5c0c1b4c3b1cfd455ac05ace994aed4b

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2017-Aug-12 09:20:38
Detected languages Korean - Korea
Comments
CompanyName Microsoft Corporation
FileDescription WMI Provider Thread & Log Library
FileVersion 10.0.10586.0 (th2_release.151029-1700)
InternalName provthrd.dll
LegalCopyright Copyright ⓒ 2017
LegalTrademarks
OriginalFilename provthrd.dll
PrivateBuild
ProductName Microsoft Windows Operating System
ProductVersion 10, 0, 10586, 0
SpecialBuild

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ v6.0 DLL
Microsoft Visual C++ 6.0 DLL (Debug)
Microsoft Visual C++ 6.0 - 8.0
Microsoft Visual C++ 6.0 DLL
Info Cryptographic algorithms detected in the binary: Uses constants related to CRC32
Uses constants related to MD5
Uses constants related to SHA1
Suspicious The PE contains functions most legitimate programs don't use.
[!] The program may be hiding some of its imports:
  • LoadLibraryA
  • GetProcAddress
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
Memory manipulation functions often used by packers:
  • VirtualAlloc
  • VirtualProtect
Enumerates local disk drives:
  • GetVolumeInformationW
Malicious VirusTotal score: 38/67 (Scanned on 2019-09-08 22:57:41)
MicroWorld-eScan: Gen:Variant.Graftor.487501
McAfee: Trojan-HidCobra
AegisLab: Trojan.Win32.Generic.4!c
CrowdStrike: win/malicious_confidence_100% (W)
Alibaba: Trojan:Win32/Autophyte.33075565
K7GW: Trojan ( 0052cf421 )
Symantec: Trojan.Gen.MBT
ESET-NOD32: a variant of Win32/NukeSped.AU
APEX: Malicious
Paloalto: generic.ml
Kaspersky: HEUR:Trojan.Win32.Generic
BitDefender: Gen:Variant.Graftor.487501
Rising: Trojan.Agent!8.B1E (TFE:6:TEbwi7SsEO)
Endgame: malicious (high confidence)
Sophos: Mal/Generic-S
F-Secure: Trojan.TR/NukeSped.ngrmb
TrendMicro: TROJ_GEN.R002C0DI819
McAfee-GW-Edition: BehavesLike.Win32.Backdoor.fc
Trapmine: suspicious.low.ml.score
FireEye: Generic.mg.5c0c1b4c3b1cfd45
Emsisoft: Gen:Variant.Graftor.487501 (B)
SentinelOne: DFI - Suspicious PE
Avira: TR/NukeSped.ngrmb
Fortinet: W32/Generic.AU!tr
Arcabit: Trojan.Graftor.D7704D
ZoneAlarm: HEUR:Trojan.Win32.Generic
Microsoft: Trojan:Win32/Autophyte.E!dha
AhnLab-V3: Backdoor/Win32.Akdoor.R206603
Acronis: suspicious
ALYac: Gen:Variant.Graftor.487501
MAX: malware (ai score=87)
Ad-Aware: Gen:Variant.Graftor.487501
Cylance: Unsafe
TrendMicro-HouseCall: TROJ_GEN.R002C0DI819
GData: Gen:Variant.Graftor.487501
AVG: FileRepMalware
Panda: Trj/GdSda.A
Qihoo-360: Win32/Trojan.c53

Hashes

MD5 5c0c1b4c3b1cfd455ac05ace994aed4b
SHA1 69cda1f1adeeed455b519f9cf188e7787b5efa07
SHA256 8a1d57ee05d29a730864299376b830a7e127f089e500e148d96d0868b7c5b520
SHA3 4d17870769a8f94e6d374a5c2ea93a930065de5e7da20c5f022192c851bb6e0f
SSDeep 6144:aR3SGkuDrOZm5Te5EXzO7h2ZMB6zJJ+KFvmjyFdzDs0dRb83hYnOQSzS7:aVSWrOZm5TeOjVMoJFFv+mdzDs+kYnO
Imports Hash 3ca68e2a005e05e2c4831de87ae091c0

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2017-Aug-12 09:20:38
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x19000
SizeOfInitializedData 0x3e000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0001934A (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x1a000
ImageBase 0x10000000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x58000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 83b06d297acb20b05505da2d09905abd
SHA1 9d3649ea26dfadc11c22304af31f1b55e5536bf7
SHA256 ef21b2eda360be80d4ef2e139f71c3391480879d3d0e773f00642a1b46090c8e
SHA3 7e93df9d10c691e597e49a59c32e91d47152d590c12f56c7e14387ebf1208aab
VirtualSize 0x184d5
VirtualAddress 0x1000
SizeOfRawData 0x19000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.52351

.rdata

MD5 b2e739b37837f1c2b941660711daf98f
SHA1 680d68ed7b7f69f8771ba6c73d6aff1869b481bb
SHA256 b9e179d6533b5156329bae0bd53346d2e9fb311b1b3d5b65fda4815aec663a5e
SHA3 0633afa219119cfa09c3f8ff3a77438e3f275524250afc247997ac1d905935c8
VirtualSize 0x36cb
VirtualAddress 0x1a000
SizeOfRawData 0x4000
PointerToRawData 0x1a000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.95191

.data

MD5 cd8aa1387168caeb4604401aedb143eb
SHA1 44ad77692aef18a2a490100b3ac3c290db468090
SHA256 12ba1a7d57bda508846887538f6dda3d9c3657597edac0cc9754f58d79e11275
SHA3 f142e5e69cb48494b61764fd61435e6b679cc8242835274df52f6df739d1890e
VirtualSize 0x3370
VirtualAddress 0x1e000
SizeOfRawData 0x1000
PointerToRawData 0x1e000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 2.7186

.rsrc

MD5 8840ce03428c311935a20ac968c10ce7
SHA1 3f9fdc5e3e74306bea21721e4b9bc10151030981
SHA256 6e8f4c56d6674dbc7a29646a0c07efb6648b45052a04221c77aa29e82e0c835a
SHA3 417db688d04dcdabdfb0eb90e4c020c96268446a7caf2d4e5a24f48de58776ca
VirtualSize 0x34250
VirtualAddress 0x22000
SizeOfRawData 0x35000
PointerToRawData 0x1f000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 7.88822

.reloc

MD5 2f0ede5fcdada29ec11ad8cd25c53f77
SHA1 9267b1c2f34dc2952f1467be74de24a87e7da767
SHA256 f49e8149be66f57608a888d6bf3626f870f2713f095ed34b7863e8b3490ae353
SHA3 03ab2e2a60c703709491eaec42d4cc3982ef62c9bd649bd2541a932c038d89ce
VirtualSize 0xfc6
VirtualAddress 0x57000
SizeOfRawData 0x1000
PointerToRawData 0x54000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 4.92378

Imports

KERNEL32.dll
GetProcessHeap
VirtualAlloc
VirtualProtect
VirtualFree
IsBadReadPtr
HeapFree
FreeLibrary
CloseHandle
CreateThread
LocalFree
FreeLibraryAndExitThread
Sleep
ReadFile
LocalAlloc
GetFileSize
CreateFileW
GetSystemDirectoryW
GetModuleHandleW
HeapAlloc
Module32FirstW
CreateToolhelp32Snapshot
FileTimeToLocalFileTime
GetTickCount
GetSystemInfo
GetVersionExW
WideCharToMultiByte
CreateDirectoryW
CopyFileW
FileTimeToSystemTime
GetACP
lstrlenW
LoadLibraryA
GetVolumeInformationW
GetProcAddress
USER32.dll
wsprintfW
GetSystemMetrics
ADVAPI32.dll
SetServiceStatus
RegisterServiceCtrlHandlerW
MSVCRT.dll
wcschr
rand
srand
__CxxFrameHandler
fclose
fwprintf
_wfopen
wcsrchr
wcstombs
memcpy
strlen
memset
memmove
memcmp
malloc
strstr
sscanf
localtime
time
__dllonexit
_onexit
_initterm
_adjust_fdiv
_wcsicmp
wcscat
wcsncpy
swprintf
_wtoi
_waccess
wcscpy
wcslen
_vsnwprintf
wcsncmp
free
realloc
strncmp
??3@YAXPAX@Z
wcscmp

Delayed Imports

Exports

ServiceCtrlHandler

Ordinal 1
Address 0x7bc0

DllMain

Ordinal 2
Address 0x7b20

ServiceMain

Ordinal 3
Address 0x7c40

Resources

102

Type IMAG
Language Korean - Korea
Codepage UNKNOWN
Size 0x4608
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.91241
Detected Filetype Photoshop Graphics
MD5 ef39af37c34bff9eb233a50c59f240ae
SHA1 2ff9195abc2e91cc41bf0e7b66fbf3f7e2493a95
SHA256 dc179bcdd1202703b7c191fed6ceef9f68b4780e1bdf7a127af4b2b0a2111ec4
SHA3 095273ff88471c01981cd4fd79ec8ffc2de6dc4316912626a3b92922f378543d

103

Type JPG
Language Korean - Korea
Codepage UNKNOWN
Size 0x1dfb
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.92767
Detected Filetype JPEG graphic file
MD5 fef5171f68ee0efc89008b935686ac9d
SHA1 b0be11fca06340aa6d162d1963c4a3c89b1982d4
SHA256 8c6088c8aafa76d88560418d45a4dfdabccabe8d28f0987d251e986a43f574dd
SHA3 457f26b360d2197c7492275595bf8d7d0591cf74c33a10c67a1cd32083bd2d13

104

Type PNG
Language Korean - Korea
Codepage UNKNOWN
Size 0x1a933
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.98736
Detected Filetype PNG graphic file
MD5 f220804c3c6ca2fdca0a0c659890d137
SHA1 0bd61e734963725c60b4a633e7f49da2873303dd
SHA256 1ae73567ccfb0c04427bbbcecbcf3d6ce4a4d9ae8253e5c40d7ba434356131dc
SHA3 6c92cb55a9e529ddc565e69decfe0727d1bab65b0e059b3cddd45c52af90a864

105

Type PNG1
Language Korean - Korea
Codepage UNKNOWN
Size 0x12f76
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 7.98988
Detected Filetype PNG graphic file
MD5 bc87328afdf43333a981c50c406fc103
SHA1 76abcf2da3be549b7dc7ffe9429d564f9ed447f1
SHA256 19fa7b8ea654c7ff3d2062a4342203abbda53938d2ea8001ec61bdf52fb5c23d
SHA3 f6b9e406762fd3643d7e0722d2076e4d8f628674996217ff0dec84a94c0ab1e3

1

Type RT_VERSION
Language Korean - Korea
Codepage UNKNOWN
Size 0x3f8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.48362
MD5 0301de03da83ef4a486ff993f4b063b1
SHA1 8979cb9f6792f822070665c8a6f6b4454d658fb7
SHA256 029c96679cd66ebf7c9882f3632db37a60fe788dd31563a605856239cd7f84dd
SHA3 026e512ccb61ac34df3f8575d87fa354390ef6045d157cc730ae8e9694a5123b

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 10.0.10586.0
ProductVersion 10.0.10586.0
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_DLL
Language Korean - Korea
Comments
CompanyName Microsoft Corporation
FileDescription WMI Provider Thread & Log Library
FileVersion (#2) 10.0.10586.0 (th2_release.151029-1700)
InternalName provthrd.dll
LegalCopyright Copyright ⓒ 2017
LegalTrademarks
OriginalFilename provthrd.dll
PrivateBuild
ProductName Microsoft Windows Operating System
ProductVersion (#2) 10, 0, 10586, 0
SpecialBuild
Resource LangID Korean - Korea

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0xe4e836e1
Unmarked objects 0
14 (7299) 5
12 (7291) 3
Imports (VS2003 (.NET) build 4035) 7
Total imports 115
C objects (VS98 build 8168) 19
C++ objects (VS98 build 8168) 10
Resource objects (VS98 cvtres build 1720) 1
Linker (VS98 build 8168) 3

Errors
