605475ca2c0788009daea80d9fdb2e5d

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2009-Jul-14 01:04:53
Detected languages English - United States
Debug artifacts dhcpcsvc.pdb
CompanyName Microsoft Corporation
FileDescription DHCP Client Service
FileVersion 6.1.7600.16385 (win7_rtm.090713-1255)
InternalName dhcpcsvc.dll
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename dhcpcsvc.dll
ProductName Microsoft® Windows® Operating System
ProductVersion 6.1.7600.16385

Plugin Output

Suspicious Strings found in the binary may indicate undesirable behavior: May have dropper capabilities:
  • CurrentControlSet\Services
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • LoadLibraryExA
  • GetProcAddress
Can access the registry:
  • RegCloseKey
  • RegOpenKeyExW
  • RegDeleteValueW
  • RegSetValueExW
  • RegCreateKeyExW
  • RegDeleteKeyExW
  • RegEnumKeyExW
  • RegQueryValueExW
Uses Windows's Native API:
  • NtDeviceIoControlFile
  • NtCreateFile
  • NtClose
  • NtOpenProcessToken
  • ntohl
  • ntohs
Leverages the raw socket API to access the Internet:
  • ntohl
  • ntohs
  • inet_ntoa
Interacts with services:
  • OpenServiceW
  • OpenSCManagerW
Suspicious VirusTotal score: 1/66 (Scanned on 2021-05-30 05:15:39) CrowdStrike: win/malicious_confidence_60% (W)

Hashes

MD5 605475ca2c0788009daea80d9fdb2e5d
SHA1 3bbc9aa6e9e352a2b5434119dcbcc67e6e052a22
SHA256 62693792b73980bd1401c43d00ece93dea6e54eb9c47d9f1188563ff133e6745
SHA3 dec5f31028e5d243bc912d2994876605dc0e2c279a20a9e08bab8d5c69171c06
SSDeep 384:4Yacgp39dx40YMSYTr6m7/a8IC48rofv1jawOucZlK/wCBKsPMEFPLQMwwYayW0:6V20YMtDIEcfNjsuWK/wCtPtQCS
Imports Hash e92b1040e1613d58bdf883d9189cee20

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 4
TimeDateStamp 2009-Jul-14 01:04:53
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 9.1
SizeOfCode 0xd400
SizeOfInitializedData 0x1800
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00003271 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0xf000
ImageBase 0x71fb0000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.1
ImageVersion 6.1
SubsystemVersion 6.1
Win32VersionValue 0
SizeOfImage 0x12000
SizeOfHeaders 0x600
Checksum 0x1b476
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SizeofStackReserve 0x40000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 83f3671c8032f14c2824d3da5ddcbe6b
SHA1 95185a4d58f325df4a5915d4ef4fdf1c1c70234f
SHA256 63d1fe134f805fb3ec9b90e07477a52c1a6a8cac36a202d0dc9a939b8be83d2d
SHA3 634fd0236e605fec8a5429e37ca7be5c85da27da9944bd60bc9b5d567e11dd6f
VirtualSize 0xd241
VirtualAddress 0x1000
SizeOfRawData 0xd400
PointerToRawData 0x600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 3.06816

.data

MD5 06b042f54d9d97cc38ac2d84b6dcb05a
SHA1 fb9b3d5f0d053dfd72414238d83c68f6044ad1a1
SHA256 08d49e2926a9e909a5f775190f97eedb7ef0252fc42534dcb4bf4b30bbe957f3
SHA3 8d4b0696ac101386b2ac32ccb307e9e34ff2714846679277c6d2a0a662d1650c
VirtualSize 0x5a8
VirtualAddress 0xf000
SizeOfRawData 0x600
PointerToRawData 0xda00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 1.27533

.rsrc

MD5 94165642214fc49a557d307aa1bf6053
SHA1 a540a64e65a744478401009ef12ce123dc0e81de
SHA256 9449b01c8ba2caf2b1430075bcb9679812176f060464a85d77a838e8310ccd86
SHA3 4af55d567f9c393a8e9d25006511f17b956ab202d92c780c6cda4b74c0f93d4c
VirtualSize 0x510
VirtualAddress 0x10000
SizeOfRawData 0x600
PointerToRawData 0xe000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 2.97221

.reloc

MD5 d2a70550489de356a2cd6bfc40711204
SHA1 02ec1f60b2e76741dd9848ac432057ff9d58d750
SHA256 e80232b4d18d0bb7e794be263ba937626f383f9917d4b8a737ba893a8f752293
SHA3 a2012e2d38b8ac152ac1bcc76bafda877e10eb11d69e0f68f5a697004bfc99e1
VirtualSize 0xa38
VirtualAddress 0x11000
SizeOfRawData 0xc00
PointerToRawData 0xe600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 0

Imports

msvcrt.dll
  • memset
  • memcpy_s
  • _vsnprintf
  • _vsnwprintf
  • wcsncmp
  • _XcptFilter
  • malloc
  • free
  • _initterm
  • memcpy
  • _except_handler4_common
  • _amsg_exit
  • wcschr
  • wcsrchr
  • wcstombs
ntdll.dll
  • NlsMbOemCodePageTag
  • RtlInitUnicodeString
  • RtlGUIDFromString
  • RtlOemStringToUnicodeString
  • EtwTraceMessage
  • RtlxOemStringToUnicodeSize
  • NtDeviceIoControlFile
  • NtCreateFile
  • RtlDeleteSecurityObject
  • RtlCopySid
  • RtlLengthSid
  • RtlSetSaclSecurityDescriptor
  • RtlSetDaclSecurityDescriptor
  • RtlSetGroupSecurityDescriptor
  • RtlSetOwnerSecurityDescriptor
  • RtlCreateSecurityDescriptor
  • RtlAddAce
  • RtlCreateAcl
  • NtClose
  • RtlNewSecurityObject
  • NtOpenProcessToken
  • RtlFreeUnicodeString
  • RtlNtStatusToDosError
  • RtlStringFromGUID
  • EtwGetTraceEnableFlags
  • EtwGetTraceEnableLevel
  • EtwGetTraceLoggerHandle
  • EtwRegisterTraceGuidsW
  • EtwUnregisterTraceGuids
  • RtlInitString
RPCRT4.dll
  • RpcStringBindingComposeW
  • RpcBindingFromStringBindingW
  • RpcStringFreeW
  • RpcBindingSetOption
  • RpcBindingSetAuthInfoW
  • NdrClientCall2
  • RpcBindingFree
WS2_32.dll
  • ntohl
  • ntohs
  • inet_ntoa
NSI.dll
  • NsiGetAllParametersEx
API-MS-Win-Core-ErrorHandling-L1-1-0.dll
  • GetLastError
  • SetUnhandledExceptionFilter
  • UnhandledExceptionFilter
  • SetLastError
API-MS-Win-Core-File-L1-1-0.dll
  • CreateFileW
API-MS-Win-Core-Handle-L1-1-0.dll
  • CloseHandle
API-MS-Win-Core-Heap-L1-1-0.dll
  • HeapFree
  • HeapAlloc
  • GetProcessHeap
API-MS-Win-Core-Interlocked-L1-1-0.dll
  • InterlockedIncrement
  • InterlockedExchange
  • InterlockedCompareExchange
API-MS-Win-Core-IO-L1-1-0.dll
  • DeviceIoControl
API-MS-Win-Core-LibraryLoader-L1-1-0.dll
  • LoadLibraryExA
  • FreeLibrary
  • GetProcAddress
  • DisableThreadLibraryCalls
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
  • RegCloseKey
  • RegOpenKeyExW
  • RegDeleteValueW
  • RegSetValueExW
  • RegCreateKeyExW
  • RegDeleteKeyExW
  • RegEnumKeyExW
  • RegQueryValueExW
API-MS-Win-Core-Misc-L1-1-0.dll
  • LocalAlloc
  • Sleep
  • LocalFree
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
  • TerminateProcess
  • GetCurrentProcess
  • GetCurrentThreadId
  • GetCurrentProcessId
API-MS-Win-Core-Profile-L1-1-0.dll
  • QueryPerformanceCounter
API-MS-Win-Core-Synch-L1-1-0.dll
  • CreateEventW
  • InitializeCriticalSectionAndSpinCount
  • OpenEventW
  • CreateEventA
  • DeleteCriticalSection
  • InitializeCriticalSection
API-MS-Win-Core-SysInfo-L1-1-0.dll
  • GetTickCount
  • GetSystemTimeAsFileTime
API-MS-Win-Security-Base-L1-1-0.dll
  • GetLengthSid
  • FreeSid
  • InitializeAcl
  • AddAccessAllowedAce
  • InitializeSecurityDescriptor
  • SetSecurityDescriptorDacl
  • AllocateAndInitializeSid
API-MS-WIN-Service-Management-L1-1-0.dll
  • CloseServiceHandle
  • StartServiceW
  • OpenServiceW
  • OpenSCManagerW
API-MS-Win-Core-DelayLoad-L1-1-0.dll
  • DelayLoadFailureHook
IPHLPAPI.DLL (delay-loaded)
  • ConvertInterfaceNameToLuidW
  • ConvertInterfaceGuidToLuid

Delayed Imports

Attributes 0x1
Name IPHLPAPI.DLL
ModuleHandle 0xf1e0
DelayImportAddressTable 0xf000
DelayImportNameTable 0xd300
BoundDelayImportTable 0
UnloadDelayImportTable 0
TimeStamp 1970-Jan-01 00:00:00

Exports

DhcpAcquireParameters

Ordinal 1
Address 0x46f4

DhcpAcquireParametersByBroadcast

Ordinal 2
Address 0x6099

DhcpCApiCleanup

Ordinal 3
Address 0x7239

DhcpCApiInitialize

Ordinal 4
Address 0x721c

DhcpClient_Generalize

Ordinal 5
Address 0x7b81

DhcpDeRegisterConnectionStateNotification

Ordinal 6
Address 0x7901

DhcpDeRegisterOptions

Ordinal 7
Address 0x720c

DhcpDeRegisterParamChange

Ordinal 8
Address 0x7241

DhcpDelPersistentRequestParams

Ordinal 9
Address 0xa5a8

DhcpEnableDhcp

Ordinal 10
Address 0x6651

DhcpEnableTracing

Ordinal 11
Address 0x7ae9

DhcpEnumClasses

Ordinal 12
Address 0xac62

DhcpEnumInterfaces

Ordinal 13
Address 0x9366

DhcpFallbackRefreshParams

Ordinal 14
Address 0x62f9

DhcpFreeEnumeratedInterfaces

Ordinal 15
Address 0x7421

DhcpFreeLeaseInfo

Ordinal 16
Address 0x3007

DhcpFreeMem

Ordinal 17
Address 0x3e82

DhcpGetClassId

Ordinal 18
Address 0x7445

DhcpGetClientId

Ordinal 19
Address 0x7589

DhcpGetDhcpServicedConnections

Ordinal 20
Address 0x3ec6

DhcpGetFallbackParams

Ordinal 21
Address 0x7829

DhcpGetNotificationStatus

Ordinal 22
Address 0x4129

DhcpGetOriginalSubnetMask

Ordinal 23
Address 0x7349

DhcpGetTraceArray

Ordinal 24
Address 0x79e1

DhcpGlobalIsShuttingDown

Ordinal 25
Address 0xf1e4

DhcpGlobalServiceSyncEvent

Ordinal 26
Address 0xf1e8

DhcpGlobalTerminateEvent

Ordinal 27
Address 0xf1ec

DhcpHandlePnPEvent

Ordinal 28
Address 0xadf9

DhcpIsEnabled

Ordinal 29
Address 0x1b2d

DhcpLeaseIpAddress

Ordinal 30
Address 0x7ee9

DhcpLeaseIpAddressEx

Ordinal 31
Address 0x7c4d

DhcpNotifyConfigChange

Ordinal 32
Address 0xb132

DhcpNotifyConfigChangeEx

Ordinal 33
Address 0xafe6

DhcpNotifyMediaReconnected

Ordinal 34
Address 0x61c9

DhcpOpenGlobalEvent

Ordinal 35
Address 0xb15c

DhcpPersistentRequestParams

Ordinal 36
Address 0xa55f

DhcpQueryLeaseInfo

Ordinal 37
Address 0x306b

DhcpQueryLeaseInfoEx

Ordinal 38
Address 0x3dce

DhcpRegisterConnectionStateNotification

Ordinal 39
Address 0x4975

DhcpRegisterOptions

Ordinal 40
Address 0xa875

DhcpRegisterParamChange

Ordinal 41
Address 0xaaca

DhcpReleaseIpAddressLease

Ordinal 42
Address 0x8441

DhcpReleaseIpAddressLeaseEx

Ordinal 43
Address 0x81cf

DhcpReleaseParameters

Ordinal 44
Address 0x6429

DhcpRemoveDNSRegistrations

Ordinal 45
Address 0x7257

DhcpRenewIpAddressLease

Ordinal 46
Address 0x81a9

DhcpRenewIpAddressLeaseEx

Ordinal 47
Address 0x7f15

DhcpRequestCachedParams

Ordinal 48
Address 0x42a5

DhcpRequestOptions

Ordinal 49
Address 0x6901

DhcpRequestParams

Ordinal 50
Address 0x3a5c

DhcpSetClassId

Ordinal 51
Address 0x9451

DhcpSetClientId

Ordinal 52
Address 0x95e1

DhcpSetFallbackParams

Ordinal 53
Address 0x76c1

DhcpSetMSFTVendorSpecificOptions

Ordinal 54
Address 0x447c

DhcpStaticRefreshParams

Ordinal 55
Address 0x68e9

DhcpUndoRequestParams

Ordinal 56
Address 0xaa9b

Dhcpv4CheckServerAvailability

Ordinal 57
Address 0x5fa0

Dhcpv4EnableDhcpEx

Ordinal 58
Address 0x8f89

McastApiCleanup

Ordinal 59
Address 0x857d

McastApiStartup

Ordinal 60
Address 0x8461

McastEnumerateScopes

Ordinal 61
Address 0x8631

McastGenUID

Ordinal 62
Address 0x8809

McastReleaseAddress

Ordinal 63
Address 0x8de9

McastRenewAddress

Ordinal 64
Address 0x8b99

McastRequestAddress

Ordinal 65
Address 0x8939

Resources

1

Type MUI
Language English - United States
Codepage UNKNOWN
Size 0xc8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.66306
MD5 e4cf259016307dd2f363f970943c5038
SHA1 60b99e1546961a9e98f43d408e21c425d95d6070
SHA256 ce7ad41bf0a239811888462c4bd61bdf7e1a09bc151e129405d1d7e4fed95130
SHA3 d37ecd9278044846b2a1a2a7329be7e8e10db62668f037c339f8ba5069b87c23

1 (#2)

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x394
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.57154
MD5 e549a22667b53c600ebd22c990418710
SHA1 6d852359f1536393707d08db7a9e4cbe637acc14
SHA256 73acb57a00e740600e68b669a30e38e1b070d6e216b346b9455c908bef7c8bd7
SHA3 859125e031dbaa9e394ed38042f321f4e8c9dbd01daaa3643fafaf6a08e1a6a3

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 6.1.7600.16385
ProductVersion 6.1.7600.16385
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_DLL
Language English - United States
CompanyName Microsoft Corporation
FileDescription DHCP Client Service
FileVersion (#2) 6.1.7600.16385 (win7_rtm.090713-1255)
InternalName dhcpcsvc.dll
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename dhcpcsvc.dll
ProductName Microsoft® Windows® Operating System
ProductVersion (#2) 6.1.7600.16385
Resource LangID English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2009-Jul-13 23:12:06
Version 0.0
SizeofData 37
AddressOfRawData 0xe21c
PointerToRawData 0xd81c
Referenced File dhcpcsvc.pdb

IMAGE_DEBUG_TYPE_RESERVED

Characteristics 0
TimeDateStamp 2009-Jul-13 23:12:06
Version 565.6526
SizeofData 4
AddressOfRawData 0xe218
PointerToRawData 0xd818

TLS Callbacks

Load Configuration

Size 0x48
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x71fbf05c
SEHandlerTable 0x71fb5640
SEHandlerCount 1

RICH Header

XOR Key 0x8ec3030e
Unmarked objects 0
C++ objects (VS2008 SP1 build 30729) 2
ASM objects (VS2008 SP1 build 30729) 3
Total imports 133
Imports (VS2008 SP1 build 30729) 47
Exports (VS2008 SP1 build 30729) 1
C objects (VS2008 SP1 build 30729) 30
Linker (VS2008 SP1 build 30729) 1
Resource objects (VS2008 SP1 build 30729) 1

Errors
