57ae55c31db3b173648820af1cb778df

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2006-Dec-06 23:48:12
Detected languages English - United States
Debug artifacts sfxcab.pdb
CompanyName Microsoft Corporation
FileDescription Self-Extracting Cabinet
FileVersion 6.3.0004.1 built by: dnsrv
InternalName SFXCAB.EXE
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename SFXCAB.EXE
ProductName Microsoft® Windows® Operating System
ProductVersion 6.3.0004.1

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Info Libraries used to perform cryptographic operations: Microsoft's Cryptography API
Malicious The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
Possibly launches other programs:
  • CreateProcessA
Uses Windows's Native API:
  • NtOpenProcessToken
  • NtAdjustPrivilegesToken
  • NtClose
  • NtShutdownSystem
Uses Microsoft's cryptographic API:
  • CryptAcquireContextA
  • CryptGenRandom
  • CryptReleaseContext
Functions related to the privilege level:
  • OpenProcessToken
Enumerates local disk drives:
  • GetDriveTypeA
Can shut the system down or lock the screen:
  • InitiateSystemShutdownA
Info The PE is digitally signed. Signer: Microsoft Corporation
Issuer: Microsoft Code Signing PCA
Safe VirusTotal score: 0/61 (Scanned on 2022-01-07 05:35:19) All the AVs think this file is safe.

Hashes

MD5 57ae55c31db3b173648820af1cb778df
SHA1 0fbccb931eb87efd1597e43df576c48113e913e3
SHA256 b1ab5008e25eb7bd05983391ca6451bf409450d499dde21b2be79bdd836a9134
SHA3 d439a5d82088af1b837d65e2904a2859d80ff72da53b04cf48ced97040977ec3
SSDeep 49152:2BEXWP/WZ1J5Yr+YVDLYLSL/luABDeizs/uaXf5scdW0wlPuUFGEAgjMY92Pk0XU:PGP/8J5oFVDLWSLfTz8uaXxscdpUFGET
Imports Hash a1f6f100bff4507a3332f3f0cdfc24f5

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 3
TimeDateStamp 2006-Dec-06 23:48:12
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP

Image Optional Header

Magic PE32
LinkerVersion 7.2
SizeOfCode 0x8600
SizeOfInitializedData 0x11e00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x000063FF (Section: .text)
BaseOfCode 0x2000
BaseOfData 0xc000
ImageBase 0x1000000
SectionAlignment 0x2000
FileAlignment 0x200
OperatingSystemVersion 5.2
ImageVersion 5.2
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x20000
SizeOfHeaders 0x400
Checksum 0x29abff
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x40000
SizeofStackCommit 0x2000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 44a14be44a250e1ef492067fc5564d0d
SHA1 e6e6b79052d354f886b86f8d50515e9f955e5dbb
SHA256 e568e301bc7ca41090c6b358af97d8ef5bb43cf90fdfe6a8c103ccb94c4c978a
SHA3 bd2ad873002509f9144515acbd13e19679418c08ef35d30255eb3520475ac636
VirtualSize 0x841e
VirtualAddress 0x2000
SizeOfRawData 0x8600
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.509

.data

MD5 3f646014d85d25be486b59e336e77dcd
SHA1 b522ffc6ee8f50d6c79d72e48d3fe7d4d90a918c
SHA256 25303d7f34a3984632680e5492f9dbdc7103d9e791e9ce3063b6097bf12ae22a
SHA3 3e8838ef309f0defef631b942f107644681d46fc3afa5ee7d4977f05a1707517
VirtualSize 0x113f8
VirtualAddress 0xc000
SizeOfRawData 0x200
PointerToRawData 0x8a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.494917

.rsrc

MD5 daeccfe60c40b66a7e980cf7b4015a47
SHA1 e37339a4e242baf8a627aaeee60dcd2f18a5eed1
SHA256 162127a720ff3fb008184678912edbeade887fd49406daab5009020d7519f100
SHA3 2e24422d1749b6f4a40e2b51e32125357689bcd9bfccedcfe9febb7688b08ecc
VirtualSize 0x978
VirtualAddress 0x1e000
SizeOfRawData 0x283400
PointerToRawData 0x8c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 7.99948

Imports

msvcrt.dll __setusermatherr
_initterm
__getmainargs
__initenv
exit
_cexit
_adjust_fdiv
_exit
_c_exit
strncpy
strstr
_strlwr
strrchr
_stricmp
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
_XcptFilter
_snprintf
sprintf
strchr
_strnicmp
_vsnprintf
ADVAPI32.dll InitializeAcl
AddAccessAllowedAce
SetSecurityDescriptorDacl
CryptAcquireContextA
CryptGenRandom
CryptReleaseContext
AllocateAndInitializeSid
OpenProcessToken
GetTokenInformation
GetLengthSid
InitiateSystemShutdownA
InitializeSecurityDescriptor
KERNEL32.dll CreateThread
GetFileSize
ExpandEnvironmentStringsA
CreateProcessA
GetExitCodeProcess
InitializeCriticalSectionAndSpinCount
LocalFileTimeToFileTime
SetFileTime
SetEndOfFile
CreateEventA
QueryDosDeviceA
GetDiskFreeSpaceA
GetSystemTime
QueryPerformanceCounter
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentDirectoryA
GetProcessHeap
CopyFileA
SetFileAttributesA
DosDateTimeToFileTime
SetEvent
GetVersionExA
ReadFile
SetFilePointer
MoveFileExA
RemoveDirectoryA
GetLastError
CreateDirectoryA
GetTickCount
SetErrorMode
FreeLibrary
GetProcAddress
LoadLibraryA
GetSystemDirectoryA
CloseHandle
DeviceIoControl
CreateFileA
GetDriveTypeA
HeapFree
FormatMessageA
LeaveCriticalSection
DeleteFileA
EnterCriticalSection
TerminateProcess
WaitForMultipleObjects
CreateEventW
FindFirstFileA
Sleep
SetEnvironmentVariableA
GetEnvironmentVariableA
WideCharToMultiByte
HeapAlloc
SetLastError
WriteFile
MoveFileA
ExitProcess
DeleteCriticalSection
FlushFileBuffers
WaitForSingleObject
OpenEventA
GetCurrentProcess
GetFileAttributesA
GetCommandLineA
GetModuleFileNameA
FindClose
FindNextFileA
SystemTimeToFileTime
USER32.dll SendDlgItemMessageA
SendMessageA
DialogBoxParamA
MessageBoxA
SetParent
EndDialog
LoadStringA
ShowWindow
ntdll.dll NtOpenProcessToken
NtAdjustPrivilegesToken
NtClose
NtShutdownSystem
COMCTL32.dll #17
SHELL32.dll SHBrowseForFolderA
SHGetPathFromIDListA

Delayed Imports

100

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0x11a
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.0946
MD5 04ccba883037b935de903dda668e26c5
SHA1 5f41961572e94020e3f25c6f8300223019574ed5
SHA256 13a38cc7c81f597a2007b44144ab44a3b721703d524815cc116b702a84a8d3f2
SHA3 09ead59f41d5437b891b1070fe920a6fe55b4b9730349d42ed3c5e8d56278588

107

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0xe0
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.9591
MD5 37927fe0f1be012004644fb2c933a8f3
SHA1 1520d706fb2f6db1c9530a70944fd7f285440523
SHA256 9e2e9f778e912576167b2ccc0c67da0e0f27dbe939092568bd33bb6b78333b6e
SHA3 8843ffd808429499cad210faa432132e79171c9f5f455a1dda8d3bddee4297ad

1

Type RT_STRING
Language English - United States
Codepage UNKNOWN
Size 0x2da
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.27139
MD5 660f040d0410ec28adf49c0f608af397
SHA1 eac2476a260056e0ec4c013ccce3514519ad30de
SHA256 57d4c0ba932b483534452a14ff6dac44a8a9c1ac893c6ac501ee450db97456d9
SHA3 07a946e5b77095d57ea2b0be7c397f87839eb73ef4a1bd7b1412b1cc2d7ac628

1 (#2)

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x378
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.48544
MD5 2349cee4882b7bc6a08c773ef28e138f
SHA1 2174f8abace639735ccba0a397914abcfb0eb6c3
SHA256 953cb5ec7309db5eed2a16daa3906bc2c2b76c5b64b04f95e2c443bc6b13615b
SHA3 6841f5309bef283f198c96b2e50af5a0d1e4e3ed084f941716493912ba7432bb

String Table contents

File is corrupt
Extraction Complete
Extraction Failed
Extracting File:
Choose Directory For Extracted Files
To Directory:
Setup was unable to shutdown system.
Please shutdown your system manually.
Unable to find a volume for file extraction.
Please verify that you have proper permissions.
Unable to find a volume with enough disk space for file extraction.

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 6.3.4.1
ProductVersion 6.3.4.1
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
CompanyName Microsoft Corporation
FileDescription Self-Extracting Cabinet
FileVersion (#2) 6.3.0004.1 built by: dnsrv
InternalName SFXCAB.EXE
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename SFXCAB.EXE
ProductName Microsoft® Windows® Operating System
ProductVersion (#2) 6.3.0004.1
Resource LangID English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2006-Dec-06 23:48:12
Version 0.0
SizeofData 35
AddressOfRawData 0x2740
PointerToRawData 0xb40
Referenced File sfxcab.pdb

TLS Callbacks

Load Configuration

Size 0x48
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x100c028
SEHandlerTable 0x1002770
SEHandlerCount 1

RICH Header

XOR Key 0x121e42a4
Unmarked objects 0
ASM objects (VS2003 (.NET) build 4035) 1
Total imports 125
Imports (VS2003 (.NET) build 4035) 15
C objects (VS2003 (.NET) build 4035) 32
94 (VS2003 (.NET) build 4035) 1
Linker (VS2003 (.NET) build 4035) 1

Errors
