Rundll32 exe (Windows host process (Rundll32)) Microsoft Corporation 文件恶意软件分析

Rundll32.exe (Windows host process (Rundll32)) 文件分析

更新于 1 month ago

检查者 Malware Check

rundll32.exe

哈希类型	值	操作
MD5	ef3179d498793bf4234f708d3be28633
SHA1	dd399ae46303343f9f0da189aee11c67bd868222
SHA256	b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa
SHA512	02aff154762d7e53e37754f878ce6aa3f4df5a1eb167e27f13d9762dced32bec892bfa3f3314e3c6dce5998f7d3c400d7d0314b9326eedcab72207c60b3d332e
ImpHash	4db27267734d1576d75c991dc70f68ac

哈希类型

值

操作

MD5

ef3179d498793bf4234f708d3be28633

SHA1

dd399ae46303343f9f0da189aee11c67bd868222

SHA256

b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa

SHA512

02aff154762d7e53e37754f878ce6aa3f4df5a1eb167e27f13d9762dced32bec892bfa3f3314e3c6dce5998f7d3c400d7d0314b9326eedcab72207c60b3d332e

ImpHash

4db27267734d1576d75c991dc70f68ac

PE 分析

基本信息

▼

图标	哈希: a4fa0e5d3cd5cf96252a7b54ef1d2645 模糊: 8e44d3fab7c48012e90ed1686f656033 dHash: fcf4dcdcdcdcdcd4
映像基址	`0x140000000`
入口点	`0x140006890`
编译时间	2103-08-07 22:53:31
校验和	0x00018f8d (实际: 0x00018f8d)
操作系统版本	10.0
PEiD 签名	`PE32+ executable (GUI) x86-64, for MS Windows`
PDB 路径	`rundll32.pdb`
数字签名	No valid SignedData structure was found.
导入	34 库
导出	0 函数
资源	13 资源
节	7 节

版本信息

▼

CompanyName	Microsoft Corporation
FileDescription	Windows host process (Rundll32)
FileVersion	10.0.19041.746 (WinBuild.160101.0800)
InternalName	rundll
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	RUNDLL32.EXE
ProductName	Microsoft® Windows® Operating System
ProductVersion	10.0.19041.746
Translation	0x0409 0x04b0

PE 节

▼

名称	虚拟地址	虚拟大小	原始大小	熵	特征	MD5
`.text`	`0x00001000`	27,027 bytes	27,136 bytes	6.02 (正常)	`IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ`	`44A3DD17089173BCD8470CED01042A31`
`.rdata`	`0x00008000`	13,748 bytes	13,824 bytes	4.52 (正常)	`IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ`	`5B707BED7483693309BEE4574003EA36`
`.data`	`0x0000c000`	2,296 bytes	512 bytes	0.42 (正常)	`IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE`	`C60C12D87A407696E1257B5A85EF3BBF`
`.pdata`	`0x0000d000`	1,428 bytes	1,536 bytes	4.13 (正常)	`IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ`	`80E2503A2969A5DDE91DCEB391E5BE67`
`.didat`	`0x0000e000`	264 bytes	512 bytes	1.36 (正常)	`IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE`	`3929DC61D3FD9EA1CFE2B76ECB763F45`
`.rsrc`	`0x0000f000`	26,480 bytes	26,624 bytes	5.70 (正常)	`IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ`	`B681DDFA8ED431D935BF08D84E3C4F57`
`.reloc`	`0x00016000`	256 bytes	512 bytes	2.82 (正常)	`IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ`	`2EA14C6091A5444BD95E11E54C401F35`

资源分析

▼

资源总数: 13 (25,699 字节)

资源类型	数量	总大小	百分比
MUI	1	208 字节	0.8%
RT_ICON	8	23,424 字节	91.1%
RT_GROUP_ICON	1	118 字节	0.5%
RT_VERSION	1	936 字节	3.6%
RT_MANIFEST	2	1,013 字节	3.9%

证书链分析

▼

证书 Information

产品	Microsoft® Windows® Operating System
描述	Windows host process (Rundll32)
文件版本	10.0.19041.746 (WinBuild.160101.0800)
原始名称	RUNDLL32.EXE
内部名称	rundll
版权	© Microsoft Corporation. All rights reserved.

✓ 此文件已进行数字签名，证书链已验证。

签名确保文件的完整性和发布者的真实性。
时间戳证明签名的应用时间。

证书验证状态

No valid SignedData structure was found.

建议: 验证文件来源并确保它来自可信的发布者.

发表评论

文件名	rundll32.exe
文件类型	PE32+ executable (GUI) x86-64, for MS Windows
扫描器版本	1.0.230.174
数据库版本	2025-12-08 05:00:20 UTC

Rundll32.exe (Windows host process (Rundll32)) 文件分析

技术分析

干净文件

扫描另一个文件

文件识别