Manalyze report for f315be41d9765d69ad60f0b4d29e4300

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2017-Aug-21 16:39:06
Detected languages	English - United States Korean - Korea
Comments
CompanyName	Microsoft Corporation
FileDescription	Extensible Wizard Type Plugin for DUI
FileVersion	`10.0.10586.0 (th2_release.151029-1700)`
InternalName	xwtpdui.dll
LegalCopyright	Copyright ⓒ 2017
LegalTrademarks
OriginalFilename	xwtpdui.dll.mui
PrivateBuild
ProductName	xwtpdui.dll.mui
ProductVersion	`xwtpdui.dll.mui`
SpecialBuild

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ v6.0 DLL` `Microsoft Visual C++ 6.0 DLL (Debug)` `Microsoft Visual C++ 6.0 - 8.0` `Microsoft Visual C++ 6.0 DLL`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to MD5` `Uses constants related to SHA1`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryA` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot` `Enumerates local disk drives: GetVolumeInformationW`
Malicious	VirusTotal score: 53/70 (Scanned on 2019-12-12 06:35:35)	`MicroWorld-eScan: Gen:Variant.Graftor.487501` `CAT-QuickHeal: Trojan.Generic` `ALYac: Trojan.Nukesped.A` `Cylance: Unsafe` `Zillya: Trojan.NukeSped.Win32.161` `Sangfor: Malware` `K7AntiVirus: Trojan ( 0052cf421 )` `Alibaba: Trojan:Win32/Autophyte.dd617905` `K7GW: Trojan ( 0052cf421 )` `CrowdStrike: win/malicious_confidence_100% (W)` `TrendMicro: BKDR_HOPLIGHT.ZKGJ` `BitDefenderTheta: Gen:NN.ZedlaF.33548.ju8@aG4CQCdG` `Cyren: W32/Trojan.CTPG-1488` `Symantec: Trojan Horse` `ESET-NOD32: a variant of Win32/NukeSped.AU` `TrendMicro-HouseCall: BKDR_HOPLIGHT.ZKGJ` `Paloalto: generic.ml` `ClamAV: Win.Trojan.HiddenCobra-7402602-0` `Kaspersky: HEUR:Trojan.Win32.Generic` `BitDefender: Gen:Variant.Graftor.487501` `Avast: FileRepMalware` `Endgame: malicious (high confidence)` `Sophos: Troj/NukeSpe-D` `Comodo: Malware@#2qmxvr3gy50vq` `F-Secure: Trojan.TR/AD.APTLazerus.ifaaj` `VIPRE: Trojan.Win32.Generic!BT` `McAfee-GW-Edition: Trojan-HidCobra` `Trapmine: suspicious.low.ml.score` `FireEye: Gen:Variant.Graftor.487501` `Emsisoft: Gen:Variant.Graftor.487501 (B)` `Ikarus: Trojan.Win32.NukeSped` `F-Prot: W32/Trojan3.AOLD` `Jiangmin: Trojan.Generic.eabws` `Webroot: W32.Trojan.Gen` `Avira: TR/AD.APTLazerus.ifaaj` `Antiy-AVL: Trojan/Win32.Autophyte` `Microsoft: Trojan:Win32/Autophyte.E!dha` `Arcabit: Trojan.Graftor.D7704D` `ViRobot: Trojan.Win32.S.Agent.147456.APR` `ZoneAlarm: HEUR:Trojan.Win32.Generic` `GData: Gen:Variant.Graftor.487501` `AhnLab-V3: Trojan/Win32.Agent.C3464073` `McAfee: Trojan-HidCobra` `MAX: malware (ai score=100)` `VBA32: BScope.Trojan.Autophyte` `Malwarebytes: Trojan.NukeSped` `Yandex: Trojan.Agent!KBRo0JOtvGU` `MaxSecure: Trojan.Malware.7164915.susgen` `Fortinet: W32/NukeSped.AU!tr` `Ad-Aware: Gen:Variant.Graftor.487501` `AVG: FileRepMalware` `Panda: Generic Malware` `Qihoo-360: Win32/Trojan.e04`

Hashes

MD5	`f315be41d9765d69ad60f0b4d29e4300`
SHA1	`f60c2bd78436a14e35a7e85feccb319d3cc040eb`
SHA256	`fe43bc385b30796f5e2d94dfa720903c70e66bc91dfdcfb2f3986a1fea3fe8c5`
SHA3	`846b3d809a79576075c4e99046e403e330ebab226c3fbacfea90733195b7327b`
SSDeep	`3072:pQWbIWSG5bzxbT33FiDZWTNArLioB4Gwhes:pR3SGtJ33YDZWTNMLiGah`
Imports Hash	`00c4520b07e61d244e7e7b942ebae39f`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2017-Aug-21 16:39:06
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x1c000`
SizeOfInitializedData	`0xa000`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0001C85A (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x1d000`
ImageBase	`0x10000000`
SectionAlignment	`0x1000`
FileAlignment	`0x1000`
OperatingSystemVersion	`4.0`
ImageVersion	`0.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x27000`
SizeOfHeaders	`0x1000`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`cd39ffb10726106d9b85172804784b97`
SHA1	`cf00fdc973bf751436d06741366181479a20fb0b`
SHA256	`2d84473df700efce0f16b4f531a541ef7aa8e0a5293e5a600ffd67901fb22d17`
SHA3	`c7cb5455e02a1bcd7007f7a632e0e620b02f29cae1f3f5e157abeaede4e51ecc`
VirtualSize	`0x1ba30`
VirtualAddress	`0x1000`
SizeOfRawData	`0x1c000`
PointerToRawData	`0x1000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.62084`

.rdata

MD5	`3ab93f20dc7859f5510efbf121790dd7`
SHA1	`588d3b66a613cd7dcc2fb4f8b752c56219fa7361`
SHA256	`f5e8a5898282132e3a63f9012f329f9a2a1b636b889a3ac97f6ade7833541571`
SHA3	`43483e9ac6399aa43d8f3942a1edd3fdbf2bb46f18a67eca405089804645756e`
VirtualSize	`0x37a2`
VirtualAddress	`0x1d000`
SizeOfRawData	`0x4000`
PointerToRawData	`0x1d000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.99169`

.data

MD5	`9fdf9be0cd049c58cb3718927458e69c`
SHA1	`d1dd24e8aa0a7e4087bb64eef6d6fadc367685d7`
SHA256	`d498f4c662f80ff1bc4b5f4defb73d8514e42828805c9517f532dc5602630892`
SHA3	`52d83125875ba5db4074033dcf7dbf33c43862dab1bc96904f5961f77d8e2369`
VirtualSize	`0x36e4`
VirtualAddress	`0x21000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x21000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.88083`

.rsrc

MD5	`330d3d9d2c3c1a342547cea468095f2a`
SHA1	`688ae9cd2bd5a654c4451cc41f0829dd4acec3b4`
SHA256	`64849c5f5618e73bb00f78f7a4dfba50cac5ae095c689e11aa6a9aa8a1936d84`
SHA3	`9c4ad2f9d3ce9c80419bb82f1281539b24d46cb6e2c3ff150df8dd0775471d22`
VirtualSize	`0x438`
VirtualAddress	`0x25000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x22000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`1.13803`

.reloc

MD5	`cefd737bf48bc8375f92c8f7d9755e3a`
SHA1	`156e7be7125f83a0fec728e6273f0b9423c3446c`
SHA256	`f95b528a19b4866eab0d39b0cd56f865f433f2ba3072923a41f84d6c0985bcde`
SHA3	`6afa6943e1ca7147a5aef629a470740c78c05b03ea10f2e7e49a35cc9acaab33`
VirtualSize	`0xd94`
VirtualAddress	`0x26000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x23000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.22155`

Imports

KERNEL32.dll	`GetProcAddress` `LoadLibraryA` `LocalFree` `CloseHandle` `GetModuleHandleW` `GetVolumeInformationW` `Module32FirstW` `CreateToolhelp32Snapshot` `FileTimeToLocalFileTime` `GetTickCount` `GetSystemInfo` `GetVersionExW` `WideCharToMultiByte` `CreateDirectoryW` `Sleep` `CopyFileW` `FileTimeToSystemTime` `GetACP` `lstrlenW` `FindFirstFileW` `FindNextFileW` `GetLastError` `FindClose` `UnmapViewOfFile` `WriteFile` `GetCurrentProcess` `DuplicateHandle` `CreateFileW` `CreateFileMappingW` `MapViewOfFile` `GetFileType` `GetFileInformationByHandle` `GetSystemTime` `GetLocalTime` `SystemTimeToFileTime` `GetFileSize` `SetFilePointer` `ReadFile` `FileTimeToDosDateTime`
USER32.dll	`GetSystemMetrics` `wsprintfW`
SHLWAPI.dll	`wnsprintfW`
MSVCRT.dll	`__CxxFrameHandler` `wcstombs` `fclose` `srand` `_wfopen` `wcsrchr` `memcpy` `strlen` `memset` `memmove` `memcmp` `malloc` `strstr` `sscanf` `localtime` `time` `mktime` `??2@YAPAXI@Z` `_EH_prolog` `strcat` `strcpy` `_stricmp` `_tzset` `__dllonexit` `_onexit` `_initterm` `_adjust_fdiv` `rand` `wcscmp` `wcschr` `_wcsicmp` `wcsncpy` `swprintf` `_wtoi` `wcscat` `_waccess` `wcscpy` `wcslen` `wcsncmp` `free` `strncmp` `??3@YAXPAX@Z` `fwprintf`

Delayed Imports

1

Type	`RT_VERSION`
Language	Korean - Korea
Codepage	UNKNOWN
Size	`0x3d8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.4956`
MD5	`e5fae483b7334e69e5366765849eccfa`
SHA1	`b7f8642dc90d595f6901ff1f39f4bba010eb2cae`
SHA256	`697b331bb3fe296167c5ea6f20ffceae684041d42d81f4d21e0ff3e93b142f12`
SHA3	`ca69c3df14c4517923a6e5400c5e2be4cb1f7f82139cf26e155977d4fd875acb`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	10.0.10586.0
ProductVersion	10.0.10586.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_DLL`
Language	English - United States
Comments
CompanyName	Microsoft Corporation
FileDescription	Extensible Wizard Type Plugin for DUI
FileVersion (#2)	10.0.10586.0 (th2_release.151029-1700)
InternalName	xwtpdui.dll
LegalCopyright	Copyright ⓒ 2017
LegalTrademarks
OriginalFilename	xwtpdui.dll.mui
PrivateBuild
ProductName	xwtpdui.dll.mui
ProductVersion (#2)	xwtpdui.dll.mui
SpecialBuild

Resource LangID	Korean - Korea

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x64e836d9`
Unmarked objects	`0`
14 (7299)	`5`
12 (7291)	`3`
Imports (VS2003 (.NET) build 4035)	`7`
Total imports	`111`
C objects (VS98 build 8168)	`19`
C++ objects (VS98 build 8168)	`10`
Resource objects (VS98 cvtres build 1720)	`1`
Linker (VS98 build 8168)	`3`

f315be41d9765d69ad60f0b4d29e4300

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.rsrc

.reloc

Imports

Delayed Imports

1

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors