Analysis task

Analysis type    VM label                   Start time           End time             Duration
File (Windows)   win7-sp1-x64-shaapp02-1    2024-04-29 16:49:53  2024-04-29 16:52:08  135 s

Maldun score

1.725

Verdict: benign

The verdict rests on the dynamic run alone: the report contains no antivirus engine results and no code-signing check, and the run was made on a Windows 7 SP1 guest, which is below the image's declared minimum OS version of 10.0 (see PE information). A low sandbox score for a file named svchost.exe is not a substitute for verifying its Authenticode signature and comparing its hash against the copy in %SystemRoot%\System32 of a matching Windows build.

File details

File name   svchost.exe
File size   55456 bytes
File type   PE32+ executable (GUI) x86-64, for MS Windows
MD5         145dcf6706eeea5b066885ee17964c09
SHA1        445f5f38365af88ec29b357f4696f0e3ee50a1d8
SHA256      f13de58416730d210dab465b242e9c949fb0a0245eef45b07c381f0c6c8a43c3
SHA512      0df69957eb46166c262933f31560575b606304a70ae89588080d071b08220827e7d349aec899d780559fb297071f3810dd458445483568b3367419e2b9830d01
CRC32       B83EA2E8
Ssdeep      768:TCsmFHQ68l82s0GSNvJmEbcetbPamvK+mdGqTnXulYC68HVtQ8fB+1P09z5:T12HQC2s0GivbBti/cY4w8gPcz5
Contacted hosts

Direct IP         Rating   Geolocation
185.199.110.133   unknown

Domain resolution

Domain                      Rating   Response
raw.githubusercontent.com   unknown  A 185.199.109.133
                                     A 185.199.111.133
                                     A 185.199.110.133


PE information

Image base          0x140000000
Entry point         0x140005080
Declared checksum   0x000148a5
Actual checksum     0x000148a5
Minimum OS version  10.0
PDB path            svchost.pdb
Compile time        1979-09-01 07:20:03
Import hash         247b9220e5d9b720a82b2c8b5069ad69

The declared and recomputed checksums agree, so the file was not patched after linking; the checksum is not a security control, since anyone can recompute and rewrite it. The 1979 compile time is not evidence of tampering either: Microsoft links Windows binaries as reproducible builds, which store a hash of the image in the TimeDateStamp field instead of a real date. The declared minimum OS version of 10.0 is above the analysis VM (Windows 7 SP1 is version 6.1), so whatever this run recorded should not be read as representative of the image's behavior on a supported OS.

Version information

LegalCopyright
InternalName
FileVersion
CompanyName
ProductName
ProductVersion
FileDescription
OriginalFilename
Translation

The static parser returned no values for these fields. The VS_VERSION_INFO resource is nevertheless present in .rsrc; its strings (CompanyName "Microsoft Corporation", FileDescription "Host Process for Windows Services", FileVersion 10.0.19041.3636, OriginalFilename svchost.exe) appear in the strings listing below. Version strings are unauthenticated metadata and are trivially copied from the genuine binary.

PE sections

Name    Virtual address  Virtual size  Raw size    Characteristics                                                              Entropy
.text   0x00001000       0x00005bed    0x00005c00  IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ                  5.93
.rdata  0x00007000       0x000037d6    0x00003800  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                            4.55
.data   0x0000b000       0x00000878    0x00000200  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE        0.38
.pdata  0x0000c000       0x00000618    0x00000800  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                            3.60
.didat  0x0000d000       0x00000030    0x00000200  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE        0.35
.rsrc   0x0000e000       0x00000820    0x00000a00  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                            3.75
.reloc  0x0000f000       0x0000006c    0x00000200  IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ  1.28

No section is both writable and executable, and the .text entropy of 5.93 is in the normal range for compiled code; packed or encrypted payloads push a section's entropy toward 8. The .data raw size (0x200) is smaller than its virtual size (0x878) because the zero-initialized tail is not stored in the file.
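The checksum pair, image base, entry point, minimum OS version and per-section entropy above can all be re-derived from the raw headers without a sandbox. The Python below is an added example, not code from this report or from Cuckoo/Maldun. It computes the PE checksum the way imagehlp's CheckSumMappedFile does (a 32-bit sum with end-around carry over every dword except the CheckSum field, folded to 16 bits, plus the file length), reads the OS and subsystem version fields, and computes Shannon entropy per section. The file it parses is a minimal PE32+ constructed inside the block for the demonstration, not the analysed svchost.exe; it carries a deliberately wrong CheckSum, and the version tuple (6, 1) is assumed to stand for the report's win7-sp1-x64 guest.

```python
"""Re-derive the PE header facts a sandbox report prints and check them against the
analysis VM's OS version. Standard library only (no pefile). Added example, not code
from the report, Cuckoo or Maldun; build_sample() constructs a test PE, not the analysed file."""
import math
import struct


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """IMAGE_OPTIONAL_HEADER.CheckSum as imagehlp's CheckSumMappedFile computes it:
    32-bit sum with end-around carry over every dword except the CheckSum field,
    folded to 16 bits with end-around carry, plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes.
    Compiled code lands around 5 to 6.5; packed or encrypted sections approach 8."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in (buf.count(b) for b in set(buf)))


def parse_pe(data: bytes) -> dict:
    """Read the DOS, COFF, optional and section headers. Works for PE32 and PE32+:
    every optional-header field used here except ImageBase sits at the same offset."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if pe32plus:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    maj_os, min_os, _, _, maj_sub, min_sub = struct.unpack_from("<6H", data, opt + 40)
    checksum_offset = opt + 64
    sections = []
    for i in range(n_sections):
        sh = opt + opt_size + 40 * i
        name = data[sh:sh + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<4I", data, sh + 8)
        flags = struct.unpack_from("<I", data, sh + 36)[0]
        sections.append({"name": name, "virtual_address": vaddr, "virtual_size": vsize,
                         "raw_size": raw_size, "characteristics": flags,
                         "entropy": round(shannon_entropy(data[raw_ptr:raw_ptr + raw_size]), 2)})
    return {"pe32plus": pe32plus, "image_base": image_base, "entry_point": image_base + entry_rva,
            "checksum_offset": checksum_offset,
            "declared_checksum": struct.unpack_from("<I", data, checksum_offset)[0],
            "actual_checksum": pe_checksum(data, checksum_offset),
            "os_version": (maj_os, min_os),          # what the report calls "minimum OS version"
            "subsystem_version": (maj_sub, min_sub),  # the field the loader actually enforces
            "sections": sections}


def audit(data: bytes, vm_os_version: tuple) -> dict:
    """Header facts plus two verdicts: was the file modified after linking, and
    could the analysis VM even start it?"""
    hdr = parse_pe(data)
    hdr["checksum_matches"] = hdr["declared_checksum"] == hdr["actual_checksum"]
    # Windows refuses to start an image whose subsystem version is newer than itself.
    hdr["loadable_on_vm"] = hdr["subsystem_version"] <= vm_os_version
    return hdr


def fix_checksum(data: bytes) -> bytes:
    """Write the computed value into the CheckSum field as the linker would; the field
    is excluded from the sum, so the value does not change when written."""
    hdr = parse_pe(data)
    patched = bytearray(data)
    struct.pack_into("<I", patched, hdr["checksum_offset"], hdr["actual_checksum"])
    return bytes(patched)


def build_sample() -> bytes:
    """Constructed minimal PE32+ for the demonstration: one .text section holding two
    copies of 0x00..0xFF (entropy exactly 8.0) and a deliberately wrong CheckSum."""
    buf = bytearray(0x400)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                    # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x44, 0x8664, 1)              # Machine AMD64, NumberOfSections
    struct.pack_into("<HH", buf, 0x54, 0xF0, 0x0022)           # SizeOfOptionalHeader, Characteristics
    struct.pack_into("<H", buf, 0x58, 0x20B)                   # PE32+ magic
    struct.pack_into("<I", buf, 0x68, 0x1000)                  # AddressOfEntryPoint
    struct.pack_into("<Q", buf, 0x70, 0x140000000)             # ImageBase
    struct.pack_into("<II", buf, 0x78, 0x1000, 0x200)          # SectionAlignment, FileAlignment
    struct.pack_into("<HH", buf, 0x80, 10, 0)                  # Major/MinorOperatingSystemVersion
    struct.pack_into("<HH", buf, 0x88, 10, 0)                  # Major/MinorSubsystemVersion
    struct.pack_into("<II", buf, 0x90, 0x2000, 0x200)          # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", buf, 0x98, 0xDEADBEEF)              # CheckSum, wrong on purpose
    struct.pack_into("<H", buf, 0x9C, 2)                       # Subsystem: WINDOWS_GUI
    buf[0x148:0x150] = b".text\0\0\0"                          # first section header name
    struct.pack_into("<4I", buf, 0x150, 0x200, 0x1000, 0x200, 0x200)  # VirtualSize, VA, RawSize, RawPtr
    struct.pack_into("<I", buf, 0x16C, 0x60000020)             # CODE | EXECUTE | READ
    buf[0x200:0x400] = bytes(range(256)) * 2                   # section data
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample()
    report = audit(sample, vm_os_version=(6, 1))  # (6, 1) assumed for the report's win7-sp1-x64 guest
    for key in ("image_base", "entry_point", "declared_checksum", "actual_checksum"):
        print(f"{key:17} 0x{report[key]:x}")
    print("checksum matches ", report["checksum_matches"])
    print("minimum OS       ", report["os_version"], "loadable on VM:", report["loadable_on_vm"])
    for s in report["sections"]:
        print(f"{s['name']:8} VA 0x{s['virtual_address']:08x} raw 0x{s['raw_size']:x} entropy {s['entropy']}")
    print("after fix_checksum:", audit(fix_checksum(sample), (6, 1))["checksum_matches"])
```

To run it against a real file, pass `open(path, "rb").read()` to `audit`. A mismatch between declared and actual checksum means the file was modified after linking (or never had a checksum written); a match proves nothing about authenticity, because the value is recomputed in one line. `audit` compares the subsystem version, which is what the kernel enforces; the "minimum OS version" the report prints is the OperatingSystemVersion field, which is informational and happens to equal the subsystem version in the constructed sample.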

Imports

Library: api-ms-win-core-crt-l2-1-0.dll:
0x1400073b0 _initterm
0x1400073b8 _initterm_e
0x1400073c0 __wgetmainargs
0x1400073c8 exit
Library: api-ms-win-core-profile-l1-1-0.dll:
0x140007518 QueryPerformanceCounter
Library: api-ms-win-core-processthreads-l1-1-0.dll:
0x1400074b8 GetCurrentProcess
0x1400074c0 GetCurrentThreadId
0x1400074c8 GetCurrentProcessId
0x1400074d0 OpenProcessToken
0x1400074d8 TerminateProcess
0x1400074e8 ExitProcess
Library: api-ms-win-core-sysinfo-l1-1-0.dll:
0x140007608 GetSystemTimeAsFileTime
0x140007610 GetTickCount64
0x140007618 GetTickCount
Library: api-ms-win-core-rtlsupport-l1-1-0.dll:
0x140007560 RtlLookupFunctionEntry
0x140007568 RtlCaptureContext
0x140007570 RtlVirtualUnwind
Library: api-ms-win-core-errorhandling-l1-1-0.dll:
0x1400073f8 GetLastError
0x140007400 SetErrorMode
0x140007410 UnhandledExceptionFilter
Library: api-ms-win-service-private-l1-1-3.dll:
Library: api-ms-win-core-crt-l1-1-0.dll:
0x140007388 qsort_s
0x140007390 memcpy
0x140007398 memset
0x1400073a0 _wcsicmp
Library: api-ms-win-core-libraryloader-l1-2-0.dll:
0x140007470 GetProcAddress
0x140007478 FreeLibrary
0x140007480 LoadLibraryExW
Library: api-ms-win-core-heap-l1-1-0.dll:
0x140007430 HeapFree
0x140007438 GetProcessHeap
0x140007440 HeapAlloc
0x140007448 HeapSetInformation
Library: api-ms-win-core-synch-l1-1-0.dll:
0x1400075c8 LeaveCriticalSection
0x1400075d0 ReleaseSRWLockShared
0x1400075d8 AcquireSRWLockShared
0x1400075e0 InitializeSRWLock
0x1400075e8 ReleaseSRWLockExclusive
0x1400075f0 AcquireSRWLockExclusive
0x1400075f8 EnterCriticalSection
Library: api-ms-win-service-winsvc-l1-1-0.dll:
Library: api-ms-win-service-core-l1-1-0.dll:
0x1400076b8 SetServiceStatus
Library: api-ms-win-core-string-l1-1-0.dll:
0x1400075a8 MultiByteToWideChar
0x1400075b0 WideCharToMultiByte
0x1400075b8 CompareStringOrdinal
Library: api-ms-win-core-registry-l1-1-0.dll:
0x140007528 RegCloseKey
0x140007530 RegQueryValueExW
0x140007540 RegOpenKeyExW
0x140007548 RegGetValueW
0x140007550 RegEnumKeyExW
Library: api-ms-win-core-processenvironment-l1-1-0.dll:
0x1400074a8 GetCommandLineW
Library: api-ms-win-core-processthreads-l1-1-1.dll:
Library: api-ms-win-core-processthreads-l1-1-2.dll:
0x140007508 SetProtectedPolicy
Library: RPCRT4.dll:
0x140007330 RpcServerUnregisterIf
0x140007338 I_RpcMapWin32Status
0x140007350 RpcServerUseProtseqEpW
0x140007358 RpcServerUnregisterIfEx
0x140007368 RpcServerListen
0x140007370 RpcMgmtWaitServerListen
0x140007378 RpcServerRegisterIf
Library: api-ms-win-core-localization-l1-2-0.dll:
0x140007490 LCMapStringW
Library: api-ms-win-security-base-l1-1-0.dll:
0x140007678 MakeAbsoluteSD
0x140007680 AddAccessAllowedAce
0x140007688 GetTokenInformation
0x140007690 GetLengthSid
0x140007698 InitializeAcl
Library: api-ms-win-core-handle-l1-1-0.dll:
0x140007420 CloseHandle
Library: api-ms-win-eventing-provider-l1-1-0.dll:
0x140007648 EventRegister
0x140007650 EventSetInformation
0x140007658 EventWriteTransfer
Library: api-ms-win-crt-utility-l1-1-0.dll:
0x140007638 bsearch_s
Library: api-ms-win-core-sidebyside-l1-1-0.dll:
0x140007580 ActivateActCtx
0x140007588 DeactivateActCtx
0x140007590 ReleaseActCtx
0x140007598 CreateActCtxW
Library: api-ms-win-core-threadpool-private-l1-1-0.dll:
Library: ntdll.dll:
0x1400076f0 RtlQueryHeapInformation
0x1400076f8 TpAllocTimer
0x140007700 _vsnwprintf
0x140007708 EtwEventEnabled
0x140007710 TpReleaseWait
0x140007720 TpSetWait
0x140007728 TpAllocWait
0x140007730 EtwEventRegister
0x140007740 NtSetInformationProcess
0x140007748 RtlSetProcessIsCritical
0x140007750 TpSetTimerEx
0x140007758 TpSetTimer
0x140007760 RtlImageNtHeader
0x140007770 NtQuerySystemInformation
0x140007778 RtlRunOnceExecuteOnce
0x140007780 RtlNtStatusToDosError
0x140007788 RtlFreeHeap
0x140007790 EtwEventWrite
0x140007798 TpReleaseTimer
0x1400077a8 RtlInitializeSid
0x1400077b0 RtlSubAuthoritySid
0x1400077c8 RtlSubAuthorityCountSid
0x1400077d8 RtlLengthRequiredSid
0x1400077e8 RtlCopySid
0x1400077f0 TpWaitForTimer
0x1400077f8 RtlAllocateHeap
Library: api-ms-win-core-heap-l2-1-0.dll:
0x140007458 LocalAlloc
0x140007460 LocalFree
Library: api-ms-win-core-delayload-l1-1-1.dll:
0x1400073e8 ResolveDelayLoadedAPI
Library: api-ms-win-core-delayload-l1-1-0.dll:
0x1400073d8 DelayLoadFailureHook

Four libraries are listed without entries (api-ms-win-service-private-l1-1-3.dll, api-ms-win-service-winsvc-l1-1-0.dll, api-ms-win-core-processthreads-l1-1-1.dll, api-ms-win-core-threadpool-private-l1-1-0.dll) and some IAT slots inside listed libraries are absent (for example 0x1400074e0 and 0x140007538), so the static parser did not resolve every import. The strings listing below contains import names that do not appear here, such as RegisterServiceCtrlHandlerW, StartServiceCtrlDispatcherW, SetProcessMitigationPolicy and RegDisablePredefinedCacheEx. The resolved set (SCM registration, RPC server setup over ncacn_np, registry reads under Services and Svchost, ETW, SID and ACL construction) is the functional profile of a service host rather than of a dropper; it says nothing about the ServiceDll values the process would load, which come from the registry at run time.

Strings

.text
.rdata
.data
.pdata
.didat
.rsrc
.reloc
SvchostPushServiceGlobals
SvchostPushServiceGlobalsEx
ServiceMain
WldpIsAllowedEntryPoint
api-ms-win-core-com-l1-1-0.dll
NoUrlMimeFilters
LowResourceCallback
serviceName
heapLimit
notifyService
ServiceHeapUsage
PartA_PrivTags
serviceName
aveHeapAlloc
maxHeapAlloc
currentHeapAlloc
singleServiceHost
state
ServiceHeapUsage
PartA_PrivTags
serviceName
aveHeapAlloc
maxHeapAlloc
currentHeapAlloc
singleServiceHost
state
Microsoft.Windows.SvchostTelemetryProvider
svchost.pdb
.text$lp00svchost.exe!20_pri7
.text$lp01svchost.exe!20_pri7
.text$lp03svchost.exe!35_hybridboot
.text$mn
.text$mn$00
.text$zy
.text$zz
.rdata$brc
.rdata$00$brc
.idata$5
.00cfg
.CRT$XCA
.CRT$XCZ
.CRT$XIA
.CRT$XIZ
.gfids
.giats
.rdata
.rdata$00
.rdata$zETW0
.rdata$zETW1
.rdata$zETW2
.rdata$zETW9
.rdata$zz
.rdata$zzzdbg
.xdata
.didat$2
.didat$3
.didat$4
.didat$6
.didat$7
.idata$2
.idata$3
.idata$4
.idata$6
.data$dk00$brc
.data
.data$pr00
.bss$00
.bss$dk00
.bss$pr00
.bss$zz
.pdata
.didat$5
.rsrc$01
.rsrc$02
CLSIDFromString
CoUninitialize
CoCreateInstance
CoInitializeSecurity
CoInitializeEx
_initterm_e
_initterm
api-ms-win-core-crt-l2-1-0.dll
__wgetmainargs
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
api-ms-win-core-profile-l1-1-0.dll
api-ms-win-core-processthreads-l1-1-0.dll
api-ms-win-core-sysinfo-l1-1-0.dll
api-ms-win-core-rtlsupport-l1-1-0.dll
api-ms-win-core-errorhandling-l1-1-0.dll
I_RegisterSvchostNotificationCallback
api-ms-win-service-private-l1-1-3.dll
_wcsicmp
qsort_s
api-ms-win-core-crt-l1-1-0.dll
GetLastError
GetProcAddress
HeapFree
GetProcessHeap
HeapAlloc
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
AcquireSRWLockShared
ReleaseSRWLockShared
RegisterServiceCtrlHandlerW
SetServiceStatus
LoadLibraryExW
MultiByteToWideChar
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
ExpandEnvironmentStringsW
RegEnumKeyExW
CompareStringOrdinal
SetProcessMitigationPolicy
SetProtectedPolicy
RpcMgmtSetServerStackSize
I_RpcServerDisableExceptionFilter
HeapSetInformation
InitializeSRWLock
LCMapStringW
FreeLibrary
SetErrorMode
RegDisablePredefinedCacheEx
SetProcessAffinityUpdateMode
ExitProcess
GetCommandLineW
StartServiceCtrlDispatcherW
RegGetValueW
WideCharToMultiByte
GetTokenInformation
SetSecurityDescriptorGroup
MakeAbsoluteSD
AddAccessAllowedAce
GetLengthSid
InitializeAcl
InitializeSecurityDescriptor
OpenProcessToken
CloseHandle
SetSecurityDescriptorOwner
SetSecurityDescriptorDacl
EventRegister
EventSetInformation
EventWriteTransfer
GetTickCount64
api-ms-win-core-libraryloader-l1-2-0.dll
api-ms-win-core-heap-l1-1-0.dll
api-ms-win-core-synch-l1-1-0.dll
api-ms-win-service-winsvc-l1-1-0.dll
api-ms-win-service-core-l1-1-0.dll
api-ms-win-core-string-l1-1-0.dll
api-ms-win-core-registry-l1-1-0.dll
api-ms-win-core-processenvironment-l1-1-0.dll
api-ms-win-core-processthreads-l1-1-1.dll
api-ms-win-core-processthreads-l1-1-2.dll
RPCRT4.dll
api-ms-win-core-localization-l1-2-0.dll
api-ms-win-security-base-l1-1-0.dll
api-ms-win-core-handle-l1-1-0.dll
api-ms-win-eventing-provider-l1-1-0.dll
bsearch_s
api-ms-win-crt-utility-l1-1-0.dll
ActivateActCtx
DeactivateActCtx
CreateActCtxW
ReleaseActCtx
RegisterWaitForSingleObjectEx
api-ms-win-core-sidebyside-l1-1-0.dll
api-ms-win-core-threadpool-private-l1-1-0.dll
RtlNtStatusToDosError
RtlRunOnceExecuteOnce
NtQuerySystemInformation
RtlValidSecurityDescriptor
RtlImageNtHeader
RtlSetProcessIsCritical
NtSetInformationProcess
RtlUnhandledExceptionFilter
EtwEventRegister
TpAllocWait
TpSetWait
RtlNtStatusToDosErrorNoTeb
TpReleaseWait
EtwEventEnabled
EtwEventWrite
RtlAllocateHeap
RtlFreeHeap
TpSetTimerEx
TpWaitForTimer
TpReleaseTimer
TpSetTimer
TpAllocTimer
RtlQueryHeapInformation
ntdll.dll
_vsnwprintf
I_RpcMapWin32Status
EnterCriticalSection
RpcServerUseProtseqEpW
RpcServerUnregisterIfEx
LeaveCriticalSection
RpcServerUnregisterIf
LocalAlloc
RpcServerRegisterIf
RpcMgmtWaitServerListen
RpcServerListen
LocalFree
RpcMgmtStopServerListening
ResolveDelayLoadedAPI
DelayLoadFailureHook
api-ms-win-core-heap-l2-1-0.dll
api-ms-win-core-delayload-l1-1-1.dll
api-ms-win-core-delayload-l1-1-0.dll
RtlInitializeCriticalSection
RtlInitializeSid
RtlSubAuthoritySid
RtlGetDeviceFamilyInfoEnum
RtlReleaseSRWLockExclusive
RtlSubAuthorityCountSid
RtlAcquireSRWLockExclusive
RtlLengthRequiredSid
RtlDeriveCapabilitySidsFromName
RtlCopySid
memcpy
memset
Software\Microsoft\Windows NT\CurrentVersion\Svchost
SvchostHeapReportingThresholdInKB
System\CurrentControlSet\Control\SCMConfig
[%ws] [%ws]
[%ws]
ServiceMain
ServiceManifest
ServiceDll
Parameters
System\CurrentControlSet\Services
LegacyCOMBehavior
ServiceDllUnloadOnStop
tWLDP.DLL
CoInitializeSecurityParam
CoInitializeSecurityAllowLowBox
CoInitializeSecurityAllowInteractiveUsers
CoInitializeSecurityAllowComCapability
CoInitializeSecurityAllowCrossContainer
AuthenticationLevel
ImpersonationLevel
AuthenticationCapabilities
CoInitializeSecurityAppID
COM_UnmarshalingPolicy
COM_RoSettings
DefaultRpcStackSize
RpcExceptionFilterMode
SystemCritical
NoGuiAccess
COMAccessPermissionsSD
DynamicCodePolicy
BinarySignaturePolicy
RedirectionTrustPolicy
ExtensionPointsPolicy
Software\Microsoft\Windows\CurrentVersion\Diagnostics\PerfTrack\TraceProfile
svchost
EnableSvchostMitigationPolicy
lpacServicesManagement
\PIPE\
ncacn_np
VS_VERSION_INFO
StringFileInfo
040904B0
CompanyName
Microsoft Corporation
FileDescription
Host Process for Windows Services
FileVersion
10.0.19041.3636 (WinBuild.160101.0800)
InternalName
svchost.exe
LegalCopyright
Microsoft Corporation. All rights reserved.
OriginalFilename
svchost.exe
ProductName
Operating System
ProductVersion
10.0.19041.3636
VarFileInfo
Translation
en-US
No antivirus engine scan results.

Process tree

svchost.exe, PID: 2620, parent PID: 2268

TCP

Source           Source port  Destination                                  Destination port
192.168.122.201  49161        185.199.110.133 (raw.githubusercontent.com)  443
192.168.122.201  49158        23.214.95.221                                80

UDP

Source           Source port  Destination    Destination port
192.168.122.201  57526        192.168.122.1  53
192.168.122.201  63246        192.168.122.1  53

HTTP requests

URI: http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip

GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

The User-Agent "IPM" and the acroipm.adobe.com host are Adobe Reader's in-product messaging check, i.e. background traffic from software installed in the analysis VM. The report does not attribute connections to processes, so neither this request nor the port 443 connection to raw.githubusercontent.com can be tied to the sample from the data shown.

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results.

Network alerts

No alerts.

TLS

No TLS handshake recorded. The sandbox logged a TCP connection to raw.githubusercontent.com on port 443 but captured no TLS record for it, so nothing is known about what, if anything, was transferred.

Suricata HTTP

No Suricata HTTP

No files extracted from network traffic.
No files dropped.
No similar analyses found.

Processing ( 28.112 seconds )

  • 13.04 NetworkAnalysis
  • 12.473 Suricata
  • 1.143 Static
  • 0.871 BehaviorAnalysis
  • 0.308 peid
  • 0.26 TargetInfo
  • 0.01 AnalysisInfo
  • 0.005 Strings
  • 0.002 Memory

Signatures ( 1.913 seconds )

  • 1.314 proprietary_url_bl
  • 0.094 antiav_detectreg
  • 0.052 api_spamming
  • 0.041 stealth_timeout
  • 0.039 stealth_decoy_document
  • 0.033 infostealer_ftp
  • 0.02 infostealer_im
  • 0.019 antiav_detectfile
  • 0.019 antianalysis_detectreg
  • 0.015 mimics_filetime
  • 0.013 reads_self
  • 0.013 shifu_behavior
  • 0.013 virus
  • 0.012 stealth_file
  • 0.012 antivm_generic_disk
  • 0.012 infostealer_bitcoin
  • 0.011 bootkit
  • 0.011 infostealer_mail
  • 0.011 proprietary_domain_bl
  • 0.01 hancitor_behavior
  • 0.008 antivm_vbox_files
  • 0.008 geodo_banking_trojan
  • 0.006 anomaly_persistence_autorun
  • 0.006 kibex_behavior
  • 0.005 antivm_generic_scsi
  • 0.005 antivm_xen_keys
  • 0.004 antiemu_wine_func
  • 0.004 proprietary_anomaly_massive_file_ops
  • 0.004 betabot_behavior
  • 0.004 infostealer_browser_password
  • 0.004 kovter_behavior
  • 0.004 antivm_parallels_keys
  • 0.004 darkcomet_regkeys
  • 0.004 ransomware_extensions
  • 0.004 ransomware_files
  • 0.003 injection_createremotethread
  • 0.003 antivm_generic_services
  • 0.003 antidbg_devices
  • 0.003 antivm_generic_diskreg
  • 0.003 disables_browser_warn
  • 0.003 network_http
  • 0.003 recon_fingerprint
  • 0.002 tinba_behavior
  • 0.002 hawkeye_behavior
  • 0.002 network_tor
  • 0.002 rat_nanocore
  • 0.002 anormaly_invoke_kills
  • 0.002 injection_runpe
  • 0.002 antisandbox_productid
  • 0.002 antivm_hyperv_keys
  • 0.002 network_torgateway
  • 0.002 rat_pcclient
  • 0.001 antivm_vbox_libs
  • 0.001 antiav_avast_libs
  • 0.001 kazybot_behavior
  • 0.001 antisandbox_sunbelt_libs
  • 0.001 antisandbox_sboxie_libs
  • 0.001 antiav_bitdefender_libs
  • 0.001 exec_crash
  • 0.001 cerber_behavior
  • 0.001 bypass_firewall
  • 0.001 sniffer_winpcap
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_generic_bios
  • 0.001 antivm_generic_cpu
  • 0.001 antivm_generic_system
  • 0.001 antivm_xen_keys
  • 0.001 antivm_vbox_acpi
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_files
  • 0.001 antivm_vmware_keys
  • 0.001 antivm_vpc_keys
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 browser_security
  • 0.001 modify_proxy
  • 0.001 disables_system_restore
  • 0.001 codelux_behavior
  • 0.001 proprietary_malicious_drop_executable_file_to_temp_folder
  • 0.001 proprietary_anomaly_invoke_vb_vba
  • 0.001 proprietary_bad_drop
  • 0.001 network_cnc_http
  • 0.001 packer_armadillo_regkey
  • 0.001 recon_programs

Reporting ( 0.894 seconds )

  • 0.847 ReportHTMLSummary
  • 0.047 Malheur
Task ID 744453
Mongo ID 662f6009dc327b46be81136e
Cuckoo release 1.4-Maldun