SHA256: b1da8cea0e755636f31febdede80a9022d4a1663a38c50c8d9c6e14ef1a7cae6
File name: vt-upload-_gyLv
Detection ratio: 21 / 51
Analysis date: 2014-03-21 22:33:16 UTC ( 3 years ago )
Antivirus Result Update
AhnLab-V3 Trojan/Win32.Tenagour 20140321
AntiVir TR/Dropper.VB.13100 20140321
AVG Luhe.Fiha.A 20140321
Baidu-International Trojan.Win32.Zbot.adFp 20140321
Bkav HW32.CDB.5ffb 20140321
ByteHero Virus.Win32.Heur.p 20140321
ESET-NOD32 a variant of Win32/Injector.AZKA 20140321
Fortinet W32/Zbot.RRGP!tr 20140321
Kaspersky Trojan-Spy.Win32.Zbot.rrgp 20140321
Kingsoft Win32.Troj.Zbot.rr.(kcloud) 20140321
Malwarebytes Backdoor.Bot 20140321
McAfee Artemis!18C6675CF081 20140321
McAfee-GW-Edition Artemis!18C6675CF081 20140321
Norman Injector.GDCU 20140321
Panda Trj/Genetic.gen 20140321
Qihoo-360 Malware.QVM03.Gen 20140321
Sophos Mal/Generic-S 20140321
TrendMicro TROJ_FORUCON.BMC 20140321
TrendMicro-HouseCall TROJ_FORUCON.BMC 20140321
VBA32 TrojanSpy.Zbot.rrgp 20140321
VIPRE Trojan.Win32.Generic!BT 20140321
Ad-Aware 20140321
AegisLab 20140321
Yandex 20140321
Antiy-AVL 20140320
Avast 20140321
BitDefender 20140321
CAT-QuickHeal 20140320
ClamAV 20140321
CMC 20140319
Commtouch 20140321
Comodo 20140321
DrWeb 20140321
Emsisoft 20140321
F-Prot 20140321
F-Secure 20140321
GData 20140321
Ikarus 20140321
Jiangmin 20140321
K7AntiVirus 20140321
K7GW 20140321
Microsoft 20140321
eScan 20140321
NANO-Antivirus 20140321
nProtect 20140321
Rising 20140321
SUPERAntiSpyware 20140321
Symantec 20140321
TheHacker 20140321
TotalDefense 20140321
ViRobot 20140321
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
FileVersionInfo properties
Publisher Flash
Product Flash game
Original name Xaz185papolim.exe
Internal name Xaz185papolim
File version 1.00.0062
Comments Flash game
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2014-03-03 16:27:13
Entry Point 0x00001B78
Number of sections 3
PE sections
PE imports
_adj_fdivr_m64
__vbaGenerateBoundsError
__vbaInputFile
__vbaGet3
_adj_fprem
__vbaAryMove
__vbaObjVar
_adj_fdiv_r
_allmul
__vbaObjSetAddref
__vbaFixstrConstruct
Ord(100)
__vbaHresultCheckObj
__vbaAryUnlock
_CIlog
Ord(595)
__vbaVarLateMemCallLd
_adj_fptan
__vbaFileClose
Ord(581)
__vbaI4Var
__vbaAryCopy
__vbaFreeStr
__vbaStrI2
__vbaStrI4
__vbaFreeVarg
__vbaI2I4
_adj_fdiv_m16i
EVENT_SINK_QueryInterface
_CIsin
Ord(531)
__vbaI4Str
__vbaLenBstr
__vbaResume
Ord(617)
__vbaStrToUnicode
_adj_fdiv_m32i
Ord(717)
__vbaExceptHandler
__vbaSetSystemError
DllFunctionCall
__vbaFreeVar
__vbaFileOpen
__vbaUI1I2
Ord(711)
__vbaAryLock
EVENT_SINK_Release
__vbaVarTstEq
__vbaFreeStrList
__vbaOnError
_adj_fdivr_m32i
__vbaStrCat
__vbaVarDup
__vbaChkstk
__vbaPrintFile
__vbaLsetFixstr
Ord(570)
__vbaErase
__vbaVarLateMemSt
__vbaFreeObjList
__vbaVar2Vec
__vbaFreeVarList
__vbaStrVarMove
__vbaCastObj
__vbaExitProc
__vbaAryConstruct2
Ord(520)
__vbaFreeObj
_adj_fdivr_m32
__vbaStrVarVal
_CIcos
Ord(713)
__vbaVarMove
__vbaErrorOverflow
__vbaNew2
__vbaAryDestruct
__vbaStrMove
_adj_fprem1
_adj_fdiv_m32
Ord(685)
EVENT_SINK_AddRef
_adj_fpatan
Ord(712)
__vbaVarVargNofree
__vbaStrCopy
__vbaFPException
__vbaAryVar
_adj_fdivr_m16i
__vbaVarAdd
_adj_fdiv_m64
Ord(526)
_CIsqrt
__vbaVarCopy
_CIatan
__vbaLateMemCall
__vbaObjSet
Ord(644)
__vbaVarCat
_CIexp
__vbaStrToAnsi
_CItan
GetUserNameA
TextOutA
CallWindowProcW
InternetGetLastResponseInfoA
Number of PE resources by type
RT_ICON 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 2
ENGLISH NEUTRAL 1
PE resources
ExifTool file metadata
UninitializedDataSize 0
Comments Flash game
InitializedDataSize 16384
ImageVersion 1.0
FileSubtype 0
FileVersionNumber 1.0.0.62
LanguageCode English (U.S.)
FileFlagsMask 0x0000
CharacterSet Unicode
LinkerVersion 6.0
FileOS Win32
MIMEType application/octet-stream
FileVersion 1.00.0062
TimeStamp 2014:03:03 17:27:13+01:00
FileType Win32 EXE
PEType PE32
InternalName Xaz185papolim
FileAccessDate 2014:03:21 23:34:51+01:00
ProductVersion 1.00.0062
SubsystemVersion 4.0
OSVersion 4.0
FileCreateDate 2014:03:21 23:34:51+01:00
OriginalFilename Xaz185papolim.exe
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName Flash
CodeSize 32768
ProductName Flash game
ProductVersionNumber 1.0.0.62
EntryPoint 0x1b78
ObjectFileType Executable application
File identification
MD5 18c6675cf0813a9109310ea5ff983eea
SHA1 1bd0df2452772723f9bcc19d6c8108f2c89c27f8
SHA256 b1da8cea0e755636f31febdede80a9022d4a1663a38c50c8d9c6e14ef1a7cae6
ssdeep 3072:qUfLvc1XeHLgZNXJ+6ZES9guK89pf0vgM1blHh1R2:pfiZNo6ZES9bLJ0vgef1R2
imphash d9931a42c7d33b428df6636c5236c5fa
File size 191.2 KB ( 195758 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable Microsoft Visual Basic 6 (68.1%)
Win64 Executable (generic) (22.9%)
Win32 Executable (generic) (3.7%)
Win32 Executable MS Visual FoxPro 7 (1.8%)
Generic Win/DOS Executable (1.6%)
Tags peexe

VirusTotal metadata
First submission 2014-03-21 22:33:16 UTC ( 3 years ago )
Last submission 2014-03-21 22:33:16 UTC ( 3 years ago )
File names b1da8cea0e755636f31febdede80a9022d4a1663a38c50c8d9c6e14ef1a7cae6.exe
Xaz185papolim
vt-upload-_gyLv
Xaz185papolim.exe
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done making use of the SetWindowsHook Windows API function.