PUP.ProcessHacker

Analysis Report

General information

Family Name: PUP.ProcessHacker
Signature status: No Signature

Known Samples

MD5: d3ff67603d13b9c1f957ff5a097d0821
SHA1: c42ff0e1aa805eeb9b8e1e01d00b0fe66c717106
File Size: 9.03 MB, 9028096 bytes
MD5: 2689be732e6dbb077b3d2292886d4cfa
SHA1: 8903b5c73902f8a8486f2de55f257c2b7e2e53ab
File Size: 2.61 MB, 2614272 bytes
MD5: 8c524f964caefdf4d7422604c32ba610
SHA1: 545c4d5e5aa42cc84262e181389bc927ed0e4759
SHA256: C60DFE039A03DF84FA83AC7CD2133DD0BA38FDE0B4481CB63593BC61EF59A224
File Size: 865.79 KB, 865792 bytes
MD5: 1d0dbd284013c28725484850b1cf2616
SHA1: 19cf429d2a8c2b6a0e3b0671fa8238916ef6dfe4
SHA256: 897FD3CE8431BC062A5E4D36692CF09A3AD64B7E8E0D37493C69447AF504D4C3
File Size: 369.43 KB, 369429 bytes
MD5: 20f0721d3ddfad8ffd6b6937e91eb9f4
SHA1: e88c7f5f71ed623556cc738523ef929bbf8f6967
SHA256: D2D3A15D8BFFE2FF7F0374D41212CFA1B5327DC681A62A2F04D5197F07BCF739
File Size: 154.62 KB, 154624 bytes
MD5: 4ec2797c85ce9da86c8fbddcdbb8ad0a
SHA1: 4b7c953f2682b496bff582c9fbb4316fee77aca8
SHA256: 077E17BA55765A135649C22E049F031E7D5C20AA8B57A33A81E578D3C80E5CE0
File Size: 77.82 KB, 77824 bytes
MD5: 852671989d5968d7746a12aa8c36f46b
SHA1: a66447b3088993d27167b3a4f05ff019b8756adf
SHA256: 5E06233F332F29E91D87C9B7D2EDE4A37D7848058230AD08B1090C15A472CE26
File Size: 200.70 KB, 200704 bytes
MD5: 4de05750d219d29e7665fd1913338217
SHA1: 4eabf2c63eb58b01ebbc258eb51335e6c6911997
SHA256: D7847A1280098B7F0F8BB13EE966FF8AC0AFAC7F6306E26245E13992C74C45C3
File Size: 2.48 MB, 2479669 bytes
MD5: db1680e4ba86a1ab121e56af1dc4b30e
SHA1: b4a1b480b74f6d7d2be4a6fe4a37d84f626cd4fc
SHA256: 487D4F743B9845FAF4B2A37C992D21B17094AD2F301421441827907BC53E197A
File Size: 2.41 MB, 2406157 bytes
MD5: bbc2f92c20aeedfc3d10c4ce42fc312a
SHA1: d2fff127e605f1fda465a0e44505a2ea4c58b46f
SHA256: 02A0584D31D841F8CA341142AA04697D3CAF4F47E32EFB300226645909B1BA86
File Size: 393.21 KB, 393207 bytes
MD5: 469cbb94b809f4e15bcfebe1a8f2b10c
SHA1: 666d262d914616839746d7c81c6278ed87344b5b
SHA256: 20908C91466FD02B6907FE29A6D6A8B102228E830B957F4629258021E7B64C9A
File Size: 9.02 MB, 9020416 bytes
MD5: b8ca7ca99731137bf60a52a59c45e22e
SHA1: 0de86837ab5dd60d30cc65b846a7140651e10470
SHA256: B7DB05F2171444AD2ACF0EC2A352485EA110C2B16CCC1EE753CF7C9EB26C7B96
File Size: 3.24 MB, 3235840 bytes
MD5: bfd8b8822b0d37b0ef790d18df4cf3ae
SHA1: c8053c878e4bcea7bd67a8712b109a9824e19500
SHA256: F67E564F6B824D30A08641EA468C1245ECD53EF59B660C9C2C943171B46E6C03
File Size: 540.42 KB, 540425 bytes
MD5: eb3dbff6f41dc119b5c3eb7abc72fffb
SHA1: f853e38cb95bfe820a44c75226ca6172eca76347
SHA256: E80128C898D6E320A16B013FA4760E38BA21D380C372016E588478A94BE206DE
File Size: 3.88 MB, 3883008 bytes
MD5: 9430400e1617d462da705c64dcc12a83
SHA1: c21e425f66b84f38f655e69867f081a9282199fc
SHA256: 5AC7E344893A0E659F8DE76899845055CA1F5EC5F2B2B3813E969DCC69FE4DAC
File Size: 3.18 MB, 3177984 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is .NET application
  • File is 32-bit executable
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Assembly Version 3.2.25113.1114
Comments
  • 8961e261
  • 24247173
  • System Informer
  • This installation was built with Inno Setup.
Company Name
  • Microsoft
  • Process Hacker
  • Synaptics
  • Winsider Seminars & Solutions
  • Winsider Seminars & Solutions, Inc.
  • wj32
  • wj32
File Description
  • PE Viewer
  • Process Hacker
  • Process Hacker - Setup
  • Process Hacker Setup
  • Synaptics Pointing Device Driver
  • System Informer
  • System Informer - Chocolatey Shim
File Version
  • 4.0.26074.335
  • 3.2.25319.2238
  • 3.2.25289.2438
  • 3.2.25113.1114
  • 3.0.8899.4372
  • 3.0.8761.4234
  • 3.0.8576.4049
  • 2.39 (r124)
  • 2.24.0.4900
  • 2.4
  • 1.00
  • 1.0.0.4
Internal Name
  • peview
  • Process Hacker
  • processhacker-setup.exe
  • ProcessHacker.exe
  • System Informer
  • SystemInformer.exe
  • TJprojMain
  • Win
Legal Copyright
  • Copyright (c) Winsider Seminars & Solutions, Inc. All rights reserved.
  • Copyright (c) Winsider Seminars & Solutions, Inc. All rights reserved., Copyright © 2017 - Present Chocolatey Software, Inc ("Chocolatey")
  • Copyright © 2010-2016, Process Hacker Team. Licensed under the GNU GPL, v3.
  • Licensed under the GNU GPL, v3.
  • Licensed under the GNU GPL, v3. Copyright (C) 2017
  • Licensed under the GNU GPL, v3. Copyright (C) 2021
Original Filename
  • DotNetTools.dll
  • peview.exe
  • processhacker-setup.exe
  • ProcessHacker.exe
  • SystemInformer.exe
  • System Informer.exe
  • TJprojMain.exe
  • Win.exe
Product Name
  • Process Hacker
  • Process Hacker
  • Project1
  • Synaptics Pointing Device Driver
  • System Informer
  • System Informer - Chocolatey Shim
  • Win
Product Version
  • 4.0.26074.335
  • 3.2.25319.2238
  • 3.2.25289.2438
  • 3.2.25113.1114 - Chocolatey Shim: 1.0.0
  • 3.0.8899.4372
  • 3.0.8761.4234
  • 3.0.8576.4049
  • 2.39 (r124)
  • 2.24.0.4900
  • 2.4
  • 1.00
  • 1.0.0.0

File Traits

  • .NET
  • 2+ executable sections
  • Badsig nsis
  • dll
  • fptable
  • GetConsoleWindow
  • HighEntropy
  • Inno
  • InnoSetup Installer
  • Installer Manifest
  • Installer Version
  • ntdll
  • Nullsoft Installer
  • WriteProcessMemory
  • x64
  • x86

Block Information

Similar Families

  • Farfli.DH
  • GameHack.GF
  • SteamStealer.C
  • Trojan.Agent.Gen.JC
  • Trojan.Kryptik.Gen.NU
  • Trojan.Kryptik.Gen.RL
  • Trojan.Kryptik.Gen.UG
  • Trojan.ShellcodeRunner.Gen.DZ

Windows API Usage

Category API
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetUserDefaultLocaleName
  • GetUserObjectInformation
Syscall Use
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAdjustPrivilegesToken
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateDirectoryObject
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateKeyedEvent
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFlushProcessWriteBuffers
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryDirectoryObject
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryMutant
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForMultipleObjects
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • UNKNOWN
  • win32u.dll!NtGdiBitBlt
  • win32u.dll!NtGdiCreateBitmap
  • win32u.dll!NtGdiCreateCompatibleDC
  • win32u.dll!NtGdiCreateDIBitmapInternal
  • win32u.dll!NtGdiCreateDIBSection
  • win32u.dll!NtGdiCreatePatternBrushInternal
  • win32u.dll!NtGdiCreateRectRgn
  • win32u.dll!NtGdiCreateSolidBrush
  • win32u.dll!NtGdiDeleteObjectApp
  • win32u.dll!NtGdiExtGetObjectW
  • win32u.dll!NtGdiGetDCDword
  • win32u.dll!NtGdiGetDCforBitmap
  • win32u.dll!NtGdiGetDCObject
  • win32u.dll!NtGdiGetDeviceCaps
  • win32u.dll!NtGdiRestoreDC
  • win32u.dll!NtGdiSaveDC
  • win32u.dll!NtGdiSelectBitmap
  • win32u.dll!NtGdiSetDIBitsToDeviceInternal

17 additional items are not displayed above.

Service Control
  • OpenSCManager
  • OpenService
Keyboard Access
  • GetKeyState
Other Suspicious
  • SetWindowsHookEx