f315be41d9765d69ad60f0b4d29e4300

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2017-Aug-21 16:39:06
Detected languages English - United States
Korean - Korea
Comments
CompanyName Microsoft Corporation
FileDescription Extensible Wizard Type Plugin for DUI
FileVersion 10.0.10586.0 (th2_release.151029-1700)
InternalName xwtpdui.dll
LegalCopyright Copyright ⓒ 2017
LegalTrademarks
OriginalFilename xwtpdui.dll.mui
PrivateBuild
ProductName xwtpdui.dll.mui
ProductVersion xwtpdui.dll.mui
SpecialBuild

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ v6.0 DLL
Microsoft Visual C++ 6.0 DLL (Debug)
Microsoft Visual C++ 6.0 - 8.0
Microsoft Visual C++ 6.0 DLL
Info Cryptographic algorithms detected in the binary: Uses constants related to CRC32
Uses constants related to MD5
Uses constants related to SHA1
Suspicious The PE contains functions most legitimate programs don't use. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
Enumerates local disk drives:
  • GetVolumeInformationW
Malicious VirusTotal score: 42/69 (Scanned on 2019-09-09 06:40:04)
MicroWorld-eScan: Gen:Variant.Graftor.487501
McAfee: Trojan-HidCobra
Cylance: Unsafe
K7AntiVirus: Trojan ( 0052cf421 )
Alibaba: Trojan:Win32/Autophyte.7219d415
K7GW: Trojan ( 0052cf421 )
CrowdStrike: win/malicious_confidence_100% (W)
TrendMicro: TROJ_GEN.R002C0DI819
F-Prot: W32/Trojan3.AOLD
Symantec: Trojan.Gen.MBT
Avast: Win32:Dh-A [Heur]
Kaspersky: HEUR:Trojan.Win32.Generic
BitDefender: Gen:Variant.Graftor.487501
Paloalto: generic.ml
AegisLab: Trojan.Win32.Generic.4!c
Tencent: Win32.Trojan.Generic.Dzsv
Endgame: malicious (high confidence)
Emsisoft: Gen:Variant.Graftor.487501 (B)
F-Secure: Trojan.TR/NukeSped.cllrw
McAfee-GW-Edition: BehavesLike.Win32.PWSYunsip.ch
Fortinet: W32/NukeSped.AU!tr
Trapmine: suspicious.low.ml.score
FireEye: Gen:Variant.Graftor.487501
Sophos: Mal/Generic-S
Cyren: W32/Trojan.CTPG-1488
Avira: TR/NukeSped.cllrw
MAX: malware (ai score=100)
Antiy-AVL: Trojan/Win32.Autophyte
Arcabit: Trojan.Graftor.D7704D
ViRobot: Trojan.Win32.S.Agent.147456.APR
ZoneAlarm: HEUR:Trojan.Win32.Generic
Microsoft: Trojan:Win32/Autophyte.E!dha
AhnLab-V3: Trojan/Win32.Agent.C3464073
ALYac: Trojan.Nukesped.A
Ad-Aware: Gen:Variant.Graftor.487501
ESET-NOD32: a variant of Win32/NukeSped.AU
TrendMicro-HouseCall: TROJ_GEN.R002C0DI819
Ikarus: Trojan.Win32.NukeSped
GData: Gen:Variant.Graftor.487501
AVG: Win32:Dh-A [Heur]
Panda: Trj/GdSda.A
Qihoo-360: Win32/Trojan.e04

Hashes

MD5 f315be41d9765d69ad60f0b4d29e4300
SHA1 f60c2bd78436a14e35a7e85feccb319d3cc040eb
SHA256 fe43bc385b30796f5e2d94dfa720903c70e66bc91dfdcfb2f3986a1fea3fe8c5
SHA3 846b3d809a79576075c4e99046e403e330ebab226c3fbacfea90733195b7327b
SSDeep 3072:pQWbIWSG5bzxbT33FiDZWTNArLioB4Gwhes:pR3SGtJ33YDZWTNMLiGah
Imports Hash 00c4520b07e61d244e7e7b942ebae39f

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe8

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2017-Aug-21 16:39:06
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED

Image Optional Header

Magic PE32
LinkerVersion 6.0
SizeOfCode 0x1c000
SizeOfInitializedData 0xa000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0001C85A (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x1d000
ImageBase 0x10000000
SectionAlignment 0x1000
FileAlignment 0x1000
OperatingSystemVersion 4.0
ImageVersion 0.0
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x27000
SizeOfHeaders 0x1000
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 cd39ffb10726106d9b85172804784b97
SHA1 cf00fdc973bf751436d06741366181479a20fb0b
SHA256 2d84473df700efce0f16b4f531a541ef7aa8e0a5293e5a600ffd67901fb22d17
SHA3 c7cb5455e02a1bcd7007f7a632e0e620b02f29cae1f3f5e157abeaede4e51ecc
VirtualSize 0x1ba30
VirtualAddress 0x1000
SizeOfRawData 0x1c000
PointerToRawData 0x1000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.62084

.rdata

MD5 3ab93f20dc7859f5510efbf121790dd7
SHA1 588d3b66a613cd7dcc2fb4f8b752c56219fa7361
SHA256 f5e8a5898282132e3a63f9012f329f9a2a1b636b889a3ac97f6ade7833541571
SHA3 43483e9ac6399aa43d8f3942a1edd3fdbf2bb46f18a67eca405089804645756e
VirtualSize 0x37a2
VirtualAddress 0x1d000
SizeOfRawData 0x4000
PointerToRawData 0x1d000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.99169

.data

MD5 9fdf9be0cd049c58cb3718927458e69c
SHA1 d1dd24e8aa0a7e4087bb64eef6d6fadc367685d7
SHA256 d498f4c662f80ff1bc4b5f4defb73d8514e42828805c9517f532dc5602630892
SHA3 52d83125875ba5db4074033dcf7dbf33c43862dab1bc96904f5961f77d8e2369
VirtualSize 0x36e4
VirtualAddress 0x21000
SizeOfRawData 0x1000
PointerToRawData 0x21000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.88083

.rsrc

MD5 330d3d9d2c3c1a342547cea468095f2a
SHA1 688ae9cd2bd5a654c4451cc41f0829dd4acec3b4
SHA256 64849c5f5618e73bb00f78f7a4dfba50cac5ae095c689e11aa6a9aa8a1936d84
SHA3 9c4ad2f9d3ce9c80419bb82f1281539b24d46cb6e2c3ff150df8dd0775471d22
VirtualSize 0x438
VirtualAddress 0x25000
SizeOfRawData 0x1000
PointerToRawData 0x22000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 1.13803

.reloc

MD5 cefd737bf48bc8375f92c8f7d9755e3a
SHA1 156e7be7125f83a0fec728e6273f0b9423c3446c
SHA256 f95b528a19b4866eab0d39b0cd56f865f433f2ba3072923a41f84d6c0985bcde
SHA3 6afa6943e1ca7147a5aef629a470740c78c05b03ea10f2e7e49a35cc9acaab33
VirtualSize 0xd94
VirtualAddress 0x26000
SizeOfRawData 0x1000
PointerToRawData 0x23000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 5.22155
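
The five section headers above can be cross-checked against each other and against the optional header without the file itself. The following Python is an added example written for this page, not output of the analysis tool and not code from the sample: it transcribes the section table as printed, recomputes the file size the table implies (0x24000 = 147456 bytes, the same number that appears in the ViRobot detection name), checks SizeOfImage against the last section, resolves the entry point to its section, and flags the layout conditions an analyst looks for (entry point outside an executable section, overlapping raw data, writable-and-executable sections, VirtualSize larger than the raw data). The entropy function is the same metric as the per-section Entropy lines, but since the bytes are not on the page it is exercised on constructed input only.

```python
import math
from collections import Counter

# Values transcribed from the Image Optional Header and section headers above.
SECTION_ALIGNMENT = 0x1000
SIZE_OF_HEADERS = 0x1000
SIZE_OF_IMAGE = 0x27000
ENTRY_POINT_RVA = 0x1C85A

# (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData, characteristics)
REPORT_SECTIONS = [
    (".text",  0x1000,  0x1BA30, 0x1000,  0x1C000, {"CODE", "EXECUTE", "READ"}),
    (".rdata", 0x1D000, 0x37A2,  0x1D000, 0x4000,  {"INITIALIZED_DATA", "READ"}),
    (".data",  0x21000, 0x36E4,  0x21000, 0x1000,  {"INITIALIZED_DATA", "READ", "WRITE"}),
    (".rsrc",  0x25000, 0x438,   0x22000, 0x1000,  {"INITIALIZED_DATA", "READ"}),
    (".reloc", 0x26000, 0xD94,   0x23000, 0x1000,  {"INITIALIZED_DATA", "DISCARDABLE", "READ"}),
]


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant input, 8.0 for uniformly distributed bytes.
    This is the metric behind the per-section Entropy figures in the report."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def expected_file_size(sections, size_of_headers):
    """Smallest file that can hold the headers and every section's raw data."""
    return max([size_of_headers] + [raw + size for _, _, _, raw, size, _ in sections])


def expected_image_size(sections, alignment):
    """SizeOfImage the loader expects: end of the highest section, rounded up."""
    name, va, vsize, _, _, _ = max(sections, key=lambda s: s[1])
    return align_up(va + vsize, alignment)


def section_for_rva(sections, rva):
    for name, va, vsize, _, _, _ in sections:
        if va <= rva < va + vsize:
            return name
    return None


def layout_findings(sections, entry_rva, size_of_image, alignment):
    """Header-consistency checks that need only the section table."""
    findings = []
    ep_section = section_for_rva(sections, entry_rva)
    if ep_section is None:
        findings.append("entry point lies outside every section")
    else:
        flags = next(s[5] for s in sections if s[0] == ep_section)
        if "EXECUTE" not in flags:
            findings.append(f"entry point in non-executable section {ep_section}")
    if expected_image_size(sections, alignment) != size_of_image:
        findings.append("SizeOfImage does not match the section table")
    # Raw data ranges must not overlap on disk.
    spans = sorted((raw, raw + size, name) for name, _, _, raw, size, _ in sections if size)
    for (a0, a1, an), (b0, b1, bn) in zip(spans, spans[1:]):
        if b0 < a1:
            findings.append(f"raw data of {an} and {bn} overlap")
    for name, _, vsize, _, raw_size, flags in sections:
        if "EXECUTE" in flags and "WRITE" in flags:
            findings.append(f"{name} is writable and executable")
        if vsize > raw_size:
            # Normal for .data (uninitialised tail), worth a look for a code section.
            findings.append(f"{name}: VirtualSize 0x{vsize:x} > SizeOfRawData 0x{raw_size:x} "
                            "(zero-filled tail in memory)")
    return findings


if __name__ == "__main__":
    print(f"expected file size: 0x{expected_file_size(REPORT_SECTIONS, SIZE_OF_HEADERS):x}")
    print(f"expected SizeOfImage: 0x{expected_image_size(REPORT_SECTIONS, SECTION_ALIGNMENT):x}")
    print(f"entry point section: {section_for_rva(REPORT_SECTIONS, ENTRY_POINT_RVA)}")
    for line in layout_findings(REPORT_SECTIONS, ENTRY_POINT_RVA, SIZE_OF_IMAGE, SECTION_ALIGNMENT):
        print("finding:", line)
    # Constructed bytes, since the sample itself is not on the page.
    print("entropy of 4 KiB of zeros:", shannon_entropy(b"\x00" * 4096))
    print("entropy of all 256 byte values:", shannon_entropy(bytes(range(256))))
```

For this table the only finding is the .data section's VirtualSize exceeding its raw size, which a VC6-linked DLL produces routinely; the checks earn their keep on samples whose entry point sits in .rsrc or whose sections overlap.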

Imports

KERNEL32.dll GetProcAddress
LoadLibraryA
LocalFree
CloseHandle
GetModuleHandleW
GetVolumeInformationW
Module32FirstW
CreateToolhelp32Snapshot
FileTimeToLocalFileTime
GetTickCount
GetSystemInfo
GetVersionExW
WideCharToMultiByte
CreateDirectoryW
Sleep
CopyFileW
FileTimeToSystemTime
GetACP
lstrlenW
FindFirstFileW
FindNextFileW
GetLastError
FindClose
UnmapViewOfFile
WriteFile
GetCurrentProcess
DuplicateHandle
CreateFileW
CreateFileMappingW
MapViewOfFile
GetFileType
GetFileInformationByHandle
GetSystemTime
GetLocalTime
SystemTimeToFileTime
GetFileSize
SetFilePointer
ReadFile
FileTimeToDosDateTime
USER32.dll GetSystemMetrics
wsprintfW
SHLWAPI.dll wnsprintfW
MSVCRT.dll __CxxFrameHandler
wcstombs
fclose
srand
_wfopen
wcsrchr
memcpy
strlen
memset
memmove
memcmp
malloc
strstr
sscanf
localtime
time
mktime
??2@YAPAXI@Z
_EH_prolog
strcat
strcpy
_stricmp
_tzset
__dllonexit
_onexit
_initterm
_adjust_fdiv
rand
wcscmp
wcschr
_wcsicmp
wcsncpy
swprintf
_wtoi
wcscat
_waccess
wcscpy
wcslen
wcsncmp
free
strncmp
??3@YAXPAX@Z
fwprintf
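
The Imports Hash in the Hashes section is an import hash (imphash): an MD5 over the import table's "dll.function" pairs, lower-cased and in table order, so that samples linked from the same source tree hash alike even when their file hashes differ. The Python below is an added example written for this page, not the analysis tool's own implementation: it transcribes the import list printed above, computes the pefile-style imphash over it, and groups the imported APIs into the capabilities the Plugin Output calls out (dynamic resolution, module enumeration, file-system survey and so on). The capability groups are an assumption of this example, not a taxonomy the report uses; the known-ordinal lookup that pefile applies to ws2_32 and oleaut32 ordinals is omitted because this sample imports by name only.

```python
import hashlib

# Import table transcribed from the report above, in import-table order.
REPORT_IMPORTS = [
    ("KERNEL32.dll",
     "GetProcAddress LoadLibraryA LocalFree CloseHandle GetModuleHandleW "
     "GetVolumeInformationW Module32FirstW CreateToolhelp32Snapshot "
     "FileTimeToLocalFileTime GetTickCount GetSystemInfo GetVersionExW "
     "WideCharToMultiByte CreateDirectoryW Sleep CopyFileW FileTimeToSystemTime "
     "GetACP lstrlenW FindFirstFileW FindNextFileW GetLastError FindClose "
     "UnmapViewOfFile WriteFile GetCurrentProcess DuplicateHandle CreateFileW "
     "CreateFileMappingW MapViewOfFile GetFileType GetFileInformationByHandle "
     "GetSystemTime GetLocalTime SystemTimeToFileTime GetFileSize SetFilePointer "
     "ReadFile FileTimeToDosDateTime".split()),
    ("USER32.dll", "GetSystemMetrics wsprintfW".split()),
    ("SHLWAPI.dll", "wnsprintfW".split()),
    ("MSVCRT.dll",
     "__CxxFrameHandler wcstombs fclose srand _wfopen wcsrchr memcpy strlen memset "
     "memmove memcmp malloc strstr sscanf localtime time mktime ??2@YAPAXI@Z "
     "_EH_prolog strcat strcpy _stricmp _tzset __dllonexit _onexit _initterm "
     "_adjust_fdiv rand wcscmp wcschr _wcsicmp wcsncpy swprintf _wtoi wcscat "
     "_waccess wcscpy wcslen wcsncmp free strncmp ??3@YAXPAX@Z fwprintf".split()),
]

# Value printed under Hashes above, for comparison.
REPORTED_IMPHASH = "00c4520b07e61d244e7e7b942ebae39f"

# Heuristic capability groups chosen for this example (not from the report).
CAPABILITY_GROUPS = {
    "dynamic API resolution": {"GetProcAddress", "LoadLibraryA"},
    "process/module enumeration": {"CreateToolhelp32Snapshot", "Module32FirstW"},
    "file-system survey": {"FindFirstFileW", "FindNextFileW", "GetVolumeInformationW",
                           "GetFileInformationByHandle", "GetFileSize"},
    "file staging/copy": {"CopyFileW", "CreateDirectoryW", "CreateFileW", "WriteFile"},
    "memory-mapped file access": {"CreateFileMappingW", "MapViewOfFile", "UnmapViewOfFile"},
    "timestamp handling": {"FileTimeToSystemTime", "SystemTimeToFileTime",
                           "FileTimeToLocalFileTime", "FileTimeToDosDateTime"},
}


def imphash(imports):
    """pefile-compatible import hash: MD5 over comma-joined 'lib.func' entries,
    lower-cased, with .dll/.ocx/.sys stripped from the library name."""
    parts = []
    for dll, symbols in imports:
        lib = dll.lower()
        stem, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = stem
        for sym in symbols:
            # Ordinal imports hash as 'ordN' (pefile's known-ordinal tables omitted here).
            name = f"ord{sym}" if isinstance(sym, int) else sym.lower()
            parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def import_count(imports):
    return sum(len(symbols) for _, symbols in imports)


def capabilities(imports, groups=CAPABILITY_GROUPS):
    """Map each capability group to the imported APIs that fall into it."""
    present = {sym for _, symbols in imports for sym in symbols if isinstance(sym, str)}
    return {label: sorted(present & apis) for label, apis in groups.items() if present & apis}


if __name__ == "__main__":
    computed = imphash(REPORT_IMPORTS)
    verdict = "matches report" if computed == REPORTED_IMPHASH else "differs from report"
    print(f"{import_count(REPORT_IMPORTS)} imports, imphash {computed} ({verdict})")
    for label, apis in capabilities(REPORT_IMPORTS).items():
        print(f"  {label}: {', '.join(apis)}")
```

A mismatch against the reported value usually means the two tools disagree on entry order or on how ordinals are named, not that the import table differs; compare against the same tool's output across samples when pivoting.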

Delayed Imports

1

Type RT_VERSION
Language Korean - Korea
Codepage UNKNOWN
Size 0x3d8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.4956
MD5 e5fae483b7334e69e5366765849eccfa
SHA1 b7f8642dc90d595f6901ff1f39f4bba010eb2cae
SHA256 697b331bb3fe296167c5ea6f20ffceae684041d42d81f4d21e0ff3e93b142f12
SHA3 ca69c3df14c4517923a6e5400c5e2be4cb1f7f82139cf26e155977d4fd875acb

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 10.0.10586.0
ProductVersion 10.0.10586.0
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_DLL
Language English - United States
Comments
CompanyName Microsoft Corporation
FileDescription Extensible Wizard Type Plugin for DUI
FileVersion (#2) 10.0.10586.0 (th2_release.151029-1700)
InternalName xwtpdui.dll
LegalCopyright Copyright ⓒ 2017
LegalTrademarks
OriginalFilename xwtpdui.dll.mui
PrivateBuild
ProductName xwtpdui.dll.mui
ProductVersion (#2) xwtpdui.dll.mui
SpecialBuild
Resource LangID Korean - Korea
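
The version resource claims a Microsoft Windows 10 component (FileVersion 10.0.10586.0, build tag th2_release.151029-1700) and a .mui OriginalFilename, while the PE headers show a 6.0 linker, a 2017 compile timestamp and 0x1c000 bytes of code. The Python below is an added example written for this page, not the analysis tool's own check: it transcribes those fields, parses the build date out of the version string, and returns the inconsistencies as named indicators. The thresholds (a build tag more than a year older than the link timestamp; a 10.x Windows version paired with a pre-14.0 linker; a .mui name on an image that carries code) are this example's own heuristics, and a genuine Windows binary would also carry an Authenticode signature, which this report does not show either way.

```python
import re
from datetime import date

# Fields transcribed from the Version Info and PE headers above.
REPORT_VERSION_INFO = {
    "CompanyName": "Microsoft Corporation",
    "FileDescription": "Extensible Wizard Type Plugin for DUI",
    "FileVersion": "10.0.10586.0 (th2_release.151029-1700)",
    "InternalName": "xwtpdui.dll",
    "OriginalFilename": "xwtpdui.dll.mui",
    "LegalCopyright": "Copyright ⓒ 2017",
}
REPORT_LINKER_VERSION = (6, 0)
REPORT_COMPILE_DATE = date(2017, 8, 21)
REPORT_HAS_CODE_SECTION = True  # .text: 0x1c000 bytes of raw data

# Windows build tags look like "(branch.YYMMDD-HHMM)".
BUILD_TAG = re.compile(r"\((?P<branch>[^.()]+)\.(?P<yy>\d{2})(?P<mm>\d{2})(?P<dd>\d{2})-\d{4}\)")


def build_date_from_file_version(file_version):
    """Date encoded in a Windows build tag, or None if the string has none."""
    m = BUILD_TAG.search(file_version)
    if not m:
        return None
    return date(2000 + int(m["yy"]), int(m["mm"]), int(m["dd"]))


def major_version(file_version):
    head = file_version.split(".")[0]
    return int(head) if head.isdigit() else 0


def version_info_indicators(vi, linker_version, compile_date, has_code, max_lag_days=365):
    """Heuristic cross-checks between the version resource and the PE headers."""
    found = {}
    file_version = vi.get("FileVersion", "")
    build = build_date_from_file_version(file_version)
    if build is not None and (compile_date - build).days > max_lag_days:
        found["stale_build_tag"] = f"build tag dated {build}, image linked {compile_date}"
    if "microsoft" in vi.get("CompanyName", "").lower() and major_version(file_version) >= 10 \
            and linker_version < (14, 0):
        found["linker_mismatch"] = (f"Windows 10-era FileVersion but linker "
                                    f"{linker_version[0]}.{linker_version[1]}")
    if vi.get("OriginalFilename", "").lower().endswith(".mui") and has_code:
        found["mui_with_code"] = "claims to be a resource-only .mui but has an executable section"
    return found


if __name__ == "__main__":
    for key, detail in version_info_indicators(REPORT_VERSION_INFO, REPORT_LINKER_VERSION,
                                               REPORT_COMPILE_DATE, REPORT_HAS_CODE_SECTION).items():
        print(f"{key}: {detail}")
```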

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0x64e836d9
Unmarked objects 0
14 (7299) 5
12 (7291) 3
Imports (VS2003 (.NET) build 4035) 7
Total imports 111
C objects (VS98 build 8168) 19
C++ objects (VS98 build 8168) 10
Resource objects (VS98 cvtres build 1720) 1
Linker (VS98 build 8168) 3

Errors