SHA256: 121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2
File name: svchost.exe
Detection ratio: 0 / 55
Analysis date: 2015-06-24 08:14:20 UTC ( 2 years, 5 months ago )
Trusted source! This file belongs to the Microsoft Corporation software catalogue.
Antivirus / Result / Update (the Result column is empty for every engine below: no engine flagged the file, matching the 0 / 55 detection ratio)
ALYac 20150623
AVG 20150623
AVware 20150623
Ad-Aware 20150623
AegisLab 20150623
Yandex 20150623
AhnLab-V3 20150623
Alibaba 20150623
Antiy-AVL 20150623
Arcabit 20150624
Avast 20150623
Avira (no cloud) 20150623
Baidu-International 20150623
BitDefender 20150623
Bkav 20150623
ByteHero 20150624
CAT-QuickHeal 20150623
ClamAV 20150624
Comodo 20150623
Cyren 20150623
DrWeb 20150623
ESET-NOD32 20150623
Emsisoft 20150623
F-Prot 20150622
F-Secure 20150623
Fortinet 20150624
GData 20150623
Ikarus 20150623
Jiangmin 20150623
K7AntiVirus 20150623
K7GW 20150623
Kaspersky 20150623
Kingsoft 20150624
Malwarebytes 20150624
McAfee 20150623
McAfee-GW-Edition 20150623
eScan 20150623
Microsoft 20150624
NANO-Antivirus 20150623
Panda 20150623
Qihoo-360 20150624
Rising 20150623
SUPERAntiSpyware 20150623
Sophos AV 20150624
Symantec 20150623
Tencent 20150624
TheHacker 20150622
TrendMicro 20150624
TrendMicro-HouseCall 20150623
VBA32 20150622
VIPRE 20150623
ViRobot 20150623
Zillya 20150624
Zoner 20150624
nProtect 20150623
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright © Microsoft Corporation. All rights reserved.
Product Microsoft® Windows® Operating System
Original name svchost.exe
Internal name svchost.exe
File version 6.1.7600.16385 (win7_rtm.090713-1255)
Description Host Process for Windows Services
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2009-07-13 23:19:28
Entry Point 0x00002104
Number of sections 4
PE sections
PE imports
StartServiceCtrlDispatcherW
SetServiceStatus
RegisterServiceCtrlHandlerW
GetCurrentProcessId
GetCurrentProcess
TerminateProcess
GetCurrentThreadId
OpenProcessToken
SetSecurityDescriptorDacl
SetSecurityDescriptorOwner
AddAccessAllowedAce
InitializeSecurityDescriptor
GetLengthSid
InitializeAcl
GetTokenInformation
SetSecurityDescriptorGroup
GetLastError
RegCloseKey
EnterCriticalSection
LCMapStringW
DeactivateActCtx
FreeLibrary
QueryPerformanceCounter
GetTickCount
RegOpenKeyExW
HeapFree
lstrcmpiW
GetCommandLineW
lstrlenW
HeapSetInformation
LoadLibraryExA
CreateActCtxW
LocalAlloc
DelayLoadFailureHook
ActivateActCtx
RegQueryValueExW
SetErrorMode
UnhandledExceptionFilter
LoadLibraryExW
GetProcAddress
InterlockedCompareExchange
GetProcessHeap
RegisterWaitForSingleObjectEx
ExpandEnvironmentStringsW
WideCharToMultiByte
GetModuleHandleA
InterlockedExchange
SetUnhandledExceptionFilter
CloseHandle
GetSystemTimeAsFileTime
ReleaseActCtx
lstrcmpW
HeapAlloc
LocalFree
SetProcessAffinityUpdateMode
RegDisablePredefinedCacheEx
InitializeCriticalSection
Sleep
ExitProcess
LeaveCriticalSection
RpcServerUnregisterIfEx
I_RpcMapWin32Status
RpcMgmtWaitServerListen
RpcMgmtStopServerListening
RpcServerRegisterIf
RpcServerListen
RpcMgmtSetServerStackSize
RpcServerUnregisterIf
RpcServerUseProtseqEpW
_amsg_exit
__wgetmainargs
?terminate@@YAXXZ
__p__commode
__setusermatherr
__p__fmode
memcpy
_controlfp
_except_handler4_common
exit
_XcptFilter
_cexit
_exit
_initterm
__set_app_type
RtlAllocateHeap
RtlSubAuthoritySid
RtlImageNtHeader
RtlUnhandledExceptionFilter
EtwEventRegister
RtlInitializeSid
RtlSubAuthorityCountSid
RtlCopySid
EtwEventEnabled
RtlInitializeCriticalSection
RtlLengthRequiredSid
RtlSetProcessIsCritical
EtwEventWrite
RtlFreeHeap
Number of PE resources by type
RT_MANIFEST 1
MUI 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 3
PE resources
Debug information
ExifTool file metadata
SubsystemVersion: 6.1
InitializedDataSize: 5120
ImageVersion: 6.1
ProductName: Microsoft Windows Operating System
FileVersionNumber: 6.1.7600.16385
UninitializedDataSize: 0
LanguageCode: English (U.S.)
FileFlagsMask: 0x003f
CharacterSet: Unicode
LinkerVersion: 9.0
FileTypeExtension: exe
OriginalFileName: svchost.exe
MIMEType: application/octet-stream
Subsystem: Windows GUI
FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
TimeStamp: 2009:07:14 00:19:28+01:00
FileType: Win32 EXE
PEType: PE32
InternalName: svchost.exe
ProductVersion: 6.1.7600.16385
FileDescription: Host Process for Windows Services
OSVersion: 6.1
FileOS: Windows NT 32-bit
LegalCopyright: Microsoft Corporation. All rights reserved.
MachineType: Intel 386 or later, and compatibles
CompanyName: Microsoft Corporation
CodeSize: 14848
FileSubtype: 0
ProductVersionNumber: 6.1.7600.16385
EntryPoint: 0x2104
ObjectFileType: Executable application
File identification
MD5 54a47f6b5e09a77e61649109c6a08866
SHA1 4af001b3c3816b860660cf2de2c0fd3c1dfb4878
SHA256 121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2
ssdeep 384:eipYzV8555BUcKaJEEyKxC0exYQ1k3KFUOLg2JfvaW9C5bW9odW:3peIszaqEyKxCtxJk6FbXaw
authentihash 0c0d321a1a8d6816e2e97b8be9d762f84a882ea7e16870d4cd09b0c482f52802
imphash 58e185299ecca757fe68ba83a6495fde
File size 20.5 KB ( 20992 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Dynamic Link Library (generic) (43.5%)
Win32 Executable (generic) (29.8%)
Generic Win/DOS Executable (13.2%)
DOS Executable Generic (13.2%)
Tags peexe trusted via-tor
Trusted verdicts
This file belongs to the Microsoft Corporation software catalogue. The file is often found with svchost.exe as its name.
VirusTotal metadata
First submission 2009-07-22 12:30:01 UTC ( 8 years, 5 months ago )
Last submission 2017-12-18 12:50:27 UTC ( 3 hours, 50 minutes ago )
File names
fc278810-c6a5-6aed-d057-7356da679f9d_1d210928245dff3
71BA.xe
svchost (4).exe
18F4D0.exe.3800.dr
0e71993f8a7434617a362f6ad91b36d40f40c30f.exe
svchost.exe
svchost.exe_00000000003880685697
fad9d07a-b501-b068-90db-1beac2670b48_1d21092535f41ac
121118a0f5e0e8c9_explorer.exe
121118a0f5e0e8c9_advancedsytem2.exe
2c0a436b-284b-b7d7-4e04-f55c1bb105dd_1d2257bc29f6ffc
svchost (9).exe
552EC5.exe
7b6564624b2873ff5baa3d99a521d73ff75bd8f6.exe
121118a0f5e0e8c9_win32k.exe
svchost (3).exe
66fc3aa7-86aa-3818-8d36-5c04891a8ecf_1d2259e33dd941b
8435282b-23a9-0379-60e0-b54e8c48bca6_1d211677d1ac998
121118a0f5e0e8c9_java.exe
svchost.exe
svchost.exe
svchost.dll
121118a0f5e0e8c9_svchost.exe
svchost64.exe
7d7e6d92-1d6e-dfc6-15ae-fc3045ec3187_1d214105b1fe27f
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which, depending on the user policies and environment, may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua
Symantec reputation Suspicious.Insight