.dll.MoveFileA
kernel32.dll.Wow64DisableWow64FsRedirection
kernel32.dll.lstrcpyn
kernel32.dll.LoadLibraryA
kernel32.dll.GetProcAddress
shlwapi.dll.StrToIntExA
user32.dll.CallWindowProcA
kernel32.dll.GetCurrentProcessId
kernel32.dll.OpenProcess
advapi32.dll.OpenProcessToken
kernel32.dll.CloseHandle
advapi32.dll.GetTokenInformation
advapi32.dll.LookupAccountSidA
sechost.dll.LookupAccountSidLocalA
advapi32.dll.GetUserNameA
kernel32.dll.SetThreadUILanguage
kernel32.dll.CopyFileExW
kernel32.dll.IsDebuggerPresent
kernel32.dll.SetConsoleInputExeNameW
sechost.dll.LookupAccountNameLocalW

Executed commands

cmd /c cacls.exe C:\Windows\System32\ntdll.DLL /e /t /p everyone:F
cmd /c takeown /f C:\Windows\Sysnative\ntdll.dll
cmd /c cacls.exe C:\Windows\Sysnative\csrss.exe /e /t /p test:F
cmd /c cacls.exe C:\Windows\Sysnative\ntdll.dll /e /t /p test:F

Mutexes

Local\MSCTF.Asm.MutexDefault1

PE information

Image base 0x00400000
Entry point 0x00467538
Declared checksum 0x00000000
Actual checksum 0x0012d021
Minimum OS version required 4.0
Compile time 2019-08-14 15:45:26
Import hash 20c2efba35b346b27e1c8659124336e6

Version information

LegalCopyright
FileVersion
Comments
ProductName
ProductVersion
FileDescription
Translation

PE sections

Name  Virtual address  Virtual size  Raw data size  Characteristics  Entropy
.text 0x00001000 0x0008561e 0x00086000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.55
.rdata 0x00087000 0x000873c2 0x00088000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 6.40
.data 0x0010f000 0x000371ca 0x00012000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.05
.rsrc 0x00147000 0x00005944 0x00006000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.82

Imports

Library: WINMM.dll:
0x48764c midiStreamOut
0x48765c waveOutWrite
0x487660 waveOutPause
0x487664 waveOutReset
0x487668 waveOutClose
0x48766c waveOutGetNumDevs
0x487670 waveOutOpen
0x487674 midiStreamStop
0x487678 midiOutReset
0x48767c midiStreamClose
0x487680 midiStreamRestart
0x487688 midiStreamOpen
0x48768c midiStreamProperty
Library: WS2_32.dll:
0x4876a4 WSACleanup
0x4876a8 closesocket
0x4876ac getpeername
0x4876b0 accept
0x4876b4 WSAAsyncSelect
0x4876b8 recvfrom
0x4876bc ioctlsocket
0x4876c0 inet_ntoa
0x4876c4 recv
Library: KERNEL32.dll:
0x487178 GetSystemDirectoryA
0x48717c MultiByteToWideChar
0x487180 SetLastError
0x487188 GetVersion
0x48718c WideCharToMultiByte
0x487190 GetACP
0x487194 HeapSize
0x487198 RaiseException
0x48719c GetLocalTime
0x4871a0 GetSystemTime
0x4871a4 RtlUnwind
0x4871a8 GetStartupInfoA
0x4871ac GetOEMCP
0x4871b0 GetCPInfo
0x4871b4 GetProcessVersion
0x4871b8 SetErrorMode
0x4871bc GlobalFlags
0x4871c0 GetCurrentThread
0x4871c4 GetFileTime
0x4871c8 TlsGetValue
0x4871cc LocalReAlloc
0x4871d0 TlsSetValue
0x4871d4 TlsFree
0x4871d8 GlobalHandle
0x4871dc TlsAlloc
0x4871e0 LocalAlloc
0x4871e4 lstrcmpA
0x4871e8 GlobalGetAtomNameA
0x4871ec GlobalAddAtomA
0x4871f0 GlobalFindAtomA
0x4871f4 GlobalDeleteAtom
0x4871f8 lstrcmpiA
0x4871fc SetEndOfFile
0x487200 UnlockFile
0x487204 LockFile
0x487208 FlushFileBuffers
0x48720c DuplicateHandle
0x487210 lstrcpynA
0x48721c LocalFree
0x487228 OpenProcess
0x48722c TerminateProcess
0x487230 GetCurrentProcess
0x487234 GetFileSize
0x487238 SetFilePointer
0x487240 Process32First
0x487244 Process32Next
0x487248 CreateSemaphoreA
0x48724c ResumeThread
0x487250 ReleaseSemaphore
0x48725c GetProfileStringA
0x487260 WriteFile
0x487268 CreateFileA
0x48726c SetEvent
0x487270 FindResourceA
0x487274 LoadResource
0x487278 LockResource
0x48727c ReadFile
0x487280 RemoveDirectoryA
0x487284 GetModuleFileNameA
0x487288 GetCurrentThreadId
0x48728c ExitProcess
0x487290 GlobalSize
0x487294 GlobalFree
0x4872a0 lstrcatA
0x4872a4 lstrlenA
0x4872a8 WinExec
0x4872ac lstrcpyA
0x4872b0 FindNextFileA
0x4872b4 InterlockedExchange
0x4872b8 GlobalReAlloc
0x4872bc HeapFree
0x4872c0 HeapReAlloc
0x4872c4 GetProcessHeap
0x4872c8 HeapAlloc
0x4872cc GetFullPathNameA
0x4872d0 FreeLibrary
0x4872d4 LoadLibraryA
0x4872d8 GetLastError
0x4872dc GetVersionExA
0x4872e4 CreateThread
0x4872e8 CreateEventA
0x4872ec Sleep
0x4872f4 GlobalAlloc
0x4872f8 GlobalLock
0x4872fc GlobalUnlock
0x487300 GetTempPathA
0x487304 FindFirstFileA
0x487308 FindClose
0x48730c SetFileAttributesA
0x487310 GetFileAttributesA
0x487314 MoveFileA
0x487318 DeleteFileA
0x48731c CopyFileA
0x487320 CreateDirectoryA
0x48732c GetModuleHandleA
0x487330 GetProcAddress
0x487334 MulDiv
0x487338 GetCommandLineA
0x48733c GetTickCount
0x487340 CreateProcessA
0x487344 WaitForSingleObject
0x487348 CloseHandle
0x487360 SetHandleCount
0x487364 GetStdHandle
0x487368 GetFileType
0x487370 HeapDestroy
0x487374 HeapCreate
0x487378 VirtualFree
0x487380 LCMapStringA
0x487384 LCMapStringW
0x487388 VirtualAlloc
0x48738c IsBadWritePtr
0x487394 GetStringTypeA
0x487398 GetStringTypeW
0x48739c CompareStringA
0x4873a0 CompareStringW
0x4873a4 IsBadReadPtr
0x4873a8 IsBadCodePtr
0x4873ac SetStdHandle
Library: USER32.dll:
0x4873d4 PeekMessageA
0x4873d8 SetMenu
0x4873dc GetMenu
0x4873e0 IsIconic
0x4873e4 SetFocus
0x4873e8 GetActiveWindow
0x4873ec GetWindow
0x4873f4 SetWindowRgn
0x4873f8 GetMessagePos
0x4873fc ScreenToClient
0x487400 DeleteMenu
0x487404 GetSystemMenu
0x487408 DefWindowProcA
0x48740c GetClassInfoA
0x487410 IsZoomed
0x487414 PostQuitMessage
0x48741c GetKeyState
0x487424 IsWindowEnabled
0x487428 ShowWindow
0x487430 LoadImageA
0x487438 ClientToScreen
0x48743c EnableMenuItem
0x487440 GetSubMenu
0x487444 GetDlgCtrlID
0x48744c CreateMenu
0x487450 ModifyMenuA
0x487454 AppendMenuA
0x487458 CreatePopupMenu
0x48745c CopyRect
0x487460 LoadBitmapA
0x487464 WinHelpA
0x487468 KillTimer
0x48746c SetTimer
0x487470 ReleaseCapture
0x487474 GetCapture
0x487478 SetCapture
0x48747c GetScrollRange
0x487480 SetScrollRange
0x487484 SetScrollPos
0x487488 SetRect
0x48748c InflateRect
0x487490 IntersectRect
0x487494 GetSysColorBrush
0x487498 DestroyIcon
0x48749c PtInRect
0x4874a0 OffsetRect
0x4874a4 IsWindowVisible
0x4874a8 EnableWindow
0x4874ac RedrawWindow
0x4874b0 GetWindowLongA
0x4874b4 SetWindowLongA
0x4874b8 GetSysColor
0x4874bc SetActiveWindow
0x4874c0 SetCursorPos
0x4874c4 LoadCursorA
0x4874c8 SetCursor
0x4874cc GetDC
0x4874d0 FillRect
0x4874d4 IsRectEmpty
0x4874d8 ReleaseDC
0x4874dc IsChild
0x4874e0 DestroyMenu
0x4874e4 SetForegroundWindow
0x4874e8 GetWindowRect
0x4874ec EqualRect
0x4874f0 UpdateWindow
0x4874f4 ValidateRect
0x4874f8 InvalidateRect
0x4874fc GetClientRect
0x487500 GetFocus
0x487504 GetParent
0x487508 GetTopWindow
0x48750c PostMessageA
0x487510 IsWindow
0x487514 SetParent
0x487518 DestroyCursor
0x48751c SendMessageA
0x487520 SetWindowPos
0x487524 MessageBoxA
0x487528 GetCursorPos
0x48752c GetSystemMetrics
0x487530 EmptyClipboard
0x487534 SetClipboardData
0x487538 OpenClipboard
0x48753c GetClipboardData
0x487540 CloseClipboard
0x487544 wsprintfA
0x487548 WaitForInputIdle
0x48754c DrawIconEx
0x48755c DispatchMessageA
0x487560 GetMessageA
0x487564 WindowFromPoint
0x487568 DrawFocusRect
0x48756c DrawEdge
0x487570 DrawFrameControl
0x487574 TranslateMessage
0x487578 LoadIconA
0x48757c GetDesktopWindow
0x487580 GetClassNameA
0x487588 FindWindowA
0x48758c GetDlgItem
0x487590 GetWindowTextA
0x487594 GetForegroundWindow
0x48759c UnregisterClassA
0x4875a0 SetRectEmpty
0x4875a8 CharUpperA
0x4875ac GetWindowDC
0x4875b0 BeginPaint
0x4875b4 EndPaint
0x4875b8 TabbedTextOutA
0x4875bc DrawTextA
0x4875c0 GrayStringA
0x4875c4 DestroyWindow
0x4875cc EndDialog
0x4875d0 GetNextDlgTabItem
0x4875d4 GetWindowPlacement
0x4875dc GetLastActivePopup
0x4875e0 GetMessageTime
0x4875e4 RemovePropA
0x4875e8 CallWindowProcA
0x4875ec GetPropA
0x4875f0 UnhookWindowsHookEx
0x4875f4 SetPropA
0x4875f8 GetClassLongA
0x4875fc CallNextHookEx
0x487600 SetWindowsHookExA
0x487604 CreateWindowExA
0x487608 GetMenuItemID
0x48760c GetMenuItemCount
0x487610 RegisterClassA
0x487614 GetScrollPos
0x487618 AdjustWindowRectEx
0x48761c MapWindowPoints
0x487620 SendDlgItemMessageA
0x487624 ScrollWindowEx
0x487628 IsDialogMessageA
0x48762c SetWindowTextA
0x487630 MoveWindow
0x487634 CheckMenuItem
0x487638 SetMenuItemBitmaps
0x48763c GetMenuState
0x487644 LoadStringA
Library: GDI32.dll:
0x487028 Escape
0x48702c ExtTextOutA
0x487030 TextOutA
0x487034 RectVisible
0x487038 PtVisible
0x48703c GetViewportExtEx
0x487040 ExtSelectClipRgn
0x487044 CreateFontIndirectA
0x487048 EndPage
0x48704c EndDoc
0x487050 DeleteDC
0x487054 StartDocA
0x487058 StartPage
0x48705c BitBlt
0x487060 CreateCompatibleDC
0x487064 Ellipse
0x487068 Rectangle
0x48706c LPtoDP
0x487070 DPtoLP
0x487074 GetCurrentObject
0x487078 GetTextMetricsA
0x487080 GetDeviceCaps
0x487084 SetStretchBltMode
0x48708c SetBkColor
0x487090 LineTo
0x487094 MoveToEx
0x487098 ExcludeClipRect
0x48709c GetClipBox
0x4870a0 ScaleWindowExtEx
0x4870a4 SetWindowExtEx
0x4870a8 SetWindowOrgEx
0x4870ac GetStockObject
0x4870b0 CreateSolidBrush
0x4870b4 FillRgn
0x4870b8 CreateRectRgn
0x4870bc CombineRgn
0x4870c0 PatBlt
0x4870c4 CreatePen
0x4870c8 GetObjectA
0x4870cc SelectObject
0x4870d0 CreateBitmap
0x4870d4 CreateDCA
0x4870dc GetPolyFillMode
0x4870e0 GetStretchBltMode
0x4870e4 GetROP2
0x4870e8 GetBkColor
0x4870ec GetBkMode
0x4870f0 GetTextColor
0x4870f4 CreateRoundRectRgn
0x4870f8 CreateEllipticRgn
0x4870fc PathToRegion
0x487100 EndPath
0x487104 BeginPath
0x487108 GetWindowOrgEx
0x48710c GetViewportOrgEx
0x487110 ScaleViewportExtEx
0x487114 SetViewportExtEx
0x487118 OffsetViewportOrgEx
0x48711c SetViewportOrgEx
0x487120 SetMapMode
0x487124 SetTextColor
0x487128 SetROP2
0x48712c SetPolyFillMode
0x487130 GetWindowExtEx
0x487134 GetDIBits
0x487138 RealizePalette
0x48713c SelectPalette
0x487140 StretchBlt
0x487144 CreatePalette
0x48714c CreateDIBitmap
0x487150 GetClipRgn
0x487154 SelectClipRgn
0x487158 RoundRect
0x48715c DeleteObject
0x487160 SetBkMode
0x487164 RestoreDC
0x487168 SaveDC
0x48716c CreatePolygonRgn
Library: WINSPOOL.DRV:
0x487694 OpenPrinterA
0x487698 DocumentPropertiesA
0x48769c ClosePrinter
Library: ADVAPI32.dll:
0x487000 RegQueryValueExA
0x487004 RegOpenKeyExA
0x487008 RegSetValueExA
0x48700c RegQueryValueA
0x487010 RegCreateKeyExA
0x487014 RegCloseKey
Library: SHELL32.dll:
0x4873c4 ShellExecuteA
0x4873c8 Shell_NotifyIconA
Library: ole32.dll:
0x4876e0 CLSIDFromString
0x4876e4 OleUninitialize
0x4876e8 OleInitialize
Library: OLEAUT32.dll:
0x4873b4 LoadTypeLib
0x4873b8 RegisterTypeLib
0x4873bc UnRegisterTypeLib
Library: COMCTL32.dll:
0x48701c None
0x487020 ImageList_Destroy
Library: comdlg32.dll:
0x4876cc ChooseColorA
0x4876d0 GetFileTitleA
0x4876d4 GetSaveFileNameA
0x4876d8 GetOpenFileNameA

Strings

.text
`.rdata
@.data
.rsrc
VMProtect begin
VMProtect end

No antivirus engine scan information.

Process tree

csrss.exe, PID: 2660, parent PID: 2316
    cmd.exe, PID: 2836, parent PID: 2660
        cacls.exe, PID: 3064, parent PID: 2836
    cmd.exe, PID: 2916, parent PID: 2660
        takeown.exe, PID: 1640, parent PID: 2916
    cmd.exe, PID: 2944, parent PID: 2660
        cacls.exe, PID: 2172, parent PID: 2944
    cmd.exe, PID: 2540, parent PID: 2660
        cacls.exe, PID: 2748, parent PID: 2540
    cmd.exe, PID: 3052, parent PID: 2660
        cacls.exe, PID: 2416, parent PID: 3052
    cmd.exe, PID: 2340, parent PID: 2660
        takeown.exe, PID: 2840, parent PID: 2340
    cmd.exe, PID: 2460, parent PID: 2660
        cacls.exe, PID: 2604, parent PID: 2460
    cmd.exe, PID: 2828, parent PID: 2660
        cacls.exe, PID: 1188, parent PID: 2828
    cmd.exe, PID: 3028, parent PID: 2660
        cacls.exe, PID: 2896, parent PID: 3028
    cmd.exe, PID: 2300, parent PID: 2660
        takeown.exe, PID: 3016, parent PID: 2300
    cmd.exe, PID: 712, parent PID: 2660
        cacls.exe, PID: 2708, parent PID: 712
    cmd.exe, PID: 1672, parent PID: 2660
        cacls.exe, PID: 3040, parent PID: 1672

TCP

No TCP connection records.

UDP

No UDP connection records.

HTTP requests

No HTTP requests found.

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results.

Network alerts

No alerts.

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No network-extracted files found.
Sorry! No files were dropped.
No similar analyses found.
Task ID 355685
Mongo ID 5d57b74d2f8f2e56d9c96777
Cuckoo release 1.4-Maldun