× Cookies are disabled! This site requires cookies to be enabled to work properly
VirusTotal
SHA256: 98bbe7548b6c51247bd2ef0bcf4f4ac45df9851a3dd9c5ceb5e04b9320c55645
File name: updateflashplayer.exe
Detection ratio: 6 / 42
Analysis date: 2012-09-01 01:00:31 UTC ( 4 years, 10 months ago ) View latest
Antivirus Result Update
AhnLab-V3 Trojan/Win32.Plosa 20120831
DrWeb Trojan.PWS.Panda.2363 20120901
Kaspersky Trojan-Spy.Win32.Zbot.etbe 20120901
McAfee PWS-Zbot.gen.aln 20120901
Microsoft PWS:Win32/Zbot.gen!AF 20120901
Panda Suspicious file 20120831
AntiVir 20120831
Antiy-AVL 20120831
Avast 20120901
AVG 20120901
BitDefender 20120901
ByteHero 20120817
CAT-QuickHeal 20120831
ClamAV 20120828
Commtouch 20120831
Comodo 20120901
Emsisoft 20120901
eSafe 20120830
ESET-NOD32 20120831
F-Prot 20120831
F-Secure 20120901
Fortinet 20120830
GData 20120901
Ikarus 20120831
Jiangmin 20120831
K7AntiVirus 20120831
McAfee-GW-Edition 20120831
Norman 20120831
nProtect 20120831
PCTools 20120901
Rising 20120831
Sophos 20120901
SUPERAntiSpyware 20120831
Symantec 20120901
TheHacker 20120830
TotalDefense 20120831
TrendMicro 20120901
TrendMicro-HouseCall 20120901
VBA32 20120831
VIPRE 20120901
ViRobot 20120831
VirusBuster 20120831
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright
Copyright (C) Microsoft Corp. 1991-1996

Publisher ysnhceewwizsxemjaosjtymceuzooutmqmekiqjalrzgzyrecpptbcqcxlkoypusfjiospauviqwnjrenj...
Product Microsoft(R) Windows (R) 2000 Operating System
Original name WINHLP32.EXE
Internal name WINHSTB
File version 5.00.2134.1
Description Windows Winhlp32 Stub
Signature verification A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
Signers
[+] ysnhceewwizsxemjaosjtymceuzooutmqmekiqjalrzgzyrecpptbcqcxlkoypusfjiospauviqwnjrenj...
Status A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
Issuer None
Valid from 7:14 PM 8/31/2012
Valid to 12:59 AM 1/1/2040
Valid usage Code Signing
Algorithm SHA1
Thumbprint 6D0EFA914941CD54EA3EFF0C7C7559D808A9608A
Serial number 28 CC 54 E3 7A 6A D7 90 40 9B 14 6C 48 DA 11 C2
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2012-08-31 21:40:33
Entry Point 0x00001350
Number of sections 4
PE sections
Overlays
MD5 034f6a52375a3330e80c1bc3ebcbd0df
File type data
Offset 366080
Size 7032
Entropy 5.40
PE imports
[+] ADVAPI32.dll
RegCloseKey
[+] COMDLG32.dll
PrintDlgA
PrintDlgExW
ReplaceTextA
FindTextA
GetFileTitleW
GetOpenFileNameW
ChooseColorW
ChooseFontW
GetSaveFileNameW
PageSetupDlgA
GetFileTitleA
ChooseColorA
FindTextW
GetOpenFileNameA
ReplaceTextW
CommDlgExtendedError
PrintDlgExA
PageSetupDlgW
GetSaveFileNameA
ChooseFontA
[+] KERNEL32.dll
SetThreadLocale
CreateJobObjectA
GetOverlappedResult
DeleteFiber
GetDriveTypeA
EnumUILanguagesW
SetConsoleCursorPosition
GetTapeParameters
DeleteCriticalSection
SetSystemTime
OpenFileMappingA
lstrcatW
HeapWalk
IsDBCSLeadByteEx
GetTempPathA
WriteFile
SwitchToFiber
SetProcessAffinityMask
GlobalMemoryStatusEx
SetFileAttributesA
QueryDosDeviceA
GetProfileIntW
InitializeCriticalSection
GlobalHandle
QueryDosDeviceW
GetStringTypeExA
GetUserDefaultUILanguage
LoadLibraryA
UpdateResourceA
SetConsoleCtrlHandler
GetProfileSectionW
OpenWaitableTimerW
MultiByteToWideChar
DeleteTimerQueueTimer
FreeEnvironmentStringsA
EnumSystemLanguageGroupsA
SetUnhandledExceptionFilter
GetConsoleDisplayMode
MulDiv
FindAtomW
WriteConsoleA
SleepEx
ReadConsoleOutputA
LocalCompact
HeapFree
SetHandleCount
MoveFileWithProgressW
lstrcmp
TlsAlloc
WriteConsoleOutputAttribute
GlobalSize
GetWindowsDirectoryW
AddAtomA
SetProcessPriorityBoost
ReadProcessMemory
CreateDirectoryW
GetProcAddress
AddAtomW
GetProfileStringW
lstrcpyW
WaitNamedPipeW
EnumDateFormatsExA
FindFirstFileExA
FindNextFileW
GlobalFix
FreeConsole
GetProcessWorkingSetSize
GetTimeZoneInformation
ReadDirectoryChangesW
CreateFileW
CreateEventA
GetFileType
TlsSetValue
ReadConsoleOutputAttribute
GlobalGetAtomNameW
GetConsoleAliasesLengthA
VirtualAllocEx
FindResourceW
UnregisterWaitEx
GetShortPathNameA
SwitchToThread
GetCurrentDirectoryW
GetCurrentProcessId
ContinueDebugEvent
GetCommandLineW
ClearCommBreak
EnumResourceTypesA
QueryPerformanceFrequency
SetFilePointer
DeleteVolumeMountPointW
SetConsoleTitleA
CloseHandle
GetCommConfig
GetModuleHandleW
CreateProcessA
SetComputerNameExA
GetDefaultCommConfigW
FindFirstChangeNotificationA
GetConsoleAliasExesLengthW
DnsHostnameToComputerNameA
[+] SHELL32.dll
SHBindToParent
SHPathPrepareForWriteA
SHChangeNotify
ExtractIconW
SHQueryRecycleBinW
Shell_NotifyIcon
DragQueryFileA
SHGetDiskFreeSpaceExW
DuplicateIcon
ShellExecuteEx
ExtractIconEx
SHGetDesktopFolder
DragQueryFile
SHBrowseForFolder
SHFreeNameMappings
SHGetSpecialFolderPathW
DragFinish
SHGetFileInfo
SHGetSettings
ShellHookProc
SHGetInstanceExplorer
SHGetDataFromIDListA
SHGetPathFromIDList
CommandLineToArgvW
[+] SHLWAPI.dll
StrChrW
StrRChrW
StrCmpNW
StrChrIW
StrRStrIA
StrChrA
StrStrW
StrChrIA
StrRStrIW
StrCmpNIW
[+] USER32.dll
GetForegroundWindow
SetMenuItemBitmaps
DrawAnimatedRects
PostQuitMessage
BroadcastSystemMessageW
OpenWindowStationW
GetInputState
GetDC
DrawTextA
DefFrameProcW
SendMessageA
GetClientRect
GetNextDlgTabItem
InSendMessage
CopyAcceleratorTableA
RegisterHotKey
DdeConnectList
GetWindowTextLengthW
GetMenuItemCount
DeregisterShellHookWindow
GetMessageA
SendIMEMessageExA
UpdateWindow
SetPropA
CallMsgFilterA
SendIMEMessageExW
ShowWindow
EnumPropsExW
CharToOemBuffA
PeekMessageW
EnableWindow
CharUpperW
GetClipboardFormatNameW
TranslateMessage
SetThreadDesktop
GetDlgItemTextW
CharUpperA
ActivateKeyboardLayout
GetTabbedTextExtentW
EnumDisplayDevicesA
IsCharLowerA
CloseWindow
DrawMenuBar
OpenDesktopA
GetPriorityClipboardFormat
SetTimer
SwitchToThisWindow
CopyRect
GetDialogBaseUnits
RealChildWindowFromPoint
CreateAcceleratorTableA
RegisterWindowMessageW
MapVirtualKeyA
GetOpenClipboardWindow
GetKeyboardLayoutNameA
OffsetRect
VkKeyScanExA
CheckMenuRadioItem
ReleaseCapture
WaitMessage
CreateMenu
CreateWindowStationW
SetWindowsHookExA
PostThreadMessageW
GetMenuStringA
CreateDesktopW
NotifyWinEvent
GetScrollBarInfo
LoadMenuA
RemovePropA
RemoveMenu
MessageBoxExA
DdeUninitialize
LookupIconIdFromDirectory
SendMessageCallbackA
SetRectEmpty
CascadeChildWindows
DestroyCursor
wvsprintfA
MessageBoxIndirectW
CopyImage
EndDeferWindowPos
GetWindowRgn
SetSysColors
SetDoubleClickTime
SubtractRect
SetCursorPos
WinHelpA
SetMessageQueue
ModifyMenuW
GetClassNameA
SetCursor
Number of PE resources by type
RT_ICON 2
RT_STRING 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
ENGLISH US 5
PE resources
ExifTool file metadata
SubsystemVersion
4.0

LinkerVersion
2.5

ImageVersion
0.0

FileSubtype
0

FileVersionNumber
5.0.2134.1

UninitializedDataSize
0

LanguageCode
English (U.S.)

FileFlagsMask
0x003f

CharacterSet
Unicode

InitializedDataSize
52224

EntryPoint
0x1350

OriginalFileName
WINHLP32.EXE

MIMEType
application/octet-stream

LegalCopyright
Copyright (C) Microsoft Corp. 1991-1996

FileVersion
5.00.2134.1

TimeStamp
2012:08:31 22:40:33+01:00

FileType
Win32 EXE

PEType
PE32

InternalName
WINHSTB

ProductVersion
5.00.2134.1

FileDescription
Windows Winhlp32 Stub

OSVersion
4.0

FileOS
Windows NT 32-bit

Subsystem
Windows GUI

MachineType
Intel 386 or later, and compatibles

CompanyName
Microsoft Corporation

CodeSize
312832

ProductName
Microsoft(R) Windows (R) 2000 Operating System

ProductVersionNumber
5.0.2134.1

FileTypeExtension
exe

ObjectFileType
Executable application

File identification
MD5 04f9d2e4bfb3188257c5a31b65bb14c1
SHA1 0ff36c17025ec85cff3ae080da56cb10c7729a9f
SHA256 98bbe7548b6c51247bd2ef0bcf4f4ac45df9851a3dd9c5ceb5e04b9320c55645
ssdeep
6144:NbCdhPuyzFFiIX0zE9NKFEWNFfK4CS0NwIt2+fFBFFrkiL:NmdQWiIXxcXNkjNtZf1Frn

authentihash b9aba1ce0cf548a9d06ac54b1cd112fe8285526e635fde2739fc6830e63e3c8d
imphash 97ee12ccf175dad3b3741eec99929329
File size 364.4 KB ( 373112 bytes )
File type Win32 EXE
Magic literal
PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID Win32 Executable MS Visual C++ 4.x (81.6%)
Windows screen saver (7.9%)
Win32 Dynamic Link Library (generic) (3.9%)
Win32 Executable (generic) (2.7%)
Win16/32 Executable Delphi generic (1.2%)
Tags
peexe signed overlay

VirusTotal metadata
First submission 2012-08-31 21:54:50 UTC ( 4 years, 10 months ago )
Last submission 2015-09-23 16:03:09 UTC ( 1 year, 9 months ago )
File names file-7059816_vir
04F9D2E4BFB3188257C5A31B65BB14C1.vir
WINHSTB
updateflashplayer.exe
WINHLP32.EXE
virussign.com_04f9d2e4bfb3188257c5a31b65bb14c1.vir
04f9d2e4bfb3188257c5a31b65bb14c1
04f9d2e4bfb3188257c5a31b65bb14c1.virobj
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
No comments. No VirusTotal Community member has commented on this item yet, be the first one to do so!
More comments

Leave your comment...

?
Post comment

You have not signed in. Only registered users can leave comments, sign in and have a voice!

Sign in Join the community
No votes. No one has voted on this item yet, be the first one to do so!
More votes
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Opened mutexes
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
Blog | Twitter | | Google groups | ToS | Privacy policy