Manalyze report for 5cf44da1ae68bfa79e25d4140fcecded

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2019-May-13 05:00:00
Detected languages	English - United States
TLS Callbacks	2 callback(s) detected.
Debug artifacts	elevation_service.exe.pdb
CompanyName	Google Inc.
FileDescription	Google Chrome
FileVersion	`74.0.3729.157`
InternalName	elevation_service_exe
LegalCopyright	Copyright 2018 Google Inc. All rights reserved.
OriginalFilename	elevation_service.exe
ProductName	Google Chrome
ProductVersion	`74.0.3729.157`
CompanyShortName	Google
ProductShortName	Chrome
LastChange	7b16107ab85c5364cdcd0b2dea2539a1f2dc327a-refs/branch-heads/3729@{#998}
Official Build	1

Plugin Output

Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to MD5` `Uses constants related to SHA1` `Uses constants related to SHA256` `Uses constants related to SHA512` `Uses constants related to AES`
Suspicious	The PE is possibly packed.	`Unusual section name found: .retplne`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExA LoadLibraryExW LoadLibraryW` `Functions which can be used for anti-debugging purposes: SwitchToThread` `Can access the registry: RegCloseKey RegOpenKeyExW RegQueryValueExW` `Possibly launches other programs: CreateProcessAsUserW CreateProcessW` `Can create temporary files: CreateFileW GetTempPathW` `Memory manipulation functions often used by packers: VirtualAlloc VirtualProtect` `Enumerates local disk drives: GetDriveTypeW` `Manipulates other processes: OpenProcess`
Info	The PE is digitally signed.	`Signer: Google LLC` `Issuer: DigiCert SHA2 Assured ID Code Signing CA`
Safe	VirusTotal score: 0/68 (Scanned on 2019-05-21 07:05:31)	`All the AVs think this file is safe.`

Hashes

MD5	`5cf44da1ae68bfa79e25d4140fcecded`
SHA1	`9329a044da3b3d0a1cc859906d9bac75bacfa5a1`
SHA256	`186db1f2668aa3d0539a23c893c3a60a5c5eb6d70cd62fb89398b4b43c207e6e`
SHA3	`1f3598091d7dc232bd85b16611de7a295540249b2ec33fedff90df643c9b3ab1`
SSDeep	`24576:y9apJzDtuyhsMskQAykb8J/mdVFplslAT4b8ctu:yYpVBuyhspkQ7QkmX5slATXco`
Imports Hash	`aafed103051c0dea888b4ba38f09bc76`

DOS Header

e_magic	`MZ`
e_cblp	`0x78`
e_cp	`0x1`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0`
e_ss	`0`
e_sp	`0`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x78`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`9`
TimeDateStamp	2019-May-13 05:00:00
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0xeee00`
SizeOfInitializedData	`0x44800`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00000000000C77D0 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.2`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0x13f000`
SizeOfHeaders	`0x400`
Checksum	`0x13f7ce`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`a7942b06da55273e00e6e6dcc045e189`
SHA1	`9442a0650a883d24ff8444ed049db59225f08677`
SHA256	`ab12065e6172c05bcca45d008564b9f3b23670b7ef45d542d31af0bc215f0622`
SHA3	`2877f826bee4748e0b1cbe7d88b3e332f50da91cbc95d110f91644a016751178`
VirtualSize	`0xeec26`
VirtualAddress	`0x1000`
SizeOfRawData	`0xeee00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.57362`

.rdata

MD5	`3e69c98a6c3dc9d0dbd6da263aeb50c8`
SHA1	`75656f497e0fd6f9af1ec912978b5f63a2f4c8c0`
SHA256	`bda17eb1691dc15cb522deed46869cbacc171aa5e7b73ddd730343e3c8a4952a`
SHA3	`9d480d6c80f2a8ba47b8622355e3f224821a94a141a0c52acfda6295a37f1905`
VirtualSize	`0x33c88`
VirtualAddress	`0xf0000`
SizeOfRawData	`0x33e00`
PointerToRawData	`0xef200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.53801`

.data

MD5	`36c217ae637bb1c10622d6b4557060dc`
SHA1	`9ac20cc15f2356331e14d52a338304e57d0f6180`
SHA256	`99f12eaf3f58973ad001590f2c53ccdaecb700132a530e00c0ede83986b35b4d`
SHA3	`26ed796d9736c9db80c3724d82e8fb14d4f84058823f88d456e2eabbdb3f6f0e`
VirtualSize	`0x9520`
VirtualAddress	`0x124000`
SizeOfRawData	`0x3c00`
PointerToRawData	`0x123000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.48455`

.pdata

MD5	`acb35f8123385699f5c6bb35991770b2`
SHA1	`4884ed6fa0e8d1cdc3182f16a6d0be587ae8e10f`
SHA256	`84c42f2ee32de7155327cf1b20a49c6bc94a293283cb3b24716d74f74d8a03e1`
SHA3	`c3d85954700e5f04089f60c4b1888371280cca10a355350ee30f42ff1ac739ab`
VirtualSize	`0x9498`
VirtualAddress	`0x12e000`
SizeOfRawData	`0x9600`
PointerToRawData	`0x126c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.9187`

.00cfg

MD5	`438ec9ab79c9b985b410bef8e8971b15`
SHA1	`e43c55f03e95ba9f706921b57fa21a0cbf7327d0`
SHA256	`a295b4224d9ba9145c2923e33562fad822b90ba827ce7b175c66ff4c00600a04`
SHA3	`aff524ac34d3e1ba815ed7abbc21576a245f55e1a2c0fb7bf7a7f12d198be56d`
VirtualSize	`0x10`
VirtualAddress	`0x138000`
SizeOfRawData	`0x200`
PointerToRawData	`0x130200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`0.190489`

.retplne

MD5	`bcdee87f658a7bf4080188f07db97ca9`
SHA1	`b39e6a63392c43a2a2310b05f34539a40d08ab89`
SHA256	`cd7e321e97c97e7868f84d576463927c198cae07e3a7bfef1e7946eeae0a2de4`
SHA3	`84c1a226c0a000aaafed916616a5fee7cc655286427c324e2f74ac12ddd2eaf5`
VirtualSize	`0xc`
VirtualAddress	`0x139000`
SizeOfRawData	`0x200`
PointerToRawData	`0x130400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`(EMPTY)`
Entropy	`0.220113`

.tls

MD5	`cee49f38e4febb61d807cbf80d6a3735`
SHA1	`2a95f0b741021c2d9705b7af84b12df9da24ecdd`
SHA256	`f333cbf02061e1aeaec7bf2ec09a1e7c8184f5ce8277b142e84c0369500319dd`
SHA3	`01e4bc0abb51d2d3e550efa3cd7d11d9ffc3b43cc8b5f0a4eda3a327c920ee17`
VirtualSize	`0x19`
VirtualAddress	`0x13a000`
SizeOfRawData	`0x200`
PointerToRawData	`0x130600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.136464`

.rsrc

MD5	`780056bcfde1edb87998bec4be11c384`
SHA1	`1f575a170c28fcd942f729f57c28f2c2e89c7087`
SHA256	`605e0ed57d015665046efa304df175bd383b05f3f52f85f67f2ea920656ccb3c`
SHA3	`515727bea3be075b126b43242642ff76ccdb8389f8bed8ad59068ed083fb0459`
VirtualSize	`0x1520`
VirtualAddress	`0x13b000`
SizeOfRawData	`0x1600`
PointerToRawData	`0x130800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.48767`

.reloc

MD5	`ce8ca02d8dd70bf18d145cfce2d71c04`
SHA1	`486fc63821ae460ba23269aaffd09bc8a49eafbd`
SHA256	`a25fd186a7ef645777f3c5f0e41a61724bd56cecb4a3a8d230ac3a969a98c06e`
SHA3	`1e12a82731a922e4eafd93f11216835fa030d14289860fd81f0e64783d25cfc5`
VirtualSize	`0x1d04`
VirtualAddress	`0x13d000`
SizeOfRawData	`0x1e00`
PointerToRawData	`0x131e00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.38892`

Imports

ADVAPI32.dll	`AddAce` `CopySid` `CreateProcessAsUserW` `EventRegister` `EventUnregister` `EventWrite` `GetAclInformation` `GetLengthSid` `GetSecurityDescriptorControl` `GetSecurityDescriptorDacl` `GetSecurityDescriptorGroup` `GetSecurityDescriptorOwner` `GetSecurityDescriptorSacl` `GetSidLengthRequired` `GetSidSubAuthority` `InitializeAcl` `InitializeSecurityDescriptor` `InitializeSid` `IsValidSid` `MakeAbsoluteSD` `RegCloseKey` `RegOpenKeyExW` `RegQueryValueExW` `RegisterServiceCtrlHandlerW` `SetSecurityDescriptorDacl` `SetSecurityDescriptorGroup` `SetSecurityDescriptorOwner` `SetServiceStatus` `StartServiceCtrlDispatcherW` `SystemFunction036`
KERNEL32.dll	`AcquireSRWLockExclusive` `AcquireSRWLockShared` `AssignProcessToJobObject` `ChangeTimerQueueTimer` `CloseHandle` `CompareStringW` `CopyFileW` `CreateDirectoryW` `CreateEventW` `CreateFileW` `CreateProcessW` `CreateThread` `CreateTimerQueue` `CreateTimerQueueTimer` `DecodePointer` `DeleteCriticalSection` `DeleteFileW` `DeleteTimerQueueTimer` `DuplicateHandle` `EncodePointer` `EnterCriticalSection` `EnumSystemLocalesW` `ExitProcess` `FindClose` `FindFirstFileExW` `FindNextFileW` `FlushFileBuffers` `FormatMessageA` `FormatMessageW` `FreeEnvironmentStringsW` `FreeLibrary` `FreeLibraryAndExitThread` `GetACP` `GetCPInfo` `GetCommandLineA` `GetCommandLineW` `GetConsoleCP` `GetConsoleMode` `GetCurrentDirectoryW` `GetCurrentProcess` `GetCurrentProcessId` `GetCurrentThread` `GetCurrentThreadId` `GetDriveTypeW` `GetEnvironmentStringsW` `GetEnvironmentVariableW` `GetExitCodeProcess` `GetFileAttributesW` `GetFileSizeEx` `GetFileType` `GetFullPathNameW` `GetLastError` `GetLocalTime` `GetLocaleInfoW` `GetLogicalProcessorInformation` `GetModuleFileNameW` `GetModuleHandleA` `GetModuleHandleExW` `GetModuleHandleW` `GetNativeSystemInfo` `GetNumaHighestNodeNumber` `GetOEMCP` `GetProcAddress` `GetProcessAffinityMask` `GetProcessHeap` `GetProcessId` `GetProcessTimes` `GetStartupInfoW` `GetStdHandle` `GetStringTypeW` `GetSystemDirectoryW` `GetSystemInfo` `GetSystemTimeAsFileTime` `GetTempPathW` `GetThreadId` `GetThreadPriority` `GetThreadTimes` `GetTickCount` `GetUserDefaultLCID` `GetVersionExW` `GetWindowsDirectoryW` `HeapAlloc` `HeapCreate` `HeapDestroy` `HeapFree` `HeapReAlloc` `HeapSetInformation` `HeapSize` `InitOnceExecuteOnce` `InitializeCriticalSectionAndSpinCount` `InitializeSListHead` `InitializeSRWLock` `InterlockedFlushSList` `InterlockedPopEntrySList` `InterlockedPushEntrySList` `IsDebuggerPresent` `IsProcessorFeaturePresent` `IsValidCodePage` `IsValidLocale` `LCMapStringW` `LeaveCriticalSection` `LoadLibraryExA` `LoadLibraryExW` `LoadLibraryW` `LocalFree` `MoveFileExW` `MultiByteToWideChar` `OpenProcess` `OutputDebugStringA` `OutputDebugStringW` `QueryDepthSList` `QueryPerformanceCounter` `QueryPerformanceFrequency` `QueryThreadCycleTime` `RaiseException` `ReadConsoleW` `ReadFile` `RegisterWaitForSingleObject` `ReleaseSRWLockExclusive` `ReleaseSRWLockShared` `ReleaseSemaphore` `RemoveDirectoryW` `ResetEvent` `RtlCaptureContext` `RtlCaptureStackBackTrace` `RtlLookupFunctionEntry` `RtlPcToFileHeader` `RtlUnwind` `RtlUnwindEx` `RtlVirtualUnwind` `SetEndOfFile` `SetEnvironmentVariableW` `SetEvent` `SetFileAttributesW` `SetFilePointer` `SetFilePointerEx` `SetFileTime` `SetHandleInformation` `SetLastError` `SetStdHandle` `SetThreadAffinityMask` `SetThreadPriority` `SetUnhandledExceptionFilter` `SignalObjectAndWait` `Sleep` `SwitchToThread` `SystemTimeToFileTime` `TerminateProcess` `TlsAlloc` `TlsFree` `TlsGetValue` `TlsSetValue` `TryAcquireSRWLockExclusive` `TryEnterCriticalSection` `TzSpecificLocalTimeToSystemTime` `UnhandledExceptionFilter` `UnregisterWait` `UnregisterWaitEx` `VirtualAlloc` `VirtualFree` `VirtualProtect` `VirtualQuery` `WaitForSingleObject` `WaitForSingleObjectEx` `WideCharToMultiByte` `WriteConsoleW` `WriteFile`
ole32.dll	`CoAddRefServerProcess` `CoImpersonateClient` `CoInitializeEx` `CoInitializeSecurity` `CoRegisterClassObject` `CoReleaseServerProcess` `CoResumeClassObjects` `CoRevertToSelf` `CoRevokeClassObject` `CoTaskMemFree` `CoUninitialize` `IIDFromString`
SHELL32.dll	`CommandLineToArgvW` `SHGetFolderPathW` `SHGetKnownFolderPath`
USERENV.dll	`CreateEnvironmentBlock` `DestroyEnvironmentBlock`
USER32.dll	`AllowSetForegroundWindow`
SHLWAPI.dll	`PathMatchSpecW`
WINMM.dll	`timeGetTime`

Delayed Imports

GetHandleVerifier

Ordinal	`1`
Address	`0x2fd30`

1

Type	`TYPELIB`
Language	English - United States
Codepage	UNKNOWN
Size	`0xb78`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.90875`
MD5	`f2d17dd15de8ffdacd96324ec374ee43`
SHA1	`291291ad17835c5cba6b784cf9bc03796884ea56`
SHA256	`9f7aa5534846b8c4bcf68921152039a0544652cc4dd8d5ddfe510d2779a35f3a`
SHA3	`982b0ff4e5c50d05c651037a918fc147f383cb7f6db9a3320a6b1d6a9b91c4b0`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x478`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.55699`
MD5	`63d5327823ed16e28487d9a5cec1b0eb`
SHA1	`e7639d78284b571c0caf7ec1398c5d3247f22035`
SHA256	`d012d84d58d97925d29029fcac28a7b993721fec1ac9a866c1af8c219b226bbe`
SHA3	`1c54f5807cc1c35871cf0418852f4d79ae635bfa9833fd506af48b94d8b5ab66`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x42c`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.33361`
MD5	`fa140205692392be88038eaba9ca7910`
SHA1	`4ede0ea94437564dc9b1d1d989e3116e92a1a4dc`
SHA256	`1f4b3a5657ae0d8242461a11cb08b8adf8e46a21fb612336311fcba10faccb61`
SHA3	`c72a92379b693f109c695e4e9511e110aa78840b4f2d31bc63ef1a9ff674e88d`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	74.0.3729.157
ProductVersion	74.0.3729.157
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Google Inc.
FileDescription	Google Chrome
FileVersion (#2)	74.0.3729.157
InternalName	elevation_service_exe
LegalCopyright	Copyright 2018 Google Inc. All rights reserved.
OriginalFilename	elevation_service.exe
ProductName	Google Chrome
ProductVersion (#2)	74.0.3729.157
CompanyShortName	Google
ProductShortName	Chrome
LastChange	7b16107ab85c5364cdcd0b2dea2539a1f2dc327a-refs/branch-heads/3729@{#998}
Official Build	1

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2019-May-13 05:00:00
Version	`0.0`
SizeofData	`50`
AddressOfRawData	`0x118cf0`
PointerToRawData	`0x117ef0`
Referenced File	elevation_service.exe.pdb

TLS Callbacks

StartAddressOfRawData	`0x14013a000`
EndAddressOfRawData	`0x14013a018`
AddressOfIndex	`0x140127e00`
AddressOfCallbacks	`0x14011b5c8`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_TYPE_REG`
Callbacks	`0x0000000140068B60` `0x000000014007F270`

Load Configuration

Size	`0x100`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x140124058`
GuardCFCheckFunctionPointer	`5369987072`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

Errors

[*] Warning: 1 invalid export(s) not shown.