1db270bbd208f961c1ebe295364c8210

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2008-Apr-13 19:15:12
Detected languages English - United States
Debug artifacts svchost.pdb
CompanyName Microsoft Corporation
FileDescription Generic Host Process for Win32 Services
FileVersion 5.1.2600.5512 (xpsp.080413-2111)
InternalName svchost.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename svchost.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 5.1.2600.5512

Plugin Output

Suspicious: Strings found in the binary may indicate undesirable behavior:
May have dropper capabilities:
  • CurrentControlSet\Services
Malicious: The PE contains functions mostly used by malware.
[!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
  • LoadLibraryA
Can access the registry:
  • RegQueryValueExW
  • RegCloseKey
  • RegOpenKeyExW
Uses Windows's Native API:
  • NtQuerySecurityObject
  • NtOpenKey
  • NtClose
Functions related to the privilege level:
  • OpenProcessToken
Safe: VirusTotal score: 0/71 (Scanned on 2024-03-25 18:48:16) All the AVs think this file is safe.

Hashes

MD5 1db270bbd208f961c1ebe295364c8210
SHA1 fa25b965c958175950ba6673396fead8bf48ef4e
SHA256 5a73ad711a2eef15212503e4ea75d2df6bbd03041b8602824d9068280ab07210
SHA3 f5bedaa83a970cb7cb7fb3e44eab193b3fd759c3530dc572c4761874e2bf9af7
SSDeep 384:IDvi+JmG6yqlCRaJt4RHS5LutGJae7g9V0GWCNJbW:INcG6xlCRaJKGOA7vYJ
Imports Hash b0b91dcbecbadc11c79cb5896790e8e9

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 3
TimeDateStamp 2008-Apr-13 19:15:12
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 7.1
SizeOfCode 0x2c00
SizeOfInitializedData 0xa00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00002509 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x4000
ImageBase 0x1000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.1
ImageVersion 5.1
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x6000
SizeOfHeaders 0x400
Checksum 0x53a0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x40000
SizeofStackCommit 0x4000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 f6589e1ed3da6afefb0b4294d9ff7f2e
SHA1 881377d0006aa803fcc1eab88e7cc5ec90b5c0fc
SHA256 395659de88865ec3fb3a95ef767561fa1a243adad02e40fbf62ec2384ca830f0
SHA3 0b475979be6b2d1f7b2147bdda0c743407164307f88d18d4751064c92864fd97
VirtualSize 0x2c00
VirtualAddress 0x1000
SizeOfRawData 0x2c00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.28653

.data

MD5 e19b0fd6af46045b00e8df9f40793874
SHA1 ef09fd78ed2c7c26ae2d73b4227e9f5e09b47630
SHA256 771207403166eb563be0f07bd1a4f40d03f788536ec698767076385487d5e0ba
SHA3 a44031db6b77deed5c257afe4a3047d59445826789c4bd91c9a7742cdd25eb46
VirtualSize 0x210
VirtualAddress 0x4000
SizeOfRawData 0x200
PointerToRawData 0x3000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.84689

.rsrc

MD5 dcede0c303bbb48c6875eb64477e5882
SHA1 4bf80df8c0cf7644e5f7672cec0b9453e2dfd2b1
SHA256 3234921633633a5af55631da96907b11d225a72e45e17cd179445f65d1f7f0d1
SHA3 8fab21827d3d81861f6a8c7a2fbd4b1f73ffc50b350385a6a87f3ae42b4d48fa
VirtualSize 0x408
VirtualAddress 0x5000
SizeOfRawData 0x600
PointerToRawData 0x3200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 2.51379

Imports

ADVAPI32.dll
RegQueryValueExW
SetSecurityDescriptorDacl
SetEntriesInAclW
SetSecurityDescriptorGroup
SetSecurityDescriptorOwner
InitializeSecurityDescriptor
GetTokenInformation
OpenProcessToken
OpenThreadToken
SetServiceStatus
RegisterServiceCtrlHandlerW
RegCloseKey
RegOpenKeyExW
StartServiceCtrlDispatcherW
KERNEL32.dll
HeapFree
GetLastError
WideCharToMultiByte
lstrlenW
LocalFree
GetCurrentProcess
GetCurrentThread
GetProcAddress
LoadLibraryExW
LeaveCriticalSection
HeapAlloc
EnterCriticalSection
LCMapStringW
FreeLibrary
lstrcpyW
ExpandEnvironmentStringsW
lstrcmpiW
ExitProcess
GetCommandLineW
InitializeCriticalSection
GetProcessHeap
SetErrorMode
SetUnhandledExceptionFilter
RegisterWaitForSingleObject
InterlockedCompareExchange
LoadLibraryA
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
TerminateProcess
UnhandledExceptionFilter
LocalAlloc
lstrcmpW
DelayLoadFailureHook
ntdll.dll
NtQuerySecurityObject
RtlFreeHeap
NtOpenKey
wcscat
wcscpy
RtlAllocateHeap
RtlCompareUnicodeString
RtlInitUnicodeString
RtlInitializeSid
RtlLengthRequiredSid
RtlSubAuthoritySid
NtClose
RtlSubAuthorityCountSid
RtlGetDaclSecurityDescriptor
RtlQueryInformationAcl
RtlGetAce
RtlImageNtHeader
wcslen
RtlUnhandledExceptionFilter
RtlCopySid
RPCRT4.dll
RpcServerUnregisterIfEx
RpcMgmtWaitServerListen
RpcMgmtSetServerStackSize
RpcServerUnregisterIf
RpcServerListen
RpcServerUseProtseqEpW
RpcServerRegisterIf
I_RpcMapWin32Status
RpcMgmtStopServerListening
NETAPI32.dll (delay-loaded)
Netbios

Delayed Imports

Attributes 0x1
Name NETAPI32.dll
ModuleHandle 0x420c
DelayImportAddressTable 0x4000
DelayImportNameTable 0x330c
BoundDelayImportTable 0
UnloadDelayImportTable 0
TimeStamp 1970-Jan-01 00:00:00

1

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x3a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.56696
MD5 1611a43d3bb0b0e186df14757617951d
SHA1 dd7d1d176d14ff587148613a0f508a4892d61495
SHA256 9c7c81b3fe515187de2853148144f9c4113a3ad74b0a51e5faffa55c608cf1a6
SHA3 c762e75570e29b2f376c71f4f0eaa92a6359d901deca8e825942f76973044bb7

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 5.1.2600.5512
ProductVersion 5.1.2600.5512
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
CompanyName Microsoft Corporation
FileDescription Generic Host Process for Win32 Services
FileVersion (#2) 5.1.2600.5512 (xpsp.080413-2111)
InternalName svchost.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename svchost.exe
ProductName Microsoft® Windows® Operating System
ProductVersion (#2) 5.1.2600.5512
Resource LangID English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2008-Apr-13 19:15:12
Version 0.0
SizeofData 36
AddressOfRawData 0x3bdc
PointerToRawData 0x2fdc
Referenced File svchost.pdb

IMAGE_DEBUG_TYPE_RESERVED

Characteristics 0
TimeDateStamp 2008-Apr-13 19:15:12
Version 553.3640
SizeofData 4
AddressOfRawData 0x3bd8
PointerToRawData 0x2fd8

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x359bc8b8
Unmarked objects 0
C++ objects (VS2003 (.NET) build 4035) 1
Imports (VS2003 (.NET) build 4035) 9
Total imports 95
94 (VS2003 (.NET) build 4035) 1
C objects (VS2003 (.NET) build 4035) 12
Linker (VS2003 (.NET) build 4035) 1

Errors
