folder.exe

Microsoft Windows Operating System

InfoTec LLC

While the file properties state the file is developed by 'Microsoft Corporation', this is not the case; it is designed to look like a legitimate Microsoft system file. The certificate it is signed with has identical subject and issuer fields (InfoTec LLC), meaning it is self-signed rather than issued by a trusted certificate authority. The executable folder.exe has been detected as malware by 4 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name 'windows32.exe'.
Publisher:
Microsoft Corporation (signed by InfoTec LLC)

Product:
Microsoft® Windows® Operating System

Version:
6.1.7600

MD5:
d558dc716d2ddd9101247315f9e1aab3

SHA-1:
4d166f2c424887f9f41a38ad3a539fba77319b37

SHA-256:
ab6fc3e9b7ddd043f582f88611a7e8171c32feffc096ceed8f434c2b604a0287

Scanner detections:
4 / 68

Status:
Malware

Analysis date:
11/27/2024 6:35:37 PM UTC

Scan engine             Detection                   Engine version
avast!                  MSIL:Crypt-AAE [Trj]        160414-2
Emsisoft Anti-Malware   Gen:Variant.Barys.52190     16.05.20
ESET NOD32              MSIL/Injector.OAP trojan    8.0.319.0
Norman                  Gen:Variant.Barys.52190     19.05.2016 05:17:13

File size:
500.7 KB (512,704 bytes)

Product version:
6.1.7600

Copyright:
© Microsoft Corporation. All rights reserved.

Original file name:
Scan Copy.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\folder.exe

Digital Signature
Signed by:

Authority:
InfoTec LLC

Valid from:
2/7/2016 1:27:21 AM

Valid to:
2/7/2026 1:27:21 AM

Subject:
E=mail@infotec.com, CN=InfoTec, OU=InfoTec Certification, O=InfoTec LLC, L=Boston, S=Massachusetts, C=US

Issuer:
E=mail@infotec.com, CN=InfoTec, OU=InfoTec Certification, O=InfoTec LLC, L=Boston, S=Massachusetts, C=US

Serial number:
009CCF06675C6BDF8D

File PE Metadata
Compilation timestamp:
2/13/2016 5:58:41 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
12288:xGbP/Dr/1kEpGKqU3dYNfzDFvBYc5JStPeozbuVKwTHcCYYtL95td/Vt+9UnxMya:xGbP/6dU3dYNfzDFvBYQJStP5mjTHcCy

Entry address:
0x7D64E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
6.0795

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
494 KB (505,856 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
windows32.exe

Command:
C:\users\{user}\appdata\local\temp\folder.exe


Remove folder.exe - Powered by Reason Core Security