SHA256: 4cfa780d93d15d05b38544c4db3f2a9284b2dd29fd06675729775e3717032c42
File name: KingNeptunes.exe
Detection ratio: 3 / 49
Analysis date: 2014-03-12 16:56:53 UTC ( 11 months, 3 weeks ago )
Antivirus Result Update
AntiVir GAME/Casino.Gen 20140312
ESET-NOD32 a variant of Win32/PrimeCasino.A 20140312
F-Prot W32/Casino.P.gen!Eldorado 20140312
AVG 20140311
Ad-Aware 20140312
Agnitum 20140312
AhnLab-V3 20140312
Antiy-AVL 20140311
Avast 20140312
Baidu-International 20140312
BitDefender 20140312
Bkav 20140312
ByteHero 20140312
CAT-QuickHeal 20140312
CMC 20140312
ClamAV 20140312
Commtouch 20140312
Comodo 20140312
DrWeb 20140312
Emsisoft 20140312
F-Secure 20140312
Fortinet 20140312
GData 20140312
Ikarus 20140312
Jiangmin 20140312
K7AntiVirus 20140312
K7GW 20140312
Kaspersky 20140312
Kingsoft 20140312
Malwarebytes 20140312
McAfee 20140312
McAfee-GW-Edition 20140312
MicroWorld-eScan 20140312
Microsoft 20140312
NANO-Antivirus 20140312
Norman 20140312
Panda 20140312
Qihoo-360 20140302
Rising 20140312
SUPERAntiSpyware 20140311
Sophos 20140312
Symantec 20140312
TheHacker 20140312
TotalDefense 20140312
TrendMicro 20140312
TrendMicro-HouseCall 20140312
VBA32 20140312
VIPRE 20140312
ViRobot 20140312
nProtect 20140312
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block
Publisher Microgaming Software Systems Limited
Product MicrogamingInstall
Internal name Install Program
File version 16.9.4.1282
Description Install Program
Signature verification Signed file, verified signature
Signing date 4:13 PM 10/3/2013
Signers
[+] Microgaming Software Systems Limited
Status Valid
Valid from 12:41 PM 3/21/2013
Valid to 7:35 PM 3/21/2016
Valid usage Code Signing, 1.3.6.1.4.1.311.61.1.1
Algorithm SHA1
Thumbprint 1D9845CA814E20FF1B6971959EF0F22D2D1C0A1B
Serial number 4C 17 40 9A
[+] Entrust Code Signing Certification Authority - L1D
Status Valid
Valid from 4:41 PM 11/11/2011
Valid to 9:51 AM 11/12/2021
Valid usage All
Algorithm SHA1
Thumbprint D0D7578B7317228E31D42EDF356A7C64F1050473
Serial number 4C 0E 8C 3A
[+] Entrust.net Certification Authority (2048)
Status Valid
Valid from 4:18 PM 3/23/2009
Valid to 4:48 PM 3/23/2019
Valid usage All
Algorithm SHA1
Thumbprint B975811DDA15107EF5E0DC28141C7B938EBE4C26
Serial number 46 9E 91 1A
[+] Entrust
Status Valid
Valid from 5:09 PM 5/25/1999
Valid to 5:39 PM 5/25/2019
Valid usage Server Auth, Client Auth, Code Signing, Email Protection, IPSEC Tunnel, IPSEC User, 1.3.6.1.5.5.8.2.2, Timestamp Signing, EFS
Algorithm SHA1
Thumbprint 99A69BE61AFE886B4D2B82007CB854FC317E1539
Serial number 37 4A D2 43
Counter signers
[+] Entrust Time Stamping Authority
Status Valid
Valid from 4:51 PM 12/16/2011
Valid to 9:44 PM 12/16/2014
Valid usage Timestamp Signing
Algorithm SHA1
Thumbprint 5FA4726FEC4B97187508EB0AD05876D5A5F9148E
Serial number 4C 17 06 D5
[+] Entrust Code Signing Certification Authority - L1D
Status Valid
Valid from 4:41 PM 11/11/2011
Valid to 9:51 AM 11/12/2021
Valid usage All
Algorithm SHA1
Thumbprint D0D7578B7317228E31D42EDF356A7C64F1050473
Serial number 4C 0E 8C 3A
[+] Entrust.net Certification Authority (2048)
Status Valid
Valid from 4:18 PM 3/23/2009
Valid to 4:48 PM 3/23/2019
Valid usage All
Algorithm SHA1
Thumbprint B975811DDA15107EF5E0DC28141C7B938EBE4C26
Serial number 46 9E 91 1A
[+] Entrust
Status Valid
Valid from 5:09 PM 5/25/1999
Valid to 5:39 PM 5/25/2019
Valid usage Server Auth, Client Auth, Code Signing, Email Protection, IPSEC Tunnel, IPSEC User, 1.3.6.1.5.5.8.2.2, Timestamp Signing, EFS
Algorithm SHA1
Thumbprint 99A69BE61AFE886B4D2B82007CB854FC317E1539
Serial number 37 4A D2 43
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2013-10-03 13:55:13
Entry Point 0x00038FBE
Number of sections 4
PE sections
PE imports
RegCreateKeyExW
CloseServiceHandle
SetEntriesInAclW
RegCloseKey
OpenServiceA
RegSetValueExW
FreeSid
RegQueryValueExA
RegOpenKeyExW
RegSetValueExA
GetUserNameA
RegSetValueA
RegEnumKeyW
RegCreateKeyExA
RegOpenKeyExA
RegSetValueW
OpenSCManagerA
RegQueryValueExW
RegQueryValueW
DeleteDC
SelectObject
GetStockObject
GetDIBits
BitBlt
CreateDIBSection
CreateCompatibleDC
DeleteObject
GetVolumePathNameW
GetStdHandle
GetDriveTypeW
ReleaseMutex
FileTimeToSystemTime
GetComputerNameA
GetFileAttributesA
WaitForSingleObject
GetDriveTypeA
EncodePointer
GetFileAttributesW
GetLocalTime
DeleteCriticalSection
GetCurrentProcess
GetCurrentDirectoryA
GetConsoleMode
lstrcatA
OpenFileMappingA
FreeEnvironmentStringsW
SetStdHandle
GetTempPathA
WideCharToMultiByte
LoadLibraryW
InterlockedExchange
WriteFile
MoveFileA
GetSystemTimeAsFileTime
GetThreadTimes
GlobalMemoryStatusEx
HeapReAlloc
GetStringTypeW
GetFullPathNameA
GetOEMCP
LocalFree
FormatMessageW
ResumeThread
GetLogicalDriveStringsA
GetEnvironmentVariableA
FindClose
InterlockedDecrement
FormatMessageA
SetFileAttributesW
QueueUserWorkItem
OutputDebugStringA
SetLastError
PeekNamedPipe
DeviceIoControl
CopyFileW
RemoveDirectoryW
CopyFileA
ExitProcess
FlushFileBuffers
RemoveDirectoryA
FreeLibrary
HeapSetInformation
GetVolumeInformationA
SetThreadPriority
SetHandleCount
UnhandledExceptionFilter
TlsGetValue
MultiByteToWideChar
GetPrivateProfileStringW
CreateMutexA
SetFilePointer
CreateSemaphoreA
CreateThread
SetFileAttributesA
GetExitCodeThread
SetUnhandledExceptionFilter
IsProcessorFeaturePresent
GetSystemDirectoryA
MoveFileExA
SetEnvironmentVariableA
TerminateProcess
SetEndOfFile
GetCurrentThreadId
LeaveCriticalSection
SetCurrentDirectoryA
WriteConsoleW
CreateToolhelp32Snapshot
InitializeCriticalSectionAndSpinCount
HeapFree
EnterCriticalSection
OpenProcess
lstrcmpiA
SetEvent
QueryPerformanceCounter
GetTickCount
TlsAlloc
GetVersionExA
LoadLibraryA
RtlUnwind
ExitThread
Process32Next
DecodePointer
GetFileSize
Process32First
GetPrivateProfileIntA
CreateDirectoryA
DeleteFileA
GetStartupInfoW
CreateDirectoryW
DeleteFileW
WaitForMultipleObjects
GetProcessHeap
CompareStringW
GetModuleFileNameW
GetFileInformationByHandle
FindFirstFileExA
FindFirstFileA
lstrcpyA
GetTempFileNameA
CreateFileMappingA
FindNextFileA
GetDiskFreeSpaceExA
GetProcAddress
GetTimeZoneInformation
CreateFileW
CreateEventA
IsDebuggerPresent
GetFileType
TlsSetValue
CreateFileA
HeapAlloc
InterlockedIncrement
GetLastError
LCMapStringW
HeapCreate
GetSystemInfo
lstrlenA
GetConsoleCP
GetEnvironmentStringsW
GetModuleFileNameA
FileTimeToLocalFileTime
GetCurrentDirectoryW
GetCurrentProcessId
lstrlenW
GetCPInfo
HeapSize
GetCommandLineA
InterlockedCompareExchange
GetCurrentThread
lstrcpynW
RaiseException
ReleaseSemaphore
MapViewOfFile
TlsFree
GetModuleHandleA
ReadFile
CloseHandle
lstrcpynA
GetACP
GetModuleHandleW
CreateProcessA
IsValidCodePage
UnmapViewOfFile
CreateProcessW
Sleep
VariantChangeType
SafeArrayAccessData
VariantTimeToSystemTime
SysStringLen
SysAllocStringLen
SafeArrayUnaccessData
VariantClear
SysAllocString
VariantCopy
SafeArrayCreateVector
SysFreeString
VariantInit
GetModuleFileNameExA
SHGetFolderPathW
SHChangeNotify
SHGetPathFromIDListW
SHGetSpecialFolderPathA
SHGetSpecialFolderLocation
SHGetMalloc
ShellExecuteA
Shell_NotifyIconA
StrStrA
PathAppendA
PathCanonicalizeA
SHDeleteKeyA
PathAppendW
PathCanonicalizeW
MapWindowPoints
SetFocus
UpdateWindow
SetLayeredWindowAttributes
OffsetRect
DefWindowProcW
DefWindowProcA
ShowWindow
FlashWindowEx
SetWindowPos
GetSystemMetrics
SetWindowLongW
MessageBoxW
GetWindowRect
DispatchMessageA
EnableWindow
PostMessageA
MoveWindow
MessageBoxA
PeekMessageA
ChildWindowFromPoint
SetWindowLongA
wvsprintfA
TranslateMessage
IsWindowEnabled
GetWindowDC
PostThreadMessageA
GetCursorPos
CreatePopupMenu
GetDlgCtrlID
SetWindowTextA
RegisterClassW
GetWindowLongW
IsWindowVisible
SendMessageA
GetClientRect
RegisterClassA
InvalidateRect
wsprintfA
SendMessageTimeoutA
CreateWindowExA
LoadCursorA
LoadIconA
TrackPopupMenu
GetMessageA
GetActiveWindow
AdjustWindowRect
CopyRect
LoadImageA
CreateWindowExW
ReleaseDC
wsprintfW
SetForegroundWindow
AppendMenuW
IsDialogMessageA
DestroyWindow
GetFileVersionInfoSizeA
GetFileVersionInfoA
VerQueryValueA
HttpSendRequestA
InternetOpenUrlA
InternetSetOptionA
HttpOpenRequestA
InternetReadFile
InternetCrackUrlW
InternetGetLastResponseInfoA
InternetOpenA
InternetConnectA
InternetQueryOptionA
InternetOpenUrlW
HttpQueryInfoA
InternetCrackUrlA
InternetOpenW
InternetCreateUrlA
InternetCloseHandle
WSAAddressToStringA
getservbyport
htons
htonl
inet_addr
ioctlsocket
WSAStartup
gethostbyname
ntohs
WSASetLastError
WSACleanup
gethostbyaddr
WSAGetLastError
getservbyname
OleUninitialize
OleCreate
CoInitialize
OleInitialize
OleSetContainedObject
StringFromIID
CoCreateInstance
CLSIDFromProgID
CoUninitialize
CoCreateGuid
CoTaskMemFree
CoSetProxyBlanket
CoTaskMemAlloc
CoInternetGetSession
PE exports
Number of PE resources by type
RT_ICON 1
RT_GROUP_ICON 1
RT_DIALOG 1
RT_VERSION 1
RT_MANIFEST 1
Number of PE resources by language
ENGLISH SOUTH AFRICA 3
NEUTRAL 1
ENGLISH US 1
ExifTool file metadata
SubsystemVersion 5.1
LinkerVersion 10.0
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 16.9.4.1282
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Unicode
InitializedDataSize 144384
MIMEType application/octet-stream
FileVersion 16.9.4.1282
TimeStamp 2013:10:03 14:55:13+01:00
FileType Win32 EXE
PEType PE32
InternalName Install Program
FileAccessDate 2014:03:17 13:03:07+01:00
ProductVersion 16.9.4
FileDescription Install Program
OSVersion 5.1
FileCreateDate 2014:03:17 13:03:07+01:00
FileOS Windows NT 32-bit
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CodeSize 421376
ProductName MicrogamingInstall
ProductVersionNumber 16.9.4.0
EntryPoint 0x38fbe
ObjectFileType Executable application

File identification
MD5 1cd6db7edbbc07d1c68968f584c0ac82
SHA1 265d94526e8424c3a06d1b37438f7f1d66e591db
SHA256 4cfa780d93d15d05b38544c4db3f2a9284b2dd29fd06675729775e3717032c42
ssdeep 24576:5KHfERhsCjwu9kb0E8BpxXjCYzomxpE90yph:5EusgkbEpdCYzLxpEVph
imphash 368908feefa0aa1ba4668affa866b84d
File size 923.0 KB ( 945168 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Windows Screen Saver (46.4%)
Win32 Dynamic Link Library (generic) (23.3%)
Win32 Executable (generic) (15.9%)
Generic Win/DOS Executable (7.1%)
DOS Executable Generic (7.0%)
Tags peexe signed
VirusTotal metadata
First submission 2014-03-12 16:44:40 UTC ( 11 months, 3 weeks ago )
Last submission 2014-03-17 12:03:08 UTC ( 11 months, 2 weeks ago )
File names vti-rescan
Install Program
KingNeptunes.exe
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
Opened files
Read files
Created mutexes
Opened mutexes
Searched windows
Hooking activity
Runtime DLLs
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done making use of the SetWindowsHook Windows API function.