× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: 6a9bbb6d3b7bebef178eb54dc23a4ed036f7447d763db8ff14ad7e7931026c9a
File name: pdfelement_setup_full1042.exe
Detection ratio: 0 / 55
Analysis date: 2015-10-15 10:58:06 UTC ( 3 years, 7 months ago ) View latest
Antivirus Result Update
Ad-Aware 20151015
AegisLab 20151015
Yandex 20151014
AhnLab-V3 20151015
Alibaba 20151015
ALYac 20151015
Antiy-AVL 20151015
Arcabit 20151015
Avast 20151014
AVG 20151015
Avira (no cloud) 20151015
Baidu-International 20151015
BitDefender 20151015
Bkav 20151014
ByteHero 20151015
CAT-QuickHeal 20151015
ClamAV 20151015
CMC 20151014
Comodo 20151015
Cyren 20151015
DrWeb 20151015
Emsisoft 20151015
ESET-NOD32 20151015
F-Prot 20151015
F-Secure 20151015
Fortinet 20151015
GData 20151015
Ikarus 20151015
Jiangmin 20151014
K7AntiVirus 20151015
K7GW 20151015
Kaspersky 20151015
Kingsoft 20151015
Malwarebytes 20151015
McAfee 20151015
McAfee-GW-Edition 20151015
Microsoft 20151015
eScan 20151015
NANO-Antivirus 20151015
nProtect 20151015
Panda 20151015
Qihoo-360 20151015
Rising 20151014
Sophos AV 20151015
SUPERAntiSpyware 20151015
Symantec 20151014
Tencent 20151015
TheHacker 20151012
TrendMicro 20151015
TrendMicro-HouseCall 20151015
VBA32 20151014
VIPRE 20151015
ViRobot 20151015
Zillya 20151014
Zoner 20151015
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
Copyright 2015 Wondershare Corporation

Product PDFelement
File version 1.2.1.1
Description pdfelement_setup_full1042.exe
Signature verification Signed file, verified signature
Signing date 1:54 PM 5/19/2015
Signers
[+] Shenzhen Wondershare Information Technology Co., Ltd.
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer VeriSign Class 3 Code Signing 2010 CA
Valid from 11:00 PM 07/25/2013
Valid to 10:59 PM 09/24/2015
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 9523B0C3C67D84DE20B507984B8AB6771187B048
Serial number 52 09 CE 41 1D C7 80 94 7A C0 E4 E9 E3 B9 5D 44
[+] VeriSign Class 3 Code Signing 2010 CA
Status Valid
Issuer VeriSign Class 3 Public Primary Certification Authority - G5
Valid from 12:00 AM 02/08/2010
Valid to 11:59 PM 02/07/2020
Valid usage Client Auth, Code Signing
Algorithm sha1RSA
Thumbprint 495847A93187CFB8C71F840CB7B41497AD95C64F
Serial number 52 00 E5 AA 25 56 FC 1A 86 ED 96 C9 D4 4B 33 C7
[+] VeriSign
Status Valid
Issuer VeriSign Class 3 Public Primary Certification Authority - G5
Valid from 12:00 AM 11/08/2006
Valid to 10:59 PM 07/16/2036
Valid usage Server Auth, Client Auth, Email Protection, Code Signing
Algorithm sha1RSA
Thumbprint 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
Serial number 18 DA D1 9E 26 7D E8 BB 4A 21 58 CD CC 6B 3B 4A
Counter signers
[+] GlobalSign TSA for MS Authenticode - G2
Status Valid
Issuer GlobalSign Timestamping CA - G2
Valid from 12:00 AM 02/03/2015
Valid to 12:00 AM 03/03/2026
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbrint B36308B4D4CDED4FCFBD66B955FAE3BFB12C29E6
Serial number 11 21 06 A0 81 D3 3F D8 7A E5 82 4C C1 6B 52 09 4E 03
[+] GlobalSign Timestamping CA - G2
Status Valid
Issuer GlobalSign Root CA
Valid from 09:00 AM 04/13/2011
Valid to 12:00 PM 01/28/2028
Valid usage All
Algorithm sha1RSA
Thumbrint C0E49D2D7D90A5CD427F02D9125694D5D6EC5B71
Serial number 04 00 00 00 00 01 2F 4E E1 52 D7
[+] GlobalSign Root CA - R1
Status Valid
Issuer GlobalSign Root CA
Valid from 11:00 AM 09/01/1998
Valid to 12:00 PM 01/28/2028
Valid usage Server Auth, Client Auth, Code Signing, Email Protection, Timestamp Signing, OCSP Signing, EFS, IPSEC Tunnel, IPSEC User, IPSEC IKE Intermediate
Algorithm sha1RSA
Thumbrint B1BC968BD4F49D622AA89A81F2150152A41D829C
Serial number 04 00 00 00 00 01 15 4B 5A C3 94
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2015-03-30 02:41:41
Entry Point 0x0005070D
Number of sections 5
PE sections
Overlays
MD5 a3f93f3ed1b81bdfb0b63d911d2a6c6e
File type data
Offset 790528
Size 6728
Entropy 7.35
PE imports
RegCreateKeyExW
RegDeleteValueW
RegCloseKey
RegSetValueExW
FreeSid
RegEnumKeyExW
RegOpenKeyExW
CheckTokenMembership
AllocateAndInitializeSid
RegQueryValueExW
Ord(17)
_TrackMouseEvent
GetCharABCWidthsW
GetTextMetricsW
TextOutW
CreateFontIndirectW
SetStretchBltMode
CreatePen
SaveDC
CreateRectRgnIndirect
CombineRgn
GetClipBox
Rectangle
GetObjectA
LineTo
DeleteDC
RestoreDC
SetBkMode
SetWindowOrgEx
GetObjectW
BitBlt
CreateDIBSection
SetTextColor
GetDeviceCaps
ExtTextOutW
MoveToEx
GetStockObject
ExtSelectClipRgn
CreateRoundRectRgn
SelectClipRgn
RoundRect
StretchBlt
CreateCompatibleDC
DeleteObject
CreateSolidBrush
SelectObject
SetBkColor
GetTextExtentPoint32W
CreateCompatibleBitmap
CreatePenIndirect
GetStdHandle
GetConsoleOutputCP
WaitForSingleObject
HeapDestroy
DuplicateHandle
GetExitCodeProcess
FreeEnvironmentStringsA
DeleteCriticalSection
GetCurrentProcess
GetConsoleMode
GetLocaleInfoA
UnhandledExceptionFilter
SetErrorMode
FreeEnvironmentStringsW
GetLocaleInfoW
SetStdHandle
GetCPInfo
GetProcAddress
GetStringTypeA
InterlockedExchange
GetTempPathW
GetTimeZoneInformation
GetSystemTimeAsFileTime
HeapReAlloc
GetStringTypeW
GetOEMCP
InitializeCriticalSection
LoadResource
TlsGetValue
MoveFileW
SetFileAttributesW
GetEnvironmentVariableW
SetLastError
GetModuleFileNameW
IsDebuggerPresent
HeapAlloc
GetModuleFileNameA
EnumSystemLocalesA
GetSystemDefaultLCID
InterlockedDecrement
MultiByteToWideChar
SetFilePointerEx
SetFilePointer
CreateThread
SetUnhandledExceptionFilter
MulDiv
ExitThread
SetEnvironmentVariableA
TerminateProcess
CreateSemaphoreW
WriteConsoleA
VirtualQuery
SetEndOfFile
GetCurrentThreadId
InterlockedIncrement
WriteConsoleW
InitializeCriticalSectionAndSpinCount
HeapFree
EnterCriticalSection
SetHandleCount
TerminateThread
LoadLibraryW
GetVersionExW
SetEvent
QueryPerformanceCounter
GetTickCount
TlsAlloc
FlushFileBuffers
LoadLibraryA
RtlUnwind
GetStartupInfoA
SystemTimeToFileTime
GetFileSize
CreateDirectoryW
DeleteFileW
WaitForMultipleObjects
GetProcessHeap
CompareStringW
WriteFile
GetFileSizeEx
CompareStringA
IsValidLocale
lstrcmpW
GetUserDefaultLCID
CreateEventW
CreateFileW
GetFileType
TlsSetValue
CreateFileA
ExitProcess
LeaveCriticalSection
GetLastError
DosDateTimeToFileTime
LCMapStringW
lstrlenA
GetConsoleCP
FindResourceW
LCMapStringA
GetEnvironmentStringsW
lstrlenW
CreateProcessW
GetEnvironmentStrings
GetCurrentDirectoryW
GetCurrentProcessId
LockResource
SetFileTime
WideCharToMultiByte
HeapSize
GetCommandLineA
InterlockedCompareExchange
RaiseException
TlsFree
GetModuleHandleA
ReadFile
CloseHandle
GetACP
GetModuleHandleW
FreeResource
GetFileAttributesExW
SizeofResource
IsValidCodePage
HeapCreate
FindResourceExW
VirtualFree
Sleep
VirtualAlloc
SysFreeString
VariantClear
VariantInit
SysAllocString
SHGetFolderPathW
SHBrowseForFolderW
SHGetPathFromIDListW
Shell_NotifyIconW
ShellExecuteW
Ord(165)
SHGetSpecialFolderLocation
ShellExecuteExW
SHFileOperationW
SHGetMalloc
MapWindowPoints
SetWindowRgn
PostQuitMessage
SetWindowPos
IsWindow
EndPaint
SetActiveWindow
DispatchMessageW
GetCursorPos
ReleaseDC
SendMessageW
GetClientRect
DefWindowProcW
DrawTextW
LoadImageW
ClientToScreen
GetWindowTextW
GetWindowTextLengthW
InvalidateRgn
PtInRect
GetClassInfoExW
GetPropW
CreateCaret
GetMessageW
ShowWindow
SetPropW
EnableWindow
TranslateMessage
GetWindow
RegisterClassW
IsZoomed
IsIconic
SetTimer
FillRect
CreateAcceleratorTableW
CreateWindowExW
GetWindowLongW
GetUpdateRect
DestroyWindow
SetFocus
GetMonitorInfoW
BeginPaint
OffsetRect
SetCaretPos
KillTimer
CharPrevW
GetParent
GetSystemMetrics
SetWindowLongW
GetWindowRect
InflateRect
SetCapture
ReleaseCapture
PostMessageW
CreatePopupMenu
ShowCaret
GetLastActivePopup
SetWindowTextW
BringWindowToTop
ScreenToClient
TrackPopupMenu
LoadCursorW
LoadIconW
FindWindowExW
GetDC
SetForegroundWindow
IntersectRect
HideCaret
FindWindowW
wvsprintfW
MessageBoxW
GetMenu
RegisterClassExW
MoveWindow
AppendMenuW
AdjustWindowRectEx
GetSysColor
GetKeyState
MonitorFromWindow
SetRect
InvalidateRect
CharNextW
CallWindowProcW
IsRectEmpty
GetFocus
wsprintfW
SetCursor
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
socket
closesocket
inet_addr
send
ioctlsocket
WSAStartup
gethostbyname
WSAGetLastError
connect
WSACleanup
inet_ntoa
htons
recv
select
GdipCloneBrush
GdipCreateFontFromDC
GdiplusShutdown
GdipCreateFromHDC
GdipCreateFontFromLogfontA
GdipFree
GdipDrawString
GdipSetStringFormatAlign
GdipCreateStringFormat
GdipDeleteStringFormat
GdipAlloc
GdiplusStartup
GdipDeleteBrush
GdipCreateLineBrushI
GdipSetStringFormatLineAlign
GdipDeleteGraphics
GdipSetTextRenderingHint
GdipDeleteFont
OleLockRunning
CoUninitialize
CoInitialize
CoCreateGuid
CoCreateInstance
CLSIDFromProgID
CLSIDFromString
Number of PE resources by type
PNG 4
XML 3
RT_ICON 2
RT_VERSION 2
RT_GROUP_ICON 2
EXE 1
RT_MANIFEST 1
ZIPRES 1
Number of PE resources by language
CHINESE SIMPLIFIED 9
NEUTRAL 6
ENGLISH US 1
PE resources
Debug information
ExifTool file metadata
UninitializedDataSize
0

LinkerVersion
9.0

ImageVersion
0.0

FileSubtype
0

FileVersionNumber
1.2.1.1

LanguageCode
Neutral

FileFlagsMask
0x0017

FileDescription
pdfelement_setup_full1042.exe

ImageFileCharacteristics
Executable, 32-bit

CharacterSet
Unicode

InitializedDataSize
329216

EntryPoint
0x5070d

MIMEType
application/octet-stream

LegalCopyright
Copyright 2015 Wondershare Corporation

FileVersion
1.2.1.1

TimeStamp
2015:03:30 04:41:41+02:00

FileType
Win32 EXE

PEType
PE32

ProductVersion
5.1.9

SubsystemVersion
5.0

OSVersion
5.0

FileOS
Win32

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CodeSize
460288

ProductName
PDFelement

ProductVersionNumber
1.2.1.1

Warning
Possibly corrupt Version resource

FileTypeExtension
exe

ObjectFileType
Executable application

CarbonBlack CarbonBlack acts as a surveillance camera for computers
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
Compressed bundles
File identification
MD5 377545aa9c021b9f267e2c79989e2194
SHA1 6e3d7962ba07f26b59b8f12b3d80538bdaf674d9
SHA256 6a9bbb6d3b7bebef178eb54dc23a4ed036f7447d763db8ff14ad7e7931026c9a
ssdeep
24576:zZF+VJiWZenEwqdnSH8iSbDc9OGB1H8YaS+pIWkIdoWgsEktzmO:zCkoiSk9v+pITsgVQzmO

authentihash 94b26caa37f3f45c253b2b0a6415e1ff8b14ba15a7677621c081b18bff6e1dcf
imphash 821328d236f0186b594b8d5b9bb62869
File size 778.6 KB ( 797256 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Windows ActiveX control (60.5%)
Win32 Executable MS Visual C++ (generic) (16.2%)
Win64 Executable (generic) (14.3%)
Win32 Dynamic Link Library (generic) (3.4%)
Win32 Executable (generic) (2.3%)
Tags
peexe signed overlay

VirusTotal metadata
First submission 2015-05-20 23:22:12 UTC ( 4 years ago )
Last submission 2019-03-10 20:09:52 UTC ( 2 months, 1 week ago )
File names pdfelement_setup_full1042.exe
pdfelement_setup_full1042.exe
pdfelement_setup_full1042.exe
37_24#T16#10370
682811
pdfelement_setup_full1042.exe
pdfelement_full1042.exe
pdfelement_setup_full104220170702-7245-j4icws.exe
filename
pdfelement_setup_full1042.exe
pdfelement_setup_full1042.exe
pdfelement_setup_full1042.exe
pdfelement_setup_full1042.exe
pdfelement_setup_full1042 (1).exe
6A9BBB6D3B7BEBEF178EB54DC23A4ED036F7447D763DB8FF14AD7E7931026C9A
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Deleted files
Created processes
Created mutexes
Opened mutexes
Searched windows
Opened service managers
Opened services
Hooking activity
Runtime DLLs
Additional details
The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged.
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done making use of the SetWindowsHook Windows API function.
HTTP requests
DNS requests
TCP connections
UDP communications