Architecture | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 2068-Jun-21 06:07:02 |
Detected languages | English - United States |
Debug artifacts | wextract.pdb |
CompanyName | Microsoft Corporation |
FileDescription | Win32 Cabinet Self-Extractor |
FileVersion | 11.00.18362.1 (WinBuild.160101.0800) |
InternalName | Wextract |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | WEXTRACT.EXE .MUI |
ProductName | Internet Explorer |
ProductVersion | 11.00.18362.1 |
Suspicious | PEiD Signature: FASM 1.5x, FASM v1.5x |
Suspicious | Strings found in the binary may indicate undesirable behavior: Contains references to system / monitoring tools: |
Malicious | The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports: |
Malicious | The PE header may have been manually modified. Resource CABINET detected as a CAB Installer file. The resource timestamps differ from the PE header: |
Info | The PE is digitally signed. Signer: Bright Pattern; Issuer: Go Daddy Secure Certificate Authority - G2 |
Safe | VirusTotal score: 0/68 (Scanned on 2020-08-12 00:48:41) | All the AVs think this file is safe. |
e_magic | MZ |
---|---|
e_cblp | 0x90 |
e_cp | 0x3 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0 |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0 |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0xe8 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 5 |
TimeDateStamp | 2068-Jun-21 06:07:02 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE |
Magic | PE32 |
---|---|
LinkerVersion | 14.0 |
SizeOfCode | 0x6400 |
SizeOfInitializedData | 0x964200 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x00006A00 (Section: .text) |
BaseOfCode | 0x1000 |
BaseOfData | 0x8000 |
ImageBase | 0x400000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | A.0 |
ImageVersion | A.0 |
SubsystemVersion | 6.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x970000 |
SizeOfHeaders | 0x400 |
Checksum | 0x97ab1e |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_GUARD_CF, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
SizeofStackReserve | 0x40000 |
SizeofStackCommit | 0x2000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
ADVAPI32.dll | GetTokenInformation RegDeleteValueA RegOpenKeyExA RegQueryInfoKeyA FreeSid OpenProcessToken RegSetValueExA RegCreateKeyExA LookupPrivilegeValueA AllocateAndInitializeSid RegQueryValueExA EqualSid RegCloseKey AdjustTokenPrivileges |
---|---|
KERNEL32.dll | _lopen _llseek CompareStringA GetLastError GetFileAttributesA GetSystemDirectoryA LoadLibraryA DeleteFileA GlobalAlloc GlobalFree CloseHandle WritePrivateProfileStringA IsDBCSLeadByte GetWindowsDirectoryA SetFileAttributesA GetProcAddress GlobalLock LocalFree RemoveDirectoryA FreeLibrary _lclose CreateDirectoryA GetPrivateProfileIntA GetPrivateProfileStringA GlobalUnlock ReadFile SizeofResource WriteFile GetDriveTypeA lstrcmpA SetFileTime SetFilePointer FindResourceA CreateMutexA GetVolumeInformationA ExpandEnvironmentStringsA GetCurrentDirectoryA FreeResource GetVersion SetCurrentDirectoryA GetTempPathA LocalFileTimeToFileTime CreateFileA SetEvent TerminateThread GetVersionExA LockResource GetSystemInfo CreateThread ResetEvent LoadResource ExitProcess GetModuleHandleW CreateProcessA FormatMessageA GetTempFileNameA DosDateTimeToFileTime CreateEventA GetExitCodeProcess FindNextFileA LocalAlloc GetShortPathNameA MulDiv GetDiskFreeSpaceA EnumResourceLanguagesA GetTickCount GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter TerminateProcess SetUnhandledExceptionFilter UnhandledExceptionFilter GetStartupInfoW Sleep FindClose GetCurrentProcess FindFirstFileA WaitForSingleObject GetModuleFileNameA LoadLibraryExA |
GDI32.dll | GetDeviceCaps |
USER32.dll | SetWindowLongA GetDlgItemTextA DialogBoxIndirectParamA ShowWindow MsgWaitForMultipleObjects SetWindowPos GetDC GetWindowRect DispatchMessageA GetDesktopWindow CharUpperA SetDlgItemTextA ExitWindowsEx MessageBeep EndDialog CharPrevA LoadStringA CharNextA EnableWindow ReleaseDC SetForegroundWindow PeekMessageA GetDlgItem SendMessageA SendDlgItemMessageA MessageBoxA SetWindowTextA GetWindowLongA CallWindowProcA GetSystemMetrics |
msvcrt.dll | _controlfp ?terminate@@YAXXZ _acmdln _initterm __setusermatherr _except_handler4_common memcpy _ismbblead __p__fmode _cexit _exit exit __set_app_type __getmainargs _amsg_exit __p__commode _XcptFilter memcpy_s _vsnprintf memset |
COMCTL32.dll | #17 |
Cabinet.dll | #22 #23 #21 #20 |
VERSION.dll | GetFileVersionInfoA VerQueryValueA GetFileVersionInfoSizeA |
Please select a folder to store the extracted files. |
%s |
Failed to get disk space information from: %s. |
System Message: %s. |
A required resource cannot be located. |
Are you sure you want to cancel? |
Unable to retrieve operating system version information. |
Memory allocation request failed. |
Unable to create extraction thread. |
Cabinet is not valid. |
Filetable full. |
Can not change to destination folder. |
Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup. |
That folder is invalid. Please make sure the folder exists and is writable. |
You must specify a folder with fully qualified pathname or choose Cancel. |
Could not update folder edit box. |
Could not load functions required for browser dialog. |
Could not load Shell32.dll required for browser dialog. |
Error creating process <%s>. Reason: %s |
The cluster size in this system is not supported. |
A required resource appears to be corrupted. |
Windows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation. |
Error loading %s |
GetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used. |
Windows 95 or Windows NT is required to install |
Could not create folder '%s' |
To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue. |
Do you still want to continue? |
Error retrieving Windows folder |
NT Shutdown: OpenProcessToken error. |
NT Shutdown: AdjustTokenPrivileges error. |
NT Shutdown: ExitWindowsEx error. |
Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file. |
The setup program could not retrieve the volume information for drive (%s) . |
System message: %s. |
Setup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again. |
The installation program appears to be damaged or corrupted. Contact the vendor of this application. |
Command line option syntax error. Type Command /? for Help. |
Command line options: |
/Q -- Quiet modes for package, |
/T:<full path> -- Specifies temporary working folder, |
/C -- Extract files only to the folder when used also with /T. |
/C:<Cmd> -- Override Install Command defined by author. |
You must restart your computer before the new settings will take effect. |
Do you want to restart your computer now? |
Another copy of the '%s' package is already running on your system. Do you want to run another copy? |
Could not find the file: %s. |
You do not have administrator privileges on this machine. Some installations cannot be completed correctly unless they are run by an administrator. |
The folder '%s' does not exist. Do you want to create it? |
Another copy of the '%s' package is already running on your system. You can only run one copy at a time. |
The '%s' package is not compatible with the version of Windows you are running. |
The '%s' package is not compatible with the version of the file: %s on your system. |
Signature | 0xfeef04bd |
---|---|
StructVersion | 0x10000 |
FileVersion | 11.0.18362.1 |
ProductVersion | 11.0.18362.1 |
FileFlags | (EMPTY) |
FileOs | VOS_DOS_WINDOWS32, VOS_NT, VOS_NT_WINDOWS32, VOS_WINCE, VOS__WINDOWS32 |
FileType | VFT_APP |
Language | English - United States |
CompanyName | Microsoft Corporation |
FileDescription | Win32 Cabinet Self-Extractor |
FileVersion (#2) | 11.00.18362.1 (WinBuild.160101.0800) |
InternalName | Wextract |
LegalCopyright | © Microsoft Corporation. All rights reserved. |
OriginalFilename | WEXTRACT.EXE .MUI |
ProductName | Internet Explorer |
ProductVersion (#2) | 11.00.18362.1 |
Resource LangID | English - United States |
---|---|
Characteristics | 0 |
---|---|
TimeDateStamp | 2068-Jun-21 06:07:02 |
Version | 0.0 |
SizeofData | 37 |
AddressOfRawData | 0x1474 |
PointerToRawData | 0x874 |
Referenced File | wextract.pdb |
Characteristics | 0 |
---|---|
TimeDateStamp | 2068-Jun-21 06:07:02 |
Version | 0.0 |
SizeofData | 472 |
AddressOfRawData | 0x149c |
PointerToRawData | 0x89c |
Characteristics | 0 |
---|---|
TimeDateStamp | 2068-Jun-21 06:07:02 |
Version | 0.0 |
SizeofData | 36 |
AddressOfRawData | 0x1674 |
PointerToRawData | 0xa74 |
Size | 0xa4 |
---|---|
TimeDateStamp | 1970-Jan-01 00:00:00 |
Version | 0.0 |
GlobalFlagsClear | (EMPTY) |
GlobalFlagsSet | (EMPTY) |
CriticalSectionDefaultTimeout | 0 |
DeCommitFreeBlockThreshold | 0 |
DeCommitTotalFreeThreshold | 0 |
LockPrefixTable | 0 |
MaximumAllocationSize | 0 |
VirtualMemoryThreshold | 0 |
ProcessAffinityMask | 0 |
ProcessHeapFlags | (EMPTY) |
CSDVersion | 0 |
Reserved1 | 0 |
EditList | 0 |
SecurityCookie | 0x408004 |
SEHandlerTable | 0x401470 |
SEHandlerCount | 1 |
GuardCFCheckFunctionPointer | 4235912 |
GuardCFDispatchFunctionPointer | 0 |
GuardCFFunctionTable | 0 |
GuardCFFunctionCount | 0 |
GuardFlags | (EMPTY) |
CodeIntegrity.Flags | 0 |
CodeIntegrity.Catalog | 0 |
CodeIntegrity.CatalogOffset | 0 |
CodeIntegrity.Reserved | 0 |
GuardAddressTakenIatEntryTable | 0 |
GuardAddressTakenIatEntryCount | 0 |
GuardLongJumpTargetTable | 0 |
GuardLongJumpTargetCount | 0 |
XOR Key | 0xf79b7f43 |
---|---|
Unmarked objects | 0 |
C++ objects (26715) | 1 |
ASM objects (26715) | 1 |
C objects (26715) | 20 |
Imports (26715) | 17 |
Total imports | 158 |
264 (26715) | 9 |
Resource objects (26715) | 1 |
Linker (26715) | 1 |