Manalyze report for 933581dcb7b289d61b63f08544540ba5

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2015-Jul-05 22:39:24
Detected languages	English - United States
Debug artifacts	taskhostw.pdb
CompanyName	Microsoft Corporation
FileDescription	Host Process for Windows Tasks
FileVersion	`10.0.19041.4474 (WinBuild.160101.0800)`
InternalName	taskhostw.exe
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	taskhostw.exe
ProductName	Microsoft® Windows® Operating System
ProductVersion	`10.0.19041.4474`

Plugin Output

Info	The PE contains common functions which appear in legitimate applications.	`Can access the registry: RegGetValueW`
Info	The PE is digitally signed.	`Signer: Microsoft Windows` `Issuer: Microsoft Windows Production PCA 2011`
Safe	VirusTotal score: 0/71 (Scanned on 2025-04-02 07:22:57)	`All the AVs think this file is safe.`

Hashes

MD5	`933581dcb7b289d61b63f08544540ba5`
SHA1	`f45c326eb377ab9667e0d0d3ec72c4417dbb2286`
SHA256	`1c7b7e7026ef8307bf33afdadf1d49e7c1ee4c829260b4f6988185d22d7bcc3a`
SHA3	`a2de2bf29195d8ea3812e466725cf045f1bab8bfd5f673609c95686ec76f09c6`
SSDeep	`1536:C1Z+Sw2Dm9RPqcpHyxlLfE3sW8xPvNItN+ZfF7rg3K//HN6wLPJz3:QwSnEqcJyxlLfE3sRPOtN+Zf5g3Knt5V`
Imports Hash	`8006ffd4b6f0520d9f9a3753e9e6acc5`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`7`
TimeDateStamp	2015-Jul-05 22:39:24
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`14.0`
SizeOfCode	`0xaa00`
SizeOfInitializedData	`0xae00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000000000005BF0 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`A.0`
ImageVersion	`A.0`
SubsystemVersion	`A.0`
Win32VersionValue	`0`
SizeOfImage	`0x1a000`
SizeOfHeaders	`0x400`
Checksum	`0x1c004`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_GUARD_CF` `IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x80000`
SizeofStackCommit	`0x8000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`936cad05af86f33721b4e08012487b37`
SHA1	`2589b76fb0d4538f6e8ecab189a376315100fb1a`
SHA256	`0d6a0d9ced02c135e8f23c3e9aa01a95e93ce361665f1fbba2a41b744617f36e`
SHA3	`be45b8a7fe8f0e92caa25383a10cc9a7359f72abaf5e30595632f747565c223c`
VirtualSize	`0xa987`
VirtualAddress	`0x1000`
SizeOfRawData	`0xaa00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.98083`

.rdata

MD5	`798341d22ac8f778f00f58937057d33d`
SHA1	`7e97a6c4865a9f9375048f1d75335914fc8a9e34`
SHA256	`dec6bd441a22b8cbdbaff95d92c94d2dd5e874367be9628efd581bfcfab21c97`
SHA3	`07d8742199860eb43e5be578ecfc5d11100a4effb2832f9fe12a5b06ab1e5b42`
VirtualSize	`0x831c`
VirtualAddress	`0xc000`
SizeOfRawData	`0x8400`
PointerToRawData	`0xae00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.95965`

.data

MD5	`a92ce2a13fa8ddef43643b378d60177f`
SHA1	`62f78cdc9b5204c25b77adfceef3e11f433be7b4`
SHA256	`71f29720ea1097c9cdac7bfd554af94017d17deb9cc86407695de72b560979ea`
SHA3	`13e44033cf5bd7d2b7cebba5bc38deab065523eb2bc41bab3ac1353c5ebc589b`
VirtualSize	`0x9c8`
VirtualAddress	`0x15000`
SizeOfRawData	`0x400`
PointerToRawData	`0x13200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.19748`

.pdata

MD5	`0928f8f4bf30248851037b11ce0797bf`
SHA1	`97d67fc62174e555d648d9f263166b58a9e7c78f`
SHA256	`292943d3f25151cbbcce24c23d2fb569d059b31f69deecdfe0f31f9b18ad7523`
SHA3	`8f905f559784954b496d18d5123f20f9415974c4bb5914fad126cce79c82016c`
VirtualSize	`0xfe4`
VirtualAddress	`0x16000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x13600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.93323`

.didat

MD5	`5d15aa0f82f18982934ecf03def25a3a`
SHA1	`bde286fb4d3123dfe7a49d7a5004ea0cc5a48675`
SHA256	`a77e93b677737c01581766af5db6dbce26d4bc53d92da82301de7571c8a49b8b`
SHA3	`41da0e41bfba8a8334f7391c38a3a3a91b17509c75a8745f4742e826ac7508fd`
VirtualSize	`0xc8`
VirtualAddress	`0x17000`
SizeOfRawData	`0x200`
PointerToRawData	`0x14600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`1.07508`

.rsrc

MD5	`0757845b790c7d17650b579b4d65b6e5`
SHA1	`a547eb65e70f03ec12b4409045bdef0bf836bbe4`
SHA256	`17bbdb476c0509d05b38a9540544b6844912682993dfa2555c285ed6d88d4488`
SHA3	`32d954b89f939edba574255d4b9d7db17e2dd11e598eea31370b408cb4ee9fd8`
VirtualSize	`0x8d0`
VirtualAddress	`0x18000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x14800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.1588`

.reloc

MD5	`9830aaddd6793a0bda5944da8275e7aa`
SHA1	`3d70e2c91cdf21a8ac9d66ac85f784f5aa01ad0b`
SHA256	`2849e86ea087f19ee9cdd4b182b86abb44f9962f1abc5d97050ddedc5fb99042`
SHA3	`0b88f432561f5faebc5abae4d3c8810fb82ddd6cdd8102aff3eb39a2dbea8817`
VirtualSize	`0x2fc`
VirtualAddress	`0x19000`
SizeOfRawData	`0x400`
PointerToRawData	`0x15200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`4.57942`

Imports

msvcrt.dll	`_callnewh` `_purecall` `calloc` `wcsstr` `??0exception@@QEAA@AEBQEBD@Z` `memmove_s` `??0exception@@QEAA@AEBQEBDH@Z` `memcpy_s` `_XcptFilter` `free` `??0exception@@QEAA@AEBV0@@Z` `_onexit` `__dllonexit` `_unlock` `_lock` `?terminate@@YAXXZ` `_commode` `malloc` `_fmode` `_wcmdln` `__C_specific_handler` `_initterm` `__setusermatherr` `_cexit` `??1type_info@@UEAA@XZ` `_exit` `__CxxFrameHandler3` `??3@YAXPEAX@Z` `exit` `__set_app_type` `__wgetmainargs` `memmove` `memcpy` `_CxxThrowException` `_amsg_exit` `?what@exception@@UEBAPEBDXZ` `??1exception@@UEAA@XZ` `memset`
api-ms-win-core-heap-l1-1-0.dll	`HeapFree` `GetProcessHeap` `HeapSize` `HeapAlloc` `HeapDestroy` `HeapReAlloc`
api-ms-win-eventing-classicprovider-l1-1-0.dll	`RegisterTraceGuidsW` `TraceMessage` `GetTraceEnableLevel` `GetTraceLoggerHandle` `GetTraceEnableFlags` `UnregisterTraceGuids`
api-ms-win-eventing-provider-l1-1-0.dll	`EventRegister` `EventSetInformation`
api-ms-win-core-errorhandling-l1-1-0.dll	`SetUnhandledExceptionFilter` `GetLastError` `UnhandledExceptionFilter`
api-ms-win-core-synch-l1-2-0.dll	`Sleep`
api-ms-win-core-processthreads-l1-1-0.dll	`SetProcessShutdownParameters` `TerminateProcess` `GetCurrentProcess` `GetCurrentProcessId` `GetExitCodeThread` `GetThreadPriority` `SetThreadPriority` `CreateThread` `GetStartupInfoW` `GetCurrentThread` `GetCurrentThreadId`
api-ms-win-core-libraryloader-l1-2-0.dll	`GetModuleHandleW` `LoadStringW`
api-ms-win-core-profile-l1-1-0.dll	`QueryPerformanceCounter`
api-ms-win-core-sysinfo-l1-1-0.dll	`GetTickCount` `GetSystemTimeAsFileTime`
api-ms-win-core-rtlsupport-l1-1-0.dll	`RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind`
api-ms-win-core-apiquery-l1-1-0.dll	`ApiSetQueryApiSetPresence`
RPCRT4.dll	`Ndr64AsyncClientCall` `NdrClientCall3` `RpcAsyncCancelCall` `RpcAsyncInitializeHandle` `RpcStringFreeW` `RpcBindingSetAuthInfoExW` `RpcAsyncCompleteCall` `RpcStringBindingComposeW` `RpcBindingFromStringBindingW` `RpcBindingFree`
api-ms-win-core-com-l1-1-0.dll	`CoUninitialize` `CoEnableCallCancellation` `CoInitializeEx` `CoDisableCallCancellation` `CoCancelCall` `CoCreateInstance` `CoInitializeSecurity`
api-ms-win-security-base-l1-1-0.dll	`SetSecurityDescriptorGroup` `GetSecurityDescriptorGroup` `GetSidLengthRequired` `SetSecurityDescriptorOwner` `GetSecurityDescriptorOwner` `InitializeSid` `GetSidSubAuthority` `CopySid` `FreeSid` `GetAclInformation` `CreateWellKnownSid` `InitializeSecurityDescriptor` `MakeAbsoluteSD` `GetSecurityDescriptorControl` `AllocateAndInitializeSid` `GetSecurityDescriptorSacl` `SetSecurityDescriptorDacl` `AddAce` `InitializeAcl` `GetLengthSid` `IsValidSid` `GetSecurityDescriptorDacl`
api-ms-win-core-synch-l1-1-0.dll	`ResetEvent` `CreateEventW` `DeleteCriticalSection` `InitializeCriticalSection` `EnterCriticalSection` `LeaveCriticalSection` `SetEvent` `WaitForSingleObject` `ReleaseSRWLockExclusive` `AcquireSRWLockExclusive` `InitializeSRWLock`
api-ms-win-core-handle-l1-1-0.dll	`CloseHandle`
api-ms-win-core-debug-l1-1-0.dll	`IsDebuggerPresent`
api-ms-win-core-registry-l1-1-0.dll	`RegGetValueW`
OLEAUT32.dll	`SysFreeString` `SysAllocString`
api-ms-win-core-delayload-l1-1-1.dll	`ResolveDelayLoadedAPI`
api-ms-win-core-delayload-l1-1-0.dll	`DelayLoadFailureHook`
api-ms-win-core-heap-l2-1-0.dll	`LocalFree`
api-ms-win-core-threadpool-legacy-l1-1-0.dll	`CreateTimerQueueTimer` `DeleteTimerQueueTimer`
ntdll.dll	`EtwTraceMessage` `NtSetInformationProcess` `RtlUnhandledExceptionFilter` `RtlIsMultiSessionSku` `DbgPrintEx`
ext-ms-win-ntuser-message-l1-1-0.dll (delay-loaded)	`PostQuitMessage` `TranslateMessage` `PeekMessageW` `DispatchMessageW` `PostMessageW`

Delayed Imports

Attributes	`0x1`
Name	`ext-ms-win-ntuser-message-l1-1-0.dll`
ModuleHandle	`0x157c0`
DelayImportAddressTable	`0x17010`
DelayImportNameTable	`0x12b00`
BoundDelayImportTable	`0x12d28`
UnloadDelayImportTable	`0`
TimeStamp	`1970-Jan-01 00:00:00`

1

Type	`MUI`
Language	English - United States
Codepage	UNKNOWN
Size	`0xc8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.68946`
MD5	`2eee07ed2b7302cb9cee651ad7ba18a9`
SHA1	`e5776b3ffb244d12b3bb1a2757925aa90e4aa053`
SHA256	`0cc7c2d44d52f00ec65424a8c944e8d71ddc5d728cea7613708136d1a154f3e1`
SHA3	`94f9adc5fabaabc9d65e8cf043948170ffc4d97a830a172dbecc4c47de905d1e`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x3b4`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.50903`
MD5	`1f14026dea973eb10391c5540e5948f9`
SHA1	`ee448efe7914f42db1fbe3ebe5f0342048740544`
SHA256	`8f120f92c60dafcc106acba6502227252ef86c9a67dd9032d5b4cd4b1026a51e`
SHA3	`7989c90d4c330ee09785e3debf01b781d91bddb2d196a5584c0d25a50480b114`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x35b`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.06979`
MD5	`87ccd15ab26010fd0c5d46605a0f3e50`
SHA1	`5efddc13df0e4d36b357405cbeb9268169672e85`
SHA256	`d26856efefb2e073e3c7a22b3a57433bc1bfd51e4444846def989a654beea52f`
SHA3	`c6c55864106bb88cb769a98d3f8f90b15c7e332545f72fcaeddcb5005297fc63`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	10.0.19041.4474
ProductVersion	10.0.19041.4474
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Microsoft Corporation
FileDescription	Host Process for Windows Tasks
FileVersion (#2)	10.0.19041.4474 (WinBuild.160101.0800)
InternalName	taskhostw.exe
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	taskhostw.exe
ProductName	Microsoft® Windows® Operating System
ProductVersion (#2)	10.0.19041.4474

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2015-Jul-05 22:39:24
Version	`0.0`
SizeofData	`38`
AddressOfRawData	`0x102e8`
PointerToRawData	`0xf0e8`
Referenced File	taskhostw.pdb

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2015-Jul-05 22:39:24
Version	`0.0`
SizeofData	`1216`
AddressOfRawData	`0x10310`
PointerToRawData	`0xf110`

UNKNOWN

Characteristics	`0`
TimeDateStamp	2015-Jul-05 22:39:24
Version	`0.0`
SizeofData	`36`
AddressOfRawData	`0x107d0`
PointerToRawData	`0xf5d0`

TLS Callbacks

Load Configuration

Size	`0x118`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x1400151f8`
GuardCFCheckFunctionPointer	`5368764464`
GuardCFDispatchFunctionPointer	`0`
GuardCFFunctionTable	`0`
GuardCFFunctionCount	`0`
GuardFlags	`(EMPTY)`
CodeIntegrity.Flags	`0`
CodeIntegrity.Catalog	`0`
CodeIntegrity.CatalogOffset	`0`
CodeIntegrity.Reserved	`0`
GuardAddressTakenIatEntryTable	`0`
GuardAddressTakenIatEntryCount	`0`
GuardLongJumpTargetTable	`0`
GuardLongJumpTargetCount	`0`

RICH Header

XOR Key	`0xad75c746`
Unmarked objects	`0`
Imports (VS2008 SP1 build 30729)	`60`
ASM objects (27412)	`2`
C objects (27412)	`24`
Total imports	`188`
Imports (27412)	`5`
C++ objects (27412)	`7`
C objects (POGO O) (27412)	`17`
Resource objects (27412)	`1`
Linker (27412)	`1`

933581dcb7b289d61b63f08544540ba5

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

.didat

.rsrc

.reloc

Imports

Delayed Imports

1

1 (#2)

1 (#3)

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

IMAGE_DEBUG_TYPE_POGO

UNKNOWN

TLS Callbacks

Load Configuration

RICH Header

Errors