SHA256: 2af2a9494f64509cb5dfa5f349eb3b36920d44835db3197e9e92bf3e5e107508
File name: ualppahbpkjnineyh.exe
Detection ratio: 7 / 46
Analysis date: 2013-08-01 11:05:20 UTC ( 5 years, 7 months ago )
Antivirus             Result                               Update
Avast                 Win32:ScreenLocker-L [Trj]           20130801
Fortinet              W32/Krap.JI!tr                       20130801
Kaspersky             UDS:DangerousObject.Multi.Generic    20130801
Panda                 Trj/dtcontx.G                        20130801
TheHacker             Posible_Worm32                       20130731
TrendMicro            PAK_Generic.001                      20130801
TrendMicro-HouseCall  PAK_Generic.001                      20130801

No detection (39 engines, with signature-database date): Yandex (20130731), AhnLab-V3 (20130801), AntiVir (20130801), Antiy-AVL (20130801), AVG (20130801), BitDefender (20130801), ByteHero (20130724), CAT-QuickHeal (20130801), ClamAV (20130801), Commtouch (20130801), Comodo (20130801), DrWeb (20130801), Emsisoft (20130801), ESET-NOD32 (20130801), F-Prot (20130801), F-Secure (20130801), GData (20130801), Ikarus (20130801), Jiangmin (20130801), K7AntiVirus (20130731), K7GW (20130731), Kingsoft (20130723), Malwarebytes (20130801), McAfee (20130801), McAfee-GW-Edition (20130801), Microsoft (20130801), eScan (20130801), NANO-Antivirus (20130801), Norman (20130801), nProtect (20130801), PCTools (20130801), Rising (20130801), Sophos AV (20130801), SUPERAntiSpyware (20130801), Symantec (20130801), TotalDefense (20130801), VBA32 (20130801), VIPRE (20130801), ViRobot (20130801)
The file is a Portable Executable (PE); specifically, a Win32 EXE for the Windows GUI subsystem.
Packers identified
F-PROT UPX
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Entry Point 0x000235F0
Number of sections 3
PE sections
PE imports (the report lists function names only, not the DLL each comes from)
ImmUnlockIMCC
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
BSTR_UserMarshal
NdrStubCall2
CoGetMalloc
This is the minimal import table of the UPX stub, not of the original program. The unpacker needs only memory and loader functions (VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA, GetProcAddress, ExitProcess) and rebuilds the real import table in memory at run time; the remaining entries are single imports kept so that the DLLs the original program depends on are still mapped by the loader. Consequently the imphash below fingerprints the packer stub rather than the payload, and the real API set is only visible after unpacking.
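The "Packers identified: UPX" verdict, the entry point 0x235F0, the three sections and the large SizeOfUninitializedData (81920) all point at one layout, and the check can be done from the headers alone. The following is an added example, not VirusTotal's, F-PROT's or any vendor's code: a pure-Python PE32 section-table parser plus the UPX heuristics a triage script would apply. UPX rewrites the section table to UPX0 (zero bytes on disk, large virtual size covered by SizeOfUninitializedData), UPX1 (compressed image plus unpack stub) and usually .rsrc, and places the entry point in the tail of UPX1. build_sample_pe() is a constructed, header-only image that mirrors the report's figures; its section names, RVAs and raw sizes are assumptions consistent with those figures, not values the report shows.

```python
"""Header-level UPX check for a PE32 file (added example, pure Python)."""
import struct

OPT_HDR_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"  # PE32 optional header, 96 bytes
SECTION_FMT = "<8sIIIIIIHHI"                      # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data: bytes) -> dict:
    """Parse the COFF header, PE32 optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint
    size_of_code, _, size_uninit, entry = struct.unpack_from("<IIII", data, opt + 4)
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, *_ = struct.unpack_from(
            SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": rawsize, "raw_ptr": rawptr})
    return {"machine": machine, "entry_point": entry, "size_of_code": size_of_code,
            "size_of_uninit": size_uninit, "sections": sections}


def section_for_rva(sections, rva):
    """Return the section whose in-memory range contains rva, or None."""
    for s in sections:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return s
    return None


def upx_indicators(pe: dict) -> dict:
    """Name-based and structural UPX hints. The structural ones survive
    section renaming, which is the first thing packer-aware authors change."""
    secs = pe["sections"]
    first = secs[0]
    ep_sec = section_for_rva(secs, pe["entry_point"])
    in_tail = False
    if ep_sec is not None:
        off = pe["entry_point"] - ep_sec["virtual_address"]
        in_tail = off > 0.75 * max(ep_sec["virtual_size"], ep_sec["raw_size"])
    ind = {
        "upx_section_names": any(s["name"].startswith("UPX") for s in secs),
        "first_section_empty_on_disk": first["raw_size"] == 0 and first["virtual_size"] > 0,
        "entry_outside_first_section": ep_sec is not None and ep_sec is not first,
        "entry_in_section_tail": in_tail,
        "entry_section": ep_sec["name"] if ep_sec else None,
    }
    ind["likely_upx"] = ind["upx_section_names"] or (
        ind["first_section_empty_on_disk"] and ind["entry_outside_first_section"] and in_tail)
    return ind


def build_sample_pe(upx: bool = True) -> bytes:
    """Constructed header-only PE32 (no real code). Figures taken from the
    report: 3 sections, EP 0x235F0, SizeOfCode 61440, SizeOfInitializedData
    12288, SizeOfUninitializedData 81920. Section names, RVAs and raw sizes
    are assumptions chosen to be consistent with those figures."""
    if upx:  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        entry, secs = 0x235F0, [(b"UPX0", 0x14000, 0x1000, 0, 0x400),
                                (b"UPX1", 0xF000, 0x15000, 0xF000, 0x400),
                                (b".rsrc", 0x1000, 0x24000, 0xC00, 0xF400)]
    else:    # an ordinary unpacked layout for comparison
        entry, secs = 0x1100, [(b".text", 0x14000, 0x1000, 0x14000, 0x400),
                               (b".data", 0xF000, 0x15000, 0xF000, 0x14400),
                               (b".rsrc", 0x1000, 0x24000, 0xC00, 0x23400)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x010F)
    opt = struct.pack(OPT_HDR_FMT, 0x10B, 5, 0, 61440, 12288, 81920, entry,
                      0x15000, 0x24000, 0x400000, 0x1000, 0x200, 5, 0, 0, 0, 4, 0,
                      0, 0x25000, 0x400, 0, 2, 0, 0x100000, 0x1000, 0x100000,
                      0x1000, 0, 16) + b"\0" * 128                # 16 empty data directories
    table = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                     for n, vs, va, rs, rp in secs)
    hdr = dos + b"PE\0\0" + coff + opt + table
    return hdr + b"\0" * (0x400 - len(hdr))


if __name__ == "__main__":
    for label, blob in (("constructed UPX-style", build_sample_pe(True)),
                        ("constructed plain", build_sample_pe(False))):
        pe = parse_pe(blob)
        print(label, hex(pe["entry_point"]), [s["name"] for s in pe["sections"]], upx_indicators(pe))
```

Run against a real file with `parse_pe(open(path, "rb").read())`. The name check alone is weak: renaming UPX0/UPX1 defeats it, whereas an empty-on-disk first section with the entry point in the tail of a later section is the packer's working layout and is much harder to hide.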
Number of PE resources by type
RT_ACCELERATOR 11
RT_CURSOR 2
RT_ICON 1
RT_STRING 1
AVI 1
DATA 1
PNG 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL DEFAULT 14
ITALIAN 2
ARABIC SAUDI ARABIA 1
NEUTRAL 1
CHINESE TRADITIONAL 1
PE resources
ExifTool file metadata
MIMEType: application/octet-stream
Subsystem: Windows GUI
MachineType: Intel 386 or later, and compatibles
FileTypeExtension: exe
TimeStamp: 0000:00:00 00:00:00 (the PE TimeDateStamp field is zero, so the header gives no build date)
FileType: Win32 EXE
PEType: PE32
CodeSize: 61440
LinkerVersion: 5.0
EntryPoint: 0x235f0
InitializedDataSize: 12288
SubsystemVersion: 4.0
ImageVersion: 0.0
OSVersion: 5.0
UninitializedDataSize: 81920
Compressed bundles
File identification
MD5 dda3b490cd01690e12b280e5bb935bce
SHA1 ca4175a0c526d1be74fd1b00668e0799e41f0e76
SHA256 2af2a9494f64509cb5dfa5f349eb3b36920d44835db3197e9e92bf3e5e107508
ssdeep 1536:d89S87ZkhqOvhBAHHJx1u4XIQ7ggCR3bu8yoXMkPw2OQo:dwL7ZkhhZO8wXggCRbu8yofPw2OT
authentihash a919737165351afdbb3e7d9adbdf77abbda70c3d668d14dc99117876fd77aa46
imphash 953d64337654d2b2c5fc3d69d311f0ea
File size 69.5 KB ( 71168 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable (generic) (52.9%)
Generic Win/DOS Executable (23.5%)
DOS Executable Generic (23.4%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Tags
peexe upx
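The imphash in the file identification block is derived from the import table in a fixed, normalised form, which is why two differently built files can share one. The following is an added example, not VirusTotal's or pefile's code, implementing the documented algorithm: for each imported function, in import-table order, form "<dll>.<function>" with the DLL name lower-cased and stripped of a .dll/.ocx/.sys suffix and the function name lower-cased (or "ordN" for an import by ordinal), join the entries with commas and MD5 the string. SAMPLE_IMPORTS pairs the ten function names from the report with the DLLs that export them (a Windows fact, not something the report states); the ordering is an assumption, so its hash is not expected to equal the report's imphash.

```python
"""Import hash (imphash) computation (added example)."""
import hashlib
import re

_STRIP_SUFFIX = re.compile(r"\.(dll|ocx|sys)$")


def imphash_input(imports) -> str:
    """Normalised 'dll.func,dll.func,...' string that imphash is taken over.

    imports: iterable of (dll_name, function_name_or_ordinal) in import-table
    order. Ordinal-only imports become 'ordN'; the per-DLL ordinal-to-name
    tables some tools apply for oleaut32/ws2_32 are deliberately omitted here."""
    parts = []
    for dll, func in imports:
        lib = _STRIP_SUFFIX.sub("", dll.lower())
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports) -> str:
    """Hex MD5 of the normalised import string."""
    return hashlib.md5(imphash_input(imports).encode("ascii")).hexdigest()


# Constructed input: the report's import names, each with its exporting DLL.
# Order within the table is assumed; a real tool reads it from the file.
SAMPLE_IMPORTS = [
    ("IMM32.dll", "ImmUnlockIMCC"),
    ("KERNEL32.DLL", "VirtualFree"),
    ("KERNEL32.DLL", "ExitProcess"),
    ("KERNEL32.DLL", "VirtualProtect"),
    ("KERNEL32.DLL", "LoadLibraryA"),
    ("KERNEL32.DLL", "VirtualAlloc"),
    ("KERNEL32.DLL", "GetProcAddress"),
    ("OLEAUT32.dll", "BSTR_UserMarshal"),
    ("RPCRT4.dll", "NdrStubCall2"),
    ("ole32.dll", "CoGetMalloc"),
]

if __name__ == "__main__":
    print(imphash_input(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

Because the hash covers order as well as content, it clusters files that share a packer stub or build toolchain far more reliably than it identifies a payload; for a UPX-packed sample the value is the stub's, and the unpacked file must be hashed separately.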

VirusTotal metadata
First submission 2013-08-01 11:01:06 UTC ( 5 years, 7 months ago )
Last submission 2014-05-12 13:56:55 UTC ( 4 years, 10 months ago )
File names mhxiksaafdrhotltj.exe_
2af2a9494f64509cb5dfa5f349eb3b36920d44835db3197e9e92bf3e5e107508
mhxiksaafdrhotltj.exe
ualppahbpkjnineyh.exe
vti-rescan
pprtc.exe
_wkhjvflacwscfhuvl._exe_
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Created processes
Code injections in the following processes
Created mutexes
Opened mutexes
Opened service managers
Opened services
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
HTTP requests
DNS requests
TCP connections