d5f4ab6063b3b3795b1c0f0cf30c7dfb
Summary
| Architecture |
IMAGE_FILE_MACHINE_I386
|
|---|---|
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
| Compilation Date | 1997-Jul-15 11:48:12 |
| Detected languages |
English - United States
|
| Debug artifacts |
exe\wextract.dbg
|
| CompanyName | Microsoft Corporation |
| FileDescription | Win32 Cabinet Self-Extractor |
| FileVersion | 4.71.1015.0 |
| InternalName | Wextract |
| LegalCopyright | Copyright (C) Microsoft Corp. 1995 |
| OriginalFilename | WEXTRACT.EXE |
| ProductName | Microsoft(R) Windows NT(R) Operating System |
| ProductVersion | 4.71.1015.0 |
Plugin Output
| Info | Matching compiler(s): | Microsoft Visual C++ v6.0 SPx |
| Suspicious | Strings found in the binary may indicate undesirable behavior: |
Contains references to system / monitoring tools:
|
| Malicious | The PE contains functions mostly used by malware. |
[!] The program may be hiding some of its imports:
|
| Malicious | The PE header may have been manually modified. |
Resource CABINET detected as a CAB Installer file.
The resource timestamps differ from the PE header:
|
| Info | The PE is digitally signed. |
Signer: Microsoft Corporation
Issuer: Microsoft Code Signing PCA |
| Safe | VirusTotal score: 0/66 (Scanned on 2018-08-06 18:27:12) | All the AVs think this file is safe. |
Hashes
DOS Header
| e_magic | MZ |
|---|---|
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0x80 |
PE Header
| Signature | PE |
|---|---|
| Machine |
IMAGE_FILE_MACHINE_I386
|
| NumberofSections | 3 |
| TimeDateStamp | 1997-Jul-15 11:48:12 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 739 |
| SizeOfOptionalHeader | 0xe0 |
| Characteristics |
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_RELOCS_STRIPPED
|
Image Optional Header
| Magic | PE32 |
|---|---|
| LinkerVersion | 6.0 |
| SizeOfCode | 0x9000 |
| SizeOfInitializedData | 0x4ae00 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x00002723 (Section: .text) |
| BaseOfCode | 0x1000 |
| BaseOfData | 0xa000 |
| ImageBase | 0x1000000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 5.0 |
| ImageVersion | 5.0 |
| SubsystemVersion | 4.0 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x57000 |
| SizeOfHeaders | 0x200 |
| Checksum | 0x5d1f8 |
| Subsystem |
IMAGE_SUBSYSTEM_WINDOWS_GUI
|
| SizeofStackReserve | 0x40000 |
| SizeofStackCommit | 0x1000 |
| SizeofHeapReserve | 0x100000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |
.text
.data
.rsrc
Imports
| ADVAPI32.dll |
RegCloseKey
EqualSid AllocateAndInitializeSid GetTokenInformation OpenProcessToken AdjustTokenPrivileges LookupPrivilegeValueA FreeSid RegDeleteValueA RegOpenKeyExA RegSetValueExA RegQueryValueExA RegCreateKeyExA RegQueryInfoKeyA |
|---|---|
| KERNEL32.dll |
lstrcatA
GetFileAttributesA GetShortPathNameA GetPrivateProfileStringA GetPrivateProfileIntA GetCurrentProcess lstrlenA lstrcmpiA lstrcpyA GetModuleFileNameA FreeLibrary LocalAlloc GetLastError GetSystemDirectoryA LoadLibraryA FindClose FindNextFileA DeleteFileA SetFileAttributesA lstrcmpA FindFirstFileA _lclose _llseek _lopen GetWindowsDirectoryA GetProcAddress RemoveDirectoryA GlobalUnlock GlobalLock GlobalAlloc ExitProcess GetModuleHandleA GetStartupInfoA CloseHandle LoadResource FindResourceA CreateMutexA SetEvent CreateEventA SetCurrentDirectoryA CreateThread ResetEvent TerminateThread GetVersionExA LocalFree GetExitCodeProcess WaitForSingleObject CreateProcessA GetTempPathA FreeResource LockResource SizeofResource CreateFileA ReadFile WriteFile SetFilePointer SetFileTime LocalFileTimeToFileTime DosDateTimeToFileTime GetTempFileNameA GetSystemInfo GetDiskFreeSpaceA GetDriveTypeA lstrcpynA GetVolumeInformationA GetCurrentDirectoryA LoadLibraryExA GetCommandLineA CreateDirectoryA GlobalFree FormatMessageA IsDBCSLeadByte |
| GDI32.dll |
GetDeviceCaps
|
| USER32.dll |
EndDialog
wsprintfA ExitWindowsEx CharNextA CharUpperA GetDesktopWindow SetWindowLongA GetWindowLongA CallWindowProcA GetDlgItem SetForegroundWindow SetWindowTextA SendDlgItemMessageA EnableWindow GetDlgItemTextA SendMessageA DispatchMessageA LoadStringA PeekMessageA MessageBoxA CharPrevA SetWindowPos ReleaseDC GetDC GetWindowRect ShowWindow DialogBoxIndirectParamA SetDlgItemTextA MessageBeep MsgWaitForMultipleObjects |
| COMCTL32.dll |
#17
|
| VERSION.dll |
GetFileVersionInfoSizeA
VerQueryValueA GetFileVersionInfoA |
Delayed Imports
3001
1
2
2001
2002
2003
2004
2005
2006
63
66
76
77
80
82
83
85
ADMQCMD
CABINET
EXTRACTOPT
FILESIZES
FINISHMSG
LICENSE
PACKINSTSPACE
POSTRUNPROGRAM
REBOOT
RUNPROGRAM
SHOWWINDOW
TITLE
UPROMPT
USRQCMD
3000
1 (#2)
String Table contents
| Please select a folder to store the extracted files. |
| %s |
| DEBUG: <%s> <%s> |
| Failed to get disk space information from: %s. |
| System Message: %s. |
| A required resource cannot be located. |
| Are you sure you want to cancel? |
| Unable to retrieve operating system version information. |
| Memory allocation request failed. |
| Unable to register window class. |
| Failed to create requested window. |
| Unable to create extraction thread. |
| No valid folder can be located for extracted files. |
| Cabinet is not valid. |
| Filetable full. |
| Can not change to destination folder. |
| Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup. |
| That folder is invalid. Please make sure the folder exists and is writable. |
| You must specify a folder with fully qualified pathname or choose Cancel. |
| Could not update folder edit box. |
| Could not load functions required for browser dialog. |
| Could not load Shell32.dll required for browser dialog. |
| Installation failed. |
| Error creating process <%s>. Reason: %s |
| The cluster size in this system is not supported. |
| A required resource appears to be corrupted. |
| Windows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation. |
| Error loading %s |
| GetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used. |
| Windows 95 or Windows NT is required to install |
| Could not create folder '%s' |
| To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue. |
| Do you still want to continue? |
| Error retrieving Windows folder |
| NT Shutdown: OpenProcessToken error. |
| NT Shutdown: AdjustTokenPrivileges error. |
| NT Shutdown: ExitWindowsEx error. |
| Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file. |
| The setup program could not retrieve the volume information for drive (%s) . |
| System message: %s. |
| Setup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again. |
| The installation program appears to be damaged or corrupted. Contact the vendor of this application. |
| FDI Extraction completed successfully. |
| Cabinet file not found. |
| Cabinet is not formed properly. |
| Cabinet data is corrupt. This executable is damaged and installation is not possible. |
| FDI memory allocation failure. |
| FDI compression type not supported. |
| FDI decompression failure. |
| Unable to create a requested file. |
| Cabinet reserve size mismatch. |
| Wrong cabinet file. |
| FDI user canceled or halted. |
| Command line option syntax error. Type Command /? for Help. |
| Command line options: |
| /Q -- Quiet modes for package, |
| /T:<full path> -- Specifies temporary working folder, |
| /C -- Extract files only to the folder when used also with /T. |
| /C:<Cmd> -- Override Install Command defined by author. |
| You must restart your computer before the new settings will take effect. |
| Do you want to restart your computer now? |
| You must restart your computer before the new settings will take effect. |
| Do you want to restart your computer now? |
| Another copy of the '%s' package is already running on your system. Do you want to run another copy? |
| You do not have administrator privileges on this machine. Some installations cannot be completed correctly unless they are run by an administrator. |
| There is not enough free space in the Windows temp folder or in the current folder. Please enter a new folder below. |
| The setup program is preparing to run. |
| Please wait... |
| The folder '%s' does not exist. Do you want to create it? |
| Another copy of the '%s' package is already running on your system. You can only run one copy at a time. |
| The '%s' package is not compatible with the version of Windows you are running. |
| The '%s' package is not compatible with the version of the file: %s on your system. |
Version Info
| Signature | 0xfeef04bd |
|---|---|
| StructVersion | 0x10000 |
| FileVersion | 4.71.1015.0 |
| ProductVersion | 4.71.1015.0 |
| FileFlags | (EMPTY) |
| FileOs |
VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
|
| FileType |
VFT_APP
|
| Language | English - United States |
| CompanyName | Microsoft Corporation |
| FileDescription | Win32 Cabinet Self-Extractor |
| FileVersion (#2) | 4.71.1015.0 |
| InternalName | Wextract |
| LegalCopyright | Copyright (C) Microsoft Corp. 1995 |
| OriginalFilename | WEXTRACT.EXE |
| ProductName | Microsoft(R) Windows NT(R) Operating System |
| ProductVersion (#2) | 4.71.1015.0 |
| Resource LangID | English - United States |
|---|
IMAGE_DEBUG_TYPE_MISC
| Characteristics |
0
|
|---|---|
| TimeDateStamp | 1997-Jul-15 11:48:12 |
| Version | 0.0 |
| SizeofData | 272 |
| AddressOfRawData | 0 |
| PointerToRawData | 0x54e00 |
| Referenced File | exe\wextract.dbg |
IMAGE_DEBUG_TYPE_FPO
| Characteristics |
0
|
|---|---|
| TimeDateStamp | 1997-Jul-15 11:48:12 |
| Version | 0.0 |
| SizeofData | 2512 |
| AddressOfRawData | 0 |
| PointerToRawData | 0x54f10 |