Analysis Task

Analysis type | VM label | Start time | End time | Duration
File (Windows) | win7-sp1-x64-shaapp02-1 | 2024-03-27 14:33:31 | 2024-03-27 14:35:49 | 138 seconds

Maldun Score

1.4

Normal

File Details

File name YOMIPAPAmonitor.exe
File size 92160 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 25a6fdda5e3f0c7ca91be1090997d9cc
SHA1 19e0dd4f8e6b631ad4a223d767be726b0284f21f
SHA256 d7b14a634313a0aacbc543c68538da9762902314be1bfecc2070c9214b03ea25
SHA512 7625c8a252880b3ee32f9230e85a868655053b7269afddeb6881b44ca9d73d599b415eca42e17d2222e71866f93850f0084b024d4fceeaea1840a679d1e01fd9
CRC32 9E9B897D
Ssdeep 1536:7QxhttG9OcKGZDujOW87DW0YeFQTO2hQu62MxqtwoFdouEvmXnYXG1sWsbcdaZZB:7QxhG9OXGZD0OW8hQTO2hQu7MxUw1uE9

Hosts Accessed

No host records.

Domain Resolution

No domain information.


PE Information

Image base 0x00400000
Entry point 0x00401f04
Declared checksum 0x00000000
Actual checksum 0x00024e20
Minimum OS version required 6.0
PDB path E:\work\PCworks\donglemonitor\Release\YOMIPAPAmonitor.pdb
Compile time 2020-12-30 15:35:21
Import hash 79c9f037f5da57435230c2fa35020e73

Version Information

LegalCopyright
InternalName
FileVersion
SpecialBuild
PrivateBuild
Comments
ProductName
ProductVersion
FileDescription
OriginalFilename
Translation

PE Sections

Name | Virtual address | Virtual size | Raw data size | Characteristics | Entropy
.text 0x00001000 0x0000c18f 0x0000c200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.62
.rdata 0x0000e000 0x00006256 0x00006400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.88
.data 0x00015000 0x00001dc8 0x00000a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 1.81
.rsrc 0x00017000 0x00002208 0x00002400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.34
.reloc 0x0001a000 0x00000ecc 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 6.34

Imports

Library: KERNEL32.dll:
0x40e010 Module32FirstW
0x40e014 CreateFileW
0x40e018 Sleep
0x40e020 CreateMutexW
0x40e024 GetLastError
0x40e028 GetLongPathNameW
0x40e02c Process32NextW
0x40e030 FindClose
0x40e034 CopyFileW
0x40e038 OutputDebugStringW
0x40e03c CreateProcessW
0x40e040 GetFileAttributesW
0x40e044 CreateDirectoryW
0x40e048 WriteConsoleW
0x40e04c FindFirstFileW
0x40e050 CloseHandle
0x40e054 SetFilePointerEx
0x40e058 Process32FirstW
0x40e05c GetConsoleMode
0x40e060 GetConsoleOutputCP
0x40e064 FlushFileBuffers
0x40e068 HeapReAlloc
0x40e06c HeapSize
0x40e070 GetProcessHeap
0x40e074 LCMapStringW
0x40e078 GetStringTypeW
0x40e07c GetFileType
0x40e080 SetStdHandle
0x40e08c WideCharToMultiByte
0x40e094 MultiByteToWideChar
0x40e098 GetCommandLineW
0x40e09c GetCommandLineA
0x40e0a0 GetCPInfo
0x40e0a4 GetOEMCP
0x40e0a8 GetACP
0x40e0b4 GetCurrentProcess
0x40e0b8 TerminateProcess
0x40e0c4 GetCurrentProcessId
0x40e0c8 GetCurrentThreadId
0x40e0d0 InitializeSListHead
0x40e0d4 IsDebuggerPresent
0x40e0d8 GetStartupInfoW
0x40e0dc GetModuleHandleW
0x40e0e0 RtlUnwind
0x40e0e4 SetLastError
0x40e0f8 TlsAlloc
0x40e0fc TlsGetValue
0x40e100 TlsSetValue
0x40e104 TlsFree
0x40e108 FreeLibrary
0x40e10c GetProcAddress
0x40e110 LoadLibraryExW
0x40e114 RaiseException
0x40e118 GetStdHandle
0x40e11c WriteFile
0x40e120 GetModuleFileNameW
0x40e124 ExitProcess
0x40e128 GetModuleHandleExW
0x40e12c HeapAlloc
0x40e130 HeapFree
0x40e134 FindFirstFileExW
0x40e138 FindNextFileW
0x40e13c IsValidCodePage
0x40e140 DecodePointer
Library: HID.DLL:
0x40e008 HidD_GetAttributes
Library: SETUPAPI.dll:
Library: USER32.dll:
0x40e168 BeginPaint
0x40e16c DefWindowProcW
0x40e170 DestroyWindow
0x40e174 DialogBoxParamW
0x40e17c EndPaint
0x40e180 RegisterClassExW
0x40e184 PostQuitMessage
0x40e188 LoadIconW
0x40e190 DispatchMessageW
0x40e194 TranslateMessage
0x40e19c GetMessageW
0x40e1a0 LoadAcceleratorsW
0x40e1a4 LoadStringW
0x40e1a8 PostMessageW
0x40e1ac EndDialog
0x40e1b0 LoadCursorW
0x40e1b4 CreateWindowExW
Library: ADVAPI32.dll:
0x40e000 GetUserNameW
Library: SHELL32.dll:
Library: WTSAPI32.dll:

No antivirus engine scan information!

Process Tree

YOMIPAPAmonitor.exe, PID: 2604, parent PID: 2276

TCP

Source address | Source port | Destination address | Destination port
192.168.122.201 | 49157 | 23.206.229.110 | 80

UDP

Source address | Source port | Destination address | Destination port
192.168.122.201 | 63246 | 192.168.122.1 | 53

HTTP Requests

URI | HTTP data
URL: http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

SMTP Traffic

No SMTP traffic.

IRC Traffic

No IRC requests.

ICMP Traffic

No ICMP traffic.

CIF Report

No CIF results

Network Alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No network-extracted files found.
Sorry! No files were dropped.
No similar analyses found.

Processing ( 16.376 seconds )

  • 11.254 Suricata
  • 3.663 NetworkAnalysis
  • 0.851 Static
  • 0.286 TargetInfo
  • 0.282 peid
  • 0.02 BehaviorAnalysis
  • 0.01 AnalysisInfo
  • 0.008 Strings
  • 0.002 Memory

Signatures ( 1.635 seconds )

  • 1.539 proprietary_url_bl
  • 0.012 antiav_detectreg
  • 0.008 proprietary_domain_bl
  • 0.006 anomaly_persistence_autorun
  • 0.006 antiav_detectfile
  • 0.006 infostealer_ftp
  • 0.004 geodo_banking_trojan
  • 0.004 infostealer_bitcoin
  • 0.004 infostealer_im
  • 0.004 network_http
  • 0.004 ransomware_extensions
  • 0.004 ransomware_files
  • 0.003 tinba_behavior
  • 0.003 rat_nanocore
  • 0.003 disables_browser_warn
  • 0.002 antianalysis_detectreg
  • 0.002 antivm_vbox_files
  • 0.002 browser_security
  • 0.002 modify_proxy
  • 0.002 infostealer_mail
  • 0.001 network_tor
  • 0.001 api_spamming
  • 0.001 betabot_behavior
  • 0.001 ursnif_behavior
  • 0.001 shifu_behavior
  • 0.001 cerber_behavior
  • 0.001 antivm_parallels_keys
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 proprietary_malicious_drop_executable_file_to_temp_folder
  • 0.001 proprietary_bad_drop
  • 0.001 network_cnc_http
  • 0.001 stealth_modify_uac_prompt

Reporting ( 0.849 seconds )

  • 0.843 ReportHTMLSummary
  • 0.006 Malheur
Task ID 743109
Mongo ID 6603beb8dc327bb8998be747
Cuckoo release 1.4-Maldun