Manalyze report for 0cd128f416a04c06d50ec56392c25d9f

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2104-Nov-12 20:36:41
Detected languages	English - United States
Debug artifacts	svchost.pdb
CompanyName	Microsoft Corporation
FileDescription	Host Process for Windows Services
FileVersion	`10.0.26100.1150 (WinBuild.160101.0800)`
InternalName	svchost.exe
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	svchost.exe
ProductName	Microsoft® Windows® Operating System
ProductVersion	`10.0.26100.1150`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 8.0`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`May have dropper capabilities: CurrentControlSet\Services`
Suspicious	The PE is possibly packed.	`Unusual section name found: fothk`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW` `Functions which can be used for anti-debugging purposes: NtQueryInformationProcess NtQuerySystemInformation` `Can access the registry: RegEnumKeyExW RegQueryValueExW RegCloseKey RegOpenKeyExW RegGetValueW` `Uses Windows's Native API: NtSetInformationProcess NtQueryInformationProcess NtQuerySystemInformation` `Functions related to the privilege level: OpenProcessToken`
Info	The PE is digitally signed.	`Signer: Microsoft Windows Publisher` `Issuer: Microsoft Windows Production PCA 2011`
Safe	VirusTotal score: 0/73 (Scanned on 2024-10-13 15:55:48)	`All the AVs think this file is safe.`

Hashes

MD5	`0cd128f416a04c06d50ec56392c25d9f`
SHA1	`55efb424933087d755b18468bc574db4463d9ce6`
SHA256	`324451797ac909a4dd40c7a2f7347ef91f6b7c786941ad5035f609c0fc15edaa`
SHA3	`9a9d1d18d31cc29b1a8ddf5279effeb5bc84397103a089821eb1f368c2003b8d`
SSDeep	`1536:fLXMvWgR/K1oAoJVqHY5uZgSV+lLNsUP4SzG:fmR/K1oAowY5jSQZrwSa`
Imports Hash	`8daadf8ea66c89ae21239369044d576c`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x108`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`8`
TimeDateStamp	2104-Nov-12 20:36:41
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x8000`
SizeOfInitializedData	`0xa000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000004FE0 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`A.0`
ImageVersion	`A.0`
SubsystemVersion	`A.0`
Win32VersionValue	`0`
SizeOfImage	`0x13000`
SizeOfHeaders	`0x1000`
Checksum	`0x19466`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x80000`
SizeofStackCommit	`0x4000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`855c6b758f8ac80e5295d9730896af6c`
SHA1	`8bda8061140a04d2e44ebb3d0709bbc76de0be78`
SHA256	`964eb45df62bcc0736914c22d5b43afcf2de424bed8245a69f4b3fd550007e14`
SHA3	`78c6a40336ba07147d071618edc7ce00f97b0ca2a2ef61a2e5d797a89b1fd8c2`
VirtualSize	`0x6ae8`
VirtualAddress	`0x1000`
SizeOfRawData	`0x7000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.83102`

fothk

MD5	`b5e6b88b1014240156b8a9a13b1ee5de`
SHA1	`875fa7ea3b726a79c9dd5a76d6613c28f6d31105`
SHA256	`cfcbf6122021655712fc95441f25e0f51b3539b73328b26bbd2c4ce356d5c91b`
SHA3	`c47eddab6d56e6c1f7082f43637cfab9f6d0dfdd4c1e32eb9dd52ef2b51f1923`
VirtualSize	`0x1000`
VirtualAddress	`0x8000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x8000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`0.0159202`

.rdata

MD5	`cd7291a0834d80cb03289c0e3bc3ee90`
SHA1	`1f4d6d6561560d4902630252719e60950e13d6bc`
SHA256	`ca5e6e80fdf9e0b09cae1b3585978d4811c535796058136f8932757ca0c26c95`
SHA3	`5ee3e4f88f9692f7c5b9ea43a3e6163189b78c10a5fa9ba9036101fad69dbd80`
VirtualSize	`0x4454`
VirtualAddress	`0x9000`
SizeOfRawData	`0x5000`
PointerToRawData	`0x9000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.04539`

.data

MD5	`581a9d8c0bf9b33336f81b8759159645`
SHA1	`aa8284fcd76674e7c1acf1ca633865a675149984`
SHA256	`083c4f45aa15a173a3e0d041baa3b812b1f048334387a31805f06d7a12c26280`
SHA3	`d8ea769841e4daf17e5274948ef949b9302472d8783e43f27305f01e881d58d5`
VirtualSize	`0x9a0`
VirtualAddress	`0xe000`
SizeOfRawData	`0x1000`
PointerToRawData	`0xe000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.0782098`

.pdata

MD5	`dbc73a85a59c5717179c0f24c045beee`
SHA1	`ff85bc05b6d3adb72e50e37b80919550c8e54ec1`
SHA256	`b28c2e5b3a57adf2275d5a71ca7895f56f8d5dcc24939df2addf485043e9d533`
SHA3	`5fcb0303e6fa26c053d66f72f954b793f4cce4e0875fc1f6428f1ee70b413520`
VirtualSize	`0x6d8`
VirtualAddress	`0xf000`
SizeOfRawData	`0x1000`
PointerToRawData	`0xf000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.25304`

.didat

MD5	`aeebda1504ce728254486bd7dbee67be`
SHA1	`35a926967bdbc928709d52c3c60cc4ffb16f6bf8`
SHA256	`842ae39154156fd35cf3dbd708f9f0db62c94fd3de9dd15cf93166db8f1f6573`
SHA3	`cdc809696dad711f2f70bc6f0a0bfe627b6a57cd825348d1f7a41ffa7887dc82`
VirtualSize	`0xc0`
VirtualAddress	`0x10000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x10000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.194615`

.rsrc

MD5	`1396955e3fd0bad4ddfa53631cc2b272`
SHA1	`e1779383b231d5cdf44ce84eb0dd316825558673`
SHA256	`d1fc5c57dfe75906cce1b82f158bdfd231a2fe28ffeba500490f5884d329013a`
SHA3	`b83543b03f58336d168ca9d01b73e4e4409fa11777d1258eff6da1f1497ff468`
VirtualSize	`0x820`
VirtualAddress	`0x11000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x11000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.6058`

.reloc

MD5	`789316021c8d30f1928c8b76eb2b32b2`
SHA1	`c9c2162f1640ae068ef770da9fb45d8cf7813af2`
SHA256	`4455fd6eaeb0fcd4aeb72f36fa389b3c1213eb19486b76af78914e4625f62dcd`
SHA3	`74910576527e4d911695e972b36961698ee733a9ff8e93fb02b96f91240dc25b`
VirtualSize	`0x100`
VirtualAddress	`0x12000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x12000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`0.435878`

Imports

api-ms-win-crt-runtime-l1-1-0.dll	`_c_exit` `_register_thread_local_exe_atexit_callback` `_initterm_e` `_initterm`
api-ms-win-crt-private-l1-1-0.dll	`_o__configthreadlocale` `_o__configure_wide_argv` `_o__crt_atexit` `_o__exit` `_o__get_initial_wide_environment` `_o__initialize_onexit_table` `_o__initialize_wide_environment` `_o__register_onexit_function` `_o__seh_filter_exe` `_o__set_app_type` `_o__set_fmode` `_o__set_new_mode` `_o__cexit` `memcpy` `_o__wcsicmp` `_o_bsearch_s` `_o_exit` `_o_qsort_s` `_o_terminate` `__C_specific_handler` `__current_exception` `__current_exception_context` `_o___stdio_common_vswprintf` `_o___p__commode` `_o___p___wargv` `_o___p___argc`
api-ms-win-crt-string-l1-1-0.dll	`memset`
api-ms-win-core-profile-l1-1-0.dll	`QueryPerformanceCounter`
api-ms-win-core-processthreads-l1-1-0.dll	`SetProcessAffinityUpdateMode` `GetCurrentProcessId` `GetCurrentThreadId` `OpenProcessToken` `ExitProcess` `TerminateProcess` `GetCurrentProcess`
api-ms-win-core-sysinfo-l1-1-0.dll	`GetSystemTimeAsFileTime` `GetTickCount64`
api-ms-win-core-interlocked-l1-1-0.dll	`InitializeSListHead`
api-ms-win-core-rtlsupport-l1-1-0.dll	`RtlCaptureContext` `RtlVirtualUnwind` `RtlLookupFunctionEntry`
api-ms-win-core-debug-l1-1-0.dll	`DebugBreak` `IsDebuggerPresent`
api-ms-win-core-errorhandling-l1-1-0.dll	`SetErrorMode` `SetUnhandledExceptionFilter` `UnhandledExceptionFilter` `GetLastError`
api-ms-win-core-processthreads-l1-1-1.dll	`IsProcessorFeaturePresent` `SetProcessMitigationPolicy`
api-ms-win-core-libraryloader-l1-2-0.dll	`GetProcAddress` `FreeLibrary` `GetModuleHandleW` `LoadLibraryExW`
api-ms-win-eventing-provider-l1-1-0.dll	`EventRegister` `EventWriteTransfer` `EventSetInformation`
api-ms-win-core-heap-l1-1-0.dll	`HeapFree` `GetProcessHeap` `HeapAlloc` `HeapSetInformation`
api-ms-win-core-synch-l1-1-0.dll	`ReleaseSRWLockExclusive` `AcquireSRWLockShared` `InitializeSRWLock` `ReleaseSRWLockShared` `AcquireSRWLockExclusive` `EnterCriticalSection` `LeaveCriticalSection`
api-ms-win-core-string-l1-1-0.dll	`CompareStringOrdinal` `WideCharToMultiByte` `MultiByteToWideChar`
api-ms-win-core-registry-l1-1-0.dll	`RegEnumKeyExW` `RegQueryValueExW` `RegCloseKey` `RegDisablePredefinedCacheEx` `RegOpenKeyExW` `RegGetValueW`
api-ms-win-core-processenvironment-l1-1-0.dll	`GetCommandLineW` `ExpandEnvironmentStringsW`
api-ms-win-core-processthreads-l1-1-2.dll	`SetProtectedPolicy`
api-ms-win-core-synch-l1-2-0.dll	`SleepConditionVariableSRW` `WakeAllConditionVariable` `InitializeConditionVariable`
api-ms-win-core-localization-l1-2-0.dll	`LCMapStringW`
api-ms-win-security-base-l1-1-0.dll	`GetTokenInformation` `SetSecurityDescriptorDacl` `SetSecurityDescriptorOwner` `InitializeSecurityDescriptor` `InitializeAcl` `GetLengthSid` `AddAccessAllowedAce` `MakeAbsoluteSD` `SetSecurityDescriptorGroup`
api-ms-win-core-handle-l1-1-0.dll	`CloseHandle`
api-ms-win-core-delayload-l1-1-1.dll	`ResolveDelayLoadedAPI`
api-ms-win-core-delayload-l1-1-0.dll	`DelayLoadFailureHook`
api-ms-win-core-sidebyside-l1-1-0.dll	`ReleaseActCtx` `DeactivateActCtx` `ActivateActCtx` `CreateActCtxW`
api-ms-win-core-threadpool-private-l1-1-0.dll	`RegisterWaitForSingleObjectEx`
ntdll.dll	`TpAllocWait` `TpSetWait` `RtlNtStatusToDosErrorNoTeb` `TpReleaseWait` `EtwEventEnabled` `EtwEventWrite` `RtlAllocateHeap` `RtlFreeHeap` `TpSetTimerEx` `TpWaitForTimer` `TpReleaseTimer` `TpSetTimer` `RtlUnhandledExceptionFilter` `RtlQueryHeapInformation` `NtSetInformationProcess` `RtlSetProcessIsCritical` `RtlImageNtHeader` `NtQueryInformationProcess` `RtlValidSecurityDescriptor` `RtlRunOnceExecuteOnce` `EtwEventRegister` `NtQuerySystemInformation` `RtlNtStatusToDosError` `RtlInitializeCriticalSection` `RtlInitializeSid` `RtlSubAuthoritySid` `RtlGetDeviceFamilyInfoEnum` `RtlReleaseSRWLockExclusive` `RtlSubAuthorityCountSid` `RtlAcquireSRWLockExclusive` `RtlLengthRequiredSid` `RtlDeriveCapabilitySidsFromName` `RtlCopySid` `TpAllocTimer`
api-ms-win-core-heap-l2-1-0.dll	`LocalAlloc` `LocalFree`
api-ms-win-service-private-l1-1-3.dll (delay-loaded)	`I_RegisterSvchostNotificationCallback`

Delayed Imports

Attributes	`0x1`
Name	`api-ms-win-service-private-l1-1-3.dll`
ModuleHandle	`0xe6b8`
DelayImportAddressTable	`0x100a0`
DelayImportNameTable	`0xb8f8`
BoundDelayImportTable	`0xbaf8`
UnloadDelayImportTable	`0`
TimeStamp	`1970-Jan-01 00:00:00`

1

Type	`MUI`
Language	English - United States
Codepage	UNKNOWN
Size	`0xc8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.68683`
MD5	`df0bac1ab7e8fd8dac31d882615024b3`
SHA1	`41de5a4147dd2e59aad1266304146fad22b916e5`
SHA256	`94c511dfb7111facb08f9c0908f568db2adcb993c7790c1aa3120bd37130b21c`
SHA3	`82b18199f3e3fe21f0f06e7a6bb28a933937566191756485b5f31ddf74d2814d`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x3b0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.49865`
MD5	`90c2d95100714cb4878fd11b8a2d953f`
SHA1	`64c9db38b63c3be9e4cc8fa916a2e06bab89b81e`
SHA256	`968d210fe23ace8dc96a3302fb207a68f79742872540e16073c101195ee5e604`
SHA3	`a42c3e43e7b34e392f3b0007ec1a5868b92ab365f499c01e6871eb10f289a677`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x2b2`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.88655`
MD5	`5b2a444d1ae281ea719f54cc05aaf7b8`
SHA1	`e62709194daa28b7d828a44cccea2de14383211d`
SHA256	`ce0c61a2c2631ef934437c16b616e98511b7772567260100d957bd95d353b1b1`
SHA3	`8cc0ee6e1f5fe7648fac40bb9901b6d6f0ae457977d9eb689034027cfde3ed5e`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	10.0.26100.1150
ProductVersion	10.0.26100.1150
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Microsoft Corporation
FileDescription	Host Process for Windows Services
FileVersion (#2)	10.0.26100.1150 (WinBuild.160101.0800)
InternalName	svchost.exe
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	svchost.exe
ProductName	Microsoft® Windows® Operating System
ProductVersion (#2)	10.0.26100.1150

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2104-Nov-12 20:36:41
Version	`0.0`
SizeofData	`36`
AddressOfRawData	`0xaaa0`
PointerToRawData	`0xaaa0`
Referenced File	svchost.pdb

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2104-Nov-12 20:36:41
Version	`0.0`
SizeofData	`1028`
AddressOfRawData	`0xaac4`
PointerToRawData	`0xaac4`

UNKNOWN

Characteristics	`0`
TimeDateStamp	2104-Nov-12 20:36:41
Version	`0.0`
SizeofData	`36`
AddressOfRawData	`0xaef0`
PointerToRawData	`0xaef0`

UNKNOWN (#2)

Characteristics	`0`
TimeDateStamp	2104-Nov-12 20:36:41
Version	`0.0`
SizeofData	`4`
AddressOfRawData	`0xaf14`
PointerToRawData	`0xaf14`

TLS Callbacks

Load Configuration

Size	`0x140`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x14000e040`
GuardCFCheckFunctionPointer	`5368748264`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

XOR Key	`0xa211860e`
Unmarked objects	`0`
Imports (33138)	`2`
Imports (VS2008 SP1 build 30729)	`59`
Total imports	`1218`
Unmarked objects (#2)	`1`
C objects (33138)	`13`
ASM objects (33138)	`4`
C++ objects (33138)	`20`
C objects (LTCG) (33138)	`13`
253 (33138)	`1`
Resource objects (33138)	`1`
Linker (33138)	`1`

0cd128f416a04c06d50ec56392c25d9f

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

fothk

.rdata

.data

.pdata

.didat

.rsrc

.reloc

Imports

Delayed Imports

1

1 (#2)

1 (#3)

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

IMAGE_DEBUG_TYPE_POGO

UNKNOWN

UNKNOWN (#2)

TLS Callbacks

Load Configuration

RICH Header

Errors