Manalyze report for f586835082f632dc8d9404d83bc16316

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	1972-Dec-14 16:22:50
Detected languages	English - United States
Debug artifacts	svchost.pdb
CompanyName	Microsoft Corporation
FileDescription	Host Process for Windows Services
FileVersion	`10.0.19041.546 (WinBuild.160101.0800)`
InternalName	svchost.exe
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	svchost.exe
ProductName	Microsoft® Windows® Operating System
ProductVersion	`10.0.19041.546`

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`May have dropper capabilities: CurrentControlSet\Services`
Suspicious	The PE is possibly packed.	`Unusual section name found: .didat`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW` `Functions which can be used for anti-debugging purposes: NtQuerySystemInformation` `Can access the registry: RegCloseKey RegQueryValueExW RegOpenKeyExW RegGetValueW RegEnumKeyExW` `Uses Windows's Native API: NtSetInformationProcess NtQuerySystemInformation` `Functions related to the privilege level: OpenProcessToken`
Info	The PE is digitally signed.	`Signer: Microsoft Windows Publisher` `Issuer: Microsoft Windows Production PCA 2011`
Safe	VirusTotal score: 0/72 (Scanned on 2020-11-21 17:23:06)	`All the AVs think this file is safe.`

Hashes

MD5	`f586835082f632dc8d9404d83bc16316`
SHA1	`010db07461e45b41c886192df6fd425ba8d42d82`
SHA256	`643ec58e82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7`
SHA3	`f9c69f39e892299ddfe14b167a108bc1031073d204f205a232e5d4f2b095f3db`
SSDeep	`768:DPLnVeJ+4jnLejsSOQ3DOIKBL4DbNHeDA/YCN8HVvWc9w3Y1P6j3w:DDVeHnLejsT9k1HeGYbVWc9w3gP6jw`
Imports Hash	`5922afb5df8c64c2f320bf24aa2a6d20`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`7`
TimeDateStamp	1972-Dec-14 16:22:50
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0x6600`
SizeOfInitializedData	`0x5a00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000004E80 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`A.0`
ImageVersion	`A.0`
SubsystemVersion	`A.0`
Win32VersionValue	`0`
SizeOfImage	`0x11000`
SizeOfHeaders	`0x400`
Checksum	`0x1c364`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x80000`
SizeofStackCommit	`0x4000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`fc14482de1f87ed3939f607498d097a1`
SHA1	`2469c0206ea4642f63e8e3f3eae5db42c35d23d4`
SHA256	`b1a2a4056ef8f3c2b3c9f6fe9bb475b003831d8beb7c9bd9b8c0f1edbee21408`
SHA3	`d9d199975fae08b79e85034a248a0f3f6a4ff64d786812537ab55a4f3f29b20e`
VirtualSize	`0x657d`
VirtualAddress	`0x1000`
SizeOfRawData	`0x6600`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.91995`

.rdata

MD5	`b56debc26be468f780ca5318a56d9d7f`
SHA1	`c87e37ad1adc35bd0579e2b7dfc8e23aadcd6a3d`
SHA256	`30959d1cd4baf6820fcbd0a593316502c8e32f499b0f05ce89feb14e552e8edf`
SHA3	`393ac34b4d33646206df21e124de35851aa2c349d73c0c34f6563bf884962ebe`
VirtualSize	`0x38e2`
VirtualAddress	`0x8000`
SizeOfRawData	`0x3a00`
PointerToRawData	`0x6a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.51685`

.data

MD5	`99dd770e6464db8f082e0f0e825fbdd4`
SHA1	`289408a9f1719bfb2bbe38cd9114cee8bab18c31`
SHA256	`0aba86986c3c99a38a10adaeab93a28afa6d154e102a1c568598d08a43837cb2`
SHA3	`94695a35cdca83dec1c4e80c07617b4874500363d48149ba86bc2095a372ef44`
VirtualSize	`0x888`
VirtualAddress	`0xc000`
SizeOfRawData	`0x200`
PointerToRawData	`0xa400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.378703`

.pdata

MD5	`98e306063537611b313d43c844535d45`
SHA1	`410f92b3daff2554348f2b2c1efe7f2856b55bf8`
SHA256	`b14bd997c743e8b1c6c3749cdd25382b70393578daf0acf17dcc48e8b3e307ab`
SHA3	`ba19a5804c2eb36994b45ef759bbbf88fa885d813e47830ef7d208035b3e7522`
VirtualSize	`0x69c`
VirtualAddress	`0xd000`
SizeOfRawData	`0x800`
PointerToRawData	`0xa600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.85127`

.didat

MD5	`6cb6ac498fd30180016e0647aa9de652`
SHA1	`f1055cd60e12070f3ebf5cf10fb6a2232763b355`
SHA256	`da851ab07660cfb9172e4e13ee11db7d0d618d3ca8162da15763b48e58f9399d`
SHA3	`14ab2218d33f40d22e64a3f6b0e3ed2d659873a67d4be1b3352d5db00de56d12`
VirtualSize	`0x30`
VirtualAddress	`0xe000`
SizeOfRawData	`0x200`
PointerToRawData	`0xae00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.345827`

.rsrc

MD5	`65a22185a5352802648cae0d6cb4832c`
SHA1	`cdf04502eae311a29562d9df74f33242ccc82d02`
SHA256	`28d897e99cdd119bb1a1668fc702a1f0e4b364023e5f7c9c106360df28b466bc`
SHA3	`9dbbedbb85e28bc9a2445de6c546415e4a9774a73dcbba7acef313d054055deb`
VirtualSize	`0x820`
VirtualAddress	`0xf000`
SizeOfRawData	`0xa00`
PointerToRawData	`0xb000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.74623`

.reloc

MD5	`bebba019fc48accb5b8eb04938965ff2`
SHA1	`e4f99de9850d9b9ecc6a218a7ae06110356367f4`
SHA256	`c0665d848e796fc0648e825c132f511249573646ef371902ee114185c44ec15c`
SHA3	`c90a1f6e7f07ee60856c8fac4cb94fe9e46a3e004a766873ec2362ba3dff4d63`
VirtualSize	`0x6c`
VirtualAddress	`0x10000`
SizeOfRawData	`0x200`
PointerToRawData	`0xba00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`1.27754`

Imports

api-ms-win-core-crt-l2-1-0.dll	`_initterm` `_initterm_e` `__wgetmainargs` `exit`
api-ms-win-core-profile-l1-1-0.dll	`QueryPerformanceCounter`
api-ms-win-core-processthreads-l1-1-0.dll	`GetCurrentProcess` `GetCurrentThreadId` `GetCurrentProcessId` `OpenProcessToken` `TerminateProcess` `SetProcessAffinityUpdateMode` `ExitProcess`
api-ms-win-core-sysinfo-l1-1-0.dll	`GetSystemTimeAsFileTime` `GetTickCount64` `GetTickCount`
api-ms-win-core-rtlsupport-l1-1-0.dll	`RtlLookupFunctionEntry` `RtlCaptureContext` `RtlVirtualUnwind`
api-ms-win-core-errorhandling-l1-1-0.dll	`GetLastError` `SetErrorMode` `SetUnhandledExceptionFilter` `UnhandledExceptionFilter`
api-ms-win-service-private-l1-1-3.dll	`I_RegisterSvchostNotificationCallback`
api-ms-win-core-crt-l1-1-0.dll	`qsort_s` `memcpy` `memset` `_wcsicmp`
api-ms-win-core-libraryloader-l1-2-0.dll	`GetProcAddress` `FreeLibrary` `GetModuleHandleW` `LoadLibraryExW`
api-ms-win-core-heap-l1-1-0.dll	`HeapFree` `GetProcessHeap` `HeapAlloc` `HeapSetInformation`
api-ms-win-core-synch-l1-1-0.dll	`LeaveCriticalSection` `ReleaseSRWLockShared` `AcquireSRWLockShared` `InitializeSRWLock` `ReleaseSRWLockExclusive` `AcquireSRWLockExclusive` `EnterCriticalSection`
api-ms-win-service-winsvc-l1-1-0.dll	`RegisterServiceCtrlHandlerW`
api-ms-win-service-core-l1-1-0.dll	`SetServiceStatus` `StartServiceCtrlDispatcherW`
api-ms-win-core-string-l1-1-0.dll	`MultiByteToWideChar` `WideCharToMultiByte` `CompareStringOrdinal`
api-ms-win-core-registry-l1-1-0.dll	`RegCloseKey` `RegQueryValueExW` `RegDisablePredefinedCacheEx` `RegOpenKeyExW` `RegGetValueW` `RegEnumKeyExW`
api-ms-win-core-processenvironment-l1-1-0.dll	`ExpandEnvironmentStringsW` `GetCommandLineW`
api-ms-win-core-processthreads-l1-1-1.dll	`SetProcessMitigationPolicy`
api-ms-win-core-processthreads-l1-1-2.dll	`SetProtectedPolicy`
RPCRT4.dll	`RpcServerUnregisterIf` `I_RpcMapWin32Status` `RpcMgmtSetServerStackSize` `I_RpcServerDisableExceptionFilter` `RpcServerUseProtseqEpW` `RpcServerUnregisterIfEx` `RpcMgmtStopServerListening` `RpcServerListen` `RpcMgmtWaitServerListen` `RpcServerRegisterIf`
api-ms-win-core-localization-l1-2-0.dll	`LCMapStringW`
api-ms-win-security-base-l1-1-0.dll	`SetSecurityDescriptorGroup` `SetSecurityDescriptorDacl` `MakeAbsoluteSD` `AddAccessAllowedAce` `GetTokenInformation` `GetLengthSid` `InitializeAcl` `SetSecurityDescriptorOwner` `InitializeSecurityDescriptor`
api-ms-win-core-handle-l1-1-0.dll	`CloseHandle`
api-ms-win-eventing-provider-l1-1-0.dll	`EventRegister` `EventSetInformation` `EventWriteTransfer`
api-ms-win-crt-utility-l1-1-0.dll	`bsearch_s`
api-ms-win-core-sidebyside-l1-1-0.dll	`ActivateActCtx` `DeactivateActCtx` `ReleaseActCtx` `CreateActCtxW`
api-ms-win-core-threadpool-private-l1-1-0.dll	`RegisterWaitForSingleObjectEx`
ntdll.dll	`RtlQueryHeapInformation` `TpAllocTimer` `_vsnwprintf` `EtwEventEnabled` `TpReleaseWait` `RtlNtStatusToDosErrorNoTeb` `TpSetWait` `TpAllocWait` `EtwEventRegister` `RtlUnhandledExceptionFilter` `NtSetInformationProcess` `RtlSetProcessIsCritical` `TpSetTimerEx` `TpSetTimer` `RtlImageNtHeader` `RtlValidSecurityDescriptor` `NtQuerySystemInformation` `RtlRunOnceExecuteOnce` `RtlNtStatusToDosError` `RtlFreeHeap` `EtwEventWrite` `TpReleaseTimer` `RtlInitializeCriticalSection` `RtlInitializeSid` `RtlSubAuthoritySid` `RtlGetDeviceFamilyInfoEnum` `RtlReleaseSRWLockExclusive` `RtlSubAuthorityCountSid` `RtlAcquireSRWLockExclusive` `RtlLengthRequiredSid` `RtlDeriveCapabilitySidsFromName` `RtlCopySid` `TpWaitForTimer` `RtlAllocateHeap`
api-ms-win-core-heap-l2-1-0.dll	`LocalAlloc` `LocalFree`
api-ms-win-core-delayload-l1-1-1.dll	`ResolveDelayLoadedAPI`
api-ms-win-core-delayload-l1-1-0.dll	`DelayLoadFailureHook`
api-ms-win-core-com-l1-1-0.dll (delay-loaded)	`CoInitializeEx` `CoUninitialize` `CoCreateInstance` `CoInitializeSecurity` `CLSIDFromString`

Delayed Imports

Attributes	`0x1`
Name	`api-ms-win-core-com-l1-1-0.dll`
ModuleHandle	`0xc5d0`
DelayImportAddressTable	`0xe000`
DelayImportNameTable	`0xa218`
BoundDelayImportTable	`0xa2b0`
UnloadDelayImportTable	`0`
TimeStamp	`1970-Jan-01 00:00:00`

1

Type	`MUI`
Language	English - United States
Codepage	UNKNOWN
Size	`0xc8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.68683`
MD5	`df0bac1ab7e8fd8dac31d882615024b3`
SHA1	`41de5a4147dd2e59aad1266304146fad22b916e5`
SHA256	`94c511dfb7111facb08f9c0908f568db2adcb993c7790c1aa3120bd37130b21c`
SHA3	`82b18199f3e3fe21f0f06e7a6bb28a933937566191756485b5f31ddf74d2814d`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x3b0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.49765`
MD5	`71db444ba2f541edfb6fa8af395efca0`
SHA1	`f4a9acd610283206bb8b5e5caac5c6116033c8b0`
SHA256	`c6aa75b28f320f9332aa039946edb29512445e1f7fbd713b31f162c15d0b09e6`
SHA3	`ab9f0ac26cada9d1af7474f8ced05e29d3d270b9427781f2d3a42a034cd16ae6`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x2b2`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.88655`
MD5	`5b2a444d1ae281ea719f54cc05aaf7b8`
SHA1	`e62709194daa28b7d828a44cccea2de14383211d`
SHA256	`ce0c61a2c2631ef934437c16b616e98511b7772567260100d957bd95d353b1b1`
SHA3	`8cc0ee6e1f5fe7648fac40bb9901b6d6f0ae457977d9eb689034027cfde3ed5e`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	10.0.19041.546
ProductVersion	10.0.19041.546
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Microsoft Corporation
FileDescription	Host Process for Windows Services
FileVersion (#2)	10.0.19041.546 (WinBuild.160101.0800)
InternalName	svchost.exe
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	svchost.exe
ProductName	Microsoft® Windows® Operating System
ProductVersion (#2)	10.0.19041.546

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	1972-Dec-14 16:22:50
Version	`0.0`
SizeofData	`36`
AddressOfRawData	`0x93f8`
PointerToRawData	`0x7df8`
Referenced File	svchost.pdb

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	1972-Dec-14 16:22:50
Version	`0.0`
SizeofData	`996`
AddressOfRawData	`0x941c`
PointerToRawData	`0x7e1c`

UNKNOWN

Characteristics	`0`
TimeDateStamp	1972-Dec-14 16:22:50
Version	`0.0`
SizeofData	`36`
AddressOfRawData	`0x9800`
PointerToRawData	`0x8200`

TLS Callbacks

Load Configuration

Size	`0x118`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x14000c040`
GuardCFCheckFunctionPointer	`5368743952`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

XOR Key	`0xf9cd5501`
Unmarked objects	`0`
Imports (27412)	`2`
ASM objects (27412)	`2`
Imports (VS2008 SP1 build 30729)	`59`
Total imports	`148`
269 (27412)	`12`
C objects (27412)	`12`
Resource objects (27412)	`1`
Linker (27412)	`1`

f586835082f632dc8d9404d83bc16316

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

.didat

.rsrc

.reloc

Imports

Delayed Imports

1

1 (#2)

1 (#3)

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

IMAGE_DEBUG_TYPE_POGO

UNKNOWN

TLS Callbacks

Load Configuration

RICH Header

Errors