Analysis task

Analysis type VM label Start time End time Duration
File (Windows) win7-sp1-x64-1 2016-09-18 09:47:28 2016-09-18 09:48:13 45 seconds

Maldun score

2.0

Normal

File details

File name rsmain.exe
File size 92480 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 ead00019530b0c2f0b6ebfbd0bc8cf24
SHA1 1ba5c33aeb9e52c43d791f9c4e74e4227bdb3145
SHA256 0c25dc4e085fa96cadb9567257e4a058db8c42d8fbb2a6999bc27f4479980e36
SHA512 0ed0499f7ef197897c9eac57eaff62cd2d0f36aa9b33197c0360091c9649b3ce96102f7652aa8043fa195b040dd46f758ff1a5dc19f7158fe87a53541a839a5b
CRC32 8A5A1934
Ssdeep 1536:gEbW8iiDim2QPklQjt7eTG5Il2l6c+wupuqgMOEAbEGlF+jriz4fJPGQzIv:gc/iiDiF4klQjt7uGPHyFOEAbEG5z4h8

Hosts contacted

Direct IP Security rating Location
23.44.155.27 United States
183.131.67.42 China

Domain resolution

Domain Security rating Response
www.download.windowsupdate.com CNAME fg.download.windowsupdate.com.mwcname.com
CNAME ipv6microsoft.dlmix.ourdvs.com
A 183.134.10.52
A 122.228.237.169
A 58.220.44.179
A 122.228.22.170
A 122.228.22.209
CNAME 2-01-3cf7-0009.cdx.cedexis.net
A 183.131.67.42
A 115.231.84.168
A 122.228.237.147
A 122.228.205.24
A 122.228.22.102
A 183.134.24.72
A 183.134.53.144
A 115.231.158.74
ocsp.verisign.com CNAME ocsp-ds.ws.symantec.com.edgekey.net
CNAME e8218.dscb1.akamaiedge.net
A 23.44.155.27
sf.symcd.com


PE information

Image base 0x00400000
Entry point 0x00407f3e
Declared checksum 0x00019618
Actual checksum 0x00019618
Minimum OS version required 5.0
PDB path C:\DistributedAutoLink\Temp\CompileOutputDir\rsmain.pdb
Compile time 2015-09-01 10:06:13
Icon
Icon exact hash b9a7d7cd8f43f603a8e42b67b51ea556
Icon similarity hash 47408a802f350cd6c4cb8c98f6c01e50

Version information

LegalCopyright
InternalName
FileVersion
CompanyName
SpecialBuild
ProductName
ProductVersion
FileDescription
OriginalFilename
Translation

Microsoft certificate verification (Sign Tool)

SHA1 Timestamp Validity Error
829cbfea38dd202b7e5c284fcbc73cf15ffc76d6 Tue Sep 01 10:02:35 2015
Certificate chain: Certificate Chain 1
Issued to VeriSign Class 3 Public Primary Certification Authority - G5
Issuer VeriSign Class 3 Public Primary Certification Authority - G5
Valid until Thu Jul 17 07:59:59 2036
SHA1 hash 4eb6d578499b1ccf5f581ead56be3d9b6744a5e5
Certificate chain: Certificate Chain 2
Issued to VeriSign Class 3 Code Signing 2010 CA
Issuer VeriSign Class 3 Public Primary Certification Authority - G5
Valid until Sat Feb 08 07:59:59 2020
SHA1 hash 495847a93187cfb8c71f840cb7b41497ad95c64f
Certificate chain: Certificate Chain 3
Issued to Beijing Rising Information Technology Corporation Limited
Issuer VeriSign Class 3 Code Signing 2010 CA
Valid until Sat Sep 08 07:59:59 2018
SHA1 hash 6d6afc4a6e24b3441b872b9995e37ca8d2bc4609
Certificate chain: Timestamp Chain 1
Issued to Thawte Timestamping CA
Issuer Thawte Timestamping CA
Valid until Fri Jan 01 07:59:59 2021
SHA1 hash be36a4562fb2ee05dbb3d32323adf445084ed656
Certificate chain: Timestamp Chain 2
Issued to Symantec Time Stamping Services CA - G2
Issuer Thawte Timestamping CA
Valid until Thu Dec 31 07:59:59 2020
SHA1 hash 6c07453ffdda08b83707c09b82fb3d15f35336b1
Certificate chain: Timestamp Chain 3
Issued to Symantec Time Stamping Services Signer - G4
Issuer Symantec Time Stamping Services CA - G2
Valid until Wed Dec 30 07:59:59 2020
SHA1 hash 65439929b67973eb192d6ff243e6767adf0834e4

PE sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x00008228 0x00008400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.26
.rdata 0x0000a000 0x0000325c 0x00003400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.02
.data 0x0000e000 0x00000c5c 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.55
.rsrc 0x0000f000 0x000076d8 0x00007800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.83
.reloc 0x00017000 0x00000e70 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.01

Overlay

Offset 0x00014a00
Size 0x00001f40

Resources

Name Offset Size Language Sublanguage Entropy File type
RT_ICON 0x00015a48 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.04 GLS_BINARY_LSB_FIRST
RT_ICON 0x00015a48 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.04 GLS_BINARY_LSB_FIRST
RT_ICON 0x00015a48 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.04 GLS_BINARY_LSB_FIRST
RT_ICON 0x00015a48 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.04 GLS_BINARY_LSB_FIRST
RT_ICON 0x00015a48 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.04 GLS_BINARY_LSB_FIRST
RT_ICON 0x00015a48 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.04 GLS_BINARY_LSB_FIRST
RT_ICON 0x00015a48 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.04 GLS_BINARY_LSB_FIRST
RT_ICON 0x00015a48 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.04 GLS_BINARY_LSB_FIRST
RT_ICON 0x00015a48 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.04 GLS_BINARY_LSB_FIRST
RT_ICON 0x00015a48 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.04 GLS_BINARY_LSB_FIRST
RT_GROUP_ICON 0x00015eb0 0x00000092 LANG_ENGLISH SUBLANG_ENGLISH_US 2.99 MS Windows icon resource - 10 icons, 32x32, 16-colors
RT_VERSION 0x00015f44 0x0000042c LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.59 data
RT_MANIFEST 0x00016370 0x00000368 LANG_ENGLISH SUBLANG_ENGLISH_US 5.07 ASCII text, with CRLF line terminators

Imports

Library: KERNEL32.dll:
0x40a02c SuspendThread
0x40a030 GetLocalTime
0x40a034 RaiseException
0x40a038 GetCommandLineW
0x40a03c GetFileSize
0x40a040 SetFilePointer
0x40a044 lstrlenA
0x40a048 FindResourceExW
0x40a04c FindResourceW
0x40a050 LoadResource
0x40a054 CreateProcessW
0x40a05c WaitForSingleObject
0x40a060 OutputDebugStringW
0x40a064 GetTickCount
0x40a06c WriteFile
0x40a070 WideCharToMultiByte
0x40a074 Sleep
0x40a078 SizeofResource
0x40a07c GetVersionExW
0x40a080 GetExitCodeProcess
0x40a084 lstrcpynW
0x40a088 GetFileAttributesW
0x40a08c lstrcatA
0x40a090 MultiByteToWideChar
0x40a094 lstrlenW
0x40a09c OpenMutexW
0x40a0a0 GetLastError
0x40a0a4 GetModuleHandleW
0x40a0a8 MoveFileW
0x40a0ac LoadLibraryA
0x40a0b0 Process32FirstW
0x40a0b4 OpenMutexA
0x40a0bc LocalAlloc
0x40a0c0 LockResource
0x40a0c4 Process32NextW
0x40a0cc ReleaseMutex
0x40a0d4 DeleteFileW
0x40a0d8 LocalFree
0x40a0dc SetFileAttributesW
0x40a0e0 lstrcpyA
0x40a0e4 lstrcmpiW
0x40a0e8 GetProcessHeap
0x40a0ec HeapSize
0x40a0f0 HeapReAlloc
0x40a0f4 HeapFree
0x40a0f8 HeapAlloc
0x40a0fc HeapDestroy
0x40a104 GetCurrentProcess
0x40a108 GetCurrentProcessId
0x40a10c GetCurrentThreadId
0x40a110 CloseHandle
0x40a114 CreateFileW
0x40a118 FreeLibrary
0x40a11c GetProcAddress
0x40a120 LoadLibraryW
0x40a124 GetModuleFileNameW
0x40a144 IsDebuggerPresent
0x40a14c TerminateProcess
0x40a150 GetStartupInfoW
0x40a158 InterlockedExchange
Library: USER32.dll:
0x40a2c4 FindWindowW
0x40a2c8 CharUpperW
0x40a2cc IsWindow
0x40a2d4 SendMessageW
Library: ADVAPI32.dll:
0x40a000 RegOpenKeyExW
0x40a004 RegEnumValueA
0x40a008 RegQueryInfoKeyA
0x40a00c RegOpenKeyExA
0x40a010 RegQueryValueExW
0x40a014 GetTokenInformation
0x40a01c GetSidSubAuthority
0x40a020 OpenProcessToken
0x40a024 RegCloseKey
Library: SHELL32.dll:
0x40a2b0 ShellExecuteExW
0x40a2b4 ShellExecuteW
Library: ole32.dll:
0x40a2dc CoUninitialize
0x40a2e4 CoInitialize
0x40a2e8 CoInitializeEx
0x40a2ec CoSetProxyBlanket
0x40a2f0 CoCreateInstance
Library: OLEAUT32.dll:
0x40a29c None
0x40a2a0 None
0x40a2a4 None
0x40a2a8 None
Library: SHLWAPI.dll:
Library: MSVCR90.dll:
0x40a19c _decode_pointer
0x40a1a0 __CxxFrameHandler3
0x40a1a4 _CxxThrowException
0x40a1a8 memset
0x40a1ac _controlfp_s
0x40a1b0 _invoke_watson
0x40a1b8 wcscat_s
0x40a1bc wcscpy_s
0x40a1c0 wcsrchr
0x40a1c4 swprintf_s
0x40a1c8 ??3@YAXPAX@Z
0x40a1cc wcschr
0x40a1d0 memmove_s
0x40a1d4 _wcsicmp
0x40a1d8 sprintf
0x40a1e8 memmove
0x40a1ec _strlwr
0x40a1f0 free
0x40a1f4 calloc
0x40a1f8 wcsnlen
0x40a1fc _wcslwr
0x40a200 _wcslwr_s
0x40a208 wcsstr
0x40a20c _recalloc
0x40a210 ??_V@YAXPAX@Z
0x40a214 _vsnwprintf
0x40a218 swscanf_s
0x40a21c memcpy_s
0x40a220 _wcsupr
0x40a224 wcsspn
0x40a228 wcscspn
0x40a22c ??2@YAPAXI@Z
0x40a230 strchr
0x40a234 _unlock
0x40a238 __dllonexit
0x40a23c _encode_pointer
0x40a240 _lock
0x40a244 _onexit
0x40a248 memcpy
0x40a24c _amsg_exit
0x40a250 __wgetmainargs
0x40a254 _cexit
0x40a258 _exit
0x40a25c _XcptFilter
0x40a260 exit
0x40a264 _wcmdln
0x40a268 _initterm
0x40a26c _initterm_e
0x40a270 _configthreadlocale
0x40a274 __setusermatherr
0x40a278 _adjust_fdiv
0x40a27c __p__commode
0x40a280 __p__fmode
0x40a284 __set_app_type
0x40a288 _crt_debugger_hook
0x40a290 ?terminate@@YAXXZ

=RSMARK=
.text
`.rdata
@.data
.rsrc
@.reloc
T$$Rj
D$ Pj
WVQPj
D$\Pj
T$,Rj
SPUQj
SRUPj
YQPSh
bad allocation
MiniDumpWriteDump
OpenThread
Thread32First
Thread32Next
CreateToolhelp32Snapshot
DllUnregisterServer
DllRegisterServer
DllCanUnloadNow
DllGetClassObject
ARSCOM
SetPermLayers
CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}
Session\%d\%s-%s-%d
%s-%s-%d
map/set<T> too long
invalid map/set<T> iterator
C:\DistributedAutoLink\Temp\CompileOutputDir\rsmain.pdb
SetUnhandledExceptionFilter
GetModuleFileNameW
LoadLibraryW
GetProcAddress
FreeLibrary
CreateFileW
CloseHandle
GetCurrentThreadId
GetCurrentProcessId
GetCurrentProcess
GetModuleHandleW
SuspendThread
GetLocalTime
RaiseException
GetCommandLineW
GetFileSize
SetFilePointer
lstrlenA
FindResourceExW
FindResourceW
LoadResource
CreateProcessW
InterlockedDecrement
WaitForSingleObject
OutputDebugStringW
GetTickCount
GetPrivateProfileStringW
WriteFile
WideCharToMultiByte
Sleep
SizeofResource
GetVersionExW
GetExitCodeProcess
lstrcpynW
GetFileAttributesW
lstrcatA
MultiByteToWideChar
lstrlenW
GetPrivateProfileIntW
OpenMutexW
GetLastError
GetCurrentDirectoryW
MoveFileW
LoadLibraryA
Process32FirstW
OpenMutexA
ProcessIdToSessionId
LocalAlloc
LockResource
Process32NextW
CreateToolhelp32Snapshot
ReleaseMutex
GetWindowsDirectoryW
DeleteFileW
LocalFree
SetFileAttributesW
lstrcpyA
lstrcmpiW
KERNEL32.dll
SendMessageW
AllowSetForegroundWindow
IsWindow
CharUpperW
FindWindowW
USER32.dll
OpenProcessToken
GetSidSubAuthority
GetSidSubAuthorityCount
GetTokenInformation
RegQueryValueExW
RegOpenKeyExA
RegQueryInfoKeyA
RegEnumValueA
RegOpenKeyExW
RegCloseKey
ADVAPI32.dll
ShellExecuteW
ShellExecuteExW
SHELL32.dll
CoCreateInstance
CoSetProxyBlanket
CoUninitialize
CoInitializeSecurity
CoInitialize
CoInitializeEx
ole32.dll
OLEAUT32.dll
??1?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@XZ
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@PB_W@Z
??$?8_WU?$char_traits@_W@std@@V?$allocator@_W@1@@std@@YA_NABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@0@PB_W@Z
?npos@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@2IB
?find_last_of@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEI_WI@Z
?erase@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV12@II@Z
?assign@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV12@ABV12@II@Z
?append@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV12@PB_W@Z
?append@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV12@ABV12@@Z
??Y?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAEAAV01@PB_W@Z
??0?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QAE@ABV01@@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z
MSVCP90.dll
PathRemoveExtensionW
SHLWAPI.dll
_set_invalid_parameter_handler
wcscat_s
wcscpy_s
wcsrchr
swprintf_s
??3@YAXPAX@Z
wcschr
memmove_s
_wcsicmp
sprintf
??1exception@std@@UAE@XZ
??0exception@std@@QAE@XZ
??0exception@std@@QAE@ABV01@@Z
memmove
_strlwr
calloc
wcsnlen
_wcslwr
_wcslwr_s
_invalid_parameter_noinfo
wcsstr
_recalloc
??_V@YAXPAX@Z
_vsnwprintf
swscanf_s
memcpy_s
_wcsupr
wcsspn
wcscspn
??2@YAPAXI@Z
strchr
MSVCR90.dll
_unlock
__dllonexit
_encode_pointer
_lock
_onexit
_decode_pointer
_amsg_exit
__wgetmainargs
_cexit
_exit
_XcptFilter
_wcmdln
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_crt_debugger_hook
_except_handler4_common
?terminate@@YAXXZ
?_type_info_dtor_internal_method@type_info@@QAEXXZ
_invoke_watson
_controlfp_s
InterlockedExchange
InterlockedCompareExchange
GetStartupInfoW
TerminateProcess
UnhandledExceptionFilter
IsDebuggerPresent
QueryPerformanceCounter
GetSystemTimeAsFileTime
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
HeapDestroy
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
GetProcessHeap
memset
_CxxThrowException
__CxxFrameHandler3
memcpy
.?AVtype_info@@
.?AV_com_error@@
welcome Rising*youarelawless!y2a3n4g5Y6U7q8i@S9I0N#A.C%O(M-)<>ABI993JIEM,;'{jkliewaqlsiqomv.z^iwaql}-_=+)_(l;2j2f90aslkjflkasjas32092JKLSJFbASAUI/Z/A[/,./|@~`FS'.Z,MF920SDLAFJKAL9320QFFMmlajfl,.<>//|348q9729|fjlail3jo798,ksafa302-s;akfa;=_++-0-_))0-0-p23is
welcome Rising*youarelawless!y2a$n4g5Y6U7q8i@S9I0N#A.C%O(M-)<>ABI99*JIEM,;'{jkliewaqlsiqomv.z^iwaql}-_=+)_(l;2j@f90aslkjflkasjas6j09kJKLSJFbASAUI/Z/A[/,./|@~`FS'.Z,MF920SDLAFJKAL9320QFFMmlajfl,.<>//|348q9729|fjlail3jo798,ksafa302-s;akfa;=_++-0-_))0-0-p^bis
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
.?AVIImpModuleBase@rsdk@@
.?AV?$tImpModuleMid@VCRSComLoader@@@rsdk@@
.?AVCRSComLoader@@
.?AVCAtlException@ATL@@
.?AVexception@std@@
.?AVout_of_range@std@@
.?AVlogic_error@std@@
.?AVlength_error@std@@
pl}J/*
</assembly>PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
>D?V?x?
54585P5
>8>D>
dbghelp.dll
c:\%s
kernel32.dll
%04d-%02d-%02d(%02d-%02d-%02d)
/ClearAppCompatFlags
/RestartByWMI
SOFTWARE\Rising\%s
installpath
datapath
SOFTWARE\Rising\
\NetConfig.ini
SETTING
Software\Microsoft\Windows\CurrentVersion
ProgramFilesDir
\Program Files
\Rising\RSD
RAV.INI
LEVEL
DEBUG
OUTPUT
LOGSIZE
RS_DEBUG_VIEW
2.log
[0x%08X]
[%04u]
[%04d-%02d-%02d][%02d:%02d:%02d:%03d]
[DETAIL]
[ACTION]
[WAINNING]
[ALERT]
[FATAL]
LOGNAME
\logfiles
\Rising\RSD\Data\
WILLREBOOT
SETUP
Rav.ini
@ROOT\CIMV2
Create
Win32_Process
CommandLine
CurrentDirectory
ReturnValue
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
apphelp.dll
ravmond.exe
ravmonexe
rstray.exe
rstrayexe
CB508F94-4FFA-4fa7-A4BC-CFC2A25A564A
Global\CB508F94-4FFA-4fa7-A4BC-CFC2A25A564A
C41DE27C-DE6B-440b-8CA4-5C9DAAB44B07
Global\C41DE27C-DE6B-440b-8CA4-5C9DAAB44B07
126EEC93-7882-4e96-9133-6C285F30AAA4
Global\126EEC93-7882-4e96-9133-6C285F30AAA4
<rsmain.exe> IsRavTryRunEx Entering ......
{D6EB0652-1172-4e51-BFC6-6AF63762C09C}
-srv setup
%installpath%
"%s\rsstub.exe"
/highrun /binpath "%s" /logon
/highrun /binpath "%s" /argument "%s" /logon
/runxml:
/highintegrity
\rscom.dll
\cfgxml\rscom.xml
\cfgxml\
rsshell xmls, rscomxml[%s], proccfgxml[%s]
rsxml3w.dll
runas
VS_VERSION_INFO
StringFileInfo
080404b0
CompanyName
Beijing Rising Information Technology Co., Ltd.
FileDescription
FileVersion
24.0.0.35
InternalName
Beijing Rising Information Technology Co., Ltd.
LegalCopyright
Copyright(C) 2015-2016 Beijing Rising Information Technology Co., Ltd. All Rights Reserved.
OriginalFilename
rsmain.exe
ProductName
rsmain Application
ProductVersion
24.00
SpecialBuild
20150901100559781
VarFileInfo
Translation
Antivirus engine/vendor Virus name/rule match Signature database date
Bkav No virus found 20160827
MicroWorld-eScan No virus found 20160827
nProtect No virus found 20160827
CMC No virus found 20160824
CAT-QuickHeal No virus found 20160826
McAfee No virus found 20160827
Malwarebytes No virus found 20160827
Zillya No virus found 20160826
TheHacker No virus found 20160826
BitDefender No virus found 20160827
K7GW No virus found 20160827
K7AntiVirus No virus found 20160827
TrendMicro No virus found 20160827
Baidu No virus found 20160827
F-Prot No virus found 20160827
Symantec No virus found 20160827
TotalDefense No virus found 20160827
TrendMicro-HouseCall No virus found 20160827
Avast No virus found 20160827
ClamAV No virus found 20160827
Kaspersky No virus found 20160827
Alibaba No virus found 20160826
NANO-Antivirus No virus found 20160827
ViRobot No virus found 20160827
AegisLab No virus found 20160827
Rising No virus found 20160827
Ad-Aware No virus found 20160827
Sophos No virus found 20160827
Comodo No virus found 20160827
F-Secure No virus found 20160827
DrWeb No virus found 20160827
VIPRE No virus found 20160827
Invincea No virus found 20160826
McAfee-GW-Edition No virus found 20160827
Emsisoft No virus found 20160827
Cyren No virus found 20160827
Jiangmin No virus found 20160827
Avira No virus found 20160827
Antiy-AVL No virus found 20160827
Kingsoft No virus found 20160827
Microsoft No virus found 20160827
Arcabit No virus found 20160827
SUPERAntiSpyware No virus found 20160826
GData No virus found 20160827
AhnLab-V3 No virus found 20160826
ALYac No virus found 20160827
AVware No virus found 20160827
VBA32 No virus found 20160826
Zoner No virus found 20160827
ESET-NOD32 No virus found 20160827
Tencent No virus found 20160827
Yandex No virus found 20160826
Ikarus No virus found 20160827
Fortinet No virus found 20160827
AVG No virus found 20160827
Panda No virus found 20160827
CrowdStrike No virus found 20160826
Qihoo-360 No virus found 20160827

Process tree

rsmain.exe, PID: 2776, parent PID: 2152

TCP

Source address Source port Destination address Destination port
192.168.122.70 51080 183.131.67.42 www.download.windowsupdate.com 80
192.168.122.70 51079 192.168.122.1 53
192.168.122.70 51081 23.44.155.27 ocsp.verisign.com 80
192.168.122.70 51082 23.44.155.27 ocsp.verisign.com 80

UDP

Source address Source port Destination address Destination port
192.168.122.69 5355 192.168.122.70 60614
192.168.122.70 51435 192.168.122.1 53
192.168.122.70 53257 192.168.122.1 53
192.168.122.70 54315 192.168.122.1 53
192.168.122.70 54531 192.168.122.1 53
192.168.122.70 57997 192.168.122.1 53
192.168.122.70 59485 192.168.122.1 53
192.168.122.70 64732 192.168.122.1 53
192.168.122.70 65276 192.168.122.1 53

HTTP requests

URI HTTP data
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86402
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 14 Jan 2016 00:22:10 GMT
If-None-Match: "0e59c9b614ed11:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com

http://sf.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEDIqeMqxALS22aDMZsFrgC0%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEDIqeMqxALS22aDMZsFrgC0%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: sf.symcd.com

http://sf.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEDIqeMqxALS22aDMZsFrgC0%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEDIqeMqxALS22aDMZsFrgC0%3D HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: sf.symcd.com

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results

Network alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No network-extracted files found
File name rsmain.exe.log
Related files
C:\Users\test\AppData\Local\Temp\rsmain.exe.log
File size 187 bytes
File type ASCII text, with CRLF line terminators
MD5 5101e6954e796749fff387750a797597
SHA1 0042a4d546762375ea028aa8e8987945ea498e24
SHA256 6f7ae9f6e8de43c9b3572adaa63b2d4f4059a2b6f431e3d7b82a9babca452260
CRC32 2D1ADBDF
Ssdeep 3:oVU+R6/l7QUw9KwmWOmWfkiE2J5xAIy3GGqOUDXJ+5OmWfkiE2J5xAIy3GIlLpIX:oLEWKhm+kn23fyWGqL+Im+kn23fyWIlW
[2016-05-21][14:26:44:582][2776][1248]: [ACTION]rsshell xmls, rscomxml[C:\Users\test\AppData\Local\Temp\cfgxml\rscom.xml], proccfgxml[C:\Users\test\AppData\Local\Temp\cfgxml\rsmain.xml]
No similar analyses found.

Processing ( 18.624 seconds )

  • 15.682 NetworkAnalysis
  • 1.204 VirusTotal
  • 0.717 Static
  • 0.506 peid
  • 0.227 Dropped
  • 0.186 TargetInfo
  • 0.046 BehaviorAnalysis
  • 0.02 AnalysisInfo
  • 0.015 Strings
  • 0.008 config_decoder
  • 0.007 Debug
  • 0.005 Memory
  • 0.001 ProcessMemory

Signatures ( 0.065 seconds )

  • 0.012 antiav_detectreg
  • 0.005 persistence_autorun
  • 0.005 antiav_detectfile
  • 0.005 infostealer_ftp
  • 0.004 geodo_banking_trojan
  • 0.004 ransomware_files
  • 0.003 disables_browser_warn
  • 0.003 infostealer_bitcoin
  • 0.003 infostealer_im
  • 0.003 infostealer_mail
  • 0.002 tinba_behavior
  • 0.002 antianalysis_detectreg
  • 0.002 antivm_vbox_files
  • 0.002 md_domain_bl
  • 0.002 network_torgateway
  • 0.001 betabot_behavior
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 modify_proxy
  • 0.001 browser_security
  • 0.001 modify_uac_prompt
  • 0.001 network_http

Reporting ( 2.886 seconds )

  • 2.324 ReportPDF
  • 0.551 ReportHTMLSummary
  • 0.011 Malheur
Task ID 18296
Mongo ID 57ddf2734d3bd0391814a6b7
Cuckoo release 1.4-Maldun