74230fc4f422c50673aa391eec7d1745

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2021-Feb-09 22:00:17
Detected languages English - United States
Debug artifacts d:\build\ob\bora-17592369\bora-vmsoft\build\release-x64\svga\wddm\src\service\Win8Release\x64\bin\vm3dservice.pdb
CompanyName VMware, Inc.
FileDescription VMware SVGA Helper Service
FileVersion 8.17.02.0014
InternalName vm3dservice.exe
LegalCopyright Copyright (C) 1998-2020 VMware, Inc.
OriginalFilename vm3dservice.exe
ProductName VMware SVGA 3D
ProductVersion 8.17.02.0014 - build-17592369
Consistency check: the build number in ProductVersion (17592369) matches the one embedded in the PDB path (bora-17592369), and the COFF TimeDateStamp and the three debug-directory entries below all carry the same 2021-Feb-09 22:00:17 timestamp, which is consistent with a single vendor build.

Plugin Output

Suspicious: Strings found in the binary may indicate undesirable behavior.
Looks for VMware presence:
  • VMware
  • vmware
Miscellaneous malware strings:
  • backdoor
  Note: in VMware's own guest components "backdoor" is the vendor's name for the guest-to-hypervisor I/O channel that VMware Tools uses, so in a binary carrying this version resource the string is expected rather than incriminating on its own.
Suspicious: The PE is possibly packed. Unusual section name found: .gehcont
  Note: .gehcont is the section MSVC emits for the exception-handling continuation table (/guard:ehcont). In the section listing below it is 0x38 bytes long with entropy 0.44, which rules out a packed payload living in it; the verdict comes from a section-name allowlist that predates this section name.
Malicious: The PE contains functions mostly used by malware.
[!] The program may be hiding some of its imports:
  • LoadLibraryW
  • GetProcAddress
  • LoadLibraryExW
  Note: these three are present in nearly every MSVC-linked image because the C runtime resolves some Win32 APIs at run time; by themselves they are not evidence of hidden imports.
Can access the registry:
  • RegOpenKeyExA
  • RegCloseKey
  • RegQueryValueExA
Possibly launches other programs:
  • CreateProcessAsUserW
Can create temporary files:
  • CreateFileW
  • GetTempPathW
Functions related to the privilege level:
  • DuplicateTokenEx
  • OpenProcessToken
  Note: OpenProcessToken, DuplicateTokenEx, SetTokenInformation and CreateProcessAsUserW together with WTSGetActiveConsoleSessionId (all in the Imports section) is the standard way for a session-0 service to start a helper on the interactive user's desktop. A malicious service would use the same calls, so the API list does not settle the question; the signature check does.
Info: The PE is digitally signed. Signer: VMware
Issuer: DigiCert Assured ID Code Signing CA-1
  Check: a signer name printed by a parser is not a validated chain. Verify it independently (Get-AuthenticodeSignature .\vm3dservice.exe in PowerShell, or signtool verify /pa /v vm3dservice.exe) and compare the SHA256 in the Hashes section with the copy of vm3dservice.exe shipped in a VMware Tools package of the same build.
Suspicious: VirusTotal score: 1/69 (Scanned on 2023-03-09 21:14:45) Zillya: Trojan.GenCBL.Win32.11189
  Note: a single engine with a generic detection name; weigh it against the signature and hash check above before treating the file as malicious.
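The "possibly packed" verdict above rests on a section-name allowlist alone. The following added example, written for this page and not part of the scanner's output or of any VMware code, parses a PE section table with nothing but the Python standard library, computes each section's entropy over its raw on-disk bytes the way the report does, and then grades sections by name, size, entropy and characteristics together. It runs on a constructed PE32+ image (assembled inside the block; these are not the bytes of vm3dservice.exe) containing an ordinary .text, a 0x38-byte .gehcont like the one in this report, an unknown-named but tiny section, and an 8 KiB near-random executable section; only the last one comes out as a packer candidate. The allowlist and the thresholds (entropy above 7.0 in a section of at least 0x1000 bytes that is executable or writable) are this example's assumptions, not the scanner's.

```python
import hashlib
import math
import struct

# Section names MSVC's linker emits routinely. ".gehcont" (the /guard:ehcont exception-handling
# continuation table) and "_RDATA" both appear in this report and are both legitimate; the scanner
# that produced the report flagged .gehcont only because its own allowlist predates the name.
KNOWN_SECTIONS = {
    b".text", b".rdata", b".data", b".pdata", b".xdata", b".rsrc", b".reloc", b".tls", b".idata",
    b".edata", b".bss", b".CRT", b".didat", b".00cfg", b".gfids", b".giats", b".gehcont", b"_RDATA",
}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (one value only) to 8.0 (uniform), over the raw bytes including file padding."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table; no third-party PE library needed."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsect, _ts, _symptr, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size          # the section table follows the optional header
    sections = []
    for i in range(nsect):
        off = table + i * 40              # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "chars": chars, "entropy": shannon_entropy(raw)})
    return sections


def classify(s: dict) -> str:
    """Weigh the name heuristic against size, entropy and characteristics instead of stopping at 'unusual name'."""
    code_or_writable = s["chars"] & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE)
    if s["entropy"] > 7.0 and s["rawsize"] >= 0x1000 and code_or_writable:
        return "packer-candidate"         # large, near-random and executable/writable: worth unpacking
    if s["name"] not in KNOWN_SECTIONS:
        if s["rawsize"] <= 0x400 and s["entropy"] < 1.0:
            return "unknown-name-tiny"    # metadata-sized; no packer hides a payload in 0x200 bytes
        return "unknown-name"
    return "expected"


def triage(pe: bytes) -> dict:
    """Section name -> verdict for a whole image."""
    return {s["name"].decode("ascii", "replace"): classify(s) for s in parse_sections(pe)}


def build_test_pe(spec) -> bytes:
    """Assemble a minimal PE32+ image from (name, raw bytes, characteristics) triples.
    Constructed test input: not vm3dservice.exe, only enough of a PE for parse_sections() to walk."""
    e_lfanew, opt_size, headers_len = 0x80, 0xF0, 0x400
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, len(spec), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B).ljust(opt_size, b"\0")   # PE32+ magic, remaining fields zeroed
    table, body, rawptr, vaddr = b"", b"", headers_len, 0x1000
    for name, data, chars in spec:
        rawsize = (len(data) + 0x1FF) & ~0x1FF                # FileAlignment 0x200, as in the report
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), vaddr, rawsize,
                             rawptr, 0, 0, 0, 0, chars)
        body += data.ljust(rawsize, b"\0")
        rawptr += rawsize
        vaddr += (len(data) + 0xFFF) & ~0xFFF                  # SectionAlignment 0x1000
    return (dos + b"PE\0\0" + coff + opt + table).ljust(headers_len, b"\0") + body


# Deterministic pseudo-random payload standing in for a packed blob (chained SHA-256 output, 8 KiB).
_RANDOMISH = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))

SAMPLE_SECTIONS = [
    (b".text", b"\x48\x89\x5c\x24\x08\x48\x89\x74\x24\x10" * 200, 0x60000020),  # ordinary code
    (b".gehcont", b"\x10\x20\x00\x00" * 14, 0x40000040),   # 0x38 bytes of RVAs, like the report's
    (b".xyz", bytes(range(1, 17)), 0x40000040),            # unknown name, metadata-sized
    (b"UPX1", _RANDOMISH, 0xE0000040),                      # near-random, executable and writable
]

if __name__ == "__main__":
    for name, verdict in triage(build_test_pe(SAMPLE_SECTIONS)).items():
        print(f"{name:<10} {verdict}")
```

To run it against the real file, pass open(path, "rb").read() to triage() instead of build_test_pe(SAMPLE_SECTIONS); parse_sections() needs only the headers, the section table and the sections' raw data, so it does not depend on the image being loadable.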

Hashes

MD5 74230fc4f422c50673aa391eec7d1745
SHA1 d888da89f43b66b192a45954bd69bb6bc97289c1
SHA256 c6a06842235a221a7da11f994b1806e42a17d18dae7d1c8d476f5eb61ba66c6f
SHA3 69b97bd142aca88ed998b9af9267be25e4b8b4e3f1ac9e61c66c089f7a52c3d1
SSDeep 6144:Hl6qPDhO4c8hfjcTvAPHM5pKvwHOYPm3lBh+PnxPwFFtxUmH3LDqdSbA:zlO4c8VjXsowHOYPm3bhwnxqUobhbA
Imports Hash 9134cde8fb35f1467005b6873f88781a
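The Imports Hash above is the imphash: an MD5 over the import table's lower-cased library and function names in import-directory order. It changes when the import layout changes and not when code does, which makes it the field to pivot on when hunting for other builds of the same program. As an added example, not part of this report or of VMware's code, the block below implements that algorithm in the pefile/Mandiant form and includes a parser for this page's own flattened Imports listing (a "DLL function" line followed by bare function lines). The embedded excerpt is a constructed six-line sample drawn from the listing further down, so its hash is not expected to equal the one above; paste the complete Imports section into SAMPLE_IMPORTS to compare, bearing in mind that the comparison only holds if the listing preserves the directory's order, and that ordinal-only imports are handled more simply here than in pefile.

```python
import hashlib
import re

# A "DLL function" line opens each library in the report's flattened Imports listing; bare lines continue it.
_DLL_LINE = re.compile(r"^(\S+\.(?:dll|ocx|sys|drv|exe))\s+(\S+)$", re.IGNORECASE)


def parse_manalyze_imports(text: str) -> list:
    """Turn the listing into [(dll, [function, ...]), ...], preserving listing order."""
    libs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _DLL_LINE.match(line)
        if m:
            libs.append((m.group(1), [m.group(2)]))
        elif libs:
            libs[-1][1].append(line)
        else:
            raise ValueError(f"function without a preceding DLL line: {line!r}")
    return libs


def imphash_string(libs) -> str:
    """The string that gets hashed: comma-joined, lower-cased 'lib.func' pairs in directory order.
    Library extensions .dll/.ocx/.sys are dropped; ordinal imports become 'ordN'. Unlike pefile, this
    version does not map known ws2_32/oleaut32 ordinals back to names, so a binary importing by
    ordinal from those two DLLs would hash differently here than in pefile."""
    parts = []
    for dll, funcs in libs:
        lib = dll.lower()
        if lib.endswith((".dll", ".ocx", ".sys")):
            lib = lib.rsplit(".", 1)[0]
        for f in funcs:
            parts.append(f"{lib}.ord{f}" if isinstance(f, int) else f"{lib}.{f.lower()}")
    return ",".join(parts)


def imphash(libs) -> str:
    """MD5 of imphash_string(): the value tools such as pefile and VirusTotal report as 'imphash'."""
    return hashlib.md5(imphash_string(libs).encode("ascii")).hexdigest()


# Constructed excerpt in the report's own format, drawn from its KERNEL32 and ADVAPI32 entries.
# Paste the complete Imports section here to compare against the report's Imports Hash.
SAMPLE_IMPORTS = """\
KERNEL32.dll VerifyVersionInfoW
WTSGetActiveConsoleSessionId
FreeLibrary
ADVAPI32.dll StartServiceCtrlDispatcherW
DuplicateTokenEx
CreateProcessAsUserW
"""

REPORTED_IMPHASH = "9134cde8fb35f1467005b6873f88781a"   # the Imports Hash shown in this report


def matches_report(text: str) -> bool:
    """True only when the pasted listing reproduces the report's imphash exactly."""
    return imphash(parse_manalyze_imports(text)) == REPORTED_IMPHASH


if __name__ == "__main__":
    print(imphash(parse_manalyze_imports(SAMPLE_IMPORTS)), "matches report:", matches_report(SAMPLE_IMPORTS))
```

Because the hash covers names and order only, two builds with identical import tables share it even when every byte of code differs; conversely, a single added or reordered import produces an unrelated value, which is why the excerpt above cannot match the report.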

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x128

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 8
TimeDateStamp 2021-Feb-09 22:00:17
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0x69200
SizeOfInitializedData 0x21000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000000000006030 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x90000
SizeOfHeaders 0x400
Checksum 0x8fbb0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 6a81cb897222d87fb4e7920ed0ef6204
SHA1 df562a4ebbdf86868dfbd4bb0efe0b55467bf633
SHA256 bdc1c4b461cbce151c5e23f1662d8be4b4fc885ee8a73b18a4cb0d39a921d31d
SHA3 bcc7bc30d00eb65b28fc98e26865403f293da3d3760bf889621bb7e8cfe3e2b6
VirtualSize 0x69100
VirtualAddress 0x1000
SizeOfRawData 0x69200
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.4879

.rdata

MD5 d5dd7e412e05608a456267faa64d9511
SHA1 cdc23b47faca71e80da0a2020b63dfd8b6f60b93
SHA256 eac693317004d856060ef4512a6333246987944ad8bfd1f7ce03dac4cf4420c3
SHA3 cd0ffb1baa1a6abf93b434e6212531d1ebfe079af3ee8fd63f1f34c78a44a413
VirtualSize 0x1749a
VirtualAddress 0x6b000
SizeOfRawData 0x17600
PointerToRawData 0x69600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.42231

.data

MD5 67e572a3d344b0a861a4f336ab1e7ed4
SHA1 c7bc67fa041f1d73ae67fc871f867ce75eb15c6e
SHA256 e98787db666c8e10897b38a2cfb8772c8c75b9118bd74bdca7d50c88e4ec2056
SHA3 0b00fce090ad8042bbf5bfbc3d67ca3dea21ca11551bdab14c1a8202e3752c08
VirtualSize 0x29f8
VirtualAddress 0x83000
SizeOfRawData 0xc00
PointerToRawData 0x80c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.42835

.pdata

MD5 7f708909e1adbec1ab3dc4c48bacb77f
SHA1 448c66af6088aada652eb3ee3d8ee703faca3a44
SHA256 a5de9238e4bce6912dd2a645361b858b0df579ea7fd9476ab9d2c3027b2e356e
SHA3 33141f84e755063bc4d7b33de260aa2749ffa73f0a882e589ef80ae2c719b293
VirtualSize 0x5a18
VirtualAddress 0x86000
SizeOfRawData 0x5c00
PointerToRawData 0x81800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.80871

.gehcont

MD5 33d7c25acb43907776c903192893c295
SHA1 1acf70cf1e28f5b1d06338e9ac4082f05c294434
SHA256 5927bd4762416c6036413c0edcaa9b04d3286c195af19dfd39d6ee5ed21870ea
SHA3 e1dcd4813e094db69a585b07ca4c9d4f5406b1da14326cd02de6c5afec5f508f
VirtualSize 0x38
VirtualAddress 0x8c000
SizeOfRawData 0x200
PointerToRawData 0x87400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 0.43711

_RDATA

MD5 7870c99b52e598d3c89c8dcf719ce1df
SHA1 bd33a1071e6ef04f3a1833a5477e794c7f2210b7
SHA256 b9a1e59a278fbcdc956de5fbc0b9805a3b16755a2714d11b9c6bcab239ff37cd
SHA3 b8082e4f2064563137b03b75d66dba133dd024770d1be555728d8e01b1891a21
VirtualSize 0x100
VirtualAddress 0x8d000
SizeOfRawData 0x200
PointerToRawData 0x87600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 2.01263

.rsrc

MD5 1ed5cb981bf067510c5dd83a8cf1df06
SHA1 aaa2c722374e570b11741c5fb77c0bc2d121c5d0
SHA256 b9f35277610e90d33e1844149a5af82573e449c2ca2700ba9abdeba60c69cbde
SHA3 10062884966945312d61d3b1e5512f10f6f66e75006883c2aed9c3403a989a04
VirtualSize 0x570
VirtualAddress 0x8e000
SizeOfRawData 0x600
PointerToRawData 0x87800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 3.97299

.reloc

MD5 2e8a05bb3cebb0453ab9fdb369002a69
SHA1 7c0ed7b6f0d258711049fb3f430becc47c800608
SHA256 92b85ac09d6d40dc96cf9974a36089564a115309a0180123fe449e1afb6e14ef
SHA3 ce8e6050ed1ef36fd75387b5ba4f9ab2abd07497172acdaa1a69fc2672205b22
VirtualSize 0x810
VirtualAddress 0x8f000
SizeOfRawData 0xa00
PointerToRawData 0x87e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 4.88116

Imports

KERNEL32.dll VerifyVersionInfoW
WTSGetActiveConsoleSessionId
FreeLibrary
GetTickCount64
ProcessIdToSessionId
RtlUnwind
RtlCaptureStackBackTrace
SetEndOfFile
WriteConsoleW
HeapReAlloc
HeapSize
ReadConsoleW
ResumeThread
SetFilePointerEx
LoadLibraryW
SetConsoleCtrlHandler
GetProcessHeap
GetStringTypeW
SetStdHandle
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetCPInfo
GetOEMCP
GetACP
IsValidCodePage
FindNextFileW
GetProcAddress
GetFileSizeEx
GetModuleHandleW
GetCurrentThreadId
TerminateProcess
GetCurrentProcessId
GetCurrentProcess
GetLastError
CloseHandle
ReadFile
VerSetConditionMask
FindFirstFileExW
OutputDebugStringW
WideCharToMultiByte
MultiByteToWideChar
GetConsoleMode
GetConsoleOutputCP
FindClose
FindFirstFileA
FindNextFileA
GetLocalTime
FatalExit
RtlCaptureContext
CreateDirectoryW
CreateFileW
DeleteFileW
GetTempPathW
RaiseException
MoveFileW
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
QueryPerformanceCounter
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
RtlUnwindEx
InterlockedPushEntrySList
InterlockedFlushSList
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
EncodePointer
RtlPcToFileHeader
CreateThread
ExitThread
FreeLibraryAndExitThread
GetModuleHandleExW
GetStdHandle
WriteFile
GetModuleFileNameW
ExitProcess
GetFileType
HeapFree
HeapAlloc
GetCurrentThread
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
FlushFileBuffers
USER32.dll OpenInputDesktop
CloseDesktop
GetMessageW
SetThreadDesktop
UnhookWinEvent
SetWinEventHook
EnumDisplayDevicesW
LoadCursorW
SetRect
AdjustWindowRectEx
GetClientRect
UpdateWindow
ShowWindow
CreateWindowExW
RegisterClassExW
UnregisterClassW
PostQuitMessage
DefWindowProcW
UnregisterPowerSettingNotification
RegisterPowerSettingNotification
DispatchMessageW
TranslateMessage
EnumDisplayMonitors
RegisterWindowMessageW
GetUserObjectInformationA
GetSystemMetrics
EnumDisplaySettingsW
GetMonitorInfoW
GetThreadDesktop
GDI32.dll CreateDCW
DeleteDC
ADVAPI32.dll StartServiceCtrlDispatcherW
SetServiceStatus
RegisterServiceCtrlHandlerExA
SetTokenInformation
DuplicateTokenEx
OpenProcessToken
CreateProcessAsUserW
RegOpenKeyExA
RegCloseKey
RegQueryValueExA
SHELL32.dll SHGetFolderPathW
dwmapi.dll DwmIsCompositionEnabled
WTSAPI32.dll WTSRegisterSessionNotification
dbghelp.dll SymFunctionTableAccess64
MiniDumpWriteDump
SymSetSearchPath
SymGetSearchPath
StackWalk64
SymSetOptions
SymCleanup
SymFromAddr
SymGetModuleBase64
SymGetLineFromAddr64
SymInitialize
WINMM.dll timeGetTime

Delayed Imports

Resources

1

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x34c
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.5898
MD5 75471f016eeea9f2268d51d9f7483017
SHA1 fd405bb82c28ebf076823f6e4f37032e0ba2a4f0
SHA256 f476b4e257368eb0ed28a3c52f453c8682eac22591872faa54f674865f2cf16c
SHA3 d9c1cc3cf6329cfdb99f299cd044b95a4a2b2071ec1454fbbb623e208374cff2

1 (#2)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 8.17.2.14
ProductVersion 8.17.2.14
FileFlags VS_FF_PRIVATEBUILD
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_DRV
FileSubtype VFT2_DRV_DISPLAY
Language English - United States
CompanyName VMware, Inc.
FileDescription VMware SVGA Helper Service
FileVersion (#2) 8.17.02.0014
InternalName vm3dservice.exe
LegalCopyright Copyright (C) 1998-2020 VMware, Inc.
OriginalFilename vm3dservice.exe
ProductName VMware SVGA 3D
ProductVersion (#2) 8.17.02.0014 - build-17592369
Resource LangID English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2021-Feb-09 22:00:17
Version 0.0
SizeofData 138
AddressOfRawData 0x79fa4
PointerToRawData 0x785a4
Referenced File d:\build\ob\bora-17592369\bora-vmsoft\build\release-x64\svga\wddm\src\service\Win8Release\x64\bin\vm3dservice.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2021-Feb-09 22:00:17
Version 0.0
SizeofData 20
AddressOfRawData 0x7a030
PointerToRawData 0x78630

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2021-Feb-09 22:00:17
Version 0.0
SizeofData 804
AddressOfRawData 0x7a044
PointerToRawData 0x78644

TLS Callbacks

Load Configuration

Size 0x130
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x140083018
GuardCFCheckFunctionPointer 0x14006b548
GuardCFDispatchFunctionPointer 0
GuardCFFunctionTable 0
GuardCFFunctionCount 0
GuardFlags (EMPTY)
  Note: reported empty, with GuardCFFunctionTable and GuardCFFunctionCount at 0, although the optional header sets IMAGE_DLLCHARACTERISTICS_GUARD_CF and GuardCFCheckFunctionPointer is populated. The loader only enforces CFG when GuardFlags carries IMAGE_GUARD_CF_INSTRUMENTED, so cross-check this directory with a second parser (dumpbin /loadconfig vm3dservice.exe) before recording CFG as enabled or disabled for this build.
CodeIntegrity.Flags 0
CodeIntegrity.Catalog 0
CodeIntegrity.CatalogOffset 0
CodeIntegrity.Reserved 0
GuardAddressTakenIatEntryTable 0
GuardAddressTakenIatEntryCount 0
GuardLongJumpTargetTable 0
GuardLongJumpTargetCount 0

RICH Header

XOR Key 0xa98cb5c3
Unmarked objects 0
C objects (27412) 11
ASM objects (27412) 5
C++ objects (27412) 161
ASM objects (VS 2015/2017/2019 runtime 28920) 9
C objects (VS 2015/2017/2019 runtime 28920) 16
C++ objects (VS 2015/2017/2019 runtime 28920) 37
C++ objects (VS2015 UPD1 build 23506) 1
ASM objects (VS2017 v15.9.7-10 compiler 27027) 1
C++ objects (CVTCIL) (26213) 1
Imports (26213) 19
Total imports 160
C objects (VS2017 v15.9.7-10 compiler 27027) 8
Resource objects (VS2017 v15.9.7-10 compiler 27027) 1
151 1
Linker (VS2017 v15.9.7-10 compiler 27027) 1

Errors
