SHA256: 121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2
File name: svchost.exe
Detection ratio: 0 / 55
Analysis date: 2015-06-24 08:14:20 UTC ( 2 years, 3 months ago )
Trusted source! This file belongs to the Microsoft Corporation software catalogue.
Antivirus Result Update
ALYac 20150623
AVG 20150623
AVware 20150623
Ad-Aware 20150623
AegisLab 20150623
Yandex 20150623
AhnLab-V3 20150623
Alibaba 20150623
Antiy-AVL 20150623
Arcabit 20150624
Avast 20150623
Avira (no cloud) 20150623
Baidu-International 20150623
BitDefender 20150623
Bkav 20150623
ByteHero 20150624
CAT-QuickHeal 20150623
ClamAV 20150624
Comodo 20150623
Cyren 20150623
DrWeb 20150623
ESET-NOD32 20150623
Emsisoft 20150623
F-Prot 20150622
F-Secure 20150623
Fortinet 20150624
GData 20150623
Ikarus 20150623
Jiangmin 20150623
K7AntiVirus 20150623
K7GW 20150623
Kaspersky 20150623
Kingsoft 20150624
Malwarebytes 20150624
McAfee 20150623
McAfee-GW-Edition 20150623
eScan 20150623
Microsoft 20150624
NANO-Antivirus 20150623
Panda 20150623
Qihoo-360 20150624
Rising 20150623
SUPERAntiSpyware 20150623
Sophos AV 20150624
Symantec 20150623
Tencent 20150624
TheHacker 20150622
TrendMicro 20150624
TrendMicro-HouseCall 20150623
VBA32 20150622
VIPRE 20150623
ViRobot 20150623
Zillya 20150624
Zoner 20150624
nProtect 20150623
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright © Microsoft Corporation. All rights reserved.
Product Microsoft® Windows® Operating System
Original name svchost.exe
Internal name svchost.exe
File version 6.1.7600.16385 (win7_rtm.090713-1255)
Description Host Process for Windows Services
Signature verification Signed file, verified signature
Signing date 4:17 AM 7/14/2009
Signers
[+] Microsoft Windows
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Windows Verification PCA
Valid from 9:39 PM 10/22/2008
Valid to 9:49 PM 1/22/2010
Valid usage Code Signing, NT5 Crypto
Algorithm sha1RSA
Thumbprint 018B222E21FBB2952304D04D1D87F736ED46DEA4
Serial number 61 01 C6 C1 00 00 00 00 00 07
[+] Microsoft Windows Verification PCA
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Root Certificate Authority
Valid from 10:55 PM 9/15/2005
Valid to 11:05 PM 3/15/2016
Valid usage Code Signing, NT5 Crypto
Algorithm sha1RSA
Thumbprint 5DF0D7571B0780783960C68B78571FFD7EDAF021
Serial number 61 07 02 DC 00 00 00 00 00 0B
[+] Microsoft Root Certificate Authority
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 12:19 AM 5/10/2001
Valid to 12:28 AM 5/10/2021
Valid usage All
Algorithm sha1RSA
Thumbprint CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
Counter signers
[+] Microsoft Time-Stamp Service
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Time-Stamp PCA
Valid from 11:03 PM 6/5/2007
Valid to 11:13 PM 6/5/2012
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 80B9915817340CEE66D71EC27DA5F96EBF8D94D8
Serial number 61 04 CA 69 00 00 00 00 00 08
[+] Microsoft Time-Stamp PCA
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 1:53 PM 4/3/2007
Valid to 2:03 PM 4/3/2021
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 375FCB825C3DC3752A02E34EB70993B4997191EF
Serial number 61 16 68 34 00 00 00 00 00 1C
[+] Microsoft Root Certificate Authority
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 12:19 AM 5/10/2001
Valid to 12:28 AM 5/10/2021
Valid usage All
Algorithm sha1RSA
Thumbprint CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
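The chain above looks contradictory at first glance: the leaf certificate "Microsoft Windows" expired in January 2010 and the time-stamp service certificate in June 2012, every one of them is flagged "not time valid", yet the verification result is "Signed file, verified signature". The resolution is the counter signature: an Authenticode (RFC 3161 style) timestamp binds the signature to 7/14/2009, and the signer chain is judged at that instant rather than at the time of the scan. Strip the countersignature and the same certificates would fail today. The following added example (not VirusTotal code, and not Windows' actual WinVerifyTrust logic) models exactly that rule with the dates transcribed from this report. The page prints local times with no offset, so treating them as UTC is an assumption; the model covers time validity only, not revocation, root trust, or hash algorithm policy (all three chains here use sha1RSA).

```python
from datetime import datetime, timezone


def utc_dt(y, mo, d, h, mi):
    """Helper: build a timezone-aware UTC datetime (UTC is an assumption, see lead-in)."""
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)


# Values transcribed from the report's Authenticode block.
SIGNING_TIME = utc_dt(2009, 7, 14, 4, 17)                      # "Signing date" (counter-signed time)

# (subject, Valid from, Valid to) for the signer chain, leaf first.
SIGNER_CHAIN = [
    ("Microsoft Windows",                    utc_dt(2008, 10, 22, 21, 39), utc_dt(2010, 1, 22, 21, 49)),
    ("Microsoft Windows Verification PCA",   utc_dt(2005, 9, 15, 22, 55),  utc_dt(2016, 3, 15, 23, 5)),
    ("Microsoft Root Certificate Authority", utc_dt(2001, 5, 10, 0, 19),   utc_dt(2021, 5, 10, 0, 28)),
]
# Counter-signer (timestamp) chain, leaf first.
TIMESTAMP_CHAIN = [
    ("Microsoft Time-Stamp Service",         utc_dt(2007, 6, 5, 23, 3),    utc_dt(2012, 6, 5, 23, 13)),
    ("Microsoft Time-Stamp PCA",             utc_dt(2007, 4, 3, 13, 53),   utc_dt(2021, 4, 3, 14, 3)),
    ("Microsoft Root Certificate Authority", utc_dt(2001, 5, 10, 0, 19),   utc_dt(2021, 5, 10, 0, 28)),
]

VERIFIED = "Signed file, verified signature"
NOT_VERIFIED = "Signed file, certificate chain not time valid"


def time_status(chain, when):
    """Per-certificate time validity at `when`, in the report's own wording."""
    return {name: ("Valid" if not_before <= when <= not_after else "not time valid")
            for name, not_before, not_after in chain}


def evaluate_signature(signing_time, signer_chain, timestamp_chain, now):
    """Decide whether an Authenticode signature verifies at `now` (time validity only).

    Rule modelled here:
      * without a countersignature, every signer certificate must be valid at `now`;
      * with one, the signer chain is judged at the counter-signed signing time, and
        the timestamp chain must itself have been valid at that same instant.
    Revocation, root-store trust and hash-algorithm policy are deliberately out of scope.
    """
    status_now = time_status(signer_chain, now)            # what the report's Status column shows
    if timestamp_chain is None:
        judged_at = now
        ok = all(v == "Valid" for v in status_now.values())
    else:
        judged_at = signing_time
        ok = (all(v == "Valid" for v in time_status(signer_chain, signing_time).values())
              and all(v == "Valid" for v in time_status(timestamp_chain, signing_time).values()))
    return {"judged_at": judged_at, "status_now": status_now, "verdict": VERIFIED if ok else NOT_VERIFIED}


if __name__ == "__main__":
    now = utc_dt(2017, 10, 17, 10, 56)                      # the report's last-submission time
    with_ts = evaluate_signature(SIGNING_TIME, SIGNER_CHAIN, TIMESTAMP_CHAIN, now)
    without_ts = evaluate_signature(SIGNING_TIME, SIGNER_CHAIN, None, now)
    for name, status in with_ts["status_now"].items():
        print(f"{name}: {status}")
    print("with countersignature:   ", with_ts["verdict"])
    print("without countersignature:", without_ts["verdict"])
```

Run as-is, the per-certificate statuses reproduce the report (leaf and intermediate "not time valid", root "Valid") while the verdict with the countersignature is "verified" and without it is not. Moving the signing time past 1/22/2010 flips the verdict even with a timestamp, which is why a timestamp only protects signatures that were made inside the certificate's lifetime.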
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2009-07-13 23:19:28
Entry Point 0x00002104
Number of sections 4
PE sections
PE imports
StartServiceCtrlDispatcherW
SetServiceStatus
RegisterServiceCtrlHandlerW
GetCurrentProcessId
GetCurrentProcess
TerminateProcess
GetCurrentThreadId
OpenProcessToken
SetSecurityDescriptorDacl
SetSecurityDescriptorOwner
AddAccessAllowedAce
InitializeSecurityDescriptor
GetLengthSid
InitializeAcl
GetTokenInformation
SetSecurityDescriptorGroup
GetLastError
RegCloseKey
EnterCriticalSection
LCMapStringW
DeactivateActCtx
FreeLibrary
QueryPerformanceCounter
GetTickCount
RegOpenKeyExW
HeapFree
lstrcmpiW
GetCommandLineW
lstrlenW
HeapSetInformation
LoadLibraryExA
CreateActCtxW
LocalAlloc
DelayLoadFailureHook
ActivateActCtx
RegQueryValueExW
SetErrorMode
UnhandledExceptionFilter
LoadLibraryExW
GetProcAddress
InterlockedCompareExchange
GetProcessHeap
RegisterWaitForSingleObjectEx
ExpandEnvironmentStringsW
WideCharToMultiByte
GetModuleHandleA
InterlockedExchange
SetUnhandledExceptionFilter
CloseHandle
GetSystemTimeAsFileTime
ReleaseActCtx
lstrcmpW
HeapAlloc
LocalFree
SetProcessAffinityUpdateMode
RegDisablePredefinedCacheEx
InitializeCriticalSection
Sleep
ExitProcess
LeaveCriticalSection
RpcServerUnregisterIfEx
I_RpcMapWin32Status
RpcMgmtWaitServerListen
RpcMgmtStopServerListening
RpcServerRegisterIf
RpcServerListen
RpcMgmtSetServerStackSize
RpcServerUnregisterIf
RpcServerUseProtseqEpW
_amsg_exit
__wgetmainargs
?terminate@@YAXXZ
__p__commode
__setusermatherr
__p__fmode
memcpy
_controlfp
_except_handler4_common
exit
_XcptFilter
_cexit
_exit
_initterm
__set_app_type
RtlAllocateHeap
RtlSubAuthoritySid
RtlImageNtHeader
RtlUnhandledExceptionFilter
EtwEventRegister
RtlInitializeSid
RtlSubAuthorityCountSid
RtlCopySid
EtwEventEnabled
RtlInitializeCriticalSection
RtlLengthRequiredSid
RtlSetProcessIsCritical
EtwEventWrite
RtlFreeHeap
Number of PE resources by type
RT_MANIFEST 1
MUI 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 3
PE resources
Debug information
ExifTool file metadata
SubsystemVersion 6.1
LinkerVersion 9.0
ImageVersion 6.1
FileSubtype 0
FileVersionNumber 6.1.7600.16385
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Unicode
InitializedDataSize 5120
EntryPoint 0x2104
OriginalFileName svchost.exe
MIMEType application/octet-stream
LegalCopyright © Microsoft Corporation. All rights reserved.
FileVersion 6.1.7600.16385 (win7_rtm.090713-1255)
TimeStamp 2009:07:14 00:19:28+01:00
FileType Win32 EXE
PEType PE32
InternalName svchost.exe
ProductVersion 6.1.7600.16385
FileDescription Host Process for Windows Services
OSVersion 6.1
FileOS Windows NT 32-bit
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName Microsoft Corporation
CodeSize 14848
ProductName Microsoft® Windows® Operating System
ProductVersionNumber 6.1.7600.16385
FileTypeExtension exe
ObjectFileType Executable application

File identification
MD5 54a47f6b5e09a77e61649109c6a08866
SHA1 4af001b3c3816b860660cf2de2c0fd3c1dfb4878
SHA256 121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2
ssdeep 384:eipYzV8555BUcKaJEEyKxC0exYQ1k3KFUOLg2JfvaW9C5bW9odW:3peIszaqEyKxCtxJk6FbXaw
authentihash 0c0d321a1a8d6816e2e97b8be9d762f84a882ea7e16870d4cd09b0c482f52802
imphash 58e185299ecca757fe68ba83a6495fde
File size 20.5 KB ( 20992 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
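Of the hashes listed above, the authentihash is the one that matters for Authenticode: it is the digest the signer actually signed, computed over the PE image with the CheckSum field, the security data-directory entry and the certificate table itself left out. MD5/SHA-1/SHA-256 of the whole file change whenever Microsoft re-signs or re-timestamps a binary; the authentihash does not, which is why it is the right key for matching a file against a signed catalog or a known-good image, and why a single patched code byte still changes it. The following added example (not VirusTotal or Microsoft code) implements that computation from the raw PE headers and checks both properties on a constructed, non-runnable PE32 image built inside the block. It assumes sections appear in file order (the spec orders them by PointerToRawData, which is the same thing for normally laid-out binaries).

```python
import hashlib
import struct


def authentihash(data: bytes, algo: str = "sha256") -> str:
    """Authenticode digest ("authentihash") of a PE image held in memory.

    The digest covers the whole file except three regions that signing rewrites:
      1. the 4-byte CheckSum field of the optional header,
      2. the 8-byte IMAGE_DIRECTORY_ENTRY_SECURITY data-directory entry,
      3. the attribute certificate table that entry points to.
    Assumption: sections are hashed in file order (equals the spec's PointerToRawData
    ordering for normally laid-out binaries).
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                      # IMAGE_OPTIONAL_HEADER follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                           # PE32
        dirs = opt + 96
    elif magic == 0x20B:                         # PE32+
        dirs = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    checksum_off = opt + 64                      # CheckSum sits at the same offset in PE32 and PE32+
    sec_dir_off = dirs + 4 * 8                   # entry 4 = SECURITY; holds a file offset, not an RVA
    cert_off, cert_size = struct.unpack_from("<II", data, sec_dir_off)

    h = hashlib.new(algo)
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:sec_dir_off])
    if cert_off and cert_size:
        h.update(data[sec_dir_off + 8:cert_off])
        h.update(data[cert_off + cert_size:])    # anything appended after the certificate table
    else:
        h.update(data[sec_dir_off + 8:])         # unsigned file: nothing more to skip
    return h.hexdigest()


def build_sample_pe(code: bytes, cert_blob: bytes, checksum: int = 0) -> bytes:
    """Constructed PE32 test image (not svchost.exe, not loadable): headers, one .text
    section, and a WIN_CERTIFICATE table carrying `cert_blob` instead of real PKCS#7."""
    e_lfanew, file_align = 0x40, 0x200
    opt_size = 96 + 16 * 8
    headers_len = e_lfanew + 4 + 20 + opt_size + 40
    size_of_headers = -(-headers_len // file_align) * file_align
    code_raw = code + b"\0" * (-len(code) % file_align)
    cert_off = size_of_headers + len(code_raw)
    # WIN_CERTIFICATE: dwLength, wRevision = 0x0200, wCertificateType = 2 (PKCS#7), 8-byte aligned
    cert_table = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    cert_table += b"\0" * (-len(cert_table) % 8)

    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)  # i386, 1 section, EXE|32BIT
    opt = struct.pack(
        "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
        0x10B, 9, 0,                                # PE32 magic, linker 9.0
        len(code_raw), 0, 0,                        # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
        0x1000, 0x1000, 0x2000, 0x400000,           # EntryPoint, BaseOfCode, BaseOfData, ImageBase
        0x1000, file_align,                         # SectionAlignment, FileAlignment
        6, 1, 6, 1, 6, 1,                           # OS / image / subsystem versions
        0, 0x2000, size_of_headers, checksum,       # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        2, 0,                                       # Subsystem = GUI, DllCharacteristics
        0x100000, 0x1000, 0x100000, 0x1000, 0, 16,  # stack/heap sizes, LoaderFlags, NumberOfRvaAndSizes
    )
    directories = [0, 0] * 16
    directories[8], directories[9] = cert_off, len(cert_table)   # entry 4: SECURITY (offset, size)
    section = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, len(code_raw),
                          size_of_headers, 0, 0, 0, 0, 0x60000020)  # CODE|EXECUTE|READ
    headers = dos + b"PE\0\0" + coff + opt + struct.pack("<32I", *directories) + section
    headers += b"\0" * (size_of_headers - len(headers))
    return headers + code_raw + cert_table


if __name__ == "__main__":
    code = b"\xcc" * 16
    signed_a = build_sample_pe(code, b"constructed-signature-A")
    signed_b = build_sample_pe(code, b"constructed-signature-B, re-signed", checksum=0xDEADBEEF)
    patched = build_sample_pe(b"\x90" * 16, b"constructed-signature-A")
    print("authentihash A:", authentihash(signed_a))
    print("same code, new signature and checksum ->", authentihash(signed_a) == authentihash(signed_b))  # True
    print("code patched, same signature          ->", authentihash(signed_a) == authentihash(patched))   # False
```

The two comparisons at the end are the point: re-signing (a different certificate table and a recomputed CheckSum) leaves the authentihash unchanged, while altering the code bytes changes it, so a file whose authentihash matches a trusted catalog entry has the same hashed content even if its MD5 or SHA-256 differs from a previously seen copy.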

TrID Win32 Dynamic Link Library (generic) (43.5%)
Win32 Executable (generic) (29.8%)
Generic Win/DOS Executable (13.2%)
DOS Executable Generic (13.2%)
Tags peexe signed trusted via-tor
Trusted verdicts
This file belongs to the Microsoft Corporation software catalogue. The file is often found with svchost.exe as its name.
VirusTotal metadata
First submission 2009-07-22 12:30:01 UTC ( 8 years, 2 months ago )
Last submission 2017-10-17 10:56:10 UTC ( 13 hours, 33 minutes ago )
File names fc278810-c6a5-6aed-d057-7356da679f9d_1d210928245dff3
71BA.xe
8fc74c00-c156-7a47-bb4f-e880d542ea34
d1c56374fff0243832b8696d133b7861.safe
svchost (4).exe
18F4D0.exe.3800.dr
0e71993f8a7434617a362f6ad91b36d40f40c30f.exe
ul786390691
svchost.exe_00000000003880685697
fad9d07a-b501-b068-90db-1beac2670b48_1d21092535f41ac
c3eb1845-dae7-aa51-ba0d-2ed93f296ae8
2c0a436b-284b-b7d7-4e04-f55c1bb105dd_1d2257bc29f6ffc
svchost (9).exe
552EC5.exe
7b6564624b2873ff5baa3d99a521d73ff75bd8f6.exe
svchost (3).exe
66fc3aa7-86aa-3818-8d36-5c04891a8ecf_1d2259e33dd941b
svchost.ex_
8435282b-23a9-0379-60e0-b54e8c48bca6_1d211677d1ac998
svchost.exe
svchost64.exe
svchost.dll
121118a0f5e0e8c9_svchost.exe
1252cde0-000c-80a7-5b71-0b401da361a2_1d2115c35cd2117
7d7e6d92-1d6e-dfc6-15ae-fc3045ec3187_1d214105b1fe27f
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Symantec reputation Suspicious.Insight