× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: a6b8a5a92503b57fae2353fee6c7e208b50999f661bade900d8c686392fb7fca
File name: bitdefender_prof_v9.exe
Detection ratio: 2 / 57
Analysis date: 2016-04-01 02:59:12 UTC ( 2 years, 7 months ago ) View latest
Antivirus Result Update
ClamAV Html.Trojan.GenericFakeAV-2 20160401
NANO-Antivirus Marker.Script.EICAR.dymlmx 20160401
Ad-Aware 20160401
AegisLab 20160331
AhnLab-V3 20160330
Alibaba 20160323
ALYac 20160401
Antiy-AVL 20160401
Arcabit 20160401
Avast 20160401
AVG 20160401
Avira (no cloud) 20160401
AVware 20160401
Baidu 20160331
Baidu-International 20160331
BitDefender 20160401
Bkav 20160331
CAT-QuickHeal 20160331
CMC 20160322
Comodo 20160401
Cyren 20160401
DrWeb 20160331
Emsisoft 20160401
ESET-NOD32 20160401
F-Prot 20160401
F-Secure 20160401
Fortinet 20160330
GData 20160331
Ikarus 20160331
Jiangmin 20160401
K7AntiVirus 20160331
K7GW 20160401
Kaspersky 20160401
Kingsoft 20160401
Malwarebytes 20160401
McAfee 20160401
McAfee-GW-Edition 20160331
Microsoft 20160401
eScan 20160401
nProtect 20160331
Panda 20160331
Qihoo-360 20160401
Rising 20160401
Sophos AV 20160401
SUPERAntiSpyware 20160401
Symantec 20160331
Tencent 20160401
TheHacker 20160330
TotalDefense 20160330
TrendMicro 20160401
TrendMicro-HouseCall 20160401
VBA32 20160331
VIPRE 20160401
ViRobot 20160401
Yandex 20160316
Zillya 20160331
Zoner 20160331
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
© Microsoft Corporation. All rights reserved.

Product Microsoft® Windows® Operating System
Original name WEXTRACT.EXE
Internal name Wextract
File version 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
Description Win32 Cabinet Self-Extractor
Signature verification Signed file, verified signature
Signing date 8:58 AM 4/11/2006
Signers
[+] SOFTWIN
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer VeriSign Class 3 Code Signing 2004 CA
Valid from 1:00 AM 2/14/2006
Valid to 12:59 AM 3/6/2008
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 71EDA3426E9531ECFEEE60BD75DE89FA15497166
Serial number 46 46 0F DE 16 F4 AD 69 94 40 34 77 29 F5 39 5E
[+] VeriSign Class 3 Code Signing 2004 CA
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Class 3 Public Primary Certification Authority
Valid from 1:00 AM 7/16/2004
Valid to 12:59 AM 7/16/2014
Valid usage Client Auth, Code Signing
Algorithm sha1RSA
Thumbprint 197A4AEBDB25F0170079BB8C73CB2D655E0018A4
Serial number 41 91 A1 5A 39 78 DF CF 49 65 66 38 1D 4C 75 C2
[+] VeriSign Class 3 Public Primary CA
Status Valid
Issuer Class 3 Public Primary Certification Authority
Valid from 1:00 AM 1/29/1996
Valid to 12:59 AM 8/2/2028
Valid usage Server Auth, Client Auth, Email Protection, Code Signing
Algorithm md2RSA
Thumbprint 742C3192E607E424EB4549542BE1BBC53E6174E2
Serial number 70 BA E4 1D 10 D9 29 34 B6 38 CA 7B 03 CC BA BF
Counter signers
[+] VeriSign Time Stamping Services Signer
Status This certificate or one of the certificates in the certificate chain is not time valid., The revocation status of the certificate or one of the certificates in the certificate chain is unknown., Error 65536 (0x10000), The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.
Issuer VeriSign Time Stamping Services CA
Valid from 1:00 AM 12/4/2003
Valid to 12:59 AM 12/4/2008
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbrint 817E78267300CB0FE5D631357851DB366123A690
Serial number 0D E9 2B F0 D4 D8 29 88 18 32 05 09 5E 9A 76 88
[+] VeriSign Time Stamping Services CA
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Thawte Timestamping CA
Valid from 1:00 AM 12/4/2003
Valid to 12:59 AM 12/4/2013
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbrint F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
Serial number 47 BF 19 95 DF 8D 52 46 43 F7 DB 6D 48 0D 31 A4
[+] Thawte Timestamping CA
Status Valid
Issuer Thawte Timestamping CA
Valid from 1:00 AM 1/1/1997
Valid to 12:59 AM 1/1/2021
Valid usage Timestamp Signing
Algorithm md5RSA
Thumbrint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
Packers identified
F-PROT CAB, appended
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2004-08-04 06:01:37
Entry Point 0x0000645C
Number of sections 3
PE sections
Overlays
MD5 c7ef7a023c1c4e158650423bcc6afd59
File type data
Offset 20030464
Size 5744
Entropy 7.26
PE imports
GetTokenInformation
LookupPrivilegeValueA
RegCloseKey
OpenProcessToken
RegSetValueExA
FreeSid
RegQueryValueExA
AllocateAndInitializeSid
AdjustTokenPrivileges
EqualSid
RegCreateKeyExA
RegOpenKeyExA
RegDeleteValueA
RegQueryInfoKeyA
GetDeviceCaps
GetLastError
GetSystemTimeAsFileTime
DosDateTimeToFileTime
ReadFile
GetStartupInfoA
GetSystemInfo
lstrlenA
GetFileAttributesA
GlobalFree
WaitForSingleObject
LoadLibraryA
GetExitCodeProcess
QueryPerformanceCounter
MulDiv
ExitProcess
SetFileTime
GetVersionExA
GlobalUnlock
GetModuleFileNameA
IsDBCSLeadByte
GetShortPathNameA
FreeLibrary
GetCurrentProcess
GetVolumeInformationA
LoadLibraryExA
SizeofResource
GetCurrentDirectoryA
GetPrivateProfileStringA
WritePrivateProfileStringA
LocalAlloc
lstrcatA
GetPrivateProfileIntA
CreateDirectoryA
DeleteFileA
GetWindowsDirectoryA
UnhandledExceptionFilter
_llseek
GetCommandLineA
GlobalLock
EnumResourceLanguagesA
TerminateThread
GetTempPathA
CreateMutexA
GetModuleHandleA
_lclose
CreateThread
lstrcmpiA
SetFilePointer
lstrcmpA
FindFirstFileA
GetCurrentProcessId
CreateEventA
lstrcpyA
_lopen
CloseHandle
GetTempFileNameA
lstrcpynA
FindNextFileA
GetSystemDirectoryA
GetDiskFreeSpaceA
ExpandEnvironmentStringsA
FreeResource
SetFileAttributesA
SetEvent
LocalFree
FindResourceA
TerminateProcess
CreateProcessA
RemoveDirectoryA
SetUnhandledExceptionFilter
LockResource
LoadResource
WriteFile
GlobalAlloc
LocalFileTimeToFileTime
FindClose
FormatMessageA
GetTickCount
CreateFileA
GetDriveTypeA
GetCurrentThreadId
GetProcAddress
SetCurrentDirectoryA
ResetEvent
CharPrevA
EndDialog
ShowWindow
MessageBeep
SetWindowPos
SendDlgItemMessageA
GetSystemMetrics
GetWindowRect
DispatchMessageA
EnableWindow
SetDlgItemTextA
GetDlgItemTextA
MessageBoxA
PeekMessageA
SetWindowLongA
CharUpperA
GetDC
ReleaseDC
SetWindowTextA
GetWindowLongA
SendMessageA
GetDlgItem
wsprintfA
LoadStringA
CharNextA
GetDesktopWindow
CallWindowProcA
MsgWaitForMultipleObjects
SetForegroundWindow
ExitWindowsEx
DialogBoxIndirectParamA
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA
Number of PE resources by type
RT_RCDATA 14
RT_STRING 7
RT_DIALOG 6
RT_ICON 2
Struct(255) 1
AVI 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 33
PE resources
Debug information
ExifTool file metadata
UninitializedDataSize
0

LinkerVersion
7.1

ImageVersion
5.1

FileSubtype
0

FileVersionNumber
6.0.2900.2180

LanguageCode
English (U.S.)

FileFlagsMask
0x003f

FileDescription
Win32 Cabinet Self-Extractor

ImageFileCharacteristics
No relocs, Executable, No line numbers, No symbols, 32-bit

CharacterSet
Unicode

InitializedDataSize
19990016

EntryPoint
0x645c

OriginalFileName
WEXTRACT.EXE

MIMEType
application/octet-stream

LegalCopyright
Microsoft Corporation. All rights reserved.

FileVersion
6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

TimeStamp
2004:08:04 07:01:37+01:00

FileType
Win32 EXE

PEType
PE32

InternalName
Wextract

ProductVersion
6.00.2900.2180

SubsystemVersion
4.0

OSVersion
5.1

FileOS
Windows NT 32-bit

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CompanyName
Microsoft Corporation

CodeSize
39424

ProductName
Microsoft Windows Operating System

ProductVersionNumber
6.0.2900.2180

FileTypeExtension
exe

ObjectFileType
Executable application

File identification
MD5 9e60c6c028a7465f07ae2d9727f30a11
SHA1 acb9110c57c75f6825055bbc503a4800b350acff
SHA256 a6b8a5a92503b57fae2353fee6c7e208b50999f661bade900d8c686392fb7fca
ssdeep
393216:gNNIN13KrEUW42F4W7v0twv1tVEPT8UqWEBL2sZd2wau1Tg3p3T+U:G0JrUp/wMm1sPQUq9QsZkwt+3T1

authentihash 8473c5b4f0b14f1de5947582db2f6535a48251b18632871f1b6a39f95397fef9
imphash 0ebb3c09b06b1666d307952e824c8697
File size 19.1 MB ( 20036208 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 MS Cabinet Self-Extractor (WExtract stub) (88.8%)
Win64 Executable (generic) (8.0%)
Win32 Executable (generic) (1.3%)
OS/2 Executable (generic) (0.5%)
Generic Win/DOS Executable (0.5%)
Tags
peexe signed overlay

VirusTotal metadata
First submission 2009-07-11 13:16:48 UTC ( 9 years, 4 months ago )
Last submission 2018-05-07 05:12:55 UTC ( 6 months, 2 weeks ago )
File names Wextract
bitdefender_prof_v9.exe
WEXTRACT.EXE
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

TrendMicro-HouseCall
TrendMicro's heuristic engine has flagged this file as: Suspici.436E6684.

No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
UDP communications