45555683527f88c77ed3b460cd5fd5be

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2023-Jan-18 15:57:09
Detected languages English - United States
Debug artifacts sechost.pdb
CompanyName Microsoft Corporation
FileDescription Host for SCM/SDDL/LSA Lookup APIs
FileVersion 10.0.22621.3296 (WinBuild.160101.0800)
InternalName sechost.dll
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename sechost.dll
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.22621.3296

Plugin Output

Suspicious: Strings found in the binary may indicate undesirable behavior:
May have dropper capabilities:
  • CurrentControlSet\Services
Malicious: The PE contains functions mostly used by malware.
[!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
Functions which can be used for anti-debugging purposes:
  • NtQuerySystemInformation
Can access the registry:
  • RegOpenKeyExA
  • RegQueryValueExA
  • RegSetValueExW
  • RegNotifyChangeKeyValue
  • RegCloseKey
  • RegDeleteValueW
  • RegEnumKeyExW
  • RegOpenKeyExW
  • RegQueryValueExW
Possibly launches other programs:
  • CreateProcessAsUserW
  • CreateProcessW
Uses Windows's Native API:
  • NtTerminateProcess
  • NtOpenProcessTokenEx
  • NtOpenKey
  • NtQueryValueKey
  • NtSetInformationThread
  • NtQueryInformationThread
  • NtQueryInformationToken
  • NtQueueApcThread
  • NtQueryInformationFile
  • NtQueryLicenseValue
  • NtCancelIoFile
  • NtTraceControl
  • NtSetSystemInformation
  • NtSetIntervalProfile
  • NtQuerySystemInformation
  • NtQueryIntervalProfile
  • NtWaitForMultipleObjects
  • NtAllocateVirtualMemoryEx
  • NtFreeVirtualMemory
  • NtQueryPerformanceCounter
  • NtSetEvent
  • NtOpenProcessToken
  • NtOpenThreadToken
  • NtClose
Functions related to the privilege level:
  • OpenProcessToken
  • AdjustTokenPrivileges
Changes object ACLs:
  • SetKernelObjectSecurity
Info: The PE is digitally signed.
Signer: Microsoft Windows
Issuer: Microsoft Windows Production PCA 2011
Safe: VirusTotal score: 0/71 (Scanned on 2024-04-01 01:59:19)
All the AVs think this file is safe.

Hashes

MD5 45555683527f88c77ed3b460cd5fd5be
SHA1 ef95e630113e2af07fe9058a2906a03d5d5b5410
SHA256 19375900b6f0859f824cdd42eefc39594bbe6bea50ad3ea1b0c162708dbf3d9d
SHA3 c78e3e472dd756d6749186e8d1c0c58f34bd22fe25666839f9d413d5ebaf9af3
SSDeep 12288:UQBmUZSro7wIrBPtBXi1pDXyIlkVFF1R0oq9XsZYaH8:dBm6+oZB1BXi1p7yckHTR1q9AYac
Imports Hash 9bb3f0fc16ece5649fda15cf5cc76df7

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 7
TimeDateStamp 2023-Jan-18 15:57:09
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_DLL
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0x70000
SizeOfInitializedData 0x37000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00000000000178E0 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x180000000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion A.0
ImageVersion A.0
SubsystemVersion A.0
Win32VersionValue 0
SizeOfImage 0xa8000
SizeOfHeaders 0x1000
Checksum 0xb0f27
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SizeofStackReserve 0x40000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 2f43ba5fb8ff30b5fe30ad7f3a3d807d
SHA1 88076943a82bf5f4c24d1a5519372b8e864d1231
SHA256 058cb9e5d1cc036bd730e4218314ed8cafb10d836c61cb69cb69b726da0be080
SHA3 3f75dbb39126c173fd9f613e5e1cc3ea37302dd68f2ec2ac0013b4a0d0414ec3
VirtualSize 0x6f78d
VirtualAddress 0x1000
SizeOfRawData 0x70000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.41565

.rdata

MD5 af612fff8d81be2cf9b21fe5d3e94168
SHA1 5eb4b04511c25c2fe197bfbaf7035c35845795f8
SHA256 4d7c2fb56e4f64f2066502817fbaa2e8197e7d12221e3c35950d84cd3a18d887
SHA3 d7296746f2152d30bceaf21b96ca06a98490e2ad0f74709686ce4c990d03c302
VirtualSize 0x28f90
VirtualAddress 0x71000
SizeOfRawData 0x29000
PointerToRawData 0x71000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.77115

.data

MD5 7503bc108b067df5dc914d48842fc84c
SHA1 c2c8d432ffd646a8eaa6b678d3971ff6475bf725
SHA256 959f679a93a685a3ba8b4eebea968d4aba598bdad5c1ff528744176f736f689b
SHA3 b314cbbfcf998092dd93539b0b157590c97baf11efa79b4a9eb8c9b595b3cb05
VirtualSize 0x3b20
VirtualAddress 0x9a000
SizeOfRawData 0x3000
PointerToRawData 0x9a000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 1.21937

.pdata

MD5 21483492eb69466bf1dcf0eb2b31a42a
SHA1 32f87e081fccd36156ef0246e04609a85e969d98
SHA256 5a44c9bd72d8a6bb7d8ca0a8762f9c6d56701e090439060b22e8b770a53078c3
SHA3 bfd177af41b088b5500b5e7c6fd4977d094067cbfb15211765b99e7b5b49b089
VirtualSize 0x4a88
VirtualAddress 0x9e000
SizeOfRawData 0x5000
PointerToRawData 0x9d000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.51894

.didat

MD5 cbe761d1379f5b012ef639b1185f16c0
SHA1 44e16180be1d0639a4a61ed16c32e780901ca6cf
SHA256 c925fc2458960f4b57afa6a136bfaf6560867193f4f7ce35899aad23e123d91a
SHA3 c3b1766ae96023ae3d8f909bd9f207e4a847717e5d9b8699dc33137a3f5da9c1
VirtualSize 0x238
VirtualAddress 0xa3000
SizeOfRawData 0x1000
PointerToRawData 0xa2000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.640228

.rsrc

MD5 e4e403bcd5ad672ea7f107bd9b7a0b32
SHA1 a2d7f82a7a04c38293f79ba3680d3eb715f0065f
SHA256 e1b21a0803ff85b8c5a833e6a3da0ebabc06a938d08f2a067699a281a1532230
SHA3 ad0d6d940a5eb1fdd2292c16bfb0f7cc9228e1f441594de82bda92a29235b679
VirtualSize 0x12b8
VirtualAddress 0xa4000
SizeOfRawData 0x2000
PointerToRawData 0xa3000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.5585

.reloc

MD5 c16fd64bacf1a329400cf190104cb5fd
SHA1 0ba3aa79e2bab9edac4933170eb1ae55617f883c
SHA256 8fdf6bb290ec96f4c366115a4609cb2c6c9116cf2d6f673412e310706d3dff55
SHA3 c87144532cae8cb315bfdeaca8cd02c63254a4eae101dba6f0a3d2b18e4093e5
VirtualSize 0x15f0
VirtualAddress 0xa6000
SizeOfRawData 0x2000
PointerToRawData 0xa5000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 4.47585

Imports

api-ms-win-core-crt-l1-1-0.dll memset
_vsnwprintf_s
memcpy
memcmp
memmove
wcscmp
memcpy_s
towlower
strnlen
memmove_s
wcsrchr
strstr
strrchr
strchr
_stricmp
strncmp
wcsncmp
wcsnlen
qsort_s
wcsstr
wcscat_s
_i64tow_s
_ui64tow_s
_errno
wcstok_s
_ultow
_wcstoi64
wcsncpy_s
_wcstoui64
_wcsnicmp
wcschr
swprintf_s
wcstoul
iswctype
_ultow_s
wcscpy_s
_wcsicmp
api-ms-win-core-crt-l2-1-0.dll _onexit
_initterm_e
_initterm
__dllonexit3
_purecall
ntdll.dll RtlEqualPrefixSid
RtlEqualUnicodeString
RtlEqualSid
RtlValidAcl
RtlSetSaclSecurityDescriptor
RtlSetOwnerSecurityDescriptor
RtlInitializeSid
RtlGetControlSecurityDescriptor
RtlAddAuditAccessObjectAce
RtlSubAuthoritySid
RtlSetDaclSecurityDescriptor
NtTerminateProcess
RtlConvertSidToUnicodeString
RtlGetAce
RtlAddAuditAccessAceEx
RtlxAnsiStringToUnicodeSize
RtlAddAccessAllowedAceEx
RtlGetOwnerSecurityDescriptor
RtlSubAuthorityCountSid
RtlAddAce
RtlGetGroupSecurityDescriptor
RtlAbsoluteToSelfRelativeSD
RtlMultiByteToUnicodeN
RtlAddAccessDeniedAceEx
RtlAddAccessAllowedObjectAce
RtlAddAccessDeniedObjectAce
RtlFirstFreeAce
RtlSetGroupSecurityDescriptor
RtlCreateSecurityDescriptor
RtlGetDaclSecurityDescriptor
RtlCaptureContext
RtlInitializeCriticalSectionEx
NtOpenProcessTokenEx
RtlLengthSecurityDescriptor
RtlLengthRequiredSid
RtlAddAccessAllowedAce
RtlAddMandatoryAce
RtlCreateAcl
RtlAllocateHeap
RtlCopySecurityDescriptor
NtOpenKey
RtlFreeHeap
NtQueryValueKey
RtlCapabilityCheckForSingleSessionSku
RtlCheckTokenMembership
RtlCheckTokenMembershipEx
RtlCapabilityCheck
RtlCheckTokenCapability
RtlMakeSelfRelativeSD
RtlSetThreadSubProcessTag
DbgPrintEx
NtSetInformationThread
RtlCreateServiceSid
LdrQueryModuleServiceTags
NtQueryInformationThread
RtlInitializeSRWLock
RtlReleaseSRWLockExclusive
NtQueryInformationToken
RtlAcquireSRWLockShared
RtlReleaseSRWLockShared
RtlRunOnceExecuteOnce
RtlCompareUnicodeString
RtlSubscribeWnfStateChangeNotification
NtQueueApcThread
RtlQueryWnfStateData
RtlUnsubscribeWnfNotificationWaitForCompletion
RtlSetLastWin32Error
NtQueryInformationFile
NtQueryLicenseValue
NtCancelIoFile
NtTraceControl
RtlFreeAnsiString
RtlGetPersistedStateLocation
RtlQueryRegistryValueWithFallback
RtlValidRelativeSecurityDescriptor
EtwDeliverDataBlock
EtwSendNotification
EtwEnumerateProcessRegGuids
NtSetSystemInformation
NtSetIntervalProfile
NtQuerySystemInformation
NtQueryIntervalProfile
RtlQueryTimeZoneInformation
EtwpGetCpuSpeed
RtlQueryPerformanceFrequency
NtWaitForMultipleObjects
NtAllocateVirtualMemoryEx
NtFreeVirtualMemory
RtlGetNativeSystemInformation
RtlInitializeBitMap
RtlInterlockedSetBitRun
NtQueryPerformanceCounter
RtlInterlockedClearBitRun
EtwEventWriteTransfer
RtlGetCompressionWorkSpaceSize
RtlDecompressBufferEx
RtlGetCurrentServiceSessionId
EtwProcessPrivateLoggerRequest
NtSetEvent
RtlGetNtProductType
RtlxUnicodeStringToAnsiSize
RtlInitUnicodeStringEx
LdrResSearchResource
RtlAllocateAndInitializeSid
RtlDeriveCapabilitySidsFromName
_vsnwprintf
RtlLookupFunctionEntry
RtlVirtualUnwind
RtlUnhandledExceptionFilter
__C_specific_handler
NtOpenProcessToken
RtlNtStatusToDosError
RtlUnicodeToMultiByteSize
RtlCopySid
RtlInitAnsiString
RtlUnicodeStringToAnsiString
RtlLengthSid
RtlCopyUnicodeString
RtlFreeUnicodeString
RtlAnsiStringToUnicodeString
RtlInitUnicodeString
RtlGUIDFromString
RtlValidSid
NtOpenThreadToken
RtlDllShutdownInProgress
RtlNtStatusToDosErrorNoTeb
RtlUnsubscribeWnfStateChangeNotification
NtClose
RtlAcquireSRWLockExclusive
RtlDeleteCriticalSection
RtlGetSaclSecurityDescriptor
api-ms-win-core-libraryloader-l1-2-0.dll GetModuleHandleW
GetModuleHandleExW
GetModuleFileNameA
DisableThreadLibraryCalls
FreeLibrary
GetProcAddress
LoadLibraryExW
GetModuleFileNameW
api-ms-win-core-debug-l1-1-0.dll DebugBreak
IsDebuggerPresent
OutputDebugStringW
api-ms-win-core-errorhandling-l1-1-0.dll SetLastError
RaiseException
GetLastError
api-ms-win-core-handle-l1-1-0.dll CloseHandle
api-ms-win-core-heap-l1-1-0.dll HeapFree
HeapAlloc
GetProcessHeap
HeapReAlloc
api-ms-win-core-processthreads-l1-1-0.dll UpdateProcThreadAttribute
ResumeThread
SetThreadPriority
TerminateThread
GetThreadPriority
CreateThread
InitializeProcThreadAttributeList
CreateProcessAsUserW
OpenProcessToken
GetCurrentProcess
TlsSetValue
GetProcessTimes
GetCurrentThread
OpenThreadToken
CreateProcessW
OpenThread
GetCurrentProcessId
TlsAlloc
GetCurrentThreadId
TlsGetValue
api-ms-win-core-synch-l1-1-0.dll InitializeCriticalSectionEx
DeleteCriticalSection
OpenSemaphoreW
WaitForSingleObjectEx
ReleaseSRWLockExclusive
CreateEventA
InitializeSRWLock
ReleaseSRWLockShared
ResetEvent
AcquireSRWLockShared
ReleaseMutex
CreateSemaphoreExW
ReleaseSemaphore
WaitForMultipleObjectsEx
CreateMutexExW
WaitForSingleObject
AcquireSRWLockExclusive
EnterCriticalSection
LeaveCriticalSection
SetEvent
OpenEventW
CreateEventExW
CreateEventW
SleepEx
api-ms-win-core-util-l1-1-0.dll DecodePointer
EncodePointer
api-ms-win-eventing-provider-l1-1-0.dll EventWriteTransfer
EventRegister
EventSetInformation
EventUnregister
api-ms-win-core-localization-l1-2-0.dll FormatMessageW
api-ms-win-core-registry-l1-1-0.dll RegOpenKeyExA
RegQueryValueExA
RegSetValueExW
RegNotifyChangeKeyValue
RegCloseKey
RegDeleteValueW
RegEnumKeyExW
RegOpenKeyExW
RegQueryValueExW
api-ms-win-core-heap-l2-1-0.dll LocalFree
LocalReAlloc
LocalAlloc
api-ms-win-security-base-l1-1-0.dll GetSidSubAuthority
GetSidSubAuthorityCount
GetSecurityDescriptorDacl
FreeSid
IsValidSid
AdjustTokenGroups
InitializeSecurityDescriptor
EqualSid
SetKernelObjectSecurity
SetSecurityDescriptorDacl
EqualDomainSid
GetLengthSid
AddAccessDeniedAce
GetSecurityDescriptorSacl
AddAccessAllowedAce
AdjustTokenPrivileges
GetTokenInformation
CreateRestrictedToken
IsValidSecurityDescriptor
AllocateAndInitializeSid
GetAclInformation
SetSecurityDescriptorSacl
api-ms-win-core-string-l1-1-0.dll CompareStringW
CompareStringOrdinal
api-ms-win-core-wow64-l1-1-1.dll IsWow64Process2
api-ms-win-core-synch-l1-2-0.dll SleepConditionVariableSRW
WakeConditionVariable
Sleep
api-ms-win-core-threadpool-l1-2-0.dll CloseThreadpoolTimer
CreateThreadpoolTimer
CloseThreadpoolWork
SubmitThreadpoolWork
CreateThreadpoolWork
WaitForThreadpoolTimerCallbacks
SetThreadpoolTimer
api-ms-win-core-sysinfo-l1-1-0.dll GetComputerNameExW
GetSystemDirectoryW
api-ms-win-core-file-l1-1-0.dll CreateFileW
GetFullPathNameA
GetFullPathNameW
ReadFile
GetDiskFreeSpaceExW
GetFileAttributesExW
api-ms-win-core-memory-l1-1-0.dll VirtualFree
VirtualAllocEx
VirtualFreeEx
api-ms-win-core-io-l1-1-0.dll DeviceIoControl
GetOverlappedResult
bcrypt.dll BCryptGenerateSymmetricKey
BCryptCreateHash
BCryptSetProperty
BCryptHashData
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptFinishHash
BCryptOpenAlgorithmProvider
BCryptDecrypt
BCryptGetProperty
BCryptDestroyKey
BCryptEncrypt
BCryptGenRandom
api-ms-win-core-rtlsupport-l1-1-0.dll RtlCompareMemory
api-ms-win-core-processthreads-l1-1-1.dll GetProcessMitigationPolicy
api-ms-win-core-delayload-l1-1-1.dll ResolveDelayLoadedAPI
api-ms-win-core-delayload-l1-1-0.dll DelayLoadFailureHook
api-ms-win-core-apiquery-l1-1-0.dll ApiSetQueryApiSetPresence
RPCRT4.dll (delay-loaded) RpcStringFreeW
RpcBindingFree
UuidFromStringW
UuidToStringW
RpcBindingCreateW
RpcBindingBind
RpcServerUseProtseqW
RpcServerRegisterIf3
RpcBindingSetAuthInfoExW
RpcRevertToSelfEx
RpcImpersonateClient
RpcBindingFromStringBindingW
RpcRevertToSelf
RpcAsyncInitializeHandle
RpcAsyncCompleteCall
RpcAsyncCancelCall
UuidEqual
UuidIsNil
RpcSmDestroyClientContext
UuidCreate
NdrClientCall2
NdrAsyncClientCall
RpcBindingSetAuthInfoW
NdrClientCall3
RpcStringBindingComposeW
I_RpcExceptionFilter
I_RpcMapWin32Status
RpcBindingSetOption
RpcSsDestroyClientContext
RpcSsGetContextBinding
RpcServerInqCallAttributesA
RpcBindingServerFromClient
RpcStringBindingParseW
RpcBindingToStringBindingW

Delayed Imports

Attributes 0x1
Name RPCRT4.dll
ModuleHandle 0x9d150
DelayImportAddressTable 0xa3030
DelayImportNameTable 0x94ab8
BoundDelayImportTable 0x95248
UnloadDelayImportTable 0
TimeStamp 1970-Jan-01 00:00:00

Ordinal 1000
Address 0x4ffe0

(#2)

Ordinal 1001
Address 0x50c70

(#3)

Ordinal 1002
Address 0x50c80

I_ScSetServiceBitsA

Ordinal 1003
Address 0x49d60

I_ScSetServiceBitsW

Ordinal 1004
Address 0x49d90

AuditComputeEffectivePolicyBySid

Ordinal 1005
Address 0x58180

AuditEnumerateCategories

Ordinal 1006
Address 0x583a0

AuditEnumeratePerUserPolicy

Ordinal 1007
Address 0x584f0

AuditEnumerateSubCategories

Ordinal 1008
Address 0x58580

AuditFree

Ordinal 1009
Address 0x2d240

AuditLookupCategoryNameW

Ordinal 1010
Address 0x586f0

AuditLookupSubCategoryNameW

Ordinal 1011
Address 0x58870

AuditQueryGlobalSaclW

Ordinal 1012
Address 0x589f0

AuditQueryPerUserPolicy

Ordinal 1013
Address 0x58a60

AuditQuerySecurity

Ordinal 1014
Address 0x58b20

AuditQuerySystemPolicy

Ordinal 1015
Address 0x58bf0

AuditSetGlobalSaclW

Ordinal 1016
Address 0x58cb0

AuditSetPerUserPolicy

Ordinal 1017
Address 0x58d20

AuditSetSecurity

Ordinal 1018
Address 0x58dd0

AuditSetSystemPolicy

Ordinal 1019
Address 0x58f30

BuildSecurityDescriptorForSharingAccess

Ordinal 1020
Address 0x31970

BuildSecurityDescriptorForSharingAccessEx

Ordinal 1021
Address 0x31990

CapabilityCheck

Ordinal 1022
Address 0x13f40

CapabilityCheckForSingleSessionSku

Ordinal 1023
Address 0x49650

ChangeServiceConfig2A

Ordinal 1024
Address 0x49f50

ChangeServiceConfig2W

Ordinal 1025
Address 0x4a110

ChangeServiceConfigA

Ordinal 1026
Address 0x4a1f0

ChangeServiceConfigW

Ordinal 1027
Address 0x16de0

CloseServiceHandle

Ordinal 1028
Address 0x9a20

CloseTrace

Ordinal 1029
Address 0x107e0

ControlService

Ordinal 1030
Address 0x1f1a0

ControlServiceExA

Ordinal 1031
Address 0x4a4d0

ControlServiceExW

Ordinal 1032
Address 0x16b80

ControlTraceA

Ordinal 1033
Address 0x14030

ControlTraceW

Ordinal 1034
Address 0xa080

ConvertSDToStringSDRootDomainW

Ordinal 1035
Address 0x2d260

ConvertSecurityDescriptorToStringSecurityDescriptorW

Ordinal 1036
Address 0x2410

ConvertSidToStringSidW

Ordinal 1037
Address 0x4710

ConvertStringSDToSDDomainA

Ordinal 1038
Address 0x2d2e0

ConvertStringSDToSDDomainW

Ordinal 1039
Address 0x2d420

ConvertStringSDToSDRootDomainW

Ordinal 1040
Address 0x2d4f0

ConvertStringSecurityDescriptorToSecurityDescriptorW

Ordinal 1041
Address 0x1de0

ConvertStringSidToSidW

Ordinal 1042
Address 0x4a80

CreateIsolatedProcess

Ordinal 1043
Address 0x6b030

CreateIsolationContainer

Ordinal 1044
Address 0x6b0c0

CreateServiceA

Ordinal 1045
Address 0x4a630

CreateServiceEx

Ordinal 1046
Address 0x4ad90

CreateServiceW

Ordinal 1047
Address 0x4b290

CredBackupCredentials

Ordinal 1048
Address 0x59230

CredDeleteA

Ordinal 1049
Address 0x593d0

CredDeleteW

Ordinal 1050
Address 0x594c0

CredEncryptAndMarshalBinaryBlob

Ordinal 1051
Address 0x5ab30

CredEnumerateA

Ordinal 1052
Address 0x595b0

CredEnumerateW

Ordinal 1053
Address 0x59710

CredFindBestCredentialA

Ordinal 1054
Address 0x59870

CredFindBestCredentialW

Ordinal 1055
Address 0x599c0

CredFree

Ordinal 1056
Address 0x2d240

CredGetSessionTypes

Ordinal 1057
Address 0x59b10

CredGetTargetInfoA

Ordinal 1058
Address 0x59ba0

CredGetTargetInfoW

Ordinal 1059
Address 0x59ce0

CredIsMarshaledCredentialW

Ordinal 1060
Address 0x1fb90

CredIsProtectedA

Ordinal 1061
Address 0x5ab60

CredIsProtectedW

Ordinal 1062
Address 0x14d00

CredMarshalCredentialA

Ordinal 1063
Address 0x5ac00

CredMarshalCredentialW

Ordinal 1064
Address 0x5ac80

CredParseUserNameWithType

Ordinal 1065
Address 0x200c0

CredProfileLoaded

Ordinal 1066
Address 0x59e20

CredProfileLoadedEx

Ordinal 1067
Address 0x59eb0

CredProfileUnloaded

Ordinal 1068
Address 0x59f40

CredProtectA

Ordinal 1069
Address 0x5ae70

CredProtectEx

Ordinal 1070
Address 0x5aff0

CredProtectW

Ordinal 1071
Address 0x1fbd0

CredReadA

Ordinal 1072
Address 0x59fd0

CredReadByTokenHandle

Ordinal 1073
Address 0x5a120

CredReadDomainCredentialsA

Ordinal 1074
Address 0x5a270

CredReadDomainCredentialsW

Ordinal 1075
Address 0x5a3d0

CredReadW

Ordinal 1076
Address 0x1fa40

CredRestoreCredentials

Ordinal 1077
Address 0x5a540

CredUnmarshalCredentialA

Ordinal 1078
Address 0x5b180

CredUnmarshalCredentialW

Ordinal 1079
Address 0x14d70

CredUnprotectA

Ordinal 1080
Address 0x5b230

CredUnprotectEx

Ordinal 1081
Address 0x5b3d0

CredUnprotectW

Ordinal 1082
Address 0x1fbf0

CredWriteA

Ordinal 1083
Address 0x5a6c0

CredWriteDomainCredentialsA

Ordinal 1084
Address 0x5a7a0

CredWriteDomainCredentialsW

Ordinal 1085
Address 0x5a8d0

CredWriteW

Ordinal 1086
Address 0x5aa00

CredpConvertCredential

Ordinal 1087
Address 0x5b5e0

CredpConvertOneCredentialSize

Ordinal 1088
Address 0x1fec0

CredpConvertTargetInfo

Ordinal 1089
Address 0x5b9a0

CredpDecodeCredential

Ordinal 1090
Address 0x1ffe0

CredpEncodeCredential

Ordinal 1091
Address 0x20030

CredpEncodeSecret

Ordinal 1092
Address 0x5bf20

DecodeAttributeName

Ordinal 1093
Address 0x2db80

DeleteIsolationContainer

Ordinal 1094
Address 0x6b130

DeleteService

Ordinal 1095
Address 0x4b750

EnableTraceEx2

Ordinal 1096
Address 0xa5c0

EncodeAttributeName

Ordinal 1097
Address 0x2de30

EnumDependentServicesW

Ordinal 1098
Address 0x4b7e0

EnumServicesStatusExW

Ordinal 1099
Address 0x8b30

EnumerateIdentityProviders

Ordinal 1100
Address 0x13470

EnumerateTraceGuidsEx

Ordinal 1101
Address 0x1f730

EventAccessControl

Ordinal 1102
Address 0x50cc0

EventAccessQuery

Ordinal 1103
Address 0x50d10

EventAccessRemove

Ordinal 1104
Address 0x50f60

FreeContainer

Ordinal 1105
Address 0x5d9d0

FreeOperandValue

Ordinal 1106
Address 0x2df80

FreeTransientObjectSecurityDescriptor

Ordinal 1107
Address 0x6290

GetCharFromDigit

Ordinal 1108
Address 0x2e2d0

GetDefaultIdentityProvider

Ordinal 1109
Address 0x2a9a0

GetDigitFromChar

Ordinal 1110
Address 0x2e380

GetEmbeddedContainerIsolationPolicy

Ordinal 1111
Address 0x5da20

GetEmbeddedImageMitigationPolicy

Ordinal 1112
Address 0x13de0

GetIdentityProviderInfoByGUID

Ordinal 1113
Address 0x2aa10

GetIdentityProviderInfoByName

Ordinal 1114
Address 0x1e430

GetOperandValue

Ordinal 1115
Address 0x2e520

GetOperatorCodeAtIndex

Ordinal 1116
Address 0x2ebc0

GetOperatorIndexByToken

Ordinal 1117
Address 0x2ed90

GetOperatorUnaryAtIndex

Ordinal 1118
Address 0x2edc0

GetPrintableOperandValue

Ordinal 1119
Address 0x2f000

GetServiceDirectory

Ordinal 1120
Address 0x4b990

GetServiceDisplayNameW

Ordinal 1121
Address 0x4ba30

GetServiceKeyNameW

Ordinal 1122
Address 0x4bb20

GetServiceProcessToken

Ordinal 1123
Address 0x1f230

GetServiceRegistryStateKey

Ordinal 1124
Address 0x17130

GetSharedServiceDirectory

Ordinal 1125
Address 0x4bc10

GetSharedServiceRegistryStateKey

Ordinal 1126
Address 0x4bcb0

I_QueryTagInformation

Ordinal 1127
Address 0x88d0

I_RegisterSvchostNotificationCallback

Ordinal 1128
Address 0x17020

I_ScBroadcastServiceControlMessage

Ordinal 1129
Address 0x4bd40

I_ScIsSecurityProcess

Ordinal 1130
Address 0x4cb30

I_ScPnPGetServiceName

Ordinal 1131
Address 0x15bb0

I_ScQueryServiceConfig

Ordinal 1132
Address 0x9120

I_ScRegisterDeviceNotification

Ordinal 1133
Address 0x15740

I_ScRegisterPreshutdownRestart

Ordinal 1134
Address 0x4be30

I_ScReparseServiceDatabase

Ordinal 1135
Address 0x4bf00

I_ScRpcBindA

Ordinal 1136
Address 0x4da30

I_ScRpcBindW

Ordinal 1137
Address 0x4da40

I_ScSendPnPMessage

Ordinal 1138
Address 0x9610

I_ScSendTSMessage

Ordinal 1139
Address 0x4bd40

I_ScUnregisterDeviceNotification

Ordinal 1140
Address 0x16450

I_ScValidatePnPService

Ordinal 1141
Address 0x15c10

IsArrayType

Ordinal 1142
Address 0x2f830

IsValueSizeFixed

Ordinal 1143
Address 0x2f910

LocalGetConditionForString

Ordinal 1144
Address 0x1e970

LocalGetReferencedTokenTypesForCondition

Ordinal 1145
Address 0x2f970

LocalGetSidForString

Ordinal 1146
Address 0x1cd0

LocalGetStringForCondition

Ordinal 1147
Address 0x307d0

LocalGetStringForRelativeAttribute

Ordinal 1148
Address 0x30810

LocalRpcBindingCreateWithSecurity

Ordinal 1149
Address 0x49840

LocalRpcBindingSetAuthInfoEx

Ordinal 1150
Address 0x499f0

LookupAccountNameLocalA

Ordinal 1151
Address 0x1e520

LookupAccountNameLocalW

Ordinal 1152
Address 0x5710

LookupAccountSidLocalA

Ordinal 1153
Address 0x1e6a0

LookupAccountSidLocalW

Ordinal 1154
Address 0x5c20

LsaAddAccountRights

Ordinal 1155
Address 0x55d90

LsaClose

Ordinal 1156
Address 0x123b0

LsaCreateSecret

Ordinal 1157
Address 0x56a00

LsaDelete

Ordinal 1158
Address 0x560b0

LsaEnumerateAccountRights

Ordinal 1159
Address 0x55e30

LsaEnumerateAccountsWithUserRight

Ordinal 1160
Address 0x55f20

LsaFreeMemory

Ordinal 1161
Address 0x14cb0

LsaICLookupNames

Ordinal 1162
Address 0x11af0

LsaICLookupNamesWithCreds

Ordinal 1163
Address 0x56150

LsaICLookupSids

Ordinal 1164
Address 0x12160

LsaICLookupSidsWithCreds

Ordinal 1165
Address 0x56360

LsaLookupClose

Ordinal 1166
Address 0x61b0

LsaLookupFreeMemory

Ordinal 1167
Address 0x14cb0

LsaLookupGetDomainInfo

Ordinal 1168
Address 0x5b80

LsaLookupManageSidNameMapping

Ordinal 1169
Address 0x16820

LsaLookupNames2

Ordinal 1170
Address 0x11a80

LsaLookupOpenLocalPolicy

Ordinal 1171
Address 0x6110

LsaLookupSids

Ordinal 1172
Address 0x11fb0

LsaLookupSids2

Ordinal 1173
Address 0x1fa30

LsaLookupTranslateNames

Ordinal 1174
Address 0x59c0

LsaLookupTranslateSids

Ordinal 1175
Address 0x7530

LsaLookupUserAccountType

Ordinal 1176
Address 0x16240

LsaOpenPolicy

Ordinal 1177
Address 0x12a70

LsaOpenSecret

Ordinal 1178
Address 0x56b70

LsaQueryInformationPolicy

Ordinal 1179
Address 0x11e70

LsaQuerySecret

Ordinal 1180
Address 0x56ce0

LsaRemoveAccountRights

Ordinal 1181
Address 0x56000

LsaRetrievePrivateData

Ordinal 1182
Address 0x57000

LsaSetInformationPolicy

Ordinal 1183
Address 0x565b0

LsaSetSecret

Ordinal 1184
Address 0x572c0

LsaStorePrivateData

Ordinal 1185
Address 0x57530

NotifyServiceStatusChange

Ordinal 1186
Address 0x14e10

NotifyServiceStatusChangeA

Ordinal 1187
Address 0x4ea10

NotifyServiceStatusChangeW

Ordinal 1188
Address 0x14e10

OpenSCManagerA

Ordinal 1189
Address 0x9750

OpenSCManagerW

Ordinal 1190
Address 0x9910

OpenServiceA

Ordinal 1191
Address 0x17040

OpenServiceW

Ordinal 1192
Address 0x97e0

OpenTraceFromBufferStream

Ordinal 1193
Address 0x50060

OpenTraceFromFile

Ordinal 1194
Address 0x50160

OpenTraceFromRealTimeLogger

Ordinal 1195
Address 0x50290

OpenTraceFromRealTimeLoggerWithAllocationOptions

Ordinal 1196
Address 0x502c0

OpenTraceW

Ordinal 1197
Address 0xff20

ProcessTrace

Ordinal 1198
Address 0x104a0

ProcessTraceAddBufferToBufferStream

Ordinal 1199
Address 0x504b0

ProcessTraceBufferDecrementReference

Ordinal 1200
Address 0x505e0

ProcessTraceBufferIncrementReference

Ordinal 1201
Address 0x506b0

QueryAllTracesA

Ordinal 1202
Address 0x51180

QueryAllTracesW

Ordinal 1203
Address 0x51190

QueryLocalUserServiceName

Ordinal 1204
Address 0x19b0

QueryServiceConfig2A

Ordinal 1205
Address 0x4bfc0

QueryServiceConfig2W

Ordinal 1206
Address 0x15d00

QueryServiceConfigA

Ordinal 1207
Address 0x16930

QueryServiceConfigW

Ordinal 1208
Address 0x92f0

QueryServiceDynamicInformation

Ordinal 1209
Address 0x4cb50

QueryServiceObjectSecurity

Ordinal 1210
Address 0x4c430

QueryServiceStatus

Ordinal 1211
Address 0x8ea0

QueryServiceStatusEx

Ordinal 1212
Address 0x9080

QueryTraceProcessingHandle

Ordinal 1213
Address 0x50760

QueryTransientObjectSecurityDescriptor

Ordinal 1214
Address 0x6570

QueryUserServiceName

Ordinal 1215
Address 0x8f00

QueryUserServiceNameForContext

Ordinal 1216
Address 0x16a40

RegisterServiceCtrlHandlerA

Ordinal 1217
Address 0x4cbf0

RegisterServiceCtrlHandlerExA

Ordinal 1218
Address 0x4cc60

RegisterServiceCtrlHandlerExW

Ordinal 1219
Address 0xb970

RegisterServiceCtrlHandlerW

Ordinal 1220
Address 0x171a0

RegisterTraceGuidsA

Ordinal 1221
Address 0x97174
ForwardName NTDLL.EtwRegisterTraceGuidsA

ReleaseIdentityProviderEnumContext

Ordinal 1222
Address 0x13d40

RemoveTraceCallback

Ordinal 1223
Address 0x50a40

ReparseServiceConfig

Ordinal 1224
Address 0x4c510

RpcClientCapabilityCheck

Ordinal 1225
Address 0x13e60

SetLocalRpcServerInterfaceSecurity

Ordinal 1226
Address 0x49b00

SetLocalRpcServerProtseqSecurity

Ordinal 1227
Address 0x49bf0

SetServiceObjectSecurity

Ordinal 1228
Address 0x4c5a0

SetServiceStatus

Ordinal 1229
Address 0x91e0

SetTraceCallback

Ordinal 1230
Address 0x50b40

StartServiceA

Ordinal 1231
Address 0x4c710

StartServiceCtrlDispatcherA

Ordinal 1232
Address 0x4cce0

StartServiceCtrlDispatcherW

Ordinal 1233
Address 0x8350

StartServiceW

Ordinal 1234
Address 0x7dd0

StartTraceA

Ordinal 1235
Address 0x14530

StartTraceW

Ordinal 1236
Address 0x83f0

StopTraceW

Ordinal 1237
Address 0x511b0

SubscribeServiceChangeNotifications

Ordinal 1238
Address 0x8da0

TraceQueryInformation

Ordinal 1239
Address 0x10da0

TraceSetInformation

Ordinal 1240
Address 0x511d0

UnsubscribeServiceChangeNotifications

Ordinal 1241
Address 0x16200

WaitServiceState

Ordinal 1242
Address 0x15510

1

Type MUI
Language English - United States
Codepage UNKNOWN
Size 0xc8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.69061
MD5 54307bd81196e216d575df6849da52cc
SHA1 025832dc7f741fefc75595170c52d1c3c75efd78
SHA256 24ab330dcc8b676b7c3837ff9c73b815957156758dc2c936785bb1812dec5aa3
SHA3 b6640b7050039e517270b6fa2d81b349efe17e705926886d15ded029c91cf73a

1 (#2)

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x3b0
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.55729
MD5 a92974447fcf12ab36a9b2ed3750922b
SHA1 8cec314448ccd04a03fda06132baab5bd290e49f
SHA256 4523fa212fb0f6c21856429e19b93fee6c084909a4ab93d5ef77621c21648686
SHA3 c4ea443f0a92b6168e46b98d8bac4f7813bcbbffb983fcd53a0e1fb4608d701a

5

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0xd4c
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.95795
MD5 3472ae2ccb909f672de15a2261467637
SHA1 014214ff421cca49df6fc4224358431183e53bb6
SHA256 988fbc2571c99cc648bfc68467fa496e1c683860758622525fa8c78471e11c72
SHA3 efb7e0ccab5f547eb69ca412f5365e3081d3089ad90a1ddcd1df425ee1a32297

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 10.0.22621.3296
ProductVersion 10.0.22621.3296
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
CompanyName Microsoft Corporation
FileDescription Host for SCM/SDDL/LSA Lookup APIs
FileVersion (#2) 10.0.22621.3296 (WinBuild.160101.0800)
InternalName sechost.dll
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename sechost.dll
ProductName Microsoft® Windows® Operating System
ProductVersion (#2) 10.0.22621.3296
Resource LangID English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2023-Jan-18 15:57:09
Version 0.0
SizeofData 36
AddressOfRawData 0x8f4a0
PointerToRawData 0x8f4a0
Referenced File sechost.pdb

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2023-Jan-18 15:57:09
Version 0.0
SizeofData 1308
AddressOfRawData 0x8f4c4
PointerToRawData 0x8f4c4

UNKNOWN

Characteristics 0
TimeDateStamp 2023-Jan-18 15:57:09
Version 0.0
SizeofData 36
AddressOfRawData 0x8f9e0
PointerToRawData 0x8f9e0

UNKNOWN (#2)

Characteristics 0
TimeDateStamp 2023-Jan-18 15:57:09
Version 0.0
SizeofData 4
AddressOfRawData 0x8fa04
PointerToRawData 0x8fa04

TLS Callbacks

Load Configuration

Size 0x140
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0x800
EditList 0
SecurityCookie 0x18009a900
GuardCFCheckFunctionPointer 6442967672
GuardCFDispatchFunctionPointer 0
GuardCFFunctionTable 0
GuardCFFunctionCount 0
GuardFlags (EMPTY)
CodeIntegrity.Flags 0
CodeIntegrity.Catalog 0
CodeIntegrity.CatalogOffset 0
CodeIntegrity.Reserved 0
GuardAddressTakenIatEntryTable 0
GuardAddressTakenIatEntryCount 0
GuardLongJumpTargetTable 0
GuardLongJumpTargetCount 0

RICH Header

XOR Key 0x94d373c9
Unmarked objects 0
Imports (30795) 2
C++ objects (30795) 2
Imports (VS2008 SP1 build 30729) 65
Total imports 399
C objects (30795) 12
ASM objects (30795) 4
Exports (30795) 1
C objects (POGO O) (30795) 87
Resource objects (30795) 1
Linker (30795) 1

Errors
