× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: 1b7b29308b5a17c7d94486f53c441752663d77d90294f005d06f1bb101e1e5a6
File name: WinCDEmu-3.6.exe
Detection ratio: 0 / 46
Analysis date: 2013-04-04 07:08:40 UTC ( 1 year ago ) View latest
Probably harmless! There are strong indicators suggesting that this file is safe to use.
Antivirus Result Update
AVG 20130403
Agnitum 20130403
AhnLab-V3 20130404
AntiVir 20130404
Antiy-AVL 20130404
Avast 20130404
BitDefender 20130404
ByteHero 20130322
CAT-QuickHeal 20130404
ClamAV 20130404
Commtouch 20130404
Comodo 20130404
DrWeb 20130404
ESET-NOD32 20130404
Emsisoft 20130404
F-Prot 20130404
F-Secure 20130404
Fortinet 20130404
GData 20130404
Ikarus 20130404
Jiangmin 20130404
K7AntiVirus 20130402
Kaspersky 20130404
Kingsoft 20130401
Malwarebytes 20130403
McAfee 20130404
McAfee-GW-Edition 20130404
MicroWorld-eScan 20130404
Microsoft 20130404
NANO-Antivirus 20130404
Norman 20130403
PCTools 20130404
Panda 20130403
Rising 20130403
SUPERAntiSpyware 20130404
Sophos 20130404
Symantec 20130404
TheHacker 20130404
TotalDefense 20130403
TrendMicro 20130404
TrendMicro-HouseCall 20130404
VBA32 20130403
VIPRE 20130404
ViRobot 20130404
eSafe 20130403
nProtect 20130404
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block
Copyright
LGPL

Publisher Sysprogs UG (haftungsbeschraenkt)
Product WinCDEmu
Original name WinCDEmu-installer.exe
File version 3.6
Description WinCDEmu installer
Comments http://wincdemu.sysprogs.org/
Signature verification Signed file, verified signature
Signing date 7:13 PM 8/8/2011
Signers
[+] Sysprogs UG (haftungsbeschraenkt)
Status Certificate out of its validity period
Valid from 1:00 AM 8/8/2011
Valid to 12:59 AM 8/8/2012
Valid usage Code Signing
Algorithm SHA1
Thumbrint 63D7DF05D30F33DEC7254DCDA6A194CC8E2FADAC
Serial number 17 34 AA 23 F6 C8 8B 7F 2E 7F C6 8F 71 18 42 3E
[+] VeriSign Class 3 Code Signing 2010 CA
Status Valid
Valid from 1:00 AM 2/8/2010
Valid to 12:59 AM 2/8/2020
Valid usage Client Auth, Code Signing
Algorithm SHA1
Thumbrint 495847A93187CFB8C71F840CB7B41497AD95C64F
Serial number 52 00 E5 AA 25 56 FC 1A 86 ED 96 C9 D4 4B 33 C7
[+] VeriSign
Status Valid
Valid from 1:00 AM 11/8/2006
Valid to 12:59 AM 7/17/2036
Valid usage Server Auth, Client Auth, Email Protection, Code Signing
Algorithm SHA1
Thumbrint 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
Serial number 18 DA D1 9E 26 7D E8 BB 4A 21 58 CD CC 6B 3B 4A
Counter signers
[+] VeriSign Time Stamping Services Signer - G2
Status Certificate out of its validity period
Valid from 1:00 AM 6/15/2007
Valid to 12:59 AM 6/15/2012
Valid usage Timestamp Signing
Algorithm SHA1
Thumbrint ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE
Serial number 38 25 D7 FA F8 61 AF 9E F4 90 E7 26 B5 D6 5A D5
[+] VeriSign Time Stamping Services CA
Status Certificate out of its validity period
Valid from 1:00 AM 12/4/2003
Valid to 12:59 AM 12/4/2013
Valid usage Timestamp Signing
Algorithm SHA1
Thumbrint F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
Serial number 47 BF 19 95 DF 8D 52 46 43 F7 DB 6D 48 0D 31 A4
[+] Thawte Timestamping CA
Status Valid
Valid from 1:00 AM 1/1/1997
Valid to 12:59 AM 1/1/2021
Valid usage Timestamp Signing
Algorithm MD5
Thumbrint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
Packers identified
F-PROT UPX
PEiD UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2011-06-20 11:35:37
Entry Point 0x000810F0
Number of sections 3
PE sections
PE imports
RegOpenKeyA
FillRgn
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
ShellExecuteA
CoInitialize
Number of PE resources by type
RT_DIALOG 11
RT_ICON 9
RT_STRING 5
RT_GROUP_ICON 5
RT_MANIFEST 1
RT_BITMAP 1
RT_VERSION 1
Number of PE resources by language
RUSSIAN 24
ENGLISH US 6
NEUTRAL SYS DEFAULT 3
ExifTool file metadata
CodeSize
163840

SubsystemVersion
5.0

Comments
http://wincdemu.sysprogs.org/

LinkerVersion
9.0

ImageVersion
0.0

FileSubtype
0

FileVersionNumber
3.6.0.0

LanguageCode
Neutral

FileFlagsMask
0x0017

FileDescription
WinCDEmu installer

CharacterSet
Unicode

InitializedDataSize
40960

FileOS
Win32

MIMEType
application/octet-stream

LegalCopyright
LGPL

FileVersion
3.6

TimeStamp
2011:06:20 12:35:37+01:00

FileType
Win32 EXE

PEType
PE32

FileAccessDate
2014:04:15 16:10:34+01:00

ProductVersion
3.6

UninitializedDataSize
364544

OSVersion
5.0

FileCreateDate
2014:04:15 16:10:34+01:00

OriginalFilename
WinCDEmu-installer.exe

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CompanyName
SysProgs.org

LegalTrademarks
SysProgs.org

ProductName
WinCDEmu

ProductVersionNumber
3.6.0.0

EntryPoint
0x810f0

ObjectFileType
Executable application

CarbonBlack CarbonBlack acts as a surveillance camera for computers
While monitoring an end-user machine in-the-wild, CarbonBlack noticed this sample wrote the following files to disk.
Compressed bundles
File identification
MD5 b88b3fb326acf9d6882c9901d297d6a1
SHA1 ab69a293680948da9bc865d29becb02bad5b2d94
SHA256 1b7b29308b5a17c7d94486f53c441752663d77d90294f005d06f1bb101e1e5a6
ssdeep
24576:EhsirfWd7N4NGJ38WytDJ6MWcOgRVB71NOtcDI5AluVu+hHs4m:EhsggN4N6sD4HcZbXy0IquVhHsh

imphash 2f45dc341e82cb821aa3706313cfae94
File size 812.0 KB ( 831496 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID UPX compressed Win32 Executable (42.3%)
Win32 EXE Yoda's Crypter (36.7%)
Win32 Dynamic Link Library (generic) (9.1%)
Win32 Executable (generic) (6.2%)
Generic Win/DOS Executable (2.7%)
Tags
peexe via-tor signed upx mz

VirusTotal metadata
First submission 2011-08-13 23:56:51 UTC ( 2 years, 8 months ago )
Last submission 2014-04-15 15:11:28 UTC ( 16 hours, 5 minutes ago )
File names WinCDEmu-3.6.exe
WinCDEmu-3.6 (1).exe
b88b3fb326acf9d6882c9901d297d6a1
Win CD Emu v3.6.exe
WinCDEmu-3.6.exe
WinCDEmu-3.6.exe?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fwincdemu%2Ffiles%2Fwincdemu%2F3.6%2FWinCDEmu-3.6.exe%2Fdownload&ts=1327004786&use_mirror=superb-sea2
download
WinCDEmu-installer.exe
WinCDEmu-3.6(1).exe
WinCDEmu-3.6.exe
wincdemu-3.6(1).exe
winCDEmu portable.exe
testando.exe
WinCDEmu 3.6.exe
B88B3FB326ACF9D6882C9901D297D6A1
WinCDEmu-3.6.exe
WinCDEmu.exe
Эмулятор (WinCDEmu-3.6).exe
WinCDEmu-3.6_2.exe
WinCDEmu_download.chip.eu.exe
WinCDEmu-3.6(2).exe
output.11322152.txt
file-2652423_exe
WinCDEmu_3.6.exe
11322152
Advanced heuristic and reputation engines
ClamAV PUA
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: http://www.clamav.net/index.php?s=pua&lang=en .

No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!