Manalyze report for 5733177bcf16ee78b99543c9b0ab81ea

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2008-Apr-14 00:11:25
Detected languages	English - United States
Debug artifacts	msctfime.pdb
CompanyName	Microsoft Corporation
FileDescription	Microsoft Text Frame Work Service IME
FileVersion	`5.1.2600.5512 (xpsp.080413-2105)`
InternalName	MSCTFIME
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	MSCTFIME.IME
ProductName	Microsoft® Windows® Operating System
ProductVersion	`5.1.2600.5512`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 7.1` `Microsoft Visual C++ 6.0 - 8.0` `Microsoft Visual C++ 7.0 DLL`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExA LoadLibraryA LoadLibraryW` `Can access the registry: RegOpenKeyExA RegCloseKey RegQueryValueExW RegCreateKeyExA RegSetValueExA RegQueryValueExA` `Functions related to the privilege level: CheckTokenMembership` `Can take screenshots: GetDC BitBlt CreateCompatibleDC`

Hashes

MD5	`5733177bcf16ee78b99543c9b0ab81ea`
SHA1	`434c43fc87679a37aa054c0c18e190ccb39a4439`
SHA256	`6504d3d665ac8ab27a44f863f9c1a23ff3b68eac0512f418712cc0d56f739e24`
SHA3	`b8ad13d4c9c2357d35550219954db299ad7af2fe4fb19ecd076cc3ba677de2bc`
SSDeep	`3072:italxxzZLwxUPpwrBxNuUoN+Y+pRNFocH129+jWUR8COMDCK3:aI3ZsxLHwfOhH2+qUuCWE`
Imports Hash	`464eb2235972f816249ede204068b8db`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`4`
TimeDateStamp	2008-Apr-14 00:11:25
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`7.1`
SizeOfCode	`0x26c00`
SizeOfInitializedData	`0x4800`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00019FE1 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x28000`
ImageBase	`0x755c0000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.1`
ImageVersion	`5.1`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x2e000`
SizeOfHeaders	`0x400`
Checksum	`0x2d2b7`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x40000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`56f4678d7990847d914ff7aed52cfcdf`
SHA1	`c0f8251a712ab554ddef0b72b8b7390bee0760bb`
SHA256	`7a4fefca596716b975b2273368a01a7d09bbffd3031815098d9f278c8a99cc79`
SHA3	`9fa39d3835dc9fbe5bdd5bcbc776ea34b7d66d74ef92f6516b1a50593c881073`
VirtualSize	`0x26a59`
VirtualAddress	`0x1000`
SizeOfRawData	`0x26c00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.54601`

.data

MD5	`b1fda7a92dda5f7fc4589fcbc5e35e5a`
SHA1	`14efd72c83bf5606b5fd0303ffd228693212bcf9`
SHA256	`67ccb8aca6930ee915866863f3d784f75fbc055cd681eb07ed4659fe6c0d5a95`
SHA3	`8d9cf417bc195d2a7de14ecbe5099472f611db8285ccffe38bac7f8769d265ec`
VirtualSize	`0x568`
VirtualAddress	`0x28000`
SizeOfRawData	`0x200`
PointerToRawData	`0x27000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.02323`

.rsrc

MD5	`abad6f06caf759dcb82931a87598dc70`
SHA1	`afa86c9f69a977546cddfb1ada6b3704568c839f`
SHA256	`627cac3085e816b73ddb8fa05ff62d45b180a4d0ae7a13468d6b7cb13d3181ec`
SHA3	`89855b9a9782cc75ba0f57453053cde03d4a1dcbd71aa42b96df9687e13c1b53`
VirtualSize	`0x1528`
VirtualAddress	`0x29000`
SizeOfRawData	`0x1600`
PointerToRawData	`0x27200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.16257`

.reloc

MD5	`5dd8b0b3d31f86f212004c5129de3be8`
SHA1	`4a6f287d9dbb559a04d87ff6893ca600c25c1848`
SHA256	`c353e45f27089c1f5166dd84169fe965fd4227c4e1b116ecec7d3e7c4a525f0e`
SHA3	`18c3292b3474765235e53fae0868b2046bc9bacf04a996d144c43d71da2ee636`
VirtualSize	`0x2ba0`
VirtualAddress	`0x2b000`
SizeOfRawData	`0x2c00`
PointerToRawData	`0x28800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.28616`

Imports

msvcrt.dll	`strncmp` `_vsnprintf` `_ftol` `_except_handler3` `wcsncpy` `_adjust_fdiv` `malloc` `_initterm` `free` `wcscpy` `memmove` `wcstoul`
USER32.dll	`DrawTextExW` `DrawTextExA` `RegisterWindowMessageA` `UnregisterClassW` `LoadIconA` `LoadCursorA` `GetClassInfoExW` `RegisterClassExW` `GetActiveWindow` `GetCaretBlinkTime` `BeginPaint` `EndPaint` `GetSysColor` `CreateWindowExW` `GetSystemMetrics` `MapWindowPoints` `SetWindowPos` `DestroyWindow` `GetCursorPos` `MoveWindow` `IsWindowVisible` `ShowWindow` `LoadImageA` `DestroyIcon` `PtInRect` `ScreenToClient` `InvalidateRect` `SetWindowLongA` `DefWindowProcA` `KillTimer` `SetTimer` `GetWindowLongA` `SystemParametersInfoA` `GetDC` `SetRect` `ReleaseDC` `GetClientRect` `ClientToScreen` `PostMessageW` `PostMessageA` `GetFocus` `IsWindow` `ToUnicode` `GetKeyboardLayout` `CreateWindowExA` `ReleaseCapture` `SetCapture` `AdjustWindowRectEx` `WindowFromPoint` `RegisterClassExA` `GetClassInfoExA` `SetCursor` `GetDoubleClickTime` `DrawEdge` `DrawIconEx` `FillRect` `GetIconInfo` `OffsetRect` `InflateRect` `IntersectRect` `GetSysColorBrush` `DrawStateA` `FrameRect` `GetCursor` `GetKeyState` `keybd_event` `SendMessageW` `IsWindowUnicode` `GetWindowRect` `SendMessageA` `GetKeyboardState`
ADVAPI32.dll	`RegOpenKeyExA` `RegCloseKey` `RegQueryValueExW` `RegCreateKeyExA` `RegSetValueExA` `FreeSid` `AllocateAndInitializeSid` `CheckTokenMembership` `RegQueryValueExA`
KERNEL32.dll	`WideCharToMultiByte` `IsDBCSLeadByteEx` `GetLocaleInfoW` `GetProcAddress` `InitializeCriticalSectionAndSpinCount` `DeleteCriticalSection` `TlsAlloc` `TlsFree` `GetVersionExA` `GetACP` `QueryPerformanceCounter` `GetTickCount` `GetCurrentThreadId` `GetCurrentProcessId` `GetSystemTimeAsFileTime` `TerminateProcess` `GetCurrentProcess` `MultiByteToWideChar` `SetUnhandledExceptionFilter` `FreeLibrary` `LeaveCriticalSection` `EnterCriticalSection` `LoadLibraryExA` `lstrcmpA` `LocalFree` `LocalAlloc` `IsBadWritePtr` `lstrlenA` `lstrlenW` `lstrcpynA` `GetSystemDirectoryA` `GetSystemWindowsDirectoryA` `GetSystemDirectoryW` `GetSystemWindowsDirectoryW` `GetModuleHandleA` `LoadLibraryA` `GetModuleHandleW` `LoadLibraryW` `LocalReAlloc` `GetLastError` `InterlockedDecrement` `InterlockedIncrement` `TlsGetValue` `TlsSetValue` `GetModuleFileNameA` `LoadResource` `FindResourceA` `GetSystemDefaultLangID` `EnumResourceLanguagesA` `GetWindowsDirectoryA` `UnhandledExceptionFilter`
GDI32.dll	`Polyline` `BitBlt` `CreateFontIndirectW` `CreateFontIndirectA` `SelectObject` `GetTextMetricsA` `DeleteObject` `MoveToEx` `ExtCreatePen` `GetTextColor` `SetTextColor` `SetBkColor` `PatBlt` `DeleteDC` `SetViewportOrgEx` `CreateCompatibleBitmap` `GetDeviceCaps` `CreateCompatibleDC` `SetBkMode` `CreatePen` `CreateFontA` `CreateSolidBrush` `CreateDCA` `CreateDIBSection` `CreateRectRgn` `GetClipRgn` `IntersectClipRect` `ExtSelectClipRgn` `GetViewportExtEx` `GetWindowExtEx` `GetTextExtentPointA` `GetTextExtentPoint32W` `GetTextAlign` `SetTextAlign` `ExtTextOutA` `ExtTextOutW` `GetObjectA` `TranslateCharsetInfo` `GetCurrentObject` `GetObjectW` `CreateBitmap` `CreateBrushIndirect` `LineTo` `GetStockObject`
IMM32.dll	`ImmDestroyIMCC` `ImmNotifyIME` `ImmEnumInputContext` `ImmGetContext` `ImmGetDefaultIMEWnd` `ImmSetConversionStatus` `ImmGetAppCompatFlags` `ImmSetCompositionStringW` `ImmGetProperty` `ImmCreateIMCC` `ImmLockIMC` `ImmUnlockIMC` `ImmLockIMCC` `ImmUnlockIMCC` `ImmGetIMCCSize` `ImmReSizeIMCC` `ImmRequestMessageA` `ImmSetOpenStatus` `ImmGetCompositionFontA` `ImmGetCompositionStringW` `CtfImmGenerateMessage` `CtfImmIsCiceroStartedInThread`

Delayed Imports

CtfImeDispatchDefImeMessage

Ordinal	`1`
Address	`0x13818`

CtfImeCreateInputContext

Ordinal	`2`
Address	`0x19699`

CtfImeCreateThreadMgr

Ordinal	`3`
Address	`0x19590`

CtfImeDestroyInputContext

Ordinal	`4`
Address	`0x1913a`

CtfImeDestroyThreadMgr

Ordinal	`5`
Address	`0x1961b`

CtfImeEscapeEx

Ordinal	`6`
Address	`0x196fe`

CtfImeGetGuidAtom

Ordinal	`7`
Address	`0x19737`

CtfImeInquireExW

Ordinal	`8`
Address	`0x19548`

CtfImeIsGuidMapEnable

Ordinal	`9`
Address	`0x1931a`

CtfImeIsIME

Ordinal	`10`
Address	`0x1976b`

CtfImeProcessCicHotkey

Ordinal	`11`
Address	`0x19979`

CtfImeSelectEx

Ordinal	`12`
Address	`0x192c5`

CtfImeSetActiveContextAlways

Ordinal	`13`
Address	`0x196c7`

CtfImeThreadDetach

Ordinal	`14`
Address	`0x19365`

ImeConfigure

Ordinal	`15`
Address	`0x1940e`

ImeConversionList

Ordinal	`16`
Address	`0x190c5`

ImeDestroy

Ordinal	`17`
Address	`0x190cf`

ImeEnumRegisterWord

Ordinal	`18`
Address	`0x190c5`

ImeEscape

Ordinal	`19`
Address	`0x76f9`

ImeGetRegisterWordStyle

Ordinal	`20`
Address	`0x19120`

ImeInquire

Ordinal	`21`
Address	`0x76f9`

ImeProcessKey

Ordinal	`22`
Address	`0x19899`

ImeRegisterWord

Ordinal	`23`
Address	`0x76f9`

ImeSelect

Ordinal	`24`
Address	`0x19120`

ImeSetActiveContext

Ordinal	`25`
Address	`0x19120`

ImeSetCompositionString

Ordinal	`26`
Address	`0x1946d`

ImeToAsciiEx

Ordinal	`27`
Address	`0x194af`

ImeUnregisterWord

Ordinal	`28`
Address	`0x76f9`

NotifyIME

Ordinal	`29`
Address	`0x19507`

UIWndProc

Ordinal	`30`
Address	`0x1912a`

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x2e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`1.56329`
MD5	`20958172d74698e016eadeb3f305e0a7`
SHA1	`f9fe9226564ad85f907194c8a531f432758af3e4`
SHA256	`6bc2b30e10d6a36a60b84e97cecd6c76ca55d5556c7bd1e345ee3c689b0e73fb`
SHA3	`9079ce392f1751398774d71dc88a42f2c895bd949f92167869cb2a83c307d449`

2

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x368`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.79904`
MD5	`6278856a609f9a1f9caba64036219092`
SHA1	`e7745549eee0d3c9350d85c675225d9ab3208812`
SHA256	`4ac1c29d2793fba884d57dbb1f1b92769eee61f790a1e7aed269683a3a4790f8`
SHA3	`47ae47a1e727ff2c5a594612d34edb3141111a98c9e657b22e62733b30e07be7`

3

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x568`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.78844`
MD5	`7728b89d613a1679a86d04fdee111bb4`
SHA1	`c6bc9fe8b0046ee1cbea791bb62f6db4ae5e1a8b`
SHA256	`9f69a070398a88504cbad257b22643de50dd4ca51e418c7767e938532f5756f5`
SHA3	`d410a67794e8bbb5b6b566c6abd04c62c2e7d769cafa96eb62324127f623178d`

7

Type	`RT_STRING`
Language	English - United States
Codepage	UNKNOWN
Size	`0x64`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.79435`
MD5	`db031a96dba58aef036c00f15c630a50`
SHA1	`0458bf61ba5f459fd8e727981190465c09b633ab`
SHA256	`02d82f38979ca58ddb6f25817d968e02de68593e5cbc3c87b3cd8ceac9832db5`
SHA3	`56d169f07348a69f547cc28a2f5639100ba20575db392e33aeea76d7bd36550a`

33

Type	`RT_STRING`
Language	English - United States
Codepage	UNKNOWN
Size	`0x64`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.44698`
MD5	`ec5476a4bc31d467f76abd044a05168e`
SHA1	`14dfab5694192dcc144aa0e8d7af78afa1fda197`
SHA256	`be7e07151c4a839231142855ac0e2e66be7bf21b237ea0f6fe6db3b3d4069a8c`
SHA3	`89aea4781c3ca369aa1842561de1d6802828ce675cb57a81e4e29997d68207ed`

256

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x14`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.16096`
Detected Filetype	Icon file
MD5	`42cf62b780813706e75fb9f2b2e8c258`
SHA1	`a022d5c1cfdd8aace0089f3e72f2eedd41bda464`
SHA256	`a0c9d012e2bf6b2fe05c2d97cb5594d97cf2f539e97935c12abd7a3562f4d9bf`
SHA3	`0aafc8e3d8b6bde595537da4ffe0efc5fe53f01dafe336a2a5828b6a71283d3c`

257

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x22`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.32824`
Detected Filetype	Icon file
MD5	`510dcc2344434f652449e31fce16f0fe`
SHA1	`535b66c645f50a07b0e3a2acfcb98a78d1cdd3fc`
SHA256	`17aac386f4b3c05d83edfde36300e7e9c774aaf6b7885d98842fc5ee1403f00f`
SHA3	`ad4ea962d297963c351bf8c4dafbd8db8e495d3dd9c6b2b04efd1643802ee912`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x3a4`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.56529`
MD5	`f068f6c4143c317bc6bef3ca73ff18cb`
SHA1	`14abc2c52e462f12c3a087633911a93ef748b5c7`
SHA256	`a2eb37482800d8da0f61a2f26e67a8f86fe343c2201505ed4e0b5598b9d90e68`
SHA3	`fd6b85ce74c86b885b3795780241121ec461eb9e4706fe8b20cee9348af0a057`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x278`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.89809`
MD5	`2e97a7ad434a4e932574cbb453792884`
SHA1	`94aaeb36512a19f4da8b467c60af9a238db00ecd`
SHA256	`f9de6bf1ab7efc8ba5a58f6263f1444b3a198950b2b1788ec46d533d80df20a7`
SHA3	`27640e216a72cee332c69d968302e3d08f108dc66d122dece91190cd6c6877af`

String Table contents

OK
Cancel
&Abort
&Retry
&Ignore
&Yes
&No
Enter
Finalize the string
Conversion

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	5.1.2600.5512
ProductVersion	5.1.2600.5512
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_DRV`
FileSubtype	VFT2_DRV_INPUTMETHOD
Language	UNKNOWN
CompanyName	Microsoft Corporation
FileDescription	Microsoft Text Frame Work Service IME
FileVersion (#2)	5.1.2600.5512 (xpsp.080413-2105)
InternalName	MSCTFIME
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	MSCTFIME.IME
ProductName	Microsoft® Windows® Operating System
ProductVersion (#2)	5.1.2600.5512

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2008-Apr-13 18:39:30
Version	`0.0`
SizeofData	`37`
AddressOfRawData	`0x4398`
PointerToRawData	`0x3798`
Referenced File	msctfime.pdb

TLS Callbacks

Load Configuration

Size	`0x48`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x755e8050`
SEHandlerTable	`0x755c43c0`
SEHandlerCount	`1`

RICH Header

XOR Key	`0xb7ba2ba6`
Unmarked objects	`0`
Total imports	`238`
Imports (VS2003 (.NET) build 4035)	`13`
ASM objects (VS2003 (.NET) build 4035)	`2`
Exports (VS2003 (.NET) build 4035)	`1`
94 (VS2003 (.NET) build 4035)	`1`
C objects (VS2003 (.NET) build 4035)	`18`
C++ objects (VS2003 (.NET) build 4035)	`69`
Linker (VS2003 (.NET) build 4035)	`1`

Errors

[!] Error: [plugin_virustotal] VirusTotal API request rate limit reached!