SHA256: 1170bdee4c5bcc15a5cd70831ba0d84ac838f202d7cf2b64f8c9a8e0d73a75f6
File name: filename
Detection ratio: 1 / 58
Analysis date: 2016-08-30 08:50:32 UTC ( 2 years, 5 months ago )
Antivirus Result Update
CMC Trojan-Dropper.Win32.Halk!O 20160830
Ad-Aware 20160830
AegisLab 20160830
AhnLab-V3 20160830
Alibaba 20160830
ALYac 20160830
Antiy-AVL 20160830
Arcabit 20160830
Avast 20160830
AVG 20160830
Avira (no cloud) 20160830
AVware 20160830
Baidu 20160830
BitDefender 20160830
Bkav 20160830
CAT-QuickHeal 20160830
ClamAV 20160830
Comodo 20160830
CrowdStrike Falcon (ML) 20160725
Cyren 20160830
DrWeb 20160830
Emsisoft 20160830
ESET-NOD32 20160830
F-Prot 20160830
F-Secure 20160830
Fortinet 20160830
GData 20160830
Ikarus 20160830
Sophos ML 20160830
Jiangmin 20160830
K7AntiVirus 20160830
K7GW 20160830
Kaspersky 20160830
Kingsoft 20160830
Malwarebytes 20160830
McAfee 20160830
McAfee-GW-Edition 20160830
Microsoft 20160830
eScan 20160830
NANO-Antivirus 20160830
nProtect 20160830
Panda 20160830
Qihoo-360 20160830
Rising 20160830
Sophos AV 20160830
SUPERAntiSpyware 20160830
Symantec 20160830
Tencent 20160830
TheHacker 20160829
TotalDefense 20160830
TrendMicro 20160830
TrendMicro-HouseCall 20160830
VBA32 20160829
VIPRE 20160830
ViRobot 20160830
Yandex 20160830
Zillya 20160830
Zoner 20160830
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Packers identified
PEiD Install Stub 32-bit
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 1999-10-06 10:33:39
Entry Point 0x00001020
Number of sections 7
PE sections
Overlays
MD5 eea027d5588040e539c41bdffdc91f85
File type data
Offset 7680
Size 1373458
Entropy 8.00
PE imports
lstrlenA
FreeLibrary
ExitProcess
GetModuleFileNameA
LoadLibraryA
GetWindowsDirectoryA
lstrcatA
DeleteFileA
GetCurrentDirectoryA
GetProcAddress
GetModuleHandleA
GetTempPathA
CompareStringA
SetFilePointer
ReadFile
WriteFile
CloseHandle
lstrcpyA
VirtualFree
CreateFileA
VirtualAlloc
InterlockedIncrement
wsprintfA
LoadCursorA
MessageBoxA
FindWindowA
ShowWindow
SetCursor
Number of PE resources by type
RT_ICON 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 2
PE resources
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
FileTypeExtension exe
TimeStamp 1999:10:06 11:33:39+01:00
FileType Win32 EXE
PEType PE32
CodeSize 2560
LinkerVersion 3.0
ImageFileCharacteristics Executable, No line numbers, No symbols, 32-bit
EntryPoint 0x1020
InitializedDataSize 4608
SubsystemVersion 4.0
ImageVersion 0.0
OSVersion 4.0
UninitializedDataSize 0
CarbonBlack (CarbonBlack acts as a surveillance camera for computers)
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
File identification
MD5 4644161d2ab9364a6c6f59a2f3af99d5
SHA1 bb9467ba30367071a63c46cdcc29ef5c05ce228a
SHA256 1170bdee4c5bcc15a5cd70831ba0d84ac838f202d7cf2b64f8c9a8e0d73a75f6
ssdeep 24576:BU4WED/JA02REhPuiDoMAtwrfxKodisatjngpgsHoPFS9ouh7xB:edaRldPu4+mrZdFaJnigsckVB
authentihash 4dba37ccb4cfdcec5673cd553f7a2a7902fc2b12a4c863e7c5465369c0b3ef66
imphash a3cd138f09c17f81fb64526d63cb2df6
File size 1.3 MB ( 1381138 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID InstallShield setup (49.0%)
Win64 Executable (generic) (31.4%)
Win32 Dynamic Link Library (generic) (7.4%)
Win32 Executable (generic) (5.1%)
OS/2 Executable (generic) (2.3%)
Tags installstub peexe overlay
VirusTotal metadata
First submission 2009-08-26 15:47:40 UTC ( 9 years, 6 months ago )
Last submission 2018-08-05 13:02:21 UTC ( 6 months, 3 weeks ago )
File names install.exe
restorer2000.exe
filename
4644161D2AB9364A6C6F59A2F3AF99D5
Restorer 2000 Pro v2.0.exe
r2k_20_en_pro.exe
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Copied files
Deleted files
Created processes
Shell commands
Opened mutexes
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.