SHA256: 69b61b2c00323cea3686315617d0f452e205dae10c47e02cbe1ea96fea38f582
File name: WindowsInstaller-KB893803-v2-x86.exe
Detection ratio: 0 / 68
Analysis date: 2018-09-30 12:22:13 UTC (6 months, 2 weeks ago)
Trusted source! This file belongs to the Microsoft Corporation software catalogue.
Antivirus Result Update
ALYac 20180930
AVG 20180930
AVware 20180925
Ad-Aware 20180930
AegisLab 20180930
AhnLab-V3 20180930
Alibaba 20180921
Antiy-AVL 20180930
Arcabit 20180930
Avast 20180930
Avast-Mobile 20180928
Avira (no cloud) 20180930
Babable 20180918
Baidu 20180930
BitDefender 20180930
Bkav 20180928
CAT-QuickHeal 20180929
CMC 20180930
ClamAV 20180930
Comodo 20180930
CrowdStrike Falcon (ML) 20180723
Cybereason 20180225
Cylance 20180930
Cyren 20180930
DrWeb 20180930
ESET-NOD32 20180930
Emsisoft 20180930
Endgame 20180730
F-Prot 20180930
F-Secure 20180930
Fortinet 20180930
GData 20180930
Ikarus 20180930
Sophos ML 20180717
Jiangmin 20180930
K7AntiVirus 20180930
K7GW 20180930
Kaspersky 20180930
Kingsoft 20180930
MAX 20180930
Malwarebytes 20180930
McAfee 20180930
McAfee-GW-Edition 20180930
eScan 20180930
Microsoft 20180930
NANO-Antivirus 20180930
Palo Alto Networks (Known Signatures) 20180930
Panda 20180930
Qihoo-360 20180930
Rising 20180930
SUPERAntiSpyware 20180907
SentinelOne (Static ML) 20180926
Sophos AV 20180930
Symantec 20180929
TACHYON 20180930
Tencent 20180930
TheHacker 20180927
TrendMicro 20180930
TrendMicro-HouseCall 20180930
VBA32 20180928
VIPRE 20180930
ViRobot 20180929
Webroot 20180930
Yandex 20180927
Zillya 20180928
ZoneAlarm by Check Point 20180925
Zoner 20180927
eGambit 20180930
Symantec Mobile Insight 20180924
Trustlook 20180930
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright © Microsoft Corporation. All rights reserved.
Product MSI 3.1
Original name SFXCAB.EXE
Internal name SFXCAB.EXE
File version 3.1
Description Update Package
Signature verification Signed file, verified signature
Signing date 12:24 AM 5/5/2005
Signers
[+] Microsoft Corporation
Status This certificate or one of the certificates in the certificate chain is not time valid. The revocation status of the certificate or one of the certificates in the certificate chain is unknown. Error 65536 (0x10000). The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.
Issuer Microsoft Code Signing PCA
Valid from 12:20 AM 01/06/2005
Valid to 11:30 PM 04/05/2006
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint A25800BB7577F5854B3823B82228D94140D0244E
Serial number 61 05 87 58 00 03 00 00 00 5A
[+] Microsoft Code Signing PCA
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Root Authority
Valid from 08:00 AM 05/23/2002
Valid to 08:00 AM 09/25/2011
Valid usage Code Signing
Algorithm md5RSA
Thumbprint B04EDD83D679F4081BC1D2BDBC5F6B3BE5C64C3E
Serial number 6A 0B 99 4F C0 00 0C AB 11 D8 22 EF 7D 6C 79 7E
[+] Microsoft Root Authority
Status Valid
Issuer Microsoft Root Authority
Valid from 08:00 AM 01/10/1997
Valid to 08:00 AM 12/31/2020
Valid usage All
Algorithm md5RSA
Thumbprint A43489159A520F0D93D032CCAF37E7FE20A8B419
Serial number 00 C1 00 8B 3C 3C 88 11 D1 3E F6 63 EC DF 40
Counter signers
[+] VeriSign Time Stamping Services Signer
Status This certificate or one of the certificates in the certificate chain is not time valid. The revocation status of the certificate or one of the certificates in the certificate chain is unknown. Error 65536 (0x10000). The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.
Issuer VeriSign Time Stamping Services CA
Valid from 01:00 AM 12/04/2003
Valid to 12:59 AM 12/04/2008
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 817E78267300CB0FE5D631357851DB366123A690
Serial number 0D E9 2B F0 D4 D8 29 88 18 32 05 09 5E 9A 76 88
[+] VeriSign Time Stamping Services CA
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Thawte Timestamping CA
Valid from 01:00 AM 12/04/2003
Valid to 12:59 AM 12/04/2013
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
Serial number 47 BF 19 95 DF 8D 52 46 43 F7 DB 6D 48 0D 31 A4
[+] Thawte Timestamping CA
Status Valid
Issuer Thawte Timestamping CA
Valid from 01:00 AM 01/01/1997
Valid to 12:59 AM 01/01/2021
Valid usage Timestamp Signing
Algorithm md5RSA
Thumbprint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
Packers identified
F-PROT CAB, appended
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2004-11-11 21:11:30
Entry Point 0x00005E02
Number of sections 3
PE sections
Overlays
MD5 17e7b7ccdc9f5fc04a8ca1453772f8d5
File type data
Offset 2578944
Size 6928
Entropy 7.37
PE imports
SetSecurityDescriptorDacl
GetTokenInformation
InitiateSystemShutdownA
CryptReleaseContext
OpenProcessToken
CryptAcquireContextA
AddAccessAllowedAce
AllocateAndInitializeSid
InitializeSecurityDescriptor
CryptGenRandom
InitializeAcl
GetLengthSid
GetSystemTime
GetLastError
InitializeCriticalSectionAndSpinCount
HeapFree
EnterCriticalSection
GetDiskFreeSpaceA
GetFileAttributesA
DeviceIoControl
SetEvent
FreeLibrary
GetCurrentDirectoryA
LocalFileTimeToFileTime
WaitForSingleObject
GetTickCount
SystemTimeToFileTime
GetVersionExA
FlushFileBuffers
LoadLibraryA
RemoveDirectoryA
DeleteCriticalSection
GetCurrentProcess
DosDateTimeToFileTime
GetDriveTypeA
GetModuleFileNameA
GetFileSize
CreateDirectoryA
DeleteFileA
WideCharToMultiByte
ExitProcess
SetErrorMode
GetCommandLineA
GetProcAddress
GetProcessHeap
CreateThread
SetFilePointer
ReadFile
WriteFile
FindFirstFileA
CloseHandle
FindNextFileA
GetSystemDirectoryA
WaitForMultipleObjects
MoveFileExA
ExpandEnvironmentStringsA
SetEnvironmentVariableA
SetFileAttributesA
GetExitCodeProcess
QueryDosDeviceA
MoveFileA
TerminateProcess
CreateProcessA
CreateEventW
GetEnvironmentVariableA
CreateEventA
FindClose
CopyFileA
Sleep
FormatMessageA
SetEndOfFile
SetFileTime
CreateFileA
HeapAlloc
OpenEventA
SetLastError
LeaveCriticalSection
SHGetPathFromIDListA
SHBrowseForFolderA
SendDlgItemMessageA
LoadStringA
SetParent
EndDialog
SendMessageA
MessageBoxA
DialogBoxParamA
ShowWindow
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA
strchr
strstr
_strcmpi
_stricmp
_strlwr
sprintf
toupper
_snprintf
_strnicmp
strrchr
strncpy
NtShutdownSystem
NtAdjustPrivilegesToken
NtOpenProcessToken
NtClose
Number of PE resources by type
RT_DIALOG 2
RT_VERSION 2
RT_STRING 1
Number of PE resources by language
ENGLISH US 4
NEUTRAL 1
PE resources
Debug information
ExifTool file metadata
ProcArchitecture x86
SubsystemVersion 4.0
InstallerVersion 6.1.22.0
LinkerVersion 8.0
ImageVersion 6.0
ProductName MSI 3.1
FileVersionNumber 3.1.0.0
UninitializedDataSize 0
LanguageCode Neutral
FileFlagsMask 0x003f
BuildDate 2004/12/06
ImageFileCharacteristics No relocs, Executable, 32-bit, Removable run from swap, Net run from swap
CharacterSet Unicode
InitializedDataSize 8192
KBArticleNumber 884016
FileTypeExtension exe
OriginalFileName SFXCAB.EXE
InstallationType Full
Subsystem Windows GUI
FileVersion 3.1
SupportLink "http://go.microsoft.com/fwlink/?LinkId=33342"
TimeStamp 2004:11:11 22:11:30+01:00
FileType Win32 EXE
PEType PE32
InternalName SFXCAB.EXE
PackageType update
ProductVersion 3.1
FileDescription Update Package
InstallerEngine update.exe
OSVersion 6.0
FileOS Windows NT 32-bit
LegalCopyright Microsoft Corporation. All rights reserved.
MachineType Intel 386 or later, and compatibles
CompanyName Microsoft Corporation
Appliesto Windows 2000 Service Pack 3, Windows 2000 Service Pack 4, Windows XP, Windows XP Service Pack 1, Windows XP Service Pack 2, Windows 2003
CodeSize 32256
FileSubtype 0
ProductVersionNumber 3.1.0.0
Warning Possibly corrupt Version resource
EntryPoint 0x5e02
ObjectFileType Executable application
MIMEType application/octet-stream

File identification
MD5 342f79337765760ad4e392eb67d5ed2c
SHA1 8318455b36ba0a748307459279d46f2f4cdb5a0e
SHA256 69b61b2c00323cea3686315617d0f452e205dae10c47e02cbe1ea96fea38f582
ssdeep 49152:nKiC/rk62xWNol+5gOsLO66qJ6021cJjLtk4pWGNG5VGFPNqJyoTL:orZ23AbsK6Ro022JjL2WEiVqJZL
authentihash 59c2620f06d378dda6d936c8119f9e09a0be0142a7b33721f149b319e18f7142
imphash f676e16c67a815430fbcd6d520ece6e4
File size 2.5 MB ( 2585872 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (48.1%)
Microsoft Visual C++ compiled executable (generic) (25.4%)
Win32 Dynamic Link Library (generic) (10.1%)
Win32 Executable (generic) (6.9%)
OS/2 Executable (generic) (3.1%)
Tags peexe nsrl overlay signed via-tor trusted software-collection
Trusted verdicts
This file belongs to the Microsoft Corporation software catalogue. The file is often found with windowsinstaller-kb893803-v2-x86.exe as its name.
VirusTotal metadata
First submission 2007-10-30 10:42:25 UTC ( 11 years, 5 months ago )
Last submission 2019-03-19 20:10:27 UTC ( 1 month ago )
File names Installer.exe
_Getintopc.com_WindowsInstaller-KB893803-v2-x86.exe
bb47c3f0c359bcdf22e7cd6337a49db60bd66608d7643dba8466252e31e7f0f8
windowsinstaller31v2.exe
InstMsiW.exe
ISSetupFile.SetupFile7
KB893803-v2-x86.exe
instmsi3.exe
WindowsInstaller3.1_x86.exe
69b61b2c00323cea_windowsinstaller-kb893803-v2-x86.exe
WindowsInstallerKB893803v2x
WINDOWSINSTALLER-KB893803-V2-X86.EXE
Update31.exe
setup.exe
Windows Installer KB893803 v2.0 x86.exe
6-(bo sung neu cai Net 2.0 bi loi) WindowsInstaller.exe
windowsinstaller.exe
update.exe
InstMSI31.exe
Microsoft-Windows-Installer.exe
File1
1320085360_WindowsInstaller-KB893803-v2-x86.ex_
69b61b2c00323cea_WindowsInstaller-KB893803-v2-x86.exe
INSTWI31.EXE
WindowsInstaller-KB893803-v2-x86.exe
National Software Reference Library (NIST)
The National Software Reference Library (NSRL) is designed to collect software from various sources and incorporate file profiles computed from this software into a reference data set of information. This file was found in the NSRL dataset, in the following products and with the following file names.
Products MSDN Subscriptions Library (Microsoft)
MSDN Disc 3538 (Microsoft)
MSDN Disc 3070 (Microsoft)
MSDN Disc 3071 (Microsoft)
MSDN Disc 3076 (Microsoft)
MSDN Disc 3096 (Microsoft)
MSDN Disc 3089 (Microsoft)
Visual Studio 2005 Team Suite (Microsoft)
MSDN Disc 3073 (Microsoft)
Visual Studio 2005 (Microsoft)
Visual Studio 2005 Team Foundation Server (Microsoft)
MSDN Disc 2436.27 (Microsoft)
ElectionReporting, ElectionResults, Optech Ballot Wizard, SPR Host, WinEDS (Ciber)
Encarta 2007 Premium (Microsoft)
Student with Encarta Premium 2007 (Microsoft)
Quicken Personal Finances 2007 Home & Business (Intuit Inc.)
ACT! 2007 Version 9.0 (Sage Software)
MSDN Disc 2436.28 (Microsoft)
MSDN Subscriptions Library Disc 1 (Microsoft)
Quicken Personal Finances 2007 Deluxe (Intuit Inc.)
File names WindowsInstaller-KB893803-v2-x86.exe
FL_WindowsInstaller_KB884016_v2_x86_exe_123586_____X86.3643236F_FC70_11D3_A536_0090278A1BB8, WindowsInstaller-KB893803-v2-x86.exe
INSTWI31.EXE
INSTWI31.EXE, MSIINSTALLER.EXE
INSTMSI3.EXE
MSI31redist.exe
FL_WindowsInstaller_KB884016_v2_x86_exe_123586_123586_x86_ln.3643236F_FC70_11D3_A536_0090278A1BB8, WindowsInstaller-KB893803-v2-x86.exe
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Symantec reputation Suspicious.Insight