Architecture | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2017-Aug-12 09:20:38 |
Detected languages | Korean - Korea |
Comments | |
CompanyName | Microsoft Corporation |
FileDescription | WMI Provider Thread & Log Library |
FileVersion | 10.0.10586.0 (th2_release.151029-1700) |
InternalName | provthrd.dll |
LegalCopyright | Copyright ⓒ 2017 |
LegalTrademarks | |
OriginalFilename | provthrd.dll |
PrivateBuild | |
ProductName | Microsoft Windows Operating System |
ProductVersion | 10, 0, 10586, 0 |
SpecialBuild | |
Info | Matching compiler(s): Microsoft Visual C++ v6.0 DLL; Microsoft Visual C++ 6.0 DLL (Debug); Microsoft Visual C++ 6.0 - 8.0; Microsoft Visual C++ 6.0 DLL |
Info | Cryptographic algorithms detected in the binary: uses constants related to CRC32; uses constants related to MD5; uses constants related to SHA1 |
Suspicious | The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports: |
Malicious | VirusTotal score: 38/67 (Scanned on 2019-09-08 22:57:41); per-engine detections are listed in the table below |

Engine | Detection |
---|---|
MicroWorld-eScan | Gen:Variant.Graftor.487501 |
McAfee | Trojan-HidCobra |
AegisLab | Trojan.Win32.Generic.4!c |
CrowdStrike | win/malicious_confidence_100% (W) |
Alibaba | Trojan:Win32/Autophyte.33075565 |
K7GW | Trojan ( 0052cf421 ) |
Symantec | Trojan.Gen.MBT |
ESET-NOD32 | a variant of Win32/NukeSped.AU |
APEX | Malicious |
Paloalto | generic.ml |
Kaspersky | HEUR:Trojan.Win32.Generic |
BitDefender | Gen:Variant.Graftor.487501 |
Rising | Trojan.Agent!8.B1E (TFE:6:TEbwi7SsEO) |
Endgame | malicious (high confidence) |
Sophos | Mal/Generic-S |
F-Secure | Trojan.TR/NukeSped.ngrmb |
TrendMicro | TROJ_GEN.R002C0DI819 |
McAfee-GW-Edition | BehavesLike.Win32.Backdoor.fc |
Trapmine | suspicious.low.ml.score |
FireEye | Generic.mg.5c0c1b4c3b1cfd45 |
Emsisoft | Gen:Variant.Graftor.487501 (B) |
SentinelOne | DFI - Suspicious PE |
Avira | TR/NukeSped.ngrmb |
Fortinet | W32/Generic.AU!tr |
Arcabit | Trojan.Graftor.D7704D |
ZoneAlarm | HEUR:Trojan.Win32.Generic |
Microsoft | Trojan:Win32/Autophyte.E!dha |
AhnLab-V3 | Backdoor/Win32.Akdoor.R206603 |
Acronis | suspicious |
ALYac | Gen:Variant.Graftor.487501 |
MAX | malware (ai score=87) |
Ad-Aware | Gen:Variant.Graftor.487501 |
Cylance | Unsafe |
TrendMicro-HouseCall | TROJ_GEN.R002C0DI819 |
GData | Gen:Variant.Graftor.487501 |
AVG | FileRepMalware |
Panda | Trj/GdSda.A |
Qihoo-360 | Win32/Trojan.c53 |
e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xe0 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 5 |
TimeDateStamp | 2017-Aug-12 09:20:38 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_DLL, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_LOCAL_SYMS_STRIPPED |
Magic | PE32 |
---|---|
LinkerVersion | 6.0 |
SizeOfCode | 0x19000 |
SizeOfInitializedData | 0x3e000 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x0001934A (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0x1a000 |
ImageBase | 0x10000000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x1000 |
OperatingSystemVersion | 4.0 |
ImageVersion | 0.0 |
SubsystemVersion | 4.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x58000 |
SizeOfHeaders | 0x1000 |
Checksum | 0 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
SizeOfStackReserve | 0x100000 |
SizeOfStackCommit | 0x1000 |
SizeOfHeapReserve | 0x100000 |
SizeOfHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
Library | Imported functions |
---|---|
KERNEL32.dll | GetProcessHeap, VirtualAlloc, VirtualProtect, VirtualFree, IsBadReadPtr, HeapFree, FreeLibrary, CloseHandle, CreateThread, LocalFree, FreeLibraryAndExitThread, Sleep, ReadFile, LocalAlloc, GetFileSize, CreateFileW, GetSystemDirectoryW, GetModuleHandleW, HeapAlloc, Module32FirstW, CreateToolhelp32Snapshot, FileTimeToLocalFileTime, GetTickCount, GetSystemInfo, GetVersionExW, WideCharToMultiByte, CreateDirectoryW, CopyFileW, FileTimeToSystemTime, GetACP, lstrlenW, LoadLibraryA, GetVolumeInformationW, GetProcAddress |
USER32.dll | wsprintfW, GetSystemMetrics |
ADVAPI32.dll | SetServiceStatus, RegisterServiceCtrlHandlerW |
MSVCRT.dll | wcschr, rand, srand, __CxxFrameHandler, fclose, fwprintf, _wfopen, wcsrchr, wcstombs, memcpy, strlen, memset, memmove, memcmp, malloc, strstr, sscanf, localtime, time, __dllonexit, _onexit, _initterm, _adjust_fdiv, _wcsicmp, wcscat, wcsncpy, swprintf, _wtoi, _waccess, wcscpy, wcslen, _vsnwprintf, wcsncmp, free, realloc, strncmp, ??3@YAXPAX@Z, wcscmp |
Ordinal | Address |
---|---|
1 | 0x7bc0 |
2 | 0x7b20 |
3 | 0x7c40 |
Signature | 0xfeef04bd |
---|---|
StructVersion | 0x10000 |
FileVersion | 10.0.10586.0 |
ProductVersion | 10.0.10586.0 |
FileFlags | (EMPTY) |
FileOs | VOS_DOS_WINDOWS32, VOS_NT, VOS_NT_WINDOWS32, VOS_WINCE, VOS__WINDOWS32 |
FileType | VFT_DLL |
Language | Korean - Korea |
Comments | |
CompanyName | Microsoft Corporation |
FileDescription | WMI Provider Thread & Log Library |
FileVersion (#2) | 10.0.10586.0 (th2_release.151029-1700) |
InternalName | provthrd.dll |
LegalCopyright | Copyright ⓒ 2017 |
LegalTrademarks | |
OriginalFilename | provthrd.dll |
PrivateBuild | |
ProductName | Microsoft Windows Operating System |
ProductVersion (#2) | 10, 0, 10586, 0 |
SpecialBuild | |
Resource LangID | Korean - Korea |
XOR Key | 0xe4e836e1 |
---|---|
Unmarked objects | 0 |
14 (7299) | 5 |
12 (7291) | 3 |
Imports (VS2003 (.NET) build 4035) | 7 |
Total imports | 115 |
C objects (VS98 build 8168) | 19 |
C++ objects (VS98 build 8168) | 10 |
Resource objects (VS98 cvtres build 1720) | 1 |
Linker (VS98 build 8168) | 3 |
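The XOR key in the Rich header table above is not a random value: the Microsoft linker computes it as a checksum over the DOS header and stub plus the (product id, build, use count) entries, and then uses that same value to mask every entry. Recomputing the checksum from the file is how a practitioner checks that a Rich header is genuine rather than copied from another binary or patched after linking. The following is an added example, not part of this report or of the tool that produced it: a pure-Python Rich header parser and checksum validator run against a constructed image prefix. The DOS header field values echo the report, the first two entries mirror the raw "14 (7299)" and "12 (7291)" rows, and everything else (the DOS stub, the remaining product ids and counts) is constructed for the example and is not the sample's data.

```python
import struct

DANS = 0x536E6144  # little-endian "DanS"
RICH = 0x68636952  # little-endian "Rich"

# Constructed (product id, build, use count) entries.  The first two mirror the
# raw "14 (7299) | 5" and "12 (7291) | 3" rows of the report; the other ids are
# stand-ins for the example, not taken from the sample.
CONSTRUCTED_ENTRIES = [
    (14, 7299, 5),
    (12, 7291, 3),
    (1, 4035, 7),
    (10, 8168, 19),
    (11, 8168, 10),
    (6, 1720, 1),
    (4, 8168, 3),
]


def rol32(v, n):
    """32-bit rotate left by n mod 32, as the linker's checksum does."""
    n &= 31
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF


def rich_checksum(dos_region, entries):
    """Checksum the linker stores as the Rich XOR key: seed with the DanS offset,
    add each DOS header/stub byte rotated by its offset (e_lfanew at 0x3C..0x3F
    is skipped), then add each comp id rotated by its use count."""
    csum = len(dos_region)  # dos_region = file bytes before "DanS"
    for i, b in enumerate(dos_region):
        if 0x3C <= i < 0x40:
            continue
        csum = (csum + rol32(b, i)) & 0xFFFFFFFF
    for prodid, build, count in entries:
        compid = ((prodid & 0xFFFF) << 16) | (build & 0xFFFF)
        csum = (csum + rol32(compid, count)) & 0xFFFFFFFF
    return csum


def build_rich_header(dos_region, entries):
    """Emit a Rich header whose key is the correct checksum for dos_region."""
    key = rich_checksum(dos_region, entries)
    words = [DANS ^ key, key, key, key]  # "DanS" and three zero pads, XOR-masked
    for prodid, build, count in entries:
        compid = ((prodid & 0xFFFF) << 16) | (build & 0xFFFF)
        words += [compid ^ key, count ^ key]
    words += [RICH, key]  # "Rich" marker and the key itself, in the clear
    return struct.pack("<%dI" % len(words), *words)


def constructed_dos_region(e_lfanew):
    """Constructed 0x80-byte DOS header + stub; a few fields echo the report."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<HHHHHH", hdr, 0x02, 0x90, 0x03, 0, 0x04, 0, 0xFFFF)
    struct.pack_into("<H", hdr, 0x10, 0xB8)  # e_sp
    struct.pack_into("<H", hdr, 0x18, 0x40)  # e_lfarlc
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            b"This program cannot be run in DOS mode.\r\r\n$").ljust(0x40, b"\0")
    return bytes(hdr + stub)


def build_sample():
    """Constructed image prefix: DOS region, then Rich header, then e_lfanew."""
    rich_len = 16 + 8 * len(CONSTRUCTED_ENTRIES) + 8
    dos_region = constructed_dos_region(0x80 + rich_len)
    return dos_region + build_rich_header(dos_region, CONSTRUCTED_ENTRIES)


def parse_rich_header(data):
    """Decode the Rich header; checksum_ok is False when the stored key no longer
    matches the DOS header and entries (header copied from another binary or patched)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    rich_off = data.rfind(b"Rich", 0x40, e_lfanew)
    if rich_off < 0 or rich_off + 8 > len(data):
        raise ValueError("no Rich header before the PE signature")
    key = struct.unpack_from("<I", data, rich_off + 4)[0]
    pos, dans_off = rich_off - 4, None  # walk back to the XOR-masked "DanS"
    while pos >= 0x40:
        if struct.unpack_from("<I", data, pos)[0] ^ key == DANS:
            dans_off = pos
            break
        pos -= 4
    if dans_off is None:
        raise ValueError("DanS marker not found")
    entries = []
    for pos in range(dans_off + 16, rich_off, 8):  # skip DanS + 3 pad dwords
        compid, count = struct.unpack_from("<II", data, pos)
        compid ^= key
        entries.append((compid >> 16, compid & 0xFFFF, count ^ key))
    ok = rich_checksum(data[:dans_off], entries) == key
    return {"key": key, "dans_offset": dans_off, "entries": entries, "checksum_ok": ok}
```

To run this against a real file, read the bytes and call `parse_rich_header(data)`; `checksum_ok` turning False while the entries still decode cleanly is the signature of a Rich header that was transplanted or edited, since the key is the only part the forger cannot keep consistent with a different DOS header. The product id to compiler name mapping that the report prints (VS98 build 8168 and so on) is a separate lookup table and is deliberately not reproduced here.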