SHA256: 46da5058c5bc04b520298337cd2614e3f27c6444222b04feefe7b3e7cb68ff83
File name: RemoveWAT.exe
Detection ratio: 0 / 41
Analysis date: 2010-03-25 16:53:30 UTC (5 years, 3 months ago)
Antivirus Result Update
AVG 20100325
AhnLab-V3 20100325
AntiVir 20100325
Antiy-AVL 20100324
Authentium 20100325
Avast 20100325
Avast5 20100325
BitDefender 20100325
CAT-QuickHeal 20100325
ClamAV 20100325
Comodo 20100325
F-Prot 20100324
F-Secure 20100325
Fortinet 20100324
GData 20100325
Ikarus 20100325
Jiangmin 20100325
K7AntiVirus 20100322
Kaspersky 20100325
McAfee 20100324
McAfee+Artemis 20100324
McAfee-GW-Edition 20100325
Microsoft 20100325
NOD32 20100325
Norman 20100325
PCTools 20100325
Panda 20100324
Prevx 20100325
Rising 20100325
Sophos 20100325
Sunbelt 20100325
Symantec 20100325
TheHacker 20100324
TrendMicro 20100325
VBA32 20100325
ViRobot 20100325
VirusBuster 20100325
a-squared 20100325
eSafe 20100324
eTrust-Vet 20100325
nProtect 20100325
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Developer metadata
Copyright Copyright Hazar & Co. © 2010
Publisher Hazar & Co.
Product RemoveWAT
Original name RemoveWAT.exe
Internal name RemoveWAT.exe
File version 2.2.5.2
Description RemoveWAT
Comments Removes Windows Activation Technologies
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2010-03-02 15:57:06
Link date 4:57 PM 3/2/2010
Entry Point 0x0064359E
Number of sections 4
.NET details
Module Version ID 012b7df5-b5b4-41ff-bd05-362e2429293c
TypeLib ID 0e768eb8-c71c-4b52-bea8-92e4e837be70
PE sections
PE imports
_CorExeMain
Number of PE resources by type
RT_ICON 5
RT_MANIFEST 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 8
ExifTool file metadata
SubsystemVersion 4.0
Comments Removes Windows Activation Technologies
InitializedDataSize 103424
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 2.2.5.2
LanguageCode Neutral
FileFlagsMask 0x003f
FileDescription RemoveWAT
CharacterSet Unicode
LinkerVersion 8.0
EntryPoint 0x64359e
OriginalFileName RemoveWAT.exe
MIMEType application/octet-stream
LegalCopyright Copyright Hazar & Co. 2010
FileVersion 2.2.5.2
TimeStamp 2010:03:02 16:57:06+01:00
FileType Win32 EXE
PEType PE32
InternalName RemoveWAT.exe
ProductVersion 2.2.5.2
UninitializedDataSize 0
OSVersion 4.0
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName Hazar & Co.
CodeSize 6559232
ProductName RemoveWAT
ProductVersionNumber 2.2.5.2
FileTypeExtension exe
ObjectFileType Executable application
AssemblyVersion 2.2.5.2

CarbonBlack CarbonBlack acts as a surveillance camera for computers
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
Execution parents
PE resource-wise parents
Compressed bundles
File identification
MD5 588c9f669bfb9149c4f1d8e6729743ba
SHA1 75e0288583dd3301386b12de8f8c27eebdbdfc7a
SHA256 46da5058c5bc04b520298337cd2614e3f27c6444222b04feefe7b3e7cb68ff83
ssdeep 98304:/33yKMaL/eXV1i/kDxkmcL/eXV1i/kaRWYL/eXV1i/kmeM1qj4iwiANvSo2/CAy1:vyKnZrrLGA3PhsKPkG09Wp
authentihash 8d758c38f6ecea89bca386a4ffcd762ef88d31ef9d6677b9593b7830e315f30c
imphash f34d5f2d4577ed6d9ceec516c1f5a744
File size 6.4 MB ( 6663680 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
TrID DirectShow filter (38.4%)
Windows ActiveX control (22.2%)
Generic CIL Executable (.NET, Mono, etc.) (13.9%)
InstallShield setup (8.2%)
Win32 Executable MS Visual C++ (generic) (5.9%)
Tags peexe assembly via-tor
VirusTotal metadata
First submission 2010-03-02 19:11:08 UTC ( 5 years, 4 months ago )
Last submission 2015-07-03 12:25:42 UTC ( 1 day, 8 hours ago )
File names Remove v2.2.5.exe
WIN7 - a.kılınçarslan.exe
test.exe
TrojAgent-OIK.exe
Remove WAT 2.4.5.exe
swat.exe
bestand.exe
RemoveWAT.exe
342.exe
Unconfirmed 32519.crdownload
WAT_Remover_by_digipassion.com.exe
RemoveWAT21.exe
Mircosoft Windows RemoveWAT.exe
RemoveWAT (3).exe
Removewat win7.exe
1.exe
RemoveWAT - kms-service.org.exe
Rw_tahasoft.com.exe
RemoveWAT.exe
RemoveWat 2.2.5.exe
Remove WAT 2.2.5.2.exe
sangar.exe
nakamora.exe
RemoveWAT_md5sum
vt-upload-uOqEL
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: http://www.clamav.net/doc/pua.html .

Symantec reputation Suspicious.Insight