SHA256: d4b1fd9f55c11a5d63d417e43fd1bd871c5be842ed3ea1888981536da8dd9c6d
File name: CPUMonitor
Detection ratio: 52 / 62
Analysis date: 2017-03-27 04:46:09 UTC ( 19 hours, 35 minutes ago )
Antivirus Result Update
Ad-Aware Trojan.GenericKD.3664468 20170327
AegisLab Heur.Advml.Gen!c 20170327
AhnLab-V3 Trojan/Win32.Kovter.R190722 20170326
ALYac Trojan.GenericKD.3664468 20170327
Antiy-AVL Trojan/Win32.Trickster 20170327
Arcabit Trojan.Generic.D37EA54 20170327
Avast Win32:Malware-gen 20170327
AVG Generic_vb.NLG 20170327
Avira (no cloud) TR/Dropper.VB.yjbnk 20170326
AVware Trojan.Win32.Generic!BT 20170327
Baidu Win32.Trojan.WisdomEyes.16070401.9500.9999 20170323
BitDefender Trojan.GenericKD.3664468 20170327
CAT-QuickHeal Trojan.Trickster 20170325
ClamAV Win.Trojan.Agent-1813865 20170327
Comodo TrojWare.Win32.Generic.ufbrv 20170325
CrowdStrike Falcon (ML) malicious_confidence_100% (W) 20170130
Cyren W32/Agent.YQQM-4416 20170327
DrWeb Trojan.DownLoader22.63827 20170327
Emsisoft Trojan.GenericKD.3664468 (B) 20170327
Endgame malicious (high confidence) 20170317
ESET-NOD32 Win32/Agent.RYE 20170326
F-Prot W32/Agent.MZDV 20170327
F-Secure Trojan.GenericKD.3664468 20170327
Fortinet W32/Malicious_Behavior.VEX 20170327
GData Win32.Trojan.Agent.WZPNPY 20170327
Ikarus Trojan.Win32.Agent 20170326
Invincea virus.win32.virut.bo 20170203
Jiangmin Trojan.Trickster.n 20170327
K7GW Trojan ( 004f5bd31 ) 20170327
Kaspersky Trojan.Win32.Trickster.v 20170327
Malwarebytes Spyware.TrickBot 20170327
McAfee Generic.zv 20170327
McAfee-GW-Edition BehavesLike.Win32.Trojan.fc 20170327
Microsoft Trojan:Win32/Totbrick.A 20170327
eScan Trojan.GenericKD.3664468 20170327
NANO-Antivirus Trojan.Win32.Trickster.eiagqy 20170327
Palo Alto Networks (Known Signatures) generic.ml 20170327
Panda Trj/WLT.C 20170326
Qihoo-360 Win32/Trojan.BO.a07 20170327
Rising Trojan.Win32.Agent.bln (classic) 20170327
SentinelOne (Static ML) static engine - malicious 20170315
Sophos Troj/Agent-AUGP 20170327
Symantec Trojan Horse 20170326
Tencent Win32.Trojan.Trickster.Jmo 20170327
TrendMicro-HouseCall TSPY_VBZBOT.QGA 20170327
VBA32 TScope.Trojan.VB 20170324
VIPRE Trojan.Win32.Generic!BT 20170327
ViRobot Trojan.Win32.Agent.361292[h] 20170327
Webroot W32.Trojan.Gen 20170327
Yandex Trojan.Trickster! 20170323
ZoneAlarm by Check Point Trojan.Win32.Trickster.v 20170327
Zoner Trojan.Agent 20170327
Alibaba 20170327
Bkav 20170326
CMC 20170326
K7AntiVirus 20170327
Kingsoft 20170327
nProtect 20170327
SUPERAntiSpyware 20170326
Symantec Mobile Insight 20170326
TheHacker 20170327
TotalDefense 20170326
TrendMicro 20170327
Trustlook 20170327
WhiteArmor 20170315
Zillya 20170323
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright
Copyright © 2001, The KPD-Team

Product CPU Monitor
Original name CPUMonitor.exe
Internal name CPUMonitor
File version 1.00.0128
Description CPU usage monitor
Comments CPU Monitor created by the KPD-Team, 2001.
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2016-11-02 08:10:51
Entry Point 0x000018EC
Number of sections 3
PE sections
Overlays
MD5 25f6e46ebb81f75f1fc095f44f9626bf
File type data
Offset 155648
Size 205644
Entropy 7.96
PE imports
_adj_fdivr_m64
__vbaGenerateBoundsError
_allmul
__vbaGet3
_adj_fprem
__vbaAryMove
__vbaRedim
__vbaCyVar
_adj_fdiv_r
__vbaRecAnsiToUni
__vbaObjSetAddref
Ord(100)
__vbaHresultCheckObj
_CIlog
Ord(706)
_adj_fptan
__vbaFileClose
__vbaI4Var
__vbaRecUniToAnsi
__vbaFreeVar
__vbaFreeStr
__vbaFreeStrList
__vbaI2I4
_adj_fdiv_m16i
EVENT_SINK_QueryInterface
__vbaLenBstr
Ord(525)
Ord(707)
Ord(681)
_adj_fdiv_m32i
Ord(717)
__vbaExceptHandler
__vbaSetSystemError
DllFunctionCall
__vbaUbound
Ord(608)
__vbaLbound
__vbaFileOpen
Ord(711)
__vbaAryLock
EVENT_SINK_Release
__vbaOnError
_adj_fdivr_m32i
__vbaStrCat
__vbaVarDup
__vbaChkstk
Ord(570)
__vbaAryUnlock
__vbaStrVarCopy
__vbaVarIndexLoad
__vbaVar2Vec
__vbaFreeVarList
__vbaStrVarMove
__vbaExitProc
__vbaAryConstruct2
Ord(520)
__vbaFreeObj
__vbaVarCopy
__vbaDateR8
_CIcos
__vbaDateVar
__vbaVarMove
__vbaErrorOverflow
__vbaNew2
__vbaR8IntI4
__vbaAryDestruct
__vbaStrMove
_adj_fprem1
_adj_fdiv_m32
__vbaEnd
__vbaUI1ErrVar
_adj_fpatan
Ord(663)
EVENT_SINK_AddRef
__vbaStrCopy
Ord(632)
__vbaFPException
_adj_fdivr_m16i
Ord(552)
_adj_fdiv_m64
_CIsin
_CIsqrt
_adj_fdivr_m32
_CIatan
__vbaObjSet
__vbaVarCat
_CIexp
_CItan
__vbaFpI4
Ord(545)
Number of PE resources by type
RT_ICON 1
RT_STRING 1
01 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
RUSSIAN 2
NEUTRAL 2
ENGLISH US 1
PE resources
ExifTool file metadata
SubsystemVersion
4.0

Comments
CPU Monitor created by the KPD-Team, 2001.

LinkerVersion
6.0

ImageVersion
1.0

FileSubtype
0

FileVersionNumber
1.0.0.128

LanguageCode
English (U.S.)

FileFlagsMask
0x0000

FileDescription
CPU usage monitor

CharacterSet
Unicode

InitializedDataSize
24576

EntryPoint
0x18ec

OriginalFileName
CPUMonitor.exe

MIMEType
application/octet-stream

LegalCopyright
Copyright 2001, The KPD-Team

FileVersion
1.00.0128

TimeStamp
2016:11:02 09:10:51+01:00

FileType
Win32 EXE

PEType
PE32

InternalName
CPUMonitor

ProductVersion
1.00.0128

UninitializedDataSize
0

OSVersion
4.0

FileOS
Win32

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CompanyName
The KPD-Team

CodeSize
139264

ProductName
CPU Monitor

ProductVersionNumber
1.0.0.128

FileTypeExtension
exe

ObjectFileType
Executable application

CarbonBlack (CarbonBlack acts as a surveillance camera for computers)
While monitoring an end-user machine in the wild, CarbonBlack observed the following files in execution writing this sample to disk.
Compressed bundles
File identification
MD5 0afaa4f4137b846e456e52f72faf9aa0
SHA1 46c8a1c9b01ea9a9110ff675e973d73859df5b2d
SHA256 d4b1fd9f55c11a5d63d417e43fd1bd871c5be842ed3ea1888981536da8dd9c6d
ssdeep
6144:+yRw3ideyNCAG2DkxM0OJhJTq06GTvNSBQKxrygWqaiYo0yXPB8z0iRx+UV/v/vE:+931yYA7045SlygWqZuz0i6f

authentihash 4156c9e057c5aee2dc1896f7d094f99056b27186a784043f3c370e3c5dd37601
imphash ce2661420847e40dcdeeb7c2046d3f7f
File size 352.8 KB ( 361292 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable Microsoft Visual Basic 6 (84.4%)
Win32 Dynamic Link Library (generic) (6.7%)
Win32 Executable (generic) (4.6%)
Generic Win/DOS Executable (2.0%)
DOS Executable Generic (2.0%)
Tags
peexe overlay

VirusTotal metadata
First submission 2016-11-02 12:05:32 UTC ( 4 months, 3 weeks ago )
Last submission 2017-03-15 10:25:31 UTC ( 1 week, 5 days ago )
File names sweezy.exe
artifact-d4b1fd9f55c11a5d63d417e43fd1bd871c5be842ed3ea1888981536da8dd9c6d
SWEEZY.EXE
dododocdoc.exe
CPUMonitor
(d4b1fd9f55c11a5d63d417e43fd1bd871c5be842ed3ea1888981536da8dd9c6d) - sweezy.exe
CPUMonitor.exe
d4b1fd9f55c11a5d63d417e43fd1bd871c5be842ed3ea1888981536da8dd9c6d.bin
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Deleted files
Hooking activity
Runtime DLLs
Additional details
The file installs an application-defined hook procedure into a hook chain. A hook procedure is installed to monitor the system for certain types of events; these events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done using the SetWindowsHook Windows API function.