63c59b27b703e4ae3c35a834fc0438dd

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2033-Jan-25 08:22:26
Detected languages English - United States
Debug artifacts WMNetMgr.pdb
CompanyName Microsoft Corporation
FileDescription Windows Media Network Plugin Manager DLL
FileVersion 12.0.16299.15 (WinBuild.160101.0800)
InternalName WMNetMgr.dll
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename WMNetMgr.dll
ProductName Microsoft® Windows® Operating System
ProductVersion 12.0.16299.15

Plugin Output

Info Matching compiler(s):
  • Microsoft Visual C++ v6.0 DLL
  • Microsoft Visual C++ 6.0 - 8.0
Suspicious The PE is possibly packed. Unusual section name found: .didat
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • LoadLibraryW
  • LoadLibraryA
  • LoadLibraryExA
  • LoadLibraryExW
  • GetProcAddress
Can access the registry:
  • RegOpenKeyExW
  • RegDeleteKeyA
  • RegEnumKeyA
  • RegCreateKeyExA
  • RegDeleteKeyW
  • RegQueryValueExW
  • RegQueryValueExA
  • RegOpenKeyExA
  • RegDeleteValueW
  • RegCreateKeyExW
  • RegSetValueExW
  • RegEnumValueW
  • RegQueryInfoKeyW
  • RegEnumKeyExW
  • RegCloseKey
  • RegEnumKeyW
Can create temporary files:
  • CreateFileW
  • CreateFileA
  • GetTempPathW
Memory manipulation functions often used by packers:
  • VirtualProtect
  • VirtualAlloc
Leverages the raw socket API to access the Internet:
  • #2
  • #3
  • #52
  • #22
  • #13
  • #112
  • #5
  • #11
  • #6
  • #51
  • #20
  • #16
  • #56
  • #23
  • #12
  • #55
  • #57
  • #7
  • getaddrinfo
  • getnameinfo
  • freeaddrinfo
  • #8
  • #9
  • #10
  • #21
  • #111
  • #17
  • #4
  • #19
  • #1
  • #101
  • WSAEnumNetworkEvents
  • #14
  • WSAEventSelect
  • #116
  • #115
  • #15
Manipulates other processes:
  • OpenProcess

Hashes

MD5 63c59b27b703e4ae3c35a834fc0438dd
SHA1 a0ff9caafaf27951ec2526052abd2204b16e890d
SHA256 a84c175899382b299665759415565c2159bf6de5220b1b15cb47af8528d18c75
SHA3 1157d6374e6e7adb6e443005c3d25dc9ad5e26486dde97b8f9803bb1cd64c1bd
SSDeep 24576:iXasbYXxpRFdSxI8UA41W7Z7Fz02wGyIruyfc4/nmzPF+0ZSlqG2FBbfrzcveB4:xs3MPeFgEvR0tWLCm
Imports Hash 0836439154d28c436409081bce184d77

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 6
TimeDateStamp 2033-Jan-25 08:22:26
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_DLL
  • IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 14.0
SizeOfCode 0x106a00
SizeOfInitializedData 0x38000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0003C8D0 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x108000
ImageBase 0x10000000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion A.0
ImageVersion A.0
SubsystemVersion A.0
Win32VersionValue 0
SizeOfImage 0x142000
SizeOfHeaders 0x400
Checksum 0x128687
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics:
  • IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
  • IMAGE_DLLCHARACTERISTICS_GUARD_CF
  • IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SizeofStackReserve 0x40000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 1bc9abdb2e3efca8e1f3fa8762b98fed
SHA1 d04cde5caa9fe173560ca75e780a9e64c330e1d4
SHA256 7a2ebd0e616605f275cdc9a824494ab49368373af20a5d1c28f7fef68516d392
SHA3 85fcaedfc1c5bf997b24e4b31c63e616a560a7503b8d7255139493e70c74eb66
VirtualSize 0x106965
VirtualAddress 0x1000
SizeOfRawData 0x106a00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics:
  • IMAGE_SCN_CNT_CODE
  • IMAGE_SCN_MEM_EXECUTE
  • IMAGE_SCN_MEM_READ
Entropy 6.60464

.data

MD5 b80fa557a2a31202e53e1e36c945d7fe
SHA1 a15013df8a377297da47d52a1cf39027ae54f077
SHA256 665d50bff3765aa4c49a669a1439ecf57feeb899cf6574764388965543c2a9d3
SHA3 9e8b9cfc075d62b69618d911288dc3c54018cfd28390f32b19fa76178cc594a3
VirtualSize 0x19abc
VirtualAddress 0x108000
SizeOfRawData 0x1a00
PointerToRawData 0x106e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics:
  • IMAGE_SCN_CNT_INITIALIZED_DATA
  • IMAGE_SCN_MEM_READ
  • IMAGE_SCN_MEM_WRITE
Entropy 3.11892

.idata

MD5 3c538c2a35a5b5083b23a01f6be9d7fd
SHA1 a8d962cab21606c11616e830b44d7bc866fa30ec
SHA256 73a0d6973347ee080ab532201850bf02a006766003a7abaa1eea25129842cb0f
SHA3 03d8d23f3b0b5515bec41e78588b707f4f2bff05ebed2800df904fb4f09a7762
VirtualSize 0x19c6
VirtualAddress 0x122000
SizeOfRawData 0x1a00
PointerToRawData 0x108800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics:
  • IMAGE_SCN_CNT_INITIALIZED_DATA
  • IMAGE_SCN_MEM_READ
Entropy 5.67817

.didat

MD5 e9359d8ea1f81acffb460c03b25cda19
SHA1 19ac7373df222f0dce9633c9085a086baf734ab6
SHA256 a34448e5e5a289125e061021609ecb1d11d9224ad2c3a31e1057a6f876546e05
SHA3 57e6a8bc81e0b37f8d7280facde722d96482513b43131f8745c6c1e9d2d37d3c
VirtualSize 0x13c
VirtualAddress 0x124000
SizeOfRawData 0x200
PointerToRawData 0x10a200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics:
  • IMAGE_SCN_CNT_INITIALIZED_DATA
  • IMAGE_SCN_MEM_READ
  • IMAGE_SCN_MEM_WRITE
Entropy 3.18799

.rsrc

MD5 9720d08c029986580fea733103aecbe8
SHA1 cd493673bc44b0b5a206d743400db8330036b4dc
SHA256 a99cd70ffe3eeb44f804579d35b4f983d5e1111ff2f021cf66341bf7bdc1bb6b
SHA3 3d6089e100bb84406a97435d75d1235a65f5f350805eab64349d07279f744a5f
VirtualSize 0xe7d8
VirtualAddress 0x125000
SizeOfRawData 0xe800
PointerToRawData 0x10a400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics:
  • IMAGE_SCN_CNT_INITIALIZED_DATA
  • IMAGE_SCN_MEM_READ
Entropy 5.42723

.reloc

MD5 4aaf2b6a27f94f89f7e3cf0e2c7510d6
SHA1 e8093cd102646dd5cec767adb5cfec67e28ea5fe
SHA256 429276f5b21a129c9482c8437c9f9c5c74dc5acd17fa1af76f62a928dedb061c
SHA3 d614f2d22fd21cb31e04a79b05dfe83ba0eb5d7a64d256c1dd6ebb14fc85f106
VirtualSize 0xdf68
VirtualAddress 0x134000
SizeOfRawData 0xe000
PointerToRawData 0x118c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics:
  • IMAGE_SCN_CNT_INITIALIZED_DATA
  • IMAGE_SCN_MEM_DISCARDABLE
  • IMAGE_SCN_MEM_READ
Entropy 6.77751

Imports

msvcrt.dll

strncpy_s
strtoul
strcpy_s
strcat_s
strchr
sprintf_s
_beginthreadex
_vsnprintf
qsort
srand
wcsrchr
wcstok
wcspbrk
iswcntrl
wcsstr
_ltow
wcstoul
wcstol
_ultow
_ultow_s
swscanf
_ltoa_s
_ultoa_s
strncmp
_strnicmp
tolower
calloc
_wtoi
sscanf_s
strstr
isspace
memmove
strpbrk
_atoi64
rand
iswspace
wcsftime
time
gmtime
wcsncmp
_stricmp
iswxdigit
isdigit
isalpha
iswdigit
iswalpha
isxdigit
strnlen
_unlock
__dllonexit
_onexit
memset
memchr
_i64tow_s
_ui64tow_s
wcschr
toupper
towupper
__CxxFrameHandler3
_wcsicmp
_vsnwprintf
_ftol2
_ftol2_sse
memcmp
_callnewh
_XcptFilter
_amsg_exit
_initterm
?terminate@@YAXXZ
_except_handler4_common
towlower
_wcsnicmp
_purecall
wcscpy_s
realloc
wcscat_s
malloc
free
_lock
_ltow_s
_strlwr
_strupr
iswupper
strrchr
atoi
strcspn
strspn
_ui64tow
memcpy

WMASF.DLL

#9
#7
#5
ASFSendTimeToTime
ASFGetTimeBase
#11

KERNEL32.dll

lstrcmpiW
lstrcpynW
VirtualProtect
VirtualAlloc
VirtualQuery
GetSystemInfo
MultiByteToWideChar
SizeofResource
LoadResource
FindResourceExW
GetModuleFileNameW
LoadLibraryW
DisableThreadLibraryCalls
HeapDestroy
lstrcpyW
CreateEventW
CloseHandle
WaitForSingleObject
GetTickCount
Sleep
ResetEvent
GetCurrentThreadId
SetEvent
HeapFree
GetProcessHeap
HeapAlloc
WideCharToMultiByte
OpenMutexW
CreateDirectoryW
DeleteFileW
FindResourceW
LockResource
CreateFileW
WriteFile
FreeResource
WaitForSingleObjectEx
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
SetLastError
InitializeCriticalSectionAndSpinCount
IsDebuggerPresent
IsProcessorFeaturePresent
LoadLibraryA
GetSystemDirectoryA
GetVersionExA
SetThreadPriority
FreeLibraryAndExitThread
GetModuleHandleA
GetCurrentThread
CreateEventA
VirtualFree
ReleaseSemaphore
HeapSize
CreateSemaphoreA
TlsAlloc
TlsFree
TlsGetValue
SetThreadAffinityMask
TlsSetValue
GetExitCodeThread
GetSystemDefaultLCID
LocalFree
FormatMessageW
GetVersionExW
CreateFileA
DeleteFileA
CopyFileA
CopyFileW
SetFilePointer
SetEndOfFile
GetStdHandle
GlobalLock
GlobalUnlock
GlobalAlloc
GlobalFree
GetFileSize
ReadFile
GetLocalTime
SystemTimeToFileTime
GetComputerNameW
lstrlenW
OpenProcess
GetExitCodeProcess
QueryPerformanceFrequency
GetThreadLocale
FileTimeToSystemTime
GetModuleHandleExA
LocalAlloc
LoadLibraryExA
GetVersion
GetModuleHandleW
GetTempFileNameW
ExpandEnvironmentStringsW
GetFileAttributesW
GetTempPathW
SearchPathW
CompareFileTime
GetWindowsDirectoryW
GetLocaleInfoA
GetSystemTime
CreateThread
LoadLibraryExW
GetProcAddress
GetLastError
FreeLibrary
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
InitializeCriticalSection
WaitForMultipleObjects
CreateIoCompletionPort
PostQueuedCompletionStatus
GetQueuedCompletionStatus
RaiseException
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
GetModuleHandleExW
DebugBreak

USER32.dll

CharNextW
PostQuitMessage
CreateWindowExA
DefWindowProcA
RegisterClassA
GetWindowLongA
SetWindowLongA
PostMessageA
DestroyWindow
DispatchMessageA
GetMessageA
CharPrevW

ADVAPI32.dll

RegOpenKeyExW
RegDeleteKeyA
RegEnumKeyA
UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableLevel
GetTraceEnableFlags
GetTraceLoggerHandle
RegCreateKeyExA
RegDeleteKeyW
TraceEvent
DeregisterEventSource
ReportEventW
RegisterEventSourceW
IsTextUnicode
RegQueryValueExW
RegQueryValueExA
RegOpenKeyExA
RegDeleteValueW
RegCreateKeyExW
RegSetValueExW
RegEnumValueW
RegQueryInfoKeyW
RegEnumKeyExW
RegCloseKey
RegEnumKeyW

ole32.dll

CLSIDFromString
StringFromGUID2
CreateStreamOnHGlobal
CoCreateGuid
CoInitializeEx
CoUninitialize
CoCreateInstance
CoTaskMemAlloc
CoTaskMemRealloc
CoTaskMemFree
CoInitialize

WS2_32.dll (delay-loaded)

#2
#3
#52
#22
#13
#112
#5
#11
#6
#51
#20
#16
#56
#23
#12
#55
#57
#7
getaddrinfo
getnameinfo
freeaddrinfo
#8
#9
#10
#21
#111
#17
#4
#19
#1
#101
WSAEnumNetworkEvents
#14
WSAEventSelect
#116
#115
#15

Delayed Imports

Attributes 0x1
Name WS2_32.dll
ModuleHandle 0x109c74
DelayImportAddressTable 0x1240a4
DelayImportNameTable 0x107528
BoundDelayImportTable 0x10777c
UnloadDelayImportTable 0
TimeStamp 1970-Jan-01 00:00:00

Exports

DllCanUnloadNow

Ordinal 1
Address 0x3b5f0

DllGetClassObject

Ordinal 2
Address 0x3b430

DllRegisterServer

Ordinal 3
Address 0x4f050

DllUnregisterServer

Ordinal 4
Address 0x4f070

Resources

101

Type REGISTRY
Language English - United States
Codepage UNKNOWN
Size 0x2e3
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.24201
MD5 eca3aeaa880650f2c75206d172112705
SHA1 adc7b4937eb24090b4a4ab142abe060e423effe2
SHA256 a06262add797c27a0972fba181bf106154dfa7b5201ec990d568e0987be4d1b0
SHA3 211897252772eeba28784f23d3b5e7f8355aa1adc8683db69e5acb4efa074555

102

Type REGISTRY
Language English - United States
Codepage UNKNOWN
Size 0x28a
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.3094
MD5 3a557ff29866944fdc7625ea04897d61
SHA1 45def5770589d59136d04f0fecfb505e4c95d9b7
SHA256 49ed9e2ee0eb07d7045d49ae0d7bbf9e3b64ae279015759d93a3db054bf38d3a
SHA3 8386ce4229e7dd301194527b97d33e1f22c4376df8dcc0873409a4db29cc2d65

103

Type REGISTRY
Language English - United States
Codepage UNKNOWN
Size 0x27cc
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.79035
MD5 5433eab10c6b5c6d55b7cbd302426a39
SHA1 c5b1604b3350dab290d081eecd5389a895c58de5
SHA256 23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131
SHA3 743c0bf1d40360598a5516fd185b04d8d3a6581bccfa5462cbbd3af46b3cfa2e

104

Type REGISTRY
Language English - United States
Codepage UNKNOWN
Size 0x1f2
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.10391
MD5 90be2701c8112bebc6bd58a7de19846e
SHA1 a95be407036982392e2e684fb9ff6602ecad6f1e
SHA256 644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
SHA3 c79dab96f436e93f88a66774a8c3cbf0576f3e0af276d881976377dda5058956

1001

Type REGISTRY
Language English - United States
Codepage UNKNOWN
Size 0x3b6
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.34655
MD5 7254f0cce4186471ae908a162c85057e
SHA1 b8d3dbf1722f7618764481748a28e1dd7808192d
SHA256 a87febed8920703da64bef6e2d139e9c26946cc3604320ae24931f995e7f1280
SHA3 c593b7d9088323dbb96f44f15dbdd35156ff7eeb7e821daecd0243146bb4b2d1

1003

Type REGISTRY
Language English - United States
Codepage UNKNOWN
Size 0x3ad
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.27428
MD5 857c509d53198eb51cf6bf519bb656e2
SHA1 7684455bdd8d3a7848a680b274f7b90ffebc1053
SHA256 12a27149f6af31e68514b6cda2e2a2adc901052783debb2495bac137f69558df
SHA3 16c0ce544b93394ed1c20ba9db359078db14804db55e3d4dadaeb2d00617a456

2001

Type REGISTRY
Language English - United States
Codepage UNKNOWN
Size 0x48f
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.71292
MD5 5331a8210339f01ba4d3c818f48544b7
SHA1 2f274863bc2018f3cd9ffae2ad7dcd1c5c7df89a
SHA256 16f421e137396d21abafa8c64d48b05bf0c0b7120cd9bb3d070e470a9b93342c
SHA3 60ef46c137fad7b5868a770c8fd4b4f721efc86dd98b6641004bf5def8293168

1

Type TYPELIB
Language English - United States
Codepage UNKNOWN
Size 0xa6a4
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 5.07596
MD5 57d33fbf738177722a4b8f00ba0bffd1
SHA1 4163e6368f24849a868628cb86a8739340aa34fa
SHA256 f57ade1c4ce2180a6f5a7e04187e911ebe702ca2819daa4082a42fa8224ba3e9
SHA3 f746bec8be9cb5dadbcee8dbe2e7a0821aca16dc90d676b5d0a94b767a9a0e56

1 (#2)

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x3c8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.49153
MD5 33afa665b23a1edde4717720ab948ac0
SHA1 48331d3a1d0293575a2e0bd871b3a2282ebac832
SHA256 99d661d6098247899f1cc7df9f768b40da0096f1e8c1f710ba3a91375c9809f0
SHA3 ec4b0d9a75728bf3743b6432ea683447003973c98b2d41ade7f0723a591ed330

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 12.0.16299.15
ProductVersion 12.0.16299.15
FileFlags (EMPTY)
FileOs:
  • VOS_DOS_WINDOWS32
  • VOS_NT
  • VOS_NT_WINDOWS32
  • VOS_WINCE
  • VOS__WINDOWS32
FileType VFT_DLL
Language English - United States
CompanyName Microsoft Corporation
FileDescription Windows Media Network Plugin Manager DLL
FileVersion (#2) 12.0.16299.15 (WinBuild.160101.0800)
InternalName WMNetMgr.dll
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename WMNetMgr.dll
ProductName Microsoft® Windows® Operating System
ProductVersion (#2) 12.0.16299.15
Resource LangID English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2033-Jan-25 08:22:26
Version 0.0
SizeofData 37
AddressOfRawData 0x16a08
PointerToRawData 0x15e08
Referenced File WMNetMgr.pdb

IMAGE_DEBUG_TYPE_POGO

Characteristics 0
TimeDateStamp 2033-Jan-25 08:22:26
Version 0.0
SizeofData 1252
AddressOfRawData 0x16a30
PointerToRawData 0x15e30

UNKNOWN

Characteristics 0
TimeDateStamp 2033-Jan-25 08:22:26
Version 0.0
SizeofData 0
AddressOfRawData 0
PointerToRawData 0

TLS Callbacks

StartAddressOfRawData 0x10105b64
EndAddressOfRawData 0x10105b6c
AddressOfIndex 0x10109c70
AddressOfCallbacks 0x10005534
SizeOfZeroFill 0
Characteristics IMAGE_SCN_ALIGN_4BYTES
Callbacks (EMPTY)

Load Configuration

Size 0xa0
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x101094d8
SEHandlerTable 0x10010870
SEHandlerCount 99
GuardCFCheckFunctionPointer 0x10122444
GuardCFDispatchFunctionPointer 0
GuardCFFunctionTable 0
GuardCFFunctionCount 0
GuardFlags (EMPTY)
CodeIntegrity.Flags 0
CodeIntegrity.Catalog 0
CodeIntegrity.CatalogOffset 0
CodeIntegrity.Reserved 0
GuardAddressTakenIatEntryTable 0
GuardAddressTakenIatEntryCount 0
GuardLongJumpTargetTable 0
GuardLongJumpTargetCount 0

RICH Header

XOR Key 0xbb138816
Unmarked objects 0
ASM objects (VS2017 v15.?.? build 25203) 12
C objects (VS2017 v15.?.? build 25203) 16
Total imports 385
Imports (VS2017 v15.?.? build 25203) 13
C++ objects (VS2017 v15.?.? build 25203) 8
Exports (VS2017 v15.?.? build 25203) 1
270 (VS2017 v15.?.? build 25203) 208
Resource objects (VS2017 v15.?.? build 25203) 1
Linker (VS2017 v15.?.? build 25203) 1

Errors

(EMPTY)