SHA256: 5bb1a8e70b40d2f58fa49b6a1f8dc5918cd3ac1893dddc8c049d97574afe20ef
File name: AUDIO.exe
Detection ratio: 56 / 57
Analysis date: 2016-12-10 14:55:01 UTC ( 2 years, 2 months ago )
Antivirus Result Update
Ad-Aware Generic.Malware.DHVQ.DFAA387E 20161210
AegisLab Troj.W32.Qhost.aird!c 20161210
AhnLab-V3 HEUR/Fakon.mwf 20161210
ALYac Generic.Malware.DHVQ.DFAA387E 20161210
Antiy-AVL Worm/Win32.VB 20161210
Arcabit Generic.Malware.DHVQ.DFAA387E 20161210
Avast Win32:GenMalicious-HFA [Trj] 20161210
AVG Win32/DH{TA?} 20161210
Avira (no cloud) TR/Crypt.CFI.Gen 20161210
AVware Trojan.Win32.Generic!BT 20161210
Baidu Win32.Worm.Autorun.ah 20161207
BitDefender Generic.Malware.DHVQ.DFAA387E 20161210
Bkav W32.NusdengoLTK.Trojan 20161210
CAT-QuickHeal Trojan.Dynamer.27869 20161210
ClamAV Win.Trojan.Agent-1117483 20161210
CMC Worm.Win32.VB!O 20161210
Comodo TrojWare.Win32.Agent.~JH1 20161210
CrowdStrike Falcon (ML) malicious_confidence_100% (D) 20161024
Cyren W32/A-47c77774!Eldorado 20161210
DrWeb Trojan.KillFiles.8725 20161210
Emsisoft Generic.Malware.DHVQ.DFAA387E (B) 20161210
ESET-NOD32 Win32/AutoRun.VB.AAO 20161210
F-Prot W32/A-47c77774!Eldorado 20161210
F-Secure Generic.Malware.DHVQ.DFAA387E 20161210
Fortinet W32/Generic.AC.1135!tr 20161210
GData Generic.Malware.DHVQ.DFAA387E 20161210
Ikarus Worm.Win32.VB 20161210
Sophos ML trojan.win32.peals.b!gfc 20161202
Jiangmin Trojan/Qhost.flk 20161210
K7AntiVirus Backdoor ( 04c51b9d1 ) 20161210
K7GW Backdoor ( 04c51b9d1 ) 20161210
Kaspersky Trojan.Win32.Crypt.ddc 20161210
Kingsoft Win32.Troj.Generic_01.k.(kcloud) 20161210
Malwarebytes Worm.AutoRun 20161210
McAfee W32/YahLover.worm.gen 20161210
McAfee-GW-Edition BehavesLike.Win32.Worm.cm 20161210
Microsoft Worm:Win32/Autorun.AHY 20161210
eScan Generic.Malware.DHVQ.DFAA387E 20161210
NANO-Antivirus Trojan.Win32.KillFiles.cvpiiw 20161210
Panda Trj/CI.A 20161210
Qihoo-360 Win32/Trojan.3e6 20161210
Rising Trojan.Generic-icFHC4c1dzJ (cloud) 20161210
Sophos AV Mal/Autorun-BF 20161210
SUPERAntiSpyware Trojan.Agent/Gen-Malent 20161210
Symantec W32.SillyFDC 20161210
Tencent Win32.Trojan.Crypt.Glq 20161210
TheHacker W32/VB.ck 20161130
TotalDefense Win32/FakeFLDR_i 20161210
TrendMicro WORM_YAHLOVER.SM 20161210
TrendMicro-HouseCall WORM_YAHLOVER.SM 20161210
VBA32 Worm.VB 20161209
VIPRE Trojan.Win32.Generic!BT 20161210
ViRobot Worm.Win32.A.VB.132608[h] 20161210
Yandex Worm.VB!AKNOSc7Z2m4 20161209
Zillya Worm.AutoRun.Win32.35490 20161209
Zoner I-Worm.AutoRun.VB.AAO 20161210
Alibaba 20161209
nProtect 20161210
Trustlook 20161210
WhiteArmor 20161207
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Product z 3 r 0 _ x
Original name Dosya Klasörü.exe
Internal name Dosya Klasörü
File version 8.01.0008
Packers identified
F-PROT UPX_LZMA
PEiD UPX 2.93 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2011-01-04 13:49:16
Entry Point 0x00076580
Number of sections 3
PE sections
Overlays
MD5 90a9157cbd7dab381d6c39c843e43dc0
File type ASCII text
Offset 131584
Size 39424
Entropy 0.00
PE imports
VirtualFree
ExitProcess
VirtualProtect
LoadLibraryA
VirtualAlloc
GetProcAddress
Ord(581)
Number of PE resources by type
RT_ICON 13
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 14
ENGLISH US 1
PE resources
ExifTool file metadata
UninitializedDataSize 434176
LinkerVersion 6.0
ImageVersion 8.1
FileSubtype 0
FileVersionNumber 8.1.0.8
LanguageCode English (U.S.)
FileFlagsMask 0x0000
CharacterSet Unicode
InitializedDataSize 81920
EntryPoint 0x76580
OriginalFileName Dosya Klasörü.exe
MIMEType application/octet-stream
FileVersion 8.01.0008
TimeStamp 2011:01:04 14:49:16+01:00
FileType Win32 EXE
PEType PE32
InternalName Dosya Klasörü
ProductVersion 8.01.0008
SubsystemVersion 4.0
OSVersion 4.0
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CodeSize 53248
ProductName z 3 r 0 _ x
ProductVersionNumber 8.1.0.8
FileTypeExtension exe
ObjectFileType Executable application
File identification
MD5 0986570aa29ba546e7565ae8ac89a91f
SHA1 51d6f148eac1c43a104a863828e82d485d6ef5bc
SHA256 5bb1a8e70b40d2f58fa49b6a1f8dc5918cd3ac1893dddc8c049d97574afe20ef
ssdeep 1536:wZx8gcK8ossZDulaPnPuhkvJJth5SLnouy8uQkgB54vP:wZx8gJscuAnU+JYoutueXI
authentihash 0d89ff52dfdf5ce91a0685158bc5196d8c74740e7c19ad6880e5ec7d254b28c5
imphash 3243b13e562279ab7fbe2f31e45d3a95
File size 167.0 KB ( 171008 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID UPX compressed Win32 Executable (39.3%)
Win32 EXE Yoda's Crypter (38.6%)
Win32 Dynamic Link Library (generic) (9.5%)
Win32 Executable (generic) (6.5%)
Generic Win/DOS Executable (2.9%)
Tags
peexe upx overlay

VirusTotal metadata
First submission 2013-10-25 02:20:56 UTC ( 5 years, 3 months ago )
Last submission 2014-06-03 14:12:20 UTC ( 4 years, 8 months ago )
File names Dosya Klasörü
AUDIO.exe
musallat.exe
Dosya Klasörü.exe
vt-upload-vsbgT
vt-upload-ShgiD
Advanced heuristic and reputation engines
ClamAV
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: https://www.clamav.net/documents/potentially-unwanted-applications-pua .

Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Created processes
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done making use of the SetWindowsHook Windows API function.
UDP communications