Architecture | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2017-Aug-21 16:39:06 |
Detected languages | English - United States, Korean - Korea |
Comments | |
CompanyName | Microsoft Corporation |
FileDescription | Extensible Wizard Type Plugin for DUI |
FileVersion | 10.0.10586.0 (th2_release.151029-1700) |
InternalName | xwtpdui.dll |
LegalCopyright | Copyright ⓒ 2017 |
LegalTrademarks | |
OriginalFilename | xwtpdui.dll.mui |
PrivateBuild | |
ProductName | xwtpdui.dll.mui |
ProductVersion | xwtpdui.dll.mui |
SpecialBuild | |
Info | Matching compiler(s): Microsoft Visual C++ v6.0 DLL; Microsoft Visual C++ 6.0 DLL (Debug); Microsoft Visual C++ 6.0 - 8.0; Microsoft Visual C++ 6.0 DLL |
Info | Cryptographic algorithms detected in the binary: uses constants related to CRC32, MD5 and SHA1 |
Suspicious | The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports: |
Malicious | VirusTotal score: 53/70 (Scanned on 2019-12-12 06:35:35) |

Engine | Detection |
---|---|
MicroWorld-eScan | Gen:Variant.Graftor.487501 |
CAT-QuickHeal | Trojan.Generic |
ALYac | Trojan.Nukesped.A |
Cylance | Unsafe |
Zillya | Trojan.NukeSped.Win32.161 |
Sangfor | Malware |
K7AntiVirus | Trojan ( 0052cf421 ) |
Alibaba | Trojan:Win32/Autophyte.dd617905 |
K7GW | Trojan ( 0052cf421 ) |
CrowdStrike | win/malicious_confidence_100% (W) |
TrendMicro | BKDR_HOPLIGHT.ZKGJ |
BitDefenderTheta | Gen:NN.ZedlaF.33548.ju8@aG4CQCdG |
Cyren | W32/Trojan.CTPG-1488 |
Symantec | Trojan Horse |
ESET-NOD32 | a variant of Win32/NukeSped.AU |
TrendMicro-HouseCall | BKDR_HOPLIGHT.ZKGJ |
Paloalto | generic.ml |
ClamAV | Win.Trojan.HiddenCobra-7402602-0 |
Kaspersky | HEUR:Trojan.Win32.Generic |
BitDefender | Gen:Variant.Graftor.487501 |
Avast | FileRepMalware |
Endgame | malicious (high confidence) |
Sophos | Troj/NukeSpe-D |
Comodo | Malware@#2qmxvr3gy50vq |
F-Secure | Trojan.TR/AD.APTLazerus.ifaaj |
VIPRE | Trojan.Win32.Generic!BT |
McAfee-GW-Edition | Trojan-HidCobra |
Trapmine | suspicious.low.ml.score |
FireEye | Gen:Variant.Graftor.487501 |
Emsisoft | Gen:Variant.Graftor.487501 (B) |
Ikarus | Trojan.Win32.NukeSped |
F-Prot | W32/Trojan3.AOLD |
Jiangmin | Trojan.Generic.eabws |
Webroot | W32.Trojan.Gen |
Avira | TR/AD.APTLazerus.ifaaj |
Antiy-AVL | Trojan/Win32.Autophyte |
Microsoft | Trojan:Win32/Autophyte.E!dha |
Arcabit | Trojan.Graftor.D7704D |
ViRobot | Trojan.Win32.S.Agent.147456.APR |
ZoneAlarm | HEUR:Trojan.Win32.Generic |
GData | Gen:Variant.Graftor.487501 |
AhnLab-V3 | Trojan/Win32.Agent.C3464073 |
McAfee | Trojan-HidCobra |
MAX | malware (ai score=100) |
VBA32 | BScope.Trojan.Autophyte |
Malwarebytes | Trojan.NukeSped |
Yandex | Trojan.Agent!KBRo0JOtvGU |
MaxSecure | Trojan.Malware.7164915.susgen |
Fortinet | W32/NukeSped.AU!tr |
Ad-Aware | Gen:Variant.Graftor.487501 |
AVG | FileRepMalware |
Panda | Generic Malware |
Qihoo-360 | Win32/Trojan.e04 |
e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xe8 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_I386 |
NumberOfSections | 5 |
TimeDateStamp | 2017-Aug-21 16:39:06 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_DLL, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_LOCAL_SYMS_STRIPPED |
Magic | PE32 |
---|---|
LinkerVersion | 6.0 |
SizeOfCode | 0x1c000 |
SizeOfInitializedData | 0xa000 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x0001C85A (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0x1d000 |
ImageBase | 0x10000000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x1000 |
OperatingSystemVersion | 4.0 |
ImageVersion | 0.0 |
SubsystemVersion | 4.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x27000 |
SizeOfHeaders | 0x1000 |
Checksum | 0 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
SizeOfStackReserve | 0x100000 |
SizeOfStackCommit | 0x1000 |
SizeOfHeapReserve | 0x100000 |
SizeOfHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
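The summary, the optional header and the version resource above contradict one another: a Visual C++ 6.0 linker (LinkerVersion 6.0, Rich header "VS98 build 8168") on a file whose version resource claims Windows 10 build 10586, a build-lab stamp of 151029 (2015-10-29) against a TimeDateStamp of 2017-08-21, a PE Checksum of 0, and an OriginalFilename ending in .mui (a resource-only DLL) on an image with 0x1c000 bytes of code and an entry point. The script below is an added example, not Manalyze's code and not taken from the sample: a stdlib-only Python check that parses the DOS, COFF and optional headers and emits exactly those findings. The header bytes are constructed to mirror the report's values (DllCharacteristics and the data directories, which the report does not list, are assumed to be zero) and the version strings are transcribed from the report. One caveat for the timestamp check: genuine Windows 10 system binaries are built reproducibly, so their TimeDateStamp is not a wall-clock time at all; a plausible 2017 link date is itself out of character for the component this file claims to be.

```python
"""Added example (not Manalyze's code, not the sample's): a stdlib-only header
consistency check.  The header bytes are CONSTRUCTED from the report's values;
VERSION_INFO is transcribed from the report's version resource."""
import datetime
import re
import struct

# PE32 optional header, Magic through NumberOfRvaAndSizes (96 bytes).
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6
OPT_FIELDS = (
    "Magic", "MajorLinkerVersion", "MinorLinkerVersion", "SizeOfCode",
    "SizeOfInitializedData", "SizeOfUninitializedData", "AddressOfEntryPoint",
    "BaseOfCode", "BaseOfData", "ImageBase", "SectionAlignment", "FileAlignment",
    "MajorOperatingSystemVersion", "MinorOperatingSystemVersion",
    "MajorImageVersion", "MinorImageVersion", "MajorSubsystemVersion",
    "MinorSubsystemVersion", "Win32VersionValue", "SizeOfImage",
    "SizeOfHeaders", "CheckSum", "Subsystem", "DllCharacteristics",
    "SizeOfStackReserve", "SizeOfStackCommit", "SizeOfHeapReserve",
    "SizeOfHeapCommit", "LoaderFlags", "NumberOfRvaAndSizes",
)
# Transcribed from the report's version resource.
VERSION_INFO = {
    "CompanyName": "Microsoft Corporation",
    "FileVersion": "10.0.10586.0 (th2_release.151029-1700)",
    "OriginalFilename": "xwtpdui.dll.mui",
    "ProductName": "xwtpdui.dll.mui",
    "ProductVersion": "xwtpdui.dll.mui",
}
# Microsoft build-lab stamp inside FileVersion: (branch.YYMMDD-HHMM)
BUILD_LAB = re.compile(r"\((\w+)\.(\d{2})(\d{2})(\d{2})-\d{4}\)")


def build_sample() -> bytes:
    """CONSTRUCTED header mirroring the report: e_lfanew 0xe8, 5 sections,
    TimeDateStamp 2017-08-21 16:39:06 UTC, linker 6.0, CheckSum 0.
    DllCharacteristics and the 16 data directories are assumed zero."""
    dos = bytearray(0xE8)
    dos[:2] = b"MZ"
    struct.pack_into("<8H", dos, 2, 0x90, 0x3, 0, 0x4, 0, 0xFFFF, 0, 0xB8)
    struct.pack_into("<I", dos, 0x3C, 0xE8)
    link_time = datetime.datetime(2017, 8, 21, 16, 39, 6, tzinfo=datetime.timezone.utc)
    coff = struct.pack("<HHIIIHH", 0x14C, 5, int(link_time.timestamp()), 0, 0, 0xE0, 0x210E)
    opt = struct.pack(OPT_FMT, 0x10B, 6, 0, 0x1C000, 0xA000, 0, 0x1C85A, 0x1000,
                      0x1D000, 0x10000000, 0x1000, 0x1000, 4, 0, 0, 0, 4, 0,
                      0, 0x27000, 0x1000, 0, 2, 0, 0x100000, 0x1000, 0x100000,
                      0x1000, 0, 16)
    return bytes(dos) + b"PE\0\0" + coff + opt + b"\0" * 128


def parse_headers(data: bytes) -> dict:
    """Parse DOS, COFF and PE32 optional headers into a flat field dict."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    hdr = dict(zip(OPT_FIELDS, struct.unpack_from(OPT_FMT, data, e_lfanew + 24)))
    hdr.update(Machine=machine, NumberOfSections=nsec, Characteristics=chars,
               TimeDateStamp=datetime.datetime.fromtimestamp(ts, datetime.timezone.utc))
    return hdr


def triage(hdr: dict, vi: dict) -> list:
    """Return (code, message) findings where the headers and the version
    resource disagree with each other or with the vendor they claim."""
    findings = []
    claims_ms = vi.get("CompanyName", "").startswith("Microsoft")
    file_ver = vi.get("FileVersion", "")
    if claims_ms and hdr["CheckSum"] == 0:
        findings.append(("checksum-zero",
                         "CheckSum is 0; Microsoft-shipped DLLs carry a valid PE checksum"))
    if claims_ms and hdr["MajorLinkerVersion"] == 6 and file_ver.startswith("10."):
        findings.append(("linker-vs-version",
                         f"linker {hdr['MajorLinkerVersion']}.{hdr['MinorLinkerVersion']} "
                         f"(Visual C++ 6.0) on a file claiming Windows 10 version {file_ver.split()[0]}"))
    m = BUILD_LAB.search(file_ver)
    if m:
        lab = datetime.date(2000 + int(m[2]), int(m[3]), int(m[4]))
        linked = hdr["TimeDateStamp"].date()
        gap = (linked - lab).days
        if abs(gap) > 30:
            findings.append(("buildlab-vs-timestamp",
                             f"build lab {m[1]} dates the build {lab} but TimeDateStamp "
                             f"is {linked} ({gap} days apart)"))
    if (vi.get("OriginalFilename", "").lower().endswith(".mui")
            and (hdr["SizeOfCode"] or hdr["AddressOfEntryPoint"])):
        findings.append(("mui-with-code",
                         "OriginalFilename names a resource-only .mui, but the image has code and an entry point"))
    pv = vi.get("ProductVersion", "")
    if pv and not re.fullmatch(r"\d+(\.\d+){1,3}.*", pv):
        findings.append(("productversion-not-version",
                         f"ProductVersion {pv!r} is not a dotted version string"))
    return findings


if __name__ == "__main__":
    hdr = parse_headers(build_sample())
    print(f"linked {hdr['TimeDateStamp']:%Y-%m-%d %H:%M:%S}, linker "
          f"{hdr['MajorLinkerVersion']}.{hdr['MinorLinkerVersion']}, checksum {hdr['CheckSum']:#x}")
    for code, msg in triage(hdr, VERSION_INFO):
        print(f"[{code}] {msg}")
```

To run it against a real file, replace `build_sample()` with the first 4 KiB of the file and fill `VERSION_INFO` from its VS_VERSIONINFO resource; the checks themselves do not depend on the constructed bytes. None of these findings is proof of malice on its own, but together they say the Microsoft identity in the version block cannot be trusted, which is the point at which the import list and the VirusTotal verdicts above stop needing the benefit of the doubt.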
KERNEL32.dll | GetProcAddress, LoadLibraryA, LocalFree, CloseHandle, GetModuleHandleW, GetVolumeInformationW, Module32FirstW, CreateToolhelp32Snapshot, FileTimeToLocalFileTime, GetTickCount, GetSystemInfo, GetVersionExW, WideCharToMultiByte, CreateDirectoryW, Sleep, CopyFileW, FileTimeToSystemTime, GetACP, lstrlenW, FindFirstFileW, FindNextFileW, GetLastError, FindClose, UnmapViewOfFile, WriteFile, GetCurrentProcess, DuplicateHandle, CreateFileW, CreateFileMappingW, MapViewOfFile, GetFileType, GetFileInformationByHandle, GetSystemTime, GetLocalTime, SystemTimeToFileTime, GetFileSize, SetFilePointer, ReadFile, FileTimeToDosDateTime |
---|---|
USER32.dll | GetSystemMetrics, wsprintfW |
SHLWAPI.dll | wnsprintfW |
MSVCRT.dll | __CxxFrameHandler, wcstombs, fclose, srand, _wfopen, wcsrchr, memcpy, strlen, memset, memmove, memcmp, malloc, strstr, sscanf, localtime, time, mktime, ??2@YAPAXI@Z, _EH_prolog, strcat, strcpy, _stricmp, _tzset, __dllonexit, _onexit, _initterm, _adjust_fdiv, rand, wcscmp, wcschr, _wcsicmp, wcsncpy, swprintf, _wtoi, wcscat, _waccess, wcscpy, wcslen, wcsncmp, free, strncmp, ??3@YAXPAX@Z, fwprintf |
Signature | 0xfeef04bd |
---|---|
StructVersion | 0x10000 |
FileVersion | 10.0.10586.0 |
ProductVersion | 10.0.10586.0 |
FileFlags | (EMPTY) |
FileOs | VOS_DOS_WINDOWS32, VOS_NT, VOS_NT_WINDOWS32, VOS_WINCE, VOS__WINDOWS32 |
FileType | VFT_DLL |
Language | English - United States |
Comments | |
CompanyName | Microsoft Corporation |
FileDescription | Extensible Wizard Type Plugin for DUI |
FileVersion (#2) | 10.0.10586.0 (th2_release.151029-1700) |
InternalName | xwtpdui.dll |
LegalCopyright | Copyright ⓒ 2017 |
LegalTrademarks | |
OriginalFilename | xwtpdui.dll.mui |
PrivateBuild | |
ProductName | xwtpdui.dll.mui |
ProductVersion (#2) | xwtpdui.dll.mui |
SpecialBuild | |
Resource LangID | Korean - Korea |
XOR Key | 0x64e836d9 |
---|---|
Unmarked objects | 0 |
14 (7299) | 5 |
12 (7291) | 3 |
Imports (VS2003 (.NET) build 4035) | 7 |
Total imports | 111 |
C objects (VS98 build 8168) | 19 |
C++ objects (VS98 build 8168) | 10 |
Resource objects (VS98 cvtres build 1720) | 1 |
Linker (VS98 build 8168) | 3 |
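The Rich header table above gives the XOR key and a count of objects per tool, two of them only by prodid number ("14 (7299)" and "12 (7291)"). The decoder below is an added example, not Manalyze's code: it locates the `Rich` marker before the PE header, XORs backwards to the `DanS` marker, splits every entry into prodid, build and count, and recomputes the key from the DOS header bytes and the entries. The key is a checksum, so a key that does not verify means the header was edited or forged after linking, which is why the XOR key is worth recording at all. The sample header is constructed: the builds and counts are copied from the table, the prodids are this example's mapping of the table's labels onto the public comp.id table (in which 14 is Masm613 and 12 is AliasObj60, consistent with the builds shown), and the real file's DOS stub is not on this page, so the key the example computes is self-consistent but is not 0x64e836d9.

```python
"""Added example (not Manalyze's code): decode and verify a PE Rich header.
The sample header is CONSTRUCTED; builds and counts follow the report's table,
the prodid numbers are this example's mapping of its labels."""
import struct

DANS = 0x536E6144          # "DanS" read as a little-endian dword
RICH = b"Rich"

# Subset of the public comp.id product table (prodid -> tool).
PRODID_NAMES = {0x04: "Linker600", 0x06: "Cvtres500", 0x0A: "Utc12_C",
                0x0B: "Utc12_CPP", 0x0C: "AliasObj60", 0x0E: "Masm613"}

# (prodid, build, count), constructed to mirror the report's counts.
SAMPLE_ENTRIES = [(0x0E, 7299, 5), (0x0C, 7291, 3), (0x0A, 8168, 19),
                  (0x0B, 8168, 10), (0x06, 1720, 1), (0x04, 8168, 3)]


def rol32(value: int, n: int) -> int:
    n &= 31
    return ((value << n) | (value >> (32 - n))) & 0xFFFFFFFF


def rich_checksum(data: bytes, dans_off: int, entries) -> int:
    """The key is a checksum: the DanS offset, plus every byte before it
    rotated by its offset (skipping e_lfanew at 0x3c..0x3f), plus each
    comp.id rotated by its use count."""
    total = dans_off
    for i in range(dans_off):
        if 0x3C <= i < 0x40:
            continue
        total += rol32(data[i], i)
    for prodid, build, count in entries:
        total += rol32((prodid << 16) | build, count)
    return total & 0xFFFFFFFF


def parse_rich(data: bytes) -> dict:
    """Find, decrypt and verify the Rich header of an image's first bytes."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    rich_off = data.find(RICH, 0x40, e_lfanew)
    if rich_off < 0:
        raise ValueError("no Rich marker before the PE header")
    key = struct.unpack_from("<I", data, rich_off + 4)[0]
    words, off = [], rich_off - 4
    while off >= 0x40:                         # walk back, decrypting, until DanS
        word = struct.unpack_from("<I", data, off)[0] ^ key
        if word == DANS:
            break
        words.append(word)
        off -= 4
    else:
        raise ValueError("DanS marker not found")
    words.reverse()                            # DanS is followed by 3 padding dwords
    if words[:3] != [0, 0, 0] or len(words) % 2 == 0:
        raise ValueError("malformed Rich header")
    pairs = zip(words[3::2], words[4::2])      # (comp.id, count) pairs
    entries = [(cid >> 16, cid & 0xFFFF, count) for cid, count in pairs]
    return {"key": key, "dans_offset": off, "rich_offset": rich_off,
            "entries": entries,
            "key_valid": rich_checksum(data, off, entries) == key}


def describe(info: dict) -> list:
    return [f"{PRODID_NAMES.get(p, f'prodid {p}')} build {b}: {c} object(s)"
            for p, b, c in info["entries"]]


def build_sample(entries, dans_off=0x80, e_lfanew=0xE8) -> bytes:
    """CONSTRUCTED header: MZ stub, Rich header for `entries` with a
    self-consistent key, zero padding, then the PE signature."""
    dos = bytearray(dans_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    key = rich_checksum(dos, dans_off, entries)
    plain = [DANS, 0, 0, 0]
    for prodid, build, count in entries:
        plain += [(prodid << 16) | build, count]
    body = b"".join(struct.pack("<I", w ^ key) for w in plain)
    data = bytes(dos) + body + RICH + struct.pack("<I", key)
    assert len(data) <= e_lfanew, "Rich header overruns e_lfanew"
    return data.ljust(e_lfanew, b"\0") + b"PE\0\0"


if __name__ == "__main__":
    info = parse_rich(build_sample(SAMPLE_ENTRIES))
    print(f"XOR key 0x{info['key']:08x}, verifies: {info['key_valid']}")
    for line in describe(info):
        print("  " + line)
```

On a real file, pass the first few hundred bytes (everything up to e_lfanew) to `parse_rich`. A `key_valid` of False is the signal to care about: the linker writes the key as the checksum of exactly the bytes the function walks, so any later edit to the DOS stub or the entries, including a Rich header copied in from another binary to impersonate its toolchain, breaks the match.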