Summary

Field | Value |
---|---|
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
Compilation Date | 2009-Jul-14 01:10:28 |
Detected languages | English - United States |
Debug artifacts | sechost.pdb |
CompanyName | Microsoft Corporation |
FileDescription | Host for SCM/SDDL/LSA Lookup APIs |
FileVersion | 6.1.7600.16385 (win7_rtm.090713-1255) |
InternalName | sechost.dll |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | sechost.dll |
ProductName | Microsoft® Windows® Operating System |
ProductVersion | 6.1.7600.16385 |

Findings

Level | Finding | Detail |
---|---|---|
Info | Matching compiler(s): | Microsoft Visual C++ 6.0 - 8.0 |
Malicious | The PE contains functions mostly used by malware. | [!] The program may be hiding some of its imports: |
Suspicious | VirusTotal score: 1/67 (Scanned on 2021-06-24 05:02:03) | CrowdStrike: win/malicious_confidence_60% (W) |

How to read the findings: the "hiding some of its imports" warning is raised whenever a LoadLibrary variant and GetProcAddress are both imported, as they are here (LoadLibraryExA and GetProcAddress via API-MS-Win-Core-LibraryLoader-L1-1-0.dll), and the "functions mostly used by malware" verdict is a heuristic over imported API names (token, thread and debugger-query APIs are all present in the import table). Both describe capability, not intent, and both are expected in a library that hosts the SCM and LSA lookup APIs. The two CRYPTBASE.dll functions are declared in the delay-load directory further down, so they are not hidden. The compiler match (Visual C++ 6.0 - 8.0) is a byte-signature guess that disagrees with LinkerVersion 9.1 and with the Rich header (every entry is VS2008 SP1, build 30729); the Rich header is the better source. Finally, the version-resource strings and the sechost.pdb reference are plain data an attacker can copy, so nothing in this report by itself establishes that the file is the genuine Microsoft binary; that requires an Authenticode or catalog signature check, or a hash comparison against a known-good copy, neither of which the report includes.

DOS header (IMAGE_DOS_HEADER)

Field | Value |
---|---|
e_magic | MZ |
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xf0 |

File header (IMAGE_FILE_HEADER)

Field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_I386 |
NumberOfSections | 4 |
TimeDateStamp | 2009-Jul-14 01:10:28 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_DLL, IMAGE_FILE_EXECUTABLE_IMAGE |

Optional header (IMAGE_OPTIONAL_HEADER32)

Field | Value |
---|---|
Magic | PE32 |
LinkerVersion | 9.1 |
SizeOfCode | 0x12e00 |
SizeOfInitializedData | 0x3a00 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x00004975 (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0x14000 |
ImageBase | 0x75e00000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 6.1 |
ImageVersion | 6.1 |
SubsystemVersion | 6.1 |
Win32VersionValue | 0 |
SizeOfImage | 0x19000 |
SizeOfHeaders | 0x600 |
Checksum | 0x25332 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT |
SizeOfStackReserve | 0x40000 |
SizeOfStackCommit | 0x1000 |
SizeOfHeapReserve | 0x100000 |
SizeOfHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |

DYNAMIC_BASE marks the image as ASLR-compatible and NX_COMPAT opts it into DEP. NO_SEH is not set, so the module uses structured exception handling; whether that is SafeSEH-protected is decided by the SEHandlerTable in the load configuration directory below. The entry point (0x4975) lies inside the code range BaseOfCode..BaseOfCode+SizeOfCode (0x1000..0x13dff), as expected for an unpacked image.
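The three header tables above are what a PE parser reads first, in the order DOS header, e_lfanew, "PE\0\0" signature, file header, optional header. The following is an added example (not code from the report or from Manalyzer) that walks that chain in pure Python and decodes the Characteristics and DllCharacteristics bit fields into the same constant names the tables use. The sample buffer is constructed inside the block from the values printed above for sechost.dll 6.1.7600.16385; it contains headers only, no sections, so it is not a loadable image. The e_lfanew parameter of build_sample_headers() is hypothetical and exists only to show the bounds check rejecting a hostile offset.

```python
"""Walk the DOS header -> e_lfanew -> "PE\\0\\0" -> IMAGE_FILE_HEADER ->
IMAGE_OPTIONAL_HEADER32 chain and decode the flag fields tabulated above.

Added example, not code from the report or from Manalyzer. The sample buffer is
constructed from the header values printed above for sechost.dll 6.1.7600.16385
and holds headers only (no sections), so it is not a loadable image. The e_lfanew
parameter of build_sample_headers() is hypothetical; it only exercises the bounds check."""
from __future__ import annotations

import struct
from datetime import datetime, timezone

IMAGE_DOS_SIGNATURE = 0x5A4D           # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550        # "PE\0\0"
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B  # PE32
DOS_HEADER_SIZE = 64
FILE_HEADER_FMT = "<HHIIIHH"           # IMAGE_FILE_HEADER, 20 bytes
OPT_HEADER32_FMT = "<HBB9I6H4I2H6I"    # IMAGE_OPTIONAL_HEADER32 before the data directories, 96 bytes
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
FILE_CHARACTERISTICS = {0x0002: "IMAGE_FILE_EXECUTABLE_IMAGE", 0x0100: "IMAGE_FILE_32BIT_MACHINE",
                        0x2000: "IMAGE_FILE_DLL"}
DLL_CHARACTERISTICS = {0x0040: "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE",
                       0x0100: "IMAGE_DLLCHARACTERISTICS_NX_COMPAT",
                       0x0400: "IMAGE_DLLCHARACTERISTICS_NO_SEH"}
MACHINES = {0x014C: "IMAGE_FILE_MACHINE_I386", 0x8664: "IMAGE_FILE_MACHINE_AMD64"}
SUBSYSTEMS = {2: "IMAGE_SUBSYSTEM_WINDOWS_GUI", 3: "IMAGE_SUBSYSTEM_WINDOWS_CUI"}


def decode_flags(value: int, table: dict[int, str]) -> list[str]:
    """Names of the known bits set in value, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def build_sample_headers(e_lfanew: int = 0xF0) -> bytes:
    """Constructed sample: the sechost.dll header values from the report, packed."""
    dos = bytearray(DOS_HEADER_SIZE)
    struct.pack_into("<H", dos, 0x00, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<HH", dos, 0x02, 0x90, 0x3)       # e_cblp, e_cp
    struct.pack_into("<H", dos, 0x08, 0x4)              # e_cparhdr
    struct.pack_into("<I", dos, 0x3C, e_lfanew)         # where "PE\0\0" is claimed to be
    stub = b"\0" * (0xF0 - DOS_HEADER_SIZE)             # DOS stub + Rich header live here in a real file
    ts = int(datetime(2009, 7, 14, 1, 10, 28, tzinfo=timezone.utc).timestamp())
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x14C, 4, ts, 0, 0, 0xE0, 0x2102)  # I386, 4 sections, EXE|32BIT|DLL
    opt_hdr = struct.pack(
        OPT_HEADER32_FMT,
        0x10B, 9, 1,                                    # PE32 magic, linker 9.1
        0x12E00, 0x3A00, 0, 0x4975, 0x1000, 0x14000,    # code/data sizes, entry point, BaseOfCode, BaseOfData
        0x75E00000, 0x1000, 0x200,                      # ImageBase, SectionAlignment, FileAlignment
        6, 1, 6, 1, 6, 1,                               # OS, image and subsystem versions 6.1
        0, 0x19000, 0x600, 0x25332,                     # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        3, 0x0140,                                      # WINDOWS_CUI; DYNAMIC_BASE | NX_COMPAT
        0x40000, 0x1000, 0x100000, 0x1000, 0, 16)       # stack/heap sizes, LoaderFlags, NumberOfRvaAndSizes
    return bytes(dos) + stub + b"PE\0\0" + file_hdr + opt_hdr + b"\0" * (16 * 8)  # 16 empty data directories


def parse_pe_headers(buf: bytes) -> dict:
    """Parse a PE32 header chain without following out-of-range offsets."""
    if len(buf) < DOS_HEADER_SIZE or struct.unpack_from("<H", buf, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    fh_size = struct.calcsize(FILE_HEADER_FMT)
    # e_lfanew comes from the file, so bound it before dereferencing anything through it.
    if e_lfanew < DOS_HEADER_SIZE or e_lfanew + 4 + fh_size > len(buf):
        raise ValueError(f"e_lfanew {e_lfanew:#x} out of range")
    if struct.unpack_from("<I", buf, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature missing")
    machine, nsect, ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from(FILE_HEADER_FMT, buf, e_lfanew + 4)
    opt_off = e_lfanew + 4 + fh_size
    if opt_size < struct.calcsize(OPT_HEADER32_FMT) or opt_off + opt_size > len(buf):
        raise ValueError("optional header truncated")
    o = struct.unpack_from(OPT_HEADER32_FMT, buf, opt_off)
    if o[0] != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError(f"unsupported optional header magic {o[0]:#x}")
    entry, base_of_code, size_of_code = o[6], o[7], o[3]
    dll_chars = decode_flags(o[23], DLL_CHARACTERISTICS)
    when = datetime.fromtimestamp(ts, tz=timezone.utc)
    return {
        "Machine": MACHINES.get(machine, f"{machine:#06x}"),
        "NumberOfSections": nsect,
        "TimeDateStamp": f"{when.year}-{MONTHS[when.month - 1]}-{when.day:02d} {when:%H:%M:%S}",
        "Characteristics": decode_flags(chars, FILE_CHARACTERISTICS),
        "LinkerVersion": f"{o[1]}.{o[2]}",
        "AddressOfEntryPoint": entry,
        "EntryPointInCode": base_of_code <= entry < base_of_code + size_of_code,
        "ImageBase": o[9],
        "SizeOfImage": o[19],
        "Subsystem": SUBSYSTEMS.get(o[22], str(o[22])),
        "DllCharacteristics": dll_chars,
        # DYNAMIC_BASE only opts in to ASLR (a .reloc section is also needed); NX_COMPAT opts in to DEP.
        "ASLR": "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE" in dll_chars,
        "DEP": "IMAGE_DLLCHARACTERISTICS_NX_COMPAT" in dll_chars,
    }


if __name__ == "__main__":
    for field, value in parse_pe_headers(build_sample_headers()).items():
        print(f"{field:<20} {value}")
```

Run on a real file by replacing build_sample_headers() with the first few kilobytes of the file (open(path, "rb").read(4096) is enough for the headers). The point of the checks on e_lfanew and SizeOfOptionalHeader is that both are read from attacker-controlled bytes; a parser that trusts them reads out of bounds on a crafted file, which is exactly the kind of input a triage pipeline sees.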

Imports

Library | Functions |
---|---|
ntdll.dll | RtlValidSid, RtlValidAcl, RtlFirstFreeAce, RtlCopySid, RtlSubAuthoritySid, RtlInitializeSid, RtlSubAuthorityCountSid, RtlLengthSid, RtlConvertSidToUnicodeString, RtlFreeUnicodeString, RtlInitializeCriticalSectionEx, RtlDeleteCriticalSection, NtQueueApcThread, LdrQueryModuleServiceTags, NtQueryInformationThread, RtlEqualSid, RtlInitUnicodeString, RtlCreateServiceSid, NtSetInformationThread, RtlRunOnceExecuteOnce, WinSqmAddToStream, NtQueryInformationProcess, RtlMakeSelfRelativeSD, RtlNtStatusToDosError, RtlAddAuditAccessObjectAce, RtlAddAce, RtlAddAccessDeniedObjectAce, RtlAddAccessAllowedAceEx, RtlAddAccessDeniedAceEx, RtlAddAuditAccessAceEx, RtlAddAccessAllowedObjectAce, RtlGetControlSecurityDescriptor, RtlGetSaclSecurityDescriptor, RtlGetDaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, RtlAbsoluteToSelfRelativeSD, RtlSetSaclSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlSetGroupSecurityDescriptor, RtlSetOwnerSecurityDescriptor, RtlCreateSecurityDescriptor, RtlInitAnsiString, RtlCopyUnicodeString, RtlUnicodeToMultiByteSize, RtlUnicodeStringToAnsiString, RtlNtStatusToDosErrorNoTeb, RtlAllocateHeap, RtlFreeHeap, RtlCreateAcl, DbgPrintEx, RtlAnsiStringToUnicodeString, RtlUnhandledExceptionFilter, NtTerminateProcess |
API-MS-Win-Core-LibraryLoader-L1-1-0.dll | LoadLibraryExA, FreeLibrary, GetProcAddress, GetModuleHandleExW, DisableThreadLibraryCalls |
API-MS-Win-Core-ErrorHandling-L1-1-0.dll | GetLastError, SetLastError |
API-MS-Win-Core-Interlocked-L1-1-0.dll | InterlockedCompareExchange, InterlockedExchange |
API-MS-Win-Core-DelayLoad-L1-1-0.dll | DelayLoadFailureHook |
msvcrt.dll | memcpy, _wcsicmp, wcsrchr, wcsstr, memset, qsort, _wcsnicmp, iswctype, _wcstoui64, wcschr, wcstoul, wcscpy_s, wcsncpy_s, _ultow, swprintf_s, _vsnwprintf, wcstok, isalnum, isspace, _errno, _except_handler4_common, _wcslwr |
API-MS-Win-Core-Debug-L1-1-0.dll | IsDebuggerPresent |
API-MS-Win-Core-Handle-L1-1-0.dll | CloseHandle |
API-MS-Win-Core-LocalRegistry-L1-1-0.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey |
API-MS-Win-Core-Misc-L1-1-0.dll | LocalFree, LocalAlloc, IsWow64Process, Sleep, lstrcmpiW, LocalReAlloc |
API-MS-Win-Core-ProcessThreads-L1-1-0.dll | GetCurrentProcess, TlsSetValue, TlsGetValue, SetThreadPriority, OpenProcessToken, GetCurrentProcessId, GetThreadPriority, TerminateThread, CreateThread, TlsAlloc, GetCurrentThreadId, GetProcessTimes, OpenThread, ResumeThread |
API-MS-Win-Security-Base-L1-1-0.dll | EqualSid, AdjustTokenGroups, GetSidSubAuthorityCount, FreeSid, AllocateAndInitializeSid, GetTokenInformation, IsValidSecurityDescriptor, GetSidSubAuthority |
API-MS-Win-Core-String-L1-1-0.dll | CompareStringW |
API-MS-Win-Core-Synch-L1-1-0.dll | CreateEventA, OpenEventW, CreateEventW, WaitForSingleObject, LeaveCriticalSection, EnterCriticalSection, ResetEvent, SleepEx |
API-MS-Win-Core-SysInfo-L1-1-0.dll | GetComputerNameExW |
RPCRT4.dll | RpcRevertToSelf, RpcImpersonateClient, RpcBindingFree, RpcBindingSetOption, I_RpcExceptionFilter, RpcAsyncCancelCall, RpcAsyncInitializeHandle, RpcBindingSetAuthInfoExW, RpcStringFreeW, RpcBindingFromStringBindingW, RpcStringBindingComposeW, UuidCreate, RpcSmDestroyClientContext, UuidIsNil, UuidEqual, NdrClientCall2, NdrAsyncClientCall, UuidFromStringW, UuidToStringW, I_RpcMapWin32Status, RpcSsDestroyClientContext, RpcStringBindingParseW, RpcBindingToStringBindingW, RpcBindingServerFromClient, RpcSsGetContextBinding, RpcServerInqCallAttributesA, RpcAsyncCompleteCall |
CRYPTBASE.dll (delay-loaded) | SystemFunction028, SystemFunction004 |

The API-MS-Win-* names are API set contracts, not files on disk: the loader redirects them to the implementing host DLL (kernel32/kernelbase and friends) at load time, so a rule written against "kernel32.dll!GetProcAddress" will miss these imports unless it normalises the contract names.

Delay-load import descriptor (IMAGE_DELAYLOAD_DESCRIPTOR)

Field | Value |
---|---|
Attributes | 0x1 |
Name | CRYPTBASE.dll |
ModuleHandle | 0x1622c |
DelayImportAddressTable | 0x15de0 |
DelayImportNameTable | 0x12184 |
BoundDelayImportTable | 0x121b8 |
UnloadDelayImportTable | 0 |
TimeStamp | 1970-Jan-01 00:00:00 (0: not bound) |

Attributes 0x1 (RvaBased) means the table fields are RVAs rather than virtual addresses. The two CRYPTBASE.dll functions are resolved on first call through the delay-load helper instead of at load time, which is why the scanner lists the module separately from the import directory; they are nonetheless declared in the file and visible to static analysis.
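The "may be hiding some of its imports" and "functions mostly used by malware" flags in the findings table are produced by rules over the import names listed above. The following added example (not Manalyzer's code, and not its rule set: the categories and API lists in RULES are this example's own assumptions) re-runs a triage of that kind over the report's import table to show which names trip it and why a Microsoft system DLL scores the way it does. The import table is transcribed from the tables above for sechost.dll 6.1.7600.16385 and abridged to the modules whose functions the rules examine; the delay-load entry is kept separate, because delay-loaded functions are declared and therefore are not hidden imports.

```python
"""Re-run an import-name triage of the kind that produced the "may be hiding
some of its imports" and "functions mostly used by malware" flags above.

Added example, not Manalyzer's code: the categories and API lists in RULES are
this example's own assumptions, not the scanner's rule set. The import table is
transcribed from the report for sechost.dll 6.1.7600.16385 and abridged to the
modules whose functions the rules look at."""
from __future__ import annotations

import re

# Sample input, transcribed (abridged) from the import tables above.
REPORT_IMPORTS = {
    "ntdll.dll": ["RtlValidSid", "NtQueueApcThread", "NtQueryInformationThread",
                  "NtSetInformationThread", "NtQueryInformationProcess", "RtlCreateServiceSid",
                  "RtlAllocateHeap", "RtlFreeHeap", "DbgPrintEx", "NtTerminateProcess"],
    "API-MS-Win-Core-LibraryLoader-L1-1-0.dll": ["LoadLibraryExA", "FreeLibrary", "GetProcAddress",
                                                 "GetModuleHandleExW", "DisableThreadLibraryCalls"],
    "API-MS-Win-Core-Debug-L1-1-0.dll": ["IsDebuggerPresent"],
    "API-MS-Win-Core-ProcessThreads-L1-1-0.dll": ["GetCurrentProcess", "OpenProcessToken", "TerminateThread",
                                                  "CreateThread", "OpenThread", "ResumeThread"],
    "API-MS-Win-Security-Base-L1-1-0.dll": ["EqualSid", "AdjustTokenGroups", "GetTokenInformation",
                                            "AllocateAndInitializeSid"],
    "RPCRT4.dll": ["RpcImpersonateClient", "RpcRevertToSelf", "NdrClientCall2"],
}
REPORT_DELAY_LOADS = {"CRYPTBASE.dll": ["SystemFunction028", "SystemFunction004"]}

# Hypothetical rule set (this example's assumption, not the scanner's).
RULES = {
    "dynamic_import_resolution": {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
                                  "GetProcAddress"},
    "debugger_detection": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                           "NtQueryInformationProcess", "NtSetInformationThread"},
    "token_manipulation": {"OpenProcessToken", "GetTokenInformation", "AdjustTokenGroups",
                           "AdjustTokenPrivileges"},
    "thread_control": {"NtQueueApcThread", "QueueUserAPC", "OpenThread", "ResumeThread",
                       "CreateRemoteThread"},
    "process_termination": {"NtTerminateProcess", "TerminateProcess"},
}

_APISET_SUFFIX = re.compile(r"-l\d+-\d+-\d+\.dll$", re.IGNORECASE)


def apiset_contract(module: str) -> str:
    """Strip the -L<n>-<m>-<k>.dll version suffix from an API set name so that
    rules written against a contract match across Windows builds."""
    return _APISET_SUFFIX.sub("", module)


def triage_imports(imports: dict[str, list[str]], delay_loads: dict[str, list[str]]) -> dict:
    """Apply RULES to an import table; returns the hits, not a verdict."""
    names = {n for funcs in imports.values() for n in funcs}
    categories = {cat: sorted(names & apis) for cat, apis in RULES.items() if names & apis}
    # The "may be hiding imports" flag: a LoadLibrary* + GetProcAddress pair lets the binary
    # resolve further APIs at run time that never appear in the import table.
    runtime_resolution = "GetProcAddress" in names and any(n.startswith("LoadLibrary") for n in names)
    return {
        "categories": categories,
        "may_resolve_imports_at_runtime": runtime_resolution,
        # Delay-loaded functions are declared in their own directory; they are not hidden.
        "declared_delay_loads": {m: sorted(f) for m, f in delay_loads.items()},
        "api_set_contracts": sorted({apiset_contract(m) for m in imports if m.lower().startswith("api-ms-win-")}),
        "score": len(categories),
    }


if __name__ == "__main__":
    result = triage_imports(REPORT_IMPORTS, REPORT_DELAY_LOADS)
    for cat, hits in result["categories"].items():
        print(f"{cat:<27} {', '.join(hits)}")
    print("may resolve imports at run time:", result["may_resolve_imports_at_runtime"])
    print("declared delay loads:", result["declared_delay_loads"])
    # Every category fires on a Microsoft system DLL: the score is a triage hint, not a verdict.
```

All five categories fire on this file, which is the lesson: import-name heuristics measure what a binary can do, and an SCM/LSA lookup host legitimately opens tokens, queues APCs to its own threads and asks whether a debugger is attached. Use the result to decide what to look at next (provenance, signature, behaviour), not as a detection on its own.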

Exports (by ordinal; the report lists no names)

Ordinal | Address |
---|---|
1 | 0x54c2 |
2 | 0x55e2 |
3 | 0x5254 |
4 | 0x53d5 |
5 | 0x4dc3 |
6 | 0x4d5c |
7 | 0x5ca0 |
8 | 0x5d8c |
9 | 0xe0e4 |
10 | 0xa901 |
11 | 0xe093 |
12 | 0xddfc |
13 | 0x567c |
14 | 0x589f |
15 | 0x5a22 |
16 | 0x72d8 |
17 | 0x71c5 |
18 | 0x733f |
19 | 0x7c40 |
20 | 0x5f8a |
21 | 0x8e4e |
22 | 0x8e3e |
23 | 0x5e7d |
24 | 0x71c5 |
25 | 0x6b9d |
26 | 0x10180 |
27 | 0x10270 |
28 | 0x1048e |
29 | 0x105da |
30 | 0x106b5 |
31 | 0x10b2a |
32 | 0x10c53 |
33 | 0x10b9d |
34 | 0x10634 |
35 | 0x108b6 |
36 | 0x10a0e |
37 | 0xa0ff |
38 | 0xa11d |
39 | 0xa0ff |
40 | 0x64f0 |
41 | 0x63ad |
42 | 0x7245 |
43 | 0x714b |
44 | 0x6633 |
45 | 0x680c |
46 | 0x5a83 |
47 | 0x5b29 |
48 | 0x50f4 |
49 | 0x4e4b |
50 | 0x4eaf |
51 | 0x7d64 |
52 | 0x7dc6 |
53 | 0x7da8 |
54 | 0x7d47 |
55 | 0x5181 |
56 | 0x4f9c |
57 | 0x508d |
58 | 0x84eb |
59 | 0x85b2 |
60 | 0x4f35 |

Addresses are RVAs; all 60 fall inside .text (0x1000..0x13dff). Ordinals 17 and 24 both resolve to 0x71c5 and ordinals 37 and 39 both to 0xa0ff, so two pairs of exports share one implementation.

Version resource (VS_FIXEDFILEINFO and StringFileInfo)

Field | Value |
---|---|
Signature | 0xfeef04bd |
StructVersion | 0x10000 |
FileVersion | 6.1.7600.16385 |
ProductVersion | 6.1.7600.16385 |
FileFlags | (EMPTY) |
FileOs | VOS_DOS_WINDOWS32, VOS_NT, VOS_NT_WINDOWS32, VOS_WINCE, VOS__WINDOWS32 |
FileType | VFT_APP |
Language | English - United States |
CompanyName | Microsoft Corporation |
FileDescription | Host for SCM/SDDL/LSA Lookup APIs |
FileVersion (#2) | 6.1.7600.16385 (win7_rtm.090713-1255) |
InternalName | sechost.dll |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | sechost.dll |
ProductName | Microsoft® Windows® Operating System |
ProductVersion (#2) | 6.1.7600.16385 |
Resource LangID | English - United States |

The FileOs list is the tool expanding a single stored value (consistent with VOS_NT_WINDOWS32, 0x00040004) into every constant that shares a bit with it; VOS_WINCE and VOS_DOS_WINDOWS32 are artefacts of that expansion, not separate targets. FileType is VFT_APP even though the file header sets IMAGE_FILE_DLL; the field is filled in by whoever authored the resource and is not consulted by the loader, so it carries no weight either way.

Debug directory (IMAGE_DEBUG_DIRECTORY)

Field | Value |
---|---|
Characteristics | 0 |
TimeDateStamp | 2009-Jul-13 23:11:58 |
Version | 0.0 |
SizeofData | 36 |
AddressOfRawData | 0x4938 |
PointerToRawData | 0x3f38 |
Referenced File | sechost.pdb |

The debug entry's timestamp is about two hours earlier than the file header's (2009-Jul-14 01:10:28). The .pdb name is a plain string stored in the file; it is useful for symbol lookup but is not evidence of origin.

Load configuration directory (IMAGE_LOAD_CONFIG_DIRECTORY32)

Field | Value |
---|---|
Size | 0x48 |
TimeDateStamp | 1970-Jan-01 00:00:00 |
Version | 0.0 |
GlobalFlagsClear | (EMPTY) |
GlobalFlagsSet | (EMPTY) |
CriticalSectionDefaultTimeout | 0 |
DeCommitFreeBlockThreshold | 0 |
DeCommitTotalFreeThreshold | 0 |
LockPrefixTable | 0 |
MaximumAllocationSize | 0 |
VirtualMemoryThreshold | 0 |
ProcessAffinityMask | 0 |
ProcessHeapFlags | (EMPTY) |
CSDVersion | 0 |
Reserved1 | 0 |
EditList | 0 |
SecurityCookie | 0x75e14000 |
SEHandlerTable | 0x75e04960 |
SEHandlerCount | 1 |

A non-zero SecurityCookie (a virtual address in .data; 0x75e14000 is ImageBase + BaseOfData) means the image was built with /GS stack cookies, and a non-zero SEHandlerTable with SEHandlerCount 1 means it was linked with /SAFESEH: the exception dispatcher will accept only that one registered handler for this module. Both fields are virtual addresses computed for the preferred ImageBase and are fixed up by the relocation data when the image is loaded elsewhere under DYNAMIC_BASE. Size 0x48 is the 72-byte layout that ends at SEHandlerCount; the later Control Flow Guard fields do not exist in this structure.

Rich header (XOR key 0x611c453c)

Component | Count |
---|---|
Unmarked objects | 0 |
C++ objects (VS2008 SP1 build 30729) | 12 |
ASM objects (VS2008 SP1 build 30729) | 3 |
Total imports | 172 |
Imports (VS2008 SP1 build 30729) | 33 |
Exports (VS2008 SP1 build 30729) | 1 |
C objects (VS2008 SP1 build 30729) | 16 |
Linker (VS2008 SP1 build 30729) | 1 |
Resource objects (VS2008 SP1 build 30729) | 1 |

Every tool entry carries build 30729, i.e. Visual Studio 2008 SP1 (Visual C++ 9.0), which agrees with the 9.x linker version in the optional header and with the win7_rtm.090713-1255 build string, and contradicts the byte-signature compiler match (Visual C++ 6.0 - 8.0) in the findings. The Rich header is written by the linker and XOR-masked with the key shown; it is routinely used to cluster samples by toolchain and is also trivially forged or stripped, so treat it as corroboration rather than proof.