| 文件名 | taskhostw.exe |
| 文件类型 |
PE32+ executable (GUI) x86-64, for MS Windows
|
| 扫描器版本 | 1.0.211.174 |
| 数据库版本 | 2025-03-18 22:00:32 UTC |
恶意软件家族: CoinMiner
| 哈希类型 | 值 | 操作 |
|---|---|---|
| MD5 |
557fa65e3cee33dd71d1a87fc7383ec9
|
|
| SHA1 |
bd81b0e7d182f38042c68ef3939d6dfc959eba0f
|
|
| SHA256 |
8ff557591472698a4bae5391ace924a6aaef95c2a32f2ebcb204f888b852575d
|
|
| SHA512 |
c30f26358e0d9954601a1f99984ff62fdd87f69b13086246c722ee38d9dcbba9cac0b0eaf416ef3d491db8c2bbd5f367fbbfd2539ea7bedbea10fee166889ea2
|
|
| ImpHash |
1cd069a1d0a6220306935daaf0c539a1
|
| 图标 |
哈希: e7ed9972eff118728ba27b08097c6f66
模糊: 69ccbea4dbacd90b6f4eea4212a3791c dHash: b4b0385e5859b2b4 |
| 映像基址 | 0x140000000 |
| 入口点 | 0x141de8160 |
| 编译时间 | 2024-12-11 18:48:26 |
| 校验和 | 0x01af5dca (实际: 0x01af5dca) |
| 操作系统版本 | 5.2 |
| PEiD 签名 |
PE32+ executable (GUI) x86-64, for MS Windows
|
| 数字签名 | No valid SignedData structure was found. |
| 导入 | 18 库 |
| 导出 | 0 函数 |
| 资源 | 14 资源 |
| 节 | 12 节 |
| CompanyName | Realtek Semiconductor |
| FileDescription | Realtek HD Audio |
| FileVersion | 10.0.0.3 |
| InternalName | RtHDVBgProc.exe |
| LegalCopyright | 2017 (c) Realtek Semiconductor. All rights reserved. |
| OriginalFilename | taskhostw.exe |
| ProductName | Realtek HD Audio |
| ProductVersion | 10.0.0.3 |
| Translation | 0x0409 0x04e4 |
| 名称 | 虚拟地址 | 虚拟大小 | 原始大小 | 熵 | 特征 | MD5 |
|---|---|---|---|---|---|---|
|
0x00001000 |
733,992 bytes | 391,680 bytes | 7.98 (打包/加密) |
IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ
|
63822DBA022DBD769E0996A738A4E01C |
|
0x000b5000 |
213,508 bytes | 60,928 bytes | 7.95 (打包/加密) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ
|
6141FE3F052E715ACA734115C4A6A1B7 |
|
0x000ea000 |
37,152 bytes | 1,024 bytes | 7.51 (打包/加密) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE
|
48AAB85CC5A6D54D9FACA8C207A01A7F |
|
0x000f4000 |
28,488 bytes | 16,896 bytes | 7.66 (打包/加密) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ
|
AE3FD84C7ACF42FA4E67DF06AE5883E0 |
|
0x000fb000 |
22,159,360 bytes | 22,158,336 bytes | 8.00 (打包/加密) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ
|
1B79314D35C069F5A33FA6E12F8119BC |
|
0x0161d000 |
2,676 bytes | 2,048 bytes | 7.27 (压缩) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ
|
CD027850506445D3EFF06E6642E9A295 |
.idata |
0x0161e000 |
4,096 bytes | 1,536 bytes | 3.25 (正常) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE
|
A85178E4512B39EF8D5847E4E2A53053 |
.tls |
0x0161f000 |
4,096 bytes | 512 bytes | 0.28 (正常) |
IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE
|
5842F1B5731D15CD6CD978773A87D1AC |
.rsrc |
0x01620000 |
376,320 bytes | 376,320 bytes | 2.87 (正常) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ
|
A99887722C98176958CF9F7D400792FF |
.themida |
0x0167c000 |
7,782,400 bytes | 0 bytes | 0.00 (正常) |
IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE
|
D41D8CD98F00B204E9800998ECF8427E |
.boot |
0x01de8000 |
5,213,696 bytes | 5,213,696 bytes | 7.96 (打包/加密) |
IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ
|
9DCE57530655A21F287FAC7792E94FD4 |
.reloc |
0x022e1000 |
4,096 bytes | 16 bytes | 2.73 (正常) |
IMAGE_SCN_MEM_READ
|
BE8ECC38D1A4875319590210B287AAC9 |
6 检测到高熵(≥7.5)的节 - 可能存在打包/加密
1 检测到较高熵(≥6.5)的节 - 可能存在压缩
| 资源类型 | 数量 | 总大小 | 百分比 |
|---|---|---|---|
| RT_ICON | 10 | 371,728 字节 | |
| RT_STRING | 1 | 1,428 字节 | |
| RT_GROUP_ICON | 1 | 146 字节 | |
| RT_VERSION | 1 | 824 字节 | |
| RT_MANIFEST | 1 | 1,007 字节 |
此文件未进行数字签名。
⚠ 此文件缺少数字签名或证书链无法验证。
执行来自未知来源的未签名文件时请谨慎。
No valid SignedData structure was found.
建议: 验证文件来源并确保它来自可信的发布者.
按照以下步骤完全从系统中移除威胁
