
Analysis Report svchost.exe

Overview

General Information

Sample Name:svchost.exe
Analysis ID:331940
MD5:9520a99e77d6196d0d09833146424113
SHA1:75c5a97f521f760e32a4a9639a653eed862e9c61
SHA256:dd191a5b23df92e12a8852291f9fb5ed594b76a28a5a464418442584afd1e048

Detection

Score:0
Range:0 - 100
Whitelisted:true
Confidence:100%

Signatures

Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
PE file contains sections with non-standard names
Program does not show much activity (idle)

Classification

Verdict: clean (score 0; none of the Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader or Miner categories matched)
  • System is w10x64
  • svchost.exe (PID: 7160 cmdline: 'C:\Users\user\Desktop\svchost.exe' MD5: 9520A99E77D6196D0D09833146424113)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

There are no malicious signatures; the full signature results follow.

Source: C:\Users\user\Desktop\svchost.exe Code function: 0_2_00007FF66C251660 NtSetInformationProcess,SetUnhandledExceptionFilter,SetErrorMode,GetProcessHeap,InitializeSRWLock,InitializeSRWLock,RegDisablePredefinedCacheEx,EventRegister,GetCommandLineW,memset,GetCurrentProcess,NtSetInformationProcess,HeapFree,HeapFree,GetCurrentProcess,SetProcessAffinityUpdateMode,ExitProcess
Source: C:\Users\user\Desktop\svchost.exe Code function: 0_2_00007FF66C2531E0 memset,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegCloseKey,RegCloseKey,HeapAlloc,RegQueryValueExW,ExpandEnvironmentStringsW,LCMapStringW,RegQueryValueExW,HeapFree,AcquireSRWLockShared,ReleaseSRWLockShared,HeapAlloc,memcpy,memcpy,AcquireSRWLockExclusive,ReleaseSRWLockExclusive,RegGetValueW,ActivateActCtx,LoadLibraryExW,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,ActivateActCtx,MultiByteToWideChar,RtlRunOnceExecuteOnce,NtQuerySystemInformation,GetProcAddress,DeactivateActCtx,RegCloseKey,HeapAlloc,RegGetValueW,WideCharToMultiByte,HeapAlloc,WideCharToMultiByte,HeapFree,ExpandEnvironmentStringsW,HeapFree,CreateActCtxW,GetLastError,HeapFree,GetLastError,CreateActCtxW,GetLastError,ReleaseActCtx,GetLastError,RtlNtStatusToDosError,GetLastError,LoadLibraryExW,RtlNtStatusToDosError,LoadLibraryExW,RtlNtStatusToDosError,HeapFree,ReleaseActCtx
Source: C:\Users\user\Desktop\svchost.exe Code function: 0_2_00007FF66C251830 RtlImageNtHeader,RpcMgmtSetServerStackSize,HeapSetInformation,HeapSetInformation,TpAllocTimer,EventRegister,EventSetInformation,GetTickCount64,GetTickCount64,TpSetTimer,I_RpcServerDisableExceptionFilter,RtlSetProcessIsCritical,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProcessMitigationPolicy,SetProtectedPolicy,NtSetInformationProcess
Source: C:\Users\user\Desktop\svchost.exe Code function: 0_2_00007FF66C253D60
Source: C:\Users\user\Desktop\svchost.exe Code function: 0_2_00007FF66C2531E0
Source: C:\Users\user\Desktop\svchost.exe Code function: 0_2_00007FF66C252B60
Source: C:\Users\user\Desktop\svchost.exe Code function: 0_2_00007FF66C251830
Source: C:\Users\user\Desktop\svchost.exe Code function: 0_2_00007FF66C251C80
Source: classification engine Classification label: clean4.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\svchost.exe Code function: 0_2_00007FF66C2515E0 I_RegisterSvchostNotificationCallback,StartServiceCtrlDispatcherW,TpSetTimerEx,TpReleaseTimer,ExitProcess,TpWaitForTimer
Source: svchost.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\svchost.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\svchost.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: svchost.exe Static PE information: certificate valid
Source: initial sample Static PE information: Valid certificate with Microsoft Issuer
Source: svchost.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: svchost.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: svchost.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: svchost.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: svchost.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: svchost.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: svchost.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: svchost.exe Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: svchost.pdb source: svchost.exe
Source: Binary string: svchost.pdbUGP source: svchost.exe
Source: svchost.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: svchost.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: svchost.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: svchost.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: svchost.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: svchost.exe Static PE information: section name: .didat
Source: C:\Users\user\Desktop\svchost.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\svchost.exe API coverage: 4.5 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\svchost.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\svchost.exe Code function: 0_2_00007FF66C2547FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\svchost.exe Code function: 0_2_00007FF66C252B60 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,GetLastError,HeapAlloc,InitializeSecurityDescriptor,GetTokenInformation,GetTokenInformation,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,HeapAlloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,CloseHandle,GetLengthSid,AddAccessAllowedAce,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,HeapFree,HeapFree
Source: C:\Users\user\Desktop\svchost.exe Code function: 0_2_00007FF66C254720 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter
Source: C:\Users\user\Desktop\svchost.exe Code function: 0_2_00007FF66C2565F0 EnterCriticalSection,RpcServerListen,LeaveCriticalSection,I_RpcMapWin32Status
Source: C:\Users\user\Desktop\svchost.exe Code function: 0_2_00007FF66C2566E0 RpcServerUnregisterIfEx,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status
Source: C:\Users\user\Desktop\svchost.exe Code function: 0_2_00007FF66C256680 RpcServerUnregisterIf,EnterCriticalSection,RpcMgmtStopServerListening,RpcMgmtWaitServerListen,LeaveCriticalSection,I_RpcMapWin32Status

Mitre Att&ck Matrix

One line per tactic. Digits after a technique are the report's matched-signature badge counts as exported (concatenated where a cell carried more than one badge); techniques without digits had no matching signature.

Initial Access: Valid Accounts | Default Accounts | Domain Accounts
Execution: Command and Scripting Interpreter 2 | Service Execution 2 | Native API 11
Persistence: Windows Service 3 | Boot or Logon Initialization Scripts | Logon Script (Windows)
Privilege Escalation: Windows Service 3 | Boot or Logon Initialization Scripts | Logon Script (Windows)
Defense Evasion: Direct Volume Access | Rootkit | Obfuscated Files or Information
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager
Discovery: System Time Discovery 1 | Security Software Discovery 1 | System Information Discovery 2
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares
Collection: Archive Collected Data 1 | Data from Removable Media | Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration
Command and Control: Encrypted Channel 1 | Junk Data | Steganography
Network Effects: Eavesdrop on Insecure Network Communication | Exploit SS7 to Redirect Phone Calls/SMS | Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization | Remotely Wipe Data Without Authorization | Obtain Device Cloud Backups
Impact: Modify System Partition | Device Lockout | Delete Device Data
Behavior Graph

Behavior Graph ID: 331940; Sample: svchost.exe; Start date: 17/12/2020; Architecture: WINDOWS; Score: 0. The graph has a single process node: svchost.exe (started).
Source | Detection | Scanner
svchost.exe | 0% | Virustotal
svchost.exe | 0% | Metadefender
svchost.exe | 0% | ReversingLabs
No Antivirus matches
No contacted domains info
No contacted IP infos

General Information

Joe Sandbox Version:31.0.0 Red Diamond
Analysis ID:331940
Start date:17.12.2020
Start time:20:45:35
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 2m 6s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:svchost.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:1
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean4.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 33.8%)
  • Quality average: 26.2%
  • Quality standard deviation: 39%
HCA Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
No simulations
No context
No created / dropped files found

Static File Info

General

File type:PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):5.990499737630852
TrID:
  • Win64 Executable GUI (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:svchost.exe
File size:53744
MD5:9520a99e77d6196d0d09833146424113
SHA1:75c5a97f521f760e32a4a9639a653eed862e9c61
SHA256:dd191a5b23df92e12a8852291f9fb5ed594b76a28a5a464418442584afd1e048
SHA512:5ded9fbd8bd6e06c922949bd1437de019242e70a7bb1f2855806e942e7e85e53ccad207478d9d567d41cd6bfa698c5551dae2cd9302ea78f8daf13091c3a060b
SSDEEP:768:bnw5T+bazyxWN79Kc5CgxHLWlhF2pyAHYC68HVpmXgX5y1PlW:vbQQWN7NjxrWlhF2xYwnmXgXIPlW
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]].E<3.E<3.E<3..T2.G<3..T0.G<3.LD..~<3.E<2..<3..T>.N<3..T7.I<3..T..D<3..T1.D<3.RichE<3.................PE..d......2.........."

File Icon

Icon Hash:00828e8e8686b000

General

Entrypoint:0x140004690
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x140000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:0x32D6C210 [Fri Jan 10 22:26:24 1997 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:10
OS Version Minor:0
File Version Major:10
File Version Minor:0
Subsystem Version Major:10
Subsystem Version Minor:0
Import Hash:247b9220e5d9b720a82b2c8b5069ad69
Signature Valid:true
Signature Issuer:CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before:6/6/2018 8:57:19 PM
Not After:5/29/2019 8:57:19 PM
Subject Chain
  • CN=Microsoft Windows Publisher, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:3
Thumbprint MD5:68894D995E2C03DD992FB480FD029A25
Thumbprint SHA-1:458D803A5CF470DD3F01A475214938D97A5051E8
Thumbprint SHA-256:1EA333BC6C404760B4B76F39F9E9903E555864912C34BA10E321A15BAEBF031C
Serial:33000001A90F2D80C9A929387C0000000001A9
Instruction (entry-point disassembly as emitted by the report; the bytes were decoded as 32-bit code, so the 64-bit REX prefix 0x48 appears as a spurious "dec eax" in front of each 64-bit-operand instruction: "dec eax / sub esp, 28h" is sub rsp, 28h)
dec eax
sub esp, 28h
call 00007F489CC2E3CCh
dec eax
add esp, 28h
jmp 00007F489CC2E2A3h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [00006979h]
jne 00007F489CC2E352h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007F489CC2E343h
ret
dec eax
ror ecx, 10h
jmp 00007F489CC2E4A7h
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 38h
dec eax
and dword ptr [esp+20h], 00000000h
inc ebp
xor ecx, ecx
inc ebp
xor eax, eax
call dword ptr [00002CB6h]
xor eax, eax
dec eax
add esp, 38h
ret
int3
int3
int3
int3
int3
int3
jmp dword ptr [00002C9Bh]
int3
int3
int3
int3
int3
int3
jmp dword ptr [00002C87h]
int3
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+20h], ebx
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 20h
dec eax
and dword ptr [ebp+18h], 00000000h
dec eax
mov ebx, 2DDFA232h
cdq
sub eax, dword ptr [eax]
add byte ptr [eax-75h], cl
add eax, 000068FDh
dec eax
cmp eax, ebx
jne 00007F489CC2E3D9h
dec eax
lea ecx, dword ptr [ebp+18h]
call dword ptr [00002EA2h]
dec eax
Programming Language:
  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x90c0 | 0x26c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0x820 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xc000 | 0x66c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xae00 | 0x23f0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf000 | 0x68 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8060 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x7190 | 0x108 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x7320 | 0x4d8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x8fdc | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x580c | 0x5a00 | False | 0.565668402778 | data | 6.00420833741 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x36a6 | 0x3800 | False | 0.357561383929 | dBase III DBT, version number 0, next free block index 1073788792, 1st item "\370w" | 4.49671960632 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xb000 | 0x7d0 | 0x200 | False | 0.08203125 | data | 0.362317553901 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata | 0xc000 | 0x66c | 0x800 | False | 0.3984375 | PEX Binary Archive | 3.74985721943 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat | 0xd000 | 0x28 | 0x200 | False | 0.056640625 | data | 0.28508543466 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0xe000 | 0x820 | 0xa00 | False | 0.380078125 | data | 3.72987256706 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xf000 | 0x68 | 0x200 | False | 0.212890625 | data | 1.23549747809 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
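The static header fields above (image base, entry point, DLL characteristics, OS version, the section table) are plain struct reads from the PE headers, and re-deriving them is the quickest way to sanity-check a sandbox's "Static PE information" lines or to run the same checks in a pipeline. The Python below is an added example for this page, not Joe Sandbox code: it parses a PE32+ header and section table and flags section names outside the MSVC defaults, which is the check behind "PE file contains sections with non-standard names" (.didat here). Because the real svchost.exe is not reproduced on this page, build_sample_pe() constructs a stub image carrying only the values the report lists (machine, time stamp, file characteristics, image base, entry point, subsystem, DLL characteristics, the .text and .didat section headers); its raw-data pointers, size-of-image and linker-version fields are filler, and it has no code, import table or signature. One caveat the parser comments on: the 1997 time stamp is not a sign of tampering. Microsoft builds Windows binaries reproducibly and stores a hash of the image in TimeDateStamp, so the decoded date on a 10.0.18362 binary is meaningless.

```python
"""Minimal PE32+ header reader that recomputes the report's 'Static PE
information' fields from raw bytes.  Example code added for this page; it is
not Joe Sandbox code.  build_sample_pe() is a constructed stub carrying only
the header values the report lists, not the real svchost.exe."""
import struct
from datetime import datetime, timezone

# IMAGE_FILE_* characteristics (COFF file header)
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
                        0x2000: "DLL"}
# IMAGE_DLLCHARACTERISTICS_* bits (optional header)
DLL_CHARACTERISTICS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE",
                       0x0080: "FORCE_INTEGRITY", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x1000: "APPCONTAINER",
                       0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
# IMAGE_SCN_* bits that matter for the section table
SECTION_FLAGS = {0x00000020: "IMAGE_SCN_CNT_CODE",
                 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
                 0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
                 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
                 0x40000000: "IMAGE_SCN_MEM_READ",
                 0x80000000: "IMAGE_SCN_MEM_WRITE"}
# Names the MSVC linker emits by default; anything else is "non-standard"
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                     ".idata", ".edata", ".bss", ".tls"}


def decode_flags(value, table):
    """Names of the set bits, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data):
    """DOS header -> COFF header -> PE32+ optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, fchars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != 0x20B:
        raise ValueError("only PE32+ (magic 0x20b) images are handled here")
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    sections = []
    for i in range(nsect):
        raw = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": raw[0].rstrip(b"\0").decode("ascii"),
                         "virtual_size": raw[1], "virtual_address": raw[2],
                         "raw_size": raw[3], "flags": decode_flags(raw[9], SECTION_FLAGS)})
    return {
        "machine": machine,
        # Reproducible Microsoft builds store an image hash here, not a build
        # time, so the decoded date of a Windows 10 binary carries no meaning.
        "timestamp_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "file_characteristics": decode_flags(fchars, FILE_CHARACTERISTICS),
        "image_base": image_base,
        "entry_point": image_base + entry_rva,
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": {2: "windows gui", 3: "windows cui"}.get(subsystem, str(subsystem)),
        "dll_characteristics": decode_flags(dll_chars, DLL_CHARACTERISTICS),
        "sections": sections,
        "non_standard_sections": [s["name"] for s in sections if s["name"] not in STANDARD_SECTIONS],
    }


def build_sample_pe():
    """Constructed stub: the report's header values, no bodies (filler where noted)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData*, Characteristics)
    sections = [(b".text", 0x580C, 0x1000, 0x5A00, 0x400, 0x60000020),
                (b".didat", 0x28, 0xD000, 0x200, 0x9A00, 0xC0000040)]   # * filler pointers
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0x32D6C210, 0, 0, 240, 0x0022)
    optional = struct.pack(
        "<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
        0x20B, 14, 20, 0x5A00, 0x4A00, 0, 0x4690, 0x1000, 0x140000000, 0x1000, 0x200,
        10, 0, 10, 0, 10, 0, 0, 0x10000, 0x400, 0, 2, 0xC160,              # linker/size fields: filler
        0x80000, 0x11000, 0x100000, 0x1000, 0, 16) + b"\0" * 128           # 16 empty data directories
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in sections)
    return dos + b"PE\0\0" + coff + optional + table


if __name__ == "__main__":
    for key, value in parse_pe(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Point parse_pe() at the bytes of a real file (open(path, "rb").read()) and the output lines map one-to-one onto the "General" and section tables above; the .didat entry shows up under non_standard_sections exactly as the signature reports.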
Name | RVA | Size | Type | Language | Country
MUI | 0xe758 | 0xc8 | data | English | United States
RT_VERSION | 0xe3a8 | 0x3b0 | data | English | United States
RT_MANIFEST | 0xe0f0 | 0x2b2 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States
DLL | Imports
api-ms-win-core-crt-l2-1-0.dll: _initterm, _initterm_e, __wgetmainargs, exit
api-ms-win-core-profile-l1-1-0.dll: QueryPerformanceCounter
api-ms-win-core-processthreads-l1-1-0.dll: GetCurrentProcess, GetCurrentThreadId, GetCurrentProcessId, OpenProcessToken, TerminateProcess, SetProcessAffinityUpdateMode, ExitProcess
api-ms-win-core-sysinfo-l1-1-0.dll: GetSystemTimeAsFileTime, GetTickCount64, GetTickCount
api-ms-win-core-rtlsupport-l1-1-0.dll: RtlLookupFunctionEntry, RtlCaptureContext, RtlVirtualUnwind
api-ms-win-core-errorhandling-l1-1-0.dll: GetLastError, SetErrorMode, SetUnhandledExceptionFilter, UnhandledExceptionFilter
api-ms-win-service-private-l1-1-3.dll: I_RegisterSvchostNotificationCallback
api-ms-win-core-crt-l1-1-0.dll: qsort_s, memcpy, memset, _wcsicmp
api-ms-win-core-libraryloader-l1-2-0.dll: GetProcAddress, FreeLibrary, LoadLibraryExW
api-ms-win-core-heap-l1-1-0.dll: HeapFree, GetProcessHeap, HeapAlloc, HeapSetInformation
api-ms-win-core-synch-l1-1-0.dll: LeaveCriticalSection, ReleaseSRWLockShared, AcquireSRWLockShared, InitializeSRWLock, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, EnterCriticalSection
api-ms-win-service-winsvc-l1-1-0.dll: RegisterServiceCtrlHandlerW
api-ms-win-service-core-l1-1-0.dll: SetServiceStatus, StartServiceCtrlDispatcherW
api-ms-win-core-string-l1-1-0.dll: MultiByteToWideChar, WideCharToMultiByte, CompareStringOrdinal
api-ms-win-core-registry-l1-1-0.dll: RegCloseKey, RegQueryValueExW, RegDisablePredefinedCacheEx, RegOpenKeyExW, RegGetValueW, RegEnumKeyExW
api-ms-win-core-processenvironment-l1-1-0.dll: ExpandEnvironmentStringsW, GetCommandLineW
api-ms-win-core-processthreads-l1-1-1.dll: SetProcessMitigationPolicy
api-ms-win-core-processthreads-l1-1-2.dll: SetProtectedPolicy
RPCRT4.dll: RpcServerUnregisterIf, I_RpcMapWin32Status, RpcMgmtSetServerStackSize, I_RpcServerDisableExceptionFilter, RpcServerUseProtseqEpW, RpcServerUnregisterIfEx, RpcMgmtStopServerListening, RpcServerListen, RpcMgmtWaitServerListen, RpcServerRegisterIf
api-ms-win-core-localization-l1-2-0.dll: LCMapStringW
api-ms-win-security-base-l1-1-0.dll: SetSecurityDescriptorGroup, SetSecurityDescriptorDacl, MakeAbsoluteSD, AddAccessAllowedAce, GetTokenInformation, GetLengthSid, InitializeAcl, SetSecurityDescriptorOwner, InitializeSecurityDescriptor
api-ms-win-core-handle-l1-1-0.dll: CloseHandle
api-ms-win-eventing-provider-l1-1-0.dll: EventRegister, EventSetInformation, EventWriteTransfer
api-ms-win-crt-utility-l1-1-0.dll: bsearch_s
api-ms-win-core-sidebyside-l1-1-0.dll: ActivateActCtx, DeactivateActCtx, ReleaseActCtx, CreateActCtxW
api-ms-win-core-threadpool-private-l1-1-0.dll: RegisterWaitForSingleObjectEx
ntdll.dll: RtlQueryHeapInformation, TpAllocTimer, _vsnwprintf, EtwEventEnabled, TpReleaseWait, RtlNtStatusToDosErrorNoTeb, TpSetWait, TpAllocWait, EtwEventRegister, RtlUnhandledExceptionFilter, NtSetInformationProcess, RtlSetProcessIsCritical, TpSetTimerEx, TpSetTimer, RtlImageNtHeader, RtlValidSecurityDescriptor, NtQuerySystemInformation, RtlRunOnceExecuteOnce, RtlNtStatusToDosError, RtlFreeHeap, EtwEventWrite, TpReleaseTimer, RtlInitializeCriticalSection, RtlInitializeSid, RtlSubAuthoritySid, RtlGetDeviceFamilyInfoEnum, RtlReleaseSRWLockExclusive, RtlSubAuthorityCountSid, RtlAcquireSRWLockExclusive, RtlLengthRequiredSid, RtlDeriveCapabilitySidsFromName, RtlCopySid, TpWaitForTimer, RtlAllocateHeap
api-ms-win-core-heap-l2-1-0.dll: LocalAlloc, LocalFree
api-ms-win-core-delayload-l1-1-1.dll: ResolveDelayLoadedAPI
api-ms-win-core-delayload-l1-1-0.dll: DelayLoadFailureHook
Description | Data
LegalCopyright | Microsoft Corporation. All rights reserved.
InternalName | svchost.exe
FileVersion | 10.0.18362.1 (WinBuild.160101.0800)
CompanyName | Microsoft Corporation
ProductName | Microsoft Windows Operating System
ProductVersion | 10.0.18362.1
FileDescription | Host Process for Windows Services
OriginalFilename | svchost.exe
Translation | 0x0409 0x04b0
Language of compilation system | Country where language is spoken
English | United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Start time:20:46:30
Start date:17/12/2020
Path:C:\Users\user\Desktop\svchost.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\svchost.exe'
Imagebase:0x7ff66c250000
File size:53744 bytes
MD5 hash:9520A99E77D6196D0D09833146424113
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
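The process record above is the part of this report that deserves attention despite the score of 0: the genuine, validly signed service host was started from C:\Users\user\Desktop with no "-k <servicegroup>" argument, did little and exited, which is what a copied svchost.exe does when it is not launched by the Service Control Manager. The signatures that sound alarming ("open a port and listen" from RpcServerListen, the GetTokenInformation checks, the SetProcessMitigationPolicy calls) are its normal start-up. A file verdict therefore does not answer why the file was where it was. The Python below is an added example for this page, not part of the report and not a Joe Sandbox rule: it scores a process-creation event on image path, command line and parent, then combines that with the SHA256 recorded above. The events are constructed for the example; the Sysmon-style field names, the parent images and the third event's hash are assumptions, while the first event reuses the path, command line and SHA256 from this report.

```python
"""Context triage for process-creation events naming svchost.exe.
Example code added for this page, not part of the Joe Sandbox report.
The report's verdict is about the file; this check is about the execution."""
import ntpath

# Where the genuine service host lives; a signed copy anywhere else is a
# masquerading / proxy-execution candidate, not a clean file.
SYSTEM_SVCHOST = {r"c:\windows\system32\svchost.exe",
                  r"c:\windows\syswow64\svchost.exe"}
# The Service Control Manager (services.exe) starts service-hosting instances;
# widen this allow-list only from your own baseline (assumption for the example).
EXPECTED_PARENTS = {"services.exe"}
# SHA256 of the build analysed in the report ('General Information' table).
KNOWN_GOOD_SHA256 = {"dd191a5b23df92e12a8852291f9fb5ed594b76a28a5a464418442584afd1e048"}


def sha256_of(ev):
    """Pull the SHA256 out of a Sysmon-style 'ALG=hex,ALG=hex' Hashes field."""
    pairs = (p.split("=", 1) for p in ev.get("Hashes", "").split(",") if "=" in p)
    return {k.upper(): v.lower() for k, v in pairs}.get("SHA256", "")


def check_event(ev):
    """List the context findings for one svchost.exe event (empty = looks normal)."""
    findings = []
    if ev["Image"].lower() not in SYSTEM_SVCHOST:
        findings.append("image outside System32/SysWOW64")
    # The report's command line is the bare path; a real instance is started as
    # 'svchost.exe -k <servicegroup> ...'.
    if "-k" not in ev["CommandLine"].lower().split():
        findings.append("missing -k service-group argument")
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    if parent not in EXPECTED_PARENTS:
        findings.append(f"unexpected parent {parent or '<unknown>'}")
    return findings


def classify(ev):
    """Combine the file verdict (known-good hash) with the execution context."""
    findings = check_event(ev)
    genuine = sha256_of(ev) in KNOWN_GOOD_SHA256
    if findings and genuine:
        verdict = "genuine binary, suspicious execution context"
    elif findings:
        verdict = "unknown binary, suspicious execution context"
    elif genuine:
        verdict = "expected service host"
    else:
        verdict = "expected context, unknown build (verify signature)"
    return verdict, findings


# Constructed events.  The first mirrors the sandbox run in this report; the
# parent images and the third hash are invented for the example.
EVENTS = [
    {"Image": r"C:\Users\user\Desktop\svchost.exe",
     "CommandLine": r"'C:\Users\user\Desktop\svchost.exe'",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "SHA256=DD191A5B23DF92E12A8852291F9FB5ED594B76A28A5A464418442584AFD1E048"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Hashes": "SHA256=DD191A5B23DF92E12A8852291F9FB5ED594B76A28A5A464418442584AFD1E048"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Hashes": "SHA256=" + "00" * 32},
]

if __name__ == "__main__":
    for ev in EVENTS:
        verdict, findings = classify(ev)
        print(f"{ev['Image']}: {verdict}; {', '.join(findings) or 'no findings'}")
```

The first event, the one this report describes, comes out as "genuine binary, suspicious execution context": the hash says Microsoft, the path and command line say something copied it there and ran it by hand or from a dropper. Treat the known-good hash as a pivot (what else was in that directory, what wrote it), not as a reason to close the alert.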

Disassembly

Code Analysis