SHA256: 955faa2fcec977b29fb7dc49a80b8c7916c410b70ad973c7883ed8537126f81f
File name: Diskmon.exe
Detection ratio: 0 / 68
Analysis date: 2019-03-14 08:43:33 UTC ( 1 week, 1 day ago )
Antivirus Result Update
Acronis 20190313
Ad-Aware 20190314
AegisLab 20190314
AhnLab-V3 20190313
Alibaba 20190306
ALYac 20190314
Antiy-AVL 20190314
Arcabit 20190314
Avast 20190314
Avast-Mobile 20190313
AVG 20190314
Avira (no cloud) 20190314
Babable 20180918
Baidu 20190306
BitDefender 20190314
Bkav 20190313
CAT-QuickHeal 20190313
ClamAV 20190313
CMC 20190314
Comodo 20190314
CrowdStrike Falcon (ML) 20190212
Cybereason 20190109
Cyren 20190314
DrWeb 20190314
eGambit 20190314
Emsisoft 20190314
Endgame 20190215
ESET-NOD32 20190314
F-Prot 20190314
F-Secure 20190314
Fortinet 20190314
GData 20190314
Ikarus 20190313
Sophos ML 20190313
Jiangmin 20190314
K7AntiVirus 20190314
K7GW 20190314
Kaspersky 20190314
Kingsoft 20190314
Malwarebytes 20190314
MAX 20190314
McAfee 20190314
McAfee-GW-Edition 20190314
Microsoft 20190314
eScan 20190314
NANO-Antivirus 20190314
Palo Alto Networks (Known Signatures) 20190314
Panda 20190313
Qihoo-360 20190314
Rising 20190314
SentinelOne (Static ML) 20190311
Sophos AV 20190314
SUPERAntiSpyware 20190314
Symantec 20190314
Symantec Mobile Insight 20190220
TACHYON 20190314
Tencent 20190314
TheHacker 20190308
TotalDefense 20190314
Trapmine 20190301
TrendMicro-HouseCall 20190314
Trustlook 20190314
VBA32 20190313
ViRobot 20190314
Webroot 20190314
Yandex 20190314
Zillya 20190313
ZoneAlarm by Check Point 20190314
Zoner 20190314
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
Copyright © 1996-2003 Mark Russinovich

Product Sysinternals Diskmon
Original name Diskmon.exe
Internal name Diskmon
File version 2.01
Description Disk Monitor
Signature verification Signed file, verified signature
Signing date 10:06 PM 11/1/2006
Signers
[+] Microsoft Corporation
Status This certificate or one of the certificates in the certificate chain is not time valid; the revocation status of the certificate or one of the certificates in the certificate chain is unknown.
Issuer Microsoft Code Signing PCA
Valid from 07:43 PM 04/04/2006
Valid to 07:53 PM 10/04/2007
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint 564E01066387F26C912010D06BD78D3CF1E845AB
Serial number 61 46 9E CB 00 04 00 00 00 65
[+] Microsoft Code Signing PCA
Status This certificate or one of the certificates in the certificate chain is not time valid; the revocation status of the certificate or one of the certificates in the certificate chain is unknown.
Issuer Microsoft Root Authority
Valid from 05:44 PM 04/04/2006
Valid to 07:00 AM 04/26/2012
Valid usage Code Signing
Algorithm sha1RSA
Thumbprint D07EA64088A80085F01BD40AA4EAD82F470482A6
Serial number 6A 0B 99 4F C0 00 1D AB 11 DA C4 02 A1 66 27 BA
[+] Microsoft Root Authority
Status Valid
Issuer Microsoft Root Authority
Valid from 07:00 AM 01/10/1997
Valid to 07:00 AM 12/31/2020
Valid usage All
Algorithm md5RSA
Thumbprint A43489159A520F0D93D032CCAF37E7FE20A8B419
Serial number 00 C1 00 8B 3C 3C 88 11 D1 3E F6 63 EC DF 40
Counter signers
[+] VeriSign Time Stamping Services Signer
Status This certificate or one of the certificates in the certificate chain is not time valid; the revocation status of the certificate or one of the certificates in the certificate chain is unknown; Error 65536 (0x10000); the revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.
Issuer VeriSign Time Stamping Services CA
Valid from 12:00 AM 12/04/2003
Valid to 11:59 PM 12/03/2008
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 817E78267300CB0FE5D631357851DB366123A690
Serial number 0D E9 2B F0 D4 D8 29 88 18 32 05 09 5E 9A 76 88
[+] VeriSign Time Stamping Services CA
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Thawte Timestamping CA
Valid from 12:00 AM 12/04/2003
Valid to 11:59 PM 12/03/2013
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D
Serial number 47 BF 19 95 DF 8D 52 46 43 F7 DB 6D 48 0D 31 A4
[+] Thawte Timestamping CA
Status Valid
Issuer Thawte Timestamping CA
Valid from 12:00 AM 01/01/1997
Valid to 11:59 PM 12/31/2020
Valid usage Timestamp Signing
Algorithm md5RSA
Thumbprint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
Packers identified
PEiD Armadillo v1.71
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2006-08-16 00:08:00
Entry Point 0x0000B4B8
Number of sections 4
PE sections
Overlays
MD5 0b0ab7f690f8f32400f6723afc8d4bf2
File type data
Offset 217088
Size 6968
Entropy 7.37
PE imports
GetTokenInformation
LookupPrivilegeValueA
RegOpenKeyA
RegCloseKey
LookupAccountSidW
OpenProcessToken
AdjustTokenPrivileges
RegQueryValueExA
RegSetValueExA
LookupAccountSidA
RegCreateKeyA
CreateToolbarEx
Ord(17)
GetDeviceCaps
GetObjectA
EndPage
CreateFontIndirectA
SelectObject
StartDocA
GetStockObject
EndDoc
ExtTextOutA
CreateSolidBrush
StartPage
GetTextMetricsA
SetBkMode
SetBkColor
CreateCompatibleDC
DeleteObject
GetTextExtentPoint32A
SetTextColor
SetMapMode
GetSystemTime
GetLastError
HeapFree
GetStdHandle
EnterCriticalSection
LCMapStringW
SetHandleCount
LoadLibraryA
lstrlenA
GetOEMCP
LCMapStringA
HeapDestroy
ExitProcess
TlsAlloc
GlobalUnlock
GetEnvironmentStringsW
FlushFileBuffers
GetModuleFileNameA
RtlUnwind
lstrlenW
FreeLibrary
FreeEnvironmentStringsA
DeleteCriticalSection
GetStartupInfoA
CreateThread
SystemTimeToFileTime
GetEnvironmentStrings
LocalAlloc
GetUserDefaultLangID
OpenProcess
GetCPInfo
UnhandledExceptionFilter
InterlockedDecrement
MultiByteToWideChar
GetTickCount
FreeEnvironmentStringsW
GetCommandLineA
GlobalLock
FileTimeToSystemTime
ExitThread
SetStdHandle
GetModuleHandleA
WideCharToMultiByte
GetProcAddress
GetStringTypeA
SetFilePointer
ReadFile
lstrcatA
GlobalReAlloc
lstrcpyA
GetCurrentProcess
CloseHandle
GetTimeFormatA
lstrcpynA
GetACP
HeapReAlloc
GetStringTypeW
GetVersion
FileTimeToLocalFileTime
GetProcessHeap
LocalFree
TerminateProcess
ResumeThread
FormatMessageA
InitializeCriticalSection
HeapCreate
WriteFile
GlobalAlloc
VirtualFree
ReadProcessMemory
TlsGetValue
Sleep
GetFileType
SetEndOfFile
TlsSetValue
CreateFileA
HeapAlloc
GetCurrentThreadId
InterlockedIncrement
VirtualAlloc
SetLastError
LeaveCriticalSection
VariantChangeType
SafeArrayAccessData
SafeArrayGetLBound
SafeArrayGetElement
SafeArrayUnaccessData
VariantClear
SysAllocString
SafeArrayDestroy
SafeArrayGetUBound
SysFreeString
VariantInit
SHGetFileInfoA
ShellExecuteA
Shell_NotifyIconA
SetFocus
EmptyClipboard
RegisterClassA
GetParent
GetMessageA
PostMessageA
EndDialog
LoadMenuA
ReleaseCapture
CheckRadioButton
KillTimer
DestroyMenu
RegisterWindowMessageA
ScreenToClient
ShowWindow
SetWindowPos
GetSystemMetrics
IsIconic
LoadIconA
PostQuitMessage
GetWindowRect
InflateRect
EnableWindow
SetDlgItemTextA
SetCapture
MoveWindow
GetDlgItemTextA
MessageBoxA
ChildWindowFromPoint
SetWindowLongA
TranslateMessage
IsWindowEnabled
GetSysColor
CheckDlgButton
GetDC
GetCursorPos
DrawTextA
SetWindowTextA
CheckMenuItem
DestroyIcon
LoadStringA
SetClipboardData
DrawIconEx
IsZoomed
SendMessageA
DialogBoxParamA
GetClientRect
SetTimer
GetDlgItem
WinHelpA
EnableMenuItem
ClientToScreen
DefWindowProcA
InvalidateRect
LoadAcceleratorsA
GetSubMenu
CreateWindowExA
LoadCursorA
UpdateWindow
TrackPopupMenu
DestroyWindow
TranslateAcceleratorA
IsDlgButtonChecked
GetSysColorBrush
DispatchMessageA
CallWindowProcA
GetFocus
IsDialogMessageA
ReleaseDC
CloseClipboard
InvalidateRgn
OpenClipboard
GetMenu
DialogBoxIndirectParamA
SetCursor
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA
PrintDlgA
ChooseColorA
FindTextA
GetSaveFileNameA
ChooseFontA
CoCreateInstance
CoInitialize
CoSetProxyBlanket
Number of PE resources by type
RT_ICON 7
RT_GROUP_ICON 4
RT_DIALOG 3
RT_STRING 3
RT_GROUP_CURSOR 1
RT_MANIFEST 1
RT_MENU 1
RT_ACCELERATOR 1
RT_BITMAP 1
RT_CURSOR 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 24
PE resources
ExifTool file metadata
UninitializedDataSize 0
LinkerVersion 6.0
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 2.0.1.0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
FileDescription Disk Monitor
ImageFileCharacteristics No relocs, Executable, No line numbers, No symbols, 32-bit
CharacterSet Unicode
InitializedDataSize 159744
EntryPoint 0xb4b8
OriginalFileName Diskmon.exe
MIMEType application/octet-stream
LegalCopyright Copyright 1996-2003 Mark Russinovich
FileVersion 2.01
TimeStamp 2006:08:16 01:08:00+01:00
FileType Win32 EXE
PEType PE32
InternalName Diskmon
ProductVersion 2.01
SubsystemVersion 4.0
OSVersion 4.0
FileOS Windows NT 32-bit
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName Sysinternals
CodeSize 77824
ProductName Sysinternals Diskmon
ProductVersionNumber 2.0.1.0
FileTypeExtension exe
ObjectFileType Font
Execution parents
PE resource-wise parents
Overlay parents
Compressed bundles
File identification
MD5 0942c078fe8941282372bb6b5d73e2c8
SHA1 7641a96e88ae6eccd1efefee75a3f00a86e31cce
SHA256 955faa2fcec977b29fb7dc49a80b8c7916c410b70ad973c7883ed8537126f81f
ssdeep
1536:EORIuzZYHJ8DHhbEGRs4gaSZ8DxyTpL67Bo6+DDJKKBsdXsxJ6OVPBtvdkmVnTAG:EOR2JgWw5g3LKByhmeJ6OVJthh0k6U

authentihash a8b199a1ffb32c9b6e9d61cbadb359f23b46525abc119466ff85912ad602cb42
imphash 934543d446cf80015b5041258a567c79
File size 218.8 KB ( 224056 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID InstallShield setup (32.5%)
Win32 Executable MS Visual C++ (generic) (23.6%)
Win64 Executable (generic) (20.9%)
Windows screen saver (9.9%)
Win32 Dynamic Link Library (generic) (4.9%)
Tags
peexe armadillo signed overlay

VirusTotal metadata
First submission 2009-02-22 06:40:23 UTC ( 10 years, 1 month ago )
Last submission 2019-03-14 08:43:33 UTC ( 1 week, 1 day ago )
File names sbs_ve_ambr_20150610225639.455_ 787973
sbs_ve_ambr_20150523220056.416_ 233208
sbs_ve_ambr_20150911212350.485_ 151090
sbs_ve_ambr_20150329232351.508_ 844657
dss_5207653549332214020.hplbtr
sbs_ve_ambr_20150925185808.446_ 469949
sbs_ve_ambr_20150910184528.213_ 182162
sbs_ve_ambr_20150710230046.901_ 460095
fil05581B35B687B3BA64D4A5F667996D66
dss_4878401252189479468.jz7ots
sbs_ve_ambr_20150428220357.912_ 239168
sbs_ve_ambr_20160128172242.334_ 87977
dss_4817599713356257723.gslxzn
Diskmon.exe
955faa2fcec977b2_a306.tmp.exe
sbs_ve_ambr_20160226053535.804_ 181132
529
043020151639176056_diskmon.exe
sbs_ve_ambr_20150913232042.922_ 1583773
sbs_ve_ambr_20151018231802.439_ 816405
sbs_ve_ambr_20150925185754.170_ 469244
D__C1_SysinternalsSuite_Diskmon.exe
tmpfcc5.tmp
sbs_ve_ambr_20151028185153.384_ 309403
dss_5139437358392634467.bjhwij
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight