Report #5628

  • Creation Date: Feb. 11, 2020, 5:58 p.m.
  • Last Update: Feb. 11, 2020, 8:29 p.m.
  • File: McCHSvc.exe
  • Results:
Binary
DLL: False
Size: 317.78 KB
trid: 75.3% Windows ActiveX control, 17.8% Win64 Executable, 2.9% Win32 Executable, 1.3% OS/2 Executable, 1.2% Generic Win/DOS Executable
type: PE
wordsize: 32
Subsystem: Windows GUI
Hashes
md5: d08d4ba1dffbec58387790c004d31278
sha1: 9ff5e3ec8ec8127e804d93c30f4f7faee868fa73
crc32: 0xece8c91c
sha224: 80d9e505112b7d7d9989eb6e1c851b9604ecd78504ab6cf4eaa1f17f
sha256: 56abbdf19c4b3ccf319a31c6cc4eadbee5c0913d3519d73a8e28d38bc1c6d3b5
sha384: 5d39a84f09add98a74ae0c5d73f02483c2f949a7ae45e62e84882ba02fb79be7c586345e4ff7a24b5099135854077f4b
sha512: 03b6cccffc60384046f9604add8c2e6ee7c3f21df0de1cb13a76d1256c37a751f5002d5daf5b8fb4b4de14ca5b6d67b509feecd382bfcc0c2f622ab8c0141147
ssdeep: 6144:Di2kcFBOUXcA7sG7X+7WBjPF7e724AOZqfr5/cS90Nr3w1:DdiUMO7X+7WBjPNp4KfV3Gr3E
Community
Google: False
HashLib: False
YARA
Matches: VC8_Microsoft_Corporation, win_files_operation, domain, contentis_base64, anti_dbg, IP, win_private_profile, win_token, HasRichSignature, win_mutex, Microsoft_Visual_Cpp_8, win_registry, HasDebugData, HasOverlay, maldoc_find_kernel32_base_method_1, url, MD5_Constants, IsPE32, IsWindowsGUI, Big_Numbers1
Suspicious: True

Strings
List

Foremost
Matches: 0.exe, 297 KB
Suspicious: True
Heuristics
IPs
hasIPs: False
Allowed
Suspicious
hasAllowed: False
hasSuspicious: False

URLs
Allowed: http://crl.microsoft.com/pki/crl/products/microsoftcodeverifroot.crl0
hasURLs: True
Suspicious: http://s.symcb.com/universal-root.crl0, http://ocsp.verisign.com0, https://www.verisign.com/rpa, https://www.verisign.com/rpa0, http://s1.symcb.com/pca3-g5.crl0, http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0, https://d.symcb.com/cps0%, http://sv.symcb.com/sv.crl0a, http://s.symcd.com06, http://crl.verisign.com/pca3-g5.crl04, http://www.symauth.com/cps0(, http://logo.verisign.com/vslogo.gif04, https://d.symcb.com/rpa0@, https://d.symcb.com/rpa0, https://www.verisign.com/cps0, http://sv.symcb.com/sv.crt0, http://crl.thawte.com/thawtetimestampingca.crl0, http://sv.symcd.com0&, http://sf.symcb.com/sf.crl0a, http://www.mcafee.com, http://s2.symcb.com0, http://ocsp.thawte.com0, https://d.symcb.com/rpa0., http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(, http://www.symauth.com/rpa00, http://sf.symcb.com/sf.crt0, http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(, http://ts-ocsp.ws.symantec.com0;, http://sf.symcd.com0&, http://ts-ocsp.ws.symantec.com07, http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
hasAllowed: True
hasSuspicious: True

Files
Allowed: @kernel32.dll, Mscoree.dll, WAdvapi32.dll, OLEAUT32.DLL, SHLWAPI.dll, SHELL32.dll, ADVAPI32.dll, ole32.dll, USER32.dll, KERNEL32.dll
hasFiles: True
Suspicious
hasAllowed: True
hasSuspicious: False

Binary
Sizes
RVA: 16 (Suspicious: False)
Code Size: 108032 (Suspicious: False)
Image Address: 4194304 (Suspicious: False)
Stack: 4096 (Suspicious: False)
Headers: 1024 (Suspicious: False)
Suspicious: False

Symbols
Number: 0 (Suspicious: True)
Pointer: 0 (Suspicious: True)
Directories
Number: 16 (Suspicious: False)

Checksum
Value: 357459
Suspicious: False

Sections
Allowed: .text, .rdata, .data, .gfids, .tls, .rsrc, .reloc
Suspicious
hasAllowed: True
hasSections: True
hasSuspicious: False

Versions
OS Version: 6 (Suspicious: False)
Image Version: 6 (Suspicious: True)
Linker Version: 14.0 (Suspicious: False)
Subsystem Version: 6.0 (Suspicious: False)
Suspicious: False

EntryPoint
Address: 85842
Suspicious: False

Anomalies
hasAnomalies: False

Libraries
Allowed: mscoree.dll, oleaut32.dll, shlwapi.dll, shell32.dll, advapi32.dll, ole32.dll, user32.dll, kernel32.dll
hasLibs: True
Suspicious: @kernel32.dll, wadvapi32.dll
hasAllowed: True
hasSuspicious: True

Timestamp
Past: False
Valid: True
Value: 2019-06-18 09:41:07
Future: False

Compilation
Packed: False
Missing: False
Packers
Compiled: True
Compilers: Microsoft Visual C++ 8, VC8 -> Microsoft Corporation

Obfuscation
XOR: False
Fuzzing: True

PEDetector
Matches: None
Suspicious: False
Disassembly
hasTricks: True
Tricks
ldr
.text: 1

pushret
.rdata: 5

pushpopmath
.rsrc: 2
.text: 2
.rdata: 10
.reloc: 11

sizeofimage
.text: 1

garbagebytes
.rdata: 3

hookdetection
.rdata: 1

stealthimport
.rdata: 1

peb ntglobalflag
.text: 1

isdebbugerpresent
.text: 1

software breakpoint
.reloc: 3

programcontrolflowchange
.rdata: 3

cpuinstructionsresultscomparison
.rdata: 6

AVclass
None
1
VirusTotal
md5: d08d4ba1dffbec58387790c004d31278
sha1: 9ff5e3ec8ec8127e804d93c30f4f7faee868fa73
SCANS (DETECTION RATE = 0.00%)
Engine | Update | Version | Detected
CMC | 20190321 | 1.1.0.977 | False
MAX | 20191218 | 2019.9.16.1 | False
APEX | 20191217 | 5.95 | False
Bkav | 20191217 | 1.3.0.9899 | False
K7GW | 20191218 | 11.84.32858 | False
ALYac | 20191218 | 1.1.1.5 | False
Avira | 20191218 | 8.3.3.8 | False
Cyren | 20191218 | 6.2.2.2 | False
DrWeb | 20191218 | 7.0.42.9300 | False
GData | 20191218 | A:25.24281B:26.17035 | False
Panda | 20191217 | 4.6.4.2 | False
VBA32 | 20191217 | 4.3.0 | False
VIPRE | 20191218 | 80120 | False
Zoner | 20191217 | 1.0.0.1 | False
ClamAV | 20191217 | 0.102.1.0 | False
Comodo | 20191218 | 31856 | False
McAfee | 20191218 | 6.0.6.653 | False
Rising | 20191218 | 25.0.0.24 | False
Sophos | 20191218 | 4.98.0 | False
Yandex | 20191217 | 5.5.2.24 | False
Zillya | 20191217 | 2.0.0.3978 | False
Acronis | 20191211 | 1.1.1.58 | False
Alibaba | 20190527 | 0.3.0.5 | False
Arcabit | 20191218 | 1.0.0.865 | False
Endgame | 20190918 | 3.0.15 | False
FireEye | 20191218 | 29.7.0.0 | False
Sangfor | 20191213 | 1.0 | False
TACHYON | 20191218 | 2019-12-18.03 | False
Tencent | 20191218 | 1.0.0.1 | False
ViRobot | 20191218 | 2014.3.20.0 | False
Webroot | 20191218 | 1.0.0.403 | False
Ad-Aware | 20191218 | 3.0.5.370 | False
AegisLab | 20191218 | 4.2 | False
Emsisoft | 20191218 | 2018.12.0.1641 | False
F-Secure | 20191218 | 12.0.86.52 | False
Fortinet | 20191218 | 6.2.137.0 | False
Invincea | 20191211 | 6.3.6.26157 | False
Jiangmin | 20191218 | 16.0.100 | False
Kingsoft | 20191218 | 2013.8.14.323 | False
Paloalto | 20191218 | 1.0 | False
Symantec | 20191217 | 1.11.0.0 | False
Trapmine | 20191216 | 3.2.16.890 | False
AhnLab-V3 | 20191218 | 3.16.5.25880 | False
Kaspersky | 20191218 | 15.0.1.13 | False
MaxSecure | 20191217 | 1.0.0.1 | False
Microsoft | 20191218 | 1.1.16600.7 | False
Qihoo-360 | 20191218 | 1.0.0.1120 | False
ZoneAlarm | 20191218 | 1.0 | False
Cybereason | 20190616 | 1.2.449 | False
ESET-NOD32 | 20191218 | 20529 | False
TrendMicro | 20191218 | 11.0.0.1006 | False
BitDefender | 20191218 | 7.2 | False
CrowdStrike | 20190702 | 1.0 | False
K7AntiVirus | 20191218 | 11.84.32858 | False
SentinelOne | 20191216 | 1.12.0.54 | False
Avast-Mobile | 20191217 | 191217-00 | False
Malwarebytes | 20191218 | 2.1.1.1115 | False
TotalDefense | 20191218 | 37.1.62.1 | False
CAT-QuickHeal | 20191217 | 14.00 | False
NANO-Antivirus | 20191218 | 1.0.134.25031 | False
BitDefenderTheta | 20191217 | 7.2.37796.0 | False
MicroWorld-eScan | 20191218 | 14.0.297.0 | False
SUPERAntiSpyware | 20191217 | 5.6.0.1032 | False
McAfee-GW-Edition | 20191218 | v2017.3010 | False
TrendMicro-HouseCall | 20191218 | 10.0.0.1040 | False
total: 65
sha256: 56abbdf19c4b3ccf319a31c6cc4eadbee5c0913d3519d73a8e28d38bc1c6d3b5
scan_id: 56abbdf19c4b3ccf319a31c6cc4eadbee5c0913d3519d73a8e28d38bc1c6d3b5-1576658992
resource: d08d4ba1dffbec58387790c004d31278
positives: 0
scan_date: 2019-12-18 08:49:52
verbose_msg: Scan finished, information embedded
response_code: 1
File
Trace

Process
Trace

Analysis
Reason: Blue Screen
Status: Execution Failed
Results: 0

Registry
Trace

File Summary
Created Identified: False
Deleted Identified: False

Process Summary
Created Identified: False
Deleted Identified: False

Registry Summary
Proxy Identified: False
AutoRun Identified: False
Created Identified: False
Deleted Identified: False
Browsers Identified: False
Internet Identified: False


DNS
Query

Response

TCP
Info

UDP
Info

HTTP
Info

Summary
DNS: False
TCP: False
UDP: False
HTTP: False

Results
BINARY
KNN (K=3, NFS-BRMalware): confidence 66.67%, suspicious: False
Decision Tree (NFS-BRMalware): confidence 100.00%, suspicious: True
SVC (Kernel=Linear, NFS-BRMalware): confidence 99.73%, suspicious: False
MalConv (Ember: Raw Bytes, Threshold=0.5): confidence 89.65%, suspicious: True
Random Forest (100 estimators, NFS-BRMalware): confidence 72.00%, suspicious: False
Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35): confidence 76.36%, suspicious: False
LightGDM (Ember: File Characteristics, Threshold=0.8336): confidence 100.00%, suspicious: False
