f586835082f632dc8d9404d83bc16316

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 1972-Dec-14 16:22:50
Detected languages English - United States
Debug artifacts svchost.pdb
CompanyName Microsoft Corporation
FileDescription Host Process for Windows Services
FileVersion 10.0.19041.546 (WinBuild.160101.0800)
InternalName svchost.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename svchost.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.19041.546

Plugin Output

Suspicious Strings found in the binary may indicate undesirable behavior: May have dropper capabilities:
  • CurrentControlSet\Services
Suspicious The PE is possibly packed. Unusual section name found: .didat
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryExW
Functions which can be used for anti-debugging purposes:
  • NtQuerySystemInformation
Can access the registry:
  • RegCloseKey
  • RegQueryValueExW
  • RegOpenKeyExW
  • RegGetValueW
  • RegEnumKeyExW
Uses Windows's Native API:
  • NtSetInformationProcess
  • NtQuerySystemInformation
Functions related to the privilege level:
  • OpenProcessToken
Info The PE is digitally signed. Signer: Microsoft Windows Publisher
Issuer: Microsoft Windows Production PCA 2011
Safe VirusTotal score: 0/72 (Scanned on 2020-11-21 17:23:06) All the AVs think this file is safe.

Hashes

MD5 f586835082f632dc8d9404d83bc16316
SHA1 010db07461e45b41c886192df6fd425ba8d42d82
SHA256 643ec58e82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7
SHA3 f9c69f39e892299ddfe14b167a108bc1031073d204f205a232e5d4f2b095f3db
SSDeep 768:DPLnVeJ+4jnLejsSOQ3DOIKBL4DbNHeDA/YCN8HVvWc9w3Y1P6j3w:DDVeHnLejsT9k1HeGYbVWc9w3gP6jw
Imports Hash 5922afb5df8c64c2f320bf24aa2a6d20

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 7
TimeDateStamp 1972-Dec-14 16:22:50
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0x6600
SizeOfInitializedData 0x5a00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000000000004E80 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion A.0
ImageVersion A.0
SubsystemVersion A.0
Win32VersionValue 0
SizeOfImage 0x11000
SizeOfHeaders 0x400
Checksum 0x1c364
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x80000
SizeofStackCommit 0x4000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 fc14482de1f87ed3939f607498d097a1
SHA1 2469c0206ea4642f63e8e3f3eae5db42c35d23d4
SHA256 b1a2a4056ef8f3c2b3c9f6fe9bb475b003831d8beb7c9bd9b8c0f1edbee21408
SHA3 d9d199975fae08b79e85034a248a0f3f6a4ff64d786812537ab55a4f3f29b20e
VirtualSize 0x657d
VirtualAddress 0x1000
SizeOfRawData 0x6600
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 5.91995

.rdata

MD5 b56debc26be468f780ca5318a56d9d7f
SHA1 c87e37ad1adc35bd0579e2b7dfc8e23aadcd6a3d
SHA256 30959d1cd4baf6820fcbd0a593316502c8e32f499b0f05ce89feb14e552e8edf
SHA3 393ac34b4d33646206df21e124de35851aa2c349d73c0c34f6563bf884962ebe
VirtualSize 0x38e2
VirtualAddress 0x8000
SizeOfRawData 0x3a00
PointerToRawData 0x6a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.51685

.data

MD5 99dd770e6464db8f082e0f0e825fbdd4
SHA1 289408a9f1719bfb2bbe38cd9114cee8bab18c31
SHA256 0aba86986c3c99a38a10adaeab93a28afa6d154e102a1c568598d08a43837cb2
SHA3 94695a35cdca83dec1c4e80c07617b4874500363d48149ba86bc2095a372ef44
VirtualSize 0x888
VirtualAddress 0xc000
SizeOfRawData 0x200
PointerToRawData 0xa400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.378703

.pdata

MD5 98e306063537611b313d43c844535d45
SHA1 410f92b3daff2554348f2b2c1efe7f2856b55bf8
SHA256 b14bd997c743e8b1c6c3749cdd25382b70393578daf0acf17dcc48e8b3e307ab
SHA3 ba19a5804c2eb36994b45ef759bbbf88fa885d813e47830ef7d208035b3e7522
VirtualSize 0x69c
VirtualAddress 0xd000
SizeOfRawData 0x800
PointerToRawData 0xa600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.85127

.didat

MD5 6cb6ac498fd30180016e0647aa9de652
SHA1 f1055cd60e12070f3ebf5cf10fb6a2232763b355
SHA256 da851ab07660cfb9172e4e13ee11db7d0d618d3ca8162da15763b48e58f9399d
SHA3 14ab2218d33f40d22e64a3f6b0e3ed2d659873a67d4be1b3352d5db00de56d12
VirtualSize 0x30
VirtualAddress 0xe000
SizeOfRawData 0x200
PointerToRawData 0xae00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.345827

.rsrc

MD5 65a22185a5352802648cae0d6cb4832c
SHA1 cdf04502eae311a29562d9df74f33242ccc82d02
SHA256 28d897e99cdd119bb1a1668fc702a1f0e4b364023e5f7c9c106360df28b466bc
SHA3 9dbbedbb85e28bc9a2445de6c546415e4a9774a73dcbba7acef313d054055deb
VirtualSize 0x820
VirtualAddress 0xf000
SizeOfRawData 0xa00
PointerToRawData 0xb000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.74623

.reloc

MD5 bebba019fc48accb5b8eb04938965ff2
SHA1 e4f99de9850d9b9ecc6a218a7ae06110356367f4
SHA256 c0665d848e796fc0648e825c132f511249573646ef371902ee114185c44ec15c
SHA3 c90a1f6e7f07ee60856c8fac4cb94fe9e46a3e004a766873ec2362ba3dff4d63
VirtualSize 0x6c
VirtualAddress 0x10000
SizeOfRawData 0x200
PointerToRawData 0xba00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 1.27754

Imports

api-ms-win-core-crt-l2-1-0.dll _initterm
_initterm_e
__wgetmainargs
exit
api-ms-win-core-profile-l1-1-0.dll QueryPerformanceCounter
api-ms-win-core-processthreads-l1-1-0.dll GetCurrentProcess
GetCurrentThreadId
GetCurrentProcessId
OpenProcessToken
TerminateProcess
SetProcessAffinityUpdateMode
ExitProcess
api-ms-win-core-sysinfo-l1-1-0.dll GetSystemTimeAsFileTime
GetTickCount64
GetTickCount
api-ms-win-core-rtlsupport-l1-1-0.dll RtlLookupFunctionEntry
RtlCaptureContext
RtlVirtualUnwind
api-ms-win-core-errorhandling-l1-1-0.dll GetLastError
SetErrorMode
SetUnhandledExceptionFilter
UnhandledExceptionFilter
api-ms-win-service-private-l1-1-3.dll I_RegisterSvchostNotificationCallback
api-ms-win-core-crt-l1-1-0.dll qsort_s
memcpy
memset
_wcsicmp
api-ms-win-core-libraryloader-l1-2-0.dll GetProcAddress
FreeLibrary
GetModuleHandleW
LoadLibraryExW
api-ms-win-core-heap-l1-1-0.dll HeapFree
GetProcessHeap
HeapAlloc
HeapSetInformation
api-ms-win-core-synch-l1-1-0.dll LeaveCriticalSection
ReleaseSRWLockShared
AcquireSRWLockShared
InitializeSRWLock
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
EnterCriticalSection
api-ms-win-service-winsvc-l1-1-0.dll RegisterServiceCtrlHandlerW
api-ms-win-service-core-l1-1-0.dll SetServiceStatus
StartServiceCtrlDispatcherW
api-ms-win-core-string-l1-1-0.dll MultiByteToWideChar
WideCharToMultiByte
CompareStringOrdinal
api-ms-win-core-registry-l1-1-0.dll RegCloseKey
RegQueryValueExW
RegDisablePredefinedCacheEx
RegOpenKeyExW
RegGetValueW
RegEnumKeyExW
api-ms-win-core-processenvironment-l1-1-0.dll ExpandEnvironmentStringsW
GetCommandLineW
api-ms-win-core-processthreads-l1-1-1.dll SetProcessMitigationPolicy
api-ms-win-core-processthreads-l1-1-2.dll SetProtectedPolicy
RPCRT4.dll RpcServerUnregisterIf
I_RpcMapWin32Status
RpcMgmtSetServerStackSize
I_RpcServerDisableExceptionFilter
RpcServerUseProtseqEpW
RpcServerUnregisterIfEx
RpcMgmtStopServerListening
RpcServerListen
RpcMgmtWaitServerListen
RpcServerRegisterIf
api-ms-win-core-localization-l1-2-0.dll LCMapStringW
api-ms-win-security-base-l1-1-0.dll SetSecurityDescriptorGroup
SetSecurityDescriptorDacl
MakeAbsoluteSD
AddAccessAllowedAce
GetTokenInformation
GetLengthSid
InitializeAcl
SetSecurityDescriptorOwner
InitializeSecurityDescriptor
api-ms-win-core-handle-l1-1-0.dll CloseHandle
api-ms-win-eventing-provider-l1-1-0.dll EventRegister
EventSetInformation
EventWriteTransfer
api-ms-win-crt-utility-l1-1-0.dll bsearch_s
api-ms-win-core-sidebyside-l1-1-0.dll ActivateActCtx
DeactivateActCtx
ReleaseActCtx
CreateActCtxW
api-ms-win-core-threadpool-private-l1-1-0.dll RegisterWaitForSingleObjectEx
ntdll.dll RtlQueryHeapInformation
TpAllocTimer
_vsnwprintf
EtwEventEnabled
TpReleaseWait
RtlNtStatusToDosErrorNoTeb
TpSetWait
TpAllocWait
EtwEventRegister
RtlUnhandledExceptionFilter
NtSetInformationProcess
RtlSetProcessIsCritical
TpSetTimerEx
TpSetTimer
RtlImageNtHeader
RtlValidSecurityDescriptor
NtQuerySystemInformation
RtlRunOnceExecuteOnce
RtlNtStatusToDosError
RtlFreeHeap
EtwEventWrite
TpReleaseTimer
RtlInitializeCriticalSection
RtlInitializeSid
RtlSubAuthoritySid
RtlGetDeviceFamilyInfoEnum
RtlReleaseSRWLockExclusive
RtlSubAuthorityCountSid
RtlAcquireSRWLockExclusive
RtlLengthRequiredSid
RtlDeriveCapabilitySidsFromName
RtlCopySid
TpWaitForTimer
RtlAllocateHeap
api-ms-win-core-heap-l2-1-0.dll LocalAlloc
LocalFree
api-ms-win-core-delayload-l1-1-1.dll ResolveDelayLoadedAPI
api-ms-win-core-delayload-l1-1-0.dll DelayLoadFailureHook
api-ms-win-core-com-l1-1-0.dll (delay-loaded) CoInitializeEx
CoUninitialize
CoCreateInstance
CoInitializeSecurity
CLSIDFromString

Delayed Imports

Attributes 0x1
Name api-ms-win-core-com-l1-1-0.dll
ModuleHandle 0xc5d0
DelayImportAddressTable 0xe000
DelayImportNameTable 0xa218
BoundDelayImportTable 0xa2b0
UnloadDelayImportTable 0
TimeStamp 1970-Jan-01 00:00:00

1

Type MUI
Language English - United States
Codepage UNKNOWN
Size 0xc8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.68683
MD5 df0bac1ab7e8fd8dac31d882615024b3
SHA1 41de5a4147dd2e59aad1266304146fad22b916e5
SHA256 94c511dfb7111facb08f9c0908f568db2adcb993c7790c1aa3120bd37130b21c
SHA3 82b18199f3e3fe21f0f06e7a6bb28a933937566191756485b5f31ddf74d2814d

1 (#2)

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x3b0
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.49765
MD5 71db444ba2f541edfb6fa8af395efca0
SHA1 f4a9acd610283206bb8b5e5caac5c6116033c8b0
SHA256 c6aa75b28f320f9332aa039946edb29512445e1f7fbd713b31f162c15d0b09e6
SHA3 ab9f0ac26cada9d1af7474f8ced05e29d3d270b9427781f2d3a42a034cd16ae6

1 (#3)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x2b2
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.88655
MD5 5b2a444d1ae281ea719f54cc05aaf7b8
SHA1 e62709194daa28b7d828a44cccea2de14383211d
SHA256 ce0c61a2c2631ef934437c16b616e98511b7772567260100d957bd95d353b1b1
SHA3 8cc0ee6e1f5fe7648fac40bb9901b6d6f0ae457977d9eb689034027cfde3ed5e

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 10.0.19041.546
ProductVersion 10.0.19041.546
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
CompanyName Microsoft Corporation
FileDescription Host Process for Windows Services
FileVersion (#2) 10.0.19041.546 (WinBuild.160101.0800)
InternalName svchost.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename svchost.exe
ProductName Microsoft® Windows® Operating System
ProductVersion (#2) 10.0.19041.546
Resource LangID English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 1972-Dec-14 16:22:50
Version 0.0
SizeofData 36
AddressOfRawData 0x93f8
PointerToRawData 0x7df8
Referenced File svchost.pdb

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 1972-Dec-14 16:22:50
Version 0.0
SizeofData 996
AddressOfRawData 0x941c
PointerToRawData 0x7e1c

UNKNOWN

Characteristics 0
TimeDateStamp 1972-Dec-14 16:22:50
Version 0.0
SizeofData 36
AddressOfRawData 0x9800
PointerToRawData 0x8200

TLS Callbacks

Load Configuration

Size 0x118
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x14000c040
GuardCFCheckFunctionPointer 5368743952
GuardCFDispatchFunctionPointer 0
GuardCFFunctionTable 0
GuardCFFunctionCount 0
GuardFlags (EMPTY)
CodeIntegrity.Flags 0
CodeIntegrity.Catalog 0
CodeIntegrity.CatalogOffset 0
CodeIntegrity.Reserved 0
GuardAddressTakenIatEntryTable 0
GuardAddressTakenIatEntryCount 0
GuardLongJumpTargetTable 0
GuardLongJumpTargetCount 0

RICH Header

XOR Key 0xf9cd5501
Unmarked objects 0
Imports (27412) 2
ASM objects (27412) 2
Imports (VS2008 SP1 build 30729) 59
Total imports 148
269 (27412) 12
C objects (27412) 12
Resource objects (27412) 1
Linker (27412) 1

Errors
