Analysis Task

Analysis type | VM tag | Start time | End time | Duration
File (Windows) | win7-sp1-x64 | 2016-09-18 09:47:10 | 2016-09-18 09:48:19 | 69 seconds

Maldun Score

2.3

Suspicious

File Details

File name RsMgrSvc.exe
File size 220952 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 648a00d1c34eced63339d82e876463a5
SHA1 581bb5964bfc12aba0496c915974d4ef378933b6
SHA256 c85637900da9d36fd65dc2e900ac74a1458ac1f9b51815247542e79b9c4f3b3d
SHA512 7d6b287f7cabac1f91f19627c4dc2f8ed07b882ecdcd28dde7ba3f323667c7724edacbb7da9c117aa7e5c353433608b228fef4916e7aca9cf8e8ad39494aaf04
CRC32 A852172B
Ssdeep 6144:ku2FdgcfH/A3xJOYatSFjQJKZO2OJrY9w:6dgcfH/AMS9JZO

Hosts Contacted (click to query the WPING real-time safety rating)

Direct IP | Safety rating | Location
23.44.155.27 | | United States
115.231.158.27 | | China

Domain Resolution (click to query the WPING real-time safety rating)

Domain | Safety rating | Response
www.download.windowsupdate.com CNAME fg.download.windowsupdate.com.mwcname.com
CNAME ipv6microsoft.dlmix.ourdvs.com
A 183.134.9.63
A 115.231.20.47
A 122.228.22.104
A 115.231.30.15
A 183.131.67.41
A 183.131.168.143
A 115.231.22.28
A 122.228.22.178
CNAME 2-01-3cf7-0009.cdx.cedexis.net
A 115.231.156.74
A 183.134.20.57
A 115.231.158.27
A 183.131.208.34
A 122.228.237.147
ocsp.verisign.com CNAME ocsp-ds.ws.symantec.com.edgekey.net
CNAME e8218.dscb1.akamaiedge.net
A 23.44.155.27
sf.symcd.com

PE Information

Image base 0x00400000
Entry point 0x0041ba5f
Claimed checksum 0x0003a22f
Actual checksum 0x0003a22f
Minimum OS version required 4.0
PDB path C:\DistributedAutoLink\Temp\CompileOutputDir\RsMgrSvc.pdb
Compile time 2016-08-12 15:24:29

Version Information

LegalCopyright
InternalName
FileVersion
CompanyName
SpecialBuild
ProductName
ProductVersion
FileDescription
OriginalFilename
Translation

Microsoft Certificate Verification (Sign Tool)

SHA1 | Timestamp | Validity | Error
57112390cb8eecc0294103ce7ceb1315a3c8cc8a | Fri Aug 12 15:19:10 2016 | |
Certificate chain: Certificate Chain 1
Issued to VeriSign Class 3 Public Primary Certification Authority - G5
Issuer VeriSign Class 3 Public Primary Certification Authority - G5
Valid until Thu Jul 17 07:59:59 2036
SHA1 hash 4eb6d578499b1ccf5f581ead56be3d9b6744a5e5
Certificate chain: Certificate Chain 2
Issued to VeriSign Class 3 Code Signing 2010 CA
Issuer VeriSign Class 3 Public Primary Certification Authority - G5
Valid until Sat Feb 08 07:59:59 2020
SHA1 hash 495847a93187cfb8c71f840cb7b41497ad95c64f
Certificate chain: Certificate Chain 3
Issued to Beijing Rising Information Technology Corporation Limited
Issuer VeriSign Class 3 Code Signing 2010 CA
Valid until Sat Sep 08 07:59:59 2018
SHA1 hash 6d6afc4a6e24b3441b872b9995e37ca8d2bc4609
Certificate chain: Timestamp Chain 1
Issued to GlobalSign Root CA
Issuer GlobalSign Root CA
Valid until Fri Jan 28 20:00:00 2028
SHA1 hash b1bc968bd4f49d622aa89a81f2150152a41d829c
Certificate chain: Timestamp Chain 2
Issued to GlobalSign Timestamping CA - G2
Issuer GlobalSign Root CA
Valid until Fri Jan 28 20:00:00 2028
SHA1 hash c0e49d2d7d90a5cd427f02d9125694d5d6ec5b71
Certificate chain: Timestamp Chain 3
Issued to GlobalSign TSA for MS Authenticode - G2
Issuer GlobalSign Timestamping CA - G2
Valid until Thu Jun 24 08:00:00 2027
SHA1 hash 63b82fab61f583909695050b00249c502933ec79

PE Sections

Name | Virtual address | Virtual size | Raw data size | Characteristics | Entropy
.text 0x00001000 0x000264c6 0x00027000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.53
.rdata 0x00028000 0x00006cba 0x00007000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.38
.data 0x0002f000 0x00002f7c 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.94
.rsrc 0x00032000 0x000004c0 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 1.26

Overlay

Offset 0x00032000
Size 0x00003f18

Resources

Name | Offset | Size | Language | Sublanguage | Entropy | File type
RT_VERSION 0x00032060 0x0000045c LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.48 data

Imports

Library: KERNEL32.dll:
0x428078 FindResourceExA
0x42807c GlobalFree
0x428080 GlobalAlloc
0x428084 SetLastError
0x428088 GetModuleFileNameA
0x42808c GetCommandLineA
0x428090 MultiByteToWideChar
0x428094 WaitForSingleObject
0x428098 OpenProcess
0x42809c FindNextFileA
0x4280a0 FindClose
0x4280a4 GetLocalTime
0x4280a8 GetFullPathNameA
0x4280ac FindFirstFileA
0x4280b0 CreateDirectoryA
0x4280b4 DeleteFileA
0x4280c0 WriteFile
0x4280c4 SetFilePointer
0x4280c8 MoveFileA
0x4280cc SetFileAttributesA
0x4280d0 lstrcpynA
0x4280d4 GetFileSize
0x4280d8 GetCurrentThreadId
0x4280dc GetCurrentProcessId
0x4280e0 OutputDebugStringA
0x4280e4 GetModuleHandleA
0x4280e8 CreateProcessA
0x4280ec SetEvent
0x4280f0 OpenEventA
0x4280f4 GetVersion
0x4280f8 GetFileAttributesA
0x4280fc Process32Next
0x428100 Process32First
0x428108 CreateThread
0x42810c ResetEvent
0x428110 GetTempPathA
0x428118 TerminateThread
0x42811c GetExitCodeThread
0x428120 ResumeThread
0x428124 CreateEventA
0x428128 ReadFile
0x428130 CompareStringA
0x428134 CompareStringW
0x428138 FindResourceA
0x42813c RemoveDirectoryA
0x428140 FlushFileBuffers
0x428144 SetEndOfFile
0x428148 SetFileTime
0x428154 GetModuleHandleW
0x428160 SetStdHandle
0x428164 IsBadCodePtr
0x428168 LoadResource
0x42816c LockResource
0x428170 SizeofResource
0x428178 GetTickCount
0x42817c Sleep
0x428180 GetCurrentProcess
0x428188 lstrcmpiA
0x42818c lstrlenW
0x428190 WideCharToMultiByte
0x428194 GetThreadLocale
0x428198 GetLocaleInfoA
0x42819c GetACP
0x4281a0 InterlockedExchange
0x4281a4 CreateFileA
0x4281a8 GetVersionExA
0x4281ac lstrlenA
0x4281b0 DeviceIoControl
0x4281b4 lstrcpyA
0x4281b8 lstrcatA
0x4281bc LoadLibraryA
0x4281c0 GetProcAddress
0x4281c4 CloseHandle
0x4281c8 GetLastError
0x4281cc LocalAlloc
0x4281d0 IsBadReadPtr
0x4281d4 GetFileType
0x4281d8 SetHandleCount
0x4281f0 GetStdHandle
0x4281f4 GetStringTypeW
0x4281f8 GetStringTypeA
0x4281fc LCMapStringW
0x428200 LCMapStringA
0x428208 GetCPInfo
0x42820c GetOEMCP
0x428210 TlsGetValue
0x428214 TlsSetValue
0x428218 TlsFree
0x42821c TlsAlloc
0x428228 IsBadWritePtr
0x42822c LocalFree
0x428230 FreeLibrary
0x42823c RaiseException
0x428240 VirtualFree
0x428244 HeapCreate
0x428248 GetStartupInfoA
0x42824c VirtualQuery
0x428250 GetSystemInfo
0x428254 VirtualAlloc
0x428258 VirtualProtect
0x42825c TerminateProcess
0x428264 ExitProcess
0x428268 RtlUnwind
0x42826c GetProcessHeap
0x428270 HeapSize
0x428274 HeapReAlloc
0x428278 HeapFree
0x42827c HeapAlloc
0x428280 HeapDestroy
Library: USER32.dll:
0x4282f0 wsprintfA
0x4282f4 IsWindow
0x4282f8 SendMessageA
0x4282fc FindWindowA
0x428300 CharUpperA
Library: ADVAPI32.dll:
0x428000 SetTokenInformation
0x428004 OpenProcessToken
0x428008 CloseServiceHandle
0x42800c OpenServiceA
0x428018 SetServiceStatus
0x42801c RegQueryInfoKeyA
0x428028 RegSaveKeyA
0x428034 RegOpenKeyA
0x428038 RegCreateKeyA
0x42803c RegSetValueExA
0x428040 RegEnumKeyExA
0x428044 CreateServiceA
0x42804c RegOpenKeyExA
0x428050 RegQueryValueExA
0x428054 RegCloseKey
0x428058 OpenSCManagerA
0x42805c GetTokenInformation
Library: ole32.dll:
0x428354 CoInitializeEx
0x428358 CoInitialize
0x42835c CoCreateInstance
0x428360 CoUninitialize
0x428364 CoSetProxyBlanket
Library: OLEAUT32.dll:
0x428290 None
0x428294 None
0x428298 None
0x42829c None
0x4282a0 None
0x4282a4 None
0x4282a8 None
0x4282ac None
0x4282b0 None
0x4282b4 None
Library: SHLWAPI.dll:
0x4282dc PathFileExistsA
0x4282e0 StrStrIA
0x4282e4 PathRemoveFileSpecA
0x4282e8 PathSkipRootA
Library: CRYPT32.dll:
0x428064 CertGetNameStringW
0x42806c CertCloseStore
0x428070 CryptMsgClose
Library: RPCRT4.dll:
0x4282bc UuidCreate
Library: iphlpapi.dll:
0x428348 GetAdaptersInfo
Library: WININET.dll:
0x428318 HttpOpenRequestA
0x42831c HttpSendRequestA
0x428320 HttpQueryInfoA
0x428324 InternetReadFile
0x428328 InternetSetOptionA
0x42832c InternetOpenA
0x428330 InternetConnectA
0x428338 InternetCloseHandle
0x428340 InternetCrackUrlA
Library: VERSION.dll:
0x428308 GetFileVersionInfoA
0x42830c VerQueryValueA

Strings

wintrust.dll
WTHelperGetProvCertFromChain
WTHelperGetProvSignerFromChain
WTHelperProvDataFromStateData
WinVerifyTrust
CryptCATAdminEnumCatalogFromHash
CryptCATAdminCalcHashFromFileHandle
CryptCATCatalogInfoFromContext
CryptCATAdminReleaseCatalogContext
CryptCATAdminReleaseContext
CryptCATAdminAcquireContext
crypt32.dll
CryptSIPVerifyIndirectData
CryptSIPCreateIndirectData
CryptSIPRetrieveSubjectGuid
CryptMsgGetParam
CryptDecodeObject
CryptQueryObject
1.3.6.1.4.1.311.2.1.4
list<T> too long
vector<T> too long
\\.\PhysicalDrive%d
SCSIDISK
\\.\Scsi%d:
GetAdaptersInfo
Iphlpapi.dll
Lenovo
Nvidia
Ralink
Atheros
Marvell
Intel
Broadcom
Realtek
Broadband Connection
pppoe
Virtual
Windows
Microsoft
VMware
SELECT * FROM Win32_NetworkAdapter WHERE (MACAddress IS NOT NULL) AND (NOT (PNPDeviceID LIKE 'ROOT%')) AND (NOT (PNPDeviceID LIKE 'USB%'))
SELECT * FROM Win32_NetworkAdapter WHERE (MACAddress IS NOT NULL) AND (NOT (PNPDeviceID LIKE 'ROOT%'))
#{ad498944-762f-11d0-8dcb-00c04fc3358c}
b06bdrv
MACAddress
Description
AdapterType
Manufacturer
PhysicalAdapter
00-00-00-00-00-00
%.2x-%.2x-%.2x-%.2x-%.2x-%.2x
%02X-
LOOPBACK
TOKENRING
ETHERNET
OTHER
RsMgrSvc
\Program Files
ProgramFilesDir
Software\Microsoft\Windows\CurrentVersion
ChangeServiceConfig2A
Advapi32.dll
Rsd Service
COM Infrastructure
RpcSs
\Rising\RSD\RsMgrSvc.exe"
DuplicateTokenEx
SetTokenInformation
OpenProcessToken
Explorer.exe
ProcID
%08X%04X%04X%02X%02X%02X%02X%02X%02X%02X%02X
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
CLSID\{CAA2D3B1-4BB5-4a45-A17A-122773379D99}
\Rising\RSD
Progman
Program Manager
Shell
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
[%04d-%02d-%02d][%02d:%02d:%02d:%03d]
\Rising
SHFolder.dll
SHGetFolderPathA
Shell32.dll
installpath
SOFTWARE\Rising\%s
datapath
2.log
[%04u]
[0x%08X]
[FATAL]
[ALERT]
[WAINNING]
[ACTION]
[DETAIL]
LOGNAME
DEBUG
RAV.INI
RS_DEBUG_VIEW
LOGSIZE
OUTPUT
LEVEL
WinSessionThread GetPidByName dwPID = %d , name=%s!
NtQuerySystemInformation
NtDll.dll
ProcessIdToSessionId
Kernel32.dll
WTSQueryUserToken Failed! Err Code: %d
WTSQueryUserToken
wtsapi32.DLL
Explorer is not running...
OpenProcess Failed! Err Code: %d
GetProcAddress(OpenProcessToken) Failed! Err Code: %d
OpenProcessToken Failed! Err Code: %d
Explorer is running...
GetLogonUserToken(%d)
>`userinit.exe
GetModuleBaseNameA
EnumProcessModules
EnumProcesses
CRsMgrSvc::WaitForLogonNT:LoadLibrary(_"psapi.dll");err=0x%x
psapi.dll
Cancel to Logon
Sucessed to Logon
m_hWaitLogonEvent == NULL
CRsMgrSvc::WaitForLogonNT()
Fail to OpenProcessToken; 0x%x
Successed to CreateProcessAsUser.
CreateProcessAsUser to change session 0.
Failed to call CreateProcessAsUser again: appname = %s cmd=%s;err=0x%x.
Failed to SetTokenInformation(0):err=0x%x
Failed to call CreateProcessAsUser:cmd=%s;err=0x%x.
Failed to DuplicateTokenEx:err=0x%x
Failed to SetTokenInformation:err=0x%x
SessionId = %d
WinSta0\Default
Failed to LoadLibrary("Wtsapi32.dll"):err=0x
Failed to call WTSEnumerateSessions:err=0x%x
The Terminate Service not running.
WTSFreeMemory
SessionInfo[%d]: SessionId=%d; WinStationName=%s; State=%d.
WTSEnumerateSessionsA
Wtsapi32.dll
Failed to CreateProcess:%s;err=0x%x
RunProcessAsSvc
ThreadRepair success
ThreadCldRsd success
Failed to LoadLibrary("Wtsapi32.dll"):err=0x%x
Failed to WTSEnumerateSessions:err=0x%x
Session\%d\RSD_POP_MESSAGE_INFO
WinSessionThread CreateProcess ret = %d end !
WinSessionThread CreateProcess LoadLibrary Userenv err !
WinSessionThread CreateProcess LoadLibrary GetProcAddress err !
WinSessionThread CreateProcess pid = %d, CreateProcessAsUser err = %d !
WinSessionThread CreateProcess SetTokenInformation return value:4
DestroyEnvironmentBlock
CreateEnvironmentBlock
Userenv.DLL
WinSessionThread CreateProcess begin dwSessionID = %d!
CRsMgrSvc::OnStop()
CRsMgrSvc::OnShutdown()
Failed to LoadLibrary("Userenv.DLL"):err=0x%x
Failed to call CreateProcessAsUser: cmd=%s;err=0x%x.
RunProcessAsSvc...
New Failed to call WTSQueryUserToken, err= 0x%x
RunProcessAsLogon
rsmsg
sguid
%s\rsmsginfo.ini
Failed to open the shell ready event: 0x%x
"%s" /shellrun
%s\RsStub.exe
Session\%d\ShellReadyEvent
LogonRun - session : %d
Failed to call RegOpenKeyEx, err = 0x%x
Failed to call RegSaveKey, err = 0x%x
SYSTEM\CurrentControlSet\Services\RsMgrSvc
Failed to call AdjustTokenPrivileges, err = 0x%x
SeBackupPrivilege
Failed to call OpenPrcessToken, err = 0x%x
%s\RsMgrSvc.dat
GHOST
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
UninstallString
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%s
BaiduAnSvc.exe
BaiduSdSvc.exe
liebao.exe
liebao
ksafe.exe
{849B7E2B-0551-429C-B317-14B7D374D6EC}_is1
kxescore.exe
Kingsoft Internet Security
QQPCRtp.exe
QQPCMgr
360sd.exe
360SD
360se.exe
{23F3F476-BE34-4f48-9C77-2806A8393EC4}
360Desktop.exe
360Desktop
ZhuDongFangYu.exe
safeboxTray.exe
Failed to Create LogonRunThread Thread, err = 0x%x
SessionChange:EventType=%d; sessionID = %d
VERSION
COMPONENT
\Backup\RSD\RSSetup\RSSetup.xml
rsup10.rising.com.cn
u.suxiazai.com
%s?t=0&info=%s
ver=%s&guid=%s&sguid=%s&state=%s
Switch
MENU/ITEM
http://u.suxiazai.com/menu/info.xml
http://rsup10.rising.com.cn/menu/info.xml
%srsd\info.xml
/logon
/session
/subkey
/lang
/lang
/silence
/silence
/tray
/tray
Failed to Verify the "%s".
/workdir
/highrun
Failed to call vf.Init.
Success to Verify the "%s".
/argument
/binpath
%s\rsbackup.exe
"%s\rsbackup.exe"
/backup
/uc
Update
/subkey
%.4d-%.2d-%.2d %.2d:%.2d:%.2d
%s\RsMgrSvc.ini
%s\updater.exe
"%s\updater.exe"
/update
/rsstub
/exit
CRsMgrSvc::Handle.
DeleteFile: %s.
ITEM%d
DELETEFILE
COUNT
\RsMgrSvc.ini
DeletePath: %s.
DELETEPATH
REBOOTRUN
Clean WillReboot In %s
SETUP
WILLREBOOT
%s\%s\%s.ini
\Data
1971-01-01 00:00:00
%d-%d-%d %d:%d:%d
%s\Data
%s /subkey %s /RsMgrSvc
"%s\Updater.exe" /silence
%s\Updater.exe
TryGetUserGUID param1=%d param2=%d
End RunAfterReboot.
Reboot
BeforeReboot
\Reboot.ini
Begin RunAfterReboot.
m_hTimerThread success
WaitForLogon success
CreateThread ThreadCldRsd
CreateThread dwThreadRepair
CRsMgrSvc::SVC:Failed to m_lpRsStub->Initialize(this)
CRsMgrSvc::SVC:Failed to new CRsStub
CRsMgrSvc::SVC:Failed to CreateEvent-Wait: err=0x%x
RsMgrSvc_Wait
CRsMgrSvc::SVC:Failed to CreateEvent, err=0x%x
-/UPDATE
/UPDATE
YYYIYOUDAO
comx3.dll
RS_ShutDown
RS_FreeCallCenter
RS_AllocateCallCenter
RS_UninitializeCallCenter
RS_InitializeCallCenter
RegisterServiceProcess
KERNEL32.DLL
RegisterServiceCtrlHandlerExA
-DEBUG
/DEBUG
Delete
NoRemove
ForceRemove
kernel32.dll
K.$invalid map/set<T> iterator
map/set<T> too long
DiskSerial
Model
ProcessorId
Win32_NetworkAdapter
Win32_Processor
MSIE %d.%d
WININET.DLL
Windows Me
Windows 98
Windows 95
Windows NT %d.%d
%s:%d
proxy
<local>
Mozilla/4.0 (compatible; %s; %s; Rising)
Content-Type: application/x-www-form-urlencoded
InPost=
HTTP/1.0
close
Range: bytes=%d-
Host:
RstoreDll.dll
SOFTWARE\Rising\
@CRsUseRepairProduct::prstorestart %s Dllpath:%s
@CRsUseRepairProduct::prstorestart %s
StartSpecialRepair
@CRsUseRepairProduct::LoadDllAndForkRepair
Subkey: %s could not find dllPath ,so use rsd path:%s
Subkey: %s Path:%s
\RstoreDll.dll
\rsupdater
@CRsUseRepairProduct::getRestoreDllPath
CldRsd.dll
CRsLoadCloud::InitData...
CRsLoadCloud::LoadCldRsdDll... failed lasterror = %d
CRsLoadCloud::LoadCldRsdDll... success
CRsLoadCloud::LoadCldRsdDll...%s
CRsLoadCloud::StartTask...success
StartTask
CRsLoadCloud::StartTask...
CRsLoadCloud::StopTask... success
StopTask
CRsLoadCloud::StopTask...
CLSID\{CAA2D3B2-4BB5-4a45-A17A-122773379D99}
"result": "%s", "errorcode": "%s", "remark": "%s", "pa": "%s", "pb": "%s"}
http://center.rising.com.cn/urg.asp?v=%s&t=%s&a=%s
%sbase
IsWow64Process
RtlGetVersion
SystemMsg
IsSendWin10Msg
IsSendWin10MsgNew
IsWin10OS
@CRsCheckWin10::DoWork ThisSystem is not Win10.
@CRsCheckWin10::DoWork SendWin10MsgInfo failed. lastError = %d.
@CRsCheckWin10::DoWork SendWin10MsgInfo success.
@CRsCheckWin10::DoWork IsSendWin10MsgNew = true.already has send msg to server.
@CRsCheckWin10::DoWork
isExistReg....failed
isExistReg....success end
RapUrl
Software\rising\lockie
isExistReg....begin
IsEquelToStringRap_25...end success
RAVP_25
PRODUCTUID
%s\data\rav\rav.ini
IsEquelToStringRap_25...begin
isExistFiles....success end
%s\backup\rav\rapbase\rapsetup.dll
Failed isExistFiles %s not exist
%s\rapsetup.dll
%s\xmls\_rap.xml
isExistFiles....begin
Unknown exception
CorExitProcess
mscoree.dll
(null)
Microsoft Visual C++ Runtime Library
Program:
<program name unknown>
Buffer overrun detected!
Unknown security failure detected!
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
e+000
GAIsProcessorFeaturePresent
KERNEL32
runtime error
Program:
InitializeCriticalSectionAndSpinCount
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
1#QNAN
1#INF
1#IND
1#SNAN
invalid string position
string too long
C:\DistributedAutoLink\Temp\CompileOutputDir\RsMgrSvc.pdb
lstrlenA
RaiseException
InitializeCriticalSection
DeleteCriticalSection
FreeLibrary
LocalFree
LocalAlloc
GetLastError
CloseHandle
GetProcAddress
LoadLibraryA
lstrcatA
lstrcpyA
DeviceIoControl
GetVersionExA
CreateFileA
InterlockedExchange
GetACP
GetLocaleInfoA
GetThreadLocale
WideCharToMultiByte
lstrlenW
lstrcmpiA
InterlockedDecrement
GetCurrentProcess
Sleep
GetTickCount
GetWindowsDirectoryA
SizeofResource
LockResource
LoadResource
FindResourceA
FindResourceExA
GlobalFree
GlobalAlloc
SetLastError
GetModuleFileNameA
GetCommandLineA
MultiByteToWideChar
WaitForSingleObject
OpenProcess
FindNextFileA
FindClose
GetLocalTime
GetFullPathNameA
FindFirstFileA
CreateDirectoryA
DeleteFileA
GetPrivateProfileIntA
GetPrivateProfileStringA
WriteFile
SetFilePointer
MoveFileA
SetFileAttributesA
lstrcpynA
GetFileSize
GetCurrentThreadId
GetCurrentProcessId
OutputDebugStringA
GetModuleHandleA
CreateProcessA
SetEvent
OpenEventA
GetVersion
GetFileAttributesA
Process32Next
Process32First
CreateToolhelp32Snapshot
CreateThread
ResetEvent
GetTempPathA
WritePrivateProfileStringA
TerminateThread
GetExitCodeThread
ResumeThread
CreateEventA
ReadFile
WritePrivateProfileSectionA
CompareStringA
CompareStringW
RemoveDirectoryA
FlushFileBuffers
SetEndOfFile
SetFileTime
SystemTimeToFileTime
FileTimeToSystemTime
GetModuleHandleW
KERNEL32.dll
CharUpperA
FindWindowA
SendMessageA
IsWindow
wsprintfA
USER32.dll
GetTokenInformation
OpenProcessToken
CloseServiceHandle
OpenServiceA
OpenSCManagerA
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
ChangeServiceConfigA
CreateServiceA
RegEnumKeyExA
RegSetValueExA
RegCreateKeyA
RegOpenKeyA
CreateProcessAsUserA
SetTokenInformation
AllocateAndInitializeSid
RegSaveKeyA
AdjustTokenPrivileges
LookupPrivilegeValueA
RegQueryInfoKeyA
SetServiceStatus
RegisterServiceCtrlHandlerA
StartServiceCtrlDispatcherA
ADVAPI32.dll
CoSetProxyBlanket
CoUninitialize
CoCreateInstance
CoInitializeSecurity
CoInitializeEx
CoInitialize
ole32.dll
OLEAUT32.dll
StrStrIA
PathSkipRootA
PathFileExistsA
PathRemoveFileSpecA
SHLWAPI.dll
CryptMsgClose
CertCloseStore
CertGetNameStringW
CertFindCertificateInStore
CRYPT32.dll
UuidCreate
RPCRT4.dll
SetupDiDestroyDeviceInfoList
SetupDiGetDeviceRegistryPropertyA
SetupDiGetDeviceInterfaceDetailA
SetupDiEnumDeviceInterfaces
SetupDiGetClassDevsA
SETUPAPI.dll
GetAdaptersInfo
iphlpapi.dll
InternetCloseHandle
InternetAttemptConnect
InternetConnectA
InternetOpenA
InternetSetOptionA
InternetCrackUrlA
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
HttpAddRequestHeadersA
WININET.dll
VerQueryValueA
GetFileVersionInfoA
GetFileVersionInfoSizeA
VERSION.dll
EnterCriticalSection
LeaveCriticalSection
HeapDestroy
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
GetProcessHeap
RtlUnwind
ExitProcess
GetSystemTimeAsFileTime
TerminateProcess
VirtualProtect
VirtualAlloc
GetSystemInfo
VirtualQuery
GetStartupInfoA
HeapCreate
VirtualFree
IsBadWritePtr
SetUnhandledExceptionFilter
QueryPerformanceCounter
TlsAlloc
TlsFree
TlsSetValue
TlsGetValue
GetOEMCP
GetCPInfo
GetTimeZoneInformation
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
GetStdHandle
UnhandledExceptionFilter
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
IsBadReadPtr
IsBadCodePtr
SetStdHandle
SetEnvironmentVariableA
InterlockedIncrement
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
.?AVCAtlException@ATL@@
.?AVexception@@
.?AVlogic_error@std@@
.?AVlength_error@std@@
welcome Rising*youarelawless!y2a3n4g5Y6U7q8i@S9I0N#A.C%O(M-)<>ABI993JIEM,;'{jkliewaqlsiqomv.z^iwaql}-_=+)_(l;2j2f90aslkjflkasjas32092JKLSJFbASAUI/Z/A[/,./|@~`FS'.Z,MF920SDLAFJKAL9320QFFMmlajfl,.<>//|348q9729|fjlail3jo798,ksafa302-s;akfa;=_++-0-_))0-0-p23is
welcome Rising*youarelawless!y2a$n4g5Y6U7q8i@S9I0N#A.C%O(M-)<>ABI99*JIEM,;'{jkliewaqlsiqomv.z^iwaql}-_=+)_(l;2j@f90aslkjflkasjas6j09kJKLSJFbASAUI/Z/A[/,./|@~`FS'.Z,MF920SDLAFJKAL9320QFFMmlajfl,.<>//|348q9729|fjlail3jo798,ksafa302-s;akfa;=_++-0-_))0-0-p^bis
.?AVout_of_range@std@@
.?AVtype_info@@
Copyright (c) 1992-2001 by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.
.?AV_com_error@@
PNPDeviceID
LROOT\CIMV2
Beijing Rising Information Technology Co.,Ltd.
Beijing Rising Information Technology Corporation Limited
gunknown
Select * from
root\cimv2
ntdll.dll
(null)
VS_VERSION_INFO
StringFileInfo
080404b0
CompanyName
Beijing Rising Information Technology Co., Ltd.
FileDescription
RsMgrSvc Application
FileVersion
1.0.0.69
InternalName
Beijing Rising Information Technology Co., Ltd.
LegalCopyright
Copyright(C) 2016-2017 Beijing Rising Information Technology Co., Ltd. All Rights Reserved.
OriginalFilename
RsMgrSvc.exe
ProductName
Rising Software Distribute System
ProductVersion
SpecialBuild
20160812152415890
VarFileInfo
Translation
Antivirus Engine/Vendor | Virus Name/Rule Match | Signature DB Date
Bkav | No virus found | 20160908
MicroWorld-eScan | No virus found | 20160909
nProtect | No virus found | 20160909
CMC | No virus found | 20160908
CAT-QuickHeal | No virus found | 20160908
ALYac | No virus found | 20160909
Malwarebytes | No virus found | 20160909
Zillya | No virus found | 20160908
TheHacker | No virus found | 20160908
BitDefender | No virus found | 20160909
K7GW | No virus found | 20160908
K7AntiVirus | No virus found | 20160908
TrendMicro | No virus found | 20160909
Baidu | No virus found | 20160908
Cyren | No virus found | 20160909
Symantec | No virus found | 20160909
TotalDefense | No virus found | 20160907
TrendMicro-HouseCall | No virus found | 20160909
Avast | No virus found | 20160909
ClamAV | No virus found | 20160907
Kaspersky | No virus found | 20160909
Alibaba | No virus found | 20160909
NANO-Antivirus | No virus found | 20160909
ViRobot | No virus found | 20160909
AegisLab | No virus found | 20160909
Rising | No virus found | 20160909
Ad-Aware | No virus found | 20160909
Sophos | No virus found | 20160909
Comodo | No virus found | 20160908
F-Secure | No virus found | 20160909
DrWeb | No virus found | 20160909
VIPRE | No virus found | 20160909
Invincea | No virus found | 20160830
McAfee-GW-Edition | No virus found | 20160909
Emsisoft | No virus found | 20160909
F-Prot | No virus found | 20160909
Jiangmin | No virus found | 20160908
Avira | No virus found | 20160908
Antiy-AVL | No virus found | 20160909
Kingsoft | No virus found | 20160909
Microsoft | No virus found | 20160909
Arcabit | No virus found | 20160909
SUPERAntiSpyware | No virus found | 20160909
GData | No virus found | 20160909
AhnLab-V3 | No virus found | 20160908
McAfee | No virus found | 20160909
AVware | No virus found | 20160909
VBA32 | No virus found | 20160908
Zoner | No virus found | 20160909
ESET-NOD32 | No virus found | 20160909
Tencent | No virus found | 20160909
Yandex | No virus found | 20160908
Ikarus | No virus found | 20160908
Fortinet | No virus found | 20160909
AVG | No virus found | 20160908
Panda | No virus found | 20160908
Qihoo-360 | No virus found | 20160909

Process Tree

RsMgrSvc.exe, PID: 100, parent PID: 2064

TCP

Source address | Source port | Destination address | Destination port
192.168.122.69 59209 115.231.158.27 www.download.windowsupdate.com 80
192.168.122.69 53440 184.28.218.129 80
192.168.122.69 59208 192.168.122.1 53
192.168.122.69 59210 23.44.155.27 ocsp.verisign.com 80
192.168.122.69 59211 23.44.155.27 ocsp.verisign.com 80

UDP

Source address | Source port | Destination address | Destination port
192.168.122.69 52431 192.168.122.1 53
192.168.122.69 52625 192.168.122.1 53
192.168.122.69 52766 192.168.122.1 53
192.168.122.69 56589 192.168.122.1 53
192.168.122.69 57129 192.168.122.1 53
192.168.122.69 58396 192.168.122.1 53
192.168.122.69 63333 192.168.122.1 53
192.168.122.69 5355 192.168.122.70 60614

HTTP Requests

URI | HTTP data
URL sandbox scan -> http://www.msftncsi.com/ncsi.txt
GET /ncsi.txt HTTP/1.1
Connection: Close
User-Agent: Microsoft NCSI
Host: www.msftncsi.com

URL sandbox scan -> http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86402
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 14 Jan 2016 00:22:10 GMT
If-None-Match: "0e59c9b614ed11:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

URL sandbox scan -> http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com

URL sandbox scan -> http://sf.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEDIqeMqxALS22aDMZsFrgC0%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEDIqeMqxALS22aDMZsFrgC0%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: sf.symcd.com

URL sandbox scan -> http://sf.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEDIqeMqxALS22aDMZsFrgC0%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEDIqeMqxALS22aDMZsFrgC0%3D HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: sf.symcd.com

SMTP Traffic

No SMTP traffic.

IRC Traffic

No IRC requests.

ICMP Traffic

No ICMP traffic.

CIF Report

No CIF results.

Network Alerts

No alerts.

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No files extracted from network traffic.
No files were dropped.
No similar analyses found.

Processing ( 19.06 seconds )

  • 17.106 NetworkAnalysis
  • 0.923 VirusTotal
  • 0.462 Static
  • 0.237 peid
  • 0.2 TargetInfo
  • 0.054 BehaviorAnalysis
  • 0.028 Strings
  • 0.026 AnalysisInfo
  • 0.009 Debug
  • 0.009 config_decoder
  • 0.003 Dropped
  • 0.002 Memory
  • 0.001 ProcessMemory

Signatures ( 0.065 seconds )

  • 0.012 antiav_detectreg
  • 0.005 persistence_autorun
  • 0.005 antiav_detectfile
  • 0.005 infostealer_ftp
  • 0.004 geodo_banking_trojan
  • 0.004 ransomware_files
  • 0.003 infostealer_bitcoin
  • 0.003 infostealer_im
  • 0.002 tinba_behavior
  • 0.002 antianalysis_detectreg
  • 0.002 antivm_vbox_files
  • 0.002 bot_drive
  • 0.002 disables_browser_warn
  • 0.002 infostealer_mail
  • 0.002 md_domain_bl
  • 0.002 network_torgateway
  • 0.001 betabot_behavior
  • 0.001 stealth_timeout
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive2
  • 0.001 modify_proxy
  • 0.001 browser_security
  • 0.001 modify_uac_prompt
  • 0.001 network_http

Reporting ( 3.108 seconds )

  • 2.605 ReportPDF
  • 0.493 ReportHTMLSummary
  • 0.01 Malheur
Task ID 18295
Mongo ID 57ddf27a4d3bd0391814a6bd
Cuckoo release 1.4-Maldun