Analysis task

Analysis type  VM label  Start time  End time  Duration
File (Windows)  win7-sp1-x64-hpdapp01-1  2019-09-06 08:07:30  2019-09-06 08:09:58  148 seconds

魔盾 score

7.175

Dangerous

File details

File name 凤凰破解.exe
File size 6279168 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 a9856cee32ecc1930f66e9d671b0b712
SHA1 cdbbd4febe2735031444eeaca3e8bb8345a28150
SHA256 202480d1986931ac016bc6320b6a9dd53eea35346b2b5a77aa9491dbd9dab58e
SHA512 59f92da5178ea447ecb9c483bd18e7c1b600fbfbc92ea1a7542d8e673be981edbe6473c38f69b8d1ebe2a5b566755a7e6cc98f72284cbde88e6b69ebd25ae55d
CRC32 C9B83132
Ssdeep 98304:i7r/1qRrm82ua0/cSLetMIBHW2gQBG6a0/cSLetMIBHW2gQ:uON3LwME22gQBGW3LwME22gQ
Yara
  • Detected 32bit PE signature
  • Detected Entropy signature
  • Detected Rich Signature
  • Checks if being debugged
  • Code injection with CreateRemoteThread in a remote process
  • Create a new process
  • Create a windows service
  • Communications over UDP socket
  • Listen for incoming communication
  • Communications over RAW socket
  • Communications use DNS
  • Detected escalate priviledges function
  • Detected take screenshot function
  • Run a keylogger
  • Create or check mutex
  • Affect system registries
  • Change registries to affect system
  • Affect system token
  • Affect private profile
  • Affect private profile
  • Affect hook table
  • Spotted potential mallicious behaviors like logging and network communication
  • Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files
  • Detected the presence of an or several images
  • Detected the presence of an or several urls
  • Looks for advapi API functions
  • Look for CRC32 [poly]
  • Look for CRC32 table
  • Look for MD5 constants
  • Look for DES [sbox]
  • Look for Random function

Signatures (severity levels: low risk, medium risk, high risk)

Creates RWX memory
魔盾 wping.org domain reputation system
Greylist: v9.hphu.com
Performed some HTTP requests
url: http://v9.hphu.com:8080/kss_io/io.php?v=13&b=1&s=11759001&e=get&line=1&kstoken=46571566847
The binary file may contain encrypted or compressed data
section: name: .rdata, entropy: 7.45, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x0034f000, virtual_size: 0x0034edce
section: name: .data, entropy: 7.97, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x001ea000, virtual_size: 0x002275e9
Found at least one IP address, domain name, or file name in a cryptographic call
ioc: http://ec.360bc.cnhttp
ioc: www.eyybc.com/forumdisplay.php
ioc: memcp.php/ip.asp/time.asp/gonggao.txt/ec-user6.php/ec-bd.php/ec-jh.php
ioc: http://www.super-ec.cn
Established a TCP connection to a non-standard port on an external IP address
Connection: 59.153.74.79:8080
魔盾 security Yara rule detection results - High risk
Informational: Detected Entropy signature
Informational: Detected Rich Signature
Warning: Code injection with CreateRemoteThread in a remote process
Warning: Create a new process
Warning: Create a windows service
Warning: Communications over UDP socket
Warning: Listen for incoming communication
Warning: Communications over RAW socket
Informational: Communications use DNS
Warning: Detected escalate priviledges function
Warning: Detected take screenshot function
Warning: Run a keylogger
Warning: Affect system registries
Warning: Affect system token
Warning: Affect private profile
Warning: Affect hook table
Critical: Spotted potential mallicious behaviors like logging and network communication
Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files
Critical: maldoc_find_kernel32_base_method_1
Critical: maldoc_getEIP_method_1
Informational: Detected the presence of an or several images
Informational: Detected the presence of an or several urls
Warning: Looks for advapi API functions
Informational: Look for CRC32 [poly]
Informational: Look for CRC32 table
Informational: Look for MD5 constants
Informational: Look for DES [sbox]
Informational: Look for Random function

Runtime screenshots


Hosts contacted

Direct IP  Safety rating  Location
59.153.74.79  China

Domain resolution

Domain  Safety rating  Response
v9.hphu.com A 59.153.74.79

Summary


PE information

Image base 0x00400000
Entry point 0x00497c35
Claimed checksum 0x00000000
Actual checksum 0x00606b2e
Minimum OS version required 4.0
Compile time 2019-09-04 02:16:23
Import hash 68a11cab70d2d9250b0312b936a76dd9

PE sections

Name  Virtual address  Virtual size  Raw data size  Characteristics  Entropy
.text 0x00001000 0x000b7cba 0x000b8000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.57
.rdata 0x000b9000 0x0034edce 0x0034f000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.45
.data 0x00408000 0x002275e9 0x001ea000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.97
.rsrc 0x00630000 0x0000a6d0 0x0000b000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.64

Imports

Library: WINMM.dll:
0x4b9678 midiStreamOut
0x4b9688 waveOutWrite
0x4b968c waveOutPause
0x4b9690 waveOutReset
0x4b9694 waveOutClose
0x4b9698 waveOutGetNumDevs
0x4b969c waveOutOpen
0x4b96a0 midiStreamStop
0x4b96a4 midiOutReset
0x4b96a8 midiStreamClose
0x4b96ac midiStreamRestart
0x4b96b4 midiStreamOpen
0x4b96b8 midiStreamProperty
Library: WS2_32.dll:
0x4b96d0 closesocket
0x4b96d4 send
0x4b96d8 select
0x4b96dc WSACleanup
0x4b96e0 WSAStartup
0x4b96e4 gethostbyname
0x4b96e8 WSAAsyncSelect
0x4b96ec inet_addr
0x4b96f0 accept
0x4b96f4 ntohs
0x4b96f8 htons
0x4b96fc socket
0x4b9700 recvfrom
0x4b9704 ioctlsocket
0x4b9708 connect
0x4b970c recv
0x4b9710 inet_ntoa
0x4b9714 getpeername
Library: KERNEL32.dll:
0x4b918c GetCurrentProcess
0x4b9190 MultiByteToWideChar
0x4b9194 WideCharToMultiByte
0x4b9198 Process32Next
0x4b919c Process32First
0x4b91a4 SetFilePointer
0x4b91a8 GetFileSize
0x4b91ac TerminateProcess
0x4b91b0 OpenProcess
0x4b91b8 GetVersion
0x4b91bc RaiseException
0x4b91c0 GetLocalTime
0x4b91c4 GetSystemTime
0x4b91c8 RtlUnwind
0x4b91cc GetStartupInfoA
0x4b91d0 GetOEMCP
0x4b91d4 GetCPInfo
0x4b91d8 GetProcessVersion
0x4b91dc SetErrorMode
0x4b91e0 GlobalFlags
0x4b91e4 GetCurrentThread
0x4b91e8 GetFileTime
0x4b91ec TlsGetValue
0x4b91f0 LocalReAlloc
0x4b91f4 TlsSetValue
0x4b91f8 TlsFree
0x4b91fc GlobalHandle
0x4b9200 TlsAlloc
0x4b9204 LocalAlloc
0x4b9208 lstrcmpA
0x4b920c GlobalGetAtomNameA
0x4b9210 GlobalAddAtomA
0x4b9214 GlobalFindAtomA
0x4b9218 GlobalDeleteAtom
0x4b921c lstrcmpiA
0x4b9220 SetEndOfFile
0x4b9224 UnlockFile
0x4b9228 LockFile
0x4b922c FlushFileBuffers
0x4b9230 DuplicateHandle
0x4b9234 lstrcpynA
0x4b9240 LocalFree
0x4b9250 CreateFileMappingA
0x4b9254 MapViewOfFile
0x4b9258 UnmapViewOfFile
0x4b925c OpenFileMappingA
0x4b9260 ReleaseMutex
0x4b9264 GetSystemDirectoryA
0x4b9268 IsBadReadPtr
0x4b926c VirtualProtect
0x4b9270 VirtualFree
0x4b9274 VirtualAlloc
0x4b9278 SetLastError
0x4b927c CreateSemaphoreA
0x4b9280 ResumeThread
0x4b9284 ReleaseSemaphore
0x4b9290 GetProfileStringA
0x4b9294 WriteFile
0x4b929c CreateFileA
0x4b92a0 SetEvent
0x4b92a4 FindResourceA
0x4b92a8 LoadResource
0x4b92ac LockResource
0x4b92b0 ReadFile
0x4b92b4 RemoveDirectoryA
0x4b92b8 GetModuleFileNameA
0x4b92bc GetCurrentThreadId
0x4b92c0 ExitProcess
0x4b92c4 GlobalSize
0x4b92c8 GlobalFree
0x4b92d4 lstrcatA
0x4b92d8 InterlockedExchange
0x4b92dc lstrlenA
0x4b92e0 WinExec
0x4b92e4 lstrcpyA
0x4b92e8 FindNextFileA
0x4b92ec GlobalReAlloc
0x4b92f0 HeapFree
0x4b92f4 HeapReAlloc
0x4b92f8 GetProcessHeap
0x4b92fc HeapAlloc
0x4b9300 GetFullPathNameA
0x4b9304 FreeLibrary
0x4b9308 LoadLibraryA
0x4b930c GetLastError
0x4b9310 GetVersionExA
0x4b931c CreateThread
0x4b9320 CreateEventA
0x4b9324 Sleep
0x4b932c GlobalAlloc
0x4b9330 GlobalLock
0x4b9334 GlobalUnlock
0x4b9338 GetTempPathA
0x4b933c FindFirstFileA
0x4b9340 FindClose
0x4b9344 SetFileAttributesA
0x4b9348 GetFileAttributesA
0x4b934c DeleteFileA
0x4b9350 CopyFileA
0x4b935c GetModuleHandleA
0x4b9360 GetProcAddress
0x4b9364 MulDiv
0x4b9368 GetCommandLineA
0x4b936c GetTickCount
0x4b9370 CreateProcessA
0x4b9374 WaitForSingleObject
0x4b9378 CloseHandle
0x4b937c HeapSize
0x4b9380 GetACP
0x4b9398 SetHandleCount
0x4b939c GetStdHandle
0x4b93a0 GetFileType
0x4b93a8 HeapDestroy
0x4b93ac HeapCreate
0x4b93b4 LCMapStringA
0x4b93b8 LCMapStringW
0x4b93bc IsBadWritePtr
0x4b93c4 GetStringTypeA
0x4b93c8 GetStringTypeW
0x4b93cc CompareStringA
0x4b93d0 CompareStringW
0x4b93d4 IsBadCodePtr
0x4b93d8 SetStdHandle
Library: USER32.dll:
0x4b9400 IsIconic
0x4b9404 PeekMessageA
0x4b9408 SetMenu
0x4b940c GetMenu
0x4b9410 SetFocus
0x4b9414 GetActiveWindow
0x4b9418 GetWindow
0x4b9420 SetWindowRgn
0x4b9424 GetMessagePos
0x4b9428 ScreenToClient
0x4b9430 DeleteMenu
0x4b9434 GetSystemMenu
0x4b9438 DefWindowProcA
0x4b943c GetClassInfoA
0x4b9440 IsZoomed
0x4b9444 PostQuitMessage
0x4b944c GetKeyState
0x4b9454 IsWindowEnabled
0x4b9458 ShowWindow
0x4b9460 LoadImageA
0x4b9468 ClientToScreen
0x4b946c EnableMenuItem
0x4b9470 GetSubMenu
0x4b9474 GetDlgCtrlID
0x4b947c CreateMenu
0x4b9480 ModifyMenuA
0x4b9484 CreatePopupMenu
0x4b9488 DrawIconEx
0x4b948c LoadBitmapA
0x4b9490 WinHelpA
0x4b9494 KillTimer
0x4b9498 SetTimer
0x4b949c ReleaseCapture
0x4b94a0 GetCapture
0x4b94a4 SetCapture
0x4b94a8 GetScrollRange
0x4b94ac SetScrollRange
0x4b94b0 SetScrollPos
0x4b94b4 SetRect
0x4b94b8 InflateRect
0x4b94bc IntersectRect
0x4b94c0 DestroyIcon
0x4b94c4 PtInRect
0x4b94c8 OffsetRect
0x4b94cc IsWindowVisible
0x4b94d0 EnableWindow
0x4b94d4 GetSysColorBrush
0x4b94d8 LoadStringA
0x4b94dc RedrawWindow
0x4b94e0 GetWindowLongA
0x4b94e4 SetWindowLongA
0x4b94e8 GetSysColor
0x4b94ec SetActiveWindow
0x4b94f0 SetCursorPos
0x4b94f4 LoadCursorA
0x4b94f8 SetCursor
0x4b94fc GetDC
0x4b9500 FillRect
0x4b9504 IsRectEmpty
0x4b9508 ReleaseDC
0x4b950c IsChild
0x4b9510 DestroyMenu
0x4b9514 SetForegroundWindow
0x4b9518 GetWindowRect
0x4b951c EqualRect
0x4b9520 UpdateWindow
0x4b9524 ValidateRect
0x4b9528 InvalidateRect
0x4b952c GetClientRect
0x4b9530 GetFocus
0x4b9534 GetParent
0x4b9538 GetTopWindow
0x4b953c PostMessageA
0x4b9540 IsWindow
0x4b9544 SetParent
0x4b9548 DestroyCursor
0x4b954c SendMessageA
0x4b9550 SetWindowPos
0x4b9554 MessageBoxA
0x4b9558 GetCursorPos
0x4b955c GetSystemMetrics
0x4b9560 EmptyClipboard
0x4b9564 SetClipboardData
0x4b9568 OpenClipboard
0x4b956c GetClipboardData
0x4b9570 CloseClipboard
0x4b9574 wsprintfA
0x4b9578 WaitForInputIdle
0x4b9588 SetRectEmpty
0x4b958c DispatchMessageA
0x4b9590 GetMessageA
0x4b9594 WindowFromPoint
0x4b9598 DrawFocusRect
0x4b959c DrawEdge
0x4b95a0 DrawFrameControl
0x4b95a4 TranslateMessage
0x4b95a8 LoadIconA
0x4b95ac GetForegroundWindow
0x4b95b0 GetDesktopWindow
0x4b95b4 GetClassNameA
0x4b95bc FindWindowA
0x4b95c0 GetDlgItem
0x4b95c4 GetWindowTextA
0x4b95c8 CopyRect
0x4b95cc UnregisterClassA
0x4b95d0 AppendMenuA
0x4b95d8 CharUpperA
0x4b95dc GetWindowDC
0x4b95e0 BeginPaint
0x4b95e4 EndPaint
0x4b95e8 TabbedTextOutA
0x4b95ec DrawTextA
0x4b95f0 GrayStringA
0x4b95f4 DestroyWindow
0x4b95fc EndDialog
0x4b9600 GetNextDlgTabItem
0x4b9604 GetWindowPlacement
0x4b960c GetLastActivePopup
0x4b9610 GetMessageTime
0x4b9614 RemovePropA
0x4b9618 CallWindowProcA
0x4b961c GetPropA
0x4b9620 UnhookWindowsHookEx
0x4b9624 SetPropA
0x4b9628 GetClassLongA
0x4b962c CallNextHookEx
0x4b9630 SetWindowsHookExA
0x4b9634 CreateWindowExA
0x4b9638 GetMenuItemID
0x4b963c GetMenuItemCount
0x4b9640 RegisterClassA
0x4b9644 GetScrollPos
0x4b9648 AdjustWindowRectEx
0x4b964c MapWindowPoints
0x4b9650 SendDlgItemMessageA
0x4b9654 ScrollWindowEx
0x4b9658 IsDialogMessageA
0x4b965c SetWindowTextA
0x4b9660 MoveWindow
0x4b9664 CheckMenuItem
0x4b9668 SetMenuItemBitmaps
0x4b966c GetMenuState
Library: GDI32.dll:
0x4b9040 PtVisible
0x4b9044 GetViewportExtEx
0x4b9048 ExtSelectClipRgn
0x4b904c EndPage
0x4b9050 EndDoc
0x4b9054 DeleteDC
0x4b9058 StartDocA
0x4b905c StartPage
0x4b9060 BitBlt
0x4b9064 CreateCompatibleDC
0x4b9068 Ellipse
0x4b906c Rectangle
0x4b9070 LPtoDP
0x4b9074 DPtoLP
0x4b9078 GetCurrentObject
0x4b907c RoundRect
0x4b9080 RectVisible
0x4b9088 GetDeviceCaps
0x4b908c GetClipRgn
0x4b9090 SetStretchBltMode
0x4b9098 SetBkColor
0x4b909c LineTo
0x4b90a0 MoveToEx
0x4b90a4 ExcludeClipRect
0x4b90a8 GetClipBox
0x4b90ac ScaleWindowExtEx
0x4b90b0 SetWindowExtEx
0x4b90b4 SetWindowOrgEx
0x4b90b8 ScaleViewportExtEx
0x4b90bc TextOutA
0x4b90c0 ExtTextOutA
0x4b90c4 Escape
0x4b90c8 GetTextMetricsA
0x4b90cc CreateFontIndirectA
0x4b90d0 GetStockObject
0x4b90d4 CreateSolidBrush
0x4b90d8 FillRgn
0x4b90dc CreateRectRgn
0x4b90e0 CombineRgn
0x4b90e4 PatBlt
0x4b90e8 CreatePen
0x4b90ec GetObjectA
0x4b90f0 SelectObject
0x4b90f4 CreateBitmap
0x4b90f8 CreateDCA
0x4b9100 GetPolyFillMode
0x4b9104 GetStretchBltMode
0x4b9108 GetROP2
0x4b910c GetBkColor
0x4b9110 GetBkMode
0x4b9114 GetTextColor
0x4b9118 CreateRoundRectRgn
0x4b911c SetViewportExtEx
0x4b9120 OffsetViewportOrgEx
0x4b9124 SetViewportOrgEx
0x4b9128 SetMapMode
0x4b912c SetTextColor
0x4b9130 SetROP2
0x4b9134 SetPolyFillMode
0x4b9138 SetBkMode
0x4b913c CreateEllipticRgn
0x4b9140 PathToRegion
0x4b9144 EndPath
0x4b9148 BeginPath
0x4b914c GetWindowOrgEx
0x4b9150 GetViewportOrgEx
0x4b9154 GetWindowExtEx
0x4b9158 GetDIBits
0x4b915c CreatePolygonRgn
0x4b9160 SelectPalette
0x4b9164 StretchBlt
0x4b9168 CreatePalette
0x4b9170 CreateDIBitmap
0x4b9174 DeleteObject
0x4b9178 RealizePalette
0x4b917c RestoreDC
0x4b9180 SaveDC
0x4b9184 SelectClipRgn
Library: WINSPOOL.DRV:
0x4b96c0 OpenPrinterA
0x4b96c4 DocumentPropertiesA
0x4b96c8 ClosePrinter
Library: ADVAPI32.dll:
0x4b9000 RegQueryValueExA
0x4b9004 RegOpenKeyExA
0x4b9008 RegSetValueExA
0x4b900c RegDeleteValueA
0x4b9010 RegDeleteKeyA
0x4b9014 RegQueryValueA
0x4b9018 RegCreateKeyExA
0x4b901c RegEnumKeyA
0x4b9020 RegOpenKeyA
0x4b902c RegCloseKey
Library: SHELL32.dll:
0x4b93f4 ShellExecuteA
0x4b93f8 Shell_NotifyIconA
Library: ole32.dll:
0x4b9730 CLSIDFromString
0x4b9734 OleUninitialize
0x4b9738 OleInitialize
Library: OLEAUT32.dll:
0x4b93e0 LoadTypeLib
0x4b93e4 RegisterTypeLib
0x4b93e8 UnRegisterTypeLib
Library: COMCTL32.dll:
0x4b9034 None
0x4b9038 ImageList_Destroy
Library: comdlg32.dll:
0x4b971c ChooseColorA
0x4b9720 GetFileTitleA
0x4b9724 GetSaveFileNameA
0x4b9728 GetOpenFileNameA

.text
`.rdata
@.data
.rsrc
VMProtect begin
VMProtect end

No antivirus engine scan information!

Process tree

____________.exe, PID: 2648, parent process PID: 2300

Hosts contacted

Direct IP Security rating Geolocation
59.153.74.79 China

TCP

Source address Source port Destination address Destination port
192.168.122.201 49160 59.153.74.79 v9.hphu.com 8080

UDP

Source address Source port Destination address Destination port
192.168.122.201 62233 192.168.122.1 53

DNS resolution

Domain Security rating Response
v9.hphu.com A 59.153.74.79

HTTP requests

URI HTTP data
http://v9.hphu.com:8080/kss_io/io.php?v=13&b=1&s=11759001&e=get&line=1&kstoken=46571566847
POST /kss_io/io.php?v=13&b=1&s=11759001&e=get&line=1&kstoken=46571566847 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Language: zh-cn
Referer: http://v9.hphu.com/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; 541856776)
Content-Length: 126
Host: v9.hphu.com:8080

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results

Network alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No network-extracted files found
Sorry! No files were dropped.
No similar analyses found.

Processing ( 41.422 seconds )

  • 18.361 Static
  • 15.519 Suricata
  • 3.776 NetworkAnalysis
  • 1.522 TargetInfo
  • 1.37 VirusTotal
  • 0.454 peid
  • 0.266 BehaviorAnalysis
  • 0.115 AnalysisInfo
  • 0.022 config_decoder
  • 0.014 Strings
  • 0.003 Memory

Signatures ( 2.162 seconds )

  • 1.903 md_url_bl
  • 0.036 antiav_detectreg
  • 0.023 md_domain_bl
  • 0.015 infostealer_ftp
  • 0.012 api_spamming
  • 0.01 stealth_timeout
  • 0.01 antiav_detectfile
  • 0.009 infostealer_im
  • 0.008 stealth_decoy_document
  • 0.007 anomaly_persistence_autorun
  • 0.007 antianalysis_detectreg
  • 0.007 infostealer_bitcoin
  • 0.006 antidbg_windows
  • 0.006 geodo_banking_trojan
  • 0.006 infostealer_mail
  • 0.006 network_http
  • 0.006 ransomware_files
  • 0.005 ransomware_extensions
  • 0.004 antivm_vbox_files
  • 0.003 tinba_behavior
  • 0.003 disables_browser_warn
  • 0.003 network_torgateway
  • 0.002 antiemu_wine_func
  • 0.002 antivm_vbox_libs
  • 0.002 rat_nanocore
  • 0.002 betabot_behavior
  • 0.002 kibex_behavior
  • 0.002 antivm_generic_scsi
  • 0.002 infostealer_browser_password
  • 0.002 cerber_behavior
  • 0.002 kovter_behavior
  • 0.002 antivm_parallels_keys
  • 0.002 antivm_xen_keys
  • 0.002 bot_drive
  • 0.002 browser_security
  • 0.002 modify_proxy
  • 0.002 md_bad_drop
  • 0.002 network_cnc_http
  • 0.001 network_tor
  • 0.001 bootkit
  • 0.001 antiav_avast_libs
  • 0.001 mimics_filetime
  • 0.001 dridex_behavior
  • 0.001 stealth_file
  • 0.001 maldun_anomaly_massive_file_ops
  • 0.001 injection_createremotethread
  • 0.001 antivm_generic_services
  • 0.001 antivm_vbox_window
  • 0.001 reads_self
  • 0.001 ursnif_behavior
  • 0.001 kazybot_behavior
  • 0.001 antisandbox_sunbelt_libs
  • 0.001 ransomeware_modifies_desktop_wallpaper
  • 0.001 shifu_behavior
  • 0.001 exec_crash
  • 0.001 antivm_generic_disk
  • 0.001 anormaly_invoke_kills
  • 0.001 virus
  • 0.001 hancitor_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antidbg_devices
  • 0.001 antivm_generic_diskreg
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 disables_system_restore
  • 0.001 disables_windows_defender
  • 0.001 darkcomet_regkeys
  • 0.001 malicious_drop_executable_file_to_temp_folder
  • 0.001 maldun_network_blacklist
  • 0.001 rat_pcclient
  • 0.001 recon_fingerprint
  • 0.001 stealth_modify_uac_prompt

Reporting ( 1.189 seconds )

  • 0.891 ReportHTMLSummary
  • 0.298 Malheur
Task ID 367415
Mongo ID 5d71a40c2f8f2e17bf9ddd54
Cuckoo release 1.4-Maldun