SHA256: 47a5f2871836e33bc473279183300468fb330526e0e702f1ca2770cc195b7e7e
File name: JamesSearsWard32Screensaver.exe
Detection ratio: 0 / 51
Analysis date: 2014-06-09 05:04:41 UTC
Antivirus Result Update (none of the 51 engines returned a detection, so the Result column is empty for every row)
Ad-Aware 20140609
AegisLab 20140609
Yandex 20140608
AhnLab-V3 20140609
AntiVir 20140609
Antiy-AVL 20140609
Avast 20140609
AVG 20140609
Baidu-International 20140608
BitDefender 20140609
Bkav 20140606
ByteHero 20140609
CAT-QuickHeal 20140607
ClamAV 20140609
CMC 20140609
Commtouch 20140609
Comodo 20140609
DrWeb 20140609
Emsisoft 20140609
ESET-NOD32 20140609
F-Prot 20140609
F-Secure 20140608
Fortinet 20140608
GData 20140609
Ikarus 20140609
K7AntiVirus 20140606
K7GW 20140606
Kaspersky 20140609
Kingsoft 20140609
Malwarebytes 20140609
McAfee 20140609
McAfee-GW-Edition 20140608
Microsoft 20140609
eScan 20140609
NANO-Antivirus 20140609
Norman 20140609
nProtect 20140608
Panda 20140608
Qihoo-360 20140609
Rising 20140608
Sophos AV 20140609
SUPERAntiSpyware 20140608
Symantec 20140609
Tencent 20140609
TheHacker 20140606
TotalDefense 20140608
TrendMicro 20140609
TrendMicro-HouseCall 20140609
VBA32 20140607
VIPRE 20140609
ViRobot 20140609
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Packers identified
F-PROT UPX_LZMA, UPX
PEiD UPX 2.93 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 1992-06-19 22:22:17 (the fixed value the Delphi linker writes into every binary it produces, so it does not reflect the real build date)
Entry Point 0x001A3D20
Number of sections 3
PE sections
Overlays
MD5 00674124d2ef392afd5e27690306e695
File type application/x-ms-dos-executable
Offset 399872
Size 7566454
Entropy 7.82
PE imports
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
RegFlushKey
ImageList_Add
SaveDC
WNetGetConnectionA
CoInitialize
VariantCopy
ShellExecuteA
VerQueryValueA
Number of PE resources by type
RT_STRING 30
RT_BITMAP 23
RT_GROUP_CURSOR 9
RT_CURSOR 9
RT_RCDATA 6
RT_ICON 4
RT_DIALOG 1
RT_MANIFEST 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 78
LATVIAN DEFAULT 6
PE resources
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
FileTypeExtension exe
TimeStamp 1992:06:19 23:22:17+01:00
FileType Win32 EXE
PEType PE32
CodeSize 389120
LinkerVersion 2.25
EntryPoint 0x1a3d20
InitializedDataSize 12288
SubsystemVersion 4.0
ImageVersion 0.0
OSVersion 4.0
UninitializedDataSize 1331200

File identification
MD5 2e5c3e59938ba138075fe9e917d28830
SHA1 3b5385b097f90226539971f5c4fbcc3093438602
SHA256 47a5f2871836e33bc473279183300468fb330526e0e702f1ca2770cc195b7e7e
ssdeep 196608:23GiBsNSqNEgYTBkjNK5c2Z7CBJNlkysMAZc:23rSyajn2Z7Cps1Zc
authentihash 18e77a42e725d0c42f545ee674ca84bcba9f84f15771a05c0c16abf3bd823cfd
imphash 6728e51da9081b6ca376b0f885311676
File size 7.6 MB ( 7966326 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID UPX compressed Win32 Executable (41.1%)
Win32 EXE Yoda's Crypter (35.7%)
Win32 Dynamic Link Library (generic) (8.8%)
Win32 Executable (generic) (6.0%)
Win16/32 Executable Delphi generic (2.7%)
Tags peexe upx overlay

VirusTotal metadata
First submission 2014-06-09 05:04:41 UTC
Last submission 2014-06-09 05:04:41 UTC
File names JamesSearsWard32Screensaver.exe
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which, depending on the user policies and environment, may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua

Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Created mutexes
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.