Manalyze report for 448524fd62dec1151c75b55b86587784

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2009-Sep-14 15:28:07
Detected languages	English - United States Russian - Russia
CompanyName	Microsoft Corporation
FileDescription	Java Virtual Mashine
FileVersion	`5.00.3805.0000`
InternalName	MSJAVAVM
LegalCopyright	Copyright (C) Microsoft Corp. 1997-2000.
OriginalFilename	MsJavaVM.dll
ProductName	Microsoft(R) Windows (R) Operating System
ProductVersion	`5.00.3805.0000`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 DLL (Debug)` `Microsoft Visual C++ 6.0 - 8.0` `Microsoft Visual C++` `Microsoft Visual C++ v6.0`
Suspicious	PEiD Signature:	`HQR data file`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`May have dropper capabilities: %TEMP% %temp%`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Can access the registry: RegEnumValueA RegDeleteValueA RegCreateKeyA RegQueryValueExA RegSetValueExA RegCreateKeyExA RegCloseKey` `Possibly launches other programs: CreateProcessA` `Can create temporary files: GetTempPathA GetTempPathW CreateFileA` `Leverages the raw socket API to access the Internet: inet_ntoa gethostbyname WSAStartup WSACleanup` `Enumerates local disk drives: GetVolumeInformationA GetDriveTypeA`
Malicious	VirusTotal score: 52/67 (Scanned on 2021-11-08 09:23:45)	`Elastic: malicious (high confidence)` `DrWeb: Win32.HLLW.Autoruner.35241` `MicroWorld-eScan: Gen:Variant.Doina.8448` `FireEye: Generic.mg.448524fd62dec115` `ALYac: Backdoor.Turla.A` `Cylance: Unsafe` `Zillya: Worm.AutoRun.Win32.6053` `Sangfor: Worm.Win32.Autorun.giqh` `K7AntiVirus: P2PWorm ( 004ca5911 )` `Alibaba: Worm:Win32/Autorun.dfa423b6` `K7GW: P2PWorm ( 004ca5911 )` `CrowdStrike: win/malicious_confidence_90% (W)` `BitDefenderTheta: Gen:NN.ZedlaF.34266.lu8@aSFuPYoc` `Cyren: W32/AutoRun.M.gen!Eldorado` `ESET-NOD32: Win32/AutoRun.ADR` `APEX: Malicious` `Paloalto: generic.ml` `ClamAV: Win.Worm.Autorun-376` `Kaspersky: HEUR:Trojan.Win32.Generic` `BitDefender: Gen:Variant.Doina.8448` `NANO-Antivirus: Trojan.Win32.AutoRun.crptlv` `Avast: Win32:Turla-F [Trj]` `Tencent: Win32.Worm.Autorun.Pciv` `Ad-Aware: Gen:Variant.Doina.8448` `Sophos: W32/Autorun-ZB` `Comodo: Worm.Win32.Autorun.DAA@4l3wiy` `VIPRE: Worm.Win32.AutoRun` `TrendMicro: WORM_OTORUN.SML` `McAfee-GW-Edition: W32/Autorun.worm.mq` `Emsisoft: Gen:Variant.Doina.8448 (B)` `GData: Win32.Rootkit.Uroburos.C` `Jiangmin: Worm/AutoRun.mit` `Webroot: Trojan:Win32/Remdruk.A` `Avira: WORM/Autorun.giqh` `MAX: malware (ai score=100)` `Antiy-AVL: Trojan/Generic.ASMalwS.896B49` `Kingsoft: Win32.Troj.Undef.(kcloud)` `ViRobot: Worm.Win32.Autorun.185344.E` `Microsoft: Worm:Win32/Autorun.JE` `Cynet: Malicious (score: 99)` `AhnLab-V3: Worm/Win32.AutoRun.R1836` `McAfee: W32/Autorun.worm.mq` `TACHYON: Worm/W32.AutoRun.185344` `VBA32: BScope.Trojan-Dropper.Injector` `Malwarebytes: Malware.AI.909372737` `TrendMicro-HouseCall: WORM_OTORUN.SML` `Rising: Backdoor.[Turla]ComRAT!1.C333 (CLASSIC)` `Yandex: Worm.Autorun.Gen.24` `Ikarus: Worm.Win32.AutoRun` `eGambit: Unsafe.AI_Score_99%` `Fortinet: W32/AutoRun.BDJ!tr` `AVG: Win32:Turla-F [Trj]`

Hashes

MD5	`448524fd62dec1151c75b55b86587784`
SHA1	`f6bab0a6230b65122af95ed9951164168767257a`
SHA256	`cf5e73c4517c8547732f01a6fd614f9ad1aa628b9fc6a82d3b2f222f7b2a0433`
SHA3	`56cbcb5f7c6ddf81ba813adc6d861585361395ad36c8ee31cfdfea6668c511c5`
SSDeep	`3072:HkaXIL816mbgFOuXoczloKBE6E1E3grpp22yzXkslJzDg:EAIL8165FObwloK26Jgb2YszD`
Imports Hash	`d459a20c774efe7abb74187fb303b5ad`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2009-Sep-14 15:28:07
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x23600`
SizeOfInitializedData	`0xc600`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0001B41A (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x25000`
ImageBase	`0x10000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x33000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`0b9cad955d7ad9027e00bfcf01357d18`
SHA1	`e0c2aa5864e47662ce34a1b9933fe9d1962a9c78`
SHA256	`e9038beb093a94b9c7b2e40f101a4682a8ab5d7b69cac927bed9685ccf9e64be`
SHA3	`2db763c2cb870e2136440481a32902b1218967c4af0b323c3f9a4dccee7ffeb2`
VirtualSize	`0x234f5`
VirtualAddress	`0x1000`
SizeOfRawData	`0x23600`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.46101`

.rdata

MD5	`e07804a806dccaf9348251e82e3d5073`
SHA1	`116d16ee2ccff6cded362a917b116544769a1165`
SHA256	`161edc835895d400ce943c3381131d72cb3a0e6ff04c7a7d99a089104b2f328f`
SHA3	`67cfde4c97470e586ac67710195189e16cf8888bb7c60bd5bfb079c9cbbaaf18`
VirtualSize	`0x1f3d`
VirtualAddress	`0x25000`
SizeOfRawData	`0x2000`
PointerToRawData	`0x23a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.00903`

.data

MD5	`cf89596340a6ada4a1cf3786efc2cd86`
SHA1	`ec3cc7b09f7039b11e07ffa76b35ae7102830842`
SHA256	`8c9ab7ccfb6fa62d85229a46ff82274fd606066cffb21ac6af04568ebbc7260e`
SHA3	`df25e4034885a2708317642d74aff4ea3a239fe0daa3d0156f2dc52b1ce1347f`
VirtualSize	`0x73a5`
VirtualAddress	`0x27000`
SizeOfRawData	`0x4800`
PointerToRawData	`0x25a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.1277`

.rsrc

MD5	`e48be759786402cb85e57962d3b63b74`
SHA1	`bb12f63421510a0988c52e6abf4ecb811fb00f5a`
SHA256	`9142df719b1d055184c4ba375ba381a5983300ad612cbb2ab4c13d3d1b3eb125`
SHA3	`493e12751a650f7cdc7eab2054371dac9d45202b68706376b1a017f23973e1cb`
VirtualSize	`0x888`
VirtualAddress	`0x2f000`
SizeOfRawData	`0xa00`
PointerToRawData	`0x2a200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.38621`

.reloc

MD5	`bbd1a5fa10227dc4bce657f0f9e170fa`
SHA1	`a6d6fc3c6f51df4464ccc10d997e39aa36295676`
SHA256	`915d37ab9fa3285beed2b7a509f1a2fda8b9b6abec112b27e36592d4ffe1b75b`
SHA3	`4547488779840166f2336c4963f6b8d14d622089774b6df27e5d4764dcee4918`
VirtualSize	`0x27ce`
VirtualAddress	`0x30000`
SizeOfRawData	`0x2800`
PointerToRawData	`0x2ac00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.52085`

Imports

KERNEL32.dll	`FindNextFileA` `DeleteFileA` `FindFirstFileA` `GetTempFileNameA` `GetTempPathA` `FreeLibrary` `GetProcAddress` `LoadLibraryA` `UnmapViewOfFile` `GetLastError` `MapViewOfFile` `CreateFileMappingA` `GetFileSize` `lstrcmpA` `SetLastError` `SetFileAttributesA` `OpenEventA` `WriteFile` `CopyFileA` `Sleep` `GetVolumeInformationA` `GetDriveTypeA` `ExitProcess` `SetFilePointer` `ReadFile` `GetModuleHandleA` `GetModuleFileNameA` `CreateProcessA` `GetSystemTime` `GetSystemDirectoryA` `SetFileTime` `lstrcatA` `GetLocalTime` `GetPrivateProfileStringA` `GetTempPathW` `FindClose` `GetEnvironmentVariableW` `GetComputerNameW` `GetTimeZoneInformation` `MultiByteToWideChar` `lstrcatW` `lstrlenW` `GetVersionExA` `GetComputerNameA` `lstrcpyA` `GetTickCount` `FileTimeToSystemTime` `GetWindowsDirectoryA` `GetEnvironmentVariableA` `TerminateProcess` `WaitForSingleObject` `CreateDirectoryA` `CreateMutexA` `ReleaseMutex` `OutputDebugStringA` `GetFileTime` `GetDiskFreeSpaceExA` `GetDiskFreeSpaceA` `SetEnvironmentVariableA` `CompareStringW` `CompareStringA` `GetStringTypeW` `GetStringTypeA` `CreateFileA` `lstrlenA` `GetFileInformationByHandle` `CloseHandle` `FileTimeToLocalFileTime` `FileTimeToDosDateTime` `GetFileAttributesA` `GetWindowsDirectoryW` `IsBadCodePtr` `IsBadReadPtr` `GetOEMCP` `GetACP` `GetCPInfo` `GetEnvironmentStringsW` `GetEnvironmentStrings` `FreeEnvironmentStringsW` `FreeEnvironmentStringsA` `HeapAlloc` `HeapFree` `GetFileType` `EnterCriticalSection` `LeaveCriticalSection` `RaiseException` `RtlUnwind` `ResumeThread` `CreateThread` `TlsSetValue` `TlsGetValue` `ExitThread` `InterlockedDecrement` `InterlockedIncrement` `GetCommandLineA` `GetVersion` `GetCurrentProcess` `HeapReAlloc` `HeapSize` `HeapDestroy` `HeapCreate` `VirtualFree` `VirtualAlloc` `IsBadWritePtr` `InitializeCriticalSection` `DeleteCriticalSection` `GetCurrentThreadId` `TlsAlloc` `TlsFree` `SetStdHandle` `SetEndOfFile` `SetHandleCount` `GetStdHandle` `GetStartupInfoA` `FlushFileBuffers` `SetUnhandledExceptionFilter` `UnhandledExceptionFilter` `WideCharToMultiByte` `LCMapStringA` `LCMapStringW`
USER32.dll	`DefWindowProcA` `wsprintfA` `RegisterClassExA` `CreateWindowExA` `SendMessageA` `CharLowerBuffA` `wsprintfW` `GetMessageA` `TranslateMessage` `DispatchMessageA`
ADVAPI32.dll	`RegEnumValueA` `RegDeleteValueA` `RegCreateKeyA` `RegQueryValueExA` `RegSetValueExA` `RegCreateKeyExA` `RegCloseKey`
RPCRT4.dll	`UuidToStringA` `UuidCreate` `RpcStringFreeA`
WS2_32.dll	`inet_ntoa` `gethostbyname` `WSAStartup` `WSACleanup`

Delayed Imports

Entry

Ordinal	`1`
Address	`0x4010`

AddAtomT

Ordinal	`2`
Address	`0x4070`

AddAtomS

Ordinal	`3`
Address	`0x4340`

102

Type	`CONFIG`
Language	Russian - Russia
Codepage	UNKNOWN
Size	`0xe0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0.49343`
MD5	`231068ae08cc477691e0293a95fba6ed`
SHA1	`c25dfbb61e7b4c1d6bdf16bd45f8237fd7b59e8b`
SHA256	`8bf39d6f8c0e8e71f8ed59bc5b13b9a10ec0eaa2d60c58b05a98c172c286e1f5`
SHA3	`7f3eff3287d5a80cefb442e39add43c8c6fd80b613c53aefc4c46c122626a46b`

1

Type	`RT_CURSOR`
Language	Russian - Russia
Codepage	UNKNOWN
Size	`0x134`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.14151`
MD5	`216372bfc20f8f32318ef19b09cd2e16`
SHA1	`1e07e5f0b44d56a91e40f2d72e85a5b7b3560a96`
SHA256	`946370032ee874d7b229ac7cb89703f59dee1de76607bcc6bd82d8e437cc8074`
SHA3	`97b6a32531803fd1e6502cd2af2e464828db6b2b39190c346aa9b9cbea5693be`

2

Type	`RT_CURSOR`
Language	Russian - Russia
Codepage	UNKNOWN
Size	`0x134`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.14151`
MD5	`216372bfc20f8f32318ef19b09cd2e16`
SHA1	`1e07e5f0b44d56a91e40f2d72e85a5b7b3560a96`
SHA256	`946370032ee874d7b229ac7cb89703f59dee1de76607bcc6bd82d8e437cc8074`
SHA3	`97b6a32531803fd1e6502cd2af2e464828db6b2b39190c346aa9b9cbea5693be`

103

Type	`RT_GROUP_CURSOR`
Language	Russian - Russia
Codepage	UNKNOWN
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.83876`
Detected Filetype	Cursor file
MD5	`a2baa01ccdea3190e4998a54dbc202a4`
SHA1	`e8217df98038141ab4e449cb979b1c3bbea12da3`
SHA256	`c53efa8085835ba129c1909beaff8a67b45f50837707f22dfff0f24d8cd26710`
SHA3	`8874564c406835306368adf5e869422e1bb97109b97c1499caa8af219990e8dc`
Preview

104

Type	`RT_GROUP_CURSOR`
Language	Russian - Russia
Codepage	UNKNOWN
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.91924`
Detected Filetype	Cursor file
MD5	`aff0f5e372bd49ceb9f615b9a04c97df`
SHA1	`e3205724d7ee695f027ab5ea8d8e1a453aaad0dd`
SHA256	`b07e022f8ef0a8e5fd3f56986b2e5bf06df07054e9ea9177996b0a6c27d74d7c`
SHA3	`9cb042121a5269b80d18c3c5a94c0e453890686aedade960097752377dfa9712`
Preview

1 (#2)

Type	`RT_VERSION`
Language	Russian - Russia
Codepage	UNKNOWN
Size	`0x364`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.4665`
MD5	`d6ef4e31aa352a54d1515a57804604c1`
SHA1	`3d6668ce771a954152c867717672b5437d1bc88c`
SHA256	`96297a8f9c64719132e6eb427c3e655e5c22294e55715fd3116f39c42cb9703f`
SHA3	`63b5d275fde61066a867c2ef300535e8204389538258ec3edcf270f6510f58da`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	5.0.3805.0
ProductVersion	1.0.0.1
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_DLL`
Language	English - United States
CompanyName	Microsoft Corporation
FileDescription	Java Virtual Mashine
FileVersion (#2)	5.00.3805.0000
InternalName	MSJAVAVM
LegalCopyright	Copyright (C) Microsoft Corp. 1997-2000.
OriginalFilename	MsJavaVM.dll
ProductName	Microsoft(R) Windows (R) Operating System
ProductVersion (#2)	5.00.3805.0000

Resource LangID	Russian - Russia

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x92def87d`
Unmarked objects	`0`
C++ objects (8047)	`1`
12 (7291)	`3`
C objects (VS98 SP6 build 8804)	`122`
14 (7299)	`24`
Imports (2179)	`11`
Total imports	`153`
C++ objects (VS98 SP6 build 8804)	`21`
Resource objects (VS98 SP6 cvtres build 1736)	`1`
Linker (VC++ 6.0 SP5 imp/exp build 8447)	`1`

448524fd62dec1151c75b55b86587784

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.rsrc

.reloc

Imports

Delayed Imports

Entry

AddAtomT

AddAtomS

102

1

2

103

104

1 (#2)

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors