SHA256: 886e8ba792af1250b359c8ccd8834f4d7d77badc3e8deae9cb6d8e8577842df7
File name: 4pSrchMn.exe
Detection ratio: 8 / 43
Analysis date: 2013-01-07 21:52:40 UTC ( 6 years, 2 months ago )
Antivirus Result Update
Avast Win32:FunWeb-K [PUP] 20130107
AVG AdInstaller.FunWeb 20130107
ClamAV Adware.MyWebSearch-18 20130107
Comodo ApplicUnwnt.Win32.MyWebSearch.~AAB 20130107
Kingsoft Win32.Troj.Generic.a.(kcloud) 20130107
Malwarebytes PUP.MyWebSearch 20130107
Norman W32/MyWebSearch.AUQ 20130107
VIPRE MyWebSearch.J (v) (not malicious) 20130107
Yandex 20130107
AhnLab-V3 20130107
AntiVir 20130107
Antiy-AVL 20130107
BitDefender 20130107
ByteHero 20121226
CAT-QuickHeal 20130107
Commtouch 20130107
DrWeb 20130107
Emsisoft 20130107
eSafe 20130103
ESET-NOD32 20130107
F-Prot 20130107
F-Secure 20130107
Fortinet 20130107
GData 20130107
Ikarus 20130107
Jiangmin 20121221
K7AntiVirus 20130107
Microsoft 20130107
eScan 20130107
NANO-Antivirus 20130107
nProtect 20130107
Panda 20130107
PCTools 20130107
Rising 20130104
Sophos AV 20130107
SUPERAntiSpyware 20130107
Symantec 20130107
TheHacker 20130107
TotalDefense 20130107
TrendMicro 20130107
TrendMicro-HouseCall 20130107
VBA32 20130105
ViRobot 20130107
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright Copyright © 2006, 2007, 2008, 2009, 2010, 2011
Product MindSpark Toolbar Platform SearchScope Monitor
Original name t8SrchMn.exe
Internal name t8SrchMn
File version 1, 0, 0, 12
Description MindSpark Toolbar Platform SearchScope Monitor
Signature verification Signed file, verified signature
Signing date 7:42 AM 12/3/2011
Signers
[+] Mindspark Interactive Network
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer VeriSign Class 3 Code Signing 2009-2 CA
Valid from 12:00 AM 05/31/2010
Valid to 11:59 PM 05/06/2012
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 9FCB24A7661183FCB8AD11F8EDF81351886CFC18
Serial number 41 73 0E B0 E6 D9 2A 47 6E 16 62 8A 0D BE FB 36
[+] VeriSign Class 3 Code Signing 2009-2 CA
Status Valid
Issuer Class 3 Public Primary Certification Authority
Valid from 12:00 AM 05/21/2009
Valid to 11:59 PM 05/20/2019
Valid usage Client Auth, Code Signing
Algorithm sha1RSA
Thumbprint 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3
Serial number 65 52 26 E1 B2 2E 18 E1 59 0F 29 85 AC 22 E7 5C
[+] VeriSign Class 3 Public Primary CA
Status Valid
Issuer Class 3 Public Primary Certification Authority
Valid from 12:00 AM 01/29/1996
Valid to 11:59 PM 08/01/2028
Valid usage Server Auth, Client Auth, Email Protection, Code Signing
Algorithm md2RSA
Thumbprint 742C3192E607E424EB4549542BE1BBC53E6174E2
Serial number 70 BA E4 1D 10 D9 29 34 B6 38 CA 7B 03 CC BA BF
Counter signers
[+] VeriSign Time Stamping Services Signer - G2
Status This certificate or one of the certificates in the certificate chain is not time valid; the revocation status of the certificate or one of the certificates in the certificate chain is unknown; Error 65536 (0x10000); the revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.
Issuer VeriSign Time Stamping Services CA
Valid from 12:00 AM 06/15/2007
Valid to 11:59 PM 06/14/2012
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE
Serial number 38 25 D7 FA F8 61 AF 9E F4 90 E7 26 B5 D6 5A D5
[+] VeriSign Time Stamping Services CA
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Thawte Timestamping CA
Valid from 12:00 AM 12/04/2003
Valid to 11:59 PM 12/03/2013
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
Serial number 47 BF 19 95 DF 8D 52 46 43 F7 DB 6D 48 0D 31 A4
[+] Thawte Timestamping CA
Status Valid
Issuer Thawte Timestamping CA
Valid from 12:00 AM 01/01/1997
Valid to 11:59 PM 12/31/2020
Valid usage Timestamp Signing
Algorithm md5RSA
Thumbprint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2011-12-03 07:20:57
Entry Point 0x00001B5C
Number of sections 4
PE sections
Overlays
MD5 b021f19803d9d28111d1860c32e06a2a
File type data
Offset 36864
Size 5672
Entropy 7.20
PE imports
RegDeleteKeyA
RegFlushKey
RegCloseKey
RegNotifyChangeKeyValue
RegQueryValueExA
RegSetValueExA
RegDeleteValueA
RegCreateKeyExA
RegOpenKeyExA
RegEnumKeyExA
RegQueryInfoKeyA
GetSystemTime
GetLastError
HeapFree
EnterCriticalSection
ReleaseMutex
LoadResource
CreateFileMappingA
GetFileAttributesA
WaitForSingleObject
FreeLibrary
HeapAlloc
SystemTimeToFileTime
GetVersionExA
GetModuleFileNameA
lstrlenW
GetLocalTime
DeleteCriticalSection
GetStartupInfoA
LoadLibraryExA
CompareFileTime
lstrcatA
LockResource
DuplicateHandle
OpenFileMappingA
MapViewOfFile
GetCommandLineA
GetProcAddress
DebugBreak
GetProcessHeap
OpenMutexA
CreateMutexA
lstrlenA
lstrcmpiA
GetModuleHandleA
lstrcpyA
GetCurrentProcess
ResetEvent
GetSystemTimeAsFileTime
lstrcpynA
GetSystemDirectoryA
HeapReAlloc
GetDriveTypeA
LocalFree
CreateProcessA
InitializeCriticalSection
UnmapViewOfFile
CreateEventA
Sleep
GetTickCount
CloseHandle
ExitProcess
FindResourceA
SetLastError
LeaveCriticalSection
wsprintfA
SetWindowsHookExA
DispatchMessageA
UnhookWindowsHookEx
CharNextA
PeekMessageA
MsgWaitForMultipleObjects
TranslateMessage
GetKeyboardType
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA
CLSIDFromString
Number of PE resources by type
RT_MANIFEST 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 2
PE resources
Debug information
ExifTool file metadata
UninitializedDataSize 0
LinkerVersion 6.0
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 1.0.0.12
LanguageCode English (U.S.)
FileFlagsMask 0x003f
FileDescription MindSpark Toolbar Platform SearchScope Monitor
ImageFileCharacteristics No relocs, Executable, No line numbers, No symbols, 32-bit
CharacterSet Unicode
InitializedDataSize 24576
EntryPoint 0x1b5c
OriginalFileName t8SrchMn.exe
MIMEType application/octet-stream
LegalCopyright Copyright 2006, 2007, 2008, 2009, 2010, 2011
FileVersion 1, 0, 0, 12
TimeStamp 2011:12:03 07:20:57+00:00
FileType Win32 EXE
PEType PE32
InternalName t8SrchMn
ProductVersion 2, 3, 0, 0
SubsystemVersion 4.0
OSVersion 4.0
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName MindSpark
CodeSize 20480
ProductName MindSpark Toolbar Platform SearchScope Monitor
ProductVersionNumber 2.3.0.0
FileTypeExtension exe
ObjectFileType Executable application

CarbonBlack acts as a surveillance camera for computers.
While monitoring an end-user machine in the wild, CarbonBlack noticed the following files in execution wrote this sample to disk.
Execution parents
PE resource-wise parents
Overlay parents
Compressed bundles
File identification
MD5 cca818a157a991cfd0b0d17c0c6d4ecd
SHA1 585a73eb1dfa6b0b5c5ff5d76212fd8d0cef4df4
SHA256 886e8ba792af1250b359c8ccd8834f4d7d77badc3e8deae9cb6d8e8577842df7
ssdeep 768:WRYGQ5OE2RcrXRiAOj/eI+J6j9eaXmaLWhbC:WRYGQ0Rc9iA/I+J6heIxaxC
authentihash 0265379fa7c2f005068125adcf08f24224ebe7e046bc0bbf8eef8cc82d9f3523
imphash dbe1fec87620a7021dbbcfe5896b45ca
File size 41.5 KB ( 42536 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (64.5%)
Win32 Dynamic Link Library (generic) (13.6%)
Win32 Executable (generic) (9.3%)
OS/2 Executable (generic) (4.1%)
Generic Win/DOS Executable (4.1%)
Tags peexe signed overlay
VirusTotal metadata
First submission 2011-12-09 05:08:12 UTC ( 7 years, 3 months ago )
Last submission 2018-06-02 21:58:43 UTC ( 9 months, 3 weeks ago )
File names 64SrchMn.exe.vir
4zSrchMn.exv
4jsrchmn.exe
4aSrchMn.exe
7iSrchMn.exe
57SrchMn.exe
908bb1e9-3675-ed11-4e63-9635b2243f23_1d1ebe81629787a
65SrchMn.exe
1gSrchMn.exe
1pSrchMn.exe
60SrchMn.exe
vti-rescan
886e8ba792af1250_4zsrchmn.exe
2jSrchMn.exe
39SrchMn.exe
b1d488e4-d266-e7c5-1258-161ad66d2841_1d1c5c068ab2ccb
0e8037cb-eece-36d4-e591-df7cc24d4eb1_1d207698baae494
E81638E8285404DAA676008877B7B6009F35D830.exe
T8SRCHMN.EXE
49SrchMn.exe
6fe72261-4ca1-3462-5cab-f8f59f9088d5_1d1facee91f59cb
585a73eb1dfa6b0b5c5ff5d76212fd8d0cef4df4
file-3491070_exee
886e8ba792af1250_4jsrchmn.exe
57SrchMn.exe_
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight