× Cookies are disabled! This site requires cookies to be enabled to work properly
SHA256: 6573fce3705e3d6e76baa149ec8e3846cf082ea3190735ae1657ffc36e344880
File name: 6573FCE3705E3D6E76BAA149EC8E3846CF082EA3190735AE1657FFC36E344880
Detection ratio: 1 / 57
Analysis date: 2016-04-03 03:50:02 UTC ( 2 years, 7 months ago ) View latest
Antivirus Result Update
Baidu Multi.Threats.InArchive 20160402
Ad-Aware 20160403
AegisLab 20160403
AhnLab-V3 20160402
Alibaba 20160401
ALYac 20160403
Antiy-AVL 20160403
Arcabit 20160403
Avast 20160403
AVG 20160403
Avira (no cloud) 20160402
AVware 20160403
Baidu-International 20160402
BitDefender 20160403
Bkav 20160402
CAT-QuickHeal 20160402
ClamAV 20160402
CMC 20160401
Comodo 20160402
Cyren 20160403
DrWeb 20160403
Emsisoft 20160403
ESET-NOD32 20160402
F-Prot 20160403
F-Secure 20160403
Fortinet 20160402
GData 20160403
Ikarus 20160402
Jiangmin 20160403
K7AntiVirus 20160402
K7GW 20160403
Kaspersky 20160402
Kingsoft 20160403
Malwarebytes 20160403
McAfee 20160403
McAfee-GW-Edition 20160403
Microsoft 20160402
eScan 20160403
NANO-Antivirus 20160403
nProtect 20160401
Panda 20160402
Qihoo-360 20160403
Rising 20160403
Sophos AV 20160403
SUPERAntiSpyware 20160403
Symantec 20160331
Tencent 20160403
TheHacker 20160330
TotalDefense 20160402
TrendMicro 20160403
TrendMicro-HouseCall 20160403
VBA32 20160401
VIPRE 20160403
ViRobot 20160402
Yandex 20160316
Zillya 20160402
Zoner 20160403
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
Copyright © 2010-2015, Process Hacker Team. Licensed under the GNU GPL, v3.

Product Process Hacker
File version 2.36 (r6153)
Description Process Hacker Setup
Comments This installation was built with Inno Setup.
Signature verification Signed file, verified signature
Signing date 11:30 AM 6/29/2015
Signers
[+] Wen Jia Liu
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer DigiCert High Assurance Code Signing CA-1
Valid from 1:00 AM 10/30/2013
Valid to 1:00 PM 11/4/2015
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint B2B9F4F23889FD643590B2AF5A9AB750D100253B
Serial number 03 E9 01 7D 54 CD 93 F0 94 D0 A2 AB 7F C0 E3 F5
[+] DigiCert High Assurance Code Signing CA-1
Status Valid
Issuer DigiCert High Assurance EV Root CA
Valid from 1:00 PM 2/11/2011
Valid to 1:00 PM 2/10/2026
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint E308F829DC77E80AF15EDD4151EA47C59399AB46
Serial number 02 C4 D1 E5 8A 4A 68 0C 56 8D A3 04 7E 7E 4D 5F
[+] DigiCert
Status Valid
Issuer DigiCert High Assurance EV Root CA
Valid from 1:00 AM 11/10/2006
Valid to 1:00 AM 11/10/2031
Valid usage Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing
Algorithm sha1RSA
Thumbprint 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
Serial number 02 AC 5C 26 6A 0B 40 9B 8F 0B 79 F2 AE 46 25 77
Counter signers
[+] DigiCert Timestamp Responder
Status Valid
Issuer DigiCert Assured ID CA-1
Valid from 1:00 AM 10/22/2014
Valid to 1:00 AM 10/22/2024
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbrint 614D271D9102E30169822487FDE5DE00A352B01D
Serial number 03 01 9A 02 3A FF 58 B1 6B D6 D5 EA E6 17 F0 66
[+] DigiCert Assured ID CA-1
Status Valid
Issuer DigiCert Assured ID Root CA
Valid from 1:00 AM 11/10/2006
Valid to 1:00 AM 11/10/2021
Valid usage Server Auth, Client Auth, Code Signing, Email Protection, Timestamp Signing
Algorithm sha1RSA
Thumbrint 19A09B5A36F4DD99727DF783C17A51231A56C117
Serial number 06 FD F9 03 96 03 AD EA 00 0A EB 3F 27 BB BA 1B
[+] DigiCert
Status Valid
Issuer DigiCert Assured ID Root CA
Valid from 1:00 AM 11/10/2006
Valid to 1:00 AM 11/10/2031
Valid usage Server Auth, Client Auth, Email Protection, Code Signing, Timestamp Signing
Algorithm sha1RSA
Thumbrint 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
Serial number 0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39
Packers identified
F-PROT INNO, appended
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 1992-06-19 22:22:17
Entry Point 0x0000A5F8
Number of sections 8
PE sections
Overlays
MD5 8921d478fa5394450f8259a31c60e2be
File type data
Offset 150016
Size 1868792
Entropy 8.00
PE imports
LookupPrivilegeValueA
RegCloseKey
OpenProcessToken
RegQueryValueExA
AdjustTokenPrivileges
RegOpenKeyExA
InitCommonControls
GetSystemTime
GetLastError
GetEnvironmentVariableA
GetStdHandle
EnterCriticalSection
GetUserDefaultLangID
GetSystemInfo
GetFileAttributesA
GetExitCodeProcess
ExitProcess
CreateDirectoryA
VirtualProtect
GetVersionExA
RemoveDirectoryA
RtlUnwind
LoadLibraryA
DeleteCriticalSection
GetCurrentProcess
SizeofResource
GetLocaleInfoA
LocalAlloc
LockResource
IsDBCSLeadByte
DeleteFileA
GetWindowsDirectoryA
GetSystemDefaultLCID
SetErrorMode
MultiByteToWideChar
GetCommandLineA
GetProcAddress
FormatMessageA
SetFilePointer
RaiseException
WideCharToMultiByte
GetModuleHandleA
ReadFile
InterlockedExchange
WriteFile
CloseHandle
GetACP
GetFullPathNameA
LocalFree
CreateProcessA
GetModuleFileNameA
InitializeCriticalSection
LoadResource
VirtualQuery
VirtualFree
TlsGetValue
Sleep
GetFileType
SetEndOfFile
TlsSetValue
CreateFileA
FindResourceA
VirtualAlloc
GetFileSize
SetLastError
LeaveCriticalSection
SysStringLen
SysAllocStringLen
VariantCopyInd
VariantClear
VariantChangeTypeEx
CharPrevA
CreateWindowExA
LoadStringA
DispatchMessageA
CallWindowProcA
MessageBoxA
PeekMessageA
SetWindowLongA
MsgWaitForMultipleObjects
TranslateMessage
ExitWindowsEx
DestroyWindow
Number of PE resources by type
RT_ICON 13
RT_STRING 6
RT_MANIFEST 1
RT_RCDATA 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 16
NEUTRAL 7
PE resources
ExifTool file metadata
SubsystemVersion
4.0

Comments
This installation was built with Inno Setup.

LinkerVersion
2.25

ImageVersion
6.0

FileSubtype
0

FileVersionNumber
2.36.0.6153

LanguageCode
Neutral

FileFlagsMask
0x003f

FileDescription
Process Hacker Setup

ImageFileCharacteristics
No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi

CharacterSet
Unicode

InitializedDataSize
108544

EntryPoint
0xa5f8

MIMEType
application/octet-stream

LegalCopyright
Copyright 2010-2015, Process Hacker Team. Licensed under the GNU GPL, v3.

FileVersion
2.36 (r6153)

TimeStamp
1992:06:19 23:22:17+01:00

FileType
Win32 EXE

PEType
PE32

ProductVersion
2.36 (r6153)

UninitializedDataSize
0

OSVersion
1.0

FileOS
Win32

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CompanyName
wj32

CodeSize
40448

ProductName
Process Hacker

ProductVersionNumber
2.36.0.6153

FileTypeExtension
exe

ObjectFileType
Executable application

CarbonBlack CarbonBlack acts as a surveillance camera for computers
While monitoring an end-user machine in-the-wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
While monitoring an end-user machine in-the-wild, CarbonBlack noticed this sample wrote the following files to disk.
Execution parents
PE resource-wise parents
Compressed bundles
File identification
MD5 0067fe2957da6732dfcb5a5842346454
SHA1 0acf5f4c30bc187797548c72eeab24a133f42fd9
SHA256 6573fce3705e3d6e76baa149ec8e3846cf082ea3190735ae1657ffc36e344880
ssdeep
49152:U92FfOjyf6+rBWJW0X1U4DiA5miGgALJCDx5nWQDao9:eLukWk1XDbXGCTWQ+Q

authentihash add3241b91ca7ccb31184a106c806393de301a313d657bce158c841af8327dce
imphash 884310b1928934402ea6fec1dbd3cf5e
File size 1.9 MB ( 2018808 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Inno Setup installer (73.3%)
Win32 Executable Delphi generic (9.4%)
Windows screen saver (8.7%)
Win32 Executable (generic) (3.0%)
Win16/32 Executable Delphi generic (1.3%)
Tags
software-collection overlay peexe signed via-tor

VirusTotal metadata
First submission 2015-06-29 12:54:58 UTC ( 3 years, 4 months ago )
Last submission 2018-11-16 08:15:04 UTC ( 4 days, 13 hours ago )
File names Process Hacker v2.36 (r6153).exe
Process Hacker Darkswamp (1).exe
processhacker-2.36-setup.exe1
processhacker-2.36-setup.exe
processhacker-2.36-setup.exe
processhacker-2.36-setup.exe
processhacker-2.36-setup.exe
processhacker-2.36-setup.exe
ProcessHackerV2.36r6153.exe
process-hacker-2-36-en-win.exe
processhacker-2.36-setup.exe
processhacker-2.36-setup.exe
processhacke .exe
processhacker-2.36-setup.exe
Process Hacker 2.36.exe
processhacker-2.36-setup(1).exe
ProcessHacker_Setup.exe
filename
1
processhacker-2.36-setup (1).exe
Process Hacker 'Darkswamp.exe
2c0b0dd7ce6ab76dbbb1030b348cad7c5203f0785213e4bef626509cba5dc0a7796963f428b6ac8a44534079007943b4c04551354c7a5b25fdf23634218cc9a4
proc5esshacker-2.36-setup.exe
2.exe
processhacker-2.36-setup.exe
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

No votes. No one has voted on this item yet, be the first one to do so!
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Deleted files
Created processes
Created mutexes
Opened mutexes
Runtime DLLs