filenameADExploiter.EXE
size333824 (0x51800)
md5c7f2dd770a31353dbc2df899c5244f8d
typePE32+ executable (GUI) x86-64, for MS Windows
mimetypeapplication/x-dosexec
clamavOK
virustotal→ scan with virustotal.com
histogram

MZ Header

signatureMZ
bytes_in_last_block0x90
blocks_in_file3
num_relocs0
header_paragraphs4
min_extra_paragraphs0
max_extra_paragraphs0xffff
ss0
sp0xb8
checksum0
ip0
cs0
reloc_table_offset0x40
overlay_number0
reserved00
oem_id0
oem_info0
reserved20
reserved30
reserved40
reserved50
reserved60
lfanew0xf0

Rich Header

lib idversiontimes used
261257111
259257112
2602571118
2572571117
10160
264257119
255257111
258257111

DOS stub

00000000: 0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68  |........!..L.!Th|
00000010: 69 73 20 70 72 6f 67 72  61 6d 20 63 61 6e 6e 6f  |is program canno|
00000020: 74 20 62 65 20 72 75 6e  20 69 6e 20 44 4f 53 20  |t be run in DOS |
00000030: 6d 6f 64 65 2e 0d 0d 0a  24 00 00 00 00 00 00 00  |mode....$.......|

PE Header

SignaturePE
Machine0x8664
NumberOfSections6
TimeDateStamp0x7bf15fac
PointerToSymbolTable0
NumberOfSymbols0
SizeOfOptionalHeader0xf0
Characteristics0x22
Magic0x20b
LinkerVersion14.12
SizeOfCode0x7200
SizeOfInitializedData0x4a200
SizeOfUninitializedData0
AddressOfEntryPoint0x77f0
BaseOfCode0x1000
ImageBase0x140000000
SectionAlignment0x1000
FileAlignment0x200
OperatingSystemVersion10.0
ImageVersion10.0
SubsystemVersion6.0
Reserved10
SizeOfImage0x58000
SizeOfHeaders0x400
CheckSum0x521ca
Subsystem2
DllCharacteristics0xc160
SizeOfStackReserve0x80000
SizeOfStackCommit0x2000
SizeOfHeapReserve0x100000
SizeOfHeapCommit0x1000
LoaderFlags0
NumberOfRvaAndSizes0x10

Packer / Compiler

AVI movie file

Sections

namevavsizeraw sizeflags
.text0x10000x71000x7200R-X CODE
.rdata0x90000x22a00x2400R-- IDATA
.data0xc0000x1e800x400RW- IDATA
.pdata0xe0000x3fc0x400R-- IDATA
.rsrc0xf0000x480000x47400R-- IDATA
.reloc0x570000x200x200R-- IDATA DISCARDABLE

Data Directory

typevasize
EXPORT00
IMPORT0xa2140xb4
RESOURCE0xf0000x473f4
EXCEPTION0xe0000x3fc
SECURITY00
BASERELOC0x570000x20
DEBUG0x9a000x54
ARCHITECTURE00
GLOBALPTR00
TLS00
LOAD_CONFIG0x90100x100
Bound_IAT00
IAT0x91100x520
Delay_IAT00
CLR_Header00
typenamesizecp
AVI#3001118021252
ICON#116401252
ICON#27441252
ICON#34881252
ICON#42961252
ICON#537521252
ICON#622161252
ICON#717361252
ICON#813841252
ICON#9557621252
ICON#1096401252
ICON#1142641252
ICON#1224401252
ICON#1311281252
DIALOG#20017541252
DIALOG#20024321252
DIALOG#20033581252
DIALOG#20044481252
DIALOG#20053041252
DIALOG#20062881252
STRING#631401252
STRING#7613121252
STRING#7714841252
STRING#8012001252
STRING#8310981252
STRING#859741252
RCDATAADMQCMD71252
RCDATACABINET1798021252
RCDATAEXTRACTOPT41252
RCDATAFILESIZES361252
RCDATAFINISHMSG71252
RCDATALICENSE71252
RCDATAPACKINSTSPACE41252
RCDATAPOSTRUNPROGRAM71252
RCDATAREBOOT41252
RCDATARUNPROGRAM181252
RCDATASHOWWINDOW41252
RCDATATITLE111252
RCDATAUPROMPT71252
RCDATAUSRQCMD71252
GROUP_ICON#30001881252
VERSION#110321252
MANIFEST#120221252
idlangstring
10001033Please select a folder to store the extracted files.
10011033%s
12001033Failed to get disk space information from: %s. System Message: %s.
12011033A required resource cannot be located.
12021033Are you sure you want to cancel?
12041033Unable to retrieve operating system version information.
12051033Memory allocation request failed.
12081033Unable to create extraction thread.
12101033Cabinet is not valid.
12111033Filetable full.
12121033Can not change to destination folder.
12131033Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.
12141033That folder is invalid. Please make sure the folder exists and is writable.
12151033You must specify a folder with fully qualified pathname or choose Cancel.
12161033Could not update folder edit box.
12171033Could not load functions required for browser dialog.
12181033Could not load Shell32.dll required for browser dialog.
12201033Error creating process <%s>. Reason: %s
12211033The cluster size in this system is not supported.
12221033A required resource appears to be corrupted.
12231033Windows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.
12241033Error loading %s
12251033GetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used.
12261033Windows 95 or Windows NT is required to install
12271033Could not create folder '%s'
12281033To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue. Do you still want to continue?
12641033Error retrieving Windows folder
12691033NT Shutdown: OpenProcessToken error.
12701033NT Shutdown: AdjustTokenPrivileges error.
12711033NT Shutdown: ExitWindowsEx error.
12721033Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.
12731033The setup program could not retrieve the volume information for drive (%s) . System message: %s.
12741033Setup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.
12751033The installation program appears to be damaged or corrupted. Contact the vendor of this application.
13121033Command line option syntax error. Type Command /? for Help.
13131033Command line options: /Q -- Quiet modes for package, /T:<full path> -- Specifies temporary working folder, /C -- Extract files only to the folder when used also with /T. /C:<Cmd> -- Override Install Command defined by author.
13141033You must restart your computer before the new settings will take effect. Do you want to restart your computer now?
13161033Another copy of the '%s' package is already running on your system. Do you want to run another copy?
13171033Could not find the file: %s.
13511033You do not have administrator privileges on this machine. Some installations cannot be completed correctly unless they are run by an administrator.
13541033The folder '%s' does not exist. Do you want to create it?
13551033Another copy of the '%s' package is already running on your system. You can only run one copy at a time.
13561033The '%s' package is not compatible with the version of Windows you are running.
13571033The '%s' package is not compatible with the version of the file: %s on your system.
module_namehintordfunction_name
ADVAPI32.dll368GetTokenInformation
ADVAPI32.dll626RegDeleteValueA
ADVAPI32.dll651RegOpenKeyExA
ADVAPI32.dll658RegQueryInfoKeyA
ADVAPI32.dll308FreeSid
ADVAPI32.dll533OpenProcessToken
ADVAPI32.dll680RegSetValueExA
ADVAPI32.dll611RegCreateKeyExA
ADVAPI32.dll430LookupPrivilegeValueA
ADVAPI32.dll32AllocateAndInitializeSid
ADVAPI32.dll664RegQueryValueExA
ADVAPI32.dll282EqualSid
ADVAPI32.dll603RegCloseKey
ADVAPI32.dll31AdjustTokenPrivileges
KERNEL32.dll1587_lopen
KERNEL32.dll1585_llseek
KERNEL32.dll151CompareStringA
KERNEL32.dll611GetLastError
KERNEL32.dll579GetFileAttributesA
KERNEL32.dll738GetSystemDirectoryA
KERNEL32.dll959LoadLibraryA
KERNEL32.dll273DeleteFileA
KERNEL32.dll818GlobalAlloc
KERNEL32.dll825GlobalFree
KERNEL32.dll134CloseHandle
KERNEL32.dll1566WritePrivateProfileStringA
KERNEL32.dll891IsDBCSLeadByte
KERNEL32.dll810GetWindowsDirectoryA
KERNEL32.dll1312SetFileAttributesA
KERNEL32.dll689GetProcAddress
KERNEL32.dll829GlobalLock
KERNEL32.dll972LocalFree
KERNEL32.dll1203RemoveDirectoryA
KERNEL32.dll431FreeLibrary
KERNEL32.dll1583_lclose
KERNEL32.dll180CreateDirectoryA
KERNEL32.dll679GetPrivateProfileIntA
KERNEL32.dll685GetPrivateProfileStringA
KERNEL32.dll836GlobalUnlock
KERNEL32.dll1136ReadFile
KERNEL32.dll1410SizeofResource
KERNEL32.dll1561WriteFile
KERNEL32.dll561GetDriveTypeA
KERNEL32.dll960LoadLibraryExA
KERNEL32.dll1324SetFileTime
KERNEL32.dll1320SetFilePointer
KERNEL32.dll407FindResourceA
KERNEL32.dll214CreateMutexA
KERNEL32.dll801GetVolumeInformationA
KERNEL32.dll1502WaitForSingleObject
KERNEL32.dll532GetCurrentDirectoryA
KERNEL32.dll435FreeResource
KERNEL32.dll798GetVersion
KERNEL32.dll1294SetCurrentDirectoryA
KERNEL32.dll760GetTempPathA
KERNEL32.dll970LocalFileTimeToFileTime
KERNEL32.dll194CreateFileA
KERNEL32.dll1308SetEvent
KERNEL32.dll1427TerminateThread
KERNEL32.dll799GetVersionExA
KERNEL32.dll983LockResource
KERNEL32.dll742GetSystemInfo
KERNEL32.dll240CreateThread
KERNEL32.dll1219ResetEvent
KERNEL32.dll965LoadResource
KERNEL32.dll354ExitProcess
KERNEL32.dll634GetModuleHandleW
KERNEL32.dll223CreateProcessA
KERNEL32.dll426FormatMessageA
KERNEL32.dll758GetTempFileNameA
KERNEL32.dll296DosDateTimeToFileTime
KERNEL32.dll187CreateEventA
KERNEL32.dll575GetExitCodeProcess
KERNEL32.dll357ExpandEnvironmentStringsA
KERNEL32.dll968LocalAlloc
KERNEL32.dll1594lstrcmpA
KERNEL32.dll398FindNextFileA
KERNEL32.dll539GetCurrentProcess
KERNEL32.dll381FindFirstFileA
KERNEL32.dll629GetModuleFileNameA
KERNEL32.dll719GetShortPathNameA
KERNEL32.dll1411Sleep
KERNEL32.dll723GetStartupInfoW
KERNEL32.dll1227RtlCaptureContext
KERNEL32.dll1234RtlLookupFunctionEntry
KERNEL32.dll1241RtlVirtualUnwind
KERNEL32.dll1460UnhandledExceptionFilter
KERNEL32.dll1395SetUnhandledExceptionFilter
KERNEL32.dll1426TerminateProcess
KERNEL32.dll1097QueryPerformanceCounter
KERNEL32.dll540GetCurrentProcessId
KERNEL32.dll544GetCurrentThreadId
KERNEL32.dll748GetSystemTimeAsFileTime
KERNEL32.dll778GetTickCount
KERNEL32.dll322EnumResourceLanguagesA
KERNEL32.dll555GetDiskFreeSpaceA
KERNEL32.dll1002MulDiv
KERNEL32.dll377FindClose
GDI32.dll621GetDeviceCaps
USER32.dll912ShowWindow
USER32.dll670MsgWaitForMultipleObjects
USER32.dll895SetWindowPos
USER32.dll324GetDC
USER32.dll492GetWindowRect
USER32.dll190DispatchMessageA
USER32.dll451GetSystemMetrics
USER32.dll31CallWindowProcA
USER32.dll899SetWindowTextA
USER32.dll656MessageBoxA
USER32.dll790SendDlgItemMessageA
USER32.dll795SendMessageA
USER32.dll334GetDlgItem
USER32.dll184DialogBoxIndirectParamA
USER32.dll483GetWindowLongPtrA
USER32.dll891SetWindowLongPtrA
USER32.dll832SetForegroundWindow
USER32.dll773ReleaseDC
USER32.dll241EnableWindow
USER32.dll49CharNextA
USER32.dll608LoadStringA
USER32.dll52CharPrevA
USER32.dll244EndDialog
USER32.dll655MessageBeep
USER32.dll273ExitWindowsEx
USER32.dll827SetDlgItemTextA
USER32.dll59CharUpperA
USER32.dll327GetDesktopWindow
USER32.dll693PeekMessageA
USER32.dll336GetDlgItemTextA
msvcrt.dll47void __cdecl terminate(void)

?terminate@@YAXXZ

msvcrt.dll210_commode
msvcrt.dll295_fmode
msvcrt.dll162_acmdln
msvcrt.dll87__C_specific_handler
msvcrt.dll1174memset
msvcrt.dll144__setusermatherr
msvcrt.dll409_ismbblead
msvcrt.dll193_cexit
msvcrt.dll270_exit
msvcrt.dll1074exit
msvcrt.dll142__set_app_type
msvcrt.dll127__getmainargs
msvcrt.dll174_amsg_exit
msvcrt.dll85_XcptFilter
msvcrt.dll1171memcpy_s
msvcrt.dll867_vsnprintf
msvcrt.dll381_initterm
msvcrt.dll1170memcpy
COMCTL32.dll17
Cabinet.dll20
Cabinet.dll21
Cabinet.dll23
Cabinet.dll22
VERSION.dll15VerQueryValueA
VERSION.dll4GetFileVersionInfoSizeA
VERSION.dllGetFileVersionInfoA

StringTable 040904B0

CompanyNameMicrosoft Corporation
FileDescriptionWin32 Cabinet Self-Extractor
FileVersion11.00.17134.1 (WinBuild.160101.0800)
InternalNameWextract
LegalCopyright© Microsoft Corporation. All rights reserved.
OriginalFilenameWEXTRACT.EXE .MUI
ProductNameInternet Explorer
ProductVersion11.00.17134.1

VS_FIXEDFILEINFO

FileVersion11.0.17134.1
ProductVersion11.0.17134.1
StrucVersion0x10000
FileFlagsMask0x3f
FileFlags0
FileOS0x40004
FileType1
FileSubtype0
offsetsizetypecomment
15c115HTM#
abf811794AVI#
109f455762PNG(256 x 256)#
1e3c6209978BINoverlay data past EOF#
Scanning the drive for archives:
1 file, 333824 bytes (326 KiB)


--
Type = PE
Physical Size = 333824
CPU = x64
64-bit = +
Characteristics = Executable LargeAddress
Created = 2035-11-23 07:37:16
Headers Size = 1024
Checksum = 336330
Name = WEXTRACT.EXE            .MUI
Image Size = 360448
Section Alignment = 4096
File Alignment = 512
Code Size = 29184
Initialized Data Size = 303616
Uninitialized Data Size = 0
Linker Version = 14.12
OS Version = 10.0
Image Version = 10.0
Subsystem Version = 6.0
Subsystem = Windows GUI
DLL Characteristics = Relocated NX-Compatible TerminalServerAware 0x4020
Stack Reserve = 524288
Stack Commit = 8192
Heap Reserve = 1048576
Heap Commit = 4096
Image Base = 5368709120
Comment = FileVersion: 11.0.17134.1
FileVersion: 11.00.17134.1 (WinBuild.160101.0800)
ProductVersion: 11.0.17134.1
ProductVersion: 11.00.17134.1
CompanyName: Microsoft Corporation
FileDescription: Win32 Cabinet Self-Extractor                                           
InternalName: Wextract                
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFilename: WEXTRACT.EXE            .MUI
ProductName: Internet Explorer
----
Path = .rsrc/RCDATA/CABINET
Size = 179802
Packed Size = 179802
--
Path = .rsrc/RCDATA/CABINET
Type = Cab
Physical Size = 179802
Method = LZX:21
Blocks = 1
Volumes = 1
Volume Index = 0
ID = 5228

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2019-07-13 10:24:00 ....A       188504               ADExplorer.exe
2019-07-14 13:47:36 ....A          151               master.bat
2019-06-17 00:54:08 ....A        13824               PowerShdll.dll
2019-07-14 13:31:40 ....A          904               shell_ps_b64.ps1
------------------- ----- ------------ ------------  ------------------------
2019-07-14 13:47:36             203383       333824  4 files
offset:( 0x )size:( 0x )hotkeys:-=[]<>, offset/size fields are also editable







[?] ignoring invalid PEdump::BITMAPINFOHEADER