SHA256: b21d33135e67e3486b154b11f7961d8e1cfd7a603267fb60febb4a6feab5cf87
File name: NDP46-KB3045557-x86-x64-AllOS-ENU.exe
Detection ratio: 0 / 57
Analysis date: 2016-03-24 12:38:09 UTC ( 2 years, 3 months ago )
Antivirus Result Update
Ad-Aware 20160324
AegisLab 20160324
Yandex 20160316
AhnLab-V3 20160324
Alibaba 20160323
ALYac 20160324
Antiy-AVL 20160324
Arcabit 20160324
Avast 20160324
AVG 20160324
Avira (no cloud) 20160324
AVware 20160324
Baidu 20160324
Baidu-International 20160324
BitDefender 20160324
Bkav 20160324
ByteHero 20160324
CAT-QuickHeal 20160323
ClamAV 20160324
CMC 20160322
Comodo 20160324
Cyren 20160324
DrWeb 20160324
Emsisoft 20160324
ESET-NOD32 20160324
F-Prot 20160324
F-Secure 20160324
Fortinet 20160324
GData 20160324
Ikarus 20160324
Jiangmin 20160324
K7AntiVirus 20160324
K7GW 20160323
Kaspersky 20160324
Malwarebytes 20160324
McAfee 20160324
McAfee-GW-Edition 20160324
Microsoft 20160324
eScan 20160324
NANO-Antivirus 20160324
nProtect 20160324
Panda 20160324
Qihoo-360 20160324
Rising 20160324
Sophos AV 20160324
SUPERAntiSpyware 20160324
Symantec 20160324
Tencent 20160324
TheHacker 20160323
TotalDefense 20160324
TrendMicro 20160324
TrendMicro-HouseCall 20160324
VBA32 20160324
VIPRE 20160324
ViRobot 20160324
Zillya 20160324
Zoner 20160324
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright © Microsoft Corporation. All rights reserved.
Product Microsoft .NET Framework 4.6
Original name NDP46-KB3045557-x86-x64-AllOS-ENU.exe
Internal name NDP46-KB3045557-x86-x64-AllOS-ENU.exe
File version 4.6.00081.00
Description Microsoft .NET Framework 4.6 Setup
Signature verification Signed file, verified signature
Signing date 11:17 PM 6/22/2015
Signers
[+] Microsoft Corporation
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Code Signing PCA
Valid from 6:42 PM 6/4/2015
Valid to 6:42 PM 9/4/2016
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 3BDA323E552DB1FDE5F4FBEE75D6D5B2B187EEDC
Serial number 33 00 00 01 0A 2C 79 AE D7 79 7B A6 AC 00 01 00 00 01 0A
[+] Microsoft Code Signing PCA
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 11:19 PM 8/31/2010
Valid to 11:29 PM 8/31/2020
Valid usage All
Algorithm sha1RSA
Thumbprint 3CAF9BA2DB5570CAF76942FF99101B993888E257
Serial number 61 33 26 1A 00 00 00 00 00 31
[+] Microsoft Root Certificate Authority
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 12:19 AM 5/10/2001
Valid to 12:28 AM 5/10/2021
Valid usage All
Algorithm sha1RSA
Thumbprint CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
Counter signers
[+] Microsoft Time-Stamp Service
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Time-Stamp PCA
Valid from 6:32 PM 3/20/2015
Valid to 6:32 PM 6/20/2016
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 5740FB2B2D092E26E2E9DFFAE9E53412B9F7D21B
Serial number 33 00 00 00 6F 65 2D 58 6D 07 11 46 28 00 00 00 00 00 6F
[+] Microsoft Time-Stamp PCA
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 1:53 PM 4/3/2007
Valid to 2:03 PM 4/3/2021
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 375FCB825C3DC3752A02E34EB70993B4997191EF
Serial number 61 16 68 34 00 00 00 00 00 1C
[+] Microsoft Root Certificate Authority
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 12:19 AM 5/10/2001
Valid to 12:28 AM 5/10/2021
Valid usage All
Algorithm sha1RSA
Thumbprint CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
Packers identified
F-PROT 7Z
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2014-11-18 21:56:32
Entry Point 0x0001894B
Number of sections 6
PE sections
Overlays
MD5 f502db04940991493f8c86d697f69c1b
File type data
Offset 188416
Size 65256272
Entropy 8.00
PE imports
SetSecurityDescriptorDacl
SetSecurityDescriptorOwner
SetEntriesInAclW
CryptReleaseContext
CreateWellKnownSid
CryptGenRandom
InitializeSecurityDescriptor
CryptAcquireContextW
DecryptFileW
Ord(23)
Ord(20)
Ord(22)
GetStdHandle
GetDriveTypeW
FileTimeToSystemTime
WaitForSingleObject
GetFileAttributesW
GetLocalTime
DeleteCriticalSection
GetCurrentProcess
FileTimeToDosDateTime
GetConsoleMode
SetErrorMode
FreeEnvironmentStringsW
SetStdHandle
GetCPInfo
WriteFile
GetTimeZoneInformation
GetSystemTimeAsFileTime
HeapReAlloc
GetStringTypeW
GetOEMCP
LocalFree
FormatMessageW
InitializeCriticalSection
GetLogicalDriveStringsW
FindClose
InterlockedDecrement
QueryDosDeviceW
SetFileAttributesW
GetEnvironmentVariableW
SetLastError
GetSystemTime
DeviceIoControl
RemoveDirectoryW
IsDebuggerPresent
ExitProcess
GetModuleFileNameA
HeapSetInformation
UnhandledExceptionFilter
TlsGetValue
MultiByteToWideChar
SystemTimeToTzSpecificLocalTime
SetFilePointerEx
CreateThread
SetEnvironmentVariableW
MoveFileExW
GetSystemDirectoryW
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
ExitThread
TerminateProcess
SetCurrentDirectoryW
GlobalAlloc
LocalFileTimeToFileTime
GetDiskFreeSpaceExW
SetEndOfFile
GetCurrentThreadId
LeaveCriticalSection
WriteConsoleW
InitializeCriticalSectionAndSpinCount
HeapFree
EnterCriticalSection
SetHandleCount
LoadLibraryW
GetExitCodeProcess
QueryPerformanceCounter
GetTickCount
TlsAlloc
FlushFileBuffers
RtlUnwind
GetStartupInfoW
CreateDirectoryW
DeleteFileW
GetProcAddress
GetProcessHeap
GetComputerNameW
CompareStringW
GetModuleFileNameW
ExpandEnvironmentStringsW
FindNextFileW
ResetEvent
FindFirstFileW
DuplicateHandle
WaitForMultipleObjects
SetEvent
CreateEventW
CreateFileW
CreateEventA
GetFileType
TlsSetValue
CreateFileA
HeapAlloc
InterlockedIncrement
GetLastError
DosDateTimeToFileTime
LCMapStringW
GetSystemInfo
lstrlenA
GlobalFree
GetConsoleCP
GetEnvironmentStringsW
lstrlenW
FileTimeToLocalFileTime
GetCurrentDirectoryW
GetCurrentProcessId
SetFileTime
GetCommandLineW
WideCharToMultiByte
HeapSize
GetCommandLineA
RaiseException
TlsFree
SetFilePointer
ReadFile
CloseHandle
GetACP
GetModuleHandleW
IsValidCodePage
HeapCreate
CreateProcessW
Sleep
VariantClear
SysAllocString
UuidCreate
UuidToStringW
RpcStringFreeW
SHGetPathFromIDListW
SHBrowseForFolderW
CommandLineToArgvW
PathRemoveExtensionW
GetWindowThreadProcessId
SetWindowLongW
MessageBoxW
SendMessageW
GetTopWindow
EndDialog
GetWindowLongW
CharUpperW
DialogBoxParamW
LoadStringW
SetWindowTextW
GetDlgItem
PostQuitMessage
GetWindow
PostMessageW
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
PE exports
Number of PE resources by type
RT_STRING 3
RT_DIALOG 2
RT_ICON 2
RT_VERSION 2
RT_MANIFEST 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 10
NEUTRAL 1
PE resources
Debug information
ExifTool file metadata
SubsystemVersion 5.1
LinkerVersion 10.0
ImageVersion 10.0
FileSubtype 0
FileVersionNumber 4.6.81.0
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Unicode
InitializedDataSize 29696
EntryPoint 0x1894b
OriginalFileName NDP46-KB3045557-x86-x64-AllOS-ENU.exe
MIMEType application/octet-stream
LegalCopyright Microsoft Corporation. All rights reserved.
FileVersion 4.6.00081.00
TimeStamp 2014:11:18 22:56:32+01:00
FileType Win32 EXE
PEType PE32
InternalName NDP46-KB3045557-x86-x64-AllOS-ENU.exe
ProductVersion 4.6.00081.00
FileDescription Microsoft .NET Framework 4.6 Setup
OSVersion 5.1
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName Microsoft Corporation
CodeSize 157696
ProductName Microsoft .NET Framework 4.6
ProductVersionNumber 4.6.81.0
Warning Possibly corrupt Version resource
FileTypeExtension exe
ObjectFileType Executable application
PE resource-wise parents
Compressed bundles
File identification
MD5 88bc05e20114a4506f40c36911de92fa
SHA1 3049a85843eaf65e89e2336d5fe6e85e416797be
SHA256 b21d33135e67e3486b154b11f7961d8e1cfd7a603267fb60febb4a6feab5cf87
ssdeep 1572864:ZYTXVPHDe12o5v022LPDceEYMRT8pkNpiwiG8VnDV:4g1jKPLoLTR8VnZ
authentihash 31cd23326690dad77ad81876b40cb768e5ca4639cc9b2d3608f9cc27c8e54253
imphash fa7ad1da1bd0aad446375362ef77bd51
File size 62.4 MB ( 65444688 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable (generic) (42.7%)
OS/2 Executable (generic) (19.2%)
Generic Win/DOS Executable (18.9%)
DOS Executable Generic (18.9%)
Tags peexe signed overlay
VirusTotal metadata
First submission 2015-07-20 15:52:23 UTC ( 2 years, 11 months ago )
Last submission 2018-06-10 02:14:22 UTC ( 1 week, 6 days ago )
File names bit2027.tmp
bitff98.tmp
bit3c7.tmp
bitb133.tmp
b21d33135e67e3486b154b11f7961d8e1cfd7a603267fb60febb4a6feab5cf87-content_5875b8f9-da6c-4339-8829-55ec494823e9.1.src000a8.temp
NDP46-KB3045557-x86-x64-AllOS-ENU.exe
path_hash-9b52b38d5626ce676aa99f30fd08569f633c7b4cb7f83037a696967bfa2d2deb
net famework 4.6.exe
Microsoft .NET Framework 4.6 Full.exe
bit8603.tmp
bitf247.tmp
bit2bb.tmp
Microsoft .NET Framework 4.6-x86-x64.exe
bitbed2.tmp
bit2fdd.tmp
bitc2c7.tmp
bitdd43.tmp
djiesoft.com_dotnetfx_4.6_x86_x64.exe
b21d33135e67e3486b154b11f7961d8e1cfd7a603267fb60febb4a6feab5cf87-content_a76c9a3d-6b7d-4177-a3d9-09ec1e15ffcd.1.pr100505.temp
1.exe
bit1862.tmp
bitcfcf.tmp
bitba9b.tmp
bit809f.tmp
ndp46-kb3045557-x86-x64-allos-enu (1).exe
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight