Manalyze report for 2c4dfe04c9036899337fe58e9a092f39

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2016-Aug-22 18:55:10
Detected languages	English - United States
TLS Callbacks	1 callback(s) detected.
Debug artifacts	C:\Jenkins\workspace\Release6.0_Build\Platform\vs2008\out\release-6.0\Tanium_x86\RelWithDebInfo\TaniumSender.pdb
FileDescription	Tanium
InternalName	Tanium
FileVersion	`6.0.314.1540`
LegalCopyright	Copyright (C) Tanium Inc. 2009-2016
ProductName	Tanium
ProductVersion	`6.0.314.1540`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ v6.0 DLL` `Microsoft Visual C++ 6.0 - 8.0` `MASM/TASM - sig2(h)` `MASM/TASM - sig1(h)`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to security software: rshell.exe` `May have dropper capabilities: CurrentControlSet\Services CurrentVersion\Run` `Accesses the WMI: ROOT\CIMV2`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Can access the registry: RegDeleteValueA RegDeleteKeyA RegCreateKeyA RegEnumValueA RegQueryInfoKeyA RegEnumKeyExA RegOpenKeyExA RegQueryValueExA RegCreateKeyExA RegSetValueExA RegCloseKey` `Possibly launches other programs: CreateProcessA` `Leverages the raw socket API to access the Internet: WSASend WSARecv #5 WSAIoctl #3 #14 #8 #115 #10 #4 #7 #18 #151 #17 #16 #20 #19 #1 #13 #6 #2 #23 #21 #15 #112 #57 #11 #52 #111 #9 #22` `Interacts with services: QueryServiceStatus CreateServiceA OpenSCManagerA OpenServiceA ControlService DeleteService` `Enumerates local disk drives: GetDriveTypeA` `Manipulates other processes: OpenProcess`
Info	The PE is digitally signed.	`Signer: Tanium Inc.` `Issuer: DigiCert SHA2 Assured ID Code Signing CA`
Safe	VirusTotal score: 0/68 (Scanned on 2017-11-10 02:53:03)	`All the AVs think this file is safe.`

Hashes

MD5	`2c4dfe04c9036899337fe58e9a092f39`
SHA1	`14b79ab35cb58da927cd4dc27c73f2e2b2758344`
SHA256	`1072051dda4e8670d207eb66192a10aa97ead9ab56b7aeb14005050505d218f6`
SHA3	`4a1289175c05e0e54205df454cb426fc42389f9f35a7a5106377f5937573cf30`
SSDeep	`98304:PzUlme7dueIRMXlZUy+CFXEsvAvqdFs7t/KIHHrFRGPTducvpNaRWLnyJRsafKh:o0e7duetoCusvbdFs7t/KIHHrFRGty3o`
Imports Hash	`664c65eca21bb2638c04a5aad282cced`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x100`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`6`
TimeDateStamp	2016-Aug-22 18:55:10
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`9.0`
SizeOfCode	`0x3d5c00`
SizeOfInitializedData	`0xd8400`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00367A66 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x3d7000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.0`
ImageVersion	`0.0`
SubsystemVersion	`5.0`
Win32VersionValue	`0`
SizeOfImage	`0x4ce000`
SizeOfHeaders	`0x400`
Checksum	`0x4be2db`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0xf4240`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`8089d5857fe95e44281ad8f72c9fceff`
SHA1	`93f01d4dee23d5a7b5cf71b2ed28bbdbcb5187d0`
SHA256	`84cbda54c61f8703b7f95619bf762ae90da472ca9fbacaf074ac697b1a84a730`
SHA3	`a4b6f992c89d7cda8bdb35e7313376c4324835ce19e0d4bf75cb94bd701fbcc0`
VirtualSize	`0x3d5b4f`
VirtualAddress	`0x1000`
SizeOfRawData	`0x3d5c00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.38589`

.rdata

MD5	`946fbe6c0ebf8b1470ce579368466ba7`
SHA1	`26a53c8b94d24dbbddc85941302e8d5d93d7b351`
SHA256	`3d5e8f808a1b330527933486d7809b610a593fd5872f5c05a5446c9b55697d5c`
SHA3	`165dde4c88410f826cec06fd91cf736a3a3b3a5543df60194cc0822cef07887a`
VirtualSize	`0x95b3c`
VirtualAddress	`0x3d7000`
SizeOfRawData	`0x95c00`
PointerToRawData	`0x3d6000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.87782`

.data

MD5	`f6440870eb420bdbce1bc808d2b74adc`
SHA1	`48621e411afbfa0ab05a3eb94140bdf878d76aad`
SHA256	`7044afc6f5380846e3edca5a0c92bd66a90b7a3099e6d4370bcdd8c9f38d9bdd`
SHA3	`875d99d04c5fc946df1f332a8899d9b9bf369750972f14a7ff12b22811524a7a`
VirtualSize	`0x39498`
VirtualAddress	`0x46d000`
SizeOfRawData	`0x1c600`
PointerToRawData	`0x46bc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`5.30071`

.tls

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x2`
VirtualAddress	`0x4a7000`
SizeOfRawData	`0x200`
PointerToRawData	`0x488200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.rsrc

MD5	`c9d63f9237ad8481a23bcebf500532e9`
SHA1	`85f93b5bb07bea16cc367e8194a868e1d7a3e6bb`
SHA256	`899e278325b1efd20913789a5c21b936b216a7d87017c44a1e0ddb698fe0bdc5`
SHA3	`2e0007fdedff741d94b7f7561856e2a45764b219f1797af7d6ca13e1f74b828e`
VirtualSize	`0xf34`
VirtualAddress	`0x4a8000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x488400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.3952`

.reloc

MD5	`7269aa45d633e460e02d58d944455701`
SHA1	`f129612dcf085326452aab0a44216c89f7489128`
SHA256	`d817acb989f3c5c0a15304d56837f8608012ff8f8d694f4cb8b70622677d4dac`
SHA3	`4b9f9cfcb74b0d0d6b5f1ac8ae4cf0e45b5bbb8d7a8be965a8242d914e305c90`
VirtualSize	`0x24ef4`
VirtualAddress	`0x4a9000`
SizeOfRawData	`0x25000`
PointerToRawData	`0x489400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`6.57791`

Imports

KERNEL32.dll	`CreateIoCompletionPort` `GetQueuedCompletionStatus` `PostQueuedCompletionStatus` `GetCurrentThreadId` `LocalAlloc` `lstrlenA` `FormatMessageA` `WideCharToMultiByte` `GetModuleFileNameA` `TerminateThread` `GetSystemDirectoryA` `GetACP` `GetModuleHandleW` `ReleaseMutex` `UnmapViewOfFile` `ResetEvent` `SetEvent` `MapViewOfFile` `CreateFileMappingA` `MultiByteToWideChar` `CreateFileW` `SetFileTime` `LocalFileTimeToFileTime` `DosDateTimeToFileTime` `GetFileTime` `GetVersion` `SystemTimeToFileTime` `GetComputerNameExW` `SetUnhandledExceptionFilter` `GetVersionExA` `LocalFree` `GlobalFree` `GlobalAlloc` `GetStdHandle` `AllocConsole` `InterlockedPopEntrySList` `SetConsoleCtrlHandler` `IsDebuggerPresent` `UnhandledExceptionFilter` `RtlUnwind` `CreateWaitableTimerA` `SetWaitableTimer` `GetSystemInfo` `CompareStringW` `CompareStringA` `WriteConsoleW` `GetConsoleOutputCP` `WriteConsoleA` `GetLocaleInfoW` `IsValidLocale` `EnumSystemLocalesA` `HeapAlloc` `LCMapStringW` `LCMapStringA` `GetStringTypeExW` `GetStringTypeExA` `GetUserDefaultLCID` `FindNextFileA` `FindFirstFileA` `FindNextFileW` `FindFirstFileW` `GetShortPathNameW` `GetFileInformationByHandle` `CopyFileA` `MoveFileA` `CopyFileW` `MoveFileW` `CreateHardLinkA` `CreateDirectoryA` `DeleteFileA` `InterlockedPushEntrySList` `InterlockedFlushSList` `InitializeSListHead` `GetSystemTimeAsFileTime` `SetLastError` `WriteFile` `SetFilePointer` `ReadFile` `CreateFileA` `SetFilePointerEx` `SetEndOfFile` `InterlockedDecrement` `InterlockedIncrement` `GetLocalTime` `Sleep` `GetTickCount` `GetCurrentProcess` `SetProcessWorkingSetSize` `GetCurrentProcessId` `CreateEventA` `CreateProcessA` `InterlockedExchange` `TerminateProcess` `WaitForSingleObject` `LoadLibraryA` `GetProcAddress` `FreeLibrary` `OpenMutexA` `CreateMutexA` `GetLastError` `CloseHandle` `GetModuleHandleA` `GetStringTypeW` `GetStringTypeA` `GetLocaleInfoA` `QueryPerformanceCounter` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `GetEnvironmentStrings` `FreeEnvironmentStringsA` `InitializeCriticalSectionAndSpinCount` `IsValidCodePage` `GetOEMCP` `HeapSize` `FlushFileBuffers` `RemoveDirectoryA` `GetConsoleMode` `GetConsoleCP` `GetStartupInfoA` `SetHandleCount` `VirtualAlloc` `FatalAppExitA` `VirtualFree` `HeapDestroy` `HeapCreate` `GetCPInfo` `HeapReAlloc` `GetTimeZoneInformation` `GetCommandLineA` `GetFileType` `SetStdHandle` `GetDriveTypeA` `FileTimeToLocalFileTime` `FileTimeToSystemTime` `SetFileAttributesA` `SetEnvironmentVariableA` `ExitProcess` `CreateThread` `GetFullPathNameA` `GetDiskFreeSpaceExA` `CreateHardLinkW` `CreateDirectoryW` `ExitThread` `GetDateFormatA` `GetTimeFormatA` `InterlockedExchangeAdd` `GetProcessAffinityMask` `LeaveCriticalSection` `EnterCriticalSection` `OpenProcess` `TlsAlloc` `TlsGetValue` `GetThreadPriority` `DuplicateHandle` `GetCurrentThread` `SetThreadPriority` `ReleaseSemaphore` `TlsSetValue` `CreateSemaphoreA` `TlsFree` `DeleteCriticalSection` `InitializeCriticalSection` `SetThreadContext` `GetThreadContext` `ResumeThread` `SuspendThread` `WaitForMultipleObjects` `InterlockedCompareExchange` `HeapFree` `GetProcessHeap` `lstrlenW` `GetFileAttributesA` `GetFileAttributesW` `GetFileAttributesExW` `GetCurrentDirectoryW` `SetCurrentDirectoryW` `GetFileAttributesExA` `GetCurrentDirectoryA` `SetCurrentDirectoryA` `FindClose` `GetDiskFreeSpaceExW` `GetFullPathNameW` `RemoveDirectoryW` `DeleteFileW` `RaiseException`
USER32.dll	`LoadStringA` `RegisterClassA` `CreateWindowExA` `DefWindowProcA` `DestroyWindow` `LoadStringW`
ole32.dll	`CoSetProxyBlanket` `CoGetInstanceFromFile` `CLSIDFromProgID` `CoCreateInstance` `CoInitialize` `CoInitializeEx` `CoInitializeSecurity` `CoUninitialize`
OLEAUT32.dll	`#2` `#7` `#6` `#150` `#35` `#17` `#77` `#20` `#19` `#25` `#161` `#9` `#12` `#8` `#202` `#201` `#200` `#149`
ADVAPI32.dll	`QueryServiceStatus` `CreateServiceA` `ChangeServiceConfig2A` `StartServiceCtrlDispatcherA` `RegisterServiceCtrlHandlerA` `StartServiceA` `RegDeleteValueA` `OpenSCManagerA` `OpenServiceA` `ControlService` `DeleteService` `CloseServiceHandle` `RegDeleteKeyA` `RegCreateKeyA` `RegisterEventSourceA` `ReportEventA` `DeregisterEventSource` `SetServiceStatus` `GetUserNameA` `LookupAccountNameA` `IsValidSid` `GetLengthSid` `CopySid` `RegEnumValueA` `RegQueryInfoKeyA` `RegEnumKeyExA` `RegOpenKeyExA` `RegQueryValueExA` `RegCreateKeyExA` `RegSetValueExA` `RegCloseKey`
WS2_32.dll	`WSASend` `WSARecv` `#5` `WSAIoctl` `#3` `#14` `#8` `#115` `#10` `#4` `#7` `#18` `#151` `#17` `#16` `#20` `#19` `#1` `#13` `#6` `#2` `#23` `#21` `#15` `#112` `#57` `#11` `#52` `#111` `#9` `#22`
VERSION.dll	`GetFileVersionInfoA` `GetFileVersionInfoSizeA` `VerQueryValueA`
TaniumCryptoLibrary.dll	`?TaniumCryptosystem@@YAABVCryptosystem@@XZ` `?SetConvertSigsToCryptoPPFlag@@YAX_N@Z` `?InitializeTaniumCryptosystem@@YAABVCryptosystem@@PAV?$basic_istream@DU?$char_traits@D@std@@@std@@W4FIPSMode@CryptosystemPreferences@@W4PreferredCryptosystem@5@@Z`
WINMM.dll	`timeEndPeriod` `timeBeginPeriod`
python27.dll (delay-loaded)	`PyThreadState_Delete` `PyEval_ReleaseThread` `PyRun_StringFlags` `PyEval_AcquireThread` `PyThreadState_New` `PyUnicodeUCS2_AsUnicode` `PyUnicodeUCS2_AsUTF8String` `PyType_IsSubtype` `PyObject_GetAttrString` `PyDict_GetItemString` `PyString_AsString` `PyObject_Str` `PyErr_Fetch` `PyDict_Clear` `PyDict_SetItemString` `PyLong_FromVoidPtr` `PyDict_Copy` `PyModule_GetDict` `PyImport_AddModule` `Py_IsInitialized` `PyThreadState_Get` `PyEval_InitThreads` `Py_Initialize` `Py_SetPythonHome` `Py_InitModule4` `PyErr_SetString` `PyString_FromStringAndSize` `PyEval_RestoreThread` `PyEval_SaveThread` `PyNumber_AsSsize_t` `PyLong_AsVoidPtr` `PyNumber_Check` `PyInt_FromSsize_t` `PyString_Size` `PyInt_AsLong` `PyString_FromString` `PyDict_Next`

Delayed Imports

Attributes	`0x1`
Name	`python27.dll`
ModuleHandle	`0x4a41dc`
DelayImportAddressTable	`0x489520`
DelayImportNameTable	`0x46aeb4`
BoundDelayImportTable	`0x46b248`
UnloadDelayImportTable	`0`
TimeStamp	`1970-Jan-01 00:00:00`

1

Type	`TYPELIB`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0xa84`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.86126`
MD5	`409d1b0c0a1e1bf8e9f14077ccc45b39`
SHA1	`1430ed6ced394f2276d5aeffba2942cc340f1f60`
SHA256	`c860691050c48387a5f0a65828b64ff92bf2e8e2bf9a841c1910a3244ea0a837`
SHA3	`9ee69f08fa5f01b7b9914a245aecf30ab71c27310e22c031ff0ba35b4926bea8`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x25c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.39857`
MD5	`1b0c4281a62a2c90cf00bee4d257b5cb`
SHA1	`9e4ab2562c53c7ddaff747bb99d6e78836f69d38`
SHA256	`3ebc44d17ebfdd4d18d2d2955c7a5a087d029a7da8896072637592128b219458`
SHA3	`ed97315337616f03996bd15d6f8ecd94e2751f058021e8e80d43a45beb31885d`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x15a`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.79597`
MD5	`24d3b502e1846356b0263f945ddd5529`
SHA1	`bac45b86a9c48fc3756a46809c101570d349737d`
SHA256	`49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e`
SHA3	`1244ed60820da52dc4b53880ec48e3b587dbdbd9545f01fa2b1c0fcfea1d5e9e`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	6.0.314.1540
ProductVersion	6.0.314.1540
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_UNKNOWN`
Language	English - United States
FileDescription	Tanium
InternalName	Tanium
FileVersion (#2)	6.0.314.1540
LegalCopyright	Copyright (C) Tanium Inc. 2009-2016
ProductName	Tanium
ProductVersion (#2)	6.0.314.1540

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2016-Aug-22 18:55:10
Version	`0.0`
SizeofData	`137`
AddressOfRawData	`0x40e750`
PointerToRawData	`0x40d750`
Referenced File	C:\Jenkins\workspace\Release6.0_Build\Platform\vs2008\out\release-6.0\Tanium_x86\RelWithDebInfo\TaniumSender.pdb

TLS Callbacks

StartAddressOfRawData	`0x8a7000`
EndAddressOfRawData	`0x8a7001`
AddressOfIndex	`0x8a47b8`
AddressOfCallbacks	`0x7d847c`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_TYPE_REG`
Callbacks	`0x0075D9D0`

Load Configuration

Size	`0x48`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x887d90`
SEHandlerTable	`0x81a2c0`
SEHandlerCount	`3980`

RICH Header

XOR Key	`0x3af6c99a`
Unmarked objects	`0`
150 (20413)	`6`
ASM objects (VS2008 SP1 build 30729)	`57`
C++ objects (VS2008 build 21022)	`19`
Imports (VS2008 SP1 build 30729)	`2`
C objects (VS2008 SP1 build 30729)	`219`
C objects (VS2012 build 50727 / VS2005 build 50727)	`5`
Imports (VS2012 build 50727 / VS2005 build 50727)	`17`
Total imports	`324`
C++ objects (VS2008 SP1 build 30729)	`566`
Linker (VS2008 build 21022)	`1`
151	`1`
Resource objects (VS2008 SP1 build 30729)	`1`

2c4dfe04c9036899337fe58e9a092f39

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.tls

.rsrc

.reloc

Imports

Delayed Imports

1

1 (#2)

1 (#3)

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

TLS Callbacks

Load Configuration

RICH Header

Errors