Analysis Task

Analysis type   VM label   Start time   End time   Duration
File (Windows)   win7-sp1-x64-hpdapp01-1   2019-09-20 16:22:40   2019-09-20 16:25:06   146 seconds

Maldun Score

3.0

Suspicious

File Details

File name 免费辅助.exe
File size 6811648 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 89263a35a9633eb915c926bfd2fd6b2c
SHA1 ae3aed434a058629a8c0f5de350baca887f50925
SHA256 ecf6572c17451560b5d6121a967b5ff96283a6f0125b391d2ea7453d68ac9a91
SHA512 c4caae04cac0a51926e49247da4e142109e28de24f4a6bb996488eb653fbae250a58236baed930d8f8dcb5933c4ba8301b8efa38da2c72c5bf193b92dbdc9585
CRC32 7C3E5250
Ssdeep 98304:O8tuN2TcgqVHMGuxfQP8nmfS2AQn4XWhFh+YEc9t53yD48JfnmY6+vG4G4o+f:gIggqxMGusSAmWJ+YTToDJZ5SYf
Yara
  • Detected timing ticks function
  • Detected code injection function with CreateRemoteThread in a remote process
  • Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files
  • Detected UPX. Commonly used by RAT!

Host Access Records

No host records.

Domain Resolution

No domain information.


Summary

PE Information

Image base 0x00400000
Entry point 0x00461795
Declared checksum 0x00000000
Actual checksum 0x0068792d
Minimum OS version required 4.0
Compile time 2019-09-20 16:17:44
Import hash 2d781056a5f616bff835acf0f5b6215c

Version Information

LegalCopyright
FileVersion
Comments
ProductName
ProductVersion
FileDescription
Translation

PE Sections

Name   Virtual address   Virtual size   Raw data size   Characteristics   Entropy
.text 0x00001000 0x0007f61a 0x00080000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.58
.rdata 0x00081000 0x005e5a18 0x005e6000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.95
.data 0x00667000 0x00021aa8 0x00012000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.09
.rsrc 0x00689000 0x00005f04 0x00006000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.11

Imports

No antivirus engine scan information!

Process Tree

____________.exe, PID: 2496, parent PID: 2344

TCP

No TCP connection records.

UDP

No UDP connection records.

HTTP Requests

No HTTP requests found.

SMTP Traffic

No SMTP traffic.

IRC Traffic

No IRC requests.

ICMP Traffic

No ICMP traffic.

CIF Report

No CIF results

Network Alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No network-extracted files found.
Sorry! No files were dropped.
No similar analyses found.

Processing ( 39.746 seconds )

  • 19.792 Static
  • 15.497 Suricata
  • 1.613 TargetInfo
  • 1.433 VirusTotal
  • 0.598 peid
  • 0.358 NetworkAnalysis
  • 0.285 BehaviorAnalysis
  • 0.131 AnalysisInfo
  • 0.018 config_decoder
  • 0.017 Strings
  • 0.004 Memory

Signatures ( 0.224 seconds )

  • 0.027 antiav_detectreg
  • 0.021 md_url_bl
  • 0.017 md_domain_bl
  • 0.014 api_spamming
  • 0.011 stealth_timeout
  • 0.011 infostealer_ftp
  • 0.01 stealth_decoy_document
  • 0.008 anomaly_persistence_autorun
  • 0.007 antiav_detectfile
  • 0.007 infostealer_im
  • 0.007 ransomware_extensions
  • 0.007 ransomware_files
  • 0.006 antianalysis_detectreg
  • 0.005 infostealer_bitcoin
  • 0.004 kovter_behavior
  • 0.004 infostealer_mail
  • 0.003 tinba_behavior
  • 0.003 antiemu_wine_func
  • 0.003 infostealer_browser_password
  • 0.003 antivm_vbox_files
  • 0.003 geodo_banking_trojan
  • 0.003 disables_browser_warn
  • 0.002 rat_nanocore
  • 0.002 betabot_behavior
  • 0.002 cerber_behavior
  • 0.002 browser_security
  • 0.002 modify_proxy
  • 0.002 md_bad_drop
  • 0.001 antivm_vbox_libs
  • 0.001 injection_createremotethread
  • 0.001 ursnif_behavior
  • 0.001 kibex_behavior
  • 0.001 antivm_generic_scsi
  • 0.001 shifu_behavior
  • 0.001 exec_crash
  • 0.001 antidbg_windows
  • 0.001 antianalysis_detectfile
  • 0.001 antidbg_devices
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_xen_keys
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 disables_system_restore
  • 0.001 disables_windows_defender
  • 0.001 darkcomet_regkeys
  • 0.001 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 office_security
  • 0.001 rat_pcclient
  • 0.001 rat_spynet
  • 0.001 recon_fingerprint
  • 0.001 stealth_hiddenreg
  • 0.001 stealth_hide_notifications
  • 0.001 stealth_modify_uac_prompt

Reporting ( 0.842 seconds )

  • 0.839 ReportHTMLSummary
  • 0.003 Malheur
Task ID 378146
Mongo ID 5d848d172f8f2e1711c65ca4
Cuckoo release 1.4-Maldun