魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2020-04-08 23:08:25	2020-04-08 23:10:32	127 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-shaapp01-1	win7-sp1-x64-shaapp01-1	KVM	2020-04-08 23:08:26	2020-04-08 23:10:33

魔盾分数
0.0 正常的

文件名	刀-雷神Thor4.8日.zip
文件大小	472 字节
文件类型	DOS batch file, ISO-8859 text, with CRLF line terminators
CRC32	E980D0F3
MD5	091f8b6010b1e166a1eadc294d3a7de5
SHA1	6b6e5750d62b8c3fcaa3afc6ea5adf3596bafa39
SHA256	521f888b7cb577fd9a679f5d2fed252bbfcdd5975a828b2d152de31d2cd60b42
SHA512	89f7590dfa10843852c8e27489242ea03055aa12babc54b66dc8485dc6dec8560c450f8f4cd1ed527613654f09fbffab50b8780efc150034d97fecc07122ec1b
Ssdeep	6:hiFjttJtJOBNlBSOJUlvbtUtge7YsiOPMNRtf7d5edXAaG2ADQRvn:EftJtJOnltUljtUtgetG5f5qBGHDQJn
PEiD	无匹配
Yara	无Yara规则匹配
VirusTotal	无此文件扫描结果

文件名	\xb7\xc0\xd7\xb7\xb7\xe2\xc7\xe5\xc0\xed.bat
相关文件	C:\Users\test\AppData\Local\Temp\zip-tmp\\xe9\x98\xb2\xe8\xbf\xbd\xe5\xb0\x81\xe6\xb8\x85\xe7\x90\x86.bat
文件大小	472 bytes
文件类型	DOS batch file, ISO-8859 text, with CRLF line terminators
MD5	091f8b6010b1e166a1eadc294d3a7de5
SHA1	6b6e5750d62b8c3fcaa3afc6ea5adf3596bafa39
SHA256	521f888b7cb577fd9a679f5d2fed252bbfcdd5975a828b2d152de31d2cd60b42
SHA512	89f7590dfa10843852c8e27489242ea03055aa12babc54b66dc8485dc6dec8560c450f8f4cd1ed527613654f09fbffab50b8780efc150034d97fecc07122ec1b
Ssdeep	6:hiFjttJtJOBNlBSOJUlvbtUtge7YsiOPMNRtf7d5edXAaG2ADQRvn:EftJtJOnltUljtUtgetG5f5qBGHDQJn
VirusTotal	搜索相关分析

互斥量(Mutexes) 无信息

执行的命令 无信息

创建的服务 无信息

启动的服务 无信息

访问的文件

C:\Users\test\AppData\Local\Temp
C:\Users
C:\Users\test
C:\Users\test\AppData
C:\Users\test\AppData\Local
C:\
C:\Users\test\AppData\Local\Temp\zip-tmp\\xe9\x98\xb2\xe8\xbf\xbd\xe5\xb0\x81\xe6\xb8\x85\xe7\x90\x86.bat
C:\Users\test\AppData\Local\Temp\ECHO..*
C:\Users\test\AppData\Local\Temp\ECHO
C:\ProgramData\Oracle\Java\javapath\ECHO..*
C:\ProgramData\Oracle\Java\javapath\ECHO
C:\Windows\System32\ECHO..*
C:\Windows\System32\ECHO
C:\Windows\ECHO..*
C:\Windows\ECHO
C:\Windows\System32\wbem\ECHO..*
C:\Windows\System32\wbem\ECHO
C:\Windows\System32\WindowsPowerShell\v1.0\ECHO..*
C:\Windows\System32\WindowsPowerShell\v1.0\ECHO
C:\Program Files (x86)\WinRAR\ECHO..*
C:\Program Files (x86)\WinRAR\ECHO

读取的文件

C:\Users\test\AppData\Local\Temp\zip-tmp\\xe9\x98\xb2\xe8\xbf\xbd\xe5\xb0\x81\xe6\xb8\x85\xe7\x90\x86.bat

修改的文件 无信息

删除的文件 无信息

注册表键

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable

读取的注册表键

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable

修改的注册表键 无信息

删除的注册表键 无信息

API解析

kernel32.dll.SetThreadUILanguage
kernel32.dll.CopyFileExW
kernel32.dll.IsDebuggerPresent
kernel32.dll.SetConsoleInputExeNameW
advapi32.dll.SaferIdentifyLevel
advapi32.dll.SaferComputeTokenFromLevel
advapi32.dll.SaferCloseLevel

魔盾安全分析报告

0.0

正常的

文件详细信息

特征

运行截图

网络分析

静态分析

投放文件

\xb7\xc0\xd7\xb7\xb7\xe2\xc7\xe5\xc0\xed.bat

行为分析

进程

cmd.exe PID: 2756, 上一级进程 PID: 2332

cmd.exe PID: 2888, 上一级进程 PID: 2756