SHA256: 15435d6fa8d6cdbb31e0536279998a212273689f2809c1200d8a9427abb3b8eb
File name: Setup.X86.en-US_O365HomePremRetail_3f7ae3aa-ac1f-4727-8ea7-41d86c...
Detection ratio: 1 / 54
Analysis date: 2016-01-24 20:41:32 UTC ( 1 year, 8 months ago )
Antivirus Result Update
Zillya Trojan.Bublik.Win32.18849 20160124
Ad-Aware 20160124
AegisLab 20160122
Yandex 20160124
AhnLab-V3 20160124
Alibaba 20160122
ALYac 20160124
Antiy-AVL 20160124
Arcabit 20160124
Avast 20160124
AVG 20160124
Avira (no cloud) 20160124
Baidu-International 20160124
BitDefender 20160124
Bkav 20160123
ByteHero 20160124
CAT-QuickHeal 20160123
ClamAV 20160124
CMC 20160111
Comodo 20160124
Cyren 20160124
DrWeb 20160124
Emsisoft 20160124
ESET-NOD32 20160124
F-Prot 20160124
F-Secure 20160123
Fortinet 20160124
GData 20160124
Ikarus 20160124
Jiangmin 20160124
K7AntiVirus 20160124
K7GW 20160124
Kaspersky 20160124
Malwarebytes 20160124
McAfee 20160124
McAfee-GW-Edition 20160124
Microsoft 20160124
eScan 20160124
NANO-Antivirus 20160124
nProtect 20160122
Panda 20160124
Qihoo-360 20160124
Rising 20160124
Sophos AV 20160124
SUPERAntiSpyware 20160124
Symantec 20160124
Tencent 20160124
TheHacker 20160124
TrendMicro 20160124
TrendMicro-HouseCall 20160124
VBA32 20160123
VIPRE 20160124
ViRobot 20160124
Zoner 20160124
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Product Microsoft Office 2016
Original name Bootstrapper.exe
Internal name Bootstrapper.exe
File version 16.0.6326.1019
Description Microsoft Office
Signature verification Signed file, verified signature
Signing date 6:39 PM 1/8/2016
Signers
[+] Microsoft Corporation
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Code Signing PCA
Valid from 6:42 PM 6/4/2015
Valid to 6:42 PM 9/4/2016
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 3BDA323E552DB1FDE5F4FBEE75D6D5B2B187EEDC
Serial number 33 00 00 01 0A 2C 79 AE D7 79 7B A6 AC 00 01 00 00 01 0A
[+] Microsoft Code Signing PCA
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 11:19 PM 8/31/2010
Valid to 11:29 PM 8/31/2020
Valid usage All
Algorithm sha1RSA
Thumbprint 3CAF9BA2DB5570CAF76942FF99101B993888E257
Serial number 61 33 26 1A 00 00 00 00 00 31
[+] Microsoft Root Certificate Authority
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 12:19 AM 5/10/2001
Valid to 12:28 AM 5/10/2021
Valid usage All
Algorithm sha1RSA
Thumbprint CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
Counter signers
[+] Microsoft Time-Stamp Service
Status Valid
Issuer Microsoft Time-Stamp PCA
Valid from 7:14 PM 10/7/2015
Valid to 7:14 PM 1/7/2017
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint F57A503564E884FCE7F088ECC0213C875D2D88BC
Serial number 33 00 00 00 89 62 0D 9E 95 D3 61 6B A8 00 00 00 00 00 89
[+] Microsoft Time-Stamp PCA
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 1:53 PM 4/3/2007
Valid to 2:03 PM 4/3/2021
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 375FCB825C3DC3752A02E34EB70993B4997191EF
Serial number 61 16 68 34 00 00 00 00 00 1C
[+] Microsoft Root Certificate Authority
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 12:19 AM 5/10/2001
Valid to 12:28 AM 5/10/2021
Valid usage All
Algorithm sha1RSA
Thumbprint CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2016-01-06 14:17:13
Entry Point 0x0010992A
Number of sections 6
PE sections
Overlays
MD5 99524dc35a1e71ad97ab05eb8edb7e1b
File type data
Offset 3185152
Size 16064
Entropy 7.42
PE imports
RegCreateKeyExW
RegCloseKey
RegNotifyChangeKeyValue
EventWriteTransfer
EventWrite
AddAccessDeniedAce
CopySid
RegDeleteTreeW
OpenServiceW
QueryServiceConfigW
ControlService
InitializeAcl
RegDeleteKeyW
DeleteService
CryptHashData
InitializeSecurityDescriptor
ConvertSidToStringSidA
RegQueryValueExW
CryptCreateHash
SetSecurityDescriptorDacl
GetSidSubAuthorityCount
GetSidSubAuthority
ConvertStringSecurityDescriptorToSecurityDescriptorW
CreateWellKnownSid
OpenProcessToken
RegGetValueW
AddAccessAllowedAce
RegOpenKeyExW
SetServiceObjectSecurity
EventUnregister
LookupAccountNameW
ConvertSidToStringSidW
CreateServiceW
GetTokenInformation
CryptReleaseContext
CloseServiceHandle
IsValidSid
RegQueryInfoKeyW
GetSecurityDescriptorDacl
RegEnumKeyExW
CryptAcquireContextW
ChangeServiceConfig2W
GetLengthSid
CredWriteW
CreateProcessAsUserW
CryptDestroyHash
StartServiceW
OpenThreadToken
RegDeleteValueW
RevertToSelf
EventRegister
RegSetValueExW
FreeSid
CryptGetHashParam
OpenSCManagerW
RegEnumValueW
AllocateAndInitializeSid
CheckTokenMembership
QueryServiceStatusEx
EqualSid
EnumDependentServicesW
ChangeServiceConfigW
Ord(14)
Ord(10)
Ord(13)
GetDeviceCaps
GetTextMetricsW
SetDCPenColor
SelectObject
CreatePen
GetStockObject
SetDCBrushColor
CreateSolidBrush
SetTextColor
SetBkColor
GetTextExtentPoint32W
CreateFontW
Rectangle
DeleteObject
FreeMibTable
CreateSortedAddressPairs
GetStdHandle
GetDriveTypeW
CancelIoEx
ReleaseMutex
InterlockedPopEntrySList
GetOverlappedResult
WaitForSingleObject
LockResource
SignalObjectAndWait
FlsGetValue
ReleaseSRWLockExclusive
CreateTimerQueue
QueryFullProcessImageNameW
SystemTimeToTzSpecificLocalTime
DeleteCriticalSection
GetCurrentProcess
GetConsoleMode
LocalAlloc
EnumSystemLocalesW
DuplicateHandle
OpenFileMappingA
SetErrorMode
UnregisterWait
FreeEnvironmentStringsW
InitializeSListHead
FileTimeToSystemTime
GetLocaleInfoW
SetStdHandle
GetTempPathA
WideCharToMultiByte
GetThreadIOPendingFlag
IsSystemResumeAutomatic
GetTempPathW
GetSystemTimeAsFileTime
GetCommandLineA
GetThreadTimes
GlobalMemoryStatusEx
HeapReAlloc
GetStringTypeW
QueryDepthSList
SetEvent
LocalFree
FormatMessageW
IsWow64Process
GetThreadPriority
InterlockedPushEntrySList
UnhandledExceptionFilter
LoadResource
GetStringTypeExW
FindClose
TlsGetValue
SetFileAttributesW
AcquireSRWLockShared
OutputDebugStringA
VirtualQuery
WerUnregisterMemoryBlock
FreeLibraryAndExitThread
SetLastError
LocaleNameToLCID
DeviceIoControl
CopyFileW
K32GetModuleFileNameExW
RemoveDirectoryW
TryEnterCriticalSection
IsDebuggerPresent
HeapAlloc
FlushFileBuffers
SwitchToThread
GetModuleFileNameA
LoadLibraryA
QueryPerformanceFrequency
GetPriorityClass
WerRegisterMemoryBlock
SetThreadPriority
AllocConsole
GetSystemDefaultLCID
LoadLibraryExW
MultiByteToWideChar
GetLocalTime
SetFilePointerEx
DeleteTimerQueueTimer
GetSystemPowerStatus
CreateMutexA
RegisterWaitForSingleObject
GetFullPathNameW
CreateSemaphoreA
CreateThread
GetSystemDirectoryW
MoveFileExW
RtlCaptureStackBackTrace
GetExitCodeThread
SetUnhandledExceptionFilter
CreateMutexW
MulDiv
IsProcessorFeaturePresent
GetUserDefaultLocaleName
DecodePointer
ReleaseSRWLockShared
WaitForMultipleObjectsEx
TerminateProcess
GetModuleHandleExW
GlobalAlloc
GetDiskFreeSpaceExW
QueryUnbiasedInterruptTime
SetEndOfFile
GetUserGeoID
GetCurrentThreadId
GetProcAddress
InitializeSRWLock
WriteConsoleW
InitializeCriticalSectionAndSpinCount
HeapFree
EnterCriticalSection
LoadLibraryW
OpenThread
GetVersionExW
GetExitCodeProcess
QueryPerformanceCounter
GetTickCount
TlsAlloc
VirtualProtect
FlsSetValue
InitializeCriticalSectionEx
RtlUnwind
GetACP
FreeLibrary
ChangeTimerQueueTimer
AcquireSRWLockExclusive
LCMapStringW
OpenProcess
DeleteFileA
CreateTimerQueueTimer
GetStartupInfoW
CreateDirectoryW
DeleteFileW
WaitForMultipleObjects
SetFileInformationByHandle
GetProcessHeap
GetTempFileNameW
CreateWaitableTimerW
CompareStringW
WriteFile
GetFileSizeEx
GetModuleFileNameW
ExpandEnvironmentStringsW
FindNextFileW
CreateMemoryResourceNotification
ResetEvent
FreeConsole
CreateFileMappingA
FindFirstFileW
IsValidLocale
lstrcmpW
SetWaitableTimerEx
GetUserDefaultLCID
GetLocaleInfoEx
GetLogicalProcessorInformation
CreateEventExW
ReadConsoleW
GetFileInformationByHandleEx
GetProductInfo
GetProcessAffinityMask
CreateEventW
CreateFileW
CreateEventA
GetFileType
TlsSetValue
ExitProcess
LCMapStringEx
LeaveCriticalSection
GetNativeSystemInfo
GetLastError
AttachConsole
SystemTimeToFileTime
GetComputerNameW
GetSystemInfo
GlobalFree
GetConsoleCP
FindResourceW
UnregisterWaitEx
GetThreadLocale
GetEnvironmentStringsW
WaitForSingleObjectEx
GetShortPathNameA
CreateProcessW
GetQueuedCompletionStatus
CancelWaitableTimer
InterlockedFlushSList
GetCPInfoExW
SizeofResource
GetCurrentDirectoryW
CompareStringEx
CreateIoCompletionPort
ProcessIdToSessionId
GetCommandLineW
GetCPInfo
HeapSize
FlsAlloc
SetThreadAffinityMask
FindFirstFileExW
VerSetConditionMask
FlsFree
K32GetProcessMemoryInfo
EncodePointer
GetCurrentThread
OpenMutexA
RaiseException
ReleaseSemaphore
MapViewOfFile
TlsFree
GetModuleHandleA
ReadFile
GetTickCount64
CloseHandle
VerifyVersionInfoW
GetModuleHandleW
LoadLibraryExA
GetFileAttributesExW
GetLongPathNameW
GetNumaHighestNodeNumber
IsValidCodePage
UnmapViewOfFile
OpenSemaphoreA
PostQueuedCompletionStatus
VirtualFree
Sleep
OpenEventA
VirtualAlloc
GetCurrentProcessId
GetOEMCP
SysFreeString
VariantClear
VariantInit
SysAllocString
SetupIterateCabinetW
WTHelperProvDataFromStateData
WTHelperGetProvSignerFromChain
WinVerifyTrust
GetAddrInfoW
WSAStartup
FreeAddrInfoW
GdipCloneBrush
GdipCreateFromHDC
GdipLoadImageFromStream
GdipCreateBitmapFromScan0
GdipDisposeImage
GdipGetImageHeight
GdipDeleteBrush
GdipAlloc
GdipDrawImageRectI
GdipCloneImage
GdiplusStartup
GdipGetImageWidth
GdipCreateSolidFill
GdipGetImageGraphicsContext
GdipFree
GdipDeleteGraphics
GdipDrawImageRectRectI
GdipFillRectangleI
CoRevokeInitializeSpy
CoTaskMemFree
IIDFromString
CoTaskMemAlloc
CreateStreamOnHGlobal
CoCreateGuid
StringFromIID
CoCreateInstance
CoRegisterInitializeSpy
CoUninitialize
CoInitializeEx
CLSIDFromString
StringFromGUID2
CoSetProxyBlanket
Number of PE resources by type
PNG 14
RT_STRING 9
RT_ICON 4
RT_MANIFEST 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 30
ExifTool file metadata
UninitializedDataSize 0
LinkerVersion 14.0
ImageVersion 0.0
ProductName Microsoft Office 2016
FileVersionNumber 16.0.6326.1019
LanguageCode English (U.S.)
FileFlagsMask 0x003f
OSVersion 5.2
CharacterSet Windows, Latin1
InitializedDataSize 1605120
FileTypeExtension exe
OriginalFileName Bootstrapper.exe
MIMEType application/octet-stream
LegalTrademarks2 Windows is a registered trademark of Microsoft Corporation.
FileVersion 16.0.6326.1019
LegalTrademarks1 Microsoft is a registered trademark of Microsoft Corporation.
TimeStamp 2016:01:06 15:17:13+01:00
FileType Win32 EXE
PEType PE32
InternalName Bootstrapper.exe
SubsystemVersion 5.2
ProductVersion 16.0.6326.1019
FileDescription Microsoft Office
MOSEVersion BETA
FileOS Windows NT 32-bit
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName Microsoft Corporation
CodeSize 1579008
FileSubtype 0
ProductVersionNumber 16.0.6326.0
EntryPoint 0x10992a
ObjectFileType Unknown
CarbonBlack: while monitoring an end-user machine in the wild, CarbonBlack observed that the following executing files wrote this sample to disk.
Execution parents
File identification
MD5 fab78a6dcd111565871c6c1529526331
SHA1 45151f0b58c473ffbae6ae191edb6cbdd92d9396
SHA256 15435d6fa8d6cdbb31e0536279998a212273689f2809c1200d8a9427abb3b8eb
ssdeep 49152:anUBJZsYIYKSv2nPFSCD65UwlEQ0/Ogucm8SdtuTj3ByjwYWlkssvNEsKgSFn3:dBJi1Ko0CD6KlRZm1wY2sI
authentihash 1193b49347d36f0681e5f29d58a02b9b6aff18b08ec756069ce6827820a6187e
imphash ec49f09ab446466d72e9722e1c1d9dd3
File size 3.1 MB ( 3201216 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable (generic) (52.9%)
Generic Win/DOS Executable (23.5%)
DOS Executable Generic (23.5%)
Tags peexe signed overlay
VirusTotal metadata
First submission 2016-01-14 07:34:24 UTC ( 1 year, 9 months ago )
Last submission 2016-06-07 17:49:47 UTC ( 1 year, 4 months ago )
File names Setup.exe
Setup.X86.en-US_O365HomePremRetail_25b4adfc-e985-4b8e-b571-0de306944719_TX_DB_.exe
Setup.X86.en-US_O365HomePremRetail_91d1eea4-0261-4619-a524-2d81f84c77bb_TX_PR_.exe
Setup.X86.en-US_O365HomePremRetail_dd669ef5-496d-4065-a932-a5b12f7db228_TX_DB_.exe
Setup.X86.en-US_O365HomePremRetail_27a328eb-8d30-4fea-98dc-8947a1b40cb6_TX_PR_.exe
Setup.X86.en-US_O365HomePremRetail_8f07c94f-6b5b-4c3f-829e-c90253b1ef80_TX_PR_.exe
Setup.X86.en-US_O365HomePremRetail_3f7ae3aa-ac1f-4727-8ea7-41d86ca3f72e_TX_SG_.exe
Setup.X86.en-US_O365HomePremRetail_fdaa512e-d5d4-452d-9abe-aba7228aad32_TX_DB_.exe
Setup.X86.en-US_O365HomePremRetail_40ab30fc-8fe6-483a-9ae9-8044dcd50a82_TX_PR_.exe
Setup.X86.en-US_O365HomePremRetail_98a06ff5-cc14-401e-9588-d485b4a4488c_TX_DB_.exe
SetupOffice365.exe
Setup.X86.en-US_O365HomePremRetail_198f8a41-3b41-4304-ac22-96628d418526_TX_PR_.exe
Setup.X86.en-US_O365HomePremRetail_63459dfb-34f4-4800-8cc2-02ba1b0bd7ec_TX_SG_.exe
Setup.X86.en-US_O365HomePremRetail_ec28fdb4-1024-41dd-8863-b827b314f990_TX_DB_.exe
Setup.X86.en-US_O365HomePremRetail_e1071531-dbf9-4f13-99fc-a1de186711b1_TX_PR_.exe
Bootstrapper.exe
iukr6c2yyrz77oxgvymr5w3mxxms3e4w.exe
Setup.X86.en-US_O365HomePremRetail_c3e254d0-e133-49bc-b7c3-5360d80e3e32_TX_PR_ (1).exe