Manalyze report for 5c0c1b4c3b1cfd455ac05ace994aed4b

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2017-Aug-12 09:20:38
Detected languages	Korean - Korea
Comments
CompanyName	Microsoft Corporation
FileDescription	WMI Provider Thread & Log Library
FileVersion	`10.0.10586.0 (th2_release.151029-1700)`
InternalName	provthrd.dll
LegalCopyright	Copyright ⓒ 2017
LegalTrademarks
OriginalFilename	provthrd.dll
PrivateBuild
ProductName	Microsoft Windows Operating System
ProductVersion	`10, 0, 10586, 0`
SpecialBuild

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ v6.0 DLL` `Microsoft Visual C++ 6.0 DLL (Debug)` `Microsoft Visual C++ 6.0 - 8.0` `Microsoft Visual C++ 6.0 DLL`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to MD5` `Uses constants related to SHA1`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: LoadLibraryA GetProcAddress` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot` `Memory manipulation functions often used by packers: VirtualAlloc VirtualProtect` `Enumerates local disk drives: GetVolumeInformationW`
Malicious	VirusTotal score: 38/67 (Scanned on 2019-09-08 22:57:41)	`MicroWorld-eScan: Gen:Variant.Graftor.487501` `McAfee: Trojan-HidCobra` `AegisLab: Trojan.Win32.Generic.4!c` `CrowdStrike: win/malicious_confidence_100% (W)` `Alibaba: Trojan:Win32/Autophyte.33075565` `K7GW: Trojan ( 0052cf421 )` `Symantec: Trojan.Gen.MBT` `ESET-NOD32: a variant of Win32/NukeSped.AU` `APEX: Malicious` `Paloalto: generic.ml` `Kaspersky: HEUR:Trojan.Win32.Generic` `BitDefender: Gen:Variant.Graftor.487501` `Rising: Trojan.Agent!8.B1E (TFE:6:TEbwi7SsEO)` `Endgame: malicious (high confidence)` `Sophos: Mal/Generic-S` `F-Secure: Trojan.TR/NukeSped.ngrmb` `TrendMicro: TROJ_GEN.R002C0DI819` `McAfee-GW-Edition: BehavesLike.Win32.Backdoor.fc` `Trapmine: suspicious.low.ml.score` `FireEye: Generic.mg.5c0c1b4c3b1cfd45` `Emsisoft: Gen:Variant.Graftor.487501 (B)` `SentinelOne: DFI - Suspicious PE` `Avira: TR/NukeSped.ngrmb` `Fortinet: W32/Generic.AU!tr` `Arcabit: Trojan.Graftor.D7704D` `ZoneAlarm: HEUR:Trojan.Win32.Generic` `Microsoft: Trojan:Win32/Autophyte.E!dha` `AhnLab-V3: Backdoor/Win32.Akdoor.R206603` `Acronis: suspicious` `ALYac: Gen:Variant.Graftor.487501` `MAX: malware (ai score=87)` `Ad-Aware: Gen:Variant.Graftor.487501` `Cylance: Unsafe` `TrendMicro-HouseCall: TROJ_GEN.R002C0DI819` `GData: Gen:Variant.Graftor.487501` `AVG: FileRepMalware` `Panda: Trj/GdSda.A` `Qihoo-360: Win32/Trojan.c53`

Hashes

MD5	`5c0c1b4c3b1cfd455ac05ace994aed4b`
SHA1	`69cda1f1adeeed455b519f9cf188e7787b5efa07`
SHA256	`8a1d57ee05d29a730864299376b830a7e127f089e500e148d96d0868b7c5b520`
SHA3	`4d17870769a8f94e6d374a5c2ea93a930065de5e7da20c5f022192c851bb6e0f`
SSDeep	`6144:aR3SGkuDrOZm5Te5EXzO7h2ZMB6zJJ+KFvmjyFdzDs0dRb83hYnOQSzS7:aVSWrOZm5TeOjVMoJFFv+mdzDs+kYnO`
Imports Hash	`3ca68e2a005e05e2c4831de87ae091c0`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2017-Aug-12 09:20:38
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x19000`
SizeOfInitializedData	`0x3e000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0001934A (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x1a000`
ImageBase	`0x10000000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x58000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`83b06d297acb20b05505da2d09905abd`
SHA1	`9d3649ea26dfadc11c22304af31f1b55e5536bf7`
SHA256	`ef21b2eda360be80d4ef2e139f71c3391480879d3d0e773f00642a1b46090c8e`
SHA3	`7e93df9d10c691e597e49a59c32e91d47152d590c12f56c7e14387ebf1208aab`
VirtualSize	`0x184d5`
VirtualAddress	`0x1000`
SizeOfRawData	`0x19000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.52351`

.rdata

MD5	`b2e739b37837f1c2b941660711daf98f`
SHA1	`680d68ed7b7f69f8771ba6c73d6aff1869b481bb`
SHA256	`b9e179d6533b5156329bae0bd53346d2e9fb311b1b3d5b65fda4815aec663a5e`
SHA3	`0633afa219119cfa09c3f8ff3a77438e3f275524250afc247997ac1d905935c8`
VirtualSize	`0x36cb`
VirtualAddress	`0x1a000`
SizeOfRawData	`0x4000`
PointerToRawData	`0x1a000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.95191`

.data

MD5	`cd8aa1387168caeb4604401aedb143eb`
SHA1	`44ad77692aef18a2a490100b3ac3c290db468090`
SHA256	`12ba1a7d57bda508846887538f6dda3d9c3657597edac0cc9754f58d79e11275`
SHA3	`f142e5e69cb48494b61764fd61435e6b679cc8242835274df52f6df739d1890e`
VirtualSize	`0x3370`
VirtualAddress	`0x1e000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x1e000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.7186`

.rsrc

MD5	`8840ce03428c311935a20ac968c10ce7`
SHA1	`3f9fdc5e3e74306bea21721e4b9bc10151030981`
SHA256	`6e8f4c56d6674dbc7a29646a0c07efb6648b45052a04221c77aa29e82e0c835a`
SHA3	`417db688d04dcdabdfb0eb90e4c020c96268446a7caf2d4e5a24f48de58776ca`
VirtualSize	`0x34250`
VirtualAddress	`0x22000`
SizeOfRawData	`0x35000`
PointerToRawData	`0x1f000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`7.88822`

.reloc

MD5	`2f0ede5fcdada29ec11ad8cd25c53f77`
SHA1	`9267b1c2f34dc2952f1467be74de24a87e7da767`
SHA256	`f49e8149be66f57608a888d6bf3626f870f2713f095ed34b7863e8b3490ae353`
SHA3	`03ab2e2a60c703709491eaec42d4cc3982ef62c9bd649bd2541a932c038d89ce`
VirtualSize	`0xfc6`
VirtualAddress	`0x57000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x54000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`4.92378`

Imports

KERNEL32.dll	`GetProcessHeap` `VirtualAlloc` `VirtualProtect` `VirtualFree` `IsBadReadPtr` `HeapFree` `FreeLibrary` `CloseHandle` `CreateThread` `LocalFree` `FreeLibraryAndExitThread` `Sleep` `ReadFile` `LocalAlloc` `GetFileSize` `CreateFileW` `GetSystemDirectoryW` `GetModuleHandleW` `HeapAlloc` `Module32FirstW` `CreateToolhelp32Snapshot` `FileTimeToLocalFileTime` `GetTickCount` `GetSystemInfo` `GetVersionExW` `WideCharToMultiByte` `CreateDirectoryW` `CopyFileW` `FileTimeToSystemTime` `GetACP` `lstrlenW` `LoadLibraryA` `GetVolumeInformationW` `GetProcAddress`
USER32.dll	`wsprintfW` `GetSystemMetrics`
ADVAPI32.dll	`SetServiceStatus` `RegisterServiceCtrlHandlerW`
MSVCRT.dll	`wcschr` `rand` `srand` `__CxxFrameHandler` `fclose` `fwprintf` `_wfopen` `wcsrchr` `wcstombs` `memcpy` `strlen` `memset` `memmove` `memcmp` `malloc` `strstr` `sscanf` `localtime` `time` `__dllonexit` `_onexit` `_initterm` `_adjust_fdiv` `_wcsicmp` `wcscat` `wcsncpy` `swprintf` `_wtoi` `_waccess` `wcscpy` `wcslen` `_vsnwprintf` `wcsncmp` `free` `realloc` `strncmp` `??3@YAXPAX@Z` `wcscmp`

Delayed Imports

ServiceCtrlHandler

Ordinal	`1`
Address	`0x7bc0`

DllMain

Ordinal	`2`
Address	`0x7b20`

ServiceMain

Ordinal	`3`
Address	`0x7c40`

102

Type	`IMAG`
Language	Korean - Korea
Codepage	UNKNOWN
Size	`0x4608`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.91241`
Detected Filetype	Photoshop Graphics
MD5	`ef39af37c34bff9eb233a50c59f240ae`
SHA1	`2ff9195abc2e91cc41bf0e7b66fbf3f7e2493a95`
SHA256	`dc179bcdd1202703b7c191fed6ceef9f68b4780e1bdf7a127af4b2b0a2111ec4`
SHA3	`095273ff88471c01981cd4fd79ec8ffc2de6dc4316912626a3b92922f378543d`

103

Type	`JPG`
Language	Korean - Korea
Codepage	UNKNOWN
Size	`0x1dfb`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.92767`
Detected Filetype	JPEG graphic file
MD5	`fef5171f68ee0efc89008b935686ac9d`
SHA1	`b0be11fca06340aa6d162d1963c4a3c89b1982d4`
SHA256	`8c6088c8aafa76d88560418d45a4dfdabccabe8d28f0987d251e986a43f574dd`
SHA3	`457f26b360d2197c7492275595bf8d7d0591cf74c33a10c67a1cd32083bd2d13`

104

Type	`PNG`
Language	Korean - Korea
Codepage	UNKNOWN
Size	`0x1a933`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.98736`
Detected Filetype	PNG graphic file
MD5	`f220804c3c6ca2fdca0a0c659890d137`
SHA1	`0bd61e734963725c60b4a633e7f49da2873303dd`
SHA256	`1ae73567ccfb0c04427bbbcecbcf3d6ce4a4d9ae8253e5c40d7ba434356131dc`
SHA3	`6c92cb55a9e529ddc565e69decfe0727d1bab65b0e059b3cddd45c52af90a864`

105

Type	`PNG1`
Language	Korean - Korea
Codepage	UNKNOWN
Size	`0x12f76`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`7.98988`
Detected Filetype	PNG graphic file
MD5	`bc87328afdf43333a981c50c406fc103`
SHA1	`76abcf2da3be549b7dc7ffe9429d564f9ed447f1`
SHA256	`19fa7b8ea654c7ff3d2062a4342203abbda53938d2ea8001ec61bdf52fb5c23d`
SHA3	`f6b9e406762fd3643d7e0722d2076e4d8f628674996217ff0dec84a94c0ab1e3`

1

Type	`RT_VERSION`
Language	Korean - Korea
Codepage	UNKNOWN
Size	`0x3f8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.48362`
MD5	`0301de03da83ef4a486ff993f4b063b1`
SHA1	`8979cb9f6792f822070665c8a6f6b4454d658fb7`
SHA256	`029c96679cd66ebf7c9882f3632db37a60fe788dd31563a605856239cd7f84dd`
SHA3	`026e512ccb61ac34df3f8575d87fa354390ef6045d157cc730ae8e9694a5123b`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	10.0.10586.0
ProductVersion	10.0.10586.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_DLL`
Language	Korean - Korea
Comments
CompanyName	Microsoft Corporation
FileDescription	WMI Provider Thread & Log Library
FileVersion (#2)	10.0.10586.0 (th2_release.151029-1700)
InternalName	provthrd.dll
LegalCopyright	Copyright ⓒ 2017
LegalTrademarks
OriginalFilename	provthrd.dll
PrivateBuild
ProductName	Microsoft Windows Operating System
ProductVersion (#2)	10, 0, 10586, 0
SpecialBuild

Resource LangID	Korean - Korea

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xe4e836e1`
Unmarked objects	`0`
14 (7299)	`5`
12 (7291)	`3`
Imports (VS2003 (.NET) build 4035)	`7`
Total imports	`115`
C objects (VS98 build 8168)	`19`
C++ objects (VS98 build 8168)	`10`
Resource objects (VS98 cvtres build 1720)	`1`
Linker (VS98 build 8168)	`3`

5c0c1b4c3b1cfd455ac05ace994aed4b

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.rsrc

.reloc

Imports

Delayed Imports

ServiceCtrlHandler

DllMain

ServiceMain

102

103

104

105

1

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors