× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: 54cc8e77eb8205aa4f18d0725f2440fc35e543dc546158695d9954d71a36542a
File name: SyncToySetupPackage_v21_x64.exe
Detection ratio: 0 / 57
Analysis date: 2016-04-03 03:53:04 UTC ( 2 years, 2 months ago ) View latest
Antivirus Result Update
Ad-Aware 20160403
AegisLab 20160403
AhnLab-V3 20160402
Alibaba 20160401
ALYac 20160403
Antiy-AVL 20160403
Arcabit 20160403
Avast 20160403
AVG 20160403
Avira (no cloud) 20160402
AVware 20160403
Baidu 20160402
Baidu-International 20160402
BitDefender 20160403
Bkav 20160402
CAT-QuickHeal 20160402
ClamAV 20160402
CMC 20160401
Comodo 20160402
Cyren 20160403
DrWeb 20160403
Emsisoft 20160403
ESET-NOD32 20160402
F-Prot 20160403
F-Secure 20160403
Fortinet 20160402
GData 20160403
Ikarus 20160402
Jiangmin 20160403
K7AntiVirus 20160402
K7GW 20160403
Kaspersky 20160402
Kingsoft 20160403
Malwarebytes 20160403
McAfee 20160403
McAfee-GW-Edition 20160403
Microsoft 20160402
eScan 20160403
NANO-Antivirus 20160403
nProtect 20160401
Panda 20160402
Qihoo-360 20160403
Rising 20160403
Sophos AV 20160403
SUPERAntiSpyware 20160403
Symantec 20160331
Tencent 20160403
TheHacker 20160330
TotalDefense 20160402
TrendMicro 20160403
TrendMicro-HouseCall 20160403
VBA32 20160401
VIPRE 20160403
ViRobot 20160402
Yandex 20160316
Zillya 20160402
Zoner 20160403
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
© Microsoft Corporation. All rights reserved.

Product Microsoft® Windows® Operating System
Original name SFXCAB.EXE
Internal name SFXCAB.EXE
File version 6.3.0015.0 built by: dnsrv
Description Self-Extracting Cabinet
Signature verification Signed file, verified signature
Signing date 12:38 AM 10/20/2009
Signers
[+] Microsoft Corporation
Status This certificate or one of the certificates in the certificate chain is not time valid., The revocation status of the certificate or one of the certificates in the certificate chain is unknown.
Issuer Microsoft Code Signing PCA
Valid from 10:24 PM 10/22/2008
Valid to 10:34 PM 1/22/2010
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 9E95C625D81B2BA9C72FD70275C3699613AF61E3
Serial number 61 06 27 81 00 00 00 00 00 08
[+] Microsoft Code Signing PCA
Status This certificate or one of the certificates in the certificate chain is not time valid., The revocation status of the certificate or one of the certificates in the certificate chain is unknown.
Issuer Microsoft Root Authority
Valid from 11:31 PM 8/22/2007
Valid to 8:00 AM 8/25/2012
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 3036E3B25B88A55B86FC90E6E9EAAD5081445166
Serial number 2E AB 11 DC 50 FF 5C 9D CB C0
[+] Microsoft Root Authority
Status Valid
Issuer Microsoft Root Authority
Valid from 8:00 AM 1/10/1997
Valid to 8:00 AM 12/31/2020
Valid usage All
Algorithm md5RSA
Thumbprint A43489159A520F0D93D032CCAF37E7FE20A8B419
Serial number 00 C1 00 8B 3C 3C 88 11 D1 3E F6 63 EC DF 40
Counter signers
[+] Microsoft Timestamping Service
Status This certificate or one of the certificates in the certificate chain is not time valid., The revocation status of the certificate or one of the certificates in the certificate chain is unknown.
Issuer Microsoft Timestamping PCA
Valid from 2:53 AM 9/16/2006
Valid to 3:03 AM 9/16/2011
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbrint A1DC024FC8B2A76745D4661F663B8741C3D35313
Serial number 61 47 52 BA 00 00 00 00 00 04
[+] Microsoft Timestamping PCA
Status The revocation status of the certificate or one of the certificates in the certificate chain is unknown.
Issuer Microsoft Root Authority
Valid from 2:04 AM 9/16/2006
Valid to 8:00 AM 9/15/2019
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbrint 3EA99A60058275E0ED83B892A909449F8C33B245
Serial number 6A 0B 99 4F C0 00 25 AB 11 DB 45 1F 58 7A 67 A2
[+] Microsoft Root Authority
Status Valid
Issuer Microsoft Root Authority
Valid from 8:00 AM 1/10/1997
Valid to 8:00 AM 12/31/2020
Valid usage All
Algorithm md5RSA
Thumbrint A43489159A520F0D93D032CCAF37E7FE20A8B419
Serial number 00 C1 00 8B 3C 3C 88 11 D1 3E F6 63 EC DF 40
Packers identified
F-PROT CAB
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2007-12-21 07:26:24
Entry Point 0x000063FF
Number of sections 3
PE sections
Overlays
MD5 f2d3cc5a780d632addb32c9a06c14248
File type data
Offset 3623936
Size 6008
Entropy 7.38
PE imports
SetSecurityDescriptorDacl
GetTokenInformation
InitiateSystemShutdownA
CryptReleaseContext
OpenProcessToken
CryptAcquireContextA
AddAccessAllowedAce
AllocateAndInitializeSid
CryptGenRandom
InitializeAcl
GetLengthSid
InitializeSecurityDescriptor
GetSystemTime
GetLastError
InitializeCriticalSectionAndSpinCount
HeapFree
DosDateTimeToFileTime
GetFileAttributesA
DeviceIoControl
WaitForSingleObject
GetExitCodeProcess
QueryPerformanceCounter
CopyFileA
GetTickCount
CreateDirectoryA
FlushFileBuffers
GetVersionExA
RemoveDirectoryA
LoadLibraryA
FreeLibrary
DeleteCriticalSection
GetCurrentProcess
EnterCriticalSection
GetDriveTypeA
LocalFileTimeToFileTime
GetFileSize
WaitForMultipleObjects
SetFileTime
DeleteFileA
GetCurrentDirectoryA
UnhandledExceptionFilter
SetErrorMode
GetCommandLineA
GetProcAddress
GetProcessHeap
ExitProcess
CreateThread
SetFilePointer
ReadFile
SetUnhandledExceptionFilter
WriteFile
FindFirstFileA
CloseHandle
GetSystemTimeAsFileTime
FindNextFileA
GetModuleFileNameA
GetSystemDirectoryA
GetDiskFreeSpaceA
MoveFileExA
ExpandEnvironmentStringsA
SetEnvironmentVariableA
SetFileAttributesA
SetEvent
QueryDosDeviceA
MoveFileA
TerminateProcess
CreateProcessA
CreateEventW
WideCharToMultiByte
GetEnvironmentVariableA
CreateEventA
FindClose
Sleep
FormatMessageA
SetEndOfFile
SystemTimeToFileTime
CreateFileA
HeapAlloc
GetCurrentThreadId
OpenEventA
GetCurrentProcessId
SetLastError
LeaveCriticalSection
SHGetPathFromIDListA
SHBrowseForFolderA
SendDlgItemMessageA
LoadStringA
SetParent
EndDialog
SendMessageA
MessageBoxA
DialogBoxParamA
ShowWindow
__p__fmode
_stricmp
strncpy
_cexit
_c_exit
__initenv
exit
sprintf
strrchr
__setusermatherr
__p__commode
_XcptFilter
_except_handler3
_strlwr
_adjust_fdiv
__getmainargs
_controlfp
_vsnprintf
strstr
strchr
_snprintf
_strnicmp
_initterm
_exit
__set_app_type
NtShutdownSystem
NtAdjustPrivilegesToken
NtOpenProcessToken
NtClose
Number of PE resources by type
RT_DIALOG 2
RT_MANIFEST 1
RT_STRING 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 5
PE resources
Debug information
ExifTool file metadata
SubsystemVersion
4.0

LinkerVersion
7.1

ImageVersion
5.2

FileSubtype
0

FileVersionNumber
6.3.15.0

UninitializedDataSize
0

LanguageCode
English (U.S.)

FileFlagsMask
0x003f

CharacterSet
Unicode

InitializedDataSize
3584

EntryPoint
0x63ff

OriginalFileName
SFXCAB.EXE

MIMEType
application/octet-stream

LegalCopyright
Microsoft Corporation. All rights reserved.

FileVersion
6.3.0015.0 built by: dnsrv

TimeStamp
2007:12:21 08:26:24+01:00

FileType
Win32 EXE

PEType
PE32

InternalName
SFXCAB.EXE

ProductVersion
6.3.0015.0

FileDescription
Self-Extracting Cabinet

OSVersion
5.2

FileOS
Windows NT 32-bit

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CompanyName
Microsoft Corporation

CodeSize
34304

ProductName
Microsoft Windows Operating System

ProductVersionNumber
6.3.15.0

FileTypeExtension
exe

ObjectFileType
Executable application

CarbonBlack CarbonBlack acts as a surveillance camera for computers
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
While monitoring an end-user machine in-the-wild, CarbonBlack noticed this sample wrote the following files to disk.
Execution parents
Compressed bundles
File identification
MD5 ad84897ea846740ef6fa7e87f144df87
SHA1 5edd34287d90b53e04bbb2796cac3a833cc40e73
SHA256 54cc8e77eb8205aa4f18d0725f2440fc35e543dc546158695d9954d71a36542a
ssdeep
49152:lKD8ChyVR57efsyyNNpDArDCc2tNlOq54KaTCfRHRDn0BlOsS+HxsMnbdvG6Qq:cwTTyyNNg2tOhifNB8OsS+RsMbtZQq

authentihash a686412e085af89e08cecad53ab4bd728011d639bad95bd1e14712fb99ee7ab0
imphash a1f6f100bff4507a3332f3f0cdfc24f5
File size 3.5 MB ( 3629944 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID MS generic-sfx Cabinet File Unpacker (32/64bit MSCFU) (82.1%)
Win32 Executable MS Visual C++ (generic) (7.3%)
Win64 Executable (generic) (6.4%)
Win32 Dynamic Link Library (generic) (1.5%)
Win32 Executable (generic) (1.0%)
Tags
peexe signed overlay

VirusTotal metadata
First submission 2009-11-13 07:16:38 UTC ( 8 years, 7 months ago )
Last submission 2018-06-15 00:50:45 UTC ( 4 days, 17 hours ago )
File names synctoysetuppackage_v21_x64.exe.tmp
bdp+r6pf.exe.part
0510201710574711953_synctoysetuppackage_v21_x64.exe
8b2c27d6_8c0_crypt_io_copy.tmp
zlnbgppm.exe.part
5a1c31cb15868fdd409ec711034631dd.exe
7lzsonnv.exe.part
synctoysetuppackage_v21_x64.exe.icmwuqv.partial
055100af_970_crypt_io_copy.tmp
synctoysetuppackage_-{2292272d-d817-44d6-9892-a6d97cda57e5}-v1095419.exe
synctoysetuppackage_v21_x64[1].exe
SyncToySetupPackage_v21_x6420170702-15470-1gx5n5g.exe
ad84897ea846740ef6fa7e87f144df87
SyncToy 2.1 (64-bit).exe
vs061nit.s72
SyncToySetupPackage_v21_x64 (1).exe
SyncToySetupPackage_v21_x64--ad84897ea846740ef6fa7e87f144df87--20130518.exe
synctoysetuppackage_v21_x64.exe.s857hxy.partial
fspd0f20b670afe46bcb02c35d6d1f72042.tmp
SyncToySetupPackage_v21_x64.exe
file-3003670_exe
SyncToySetupPackage_v21_x64.exe
fsp9ab913d7ba0e4819a7d41c755b5362e1.tmp
857334
unconfirmed 102241.crdownload
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Symantec reputation Suspicious.Insight
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!