SHA256: e17b71ae262adf7fdde45e1da2549617abed49978926bb5439486b7416d70cee
File name: payload_1.exe
Detection ratio: 35 / 66
Analysis date: 2019-03-06 09:30:31 UTC
Antivirus Result Signature update (YYYYMMDD)
Ad-Aware Trojan.GenericKD.31752427 20190306
ALYac Trojan.GenericKD.31752427 20190306
Arcabit Trojan.Generic.D1E480EB 20190306
Avast Win32:Malware-gen 20190306
AVG Win32:Malware-gen 20190306
Avira (no cloud) TR/Injector.dkomt 20190306
BitDefender Trojan.GenericKD.31752427 20190306
Comodo Malware@#3tid0icjefvdg 20190306
CrowdStrike Falcon (ML) win/malicious_confidence_60% (W) 20190212
DrWeb Trojan.PWS.Siggen2.8271 20190306
Emsisoft Trojan.GenericKD.31752427 (B) 20190306
Endgame malicious (moderate confidence) 20190215
ESET-NOD32 a variant of Win32/Injector.YXM 20190306
F-Secure Trojan.TR/Injector.dkomt 20190306
Fortinet W32/GenericRXGI.CF!tr 20190306
GData Trojan.GenericKD.31752427 20190306
Ikarus Trojan.Inject 20190305
K7AntiVirus Trojan ( 004775081 ) 20190306
K7GW Trojan ( 004775081 ) 20190306
Kaspersky HEUR:Trojan-Spy.Win32.Noon.gen 20190306
McAfee Artemis!D56900241425 20190306
McAfee-GW-Edition GenericRXGI-CF!48151C7EF725 20190306
Microsoft PWS:Win32/Mocrt.A!MTB 20190306
eScan Trojan.GenericKD.31752427 20190306
Palo Alto Networks (Known Signatures) generic.ml 20190306
Panda Trj/GdSda.A 20190303
Qihoo-360 Win32/Trojan.Spy.9dd 20190306
Rising Backdoor.Remcos!8.B89E (CLOUD) 20190306
Sophos AV Mal/Generic-S 20190306
Symantec ML.Attribute.HighConfidence 20190306
Tencent Win32.Trojan.Ursu.Wqmr 20190306
TrendMicro-HouseCall TROJ_GEN.R020H06C519 20190306
VBA32 Trojan.Fuerboos 20190306
Webroot W32.Noon.Gen 20190306
ZoneAlarm by Check Point HEUR:Trojan-Spy.Win32.Noon.gen 20190306
Engines with no detection (signature update YYYYMMDD)
Acronis 20190222
AegisLab 20190306
AhnLab-V3 20190305
Alibaba 20180921
Antiy-AVL 20190306
Avast-Mobile 20190306
Babable 20180918
Baidu 20190306
Bkav 20190304
CAT-QuickHeal 20190304
ClamAV 20190305
CMC 20190306
Cybereason 20190109
Cyren 20190306
eGambit 20190306
Sophos ML 20181128
Jiangmin 20190306
Kingsoft 20190306
Malwarebytes 20190306
MAX 20190306
NANO-Antivirus 20190306
SentinelOne (Static ML) 20190203
SUPERAntiSpyware 20190227
Symantec Mobile Insight 20190220
TACHYON 20190306
TheHacker 20190304
TotalDefense 20190306
Trapmine 20190301
Trustlook 20190306
ViRobot 20190306
Yandex 20190305
Zoner 20190306
The file being studied is a Portable Executable: a Win32 EXE (PE32, Intel 386 machine type, so a 32-bit image) for the Windows GUI subsystem. Note the mismatch with its version resource, which describes it as "Hidden Start (64-bit)" with original name hstart64.exe; ExifTool also flags that version resource as possibly corrupt. The NTWind Software branding in the strings is therefore not evidence that this is the genuine tool, and the file was also submitted under the names tuesday.exe and payload_1.exe.
FileVersionInfo properties
Copyright © 2019 NTWind Software
Product Hidden Start
Original name hstart64.exe
Internal name hstart64.exe
File version 4.6.0.0
Description Hidden Start (64-bit)
Packers identified
F-PROT UPX
PEiD UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 1992-06-19 22:22:17 (0x2A425E19: the fixed value the Borland/Delphi linker writes into every image it links, consistent with the LinkerVersion 2.25 reported by ExifTool; it is a compiler fingerprint, not the real build time)
Entry Point 0x00115400
Number of sections 3
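To reproduce the header fields above from the file itself and to check the two indicators worth noting for this sample (the fixed Delphi link timestamp and a UPX section layout), here is an added Python example using only the standard library; it is not VirusTotal's or NTWind Software's code. Because the sample's section table was not captured on this page, the example builds a constructed PE32 header from the reported values (3 sections, entry point 0x115400, code 516096, initialized data 28672, uninitialized data 618496, linker 2.25, GUI subsystem) with assumed section names UPX0/UPX1/.rsrc and placeholder raw sizes; to run it against a real file, pass that file's bytes to parse_pe instead.

```python
"""Added example (not VirusTotal's or NTWind Software's code): walk a PE32
header without third-party modules, reproduce the fields reported above
(machine, timestamp, entry point, section count, linker version, subsystem,
characteristics) and flag two artefacts this sample shows: the fixed
Borland/Delphi link timestamp and a UPX section layout."""
import struct
from datetime import datetime, timezone

# 0x2A425E19 == 1992-06-19 22:22:17 UTC, the constant the Borland/Delphi
# linker writes as TimeDateStamp instead of the real build time.
DELPHI_DEFAULT_TIMESTAMP = 0x2A425E19

# IMAGE_FILE_* flags, named as ExifTool prints them.
CHARACTERISTICS = [
    (0x0001, "No relocs"), (0x0002, "Executable"), (0x0004, "No line numbers"),
    (0x0008, "No symbols"), (0x0080, "Bytes reversed lo"), (0x0100, "32-bit"),
    (0x8000, "Bytes reversed hi"),
]
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI"}


def parse_pe(data: bytes) -> dict:
    """Return the COFF/optional-header fields and section table of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, lmaj, lmin, code, init, uninit, entry = struct.unpack_from("<HBBIIII", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
    return {
        "machine": machine,
        "timestamp": ts,
        "timestamp_utc": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "characteristics": [n for bit, n in CHARACTERISTICS if chars & bit],
        "linker_version": f"{lmaj}.{lmin}",
        "code_size": code, "initialized_data_size": init, "uninitialized_data_size": uninit,
        "entry_point": entry,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "sections": sections,
    }


def indicators(pe: dict) -> dict:
    """Cheap triage flags derived from the parsed header."""
    names = [s["name"] for s in pe["sections"]]
    ep = pe["entry_point"]
    ep_section = next((s["name"] for s in pe["sections"]
                       if s["va"] <= ep < s["va"] + max(s["vsize"], s["rawsize"])), None)
    return {
        "delphi_default_timestamp": pe["timestamp"] == DELPHI_DEFAULT_TIMESTAMP,
        "upx_section_names": names[:2] == ["UPX0", "UPX1"],
        # UPX leaves its first section with no raw bytes (it is filled at
        # runtime) and places the entry point in UPX1 after the packed data.
        "empty_first_section": bool(pe["sections"]) and pe["sections"][0]["rawsize"] == 0,
        "entry_point_section": ep_section,
    }


def build_sample_pe() -> bytes:
    """Constructed PE32 header mirroring the values reported for this sample.
    Section names and raw sizes are assumptions: the page's section table was
    not captured, and UPX0/UPX1/.rsrc is the layout UPX normally produces."""
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        (b"UPX0", 0x97000, 0x1000, 0, 0x400),
        (b"UPX1", 0x7E000, 0x98000, 0x7D000, 0x400),
        (b".rsrc", 0x7000, 0x116000, 0x6E00, 0x7D400),
    ]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), DELPHI_DEFAULT_TIMESTAMP,
                       0, 0, 0xE0, 0x818F)            # i386, 3 sections, flags as ExifTool decoded them
    opt = bytearray(0xE0)
    struct.pack_into("<HBBIIIIIIIII", opt, 0, 0x10B, 2, 25,
                     0x7E000, 0x7000, 0x97000, 0x115400,   # sizes, AddressOfEntryPoint
                     0x98000, 0x116000, 0x400000, 0x1000, 0x200)
    struct.pack_into("<HHHHHH", opt, 40, 4, 0, 0, 0, 4, 0)  # OS 4.0, image 0.0, subsystem 4.0
    struct.pack_into("<H", opt, 68, 2)                # IMAGE_SUBSYSTEM_WINDOWS_GUI
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", *s, 0, 0, 0, 0, 0) for s in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    for key, value in pe.items():
        print(f"{key}: {value}")
    print(indicators(pe))
```

A first section with SizeOfRawData 0 but a large VirtualSize, plus an entry point inside the second section, is the shape UPX leaves behind; renaming the sections defeats the name check but not those two. The timestamp check identifies the compiler, not malice: every Delphi-built program, the legitimate Hidden Start included, carries 0x2A425E19.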
PE imports
These are the imports of the UPX loader stub, not of the original program. UPX keeps LoadLibraryA and GetProcAddress (together with VirtualProtect and ExitProcess) so the stub can rebuild the real import table in memory after decompression, and retains only one function from each DLL the original program used so that the loader still maps those DLLs. Read the list as a hint of which DLLs the unpacked code touches, not as a record of what it calls.
VirtualProtect
LoadLibraryA
ExitProcess
GetProcAddress
RegOpenKeyA
ImageList_Add
GetSaveFileNameA
SaveDC
OleDraw
VariantCopy
ShellExecuteA
SHGetFolderPathA
VerQueryValueA
Number of PE resources by type
RT_STRING 18
RT_BITMAP 11
RT_RCDATA 8
RT_GROUP_CURSOR 7
RT_CURSOR 7
RT_ICON 6
RT_VERSION 2
RT_GROUP_ICON 2
RT_DIALOG 1
Number of PE resources by language
NEUTRAL 57
RUSSIAN 3
ARABIC EGYPT 1
ENGLISH US 1
ExifTool file metadata
SubsystemVersion 4.0
InitializedDataSize 28672
ImageVersion 0.0
ProductName Hidden Start
FileVersionNumber 4.6.0.0
UninitializedDataSize 618496
LanguageCode English (U.S.)
FileFlagsMask 0x003f
ImageFileCharacteristics No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
CharacterSet Windows, Latin1
LinkerVersion 2.25
FileTypeExtension exe
OriginalFileName hstart64.exe
MIMEType application/octet-stream
Subsystem Windows GUI
FileVersion 4.6.0.0
TimeStamp 1992:06:19 23:22:17+01:00
FileType Win32 EXE
PEType PE32
InternalName hstart64.exe
ProductVersion 4.6.0.0
FileDescription Hidden Start (64-bit)
OSVersion 4.0
FileOS Win32
LegalCopyright 2019 NTWind Software
MachineType Intel 386 or later, and compatibles
CompanyName NTWind Software
CodeSize 516096
FileSubtype 0
ProductVersionNumber 4.6.0.0
Warning Possibly corrupt Version resource
EntryPoint 0x115400
ObjectFileType Executable application

File identification
MD5 d5690024142544e597facc7cbc091022
SHA1 92fcbdd6f9e73ff74078e085acb9ded98a44c3eb
SHA256 e17b71ae262adf7fdde45e1da2549617abed49978926bb5439486b7416d70cee
ssdeep 12288:gNvjXqDP1juox1koosliezDZZzIfayCBcPphppv5XpBiI+3gk349/z:gNL6bwox1kopq1WcxHZ7YID
authentihash 0a87572c148475eeeed1a5c6dac58f3a28ef514b557783af8192801853e303e5
imphash 21e983b8c3b5cec5ac22e7c00df38fd5
File size 530.0 KB ( 542720 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID UPX compressed Win32 Executable (37.1%)
Win32 EXE Yoda's Crypter (36.4%)
Win32 Dynamic Link Library (generic) (9.0%)
Win32 Executable (generic) (6.1%)
Win16/32 Executable Delphi generic (2.8%)
Tags peexe upx
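The imphash reported above is computed over the import table, which for a UPX-packed file is the loader stub's table rather than the original program's, so it clusters this sample with other UPX-packed Delphi binaries that use the same set of DLLs rather than with the unpacked payload. The following added Python example (not VirusTotal's or pefile's code) implements the construction pefile uses so the value can be interpreted. Only function names survive on this page; the DLL each one comes from is not shown, so the constructed import table below is illustrative and is not claimed to reproduce 21e983b8c3b5cec5ac22e7c00df38fd5.

```python
"""Added example (not VirusTotal's or pefile's code): the import-hash
("imphash") construction. Each import is normalised to 'dll.function'
(lower case, .dll/.ocx/.sys stripped from the library name, ordinal imports
written as 'ordN'), the entries are joined with commas in import-table
order, and the result is MD5-hashed."""
import hashlib


def imphash(imports) -> str:
    """imports: [(dll_name, [function_name | ordinal_int, ...]), ...] in table order."""
    parts = []
    for dll, funcs in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
                break
        for func in funcs:
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{dll}.{name}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# Constructed import table. The four kernel32 functions are exactly what the
# UPX loader stub imports; the other two DLL attributions are assumptions made
# for the example, since the page lists only function names.
UPX_STUB_IMPORTS = [
    ("KERNEL32.dll", ["VirtualProtect", "LoadLibraryA", "ExitProcess", "GetProcAddress"]),
    ("ADVAPI32.dll", ["RegOpenKeyA"]),
    ("VERSION.dll", ["VerQueryValueA"]),
]


def same_import_fingerprint(a, b) -> bool:
    """True when two import tables hash identically (same DLLs, same order,
    same functions), which is what makes imphash a packer/compiler cluster
    key rather than a payload identifier for UPX-packed samples."""
    return imphash(a) == imphash(b)


if __name__ == "__main__":
    print(imphash(UPX_STUB_IMPORTS))
    reordered = [(d, list(reversed(f))) for d, f in UPX_STUB_IMPORTS]
    print(same_import_fingerprint(UPX_STUB_IMPORTS, reordered))
```

Two caveats when comparing against tool output: pefile maps a few well-known ordinals (for example in ws2_32 and oleaut32) back to names before hashing, which this minimal version does not, and the hash is order-sensitive, so two builds with identical imports in a different order do not match.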

VirusTotal metadata
First submission 2019-03-05 10:49:04 UTC
Last submission 2019-03-05 10:49:04 UTC
File names tuesday.exe, hstart64.exe, payload_1.exe