Analysis task

Analysis type VM tag Start time End time Duration
File (Windows) win7-sp1-x64 2016-09-18 09:24:37 2016-09-18 09:27:19 162 seconds

Maldun score

6.3

Dangerous

File details

File name RsStub.exe
File size 64152 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 7a762be1d46bb1ed07eacec047cbd1cc
SHA1 46494455d908d2fecd26d12d60b48510c8915431
SHA256 6bf8b140a8e451227050acd5a2b586ad1b2e4da27c32ae1bb9fb64e2b58d8b29
SHA512 0f8f55843747220fa0b69e3b4417bb87c5149b5bff4f4a4ee867e26c5e6a5bc59c4d396515bf0a564967304f94e8d32b8c0e999951ff02313d0a763d58950c98
CRC32 5CCCF159
Ssdeep 768:tc//Ngv1p9qpBAdp6Uix+LrGY6NfOGIo49kt93l9flLWMmVbCzV:tIuzUHep6n+Lrrnmpl9flaD9CzV

Hosts contacted

Direct IP Security rating Geolocation
93.46.8.89 Italy
58.211.137.192 China
23.44.155.27 United States
198.41.215.185 United States
122.224.10.192 China
117.18.237.29 Asia-Pacific region
115.239.211.84 China

DNS resolution

Domain Security rating Response
www.download.windowsupdate.com A 122.224.10.248
CNAME fg.download.windowsupdate.com.mwcname.com
CNAME ipv6microsoft.dlmix.ourdvs.com
A 122.228.22.170
A 122.228.237.174
A 115.231.30.15
A 183.131.192.12
CNAME 2-01-3cf7-0009.cdx.cedexis.net
A 183.131.192.80
A 122.224.10.192
A 183.134.24.22
A 183.131.82.19
A 122.228.22.103
A 115.231.82.104
A 115.231.158.27
A 183.131.168.139
ocsp.verisign.com CNAME ocsp-ds.ws.symantec.com.edgekey.net
CNAME e8218.dscb1.akamaiedge.net
A 23.44.155.27
ss.symcd.com
ocsp.msocsp.com A 198.41.214.185
CNAME hostedocsp.globalsign.com
A 198.41.214.186
A 198.41.214.187
A 198.41.215.183
A 198.41.215.182
A 198.41.215.185
A 198.41.214.183
A 198.41.215.184
A 198.41.215.186
A 198.41.214.184
sd.symcd.com
ocsp2.globalsign.com CNAME cdn.globalsigncdn.com
A 58.211.137.192
ocsp.digicert.com CNAME cs9.wac.phicdn.net
A 117.18.237.29
ocsp.globalsign.com
s.symcd.com
ocsp.omniroot.com A 93.46.8.89
CNAME wac.BFDD.edgecastcdn.net

PE information

Image base 0x00400000
Entry point 0x004041fe
Declared checksum 0x00011ba2
Actual checksum 0x00011ba2
Minimum OS version required 4.0
PDB path C:\DistributedAutoLink\Temp\CompileOutputDir\RsStub.pdb
Compile time 2011-09-02 14:18:26

Version info

LegalCopyright
InternalName
FileVersion
CompanyName
SpecialBuild
ProductName
ProductVersion
FileDescription
OriginalFilename
Translation

Microsoft certificate verification (Sign Tool)

SHA1 Timestamp Validity Error
9ea91ff396efb9980541c8648fc5e267d92d5018 Fri Sep 02 14:36:09 2011
Certificate chain Certificate Chain 1
Issued to Class 3 Public Primary Certification Authority
Issuer Class 3 Public Primary Certification Authority
Valid until Wed Aug 02 07:59:59 2028
SHA1 hash 742c3192e607e424eb4549542be1bbc53e6174e2
Certificate chain Certificate Chain 2
Issued to VeriSign Class 3 Code Signing 2009-2 CA
Issuer Class 3 Public Primary Certification Authority
Valid until Tue May 21 07:59:59 2019
SHA1 hash 12d4872bc3ef019e7e0b6f132480ae29db5b1ca3
Certificate chain Certificate Chain 3
Issued to Beijing Rising Information Technology Corporation Limited
Issuer VeriSign Class 3 Code Signing 2009-2 CA
Valid until Mon Jul 23 07:59:59 2012
SHA1 hash 08c44bdde3e6563f92032d65e95bac0844c742e8
Certificate chain Timestamp Chain 1
Issued to Thawte Timestamping CA
Issuer Thawte Timestamping CA
Valid until Fri Jan 01 07:59:59 2021
SHA1 hash be36a4562fb2ee05dbb3d32323adf445084ed656
Certificate chain Timestamp Chain 2
Issued to VeriSign Time Stamping Services CA
Issuer Thawte Timestamping CA
Valid until Wed Dec 04 07:59:59 2013
SHA1 hash f46ac0c6efbb8c6a14f55f09e2d37df4c0de012d
Certificate chain Timestamp Chain 3
Issued to VeriSign Time Stamping Services Signer - G2
Issuer VeriSign Time Stamping Services CA
Valid until Fri Jun 15 07:59:59 2012
SHA1 hash ada8aaa643ff7dc38dd40fa4c97ad559ff4846de

PE sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x000088ff 0x00009000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.45
.rdata 0x0000a000 0x00001b7c 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.60
.data 0x0000c000 0x00001dc4 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 1.22
.rsrc 0x0000e000 0x000004b0 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 1.24

Overlay

Offset 0x0000e000
Size 0x00001a98

Resources

Name Offset Size Language Sublanguage Entropy File type
RT_VERSION 0x0000e060 0x0000044c LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.47 data

Imports

Library: KERNEL32.dll:
0x40a034 GetLastError
0x40a038 OpenEventA
0x40a03c CreateThread
0x40a040 InterlockedExchange
0x40a044 GetACP
0x40a048 GetLocaleInfoA
0x40a04c GetThreadLocale
0x40a050 SizeofResource
0x40a054 LockResource
0x40a058 LoadResource
0x40a05c FindResourceA
0x40a060 FindResourceExA
0x40a064 WideCharToMultiByte
0x40a068 CreateProcessA
0x40a070 GetModuleFileNameA
0x40a074 GetCommandLineA
0x40a078 MultiByteToWideChar
0x40a07c RaiseException
0x40a080 WaitForSingleObject
0x40a088 SetStdHandle
0x40a08c SetFilePointer
0x40a090 GetStringTypeW
0x40a094 GetStringTypeA
0x40a098 IsBadCodePtr
0x40a09c lstrcpyA
0x40a0a0 lstrlenA
0x40a0a4 LoadLibraryA
0x40a0a8 GetProcAddress
0x40a0ac GetVersionExA
0x40a0b0 FreeLibrary
0x40a0b8 lstrcatA
0x40a0bc GetTickCount
0x40a0c0 Sleep
0x40a0c4 GetCurrentProcess
0x40a0c8 CloseHandle
0x40a0d0 HeapDestroy
0x40a0d4 HeapAlloc
0x40a0d8 HeapFree
0x40a0dc HeapReAlloc
0x40a0e0 HeapSize
0x40a0e4 GetProcessHeap
0x40a0f0 ExitProcess
0x40a0f4 RtlUnwind
0x40a0f8 VirtualProtect
0x40a0fc VirtualAlloc
0x40a100 GetSystemInfo
0x40a104 VirtualQuery
0x40a108 GetModuleHandleA
0x40a10c GetStartupInfoA
0x40a114 GetCurrentThreadId
0x40a118 GetCurrentProcessId
0x40a120 GetOEMCP
0x40a124 GetCPInfo
0x40a128 LCMapStringA
0x40a12c LCMapStringW
0x40a134 HeapCreate
0x40a138 VirtualFree
0x40a13c IsBadWritePtr
0x40a140 TerminateProcess
0x40a144 WriteFile
0x40a148 GetStdHandle
0x40a160 SetHandleCount
0x40a164 GetFileType
0x40a168 IsBadReadPtr
0x40a16c FlushFileBuffers
Library: ADVAPI32.dll:
0x40a000 CloseServiceHandle
0x40a004 CreateServiceA
0x40a00c RegOpenKeyExA
0x40a010 RegQueryValueExA
0x40a014 RegCloseKey
0x40a018 OpenSCManagerA
0x40a01c OpenServiceA
0x40a020 QueryServiceStatus
0x40a024 StartServiceA
0x40a028 OpenProcessToken
0x40a02c GetTokenInformation

Strings

.text
`.rdata
@.data
.rsrc
VPQUj
L$\QWj
SVWUj
u,hn~@
RsMgrSvc
\Program Files
ProgramFilesDir
Software\Microsoft\Windows\CurrentVersion
ChangeServiceConfig2A
Advapi32.dll
Rsd Service
COM Infrastructure
RpcSs
\Rising\RSD\RsMgrSvc.exe"
YYYIYOUDAO
comx3.dll
RS_ShutDown
RS_FreeCallCenter
RS_AllocateCallCenter
RS_UninitializeCallCenter
RS_InitializeCallCenter
ShellReadyEvent
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%s\RsMgrSvc.ini
/rsstub
/shellrun
Delete
NoRemove
ForceRemove
Microsoft Visual C++ Runtime Library
Program:
<program name unknown>
Buffer overrun detected!
Unknown security failure detected!
`h````
(null)
CorExitProcess
mscoree.dll
runtime error
Program:
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
C:\DistributedAutoLink\Temp\CompileOutputDir\RsStub.pdb
GetVersionExA
CloseHandle
GetCurrentProcess
Sleep
GetTickCount
lstrcatA
GetWindowsDirectoryA
FreeLibrary
GetProcAddress
LoadLibraryA
lstrlenA
lstrcpyA
WaitForSingleObject
GetLastError
OpenEventA
CreateThread
InterlockedExchange
GetACP
GetLocaleInfoA
GetThreadLocale
SizeofResource
LockResource
LoadResource
FindResourceA
FindResourceExA
WideCharToMultiByte
CreateProcessA
GetPrivateProfileSectionA
GetModuleFileNameA
GetCommandLineA
MultiByteToWideChar
RaiseException
InitializeCriticalSection
DeleteCriticalSection
KERNEL32.dll
USER32.dll
GetTokenInformation
OpenProcessToken
StartServiceA
QueryServiceStatus
CloseServiceHandle
OpenServiceA
OpenSCManagerA
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
ChangeServiceConfigA
CreateServiceA
ADVAPI32.dll
HeapDestroy
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
GetProcessHeap
EnterCriticalSection
LeaveCriticalSection
ExitProcess
RtlUnwind
VirtualProtect
VirtualAlloc
GetSystemInfo
VirtualQuery
GetModuleHandleA
GetStartupInfoA
QueryPerformanceCounter
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
GetOEMCP
GetCPInfo
LCMapStringA
LCMapStringW
SetUnhandledExceptionFilter
HeapCreate
VirtualFree
IsBadWritePtr
TerminateProcess
WriteFile
GetStdHandle
UnhandledExceptionFilter
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
IsBadReadPtr
IsBadCodePtr
GetStringTypeA
GetStringTypeW
SetFilePointer
SetStdHandle
FlushFileBuffers
.?AVCAtlException@ATL@@
.?AVtype_info@@
(null)
VS_VERSION_INFO
StringFileInfo
080404b0
CompanyName
Beijing Rising Information Technology Co., Ltd.
FileDescription
RsStub Application
FileVersion
1.0.0.9
InternalName
Beijing Rising Information Technology Co., Ltd.
LegalCopyright
Copyright(C) 2010-2011 Beijing Rising Information Technology Co., Ltd. All Rights Reserved.
OriginalFilename
RsStub.exe
ProductName
Rising Software Distribute System
ProductVersion
SpecialBuild
505698953750000
VarFileInfo
Translation

Antivirus scan

Antivirus engine/vendor Virus name/rule match Signature database date
Bkav No virus found 20160827
MicroWorld-eScan No virus found 20160827
nProtect No virus found 20160827
CMC No virus found 20160824
CAT-QuickHeal No virus found 20160826
ALYac No virus found 20160827
Malwarebytes No virus found 20160827
Zillya No virus found 20160826
K7AntiVirus No virus found 20160827
BitDefender No virus found 20160827
K7GW No virus found 20160827
TheHacker No virus found 20160826
TrendMicro No virus found 20160827
Baidu No virus found 20160827
F-Prot No virus found 20160827
Symantec No virus found 20160827
TotalDefense No virus found 20160827
TrendMicro-HouseCall No virus found 20160827
Avast No virus found 20160827
ClamAV No virus found 20160827
Kaspersky No virus found 20160827
Alibaba No virus found 20160826
NANO-Antivirus No virus found 20160827
ViRobot No virus found 20160827
AegisLab No virus found 20160827
Rising No virus found 20160827
Ad-Aware No virus found 20160827
Emsisoft No virus found 20160827
Comodo No virus found 20160827
F-Secure No virus found 20160827
DrWeb No virus found 20160827
VIPRE No virus found 20160827
Invincea No virus found 20160826
McAfee-GW-Edition No virus found 20160827
Sophos No virus found 20160827
Cyren No virus found 20160827
Jiangmin No virus found 20160827
Avira No virus found 20160827
Antiy-AVL No virus found 20160827
Kingsoft No virus found 20160827
Microsoft No virus found 20160827
Arcabit No virus found 20160827
SUPERAntiSpyware No virus found 20160826
GData No virus found 20160827
AhnLab-V3 No virus found 20160826
McAfee No virus found 20160827
AVware No virus found 20160827
VBA32 No virus found 20160826
Zoner No virus found 20160827
ESET-NOD32 No virus found 20160827
Tencent No virus found 20160827
Yandex No virus found 20160826
Ikarus No virus found 20160827
Fortinet No virus found 20160827
AVG No virus found 20160827
Panda No virus found 20160827
CrowdStrike No virus found 20160827
Qihoo-360 No virus found 20160827

Process tree

RsStub.exe, PID: 2932, parent PID: 2464
services.exe, PID: 452, parent PID: 356

TCP

Source address Source port Destination address Destination port
192.168.122.69 59229 117.18.237.29 ocsp.digicert.com 80
192.168.122.69 59232 117.18.237.29 ocsp.digicert.com 80
192.168.122.69 59209 122.224.10.192 www.download.windowsupdate.com 80
192.168.122.69 59222 178.255.83.1 80
192.168.122.69 59224 178.255.83.1 80
192.168.122.69 59226 178.255.83.1 80
192.168.122.69 59208 192.168.122.1 53
192.168.122.69 59223 198.41.215.185 ocsp.msocsp.com 80
192.168.122.69 59210 23.44.155.27 ocsp.verisign.com 80
192.168.122.69 59221 23.44.155.27 ocsp.verisign.com 80
192.168.122.69 59225 23.44.155.27 ocsp.verisign.com 80
192.168.122.69 59227 23.44.155.27 ocsp.verisign.com 80
192.168.122.69 59231 23.44.155.27 ocsp.verisign.com 80
192.168.122.69 53441 23.50.224.8 80
192.168.122.69 59228 58.211.137.192 ocsp2.globalsign.com 80
192.168.122.69 59230 58.211.137.192 ocsp2.globalsign.com 80

UDP

Source address Source port Destination address Destination port
192.168.122.69 50115 192.168.122.1 53
192.168.122.69 50607 192.168.122.1 53
192.168.122.69 52431 192.168.122.1 53
192.168.122.69 52625 192.168.122.1 53
192.168.122.69 52766 192.168.122.1 53
192.168.122.69 52907 192.168.122.1 53
192.168.122.69 53214 192.168.122.1 53
192.168.122.69 54501 192.168.122.1 53
192.168.122.69 56011 192.168.122.1 53
192.168.122.69 57829 192.168.122.1 53
192.168.122.69 57905 192.168.122.1 53
192.168.122.69 58396 192.168.122.1 53
192.168.122.69 58549 192.168.122.1 53
192.168.122.69 59029 192.168.122.1 53
192.168.122.69 62771 192.168.122.1 53
192.168.122.69 62911 192.168.122.1 53
192.168.122.69 63333 192.168.122.1 53
192.168.122.69 5355 192.168.122.70 54531
192.168.122.69 5355 192.168.122.70 60614
192.168.122.69 5355 192.168.122.70 61735

HTTP requests

URI HTTP data
URL -> http://www.msftncsi.com/ncsi.txt
GET /ncsi.txt HTTP/1.1
Connection: Close
User-Agent: Microsoft NCSI
Host: www.msftncsi.com

URL -> http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86402
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 14 Jan 2016 00:22:10 GMT
If-None-Match: "0e59c9b614ed11:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

URL -> http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X%2B%2BhEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X%2B%2BhEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com

URL -> http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE%2FlB8ILcQ1m6ShHvICEEhNCdUPKZdCUnK3l6oopVc%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE%2FlB8ILcQ1m6ShHvICEEhNCdUPKZdCUnK3l6oopVc%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com

URL -> http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE%2FlB8ILcQ1m6ShHvICEEhNCdUPKZdCUnK3l6oopVc%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE%2FlB8ILcQ1m6ShHvICEEhNCdUPKZdCUnK3l6oopVc%3D HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com

URL -> http://ss.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV%2Bc%2FAZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEFYsTGl7at%2BFjHRU%2BpXehLM%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTRsWSLjJ8N0Wujis0rUBfV%2Bc%2FAZAQUX2DPYZBV34RDFIpgKrL1evRDGO8CEFYsTGl7at%2BFjHRU%2BpXehLM%3D HTTP/1.1
Cache-Control: max-age = 386960
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 21 Jan 2016 20:44:27 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: ss.symcd.com

URL -> http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D HTTP/1.1
Cache-Control: max-age = 311241
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 23 Jan 2016 23:57:39 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.usertrust.com

URL -> http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAN43VPPQBXGCMiwAAQAA3jc%3D
GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBQmECJms4f7i5EbxtN7NbzQCBwAdAQUUa8kJpz0aCJXgCYrO0ZiFXsezKUCE1oAAN43VPPQBXGCMiwAAQAA3jc%3D HTTP/1.1
Cache-Control: max-age = 10800
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 24 Jan 2016 06:30:15 GMT
If-None-Match: "77a3ed05d7337d023a726d1efae9caf1857cedc9"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.msocsp.com

URL -> http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D HTTP/1.1
Cache-Control: max-age = 311240
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 23 Jan 2016 23:57:39 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.comodoca.com

URL -> http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X%2B%2BhEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECECUM6OAwYS6fK4n3BU18%2BP0%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X%2B%2BhEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECECUM6OAwYS6fK4n3BU18%2BP0%3D HTTP/1.1
Cache-Control: max-age = 603676
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 24 Jan 2016 08:43:57 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com

URL -> http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQLqIKj6Gi5thHaqKC1ECU9aXsCRQQUmvMr2s%2BtT7YvuypISCoStxtCwSQCEQD0gtB5WgsdpjrFZePtaJt6
GET /MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQLqIKj6Gi5thHaqKC1ECU9aXsCRQQUmvMr2s%2BtT7YvuypISCoStxtCwSQCEQD0gtB5WgsdpjrFZePtaJt6 HTTP/1.1
Cache-Control: max-age = 334227
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 24 Jan 2016 06:20:47 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.comodoca.com

URL -> http://sd.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQMgSk4dLKWKRB%2B2DViUmQEUw3ggwQUDURcFlNEwYJ%2BHSCrJfQBY9i%2BeaUCEFzeRE%2FrSZRDaFn%2BzErlAWw%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQMgSk4dLKWKRB%2B2DViUmQEUw3ggwQUDURcFlNEwYJ%2BHSCrJfQBY9i%2BeaUCEFzeRE%2FrSZRDaFn%2BzErlAWw%3D HTTP/1.1
Cache-Control: max-age = 533948
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 23 Jan 2016 13:34:51 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: sd.symcd.com

URL -> http://ocsp2.globalsign.com/gsorganizationvalg2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBReGXQV%2FtqUV3SNMRE%2Bs25eR%2FvhjwQUXUayjcRLdBy77fVztjq3OI91nn4CEhEhyNkSBZL0u2zY4jc9udsWFw%3D%3D
GET /gsorganizationvalg2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBReGXQV%2FtqUV3SNMRE%2Bs25eR%2FvhjwQUXUayjcRLdBy77fVztjq3OI91nn4CEhEhyNkSBZL0u2zY4jc9udsWFw%3D%3D HTTP/1.1
Cache-Control: max-age = 180
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 24 Jan 2016 08:12:59 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com

URL -> http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJ9L2KGL92BpjF3kAtaDtxauTmhgQUPdNQpdagre7zSmAKZdMh1Pj41g8CEAIwaX55BLru0bCAsau57vM%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJ9L2KGL92BpjF3kAtaDtxauTmhgQUPdNQpdagre7zSmAKZdMh1Pj41g8CEAIwaX55BLru0bCAsau57vM%3D HTTP/1.1
Cache-Control: max-age = 513914
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 24 Jan 2016 04:05:14 GMT
If-None-Match: "56a44d7a-1d7"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com

URL -> http://ocsp.globalsign.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCCwQAAAAAAS9O4UUM
GET /rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCCwQAAAAAAS9O4UUM HTTP/1.1
Cache-Control: max-age = 10800
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 24 Jan 2016 06:40:24 GMT
If-None-Match: "1be626cf99d21b40b0ac46e272f28ef043bd829a"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.globalsign.com

URL -> http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D HTTP/1.1
Cache-Control: max-age = 500863
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 23 Jan 2016 22:46:14 GMT
If-None-Match: "56a402b6-1d7"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com

URL -> http://sd.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQMgSk4dLKWKRB%2B2DViUmQEUw3ggwQUDURcFlNEwYJ%2BHSCrJfQBY9i%2BeaUCEFulHELau99g31whfW%2B6uJI%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQMgSk4dLKWKRB%2B2DViUmQEUw3ggwQUDURcFlNEwYJ%2BHSCrJfQBY9i%2BeaUCEFulHELau99g31whfW%2B6uJI%3D HTTP/1.1
Cache-Control: max-age = 582766
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 24 Jan 2016 03:09:24 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: sd.symcd.com

URL -> http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEBkaMst1nJe4z6wRjdUSf0k%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEBkaMst1nJe4z6wRjdUSf0k%3D HTTP/1.1
Cache-Control: max-age = 584283
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 24 Jan 2016 03:35:04 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: s.symcd.com

URL -> http://ocsp2.globalsign.com/gsorganizationvalsha2g2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCEhEhGuAGlWtDRHAtLRzCaILaCA%3D%3D
GET /gsorganizationvalsha2g2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCEhEhGuAGlWtDRHAtLRzCaILaCA%3D%3D HTTP/1.1
Cache-Control: max-age = 180
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 24 Jan 2016 03:25:57 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com

URL -> http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAnmWtgHuEl7B0nUFWjWJtA%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAnmWtgHuEl7B0nUFWjWJtA%3D HTTP/1.1
Cache-Control: max-age = 510937
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 24 Jan 2016 01:36:05 GMT
If-None-Match: "56a42a85-1d7"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results

Network alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No files extracted from network traffic
Sorry! No files were dropped.
No similar analyses found.

Processing ( 37.383 seconds )

  • 35.349 NetworkAnalysis
  • 1.092 VirusTotal
  • 0.335 Static
  • 0.235 peid
  • 0.186 TargetInfo
  • 0.126 BehaviorAnalysis
  • 0.024 AnalysisInfo
  • 0.013 Strings
  • 0.009 config_decoder
  • 0.008 Debug
  • 0.003 Dropped
  • 0.002 Memory
  • 0.001 ProcessMemory

Signatures ( 0.089 seconds )

  • 0.014 antiav_detectreg
  • 0.009 md_domain_bl
  • 0.006 infostealer_ftp
  • 0.005 persistence_autorun
  • 0.005 antiav_detectfile
  • 0.005 geodo_banking_trojan
  • 0.004 infostealer_im
  • 0.004 ransomware_files
  • 0.003 stealth_timeout
  • 0.003 antianalysis_detectreg
  • 0.003 infostealer_bitcoin
  • 0.003 infostealer_mail
  • 0.003 network_torgateway
  • 0.002 tinba_behavior
  • 0.002 antivm_vbox_files
  • 0.002 disables_browser_warn
  • 0.002 network_http
  • 0.001 bootkit
  • 0.001 reads_self
  • 0.001 betabot_behavior
  • 0.001 mimics_filetime
  • 0.001 stealth_file
  • 0.001 shifu_behavior
  • 0.001 antivm_generic_disk
  • 0.001 virus
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 modify_proxy
  • 0.001 browser_security
  • 0.001 md_url_bl

Reporting ( 1.544 seconds )

  • 0.899 ReportPDF
  • 0.634 ReportHTMLSummary
  • 0.011 Malheur
Task ID 18280
Mongo ID 57dded9e4d3bd03918149c2b
Cuckoo release 1.4-Maldun