魔盾安全分析报告

分析类型 开始时间 结束时间 持续时间 分析引擎版本
FILE 2018-05-22 10:38:37 2018-05-22 10:40:56 139 秒 1.4-Maldun
虚拟机机器名 标签 虚拟机管理 开机时间 关机时间
win7-sp1-x64-shaapp01-1 win7-sp1-x64-shaapp01-1 KVM 2018-05-22 10:38:37 2018-05-22 10:40:54
魔盾分数

0.0

正常的

文件详细信息

文件名 xin.bat
文件大小 231 字节
文件类型 ISO-8859 text, with CRLF line terminators
CRC32 2782AF56
MD5 3e73503183cca8d372e6ca9b14165e23
SHA1 6272504b84f8e8d72b2ba1df42164dab2f5455a2
SHA256 0dfc8b74f437b8a07af68ff0398bfc968b62f4cf790b585826007fa86c6f2329
SHA512 e9ea96e5649f57f0291e7293afe561a7bb3b9ccae52a6f6a40207154f43454fb2420ccc263c242c12657e7fae65a5891c128ea9a32079da829f3e831e46656a8
Ssdeep 3:Q6AEK3PEUVmTaC943pk3+FW5+fqAEK3PEUVmTaC943pk38FicdqyQAAEK3PEUVmj:QtMUVbddMUVb3UzMUVbdJEXdZ
PEiD 无匹配
Yara
  • without_urls (Rule to detect the no presence of any url)
  • without_attachments (Rule to detect the no presence of any attachment)
  • without_images (Rule to detect the no presence of any image)
VirusTotal 无此文件扫描结果

特征

无特征匹配

运行截图

网络分析

无信息

静态分析

无信息

投放文件

无信息

行为分析

互斥量(Mutexes) 无信息
执行的命令 无信息
创建的服务 无信息
启动的服务 无信息

进程

cmd.exe PID: 1808, 上一级进程 PID: 1872

cmd.exe PID: 1920, 上一级进程 PID: 1808

访问的文件
  • C:\Users\test\AppData\Local\Temp
  • C:\Users
  • C:\Users\test
  • C:\Users\test\AppData
  • C:\Users\test\AppData\Local
  • C:\
  • C:\Users\test\AppData\Local\Temp\xin.bat
  • C:\Users\test\AppData\Local\Temp\*.rar
  • C:\Users\test\AppData\Local\Temp\*.zip
  • C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
读取的文件
  • C:\Users\test\AppData\Local\Temp\xin.bat
  • C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
修改的文件 无信息
删除的文件 无信息
注册表键
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
读取的注册表键
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
修改的注册表键 无信息
删除的注册表键 无信息
API解析
  • kernel32.dll.SetThreadUILanguage
  • kernel32.dll.CopyFileExW
  • kernel32.dll.IsDebuggerPresent
  • kernel32.dll.SetConsoleInputExeNameW
  • advapi32.dll.SaferIdentifyLevel
  • advapi32.dll.SaferComputeTokenFromLevel
  • advapi32.dll.SaferCloseLevel