Manalyze report for bbf6e395ae0cd4085243250ee7de3cf3

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2009-Jul-14 01:10:28
Detected languages	English - United States
Debug artifacts	sechost.pdb
CompanyName	Microsoft Corporation
FileDescription	Host for SCM/SDDL/LSA Lookup APIs
FileVersion	`6.1.7600.16385 (win7_rtm.090713-1255)`
InternalName	sechost.dll
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	sechost.dll
ProductName	Microsoft® Windows® Operating System
ProductVersion	`6.1.7600.16385`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryExA GetProcAddress` `Functions which can be used for anti-debugging purposes: NtQueryInformationProcess` `Can access the registry: RegQueryValueExW RegOpenKeyExW RegCloseKey` `Uses Windows's Native API: NtQueueApcThread NtQueryInformationThread NtSetInformationThread NtQueryInformationProcess NtTerminateProcess` `Functions related to the privilege level: OpenProcessToken`
Suspicious	VirusTotal score: 1/67 (Scanned on 2021-06-24 05:02:03)	`CrowdStrike: win/malicious_confidence_60% (W)`

Hashes

MD5	`bbf6e395ae0cd4085243250ee7de3cf3`
SHA1	`96998c6862d84ed0d461025bb1a3140deabed671`
SHA256	`82ce3bebc14d767ad762bec563640b63c4ac11464c4d357be61471064ebd9abb`
SHA3	`8b92515733b9b7f74743a8e25d3df559c1014919f7f43fcbde0b0d07d7527819`
SSDeep	`768:9Lgn5WEh3BAksG/6ZkfYZyxOmIT50L87CFZbSdX261+fJURZkkT7LnV/CgROo:9L/eF/6ZJWOmITOLfFZGMURZkkX`
Imports Hash	`2d7b9924a0a40faecce1d64e14878e1f`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2009-Jul-14 01:10:28
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`9.1`
SizeOfCode	`0x12e00`
SizeOfInitializedData	`0x3a00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00004975 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x14000`
ImageBase	`0x75e00000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.1`
ImageVersion	`6.1`
SubsystemVersion	`6.1`
Win32VersionValue	`0`
SizeOfImage	`0x19000`
SizeOfHeaders	`0x600`
Checksum	`0x25332`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x40000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`b2b1fe29fdc18293da3ec180128e1f7d`
SHA1	`b7103f0e3397874aedd938f63c310ba9d02a2863`
SHA256	`dd2923c748931efc0064c2d1d0980a6b505b09b20375e32d632dc3e66fbdce14`
SHA3	`c24a5dda5069c825eda0bdc83f441d0d1649cfcd4470203392652d051cfd5073`
VirtualSize	`0x12c1b`
VirtualAddress	`0x1000`
SizeOfRawData	`0x12e00`
PointerToRawData	`0x600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`4.96788`

.data

MD5	`2a73d85ba1bd79b2abfd17d1ad9dc57f`
SHA1	`1036b400b193c1f1184134da46cb2da4baba699c`
SHA256	`823290667e23484976cb3646542bebc91a537b3071afb8f43ed44e79d64d99ae`
SHA3	`7c904f71d5f9a3767ed34d7d828baf5e3f84ab85e8d5e25a873e2d8ebf8d1615`
VirtualSize	`0x2324`
VirtualAddress	`0x14000`
SizeOfRawData	`0x1e00`
PointerToRawData	`0x13400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0.412203`

.rsrc

MD5	`5286f9ff8cc203ce4a1ee51473d23d66`
SHA1	`1914cba4a759dacde40ef58681d7599cd0b4ca93`
SHA256	`35e42ff9892964da5da2faba5cf804a639fc4f04de4416cf9df32858c2c54c2e`
SHA3	`87df4c74513dbe55dd9c75af35d3088e9461e89896f6100cad6da4d81e4b7214`
VirtualSize	`0x520`
VirtualAddress	`0x17000`
SizeOfRawData	`0x600`
PointerToRawData	`0x15200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.02036`

.reloc

MD5	`620f0b67a91f7f74151bc5be745b7110`
SHA1	`1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d`
SHA256	`ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7`
SHA3	`a99f9ed58079237f7f0275887f0c03a0c9d7d8de4443842297fceea67e423563`
VirtualSize	`0xed8`
VirtualAddress	`0x18000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x15800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`0`

Imports

ntdll.dll	`RtlValidSid` `RtlValidAcl` `RtlFirstFreeAce` `RtlCopySid` `RtlSubAuthoritySid` `RtlInitializeSid` `RtlSubAuthorityCountSid` `RtlLengthSid` `RtlConvertSidToUnicodeString` `RtlFreeUnicodeString` `RtlInitializeCriticalSectionEx` `RtlDeleteCriticalSection` `NtQueueApcThread` `LdrQueryModuleServiceTags` `NtQueryInformationThread` `RtlEqualSid` `RtlInitUnicodeString` `RtlCreateServiceSid` `NtSetInformationThread` `RtlRunOnceExecuteOnce` `WinSqmAddToStream` `NtQueryInformationProcess` `RtlMakeSelfRelativeSD` `RtlNtStatusToDosError` `RtlAddAuditAccessObjectAce` `RtlAddAce` `RtlAddAccessDeniedObjectAce` `RtlAddAccessAllowedAceEx` `RtlAddAccessDeniedAceEx` `RtlAddAuditAccessAceEx` `RtlAddAccessAllowedObjectAce` `RtlGetControlSecurityDescriptor` `RtlGetSaclSecurityDescriptor` `RtlGetDaclSecurityDescriptor` `RtlGetGroupSecurityDescriptor` `RtlGetOwnerSecurityDescriptor` `RtlAbsoluteToSelfRelativeSD` `RtlSetSaclSecurityDescriptor` `RtlSetDaclSecurityDescriptor` `RtlSetGroupSecurityDescriptor` `RtlSetOwnerSecurityDescriptor` `RtlCreateSecurityDescriptor` `RtlInitAnsiString` `RtlCopyUnicodeString` `RtlUnicodeToMultiByteSize` `RtlUnicodeStringToAnsiString` `RtlNtStatusToDosErrorNoTeb` `RtlAllocateHeap` `RtlFreeHeap` `RtlCreateAcl` `DbgPrintEx` `RtlAnsiStringToUnicodeString` `RtlUnhandledExceptionFilter` `NtTerminateProcess`
API-MS-Win-Core-LibraryLoader-L1-1-0.dll	`LoadLibraryExA` `FreeLibrary` `GetProcAddress` `GetModuleHandleExW` `DisableThreadLibraryCalls`
API-MS-Win-Core-ErrorHandling-L1-1-0.dll	`GetLastError` `SetLastError`
API-MS-Win-Core-Interlocked-L1-1-0.dll	`InterlockedCompareExchange` `InterlockedExchange`
API-MS-Win-Core-DelayLoad-L1-1-0.dll	`DelayLoadFailureHook`
msvcrt.dll	`memcpy` `_wcsicmp` `wcsrchr` `wcsstr` `memset` `qsort` `_wcsnicmp` `iswctype` `_wcstoui64` `wcschr` `wcstoul` `wcscpy_s` `wcsncpy_s` `_ultow` `swprintf_s` `_vsnwprintf` `wcstok` `isalnum` `isspace` `_errno` `_except_handler4_common` `_wcslwr`
API-MS-Win-Core-Debug-L1-1-0.dll	`IsDebuggerPresent`
API-MS-Win-Core-Handle-L1-1-0.dll	`CloseHandle`
API-MS-Win-Core-LocalRegistry-L1-1-0.dll	`RegQueryValueExW` `RegOpenKeyExW` `RegCloseKey`
API-MS-Win-Core-Misc-L1-1-0.dll	`LocalFree` `LocalAlloc` `IsWow64Process` `Sleep` `lstrcmpiW` `LocalReAlloc`
API-MS-Win-Core-ProcessThreads-L1-1-0.dll	`GetCurrentProcess` `TlsSetValue` `TlsGetValue` `SetThreadPriority` `OpenProcessToken` `GetCurrentProcessId` `GetThreadPriority` `TerminateThread` `CreateThread` `TlsAlloc` `GetCurrentThreadId` `GetProcessTimes` `OpenThread` `ResumeThread`
API-MS-Win-Security-Base-L1-1-0.dll	`EqualSid` `AdjustTokenGroups` `GetSidSubAuthorityCount` `FreeSid` `AllocateAndInitializeSid` `GetTokenInformation` `IsValidSecurityDescriptor` `GetSidSubAuthority`
API-MS-Win-Core-String-L1-1-0.dll	`CompareStringW`
API-MS-Win-Core-Synch-L1-1-0.dll	`CreateEventA` `OpenEventW` `CreateEventW` `WaitForSingleObject` `LeaveCriticalSection` `EnterCriticalSection` `ResetEvent` `SleepEx`
API-MS-Win-Core-SysInfo-L1-1-0.dll	`GetComputerNameExW`
RPCRT4.dll	`RpcRevertToSelf` `RpcImpersonateClient` `RpcBindingFree` `RpcBindingSetOption` `I_RpcExceptionFilter` `RpcAsyncCancelCall` `RpcAsyncInitializeHandle` `RpcBindingSetAuthInfoExW` `RpcStringFreeW` `RpcBindingFromStringBindingW` `RpcStringBindingComposeW` `UuidCreate` `RpcSmDestroyClientContext` `UuidIsNil` `UuidEqual` `NdrClientCall2` `NdrAsyncClientCall` `UuidFromStringW` `UuidToStringW` `I_RpcMapWin32Status` `RpcSsDestroyClientContext` `RpcStringBindingParseW` `RpcBindingToStringBindingW` `RpcBindingServerFromClient` `RpcSsGetContextBinding` `RpcServerInqCallAttributesA` `RpcAsyncCompleteCall`
CRYPTBASE.dll (delay-loaded)	`SystemFunction028` `SystemFunction004`

Delayed Imports

Attributes	`0x1`
Name	`CRYPTBASE.dll`
ModuleHandle	`0x1622c`
DelayImportAddressTable	`0x15de0`
DelayImportNameTable	`0x12184`
BoundDelayImportTable	`0x121b8`
UnloadDelayImportTable	`0`
TimeStamp	`1970-Jan-01 00:00:00`

ChangeServiceConfig2A

Ordinal	`1`
Address	`0x54c2`

ChangeServiceConfig2W

Ordinal	`2`
Address	`0x55e2`

ChangeServiceConfigA

Ordinal	`3`
Address	`0x5254`

ChangeServiceConfigW

Ordinal	`4`
Address	`0x53d5`

CloseServiceHandle

Ordinal	`5`
Address	`0x4dc3`

ControlService

Ordinal	`6`
Address	`0x4d5c`

ControlServiceExA

Ordinal	`7`
Address	`0x5ca0`

ControlServiceExW

Ordinal	`8`
Address	`0x5d8c`

ConvertSecurityDescriptorToStringSecurityDescriptorW

Ordinal	`9`
Address	`0xe0e4`

ConvertSidToStringSidW

Ordinal	`10`
Address	`0xa901`

ConvertStringSecurityDescriptorToSecurityDescriptorW

Ordinal	`11`
Address	`0xe093`

ConvertStringSidToSidW

Ordinal	`12`
Address	`0xddfc`

CreateServiceA

Ordinal	`13`
Address	`0x567c`

CreateServiceW

Ordinal	`14`
Address	`0x589f`

DeleteService

Ordinal	`15`
Address	`0x5a22`

I_QueryTagInformation

Ordinal	`16`
Address	`0x72d8`

I_ScBroadcastServiceControlMessage

Ordinal	`17`
Address	`0x71c5`

I_ScIsSecurityProcess

Ordinal	`18`
Address	`0x733f`

I_ScPnPGetServiceName

Ordinal	`19`
Address	`0x7c40`

I_ScQueryServiceConfig

Ordinal	`20`
Address	`0x5f8a`

I_ScRpcBindA

Ordinal	`21`
Address	`0x8e4e`

I_ScRpcBindW

Ordinal	`22`
Address	`0x8e3e`

I_ScSendPnPMessage

Ordinal	`23`
Address	`0x5e7d`

I_ScSendTSMessage

Ordinal	`24`
Address	`0x71c5`

I_ScValidatePnPService

Ordinal	`25`
Address	`0x6b9d`

LookupAccountNameLocalA

Ordinal	`26`
Address	`0x10180`

LookupAccountNameLocalW

Ordinal	`27`
Address	`0x10270`

LookupAccountSidLocalA

Ordinal	`28`
Address	`0x1048e`

LookupAccountSidLocalW

Ordinal	`29`
Address	`0x105da`

LsaLookupClose

Ordinal	`30`
Address	`0x106b5`

LsaLookupFreeMemory

Ordinal	`31`
Address	`0x10b2a`

LsaLookupGetDomainInfo

Ordinal	`32`
Address	`0x10c53`

LsaLookupManageSidNameMapping

Ordinal	`33`
Address	`0x10b9d`

LsaLookupOpenLocalPolicy

Ordinal	`34`
Address	`0x10634`

LsaLookupTranslateNames

Ordinal	`35`
Address	`0x108b6`

LsaLookupTranslateSids

Ordinal	`36`
Address	`0x10a0e`

NotifyServiceStatusChange

Ordinal	`37`
Address	`0xa0ff`

NotifyServiceStatusChangeA

Ordinal	`38`
Address	`0xa11d`

NotifyServiceStatusChangeW

Ordinal	`39`
Address	`0xa0ff`

OpenSCManagerA

Ordinal	`40`
Address	`0x64f0`

OpenSCManagerW

Ordinal	`41`
Address	`0x63ad`

OpenServiceA

Ordinal	`42`
Address	`0x7245`

OpenServiceW

Ordinal	`43`
Address	`0x714b`

QueryServiceConfig2A

Ordinal	`44`
Address	`0x6633`

QueryServiceConfig2W

Ordinal	`45`
Address	`0x680c`

QueryServiceConfigA

Ordinal	`46`
Address	`0x5a83`

QueryServiceConfigW

Ordinal	`47`
Address	`0x5b29`

QueryServiceObjectSecurity

Ordinal	`48`
Address	`0x50f4`

QueryServiceStatus

Ordinal	`49`
Address	`0x4e4b`

QueryServiceStatusEx

Ordinal	`50`
Address	`0x4eaf`

RegisterServiceCtrlHandlerA

Ordinal	`51`
Address	`0x7d64`

RegisterServiceCtrlHandlerExA

Ordinal	`52`
Address	`0x7dc6`

RegisterServiceCtrlHandlerExW

Ordinal	`53`
Address	`0x7da8`

RegisterServiceCtrlHandlerW

Ordinal	`54`
Address	`0x7d47`

SetServiceObjectSecurity

Ordinal	`55`
Address	`0x5181`

SetServiceStatus

Ordinal	`56`
Address	`0x4f9c`

StartServiceA

Ordinal	`57`
Address	`0x508d`

StartServiceCtrlDispatcherA

Ordinal	`58`
Address	`0x84eb`

StartServiceCtrlDispatcherW

Ordinal	`59`
Address	`0x85b2`

StartServiceW

Ordinal	`60`
Address	`0x4f35`

1

Type	`MUI`
Language	English - United States
Codepage	UNKNOWN
Size	`0xc8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.61416`
MD5	`84fba7655f2217a27bbcd12a0529d93d`
SHA1	`ff9fc130d60d1aef98066a232479bcdee07a0aef`
SHA256	`f8560fc40759daebfaa2f8e3fb3b8b4855a19c3c360e95ba7115dd78e5b42e6d`
SHA3	`7ca2b766816f4b804f7392ee502805fb5d58b75bbcb87d33331917ff38bfae3a`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x3a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.59026`
MD5	`5839862d1d19e1facd68af22920206a2`
SHA1	`f95f08b2804382bfb9bc7a2585adfef9aa65fa52`
SHA256	`271bec7340440c8b4cb287915fc7b033b14e3c1049d163755dfb7d39e9b45eb1`
SHA3	`1bf4452ea0479e0b863ae6ec6e339e80b69e561e963843daa1729ed1a0a6c6d8`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	6.1.7600.16385
ProductVersion	6.1.7600.16385
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Microsoft Corporation
FileDescription	Host for SCM/SDDL/LSA Lookup APIs
FileVersion (#2)	6.1.7600.16385 (win7_rtm.090713-1255)
InternalName	sechost.dll
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	sechost.dll
ProductName	Microsoft® Windows® Operating System
ProductVersion (#2)	6.1.7600.16385

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2009-Jul-13 23:11:58
Version	`0.0`
SizeofData	`36`
AddressOfRawData	`0x4938`
PointerToRawData	`0x3f38`
Referenced File	sechost.pdb

TLS Callbacks

Load Configuration

Size	`0x48`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x75e14000`
SEHandlerTable	`0x75e04960`
SEHandlerCount	`1`

RICH Header

XOR Key	`0x611c453c`
Unmarked objects	`0`
C++ objects (VS2008 SP1 build 30729)	`12`
ASM objects (VS2008 SP1 build 30729)	`3`
Total imports	`172`
Imports (VS2008 SP1 build 30729)	`33`
Exports (VS2008 SP1 build 30729)	`1`
C objects (VS2008 SP1 build 30729)	`16`
Linker (VS2008 SP1 build 30729)	`1`
Resource objects (VS2008 SP1 build 30729)	`1`