SHA256: f181aafa4cc93117631f2376cb3543d7f4f6c0570cf95cb8bb526e99ab56f095
File name: paddle.jpg.exe
Detection ratio: 8 / 67
Analysis date: 2017-12-19 20:46:11 UTC ( 1 year, 1 month ago )
Antivirus | Result | Update
Baidu | Win32.Trojan.WisdomEyes.16070401.9500.9825 | 20171219
CrowdStrike Falcon (ML) | malicious_confidence_60% (D) | 20171016
Endgame | malicious (high confidence) | 20171130
ESET-NOD32 | a variant of Win32/GenKryptik.BJGR | 20171219
Fortinet | W32/GenKryptik.BECV!tr | 20171219
Sophos ML | heuristic | 20170914
Qihoo-360 | HEUR/QVM03.0.F401.Malware.Gen | 20171219
Webroot | W32.Adware.Gen | 20171219
Ad-Aware | - | 20171219
AegisLab | - | 20171219
AhnLab-V3 | - | 20171219
Alibaba | - | 20171219
ALYac | - | 20171219
Antiy-AVL | - | 20171219
Arcabit | - | 20171219
Avast | - | 20171219
Avast-Mobile | - | 20171219
AVG | - | 20171219
Avira (no cloud) | - | 20171219
AVware | - | 20171219
BitDefender | - | 20171219
Bkav | - | 20171218
CAT-QuickHeal | - | 20171219
ClamAV | - | 20171219
CMC | - | 20171218
Comodo | - | 20171219
Cybereason | - | 20171103
Cylance | - | 20171219
Cyren | - | 20171219
DrWeb | - | 20171219
eGambit | - | 20171219
Emsisoft | - | 20171219
F-Prot | - | 20171219
F-Secure | - | 20171219
GData | - | 20171219
Ikarus | - | 20171219
Jiangmin | - | 20171219
K7AntiVirus | - | 20171219
K7GW | - | 20171219
Kaspersky | - | 20171219
Kingsoft | - | 20171219
Malwarebytes | - | 20171219
MAX | - | 20171219
McAfee | - | 20171219
McAfee-GW-Edition | - | 20171219
Microsoft | - | 20171219
eScan | - | 20171219
NANO-Antivirus | - | 20171219
nProtect | - | 20171219
Palo Alto Networks (Known Signatures) | - | 20171219
Panda | - | 20171219
Rising | - | 20171219
SentinelOne (Static ML) | - | 20171207
Sophos AV | - | 20171219
SUPERAntiSpyware | - | 20171219
Symantec | - | 20171219
Symantec Mobile Insight | - | 20171219
Tencent | - | 20171219
TheHacker | - | 20171219
TotalDefense | - | 20171219
TrendMicro-HouseCall | - | 20171219
Trustlook | - | 20171219
VBA32 | - | 20171219
VIPRE | - | 20171219
ViRobot | - | 20171219
WhiteArmor | - | 20171204
Yandex | - | 20171219
Zillya | - | 20171219
ZoneAlarm by Check Point | - | 20171219
Zoner | - | 20171219
The file being studied is a Portable Executable (PE) file. More specifically, it is a Win32 EXE built for the Windows GUI subsystem.
FileVersionInfo properties
Copyright: ITIBITI INc.
Product: eSET
Original name: Creationism.exe
Internal name: Creationism
File version: 5.05.0004
Description: EaSY_HIDE_IP VPN
Comments:
PE header basic information
Target machine: Intel 386 or later processors and compatible processors
Compilation timestamp: 2017-12-19 16:46:03
Entry Point: 0x000013A4
Number of sections: 3
PE sections
Overlays
MD5: 620f0b67a91f7f74151bc5be745b7110
File type: ASCII text
Offset: 290816
Size: 4096
Entropy: 0.00
PE imports
_adj_fdiv_m32
__vbaChkstk
__vbaLenVar
_adj_fpatan
__vbaEnd
__vbaStrCmp
_allmul
_CIsin
_adj_fdivr_m64
__vbaBoolVar
_adj_fprem
__vbaLateMemSt
Ord(596)
__vbaVarTstNe
__vbaObjVar
_adj_fdiv_m32i
__vbaFreeObjList
__vbaLateMemCall
__vbaVarForInit
EVENT_SINK_QueryInterface
Ord(647)
__vbaVarAnd
__vbaSetSystemError
__vbaFreeVarList
DllFunctionCall
__vbaFPException
_adj_fdivr_m16i
__vbaStrMove
EVENT_SINK_Release
_adj_fdiv_r
Ord(100)
__vbaVarAdd
__vbaFreeVar
__vbaBoolVarNull
__vbaLateMemCallLd
EVENT_SINK_AddRef
Ord(519)
__vbaAryConstruct2
__vbaVarLateMemCallLd
_adj_fdiv_m64
Ord(651)
__vbaHresultCheckObj
_CIsqrt
__vbaVarSub
_CIlog
__vbaVarMul
_CIcos
Ord(595)
__vbaVarTstEq
_adj_fptan
_CItan
Ord(539)
__vbaI4Var
__vbaVarMove
__vbaVarLateMemSt
_CIatan
__vbaNew2
__vbaVarForNext
__vbaLateIdCallLd
__vbaOnError
_adj_fdivr_m32i
__vbaAryDestruct
_CIexp
__vbaInStrVar
_adj_fprem1
_adj_fdivr_m32
__vbaVarDup
__vbaFreeStr
_adj_fdiv_m16i
__vbaExceptHandler
Number of PE resources by type
RT_ICON 8
RT_BITMAP 1
RT_VERSION 1
RT_GROUP_ICON 1
Number of PE resources by language
NEUTRAL 9
ENGLISH US 2
PE resources
ExifTool file metadata
CodeSize: 45056
SubsystemVersion: 4.0
LinkerVersion: 6.0
ImageVersion: 5.5
FileSubtype: 0
FileVersionNumber: 5.5.0.4
LanguageCode: English (U.S.)
FileFlagsMask: 0x0000
FileDescription: EaSY_HIDE_IP VPN
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
CharacterSet: Unicode
InitializedDataSize: 245760
EntryPoint: 0x13a4
OriginalFileName: Creationism.exe
MIMEType: application/octet-stream
LegalCopyright: ITIBITI INc.
FileVersion: 5.05.0004
TimeStamp: 2017:12:19 17:46:03+01:00
FileType: Win32 EXE
PEType: PE32
InternalName: Creationism
ProductVersion: 5.05.0004
UninitializedDataSize: 0
OSVersion: 4.0
FileOS: Win32
Subsystem: Windows GUI
MachineType: Intel 386 or later, and compatibles
CompanyName: APPLE
LegalTrademarks: AUDACITY TEam
ProductName: eSET
ProductVersionNumber: 5.5.0.4
FileTypeExtension: exe
ObjectFileType: Executable application
Compressed bundles
File identification
MD5: 5e1b9a7c7b905c4b9f01f718c008a14b
SHA1: 227f2057e08a58cbc87aeab1fca55dcdb3b64075
SHA256: f181aafa4cc93117631f2376cb3543d7f4f6c0570cf95cb8bb526e99ab56f095
ssdeep: 3072:M7w1ggbwzPHKOG4lMWiZfUMRu7X9W3XFjfpUtrJ4:MkSzPJdfofM98BUt
authentihash: 2d12876ae4b61a437f4b3d9aa862e8236e84802a5a25178f1dce866eb7107eb5
imphash: f4a58e67c567d0dd0c20e27282cfa250
File size: 288.0 KB ( 294912 bytes )
File type: Win32 EXE
Magic literal: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

TrID
Win32 Executable Microsoft Visual Basic 6 (88.6%)
Win32 Executable (generic) (4.8%)
OS/2 Executable (generic) (2.1%)
Generic Win/DOS Executable (2.1%)
DOS Executable Generic (2.1%)
Tags: peexe overlay
VirusTotal metadata
First submission 2017-12-19 20:46:11 UTC ( 1 year, 1 month ago )
Last submission 2018-05-14 23:56:47 UTC ( 8 months, 1 week ago )
File names
1002-227f2057e08a58cbc87aeab1fca55dcdb3b64075
Creationism.exe
paddle.jpg.exe
Creationism
Condensed report. The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were performed either by the file itself or by any other process that the executed file launched or injected code into.
Opened files
Read files
Created processes
Opened mutexes
Searched windows
Hooking activity
Runtime DLLs
Additional details
The file installs an application-defined hook procedure into a hook chain. A hook procedure is installed to monitor the system for certain types of events, which are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done using the SetWindowsHook Windows API function.
UDP communications