× Куки вимкнені! Цей сайт потребує ввімкнення куків для правильної роботи
SHA256: b0a729e1bd3dcfbe3ccfbc4078a58c8acd7d6a6711e3f86e6efe07e661cb52cc
Назва файлу: corrupt_docx_salvager_setup_2.0.4_without_adware.exe
Співвідношення виявлення: 1 / 57
Дата дослідження: 2016-09-08 13:10:41 UTC ( 2 роки, 8 місяців тому ) Переглянути останні
Противірус Підсумок Оновлення
Sophos ML virus.win32.sality.at 20160830
Ad-Aware 20160908
AegisLab 20160908
AhnLab-V3 20160907
Alibaba 20160908
ALYac 20160908
Antiy-AVL 20160908
Arcabit 20160908
Avast 20160908
AVG 20160908
Avira (no cloud) 20160908
AVware 20160908
Baidu 20160908
BitDefender 20160908
Bkav 20160908
CAT-QuickHeal 20160907
ClamAV 20160907
CMC 20160908
Comodo 20160908
CrowdStrike Falcon (ML) 20160725
Cyren 20160908
DrWeb 20160908
Emsisoft 20160908
ESET-NOD32 20160908
F-Prot 20160908
F-Secure 20160908
Fortinet 20160908
GData 20160908
Ikarus 20160908
Jiangmin 20160908
K7AntiVirus 20160908
K7GW 20160908
Kaspersky 20160908
Kingsoft 20160908
Malwarebytes 20160908
McAfee 20160908
McAfee-GW-Edition 20160908
Microsoft 20160908
eScan 20160908
NANO-Antivirus 20160908
nProtect 20160908
Panda 20160907
Qihoo-360 20160908
Rising 20160908
Sophos AV 20160908
SUPERAntiSpyware 20160908
Symantec 20160908
Tencent 20160908
TheHacker 20160908
TrendMicro 20160908
TrendMicro-HouseCall 20160908
VBA32 20160907
VIPRE 20160908
ViRobot 20160908
Yandex 20160907
Zillya 20160908
Zoner 20160908
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright

Product Corrupt DOCX Salvager
File version
Description Corrupt DOCX Salvager Setup
Comments This installation was built with Inno Setup.
Signature verification Signed file, verified signature
Signing date 6:50 AM 4/16/2015
Signers
[+] Paul Dudley Pruitt
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer COMODO RSA Code Signing CA
Valid from 12:00 AM 04/06/2015
Valid to 11:59 PM 04/05/2016
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint 1162A064D501BAD3870E845282D1B9188B5CC13E
Serial number 28 ED 42 28 D3 EA 7B DF DE A2 A5 9A 32 B0 88 33
[+] COMODO RSA Code Signing CA
Status Valid
Issuer COMODO RSA Certification Authority
Valid from 12:00 AM 05/09/2013
Valid to 11:59 PM 05/08/2028
Valid usage Code Signing
Algorithm sha384RSA
Thumbprint B69E752BBE88B4458200A7C0F4F5B3CCE6F35B47
Serial number 2E 7C 87 CC 0E 93 4A 52 FE 94 FD 1C B7 CD 34 AF
[+] Sectigo (formerly Comodo CA)
Status Valid
Issuer COMODO RSA Certification Authority
Valid from 01:00 AM 01/19/2010
Valid to 12:59 AM 01/19/2038
Valid usage Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing, EFS, IPSEC Tunnel, IPSEC User
Algorithm sha384RSA
Thumbprint AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4
Serial number 4C AA F9 CA DB 63 6F E0 1F F7 4E D8 5B 03 86 9D
Counter signers
[+] COMODO Time Stamping Signer
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer UTN-USERFirst-Object
Valid from 12:00 AM 05/10/2010
Valid to 11:59 PM 05/10/2015
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbrint 3DBB6DB5085C6DD5A1CA7F9CF84ECB1A3910CAC8
Serial number 47 8A 8E FB 59 E1 D8 3F 0C E1 42 D2 A2 87 07 BE
[+] Sectigo (UTN Object)
Status Valid
Issuer UTN-USERFirst-Object
Valid from 06:31 PM 07/09/1999
Valid to 06:40 PM 07/09/2019
Valid usage EFS, Timestamp Signing, Code Signing
Algorithm sha1RSA
Thumbrint E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Serial number 44 BE 0C 8B 50 00 24 B4 11 D3 36 2D E0 B3 5F 1B
Packers identified
F-PROT INNO
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 1992-06-19 22:22:17
Entry Point 0x0000A5F8
Number of sections 8
PE sections
Overlays
MD5 f0c0e145ad13b90e87701af015d38677
File type data
Offset 55296
Size 4514904
Entropy 8.00
PE imports
LookupPrivilegeValueA
RegCloseKey
OpenProcessToken
RegQueryValueExA
AdjustTokenPrivileges
RegOpenKeyExA
InitCommonControls
GetSystemTime
GetLastError
GetEnvironmentVariableA
GetStdHandle
EnterCriticalSection
GetUserDefaultLangID
GetSystemInfo
GetFileAttributesA
GetExitCodeProcess
ExitProcess
CreateDirectoryA
VirtualProtect
GetVersionExA
RemoveDirectoryA
RtlUnwind
LoadLibraryA
DeleteCriticalSection
GetCurrentProcess
SizeofResource
GetLocaleInfoA
LocalAlloc
LockResource
IsDBCSLeadByte
DeleteFileA
GetWindowsDirectoryA
GetSystemDefaultLCID
SetErrorMode
MultiByteToWideChar
GetCommandLineA
GetProcAddress
FormatMessageA
SetFilePointer
RaiseException
WideCharToMultiByte
GetModuleHandleA
ReadFile
InterlockedExchange
WriteFile
CloseHandle
GetACP
GetFullPathNameA
LocalFree
CreateProcessA
GetModuleFileNameA
InitializeCriticalSection
LoadResource
VirtualQuery
VirtualFree
TlsGetValue
Sleep
GetFileType
SetEndOfFile
TlsSetValue
CreateFileA
FindResourceA
VirtualAlloc
GetFileSize
SetLastError
LeaveCriticalSection
SysStringLen
SysAllocStringLen
VariantCopyInd
VariantClear
VariantChangeTypeEx
CharPrevA
CreateWindowExA
LoadStringA
DispatchMessageA
CallWindowProcA
MessageBoxA
PeekMessageA
SetWindowLongA
MsgWaitForMultipleObjects
TranslateMessage
ExitWindowsEx
DestroyWindow
Number of PE resources by type
RT_STRING 6
RT_ICON 1
RT_MANIFEST 1
RT_RCDATA 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 7
ENGLISH US 4
PE resources
ExifTool file metadata
SubsystemVersion
4.0

Comments
This installation was built with Inno Setup.

InitializedDataSize
13824

ImageVersion
6.0

ProductName
Corrupt DOCX Salvager

FileVersionNumber
0.0.0.0

UninitializedDataSize
0

LanguageCode
Neutral

FileFlagsMask
0x003f

ImageFileCharacteristics
No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi

CharacterSet
Unicode

LinkerVersion
2.25

FileTypeExtension
exe

MIMEType
application/octet-stream

TimeStamp
1992:06:20 00:22:17+02:00

FileType
Win32 EXE

PEType
PE32

ProductVersion
2.0.4

FileDescription
Corrupt DOCX Salvager Setup

OSVersion
1.0

FileOS
Win32

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CompanyName
S2 Services

CodeSize
40448

FileSubtype
0

ProductVersionNumber
0.0.0.0

EntryPoint
0xa5f8

ObjectFileType
Executable application

Compressed bundles
File identification
MD5 b38d621773fea5b446c360fc0f1a9c42
SHA1 dd6d078afc4e97678bd217734a64aa1c51baa42d
SHA256 b0a729e1bd3dcfbe3ccfbc4078a58c8acd7d6a6711e3f86e6efe07e661cb52cc
ssdeep
98304:apGFxvRP+6uuUDLMS+IAqUHshhiYUl3Q4zT3vVq7mL5XQ+/44bNIS/1Ts:447PuBDLMnIIMh54X3amJQ+t2Ms

authentihash 4ebd7f89a1326af8ccf96f488733642235f0968e5d78bc7287e5d2ce36d0d082
imphash 884310b1928934402ea6fec1dbd3cf5e
Розмір файлу 4.4 Мб ( 4570200 bytes )
Тип файлу Win32 EXE
Чарівні букви
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Inno Setup installer (70.2%)
Win32 Executable Delphi generic (9.0%)
Windows screen saver (8.3%)
Win32 Dynamic Link Library (generic) (4.2%)
Win32 Executable (generic) (2.8%)
Tags
peexe signed overlay

VirusTotal metadata
First submission 2015-04-22 14:35:38 UTC ( 4 роки, 1 місяць тому )
Last submission 2018-11-10 14:52:16 UTC ( 6 місяців, 2 тижні тому )
Назви файлів output.20822417.txt
corrupt_docx_salvager_setup_2.0.3.exe
corrupt_docx_salvager_setup_2.0.4.exe
output.26000667.txt
20822417
B0A729E1BD3DCFBE3CCFBC4078A58C8ACD7D6A6711E3F86E6EFE07E661CB52CC
corrupt_docx_salvager_setup_2.0.4.exe
corrupt_docx_salvager_setup_2.0.3.exe
output.26629287.txt
corrupt_docx_salvager_setup_2.0.4_without_adware.exe
26000667
corrupt_docx_salvager_setup_2.0.4_without_adware.exe
26629287
corrupt_docx_salvager_setup_2.0.2.exe
document_salvager.exe
filename
corrupt_docx_salvager_setup_2.0.2.exe
corrupt_docx_salvager_setup_2.0.4.exe
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Symantec reputation Suspicious.Insight
Немає дописів. Жоден член VirusTotal Спільноти ще не писав з цього приводу, Ви можете стати першим, хто зробить це!

Напишіть свій допис…

?
Залишити допис

Ви не ввійшли в систему. Лише зареєстровані користувачі можуть залишати дописи, увійдіть для отримання прав!

Немає голосів. Наразі ніхто не проголосував з цього приводу, Ви можете стати першим, хто зробить це!
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Deleted files
Created processes
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
UDP communications