Analysis Task

Analysis type VM label Start time End time Duration
File (Windows) win7-sp1-x64-shaapp03-1 2021-04-08 23:33:36 2021-04-08 23:35:42 126 seconds

Maldun Score

9.8125

Dangerous

File Details

File name gamqoi.exe
File size 41427 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 a3653c7d9af390813ab9dfe0d89ed261
SHA1 99227541d041b39a4f8b826f1433a62dc2199538
SHA256 37962b94685365ec39d2c2499c93c218219cdcafb26fde184f27b153e92da784
SHA512 ca05a7654b692c3d9e8fa9352bb5a6992c5f4bf3948573a089244aa6b7744ab46d7f87817ce0799ed03339358e661e91ea43174e0453425891cba304a4afcdc3
CRC32 635F76C0
Ssdeep 768:FAum/U12tZAW/BXcTjX/O8KDbZSAn6yHEojY9Poc:1iI2tZ7XqYZZn6yH1mgc

Hosts Contacted

No host records.

DNS Resolution

Domain Safety rating Response
acroipm.adobe.com A 23.223.195.201
CNAME acroipm.adobe.com.edgesuite.net
CNAME a1983.dscd.akamai.net
A 23.223.195.194

PE Information

Image base 0x00400000
Entry point 0x004036ef
Declared checksum 0x00000000
Actual checksum 0x000195da
Minimum OS version required 4.0
Compile time 2010-10-20 03:03:26
Import hash ab068c7ff5659f2cd7d0cb03525e6939

Version Information

LegalCopyright
InternalName
FileVersion
CompanyName
LegalTrademarks
ProductName
ProductVersion
FileDescription
OriginalFilename
Translation

PE Sections

Name Virtual address Virtual size Raw data size Characteristics Entropy
.text 0x00001000 0x00005092 0x00005200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.11
.rdata 0x00007000 0x000015f8 0x00001600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.58
.data 0x00009000 0x0000142c 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.36
.rsrc 0x0000b000 0x000021fc 0x00002200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.04

Overlay

Offset 0x00009e00
Size 0x000003d3

Resources

Name Offset Size Language Sublanguage Entropy File type
RT_DIALOG 0x0000b0e8 0x00000038 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.53 data
RT_RCDATA 0x0000b120 0x00001e00 LANG_NEUTRAL SUBLANG_NEUTRAL 5.18 PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
RT_VERSION 0x0000cf20 0x000002dc LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.54 data

Imports

Library: MFC42.DLL:
0x40711c None
0x407120 None
0x407124 None
0x407128 None
0x40712c None
0x407130 None
0x407134 None
0x407138 None
0x40713c None
0x407140 None
0x407144 None
0x407148 None
0x40714c None
0x407150 None
0x407154 None
0x407158 None
0x40715c None
0x407160 None
0x407164 None
0x407168 None
0x40716c None
0x407170 None
0x407174 None
0x407178 None
0x40717c None
0x407180 None
0x407184 None
0x407188 None
0x40718c None
0x407190 None
0x407194 None
0x407198 None
0x40719c None
0x4071a0 None
0x4071a4 None
0x4071a8 None
0x4071ac None
0x4071b0 None
0x4071b4 None
0x4071b8 None
0x4071bc None
0x4071c0 None
0x4071c4 None
0x4071c8 None
0x4071cc None
0x4071d0 None
0x4071d4 None
0x4071d8 None
0x4071dc None
0x4071e0 None
0x4071e4 None
0x4071e8 None
0x4071ec None
0x4071f0 None
0x4071f4 None
0x4071f8 None
0x4071fc None
0x407200 None
0x407204 None
0x407208 None
0x40720c None
0x407210 None
0x407214 None
0x407218 None
0x40721c None
0x407220 None
0x407224 None
0x407228 None
0x40722c None
0x407230 None
0x407234 None
0x407238 None
0x40723c None
0x407240 None
0x407244 None
0x407248 None
0x40724c None
0x407250 None
0x407254 None
0x407258 None
0x40725c None
0x407260 None
0x407264 None
0x407268 None
Library: MSVCRT.dll:
0x407270 sprintf
0x407274 rand
0x407278 __getmainargs
0x40727c fread
0x407280 ftell
0x407284 fseek
0x407288 fclose
0x40728c fopen
0x407290 _setmbcp
0x407294 _acmdln
0x407298 _controlfp
0x40729c __set_app_type
0x4072a0 __p__fmode
0x4072a4 __p__commode
0x4072a8 _adjust_fdiv
0x4072ac __setusermatherr
0x4072b0 _initterm
0x4072b4 exit
0x4072b8 _XcptFilter
0x4072bc __CxxFrameHandler
0x4072c0 strstr
0x4072c4 atoi
0x4072c8 strncpy
0x4072cc strcspn
0x4072d0 strncmp
0x4072d4 _except_handler3
0x4072d8 __dllonexit
0x4072dc _onexit
0x4072e0 _exit
0x4072e4 malloc
Library: KERNEL32.dll:
0x40703c CopyFileA
0x407040 CreateMutexA
0x407044 WaitForSingleObject
0x407048 lstrcpyA
0x40704c GetFileAttributesA
0x407050 GetFileSize
0x407054 GlobalAlloc
0x407058 ReadFile
0x40705c GlobalFree
0x407064 UpdateResourceA
0x407068 EndUpdateResourceA
0x40706c EnumResourceNamesA
0x407070 GetSystemDirectoryA
0x407074 LoadResource
0x407078 LockResource
0x40707c WriteFile
0x407080 GetTempPathA
0x407084 MoveFileExA
0x407088 CloseHandle
0x40708c CreateFileA
0x407090 lstrcpynA
0x407094 lstrlenA
0x407098 OpenMutexA
0x40709c GetLastError
0x4070a0 ReleaseMutex
0x4070a4 lstrcatA
0x4070a8 ExitProcess
0x4070ac DeleteFileA
0x4070b0 LoadLibraryA
0x4070b4 GetProcAddress
0x4070b8 FreeLibrary
0x4070bc Sleep
0x4070c0 CreateThread
0x4070c4 GetTickCount
0x4070cc GetComputerNameA
0x4070d0 GetLocaleInfoW
0x4070d4 GetModuleHandleA
0x4070d8 GetStartupInfoA
0x4070dc FindResourceA
0x4070e0 ExitThread
0x4070e4 TerminateProcess
0x4070e8 CreateProcessA
0x4070ec VirtualQueryEx
0x4070f0 ReadProcessMemory
0x4070f4 GetThreadContext
0x4070f8 ResumeThread
0x4070fc SetThreadContext
0x407100 WriteProcessMemory
0x407104 VirtualProtectEx
0x407108 VirtualAllocEx
0x40710c VirtualAlloc
0x407110 GetModuleFileNameA
0x407114 WinExec
Library: USER32.dll:
0x4072f4 wsprintfA
0x4072f8 GetSystemMetrics
0x4072fc GetDesktopWindow
0x407300 SetWindowLongA
0x407304 LoadIconA
0x407308 DrawIcon
0x40730c GetClientRect
0x407310 EnableWindow
0x407314 IsIconic
0x407318 SendMessageA
Library: ADVAPI32.dll:
0x407000 DeleteService
0x407004 OpenServiceA
0x407008 OpenSCManagerA
0x40700c RegCloseKey
0x407010 RegQueryValueExA
0x407014 RegOpenKeyExA
0x407018 SetServiceStatus
0x40701c CreateServiceA
0x407020 StartServiceA
0x407024 RegOpenKeyA
0x407028 RegSetValueExA
0x40702c CloseServiceHandle
Library: SHELL32.dll:
0x4072ec ShellExecuteA
Library: WS2_32.dll:
0x407338 WSAStartup
0x40733c send
0x407340 select
0x407344 __WSAFDIsSet
0x407348 recv
0x40734c getpeername
0x407350 setsockopt
0x407354 WSAIoctl
0x407358 htons
0x40735c socket
0x407360 connect
0x407364 closesocket
0x407368 gethostbyname
0x40736c inet_addr
0x407370 sendto
0x407374 WSASocketA
0x407378 htonl
0x40737c ntohs
Library: WINMM.dll:
0x407330 timeGetTime
Library: WININET.dll:
0x407320 InternetOpenUrlA
0x407324 InternetReadFile
0x407328 InternetCloseHandle

No antivirus engine scan information!

Process Tree

gamqoi.exe, PID: 2472, Parent PID: 2148
services.exe, PID: 432, Parent PID: 344
rkhdck.exe, PID: 2796, Parent PID: 432
AcroRd32.exe, PID: 816, Parent PID: 304
WerFault.exe, PID: 2200, Parent PID: 816
svchost.exe, PID: 2944, Parent PID: 432
taskhost.exe, PID: 2516, Parent PID: 432
mscorsvw.exe, PID: 284, Parent PID: 432
mscorsvw.exe, PID: 2220, Parent PID: 432

TCP

Source address Source port Destination address Destination port
192.168.122.201 49167 23.223.195.194 acroipm.adobe.com 80

UDP

Source address Source port Destination address Destination port
192.168.122.201 59401 192.168.122.1 53

HTTP Requests

URI HTTP data
URL: http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

SMTP Traffic

No SMTP traffic.

IRC Traffic

No IRC requests.

ICMP Traffic

No ICMP traffic.

CIF Report

No CIF results

Network Alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No network-extracted files found.
Sorry! No files were dropped.
No similar analyses found.

Processing ( 17.005 seconds )

  • 11.139 Suricata
  • 2.541 BehaviorAnalysis
  • 1.557 VirusTotal
  • 0.817 NetworkAnalysis
  • 0.369 Static
  • 0.295 peid
  • 0.268 TargetInfo
  • 0.012 AnalysisInfo
  • 0.005 Strings
  • 0.002 Memory

Signatures ( 2.338 seconds )

  • 1.349 md_url_bl
  • 0.154 api_spamming
  • 0.112 stealth_decoy_document
  • 0.111 stealth_timeout
  • 0.106 injection_createremotethread
  • 0.075 antiav_detectreg
  • 0.06 injection_runpe
  • 0.05 injection_explorer
  • 0.03 infostealer_ftp
  • 0.017 infostealer_im
  • 0.015 antianalysis_detectreg
  • 0.013 mimics_filetime
  • 0.012 reads_self
  • 0.012 virus
  • 0.012 antiav_detectfile
  • 0.011 shifu_behavior
  • 0.011 antivm_generic_disk
  • 0.01 stealth_file
  • 0.01 antivm_generic_scsi
  • 0.01 infostealer_mail
  • 0.01 md_domain_bl
  • 0.009 bootkit
  • 0.008 infostealer_bitcoin
  • 0.007 hancitor_behavior
  • 0.006 geodo_banking_trojan
  • 0.005 antivm_generic_services
  • 0.005 anomaly_persistence_autorun
  • 0.005 antivm_vbox_files
  • 0.005 ransomware_extensions
  • 0.004 betabot_behavior
  • 0.004 kibex_behavior
  • 0.004 anormaly_invoke_kills
  • 0.004 kovter_behavior
  • 0.004 antivm_xen_keys
  • 0.004 ransomware_files
  • 0.003 antiemu_wine_func
  • 0.003 infostealer_browser_password
  • 0.003 antidbg_windows
  • 0.003 antivm_generic_diskreg
  • 0.003 antivm_parallels_keys
  • 0.003 darkcomet_regkeys
  • 0.003 network_http
  • 0.003 recon_fingerprint
  • 0.002 tinba_behavior
  • 0.002 antivm_vbox_libs
  • 0.002 rat_nanocore
  • 0.002 maldun_anomaly_massive_file_ops
  • 0.002 antidbg_devices
  • 0.002 antisandbox_productid
  • 0.002 disables_browser_warn
  • 0.002 network_torgateway
  • 0.001 hawkeye_behavior
  • 0.001 network_tor
  • 0.001 antiav_avast_libs
  • 0.001 dridex_behavior
  • 0.001 maldun_anomaly_write_exe_and_obsfucate_extension
  • 0.001 kazybot_behavior
  • 0.001 antisandbox_sunbelt_libs
  • 0.001 exec_crash
  • 0.001 cerber_behavior
  • 0.001 bypass_firewall
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_generic_bios
  • 0.001 antivm_generic_cpu
  • 0.001 antivm_generic_system
  • 0.001 antivm_xen_keys
  • 0.001 antivm_hyperv_keys
  • 0.001 antivm_vbox_acpi
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_files
  • 0.001 antivm_vmware_keys
  • 0.001 antivm_vpc_keys
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 codelux_behavior
  • 0.001 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 maldun_anomaly_invoke_vb_vba
  • 0.001 md_bad_drop
  • 0.001 network_cnc_http
  • 0.001 packer_armadillo_regkey
  • 0.001 rat_pcclient
  • 0.001 recon_programs
  • 0.001 stealth_modify_uac_prompt

Reporting ( 0.615 seconds )

  • 0.558 ReportHTMLSummary
  • 0.057 Malheur

Task ID 628815
Mongo ID 606f22f67e769a06adeb3795
Cuckoo release 1.4-Maldun