c7084336325dc8eadfb1e8ff876921c4

Summary

Architecture IMAGE_FILE_MACHINE_AMD64
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2019-Dec-31 01:01:44
Detected languages English - United States
Debug artifacts d:\build\ob\bora-15389592\bora-vmsoft\build\release-x64\tools-for-windows\Win32\services\vmtoolsd\vmtoolsd.pdb
CompanyName VMware, Inc.
FileDescription VMware Tools Core Service
FileVersion 11.0.5.17716
InternalName vmtoolsd
LegalCopyright Copyright © 1998-2020 VMware, Inc.
OriginalFilename vmtoolsd.exe
ProductName VMware Tools
ProductVersion 11.0.5 build-15389592

Plugin Output

Info Matching compiler(s): MASM/TASM - sig1(h)
Suspicious Strings found in the binary may indicate undesirable behavior: Looks for VMWare presence:
  • VMTools
  • VMware
  • vmtools
  • vmware
May have dropper capabilities:
  • CurrentControlSet\Services
Miscellaneous malware strings:
  • Backdoor
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryW
Can access the registry:
  • RegCloseKey
  • RegCreateKeyW
  • RegSetValueExW
Interacts with services:
  • CreateServiceW
  • DeleteService
  • OpenSCManagerW
  • OpenServiceW
Info The PE is digitally signed. Signer: VMware
Issuer: DigiCert Assured ID Code Signing CA-1
Safe VirusTotal score: 0/66 (Scanned on 2021-09-08 06:06:07) All the AVs think this file is safe.

Hashes

MD5 c7084336325dc8eadfb1e8ff876921c4
SHA1 01bdf7b458e7728cd1ddf9e7bef2942b7038e036
SHA256 63d423ea882264dbb157a965c200306212fc5e1c6ddb8cbbb0f1d3b51ecd82e6
SHA3 9b6e45fcf82dbeb7a979389a1a0fce9ad20ca6d64889e62ab196e312b4d7cd8e
SSDeep 1536:YYjdVSD6K3sMi11IPfHeQVqYR8BWbcbr7D82kARQHtAekT5ZmbCp9iy10A:XXW3sr1+neQVbR8Becbr382kAitAUbOh
Imports Hash 35f1ce01823cdaa0d765c2b1c322584d

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x118

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_AMD64
NumberofSections 6
TimeDateStamp 2019-Dec-31 01:01:44
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xf0
Characteristics IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Image Optional Header

Magic PE32+
LinkerVersion 14.0
SizeOfCode 0x8a00
SizeOfInitializedData 0xb800
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000000000008580 (Section: .text)
BaseOfCode 0x1000
ImageBase 0x140000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x18000
SizeOfHeaders 0x400
Checksum 0x1b605
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 f9bc5861733e41832e4ca1cddf3d04db
SHA1 6b58413be34bf09437cace926739a5f328ce3edc
SHA256 46537a60e7f763a59f760edafcfde3b2cfbdc2b2a3f8248839fac928db7f5ece
SHA3 5d85930bb8de715e28ee8863dcfe656e4d159ff39ca72275ab1ae7a82e71e1a9
VirtualSize 0x88e2
VirtualAddress 0x1000
SizeOfRawData 0x8a00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 5.91826

.rdata

MD5 80e3af64d327f4eabbee51160a142945
SHA1 678a8d5656c493f2a7a575db75dd3d920c86de4a
SHA256 655c8fc27a1e391eab0bde3573ea187363a13f5ed2d6cf5facf9365033251e15
SHA3 3fb0831c6b7e59a94c539583d007b8de25e4404c3e912cba82ac7791ebf2f727
VirtualSize 0x6a5e
VirtualAddress 0xa000
SizeOfRawData 0x6c00
PointerToRawData 0x8e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.9143

.data

MD5 fa0652f6bd76638710d68b85d7e91881
SHA1 ef53bfe1fe642afd2e3d673b2ebedd0bc5942b07
SHA256 5b986edb604c5144e49ef6fbcc0cb830dbd7e2f059be28f4fdf4eed00a038fbe
SHA3 6e774d78961ce2bec052b15582684831684074a1fed48e880163d1ed55cd8a20
VirtualSize 0x8a0
VirtualAddress 0x11000
SizeOfRawData 0x200
PointerToRawData 0xfa00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.79167

.pdata

MD5 3754042f389a577f6fc7b026f2c08ba3
SHA1 d38bfde75ad20a3e8e3a045aa41079c06788f4b7
SHA256 8c4392d6f19b069cfdf94707b99f0397404cf5dbeed109be0056a01200451bee
SHA3 679e7d0ffcbe06de3bd980585925b0d95273f9f8ab09dae3226f35a94e5a67cc
VirtualSize 0xa20
VirtualAddress 0x12000
SizeOfRawData 0xc00
PointerToRawData 0xfc00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.01629

.rsrc

MD5 4db8d974314755dd6ac1d25a42b5e85e
SHA1 febcf8e24d59d9bf5233101c08f2aa102ad10d87
SHA256 9805d99e649a1563596c8d8ae847b552ba9f0f0004dfbfd4f8859e960fbd6f8f
SHA3 4389cc1ae1ad470ffbfe110425cbe7cae699e9d80a4f0febd5491c75c69dd87f
VirtualSize 0x32d0
VirtualAddress 0x13000
SizeOfRawData 0x3400
PointerToRawData 0x10800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.6293

.reloc

MD5 80ec4819e4a20151858130d684e809e4
SHA1 d38f59116621895a05d6c67833ea0597263fe61a
SHA256 188835d2e14ca0fbd14070c9c591197bc1ba9545c5e73a9d77ce27beccac9ee4
SHA3 a42343d36e48c756cb1096a5164ce9f7f72f96f3c1336412daa32b9f20b8360f
VirtualSize 0xf0
VirtualAddress 0x17000
SizeOfRawData 0x200
PointerToRawData 0x13c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 2.87525

Imports

ADVAPI32.dll AllocateAndInitializeSid
FreeSid
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
SetSecurityDescriptorOwner
SetEntriesInAclW
DeregisterEventSource
RegisterEventSourceW
ReportEventW
RegCloseKey
RegCreateKeyW
RegSetValueExW
CloseServiceHandle
CreateServiceW
DeleteService
OpenSCManagerW
OpenServiceW
RegisterServiceCtrlHandlerExW
SetServiceStatus
StartServiceCtrlDispatcherW
ole32.dll CoUninitialize
USER32.dll GetDesktopWindow
RegisterDeviceNotificationW
UnregisterDeviceNotification
MessageBoxW
GetWindowLongPtrW
GetSystemMetrics
DestroyWindow
CreateWindowExW
UnregisterClassW
TranslateMessage
DispatchMessageW
PeekMessageW
DefWindowProcW
RegisterClassW
SetWindowLongPtrW
VERSION.dll GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW
intl.dll libintl_gettext
glib-2.0.dll g_option_context_get_main_group
g_option_group_set_error_hook
g_win32_error_message
g_malloc
g_main_context_unref
g_main_context_default
g_main_loop_new
g_main_loop_run
g_main_loop_unref
g_source_remove
g_timeout_add
g_key_file_new
g_key_file_free
g_cond_wait_until
g_key_file_get_keys
g_strchomp
g_strdup_printf
g_strfreev
g_strcmp0
g_array_new
g_array_free
g_array_append_vals
g_ptr_array_new
g_ptr_array_free
g_option_context_add_main_entries
g_source_destroy
g_option_context_free
g_cond_signal
g_snprintf
g_atomic_int_add
g_atomic_int_set
g_key_file_get_boolean
g_thread_pool_set_max_idle_time
g_thread_pool_set_max_unused_threads
g_thread_pool_push
g_thread_pool_free
g_option_context_set_summary
g_main_loop_quit
g_thread_pool_new
g_queue_delete_link
g_mutex_clear
g_queue_remove
g_queue_pop_tail
g_option_context_new
g_queue_push_head
g_queue_find_custom
g_queue_free
g_queue_new
g_key_file_get_integer
g_idle_add_full
g_main_loop_is_running
g_mutex_unlock
g_mutex_lock
g_printerr
g_print
g_free
g_get_monotonic_time
g_option_context_parse
g_main_loop_get_context
g_mutex_init
g_source_unref
g_source_attach
g_source_set_callback
g_idle_add
g_ptr_array_remove_index
g_log
g_logv
g_str_has_prefix
g_thread_join
g_thread_try_new
g_ptr_array_remove
g_strdup
g_str_has_suffix
g_return_if_fail_warning
g_malloc0
g_file_test_utf8
g_dir_read_name_utf8
g_dir_open_utf8
g_dir_close
g_ptr_array_sort
g_ptr_array_add
g_clear_error
gmodule-2.0.dll g_module_close
g_module_open_utf8
g_module_make_resident
g_module_error
g_module_symbol
gobject-2.0.dll g_value_set_boolean
g_param_spec_pointer
g_object_notify
g_signal_new
g_cclosure_marshal_VOID__POINTER
g_type_check_class_cast
g_type_check_instance_cast
g_type_register_static
g_value_set_uint
g_signal_parse_name
g_object_unref
g_object_set
g_object_new
g_signal_connect_data
g_signal_lookup
g_type_init
g_signal_emit_by_name
g_value_get_boolean
g_value_get_uint
g_value_set_pointer
g_value_get_pointer
g_value_peek_pointer
g_object_get
g_type_class_peek_parent
g_object_class_install_property
vmtools.dll VMTools_CreateTimer
RpcChannel_New
RpcChannel_SetRetVals
RpcChannel_Setup
StrUtil_GetNextToken
GuestApp_GetConfPath
GuestApp_GetInstallPath
RpcChannel_RegisterCallback
Win32U_FormatMessage
Win32U_SetEnvironmentVariable
Win32U_GetEnvironmentVariable
RpcChannel_Send
RpcChannel_Start
VMTools_ResumeLogIO
VMTools_SuspendLogIO
VMTools_ConfigGetString
VMTools_ConfigGetInteger
Str_Vasprintf
VMTools_GetString
Str_Snwprintf
Str_SafeAsprintf
RpcChannel_SendOne
VMTools_BindTextDomain
VMTools_SetupVmxGuestLog
VMTools_UseVmxGuestLog
Str_Wcscpy
VMTools_ConfigLogging
Str_Vaswprintf
Str_SafeVaswprintf
Str_Aswprintf
Hostinfo_GetOSType
CodeSet_Utf8ToUtf16le
Unicode_InitW
Panic
RpcChannel_Destroy
RpcChannel_Stop
VMTools_NewHandleSource
BackdoorChannel_New
VMTools_AttachConsole
VMTools_LoadConfig
vm_free
VmCheck_IsVirtualWorld
KERNEL32.dll CloseHandle
GetLastError
SetErrorMode
SetEvent
WaitForSingleObject
CreateEventW
GetCurrentProcess
GetCurrentThread
SetThreadPriority
SetPriorityClass
GetModuleHandleW
GetProcAddress
LocalFree
SetDllDirectoryW
VerifyVersionInfoW
SetConsoleCtrlHandler
OpenEventW
SetLastError
OutputDebugStringA
OutputDebugStringW
FreeLibrary
GetModuleFileNameW
LoadLibraryW
LocalAlloc
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
VerSetConditionMask
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
VCRUNTIME140.dll __std_exception_copy
__C_specific_handler
__CxxFrameHandler3
__std_exception_destroy
_purecall
strchr
memset
_CxxThrowException
api-ms-win-crt-heap-l1-1-0.dll free
_set_new_mode
_callnewh
malloc
api-ms-win-crt-runtime-l1-1-0.dll _cexit
_seh_filter_exe
_set_app_type
_configure_wide_argv
_initialize_wide_environment
_get_initial_wide_environment
_initterm
_initterm_e
_exit
__p___argc
__p___wargv
_c_exit
_register_thread_local_exe_atexit_callback
_initialize_onexit_table
_register_onexit_function
_crt_atexit
terminate
exit
api-ms-win-crt-locale-l1-1-0.dll _configthreadlocale
setlocale
api-ms-win-crt-string-l1-1-0.dll _wcsicmp
strncmp
strcmp
api-ms-win-crt-stdio-l1-1-0.dll __p__commode
__acrt_iob_func
__stdio_common_vfwprintf
_set_fmode
api-ms-win-crt-math-l1-1-0.dll __setusermatherr

Delayed Imports

1

Type RT_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0x25a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.37925
MD5 7fef88bb6176e299de004c33694b5acc
SHA1 b166acef2038b5294eb30c885a2ac2d97041560e
SHA256 946d53ef3c3e09b367ec93f43aa04bcb23d39ee80f7f2c6edf723d9b47161cf7
SHA3 eff10a859794aa430604374dccf60c0ba12c97b029eca06d96d928661e3518ae

1 (#2)

Type RT_MESSAGETABLE
Language English - United States
Codepage UNKNOWN
Size 0x2c8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.19626
MD5 759168652afe291ecb7dc3ffc46b2561
SHA1 b291f5ccf4cea5eb10d3677298be52373f44d551
SHA256 657fb220e4f919cbf2b87e272649a17c8dc47bfb2126be67b2b9993667f01191
SHA3 5a5a4910cd7326ae953890dfba8e553943340c5f52cdf43f1818875974ef1441

101

Type RT_GROUP_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0x14
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 1.91924
Detected Filetype Icon file
MD5 6da8e7d5ae1d5d15e0230a67a7c16c6d
SHA1 678db52cbe5d617c33c6269bfd4b6d8d1a17f956
SHA256 6eb54801f91b6d8effccbfaefe6b2d7705a274a75940e6226e24e0d4ec58c396
SHA3 994fc217c7b8bc8008ac262ff58044403206de6eceafd424d4640ecad395eb2f

1 (#3)

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x320
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.49655
MD5 04807d6b89d9c6f4a11ce5304394e200
SHA1 0d3768677ed3cabdcbd34a2419bba4c7c6e536e5
SHA256 8d47e4b6cf0504f9d7948aafc56ee3b911fb1a1b7dfc31b22d7a9a9fee47b9ca
SHA3 b731029add049ad94b6d44c30f3f076a09510c97178db4c3dada154692e8fb76

1 (#4)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x5a6
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.08943
MD5 1de45c3ee8b586ac7a5d7ba628b7ca68
SHA1 9e73c5d9ab857ef568221fa30c76a3b9b13d680a
SHA256 ee47a99bb307726dd743f21a8488cf44140375824697efc6e45d93eb8d872454
SHA3 dfd10caa76a46ad5bee7e03dafd53853ff3ff47ef1c54435e833e83705e64171

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 11.0.5.17716
ProductVersion 11.0.5.17716
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
CompanyName VMware, Inc.
FileDescription VMware Tools Core Service
FileVersion (#2) 11.0.5.17716
InternalName vmtoolsd
LegalCopyright Copyright © 1998-2020 VMware, Inc.
OriginalFilename vmtoolsd.exe
ProductName VMware Tools
ProductVersion (#2) 11.0.5 build-15389592
Resource LangID English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2019-Dec-31 01:01:44
Version 0.0
SizeofData 135
AddressOfRawData 0xd9fc
PointerToRawData 0xc7fc
Referenced File d:\build\ob\bora-15389592\bora-vmsoft\build\release-x64\tools-for-windows\Win32\services\vmtoolsd\vmtoolsd.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2019-Dec-31 01:01:44
Version 0.0
SizeofData 20
AddressOfRawData 0xda84
PointerToRawData 0xc884

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2019-Dec-31 01:01:44
Version 0.0
SizeofData 692
AddressOfRawData 0xda98
PointerToRawData 0xc898

TLS Callbacks

Load Configuration

Size 0x100
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x140011068
GuardCFCheckFunctionPointer 5368752392
GuardCFDispatchFunctionPointer 0
GuardCFFunctionTable 0
GuardCFFunctionCount 0
GuardFlags (EMPTY)
CodeIntegrity.Flags 0
CodeIntegrity.Catalog 0
CodeIntegrity.CatalogOffset 0
CodeIntegrity.Reserved 0
GuardAddressTakenIatEntryTable 0
GuardAddressTakenIatEntryCount 0
GuardLongJumpTargetTable 0
GuardLongJumpTargetCount 0

RICH Header

XOR Key 0xe6cb45af
Unmarked objects 0
Imports (VS2008 SP1 build 30729) 12
Imports (VS 2015/2017 runtime 26706) 2
Imports (VS2019 Update 2 (16.2) compiler 27905) 6
Imports (VS2017 v15.8.4 compiler 26729) 4
ASM objects (VS 2015/2017 runtime 26706) 2
C++ objects (VS 2015/2017 runtime 26706) 25
C objects (VS 2015/2017 runtime 26706) 10
Imports (VS2015/2017 runtime 25711) 11
Total imports 280
C objects (VS2017 v15.8.4 compiler 26729) 8
C++ objects (VS2017 v15.8.4 compiler 26729) 2
Resource objects (VS2017 v15.8.4 compiler 26729) 1
151 1
Linker (VS2017 v15.8.4 compiler 26729) 1

Errors