filenamec1aa5d85
size4520448 (0x44fa00)
md5f9af820cd81bd7cfcc0fd503d0496c69
typePE32+ executable (GUI) x86-64, for MS Windows
mimetypeapplication/x-dosexec
clamavOK
virustotal→ scan with virustotal.com
histogram

MZ Header

signatureMZ
bytes_in_last_block0x90
blocks_in_file3
num_relocs0
header_paragraphs4
min_extra_paragraphs0
max_extra_paragraphs0xffff
ss0
sp0xb8
checksum0
ip0
cs0
reloc_table_offset0x40
overlay_number0
reserved00
oem_id0
oem_info0
reserved20
reserved30
reserved40
reserved50
reserved60
lfanew0xf0

Rich Header

lib idversiontimes used
205655011
2066550165
2076550116
2036550117
10211
210655019
126507271
201655011
204655011

DOS stub

00000000: 0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68  |........!..L.!Th|
00000010: 69 73 20 70 72 6f 67 72  61 6d 20 63 61 6e 6e 6f  |is program canno|
00000020: 74 20 62 65 20 72 75 6e  20 69 6e 20 44 4f 53 20  |t be run in DOS |
00000030: 6d 6f 64 65 2e 0d 0d 0a  24 00 00 00 00 00 00 00  |mode....$.......|

PE Header

SignaturePE
Machine0x8664
NumberOfSections6
TimeDateStamp0x525b93b6
PointerToSymbolTable0
NumberOfSymbols0
SizeOfOptionalHeader0xf0
Characteristics0x22
Magic0x20b
LinkerVersion11.0
SizeOfCode0x8000
SizeOfInitializedData0x447600
SizeOfUninitializedData0
AddressOfEntryPoint0x7f1c
BaseOfCode0x1000
ImageBase0x140000000
SectionAlignment0x1000
FileAlignment0x200
OperatingSystemVersion6.3
ImageVersion6.3
SubsystemVersion5.2
Reserved10
SizeOfImage0x455000
SizeOfHeaders0x400
CheckSum0x4505f9
Subsystem2
DllCharacteristics0x8160
SizeOfStackReserve0x80000
SizeOfStackCommit0x2000
SizeOfHeapReserve0x100000
SizeOfHeapCommit0x1000
LoaderFlags0
NumberOfRvaAndSizes0x10

Packer / Compiler

AVI movie file

Sections

namevavsizeraw sizeflags
.text0x10000x7fa00x8000R-X CODE
.data0x90000x1e600x200RW- IDATA
.pdata0xb0000x4080x600R-- IDATA
.idata0xc0000x15d40x1600R-- IDATA
.rsrc0xe0000x4460000x445400R-- IDATA
.reloc0x4540000x2040x400R-- IDATA DISCARDABLE

Data Directory

typevasize
EXPORT00
IMPORT0xc5280xb4
RESOURCE0xe0000x4452ac
EXCEPTION0xb0000x408
SECURITY00
BASERELOC0x4540000x18
DEBUG0x10400x1c
ARCHITECTURE00
GLOBALPTR00
TLS00
LOAD_CONFIG0x13c00x94
Bound_IAT00
IAT0xc0000x528
Delay_IAT00
CLR_Header00
typenamesizecp
AVI#3001118021252
ICON#116401252
ICON#27441252
ICON#34881252
ICON#42961252
ICON#537521252
ICON#622161252
ICON#717361252
ICON#813841252
ICON#9557621252
ICON#1096401252
ICON#1142641252
ICON#1224401252
ICON#1311281252
DIALOG#20017541252
DIALOG#20017801252
DIALOG#20024321252
DIALOG#20024201252
DIALOG#20033581252
DIALOG#20033641252
DIALOG#20044481252
DIALOG#20044481252
DIALOG#20053041252
DIALOG#20053021252
DIALOG#20062881252
DIALOG#20062701252
STRING#631401252
STRING#631501252
STRING#7613121252
STRING#7615861252
STRING#7714841252
STRING#7717321252
STRING#8012001252
STRING#8013661252
STRING#8310981252
STRING#8312541252
STRING#859741252
STRING#859481252
RCDATAADMQCMD71252
RCDATACABINET43550291252
RCDATAEXTRACTOPT41252
RCDATAFILESIZES361252
RCDATAFINISHMSG71252
RCDATALICENSE71252
RCDATAPACKINSTSPACE41252
RCDATAPOSTRUNPROGRAM71252
RCDATAREBOOT41252
RCDATARUNPROGRAM131252
RCDATASHOWWINDOW41252
RCDATATITLE161252
RCDATAUPROMPT71252
RCDATAUSRQCMD71252
GROUP_ICON#30001881252
VERSION#110521252
VERSION#111001252
MANIFEST#115151252
idlangstring
10001033Please select a folder to store the extracted files.
10011033%s
10001046Selecione uma pasta para armazenar os arquivos extraídos.
10011046%s
12001033Failed to get disk space information from: %s. System Message: %s.
12011033A required resource cannot be located.
12021033Are you sure you want to cancel?
12041033Unable to retrieve operating system version information.
12051033Memory allocation request failed.
12081033Unable to create extraction thread.
12101033Cabinet is not valid.
12111033Filetable full.
12121033Can not change to destination folder.
12131033Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.
12141033That folder is invalid. Please make sure the folder exists and is writable.
12151033You must specify a folder with fully qualified pathname or choose Cancel.
12001046Falha ao obter informações de espaço em disco de: %s. Mensagem do sistema: %s.
12011046Um recurso necessário não pode ser encontrado.
12021046Tem certeza de que deseja cancelar?
12041046Não é possível recuperar as informações de versão do sistema operacional.
12051046Falha do pedido de alocação de memória.
12081046Não é possível criar thread de extração.
12101046O arquivo de gabinete (.cab) não é válido.
12111046Tabela de arquivos cheia.
12121046Não é possível mudar para a pasta de destino.
12131046Não foi possível encontrar uma unidade com %s KB de espaço livre em disco para instalar o programa. Libere espaço e pressione 'Repetir' ou pressione 'Cancelar' para sair da instalação.
12141046Pasta inválida. Certifique-se de que a pasta existe e de que permite gravação.
12151046Especifique uma pasta com um nome de caminho totalmente qualificado ou clique em Cancelar.
12161033Could not update folder edit box.
12171033Could not load functions required for browser dialog.
12181033Could not load Shell32.dll required for browser dialog.
12201033Error creating process <%s>. Reason: %s
12211033The cluster size in this system is not supported.
12221033A required resource appears to be corrupted.
12231033Windows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.
12241033Error loading %s
12251033GetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used.
12261033Windows 95 or Windows NT is required to install
12271033Could not create folder '%s'
12281033To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue. Do you still want to continue?
12161046Não foi possível atualizar a caixa de edição da pasta.
12171046Não foi possível carregar as funções necessárias à caixa de diálogo do navegador.
12181046Não foi possível carregar Shell32.dll, necessário à caixa de diálogo do navegador.
12201046Erro ao criar o processo <%s>. Causa: %s
12211046Não há suporte para o tamanho do cluster deste sistema.
12221046Um recurso necessário parece estar corrompido.
12231046A instalação requer o Windows 95 ou o Windows NT 4.0 beta 2 ou posterior.
12241046Erro ao carregar %s
12251046Falha de GetProcAddress() na função '%s'. Possível causa: a versão incorreta de advpack.dll está sendo usada.
12261046O Windows 95 ou o Windows NT é necessário para esta instalação
12271046Não foi possível criar a pasta '%s'
12281046Para instalar este programa, você precisa de %s KB de espaço livre na unidade %s. É recomendável que você libere o espaço em disco necessário antes de continuar. Deseja continuar mesmo assim?
12641033Error retrieving Windows folder
12691033NT Shutdown: OpenProcessToken error.
12701033NT Shutdown: AdjustTokenPrivileges error.
12711033NT Shutdown: ExitWindowsEx error.
12721033Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.
12731033The setup program could not retrieve the volume information for drive (%s) . System message: %s.
12741033Setup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.
12751033The installation program appears to be damaged or corrupted. Contact the vendor of this application.
12641046Erro ao recuperar a pasta do Windows
12691046Desligamento do NT: erro OpenProcessToken.
12701046Desligamento do NT: erro AdjustTokenPrivileges.
12711046Desligamento do NT: erro ExitWindowsEx.
12721046Falha ao extrair arquivo. Causa mais provável: memória insuficiente (espaço em disco insuficiente para arquivo de permuta) ou arquivo de gabinete (.cab) corrompido.
12731046As informações de volume da unidade (%s) não puderam ser recuperadas. Mensagem do sistema: %s.
12741046Não foi possível encontrar uma unidade com %s KB de espaço livre em disco para instalar o programa. Libere espaço e tente novamente.
12751046O programa de instalação parece estar danificado ou corrompido. Entre em contato com o fornecedor do aplicativo.
13121033Command line option syntax error. Type Command /? for Help.
13131033Command line options: /Q -- Quiet modes for package, /T:<full path> -- Specifies temporary working folder, /C -- Extract files only to the folder when used also with /T. /C:<Cmd> -- Override Install Command defined by author.
13141033You must restart your computer before the new settings will take effect. Do you want to restart your computer now?
13161033Another copy of the '%s' package is already running on your system. Do you want to run another copy?
13171033Could not find the file: %s.
13121046Erro de sintaxe da opção de linha de comando. Digite o comando /? para obter ajuda.
13131046Opções de linha de comando: /Q -- Modos silenciosos para o pacote, /T:<caminho completo> -- Especifica a pasta de trabalho, /C -- Extrai somente arquivos para a pasta quando usado também com /T. /C:<comando> -- Substitui o comando de instalação definido pelo autor.
13141046É necessário reiniciar o computador para que as novas configurações tenham efeito. Deseja reiniciar o computador agora?
13161046Uma outra cópia do pacote '%s' já está sendo executada no sistema. Deseja executar outra cópia?
13171046Não foi possível encontrar o arquivo: %s.
13511033You do not have administrator privileges on this machine. Some installations cannot be completed correctly unless they are run by an administrator.
13541033The folder '%s' does not exist. Do you want to create it?
13551033Another copy of the '%s' package is already running on your system. You can only run one copy at a time.
13561033The '%s' package is not compatible with the version of Windows you are running.
13571033The '%s' package is not compatible with the version of the file: %s on your system.
13511046Você não possui privilégios de administrador neste computador. Algumas instalações só serão concluídas com êxito quando executadas por um administrador.
13541046A pasta '%s' não existe. Deseja criá-la?
13551046Uma outra cópia do pacote '%s' já está sendo executada no sistema. Apenas uma cópia pode ser executada de cada vez.
13561046O pacote '%s' não é compatível com a versão do Windows que está sendo executada.
13571046O pacote '%s' não é compatível com a versão do arquivo: %s do sistema.
module_namehintordfunction_name
ADVAPI32.dll530OpenProcessToken
ADVAPI32.dll367GetTokenInformation
ADVAPI32.dll673RegSetValueExA
ADVAPI32.dll280EqualSid
ADVAPI32.dll657RegQueryValueExA
ADVAPI32.dll428LookupPrivilegeValueA
ADVAPI32.dll604RegCreateKeyExA
ADVAPI32.dll644RegOpenKeyExA
ADVAPI32.dll651RegQueryInfoKeyA
ADVAPI32.dll619RegDeleteValueA
ADVAPI32.dll32AllocateAndInitializeSid
ADVAPI32.dll307FreeSid
ADVAPI32.dll31AdjustTokenPrivileges
ADVAPI32.dll596RegCloseKey
KERNEL32.dll666GetPrivateProfileIntA
KERNEL32.dll567GetFileAttributesA
KERNEL32.dll872IsDBCSLeadByte
KERNEL32.dll723GetSystemDirectoryA
KERNEL32.dll818GlobalUnlock
KERNEL32.dll705GetShortPathNameA
KERNEL32.dll173CreateDirectoryA
KERNEL32.dll370FindFirstFileA
KERNEL32.dll598GetLastError
KERNEL32.dll676GetProcAddress
KERNEL32.dll1173RemoveDirectoryA
KERNEL32.dll1282SetFileAttributesA
KERNEL32.dll807GlobalFree
KERNEL32.dll366FindClose
KERNEL32.dll672GetPrivateProfileStringA
KERNEL32.dll936LoadLibraryA
KERNEL32.dll945LocalAlloc
KERNEL32.dll1524WritePrivateProfileStringA
KERNEL32.dll616GetModuleFileNameA
KERNEL32.dll387FindNextFileA
KERNEL32.dll144CompareStringA
KERNEL32.dll1545_lopen
KERNEL32.dll127CloseHandle
KERNEL32.dll949LocalFree
KERNEL32.dll264DeleteFileA
KERNEL32.dll343ExitProcess
KERNEL32.dll286DosDateTimeToFileTime
KERNEL32.dll186CreateFileA
KERNEL32.dll396FindResourceA
KERNEL32.dll1290SetFilePointer
KERNEL32.dll800GlobalAlloc
KERNEL32.dll346ExpandEnvironmentStringsA
KERNEL32.dll1465WaitForSingleObject
KERNEL32.dll1278SetEvent
KERNEL32.dll621GetModuleHandleW
KERNEL32.dll415FormatMessageA
KERNEL32.dll1294SetFileTime
KERNEL32.dll1519WriteFile
KERNEL32.dll549GetDriveTypeA
KERNEL32.dll783GetVolumeInformationA
KERNEL32.dll1391TerminateThread
KERNEL32.dll1374SizeofResource
KERNEL32.dll179CreateEventA
KERNEL32.dll563GetExitCodeProcess
KERNEL32.dll215CreateProcessA
KERNEL32.dll1107ReadFile
KERNEL32.dll1264SetCurrentDirectoryA
KERNEL32.dll1543_llseek
KERNEL32.dll1189ResetEvent
KERNEL32.dll960LockResource
KERNEL32.dll727GetSystemInfo
KERNEL32.dll937LoadLibraryExA
KERNEL32.dll206CreateMutexA
KERNEL32.dll520GetCurrentDirectoryA
KERNEL32.dll781GetVersionExA
KERNEL32.dll780GetVersion
KERNEL32.dll745GetTempPathA
KERNEL32.dll231CreateThread
KERNEL32.dll947LocalFileTimeToFileTime
KERNEL32.dll1375Sleep
KERNEL32.dll423FreeResource
KERNEL32.dll792GetWindowsDirectoryA
KERNEL32.dll1552lstrcmpA
KERNEL32.dll1541_lclose
KERNEL32.dll811GlobalLock
KERNEL32.dll527GetCurrentProcess
KERNEL32.dll942LoadResource
KERNEL32.dll420FreeLibrary
KERNEL32.dll709GetStartupInfoW
KERNEL32.dll1197RtlCaptureContext
KERNEL32.dll1204RtlLookupFunctionEntry
KERNEL32.dll1211RtlVirtualUnwind
KERNEL32.dll1424UnhandledExceptionFilter
KERNEL32.dll1360SetUnhandledExceptionFilter
KERNEL32.dll1390TerminateProcess
KERNEL32.dll1020OutputDebugStringA
KERNEL32.dll1072QueryPerformanceCounter
KERNEL32.dll528GetCurrentProcessId
KERNEL32.dll532GetCurrentThreadId
KERNEL32.dll733GetSystemTimeAsFileTime
KERNEL32.dll761GetTickCount
KERNEL32.dll312EnumResourceLanguagesA
KERNEL32.dll979MulDiv
KERNEL32.dll543GetDiskFreeSpaceA
KERNEL32.dll743GetTempFileNameA
GDI32.dll502GetDeviceCaps
USER32.dll731SetForegroundWindow
USER32.dll600MsgWaitForMultipleObjects
USER32.dll694SendDlgItemMessageA
USER32.dll455GetWindowLongPtrA
USER32.dll463GetWindowRect
USER32.dll310GetDC
USER32.dll586MessageBoxA
USER32.dll623PeekMessageA
USER32.dll681ReleaseDC
USER32.dll318GetDlgItem
USER32.dll791SetWindowPos
USER32.dll808ShowWindow
USER32.dll787SetWindowLongPtrA
USER32.dll180DispatchMessageA
USER32.dll795SetWindowTextA
USER32.dll228EnableWindow
USER32.dll29CallWindowProcA
USER32.dll174DialogBoxIndirectParamA
USER32.dll320GetDlgItemTextA
USER32.dll563LoadStringA
USER32.dll585MessageBeep
USER32.dll57CharUpperA
USER32.dll47CharNextA
USER32.dll260ExitWindowsEx
USER32.dll50CharPrevA
USER32.dll231EndDialog
USER32.dll313GetDesktopWindow
USER32.dll727SetDlgItemTextA
USER32.dll699SendMessageA
USER32.dll428GetSystemMetrics
msvcrt.dll48void __cdecl terminate(void)

?terminate@@YAXXZ

msvcrt.dll296_fmode
msvcrt.dll163_acmdln
msvcrt.dll88__C_specific_handler
msvcrt.dll382_initterm
msvcrt.dll145__setusermatherr
msvcrt.dll410_ismbblead
msvcrt.dll194_cexit
msvcrt.dll1175memset
msvcrt.dll1171memcpy
msvcrt.dll271_exit
msvcrt.dll1075exit
msvcrt.dll143__set_app_type
msvcrt.dll128__getmainargs
msvcrt.dll175_amsg_exit
msvcrt.dll86_XcptFilter
msvcrt.dll262_errno
msvcrt.dll868_vsnprintf
msvcrt.dll211_commode
COMCTL32.dll17
Cabinet.dll22
Cabinet.dll23
Cabinet.dll21
Cabinet.dll20
VERSION.dllGetFileVersionInfoA
VERSION.dll4GetFileVersionInfoSizeA
VERSION.dll15VerQueryValueA

StringTable 040904B0

CompanyNameMicrosoft Corporation
FileDescriptionWin32 Cabinet Self-Extractor
FileVersion11.00.9600.16428 (winblue_gdr.131013-1700)
InternalNameWextract
LegalCopyright© Microsoft Corporation. All rights reserved.
OriginalFilenameWEXTRACT.EXE .MUI
ProductNameInternet Explorer
ProductVersion11.00.9600.16428

StringTable 041604B0

CompanyNameMicrosoft Corporation
FileDescriptionAutoextrator de arquivo de gabinete Win32
FileVersion11.00.9600.16428 (winblue_gdr.131013-1700)
InternalNameWextract
LegalCopyright© Microsoft Corporation. Todos os direitos reservados.
OriginalFilenameWEXTRACT.EXE .MUI
ProductNameInternet Explorer
ProductVersion11.00.9600.16428

VS_FIXEDFILEINFO

FileVersion11.0.9600.16428
ProductVersion11.0.9600.16428
StrucVersion0x10000
FileFlagsMask0x3f
FileFlags0
FileOS0x40004
FileType1
FileSubtype0
offsetsizetypecomment
15c115HTM#
ad3011794AVI#
10b2c55762PNG(256 x 256)#
1e4fe4396290BINoverlay data past EOF#
Scanning the drive for archives:
1 file, 4520448 bytes (4415 KiB)


--
Type = PE
Physical Size = 4520448
CPU = x64
64-bit = +
Characteristics = Executable LargeAddress
Created = 2013-10-14 06:48:22
Headers Size = 1024
Checksum = 4523513
Name = WEXTRACT.EXE            .MUI
Image Size = 4542464
Section Alignment = 4096
File Alignment = 512
Code Size = 32768
Initialized Data Size = 4486656
Uninitialized Data Size = 0
Linker Version = 11.0
OS Version = 6.3
Image Version = 6.3
Subsystem Version = 5.2
Subsystem = Windows GUI
DLL Characteristics = Relocated NX-Compatible TerminalServerAware 0x20
Stack Reserve = 524288
Stack Commit = 8192
Heap Reserve = 1048576
Heap Commit = 4096
Image Base = 5368709120
Comment = FileVersion: 11.0.9600.16428
FileVersion: 11.00.9600.16428 (winblue_gdr.131013-1700)
ProductVersion: 11.0.9600.16428
ProductVersion: 11.00.9600.16428
CompanyName: Microsoft Corporation
FileDescription: Win32 Cabinet Self-Extractor                                           
FileDescription: Autoextrator de arquivo de gabinete Win32                                           
InternalName: Wextract                
LegalCopyright: © Microsoft Corporation. All rights reserved.
LegalCopyright: © Microsoft Corporation. Todos os direitos reservados.
OriginalFilename: WEXTRACT.EXE            .MUI
ProductName: Internet Explorer
----
Path = .rsrc/1046/RCDATA/CABINET
Size = 4355029
Packed Size = 4355029
--
Path = .rsrc/1046/RCDATA/CABINET
Type = Cab
Physical Size = 4355029
Method = LZX:21
Blocks = 1
Volumes = 1
Volume Index = 0
ID = 1988

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2017-07-31 13:29:30 ....A      4462080               SistemsD.exe
2017-07-31 13:41:48 ....A        95232               rtl93.dll
------------------- ----- ------------ ------------  ------------------------
2017-07-31 13:41:48            4557312      4520448  2 files
offset:( 0x )size:( 0x )hotkeys:-=[]<>, offset/size fields are also editable











[?] ignoring invalid PEdump::BITMAPINFOHEADER