SHA256: c6c8d501e011258dae05629bd5099ddc1a598751d734d2d141eb44f8bcc302ab
File name: 13d5f13aac11bc3d28e77b52c524b9499d3007558dcb9ff3229617e57e3cf635
Detection ratio: 0 / 64
Analysis date: 2017-07-17 14:15:25 UTC ( 1 year, 10 months ago )
Antivirus Result Update (the Result column is empty in every row: none of the 64 engines flagged the file)
Ad-Aware 20170717
AegisLab 20170717
AhnLab-V3 20170717
Alibaba 20170717
ALYac 20170717
Antiy-AVL 20170717
Arcabit 20170717
Avast 20170717
AVG 20170717
Avira (no cloud) 20170717
AVware 20170717
Baidu 20170717
BitDefender 20170717
Bkav 20170717
CAT-QuickHeal 20170717
ClamAV 20170717
CMC 20170717
Comodo 20170717
CrowdStrike Falcon (ML) 20170710
Cylance 20170717
Cyren 20170717
DrWeb 20170717
Emsisoft 20170717
Endgame 20170713
ESET-NOD32 20170717
F-Prot 20170717
F-Secure 20170717
Fortinet 20170629
GData 20170717
Ikarus 20170717
Sophos ML 20170607
Jiangmin 20170717
K7AntiVirus 20170717
K7GW 20170717
Kaspersky 20170717
Kingsoft 20170717
Malwarebytes 20170717
MAX 20170717
McAfee 20170717
McAfee-GW-Edition 20170717
Microsoft 20170717
eScan 20170717
NANO-Antivirus 20170717
nProtect 20170717
Palo Alto Networks (Known Signatures) 20170717
Panda 20170717
Qihoo-360 20170717
Rising 20170717
SentinelOne (Static ML) 20170516
Sophos AV 20170717
SUPERAntiSpyware 20170717
Symantec 20170717
Symantec Mobile Insight 20170717
Tencent 20170717
TheHacker 20170717
TotalDefense 20170717
TrendMicro 20170717
TrendMicro-HouseCall 20170717
Trustlook 20170717
VBA32 20170717
VIPRE 20170717
ViRobot 20170717
Webroot 20170717
WhiteArmor 20170713
Yandex 20170714
Zillya 20170714
ZoneAlarm by Check Point 20170717
Zoner 20170717
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright Copyright (C) 2006 Macrovision Corporation
Product InstallShield
Original name Setup.exe
Internal name Setup
File version 12.0.49974
Description Setup.exe
Signature verification Signed file, verified signature
Signing date 9:10 AM 3/30/2009
Signers
[+] TDS Todos Data System AB
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer VeriSign Class 3 Code Signing 2004 CA
Valid from 1:00 AM 5/11/2007
Valid to 12:59 AM 5/27/2009
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 6825C4A4108BCAFED722C05331C89F8C0EDC60DF
Serial number 3C 05 E1 95 B5 85 20 36 39 CF DA 99 BC 6C 64 4B
[+] VeriSign Class 3 Code Signing 2004 CA
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Class 3 Public Primary Certification Authority
Valid from 1:00 AM 7/16/2004
Valid to 12:59 AM 7/16/2014
Valid usage Client Auth, Code Signing
Algorithm sha1RSA
Thumbprint 197A4AEBDB25F0170079BB8C73CB2D655E0018A4
Serial number 41 91 A1 5A 39 78 DF CF 49 65 66 38 1D 4C 75 C2
[+] VeriSign Class 3 Public Primary CA
Status Valid
Issuer Class 3 Public Primary Certification Authority
Valid from 1:00 AM 1/29/1996
Valid to 12:59 AM 8/2/2028
Valid usage Email Protection, Client Auth, Code Signing, Server Auth
Algorithm md2RSA
Thumbprint 742C3192E607E424EB4549542BE1BBC53E6174E2
Serial number 70 BA E4 1D 10 D9 29 34 B6 38 CA 7B 03 CC BA BF
Counter signers
[+] VeriSign Time Stamping Services Signer - G2
Status This certificate or one of the certificates in the certificate chain is not time valid; the revocation status of the certificate or one of the certificates in the certificate chain is unknown; Error 65536 (0x10000); the revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.
Issuer VeriSign Time Stamping Services CA
Valid from 1:00 AM 6/15/2007
Valid to 12:59 AM 6/15/2012
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE
Serial number 38 25 D7 FA F8 61 AF 9E F4 90 E7 26 B5 D6 5A D5
[+] VeriSign Time Stamping Services CA
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Thawte Timestamping CA
Valid from 1:00 AM 12/4/2003
Valid to 12:59 AM 12/4/2013
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
Serial number 47 BF 19 95 DF 8D 52 46 43 F7 DB 6D 48 0D 31 A4
[+] Thawte Timestamping CA
Status Valid
Issuer Thawte Timestamping CA
Valid from 1:00 AM 1/1/1997
Valid to 12:59 AM 1/1/2021
Valid usage Timestamp Signing
Algorithm md5RSA
Thumbprint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
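The signer table above shows the apparent contradiction that confuses many readers of these reports: the file is reported as "Signed file, verified signature" while the signing certificate and its intermediate are both "not time valid". The two statements are reconciled by the countersignature: the TSA timestamp proves the signature was made on 3/30/2009, inside the signer's validity window, so later expiry does not invalidate it. The following is an added example, not VirusTotal's or Windows' code, that applies that lifetime-signing rule to the validity windows transcribed from the table (times truncated to the day; the md2RSA/md5RSA roots are treated as trust anchors whose self-signatures are not verified):

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Added example: validity windows copied from the report's signer table;
# the decision logic illustrates the Authenticode lifetime-signing rule
# and is not VirusTotal's or Windows' own implementation.


@dataclass(frozen=True)
class Cert:
    subject: str
    not_before: datetime
    not_after: datetime
    sig_alg: str            # as printed by Windows, e.g. "sha1RSA", "md2RSA"
    is_root: bool = False   # trust anchor: its self-signature is never verified


def covers(cert: Cert, when: datetime) -> bool:
    """True if `when` lies inside the certificate's validity window."""
    return cert.not_before <= when <= cert.not_after


def signature_time_valid(chain: List[Cert], now: datetime,
                         timestamp: Optional[datetime] = None) -> Tuple[bool, List[str]]:
    """Apply the lifetime-signing rule.

    Without a trusted countersignature every certificate in the chain must be
    valid *now*.  With one, the chain only has to have been valid at the
    countersigned instant; later expiry does not invalidate the signature.
    Returns (ok, reasons-for-failure).
    """
    reference = timestamp if timestamp is not None else now
    reasons = [f"{c.subject}: not time valid at {reference:%Y-%m-%d}"
               for c in chain if not covers(c, reference)]
    return (not reasons, reasons)


def deprecated_digests(chain: List[Cert]) -> List[Tuple[str, str]]:
    """Non-root certificates signed with MD2, MD5 or SHA-1.

    The root's self-signature is not on the verification path, so the md2RSA
    root in this report is not itself a finding; the sha1RSA leaf and
    intermediate are (SHA-1 code signing is deprecated).
    """
    weak = ("md2", "md5", "sha1")
    return [(c.subject, c.sig_alg) for c in chain
            if not c.is_root and c.sig_alg.lower().startswith(weak)]


def _d(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d")


# Transcribed from the signer table above.
SIGNER_CHAIN = [
    Cert("TDS Todos Data System AB", _d("2007-05-11"), _d("2009-05-27"), "sha1RSA"),
    Cert("VeriSign Class 3 Code Signing 2004 CA", _d("2004-07-16"), _d("2014-07-16"), "sha1RSA"),
    Cert("VeriSign Class 3 Public Primary CA", _d("1996-01-29"), _d("2028-08-02"), "md2RSA", is_root=True),
]
TSA_CHAIN = [
    Cert("VeriSign Time Stamping Services Signer - G2", _d("2007-06-15"), _d("2012-06-15"), "sha1RSA"),
    Cert("VeriSign Time Stamping Services CA", _d("2003-12-04"), _d("2013-12-04"), "sha1RSA"),
    Cert("Thawte Timestamping CA", _d("1997-01-01"), _d("2021-01-01"), "md5RSA", is_root=True),
]
SIGNED_AT = datetime(2009, 3, 30, 9, 10)      # "Signing date" = countersignature time
ANALYSED_AT = datetime(2017, 7, 17, 14, 15)   # the report's analysis date


def verdict(now: datetime = ANALYSED_AT) -> dict:
    """Reproduce the report's mixed statuses for this file."""
    ok_ts, _ = signature_time_valid(TSA_CHAIN, now, timestamp=SIGNED_AT)
    # Only honour the countersignature if the TSA chain was valid when it signed.
    ts = SIGNED_AT if ok_ts else None
    ok, _ = signature_time_valid(SIGNER_CHAIN, now, timestamp=ts)
    ok_no_ts, expired = signature_time_valid(SIGNER_CHAIN, now)
    return {
        "verified_signature": ok,            # "Signed file, verified signature"
        "valid_without_timestamp": ok_no_ts, # what you would get with no TSA
        "expired_certs": expired,            # the "not time valid" rows
        "deprecated_digests": deprecated_digests(SIGNER_CHAIN + TSA_CHAIN),
    }


if __name__ == "__main__":
    for key, value in verdict().items():
        print(f"{key}: {value}")
```

The practical caveat this encodes: a verified-but-expired signature only tells you the publisher held a valid certificate in 2009; it says nothing about whether that key was later compromised, and revocation for the leaf can no longer be checked once the CRL is offline (the "revocation status ... unknown" line above). Treat the signature as provenance evidence, not as an allow-list decision.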
Packers identified
PEiD Armadillo v1.71 (a signature PEiD is also known to match on unpacked Visual C++ 6 binaries; the linker version 6.0 reported by ExifTool below fits that reading, so treat this as a weak packer indicator rather than proof of Armadillo protection)
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2006-05-24 16:57:31
Entry Point 0x00022A29
Number of sections 4
PE sections
Overlays
MD5 737c6c53a2bd6b3472a341561a570af6
File type data
Offset 450560
Size 2749856
Entropy 7.71
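The overlay figures above are the most useful static facts on the page for an installer stub: everything after the last section (offset 450560, 2,749,856 bytes, entropy 7.71 bits/byte) is the compressed package the stub unpacks at run time. The following is an added example, not the report's tooling, that locates a PE overlay from the section headers and computes the same Shannon entropy measure with no third-party dependency; the small PE it builds for testing is constructed here and is not the report's file:

```python
import math
import struct
from collections import Counter
from typing import Dict, List, Tuple

# Added example: dependency-free overlay finder plus the entropy measure
# shown in the report.  Parsing follows the PE/COFF header layout; the PE
# produced by build_minimal_pe() is constructed for testing only.


def parse_sections(data: bytes) -> List[Tuple[bytes, int, int]]:
    """Return (name, PointerToRawData, SizeOfRawData) for every section header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    first = coff + 20 + opt_size
    out = []
    for i in range(num_sections):
        off = first + 40 * i
        name = data[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        out.append((name, raw_ptr, raw_size))
    return out


def overlay(data: bytes) -> Tuple[int, int]:
    """(offset, size) of bytes past the last section's raw data; size 0 if none."""
    end = max((ptr + size for _, ptr, size in parse_sections(data) if size), default=0)
    return end, max(len(data) - end, 0)


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def classify(data: bytes, threshold: float = 7.0) -> Dict[str, object]:
    """Flag an overlay whose entropy looks like compressed or encrypted data."""
    off, size = overlay(data)
    h = entropy(data[off:]) if size else 0.0
    return {"overlay_offset": off, "overlay_size": size,
            "overlay_entropy": round(h, 2),
            "likely_packed_payload": size > 0 and h >= threshold}


def build_minimal_pe(section_bodies: List[bytes], overlay_bytes: bytes = b"") -> bytes:
    """Construct a tiny PE32 for testing: valid headers, dummy optional header."""
    opt_size = 224                      # PE32 optional header size
    n = len(section_bodies)
    headers_len = 64 + 4 + 20 + opt_size + 40 * n
    headers_len = (headers_len + 511) // 512 * 512   # FileAlignment 512
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    sec_hdrs, body, ptr = bytearray(), bytearray(), headers_len
    for i, b in enumerate(section_bodies):
        raw = (len(b) + 511) // 512 * 512
        sec_hdrs += struct.pack("<8sIIIIIIHHI", f".s{i}".encode(), len(b),
                                0x1000 * (i + 1), raw, ptr, 0, 0, 0, 0, 0x60000020)
        body += b.ljust(raw, b"\0")
        ptr += raw
    img = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec_hdrs)
    return img.ljust(headers_len, b"\0") + bytes(body) + overlay_bytes


if __name__ == "__main__":
    sample = build_minimal_pe([b"A" * 100, b"B" * 300], bytes(range(256)) * 8)
    print(classify(sample))
```

Run against the report's numbers the check is consistent: 450560 + 2749856 = 3200416, exactly the reported file size, so the overlay runs to the end of the file, and 7.71 bits/byte would trip the threshold. For an InstallShield stub that is the expected shape (the compressed package travels as an overlay behind the signed stub), which is why a high-entropy overlay on a signed installer is a property to record rather than a verdict on its own; the same measurement on a bare compiler-built executable would be far more interesting.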
PE imports (the KERNEL32 entries include the process-manipulation set WriteProcessMemory, GetThreadContext, SetThreadContext, VirtualProtectEx, ResumeThread, FlushInstructionCache and CreateProcessA alongside the file, registry and dialog APIs an installer is expected to use)
[ADVAPI32.dll]
RegDeleteKeyA
GetTokenInformation
RegOpenKeyA
RegCloseKey
OpenProcessToken
RegQueryValueA
FreeSid
RegQueryValueExA
AllocateAndInitializeSid
OpenThreadToken
RegSetValueExA
EqualSid
RegCreateKeyExA
RegOpenKeyExA
RegCreateKeyA
RegEnumKeyExA
[GDI32.dll]
GetDIBColorTable
SetMapMode
GetSystemPaletteEntries
PatBlt
SetStretchBltMode
SaveDC
TextOutA
CreateFontIndirectA
PlayMetaFile
GetDeviceCaps
CreateDCA
DeleteDC
RestoreDC
SetBkMode
SetMetaFileBitsEx
SetPixel
CreateSolidBrush
CreateHalftonePalette
RealizePalette
SetTextColor
CreatePatternBrush
GetObjectA
SelectObject
CreateBitmap
BitBlt
CreatePalette
GetStockObject
CreateDIBitmap
SetViewportOrgEx
SelectPalette
UnrealizeObject
SelectClipRgn
CreateCompatibleDC
StretchBlt
CreateRectRgn
DeleteObject
GetTextExtentPoint32A
SetWindowExtEx
SetWindowOrgEx
GetTextExtentPointA
SetBkColor
SetViewportExtEx
CreateCompatibleBitmap
DeleteMetaFile
[KERNEL32.dll]
GetPrivateProfileSectionNamesA
GetStdHandle
ReleaseMutex
GetFileAttributesA
WaitForSingleObject
GetDriveTypeA
HeapDestroy
GetLocalTime
FreeEnvironmentStringsA
DeleteCriticalSection
HeapReAlloc
lstrcatA
SetErrorMode
FreeEnvironmentStringsW
GetThreadContext
SetStdHandle
GetTempPathA
WideCharToMultiByte
GetStringTypeA
InterlockedExchange
WriteFile
GetDiskFreeSpaceA
GetStringTypeW
SetFileAttributesA
GetExitCodeProcess
LocalFree
ResumeThread
GetEnvironmentVariableA
LoadResource
FindClose
TlsGetValue
FormatMessageA
SetLastError
InitializeCriticalSection
WriteProcessMemory
CopyFileA
HeapAlloc
GetVersionExA
GetModuleFileNameA
QueryPerformanceFrequency
LoadLibraryExA
GetPrivateProfileStringA
UnhandledExceptionFilter
InterlockedDecrement
MultiByteToWideChar
FlushInstructionCache
CreateMutexA
GetModuleHandleA
CreateThread
SetUnhandledExceptionFilter
GetCurrentProcess
MulDiv
GetSystemDirectoryA
MoveFileExA
SetThreadContext
TerminateProcess
VirtualQuery
SearchPathA
GetCurrentThreadId
LeaveCriticalSection
HeapFree
EnterCriticalSection
SetHandleCount
lstrcmpiA
SetEvent
QueryPerformanceCounter
GetTickCount
IsBadWritePtr
TlsAlloc
VirtualProtect
FlushFileBuffers
LoadLibraryA
RtlUnwind
FreeLibrary
GlobalSize
GetStartupInfoA
GetFileSize
AddAtomA
GetPrivateProfileIntA
CreateDirectoryA
DeleteFileA
GetWindowsDirectoryA
GetProcAddress
VirtualProtectEx
CompareStringW
lstrcmpA
FindFirstFileA
lstrcpyA
ResetEvent
GetTempFileNameA
CreateFileMappingA
FindNextFileA
DuplicateHandle
GlobalLock
CreateEventA
GetFileType
TlsSetValue
CreateFileA
ExitProcess
InterlockedIncrement
GetLastError
SystemTimeToFileTime
LCMapStringW
UnmapViewOfFile
GetSystemInfo
lstrlenA
GlobalFree
LCMapStringA
GlobalUnlock
GetEnvironmentStringsW
FindResourceExA
GlobalAlloc
RemoveDirectoryA
GetShortPathNameA
GetAtomNameA
SizeofResource
WritePrivateProfileStringA
GetCurrentProcessId
LockResource
lstrlenW
GetCPInfo
HeapSize
GetCommandLineA
GetCurrentThread
GetSystemDefaultLangID
RaiseException
MapViewOfFile
SetFilePointer
ReadFile
CloseHandle
lstrcpynA
GetACP
GetVersion
FreeResource
GetEnvironmentStrings
CreateProcessA
HeapCreate
VirtualFree
Sleep
IsBadReadPtr
IsBadCodePtr
FindResourceA
VirtualAlloc
GetOEMCP
CompareStringA
[LZ32.dll]
LZCopy
LZClose
LZOpenFileA
[OLEAUT32.dll]
LoadRegTypeLib
VariantChangeType
SafeArrayGetLBound
SafeArrayGetElement
SysAllocStringLen
RegisterTypeLib
VariantClear
SysAllocString
SysReAllocStringLen
SafeArrayGetUBound
VariantCopy
GetErrorInfo
SysFreeString
LoadTypeLib
SysStringLen
[RPCRT4.dll]
UuidToStringA
RpcStringFreeA
UuidCreate
[SHELL32.dll]
SHGetMalloc
ShellExecuteExA
SHGetSpecialFolderLocation
SHBrowseForFolderA
SHGetPathFromIDListA
[USER32.dll]
SetFocus
MapWindowPoints
GetSysColor
GetParent
MapDialogRect
ReleaseDC
SetPropA
EndDialog
BeginPaint
DrawIcon
CreateDialogIndirectParamA
GetClassInfoExA
DefWindowProcA
ShowWindow
PostThreadMessageA
GetPropA
SetWindowPos
SetWindowRgn
SendDlgItemMessageA
IsWindow
GetWindowRect
DispatchMessageA
EndPaint
PeekMessageA
SetDlgItemTextA
PostMessageA
MoveWindow
EnumChildWindows
GetDlgItemTextA
CallWindowProcA
IntersectRect
MessageBoxA
LoadImageA
GetWindowDC
SetWindowLongA
TranslateMessage
IsWindowEnabled
GetWindow
UpdateWindow
CharUpperA
CheckDlgButton
GetDC
RegisterClassExA
SystemParametersInfoA
RemovePropA
SetWindowTextA
CopyRect
GetWindowLongA
GetWindowPlacement
SendMessageA
SetForegroundWindow
GetClientRect
GetDlgItem
CreateDialogParamA
CharLowerBuffA
EnableMenuItem
ScreenToClient
InvalidateRect
wsprintfA
GetWindowTextLengthA
CreateWindowExA
LoadCursorA
LoadIconA
DrawTextA
GetMessageA
FillRect
LoadStringA
IsDlgButtonChecked
CharNextA
WaitForInputIdle
SetActiveWindow
GetDesktopWindow
InflateRect
GetDialogBaseUnits
GetClassNameA
IsDialogMessageA
MsgWaitForMultipleObjects
EnableWindow
GetWindowTextA
DrawFocusRect
DialogBoxIndirectParamA
DestroyWindow
[VERSION.dll]
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA
[ole32.dll]
CoMarshalInterThreadInterfaceInStream
CoInitialize
CoTaskMemAlloc
CoRevokeClassObject
CoUninitialize
CoCreateGuid
CoCreateInstance
CoGetInterfaceAndReleaseStream
StringFromCLSID
CoRegisterClassObject
GetRunningObjectTable
CoReleaseMarshalData
CoTaskMemFree
StringFromGUID2
Number of PE resources by type
RT_STRING 132
RT_DIALOG 4
RT_ICON 4
RT_MANIFEST 1
TYPELIB 1
PUBLICKEY 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 8
TURKISH DEFAULT 7
ENGLISH US 6
SWEDISH 4
PORTUGUESE 4
CZECH DEFAULT 4
FRENCH 4
CHINESE SIMPLIFIED 4
SLOVENIAN DEFAULT 4
INDONESIAN DEFAULT 4
DUTCH 4
ITALIAN 4
CATALAN DEFAULT 4
FINNISH DEFAULT 4
SERBIAN CYRILLIC 4
PORTUGUESE BRAZILIAN 4
SPANISH 4
FRENCH CANADIAN 4
KOREAN 4
BASQUE DEFAULT 4
HUNGARIAN DEFAULT 4
GERMAN 4
BULGARIAN DEFAULT 4
POLISH DEFAULT 4
JAPANESE DEFAULT 4
DANISH DEFAULT 4
SLOVAK DEFAULT 4
GREEK DEFAULT 4
NORWEGIAN BOKMAL 4
CHINESE TRADITIONAL 4
THAI DEFAULT 4
SERBIAN DEFAULT 4
ROMANIAN 4
RUSSIAN 4
PE resources
ExifTool file metadata
SubsystemVersion 4.0
LinkerVersion 6.0
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 12.0.0.49974
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Unicode
InitializedDataSize 172032
EntryPoint 0x22a29
OriginalFileName Setup.exe
MIMEType application/octet-stream
LegalCopyright Copyright (C) 2006 Macrovision Corporation
FileVersion 12.0.49974
TimeStamp 2006:05:24 17:57:31+01:00
FileType Win32 EXE
PEType PE32
InternalName Setup
ProductVersion 12.0
FileDescription Setup.exe
OSVersion 4.0
FileOS Windows NT 32-bit
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName Macrovision Corporation
CodeSize 282624
ProductName InstallShield
ProductVersionNumber 12.0.0.0
FileTypeExtension exe
ObjectFileType Executable application

File identification
MD5 6804f65ff6e01140cb2f12c85dac2f58
SHA1 50c25765d321e38e7b776ebab008ba4ae8ccd12c
SHA256 c6c8d501e011258dae05629bd5099ddc1a598751d734d2d141eb44f8bcc302ab
ssdeep
98304:iTHc9l91zymdYNLOrUV5gM5ajmnpYTHc9lyeq:ik9/mLOAV5t8j9kyeq

authentihash 6b93f83661e42ab569f1685469454c9688b5fef5e9f61d8caf74683108ccf6db
imphash 3ef36b68401f1772a029a5b517cfa431
File size 3.1 MB ( 3200416 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID DirectShow filter (40.7%)
Windows ActiveX control (23.5%)
InstallShield setup (8.6%)
Win32 Executable MS Visual C++ (generic) (6.3%)
Win64 Executable (generic) (5.5%)
Tags
peexe armadillo signed overlay

VirusTotal metadata
First submission 2011-01-21 09:15:49 UTC ( 8 years, 4 months ago )
Last submission 2016-05-19 20:20:04 UTC ( 3 years ago )
File names NCR1_install_eng.exe
HTTP-FwSSda2U4NViRE52y4.exe
ncr1_install_eng[1].exe
HTTP-FZkkWo36rKhOrhPXoj.exe
Setup
HTTP-F2B7xo1DuYCnJe4D51.exe
HTTP-FMAJ3YRu1bZ4PM3Ba.exe
NCR1_install_eng.exe
ncr1_install_eng.exe.gr67tge.partial
NCR1_install_eng.exe
NCR1_install_eng.exe
Setup.exe
NCR1_install_eng.exe
13d5f13aac11bc3d28e77b52c524b9499d3007558dcb9ff3229617e57e3cf635
ncr1_install_eng.exe
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Copied files
Moved files
Deleted files
Created processes
Created mutexes
Opened mutexes
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function. (DeviceIoControl does not appear in the static import table above, so the call is either resolved at run time through the imported GetProcAddress/LoadLibraryA pair or made by a process the installer launched, both of which this condensed report attributes to the sample.)
UDP communications