SHA256: d69beaf6af51d5fde4896a6d6e68a10a1fd4b1165533e8878fc0cbc12469b2a6
File name: SysTool.exe
Detection ratio: 41 / 70
Analysis date: 2018-11-24 16:04:21 UTC ( 5 months, 3 weeks ago )
Antivirus Result Update
Ad-Aware Application.Elex.H 20181124
AhnLab-V3 PUP/Win32.Elex.C932763 20181124
Arcabit PUP.Adware.WProtManager 20181124
Avast Win32:SupTab-P [Adw] 20181124
AVG Win32:SupTab-P [Adw] 20181124
BitDefender Application.Elex.H 20181124
Bkav W32.HfsAdware.C6FC 20181123
CAT-QuickHeal PUA.Cherishedt1.Gen 20181124
Comodo ApplicUnwnt@#2lrwoyuoxzk5l 20181124
Cybereason malicious.e11254 20180225
Cyren W32/Trojan.ERSX-9096 20181124
DrWeb Adware.Mutabaha.328 20181124
Emsisoft Application.Elex.H (B) 20181124
Endgame malicious (high confidence) 20181108
ESET-NOD32 Win32/Adware.ELEX.PBH 20181124
F-Secure Adware:W32/Elex 20181124
Fortinet Riskware/Elex 20181124
GData Win32.Adware.Graftor.B 20181124
Ikarus not-a-virus:AdWare.ELEX 20181124
Sophos ML heuristic 20181108
Jiangmin AdWare.PriceGong.e 20181124
Kaspersky not-a-virus:AdWare.Win32.WProtManager.dd 20181124
Malwarebytes PUP.Optional.WindowsProtectManager 20181124
MAX malware (ai score=73) 20181124
McAfee Generic PUP.y 20181124
McAfee-GW-Edition Generic PUP.y 20181124
Microsoft BrowserModifier:Win32/SupTab 20181124
eScan Application.Elex.H 20181124
NANO-Antivirus Riskware.Win32.WProtManager.eapldy 20181124
Panda PUP/Generic 20181124
SentinelOne (Static ML) static engine - malicious 20181011
Symantec PUA.Gen.2 20181123
Tencent Win32.Trojan.Suspicious.Yffh 20181124
TrendMicro ADW_WPROTMANAGER 20181124
TrendMicro-HouseCall ADW_WPROTMANAGER 20181124
VBA32 BScope.Adware.Elex 20181123
ViRobot Adware.Agent.708264 20181124
Webroot W32.Trojan.Gen 20181124
Yandex PUA.Mutabaha! 20181123
Zillya Adware.WProtManagerCRTD.Win32.8290 20181123
ZoneAlarm by Check Point not-a-virus:AdWare.Win32.WProtManager.dd 20181124
AegisLab 20181124
Alibaba 20180921
ALYac 20181124
Antiy-AVL 20181124
Avast-Mobile 20181124
Avira (no cloud) 20181124
Babable 20180918
Baidu 20181123
ClamAV 20181124
CMC 20181124
CrowdStrike Falcon (ML) 20181022
Cylance 20181124
eGambit 20181124
F-Prot 20181124
K7AntiVirus 20181124
K7GW 20181124
Kingsoft 20181124
Palo Alto Networks (Known Signatures) 20181124
Qihoo-360 20181124
Rising 20181124
Sophos AV 20181124
SUPERAntiSpyware 20181121
Symantec Mobile Insight 20181121
TACHYON 20181124
TheHacker 20181118
TotalDefense 20181124
Trapmine 20180918
Trustlook 20181124
VIPRE 20181124
Zoner 20181124
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
Copyright (C) DTools by 2001

Product DTools
Original name DTools.exe
Internal name SysTool.exe
File version 20.0.0.2294
Description DTools
Signature verification Signed file, verified signature
Signing date 8:31 AM 7/27/2015
Signers
[+] Cherished Technology Limited
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer GlobalSign CodeSigning CA - SHA256 - G2
Valid from 8:00 AM 4/20/2015
Valid to 4:35 AM 10/21/2015
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint 3BC789134CBECCD9A5B0AE4735714A639991066A
Serial number 11 21 27 3D 65 85 2C B1 4B 64 58 65 05 49 E3 C3 36 6D
[+] GlobalSign CodeSigning CA - SHA256 - G2
Status Valid
Issuer GlobalSign
Valid from 11:00 AM 8/2/2011
Valid to 11:00 AM 8/2/2019
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint 4E34C4841080D07059EFC1F3C5DE4D79905A36FF
Serial number 04 00 00 00 00 01 31 89 C6 37 E8
[+] GlobalSign Root CA - R3
Status Valid
Issuer GlobalSign
Valid from 11:00 AM 3/18/2009
Valid to 11:00 AM 3/18/2029
Valid usage Server Auth, Client Auth, Code Signing, Email Protection, Timestamp Signing, EFS, IPSEC Tunnel, IPSEC User
Algorithm sha256RSA
Thumbprint D69B561148F01C77C54578C10926DF5B856976AD
Serial number 04 00 00 00 00 01 21 58 53 08 A2
Counter signers
[+] Symantec Time Stamping Services Signer - G4
Status Valid
Issuer Symantec Time Stamping Services CA - G2
Valid from 1:00 AM 10/18/2012
Valid to 12:59 AM 12/30/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 65439929B67973EB192D6FF243E6767ADF0834E4
Serial number 0E CF F4 38 C8 FE BF 35 6E 04 D8 6A 98 1B 1A 50
[+] Symantec Time Stamping Services CA - G2
Status Valid
Issuer Thawte Timestamping CA
Valid from 1:00 AM 12/21/2012
Valid to 12:59 AM 12/31/2020
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 6C07453FFDDA08B83707C09B82FB3D15F35336B1
Serial number 7E 93 EB FB 7C C6 4E 59 EA 4B 9A 77 D4 06 FC 3B
[+] Thawte Timestamping CA
Status Valid
Issuer Thawte Timestamping CA
Valid from 1:00 AM 1/1/1997
Valid to 12:59 AM 1/1/2021
Valid usage Timestamp Signing
Algorithm md5RSA
Thumbprint BE36A4562FB2EE05DBB3D32323ADF445084ED656
Serial number 00
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2015-07-27 07:18:51
Entry Point 0x00042CAF
Number of sections 5
PE sections
Overlays
MD5 f3dfc68dc40ee6de9be63a7d8ab02f6e
File type data
Offset 702464
Size 5800
Entropy 7.40
PE imports
RegCreateKeyExW
RegCloseKey
RegCreateKeyW
OpenServiceW
AdjustTokenPrivileges
ControlService
LookupPrivilegeValueW
DeleteService
CryptHashData
RegQueryValueExW
CryptCreateHash
QueryServiceStatusEx
ChangeServiceConfig2W
ConvertStringSidToSidW
RegisterEventSourceW
OpenProcessToken
DeregisterEventSource
RegOpenKeyExW
SetTokenInformation
CreateServiceW
GetTokenInformation
DuplicateTokenEx
CryptReleaseContext
CryptAcquireContextA
SetServiceStatus
CreateProcessAsUserW
CryptDestroyHash
StartServiceW
RegSetValueExW
EnumDependentServicesW
CryptGetHashParam
OpenSCManagerW
ReportEventW
RegisterServiceCtrlHandlerExW
StartServiceCtrlDispatcherW
CloseServiceHandle
GetStdHandle
GetDriveTypeW
VerifyVersionInfoA
InterlockedPopEntrySList
WaitForSingleObject
SignalObjectAndWait
CreateTimerQueue
GetLocalTime
DeleteCriticalSection
GetCurrentProcess
FreeLibraryAndExitThread
GetConsoleMode
UnhandledExceptionFilter
SetFilePointer
ExpandEnvironmentStringsA
FreeEnvironmentStringsW
InitializeSListHead
FileTimeToSystemTime
GetLocaleInfoW
SetStdHandle
WideCharToMultiByte
InterlockedExchange
WriteFile
GetSystemTimeAsFileTime
GetThreadTimes
HeapReAlloc
GetStringTypeW
ResumeThread
SetEvent
LocalFree
GetThreadPriority
InterlockedPushEntrySList
CreateEventW
OutputDebugStringW
GetLogicalDriveStringsW
FindClose
InterlockedDecrement
QueryDosDeviceW
FormatMessageA
GetFullPathNameW
EncodePointer
OutputDebugStringA
GetEnvironmentVariableW
SetLastError
PeekNamedPipe
DeviceIoControl
InitializeCriticalSection
CopyFileW
GetModuleFileNameW
IsDebuggerPresent
HeapAlloc
VerSetConditionMask
LoadLibraryExA
GetPrivateProfileStringA
SetThreadPriority
GetUserDefaultLCID
EnumSystemLocalesW
LoadLibraryExW
MultiByteToWideChar
SetFilePointerEx
DeleteTimerQueueTimer
RegisterWaitForSingleObject
CreateThread
GetSystemDirectoryW
MoveFileExW
InterlockedFlushSList
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
ExitThread
DecodePointer
SetEnvironmentVariableA
SetPriorityClass
TerminateProcess
CreateSemaphoreW
GetModuleHandleExW
GlobalAlloc
ChangeTimerQueueTimer
SetEndOfFile
GetCurrentThreadId
InterlockedIncrement
SleepEx
WriteConsoleW
CreateToolhelp32Snapshot
AreFileApisANSI
InitializeCriticalSectionAndSpinCount
HeapFree
EnterCriticalSection
TerminateThread
LoadLibraryW
GetVersionExW
FreeLibrary
QueryPerformanceCounter
GetTickCount
TlsAlloc
VirtualProtect
FlushFileBuffers
LoadLibraryA
RtlUnwind
OpenProcess
GetWindowsDirectoryA
GetStartupInfoW
CreateDirectoryW
DeleteFileW
GetProcAddress
GetProcessHeap
QueryDepthSList
CompareStringW
GetFileInformationByHandle
CreateTimerQueueTimer
IsValidLocale
DuplicateHandle
FindFirstFileExW
WaitForMultipleObjects
GetProcessAffinityMask
GetTimeZoneInformation
CreateFileW
GetFileType
TlsSetValue
ExitProcess
LeaveCriticalSection
GetLastError
IsValidCodePage
LCMapStringW
GetShortPathNameW
GlobalFree
GetConsoleCP
UnregisterWaitEx
TlsGetValue
GetSystemWindowsDirectoryW
GetEnvironmentStringsW
Process32NextW
SwitchToThread
UnregisterWait
GetCurrentProcessId
ProcessIdToSessionId
GetCommandLineW
GetCPInfo
HeapSize
RaiseException
SetThreadAffinityMask
Process32FirstW
GetCurrentThread
GetSystemDefaultLangID
ReadConsoleW
ReleaseSemaphore
TlsFree
GetModuleHandleA
ReadFile
CloseHandle
GetACP
GetModuleHandleW
FileTimeToLocalFileTime
GetNumaHighestNodeNumber
GetCurrentDirectoryW
VirtualFree
Sleep
VirtualAlloc
GetOEMCP
EnumProcesses
EnumProcessModules
GetModuleFileNameExW
wsprintfW
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
DeleteUrlCacheEntryW
Ord(301)
Ord(50)
Ord(27)
Ord(22)
Ord(60)
Ord(79)
Ord(46)
Ord(30)
Ord(211)
Ord(143)
Ord(200)
Ord(33)
Ord(32)
Ord(26)
Ord(41)
Ord(35)
getaddrinfo
accept
ioctlsocket
WSAStartup
freeaddrinfo
connect
getsockname
htons
WSASetLastError
select
gethostname
getsockopt
closesocket
send
ntohs
WSAGetLastError
listen
__WSAFDIsSet
WSACleanup
getpeername
recv
WSAIoctl
setsockopt
socket
bind
recvfrom
sendto
Number of PE resources by type
RT_ICON 6
RT_GROUP_ICON 2
EXE_NTX 1
RT_MANIFEST 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 9
CHINESE SIMPLIFIED 2
PE resources
ExifTool file metadata
SubsystemVersion
5.1

InitializedDataSize
223744

ImageVersion
0.0

ProductName
DTools

FileVersionNumber
20.0.0.2294

UninitializedDataSize
0

LanguageCode
English (British)

FileFlagsMask
0x003f

ImageFileCharacteristics
Executable, 32-bit

CharacterSet
Unicode

LinkerVersion
11.0

FileTypeExtension
exe

OriginalFileName
DTools.exe

MIMEType
application/octet-stream

Subsystem
Windows GUI

FileVersion
20.0.0.2294

TimeStamp
2015:07:27 08:18:51+01:00

FileType
Win32 EXE

PEType
PE32

InternalName
SysTool.exe

ProductVersion
20.0.0.2294

FileDescription
DTools

OSVersion
5.1

FileOS
Windows NT 32-bit

LegalCopyright
Copyright (C) DTools by 2001

MachineType
Intel 386 or later, and compatibles

CompanyName
DTools LIMITED

CodeSize
487424

FileSubtype
0

ProductVersionNumber
20.0.0.2294

EntryPoint
0x42caf

ObjectFileType
Executable application

CarbonBlack CarbonBlack acts as a surveillance camera for computers
While monitoring an end-user machine in-the-wild, CarbonBlack noticed this sample wrote the following files to disk.
Execution parents
Compressed bundles
File identification
MD5 579fd11e112542a0d5d43838cca08309
SHA1 1d3b422025ed9e1a28286bb788b417682a108b61
SHA256 d69beaf6af51d5fde4896a6d6e68a10a1fd4b1165533e8878fc0cbc12469b2a6
ssdeep
12288:toimRm8kEyvLYag4kEe0GC776Fp1G6z/p6RUPynlgoxg5cPuiLdWhT3kU:bYmpHA/pZ6lpg7T3v

authentihash 3b6f4f69dbb86cc5a00ed815c9d073fe5b6c803b8e1ffa3e1ef429f1bd35fcba
imphash 6d16f42e388a64fc6f59b7e94b258200
File size 691.7 KB ( 708264 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win64 Executable (generic) (61.7%)
Win32 Dynamic Link Library (generic) (14.7%)
Win32 Executable (generic) (10.0%)
OS/2 Executable (generic) (4.5%)
Generic Win/DOS Executable (4.4%)
Tags
peexe signed overlay

VirusTotal metadata
First submission 2015-07-27 16:19:13 UTC ( 3 years, 9 months ago )
Last submission 2018-10-09 16:58:52 UTC ( 7 months, 1 week ago )
File names ProtectWindowsManager.exe
ProtectWindowsManager.exe
ProtectWindowsManager.exe
ProtectWindowsManager.exe1
protectwindowsmanager.exe
wpm_v20.0.0.2294.exe
ProtectWindowsManager.exe
PROTECTWINDOWSMANAGER.EXE
protectwindowsmanager.exe
ProtectWindowsManager.exe
ProtectWindowsManager.exe
ProtectWindowsManager.exe
579FD11E112542A0D5D43838CCA08309
DTools.exe
ProtectWindowsManager(1).exe
b30b0a17f77fb5e97e73e9b4c9aa6f91_ProtectWindowsManager.exe.safe
ProtectWindowsManager.exe
wpm_v20.0.0.2294.exe
ProtectWindowsManager.exe
ProtectWindowsManager.exe
ProtectWindowsManager.exe
SysTool.exe
ProtectWindowsManager.exe
ProtectWindowsManager.exe
ProtectWindowsManager.exe
Advanced heuristic and reputation engines
TrendMicro-HouseCall
TrendMicro's heuristic engine has flagged this file as: TROJ_GEN.R0E2H05H615.

Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Runtime DLLs