Analysis Task

Analysis type VM label Start time End time Duration
File (Windows) win7-sp1-x64-1 2016-09-18 09:46:02 2016-09-18 09:46:45 43 seconds

Maldun Score

2.0

Normal

File Details

Filename popwndexe.exe
File size 126656 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 170167e76178b0c22dde4d7bea0717dd
SHA1 92356827c46448ffff6509d933fe7c67333c2c5d
SHA256 7a613313a4eb6ccab6156c6c16d59e519c67db28bda2067fc3c1e90059be1171
SHA512 522703f7485e8d623cbe5393695ab18f71c7cf12b02b3227dede19d89cc1861a278095df792c06643d567769742c62ecb319a04f7b6562ff0df0ddb595e258d7
CRC32 44A716B9
Ssdeep 1536:5T33u1VPMRHs/2RRbL9gg8fkUndG20wqlXdvn3on:5r3cIztLF8L0blX93


Screenshots


Hosts Contacted

Direct IP Security rating Geolocation
58.211.137.192 China
23.44.155.27 United States
122.228.22.178 China

DNS Resolution

Domain Security rating Response
www.download.windowsupdate.com CNAME fg.download.windowsupdate.com.mwcname.com
CNAME ipv6microsoft.dlmix.ourdvs.com
A 183.134.9.63
A 115.231.20.47
A 122.228.22.104
A 115.231.30.15
A 183.131.67.41
A 183.131.168.143
A 115.231.22.28
A 122.228.237.147
CNAME 2-01-3cf7-0009.cdx.cedexis.net
A 115.231.156.74
A 183.134.20.57
A 122.228.22.178
A 183.131.208.34
A 115.231.158.27
ocsp.verisign.com CNAME ocsp-ds.ws.symantec.com.edgekey.net
CNAME e8218.dscb1.akamaiedge.net
A 23.44.155.27
sf.symcd.com

PE Information

Image base 0x00400000
Entry point 0x004027a7
Declared checksum 0x00026287
Actual checksum 0x00026287
Minimum OS version 5.0
PDB path C:\DistributedAutoLink\Temp\CompileOutputDir\popwndexe.pdb
Compile time 2015-09-02 11:26:41
Icon
Icon exact hash c6f5bc489b8dbcd2f0cecc510ed1da3b
Icon similarity hash 8ffaebf154a84c42a6264e8d8ca52a87

Version Information

LegalCopyright
InternalName
FileVersion
CompanyName
SpecialBuild
ProductVersion
OriginalFilename
Translation

Microsoft Certificate Verification (Sign Tool)

SHA1 Timestamp Validity Error
214f7414ed10ff23bbdfbb2bd5803ae2ca0cdb5c Wed Sep 02 11:22:36 2015
Certificate Chain 1
Issued to VeriSign Class 3 Public Primary Certification Authority - G5
Issued by VeriSign Class 3 Public Primary Certification Authority - G5
Valid until Thu Jul 17 07:59:59 2036
SHA1 hash 4eb6d578499b1ccf5f581ead56be3d9b6744a5e5
Certificate Chain 2
Issued to VeriSign Class 3 Code Signing 2010 CA
Issued by VeriSign Class 3 Public Primary Certification Authority - G5
Valid until Sat Feb 08 07:59:59 2020
SHA1 hash 495847a93187cfb8c71f840cb7b41497ad95c64f
Certificate Chain 3
Issued to Beijing Rising Information Technology Corporation Limited
Issued by VeriSign Class 3 Code Signing 2010 CA
Valid until Sat Sep 08 07:59:59 2018
SHA1 hash 6d6afc4a6e24b3441b872b9995e37ca8d2bc4609
Timestamp Chain 1
Issued to Thawte Timestamping CA
Issued by Thawte Timestamping CA
Valid until Fri Jan 01 07:59:59 2021
SHA1 hash be36a4562fb2ee05dbb3d32323adf445084ed656
Timestamp Chain 2
Issued to Symantec Time Stamping Services CA - G2
Issued by Thawte Timestamping CA
Valid until Thu Dec 31 07:59:59 2020
SHA1 hash 6c07453ffdda08b83707c09b82fb3d15f35336b1
Timestamp Chain 3
Issued to Symantec Time Stamping Services Signer - G4
Issued by Symantec Time Stamping Services CA - G2
Valid until Wed Dec 30 07:59:59 2020
SHA1 hash 65439929b67973eb192d6ff243e6767adf0834e4

PE Sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x0000bf86 0x0000c000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.54
.rdata 0x0000d000 0x00003f3e 0x00004000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.13
.data 0x00011000 0x00002dbc 0x00001200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.33
.rsrc 0x00014000 0x0000a1d4 0x0000a200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.02
.reloc 0x0001f000 0x00001768 0x00001800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 3.93

Overlay

Offset 0x0001d000
Size 0x00001ec0

Resources

Name Offset Size Language Sublanguage Entropy File type
RT_ICON 0x0001d630 0x00000468 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 4.06 GLS_BINARY_LSB_FIRST
RT_MENU 0x0001da98 0x00000050 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.25 data
RT_DIALOG 0x0001dae8 0x00000110 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.20 data
RT_STRING 0x0001dbf8 0x00000030 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 1.39 data
RT_ACCELERATOR 0x0001dc28 0x00000010 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 1.80 data
RT_GROUP_ICON 0x0001dc68 0x00000076 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.87 MS Windows icon resource - 8 icons, 32x32, 16-colors
RT_VERSION 0x0001dce0 0x00000398 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.46 data
RT_MANIFEST 0x0001e078 0x0000015a LANG_ENGLISH SUBLANG_ENGLISH_US 4.80 ASCII text, with CRLF line terminators

Imports

Library: KERNEL32.dll:
0x40d000 WideCharToMultiByte
0x40d004 lstrlenW
0x40d008 GetLastError
0x40d00c LoadResource
0x40d010 LockResource
0x40d014 SizeofResource
0x40d018 FindResourceW
0x40d01c FindResourceExW
0x40d020 lstrlenA
0x40d024 GetProcAddress
0x40d028 GetModuleFileNameW
0x40d02c FreeLibrary
0x40d030 lstrcpyA
0x40d034 lstrcatA
0x40d038 LoadLibraryA
0x40d03c CreateMutexW
0x40d040 RaiseException
0x40d054 HeapDestroy
0x40d058 HeapAlloc
0x40d05c HeapFree
0x40d060 HeapReAlloc
0x40d064 HeapSize
0x40d068 GetProcessHeap
0x40d06c GetStartupInfoW
0x40d070 TerminateProcess
0x40d074 GetCurrentProcess
0x40d080 IsDebuggerPresent
0x40d084 GetModuleHandleW
0x40d088 Sleep
0x40d08c ExitProcess
0x40d090 WriteFile
0x40d094 GetStdHandle
0x40d098 GetModuleFileNameA
0x40d0a4 GetCommandLineW
0x40d0a8 SetHandleCount
0x40d0ac GetFileType
0x40d0b0 GetStartupInfoA
0x40d0b4 TlsGetValue
0x40d0b8 TlsAlloc
0x40d0bc TlsSetValue
0x40d0c0 TlsFree
0x40d0c8 SetLastError
0x40d0cc GetCurrentThreadId
0x40d0d4 HeapCreate
0x40d0d8 VirtualFree
0x40d0e0 GetTickCount
0x40d0e4 GetCurrentProcessId
0x40d0ec VirtualAlloc
0x40d0f0 RtlUnwind
0x40d0f4 SetFilePointer
0x40d0f8 GetConsoleCP
0x40d0fc GetConsoleMode
0x40d100 GetCPInfo
0x40d104 GetACP
0x40d108 GetOEMCP
0x40d10c IsValidCodePage
0x40d110 MultiByteToWideChar
0x40d118 SetStdHandle
0x40d11c WriteConsoleA
0x40d120 GetConsoleOutputCP
0x40d124 WriteConsoleW
0x40d128 LCMapStringA
0x40d12c LCMapStringW
0x40d130 GetStringTypeA
0x40d134 GetStringTypeW
0x40d138 GetLocaleInfoA
0x40d13c CreateFileA
0x40d140 CloseHandle
0x40d144 FlushFileBuffers
Library: ole32.dll:
0x40d14c CoInitialize
0x40d150 CoUninitialize

Antivirus engine/vendor Virus name/rule match Signature database date
Bkav No virus found 20160910
MicroWorld-eScan No virus found 20160912
nProtect No virus found 20160912
CMC No virus found 20160908
CAT-QuickHeal No virus found 20160912
ALYac No virus found 20160912
Malwarebytes No virus found 20160912
VIPRE No virus found 20160912
TheHacker No virus found 20160911
BitDefender No virus found 20160912
K7GW No virus found 20160912
K7AntiVirus No virus found 20160912
Invincea No virus found 20160830
Baidu No virus found 20160912
F-Prot No virus found 20160912
Symantec No virus found 20160912
TotalDefense No virus found 20160907
TrendMicro-HouseCall No virus found 20160912
Avast No virus found 20160912
ClamAV No virus found 20160912
Kaspersky No virus found 20160912
Alibaba No virus found 20160912
NANO-Antivirus No virus found 20160912
ViRobot No virus found 20160912
AegisLab No virus found 20160912
Rising No virus found 20160912
Ad-Aware No virus found 20160912
Sophos No virus found 20160912
Comodo No virus found 20160908
F-Secure No virus found 20160912
DrWeb No virus found 20160912
Zillya No virus found 20160911
TrendMicro No virus found 20160912
McAfee-GW-Edition No virus found 20160911
Emsisoft No virus found 20160912
Cyren No virus found 20160912
Jiangmin No virus found 20160912
Avira No virus found 20160912
Antiy-AVL No virus found 20160912
Kingsoft No virus found 20160912
Microsoft No virus found 20160912
Arcabit No virus found 20160912
SUPERAntiSpyware No virus found 20160912
GData No virus found 20160912
AhnLab-V3 No virus found 20160912
McAfee No virus found 20160912
AVware No virus found 20160912
VBA32 No virus found 20160912
Zoner No virus found 20160912
ESET-NOD32 No virus found 20160912
Tencent No virus found 20160912
Yandex No virus found 20160911
Ikarus No virus found 20160912
Fortinet No virus found 20160912
AVG No virus found 20160912
Panda No virus found 20160911
CrowdStrike No virus found 20160725
Qihoo-360 No virus found 20160912

Process Tree

popwndexe.exe, PID: 3012, Parent PID: 524

TCP

Source address Source port Destination address Destination port
192.168.122.70 51080 122.228.22.178 www.download.windowsupdate.com 80
192.168.122.70 51079 192.168.122.1 53
192.168.122.70 51081 23.44.155.27 ocsp.verisign.com 80
192.168.122.70 51082 23.44.155.27 ocsp.verisign.com 80

UDP

Source address Source port Destination address Destination port
192.168.122.69 5355 192.168.122.70 60614
192.168.122.70 51435 192.168.122.1 53
192.168.122.70 53257 192.168.122.1 53
192.168.122.70 54315 192.168.122.1 53
192.168.122.70 54531 192.168.122.1 53
192.168.122.70 59485 192.168.122.1 53
192.168.122.70 61735 192.168.122.1 53
192.168.122.70 64732 192.168.122.1 53
192.168.122.70 65276 192.168.122.1 53

HTTP Requests

URI HTTP data
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86402
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 14 Jan 2016 00:22:10 GMT
If-None-Match: "0e59c9b614ed11:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com

http://sf.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEDIqeMqxALS22aDMZsFrgC0%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEDIqeMqxALS22aDMZsFrgC0%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: sf.symcd.com

http://sf.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEDIqeMqxALS22aDMZsFrgC0%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEDIqeMqxALS22aDMZsFrgC0%3D HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: sf.symcd.com

SMTP Traffic

No SMTP traffic.

IRC Traffic

No IRC requests.

ICMP Traffic

No ICMP traffic.

CIF Report

No CIF results

Network Alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No files extracted from network traffic
Sorry! No files were dropped.
No similar analyses found.

Processing ( 47.027 seconds )

  • 44.107 NetworkAnalysis
  • 1.0 VirusTotal
  • 0.961 Static
  • 0.615 peid
  • 0.221 TargetInfo
  • 0.04 BehaviorAnalysis
  • 0.025 AnalysisInfo
  • 0.019 ProcessMemory
  • 0.018 Strings
  • 0.009 config_decoder
  • 0.008 Debug
  • 0.002 Dropped
  • 0.002 Memory

Signatures ( 0.387 seconds )

  • 0.096 tinba_behavior
  • 0.074 ransomware_files
  • 0.062 geodo_banking_trojan
  • 0.028 shifu_behavior
  • 0.016 rat_pcclient
  • 0.015 antiav_detectreg
  • 0.013 downloader_cabby
  • 0.007 banker_cridex
  • 0.007 disables_browser_warn
  • 0.007 infostealer_ftp
  • 0.006 persistence_autorun
  • 0.006 antiav_detectfile
  • 0.005 antivm_vbox_files
  • 0.004 infostealer_bitcoin
  • 0.004 infostealer_im
  • 0.004 md_url_bl
  • 0.004 network_http
  • 0.004 network_torgateway
  • 0.003 antianalysis_detectreg
  • 0.003 infostealer_mail
  • 0.002 bot_drive
  • 0.002 bot_drive2
  • 0.002 modify_proxy
  • 0.002 browser_security
  • 0.002 md_domain_bl
  • 0.001 betabot_behavior
  • 0.001 kibex_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 banker_zeus_mutex
  • 0.001 bot_athenahttp
  • 0.001 browser_addon
  • 0.001 disables_system_restore
  • 0.001 mimics_extension
  • 0.001 modify_uac_prompt

Reporting ( 3.538 seconds )

  • 2.329 ReportPDF
  • 1.129 ReportHTMLSummary
  • 0.08 Malheur
Task ID 18292
Mongo ID 57ddf2384d3bd0391814a690
Cuckoo release 1.4-Maldun