| Architecture | IMAGE_FILE_MACHINE_AMD64 |
|---|---|
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date | 1972-Dec-14 16:22:50 |
| Detected languages | English - United States |
| Debug artifacts | svchost.pdb |
| CompanyName | Microsoft Corporation |
| FileDescription | Host Process for Windows Services |
| FileVersion | 10.0.19041.546 (WinBuild.160101.0800) |
| InternalName | svchost.exe |
| LegalCopyright | © Microsoft Corporation. All rights reserved. |
| OriginalFilename | svchost.exe |
| ProductName | Microsoft® Windows® Operating System |
| ProductVersion | 10.0.19041.546 |

| Suspicious | Strings found in the binary may indicate undesirable behavior: | May have dropper capabilities: |
|---|---|---|
| Suspicious | The PE is possibly packed. | Unusual section name found: .didat |
| Malicious | The PE contains functions mostly used by malware. | [!] The program may be hiding some of its imports: |
| Info | The PE is digitally signed. | Signer: Microsoft Windows Publisher; Issuer: Microsoft Windows Production PCA 2011 |
| Safe | VirusTotal score: 0/72 (Scanned on 2020-11-21 17:23:06) | All the AVs think this file is safe. |

| e_magic | MZ |
|---|---|
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0xe8 |

| Signature | PE |
|---|---|
| Machine | IMAGE_FILE_MACHINE_AMD64 |
| NumberofSections | 7 |
| TimeDateStamp | 1972-Dec-14 16:22:50 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xf0 |
| Characteristics | IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE |

| Magic | PE32+ |
|---|---|
| LinkerVersion | 14.0 |
| SizeOfCode | 0x6600 |
| SizeOfInitializedData | 0x5a00 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x0000000000004E80 (Section: .text) |
| BaseOfCode | 0x1000 |
| ImageBase | 0x140000000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | A.0 |
| ImageVersion | A.0 |
| SubsystemVersion | A.0 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x11000 |
| SizeOfHeaders | 0x400 |
| Checksum | 0x1c364 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_GUARD_CF, IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
| SizeofStackReserve | 0x80000 |
| SizeofStackCommit | 0x4000 |
| SizeofHeapReserve | 0x100000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |

| api-ms-win-core-crt-l2-1-0.dll | _initterm, _initterm_e, __wgetmainargs, exit |
|---|---|
| api-ms-win-core-profile-l1-1-0.dll | QueryPerformanceCounter |
| api-ms-win-core-processthreads-l1-1-0.dll | GetCurrentProcess, GetCurrentThreadId, GetCurrentProcessId, OpenProcessToken, TerminateProcess, SetProcessAffinityUpdateMode, ExitProcess |
| api-ms-win-core-sysinfo-l1-1-0.dll | GetSystemTimeAsFileTime, GetTickCount64, GetTickCount |
| api-ms-win-core-rtlsupport-l1-1-0.dll | RtlLookupFunctionEntry, RtlCaptureContext, RtlVirtualUnwind |
| api-ms-win-core-errorhandling-l1-1-0.dll | GetLastError, SetErrorMode, SetUnhandledExceptionFilter, UnhandledExceptionFilter |
| api-ms-win-service-private-l1-1-3.dll | I_RegisterSvchostNotificationCallback |
| api-ms-win-core-crt-l1-1-0.dll | qsort_s, memcpy, memset, _wcsicmp |
| api-ms-win-core-libraryloader-l1-2-0.dll | GetProcAddress, FreeLibrary, GetModuleHandleW, LoadLibraryExW |
| api-ms-win-core-heap-l1-1-0.dll | HeapFree, GetProcessHeap, HeapAlloc, HeapSetInformation |
| api-ms-win-core-synch-l1-1-0.dll | LeaveCriticalSection, ReleaseSRWLockShared, AcquireSRWLockShared, InitializeSRWLock, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, EnterCriticalSection |
| api-ms-win-service-winsvc-l1-1-0.dll | RegisterServiceCtrlHandlerW |
| api-ms-win-service-core-l1-1-0.dll | SetServiceStatus, StartServiceCtrlDispatcherW |
| api-ms-win-core-string-l1-1-0.dll | MultiByteToWideChar, WideCharToMultiByte, CompareStringOrdinal |
| api-ms-win-core-registry-l1-1-0.dll | RegCloseKey, RegQueryValueExW, RegDisablePredefinedCacheEx, RegOpenKeyExW, RegGetValueW, RegEnumKeyExW |
| api-ms-win-core-processenvironment-l1-1-0.dll | ExpandEnvironmentStringsW, GetCommandLineW |
| api-ms-win-core-processthreads-l1-1-1.dll | SetProcessMitigationPolicy |
| api-ms-win-core-processthreads-l1-1-2.dll | SetProtectedPolicy |
| RPCRT4.dll | RpcServerUnregisterIf, I_RpcMapWin32Status, RpcMgmtSetServerStackSize, I_RpcServerDisableExceptionFilter, RpcServerUseProtseqEpW, RpcServerUnregisterIfEx, RpcMgmtStopServerListening, RpcServerListen, RpcMgmtWaitServerListen, RpcServerRegisterIf |
| api-ms-win-core-localization-l1-2-0.dll | LCMapStringW |
| api-ms-win-security-base-l1-1-0.dll | SetSecurityDescriptorGroup, SetSecurityDescriptorDacl, MakeAbsoluteSD, AddAccessAllowedAce, GetTokenInformation, GetLengthSid, InitializeAcl, SetSecurityDescriptorOwner, InitializeSecurityDescriptor |
| api-ms-win-core-handle-l1-1-0.dll | CloseHandle |
| api-ms-win-eventing-provider-l1-1-0.dll | EventRegister, EventSetInformation, EventWriteTransfer |
| api-ms-win-crt-utility-l1-1-0.dll | bsearch_s |
| api-ms-win-core-sidebyside-l1-1-0.dll | ActivateActCtx, DeactivateActCtx, ReleaseActCtx, CreateActCtxW |
| api-ms-win-core-threadpool-private-l1-1-0.dll | RegisterWaitForSingleObjectEx |
| ntdll.dll | RtlQueryHeapInformation, TpAllocTimer, _vsnwprintf, EtwEventEnabled, TpReleaseWait, RtlNtStatusToDosErrorNoTeb, TpSetWait, TpAllocWait, EtwEventRegister, RtlUnhandledExceptionFilter, NtSetInformationProcess, RtlSetProcessIsCritical, TpSetTimerEx, TpSetTimer, RtlImageNtHeader, RtlValidSecurityDescriptor, NtQuerySystemInformation, RtlRunOnceExecuteOnce, RtlNtStatusToDosError, RtlFreeHeap, EtwEventWrite, TpReleaseTimer, RtlInitializeCriticalSection, RtlInitializeSid, RtlSubAuthoritySid, RtlGetDeviceFamilyInfoEnum, RtlReleaseSRWLockExclusive, RtlSubAuthorityCountSid, RtlAcquireSRWLockExclusive, RtlLengthRequiredSid, RtlDeriveCapabilitySidsFromName, RtlCopySid, TpWaitForTimer, RtlAllocateHeap |
| api-ms-win-core-heap-l2-1-0.dll | LocalAlloc, LocalFree |
| api-ms-win-core-delayload-l1-1-1.dll | ResolveDelayLoadedAPI |
| api-ms-win-core-delayload-l1-1-0.dll | DelayLoadFailureHook |
| api-ms-win-core-com-l1-1-0.dll (delay-loaded) | CoInitializeEx, CoUninitialize, CoCreateInstance, CoInitializeSecurity, CLSIDFromString |

| Attributes | 0x1 |
|---|---|
| Name | api-ms-win-core-com-l1-1-0.dll |
| ModuleHandle | 0xc5d0 |
| DelayImportAddressTable | 0xe000 |
| DelayImportNameTable | 0xa218 |
| BoundDelayImportTable | 0xa2b0 |
| UnloadDelayImportTable | 0 |
| TimeStamp | 1970-Jan-01 00:00:00 |

| Signature | 0xfeef04bd |
|---|---|
| StructVersion | 0x10000 |
| FileVersion | 10.0.19041.546 |
| ProductVersion | 10.0.19041.546 |
| FileFlags | (EMPTY) |
| FileOs | VOS_DOS_WINDOWS32, VOS_NT, VOS_NT_WINDOWS32, VOS_WINCE, VOS__WINDOWS32 |
| FileType | VFT_APP |
| Language | English - United States |
| CompanyName | Microsoft Corporation |
| FileDescription | Host Process for Windows Services |
| FileVersion (#2) | 10.0.19041.546 (WinBuild.160101.0800) |
| InternalName | svchost.exe |
| LegalCopyright | © Microsoft Corporation. All rights reserved. |
| OriginalFilename | svchost.exe |
| ProductName | Microsoft® Windows® Operating System |
| ProductVersion (#2) | 10.0.19041.546 |

| Resource LangID | English - United States |
|---|---|

| Characteristics | 0 |
|---|---|
| TimeDateStamp | 1972-Dec-14 16:22:50 |
| Version | 0.0 |
| SizeofData | 36 |
| AddressOfRawData | 0x93f8 |
| PointerToRawData | 0x7df8 |
| Referenced File | svchost.pdb |

| Characteristics | 0 |
|---|---|
| TimeDateStamp | 1972-Dec-14 16:22:50 |
| Version | 0.0 |
| SizeofData | 996 |
| AddressOfRawData | 0x941c |
| PointerToRawData | 0x7e1c |

| Characteristics | 0 |
|---|---|
| TimeDateStamp | 1972-Dec-14 16:22:50 |
| Version | 0.0 |
| SizeofData | 36 |
| AddressOfRawData | 0x9800 |
| PointerToRawData | 0x8200 |

| Size | 0x118 |
|---|---|
| TimeDateStamp | 1970-Jan-01 00:00:00 |
| Version | 0.0 |
| GlobalFlagsClear | (EMPTY) |
| GlobalFlagsSet | (EMPTY) |
| CriticalSectionDefaultTimeout | 0 |
| DeCommitFreeBlockThreshold | 0 |
| DeCommitTotalFreeThreshold | 0 |
| LockPrefixTable | 0 |
| MaximumAllocationSize | 0 |
| VirtualMemoryThreshold | 0 |
| ProcessAffinityMask | 0 |
| ProcessHeapFlags | (EMPTY) |
| CSDVersion | 0 |
| Reserved1 | 0 |
| EditList | 0 |
| SecurityCookie | 0x14000c040 |
| GuardCFCheckFunctionPointer | 5368743952 |
| GuardCFDispatchFunctionPointer | 0 |
| GuardCFFunctionTable | 0 |
| GuardCFFunctionCount | 0 |
| GuardFlags | (EMPTY) |
| CodeIntegrity.Flags | 0 |
| CodeIntegrity.Catalog | 0 |
| CodeIntegrity.CatalogOffset | 0 |
| CodeIntegrity.Reserved | 0 |
| GuardAddressTakenIatEntryTable | 0 |
| GuardAddressTakenIatEntryCount | 0 |
| GuardLongJumpTargetTable | 0 |
| GuardLongJumpTargetCount | 0 |

| XOR Key | 0xf9cd5501 |
|---|---|
| Unmarked objects | 0 |
| Imports (27412) | 2 |
| ASM objects (27412) | 2 |
| Imports (VS2008 SP1 build 30729) | 59 |
| Total imports | 148 |
| 269 (27412) | 12 |
| C objects (27412) | 12 |
| Resource objects (27412) | 1 |
| Linker (27412) | 1 |