SHA256: 34ae8f7cfb1dce70fe49bc71f3f636df5739af8da6565bac3f65190be19cc4df
File name: vt-upload-TsLjv
Detection ratio: 24 / 53
Analysis date: 2014-06-25 19:20:47 UTC (4 years, 10 months ago)
Antivirus | Result | Update
Ad-Aware | Gen:Variant.Kazy.398340 | 20140625
Yandex | TrojanSpy.Zbot!PZQYaOdTrBs | 20140624
AntiVir | TR/Crypt.ZPACK.87778 | 20140625
Avast | Win32:Malware-gen | 20140625
AVG | Zbot.KFH | 20140625
BitDefender | Gen:Variant.Kazy.398340 | 20140625
Bkav | HW32.CDB.9f1a | 20140625
Emsisoft | Gen:Variant.Kazy.398340 (B) | 20140625
ESET-NOD32 | a variant of Win32/Kryptik.CEYB | 20140625
F-Secure | Gen:Variant.Kazy.398340 | 20140625
GData | Gen:Variant.Kazy.398340 | 20140625
Kaspersky | Trojan-Spy.Win32.Zbot.thge | 20140625
Malwarebytes | Spyware.Zbot.VXGen | 20140625
McAfee | PWSZbot-FXW!08632A196E88 | 20140625
McAfee-GW-Edition | PWSZbot-FXW!08632A196E88 | 20140625
Microsoft | PWS:Win32/Zbot | 20140625
eScan | Gen:Variant.Kazy.398340 | 20140625
Panda | Generic Malware | 20140625
Qihoo-360 | Win32/Trojan.54c | 20140625
Rising | PE:Malware.XPACK-HIE/Heur!1.9C48 | 20140623
Sophos AV | Mal/Generic-S | 20140625
TrendMicro | TROJ_GEN.R08NC0DFO14 | 20140625
TrendMicro-HouseCall | TROJ_GEN.R08NC0DFO14 | 20140625
VIPRE | Trojan.Win32.Generic!BT | 20140625
AegisLab | (no detection) | 20140625
AhnLab-V3 | (no detection) | 20140625
Antiy-AVL | (no detection) | 20140625
Baidu-International | (no detection) | 20140625
ByteHero | (no detection) | 20140625
CAT-QuickHeal | (no detection) | 20140625
ClamAV | (no detection) | 20140625
CMC | (no detection) | 20140624
Commtouch | (no detection) | 20140625
Comodo | (no detection) | 20140625
DrWeb | (no detection) | 20140625
F-Prot | (no detection) | 20140625
Fortinet | (no detection) | 20140625
Ikarus | (no detection) | 20140625
Jiangmin | (no detection) | 20140625
K7AntiVirus | (no detection) | 20140625
K7GW | (no detection) | 20140625
Kingsoft | (no detection) | 20140625
NANO-Antivirus | (no detection) | 20140625
Norman | (no detection) | 20140625
nProtect | (no detection) | 20140625
SUPERAntiSpyware | (no detection) | 20140625
Symantec | (no detection) | 20140625
TheHacker | (no detection) | 20140624
TotalDefense | (no detection) | 20140625
VBA32 | (no detection) | 20140625
ViRobot | (no detection) | 20140625
Zillya | (no detection) | 20140625
Zoner | (no detection) | 20140625
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Copyright 2000
Publisher Just Great Software
Product Eqomog
Original name Qpgcjx.exe
Internal name Watywi
File version 3, 9, 5
Description Sek Yzat Ofity
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2011-01-15 01:41:17
Entry Point 0x0001F52B
Number of sections 5
PE sections
PE imports
Number of PE resources by type
RT_CURSOR 1
RT_VERSION 1
Number of PE resources by language
ENGLISH AUS 2
PE resources
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
TimeStamp 2011:01:15 02:41:17+01:00
FileType Win32 EXE
PEType PE32
CodeSize 143360
LinkerVersion 7.1
FileAccessDate 2014:06:25 20:16:44+01:00
EntryPoint 0x1f52b
InitializedDataSize 159744
SubsystemVersion 4.0
ImageVersion 6.2
OSVersion 4.0
FileCreateDate 2014:06:25 20:16:44+01:00
UninitializedDataSize 0
File identification
MD5 08632a196e88203a70ff941cd1309587
SHA1 5a3dec38b787e960d30eb9fbd46f70c58e3baceb
SHA256 34ae8f7cfb1dce70fe49bc71f3f636df5739af8da6565bac3f65190be19cc4df
ssdeep 3072:nPYHP84+enlDmizolhzfQRstjbN4PGD8T6qrEFjcJbOwbImS4R3xWAOgc:nkUjelD9ok2t/NNBqrEbwgchdOh
imphash 7b88baa9a143328eab276310aaf102cb
File size 208.0 KB (212992 bytes)
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID
Win32 Dynamic Link Library (generic) (43.5%)
Win32 Executable (generic) (29.8%)
Generic Win/DOS Executable (13.2%)
DOS Executable Generic (13.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Tags peexe
VirusTotal metadata
First submission 2014-06-25 19:20:47 UTC (4 years, 10 months ago)
Last submission 2014-06-25 19:20:47 UTC (4 years, 10 months ago)
File names vt-upload-TsLjv, Watywi, Qpgcjx.exe
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Written files
Created processes
Code injections in the following processes
Created mutexes
Opened mutexes
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
HTTP requests
DNS requests
TCP connections
UDP communications