f4bc3bf04adcbbb53af01827467f3260

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2006-Dec-06 23:48:12
Detected languages English - United States
Debug artifacts sfxcab.pdb
CompanyName Microsoft Corporation
FileDescription Self-Extracting Cabinet
FileVersion 6.3.0004.1 built by: dnsrv
InternalName SFXCAB.EXE
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename SFXCAB.EXE
ProductName Microsoft® Windows® Operating System
ProductVersion 6.3.0004.1

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0
Info Libraries used to perform cryptographic operations: Microsoft's Cryptography API
Malicious The PE contains functions mostly used by malware.
[!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryA
Possibly launches other programs:
  • CreateProcessA
Uses Windows's Native API:
  • NtOpenProcessToken
  • NtAdjustPrivilegesToken
  • NtClose
  • NtShutdownSystem
Uses Microsoft's cryptographic API:
  • CryptAcquireContextA
  • CryptGenRandom
  • CryptReleaseContext
Functions related to the privilege level:
  • OpenProcessToken
Enumerates local disk drives:
  • GetDriveTypeA
Can shut the system down or lock the screen:
  • InitiateSystemShutdownA
Info The PE is digitally signed. Signer: Microsoft Corporation
Issuer: Microsoft Code Signing PCA
Safe VirusTotal score: 0/67 (Scanned on 2022-05-25 10:30:13) All the AVs think this file is safe.

Hashes

MD5 f4bc3bf04adcbbb53af01827467f3260
SHA1 f55de72f095cd05ad914ce1a98089d33bb2e3abd
SHA256 667866eda7d61598428a345cbff08bb50a294240f207ea3c3d17cd8dca26717f
SHA3 6ac37f70c3945c817995a16ae43f67c46d94b49a53fcabcb928c1a939f94e367
SSDeep 49152:T7SozWD1VZdnLi+xy/mggDRhW3qGY8gc9xXzoZza14C6NQUzy53fDiEV3OU2:8LLi0y/+GYhYXzSajlDiEBOz
Imports Hash a1f6f100bff4507a3332f3f0cdfc24f5

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xe0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 3
TimeDateStamp 2006-Dec-06 23:48:12
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP

Image Optional Header

Magic PE32
LinkerVersion 7.2
SizeOfCode 0x8600
SizeOfInitializedData 0x11e00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x000063FF (Section: .text)
BaseOfCode 0x2000
BaseOfData 0xc000
ImageBase 0x1000000
SectionAlignment 0x2000
FileAlignment 0x200
OperatingSystemVersion 5.2
ImageVersion 5.2
SubsystemVersion 4.0
Win32VersionValue 0
SizeOfImage 0x20000
SizeOfHeaders 0x400
Checksum 0x24d9b0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x40000
SizeofStackCommit 0x2000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 44a14be44a250e1ef492067fc5564d0d
SHA1 e6e6b79052d354f886b86f8d50515e9f955e5dbb
SHA256 e568e301bc7ca41090c6b358af97d8ef5bb43cf90fdfe6a8c103ccb94c4c978a
SHA3 bd2ad873002509f9144515acbd13e19679418c08ef35d30255eb3520475ac636
VirtualSize 0x841e
VirtualAddress 0x2000
SizeOfRawData 0x8600
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.509

.data

MD5 089bff4aa016c8b95f987a707adb9436
SHA1 4d6d01019eae181b83ac43ddd25da2dbc670cc63
SHA256 49a1cdd9930712996e9b3601aaf365a8ce022e53e2577810d92f41b6a5002cc3
SHA3 d295e01c31de4446e824924226096cd6506a0603c9f042e6989a27b976d758ab
VirtualSize 0x113f8
VirtualAddress 0xc000
SizeOfRawData 0x200
PointerToRawData 0x8a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 0.498823

.rsrc

MD5 6fc517351fde53ffae4d479662f04c10
SHA1 64113c7fd9248c898d126e95aea09874b857f3b8
SHA256 4eee4407c6972d45f1e484cd0725421a62580c95e6d61476577fbb65303e1533
SHA3 acbec77d372a5751e1893b5b806af1480d746ffe9522f62fd7127173874bf75c
VirtualSize 0x978
VirtualAddress 0x1e000
SizeOfRawData 0x23ce00
PointerToRawData 0x8c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 7.99948

Imports

msvcrt.dll
  • __setusermatherr
  • _initterm
  • __getmainargs
  • __initenv
  • exit
  • _cexit
  • _adjust_fdiv
  • _exit
  • _c_exit
  • strncpy
  • strstr
  • _strlwr
  • strrchr
  • _stricmp
  • __p__commode
  • __p__fmode
  • __set_app_type
  • _except_handler3
  • _controlfp
  • _XcptFilter
  • _snprintf
  • sprintf
  • strchr
  • _strnicmp
  • _vsnprintf
ADVAPI32.dll
  • InitializeAcl
  • AddAccessAllowedAce
  • SetSecurityDescriptorDacl
  • CryptAcquireContextA
  • CryptGenRandom
  • CryptReleaseContext
  • AllocateAndInitializeSid
  • OpenProcessToken
  • GetTokenInformation
  • GetLengthSid
  • InitiateSystemShutdownA
  • InitializeSecurityDescriptor
KERNEL32.dll
  • CreateThread
  • GetFileSize
  • ExpandEnvironmentStringsA
  • CreateProcessA
  • GetExitCodeProcess
  • InitializeCriticalSectionAndSpinCount
  • LocalFileTimeToFileTime
  • SetFileTime
  • SetEndOfFile
  • CreateEventA
  • QueryDosDeviceA
  • GetDiskFreeSpaceA
  • GetSystemTime
  • QueryPerformanceCounter
  • GetCurrentThreadId
  • GetCurrentProcessId
  • GetSystemTimeAsFileTime
  • UnhandledExceptionFilter
  • SetUnhandledExceptionFilter
  • GetCurrentDirectoryA
  • GetProcessHeap
  • CopyFileA
  • SetFileAttributesA
  • DosDateTimeToFileTime
  • SetEvent
  • GetVersionExA
  • ReadFile
  • SetFilePointer
  • MoveFileExA
  • RemoveDirectoryA
  • GetLastError
  • CreateDirectoryA
  • GetTickCount
  • SetErrorMode
  • FreeLibrary
  • GetProcAddress
  • LoadLibraryA
  • GetSystemDirectoryA
  • CloseHandle
  • DeviceIoControl
  • CreateFileA
  • GetDriveTypeA
  • HeapFree
  • FormatMessageA
  • LeaveCriticalSection
  • DeleteFileA
  • EnterCriticalSection
  • TerminateProcess
  • WaitForMultipleObjects
  • CreateEventW
  • FindFirstFileA
  • Sleep
  • SetEnvironmentVariableA
  • GetEnvironmentVariableA
  • WideCharToMultiByte
  • HeapAlloc
  • SetLastError
  • WriteFile
  • MoveFileA
  • ExitProcess
  • DeleteCriticalSection
  • FlushFileBuffers
  • WaitForSingleObject
  • OpenEventA
  • GetCurrentProcess
  • GetFileAttributesA
  • GetCommandLineA
  • GetModuleFileNameA
  • FindClose
  • FindNextFileA
  • SystemTimeToFileTime
USER32.dll
  • SendDlgItemMessageA
  • SendMessageA
  • DialogBoxParamA
  • MessageBoxA
  • SetParent
  • EndDialog
  • LoadStringA
  • ShowWindow
ntdll.dll
  • NtOpenProcessToken
  • NtAdjustPrivilegesToken
  • NtClose
  • NtShutdownSystem
COMCTL32.dll
  • #17 (imported by ordinal)
SHELL32.dll
  • SHBrowseForFolderA
  • SHGetPathFromIDListA

Delayed Imports

Resources

100

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0x11a
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.0946
MD5 04ccba883037b935de903dda668e26c5
SHA1 5f41961572e94020e3f25c6f8300223019574ed5
SHA256 13a38cc7c81f597a2007b44144ab44a3b721703d524815cc116b702a84a8d3f2
SHA3 09ead59f41d5437b891b1070fe920a6fe55b4b9730349d42ed3c5e8d56278588

107

Type RT_DIALOG
Language English - United States
Codepage UNKNOWN
Size 0xe0
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.9591
MD5 37927fe0f1be012004644fb2c933a8f3
SHA1 1520d706fb2f6db1c9530a70944fd7f285440523
SHA256 9e2e9f778e912576167b2ccc0c67da0e0f27dbe939092568bd33bb6b78333b6e
SHA3 8843ffd808429499cad210faa432132e79171c9f5f455a1dda8d3bddee4297ad

1

Type RT_STRING
Language English - United States
Codepage UNKNOWN
Size 0x2da
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.27139
MD5 660f040d0410ec28adf49c0f608af397
SHA1 eac2476a260056e0ec4c013ccce3514519ad30de
SHA256 57d4c0ba932b483534452a14ff6dac44a8a9c1ac893c6ac501ee450db97456d9
SHA3 07a946e5b77095d57ea2b0be7c397f87839eb73ef4a1bd7b1412b1cc2d7ac628

1 (#2)

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x378
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.48544
MD5 2349cee4882b7bc6a08c773ef28e138f
SHA1 2174f8abace639735ccba0a397914abcfb0eb6c3
SHA256 953cb5ec7309db5eed2a16daa3906bc2c2b76c5b64b04f95e2c443bc6b13615b
SHA3 6841f5309bef283f198c96b2e50af5a0d1e4e3ed084f941716493912ba7432bb

String Table contents

File is corrupt
Extraction Complete
Extraction Failed
Extracting File:
Choose Directory For Extracted Files
To Directory:
Setup was unable to shutdown system.
Please shutdown your system manually.
Unable to find a volume for file extraction.
Please verify that you have proper permissions.
Unable to find a volume with enough disk space for file extraction.

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 6.3.4.1
ProductVersion 6.3.4.1
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_APP
Language English - United States
CompanyName Microsoft Corporation
FileDescription Self-Extracting Cabinet
FileVersion (#2) 6.3.0004.1 built by: dnsrv
InternalName SFXCAB.EXE
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename SFXCAB.EXE
ProductName Microsoft® Windows® Operating System
ProductVersion (#2) 6.3.0004.1
Resource LangID English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2006-Dec-06 23:48:12
Version 0.0
SizeofData 35
AddressOfRawData 0x2740
PointerToRawData 0xb40
Referenced File sfxcab.pdb

TLS Callbacks

Load Configuration

Size 0x48
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x100c028
SEHandlerTable 0x1002770
SEHandlerCount 1

RICH Header

XOR Key 0x121e42a4
Unmarked objects 0
ASM objects (VS2003 (.NET) build 4035) 1
Total imports 125
Imports (VS2003 (.NET) build 4035) 15
C objects (VS2003 (.NET) build 4035) 32
94 (VS2003 (.NET) build 4035) 1
Linker (VS2003 (.NET) build 4035) 1

Errors