SHA256: 850dc3ebb2437edaf3352eee79ee704cdb881779684c2128f1f07d8dd79c0344
File name: 429937eab224a811d06463d46d62a56b
Detection ratio: 37 / 49
Analysis date: 2014-03-07 10:30:45 UTC (1 month, 2 weeks ago)
Antivirus | Result | Update
AVG | PSW.OnlineGames4.AZJS | 20140306
Ad-Aware | Trojan.PWS.Wow.NHV | 20140307
Agnitum | Trojan.PWS.Wow!pcRwedVrBrk | 20140307
AhnLab-V3 | Trojan/Win32.Infostealer | 20140307
AntiVir | TR/Spy.Gen | 20140307
Avast | Win64:Malware-gen | 20140307
Baidu-International | Trojan.Win64.Agent.Aag | 20140307
BitDefender | Trojan.PWS.Wow.NHV | 20140307
Bkav | W32.VieluotLTV.Trojan | 20140306
Commtouch | W64/PWS.JMJQ-0549 | 20140307
Comodo | TrojWare.Win64.PSW.Wow.er | 20140307
DrWeb | Trojan.PWS.Wow.2473 | 20140307
ESET-NOD32 | Win64/PSW.Agent.B | 20140307
Emsisoft | Trojan.PWS.Wow.NHV (B) | 20140307
F-Prot | W64/Agent.B | 20140307
F-Secure | Trojan.PWS.Wow.NHV | 20140307
Fortinet | W64/OnlineGame.CK!tr.pws | 20140307
GData | Trojan.PWS.Wow.NHV | 20140307
Ikarus | Trojan-PWS.WOW | 20140307
Jiangmin | TrojanSpy.Agent.zrx | 20140307
K7AntiVirus | Password-Stealer ( 00492b971 ) | 20140306
Kaspersky | Trojan-Spy.Win64.Agent.f | 20140307
Malwarebytes | Spyware.OnlineGames.WOW | 20140307
McAfee | RDN/PWS-OnlineGame.ck!c | 20140307
McAfee-GW-Edition | RDN/PWS-OnlineGame.ck!c | 20140307
MicroWorld-eScan | Trojan.PWS.Wow.NHV | 20140307
Norman | Wow.TCT | 20140307
Panda | Trj/WLT.A | 20140307
Sophos | Troj/WowSpy-A | 20140307
Symantec | WS.Reputation.1 | 20140307
TotalDefense | Win64/Gamepass.HENGANC | 20140306
TrendMicro | TSPY64_WOWSPY.A | 20140307
TrendMicro-HouseCall | TSPY64_WOWSPY.A | 20140307
VBA32 | TrojanSpy.Win64.Agent | 20140307
VIPRE | Trojan.Win32.Generic!BT | 20140307
ViRobot | Trojan.Win64.A.Agent.385536 | 20140307
nProtect | Trojan.PWS.Wow.NHV | 20140307
Engines with no detection (signature date only):
Antiy-AVL | - | 20140307
ByteHero | - | 20140307
CAT-QuickHeal | - | 20140307
CMC | - | 20140307
ClamAV | - | 20140307
K7GW | - | 20140306
Kingsoft | - | 20140307
Microsoft | - | 20140307
NANO-Antivirus | - | 20140307
Qihoo-360 | - | 20140302
Rising | - | 20140307
SUPERAntiSpyware | - | 20140307
TheHacker | - | 20140305
The file being studied is a Portable Executable file! More specifically, it is a Win32 DLL file for the Windows GUI subsystem.
PE header basic information
Target machine x64
Compilation timestamp 2013-12-13 06:55:12
Link date 7:55 AM 12/13/2013
Entry Point 0x00018444
Number of sections 8
PE sections
PE imports
RegDeleteKeyA
LookupPrivilegeValueA
RegCloseKey
OpenProcessToken
RegSetValueExA
AdjustTokenPrivileges
RegOpenKeyExA
GetStdHandle
GetFileAttributesA
HeapDestroy
EncodePointer
FlsGetValue
FlsSetValue
DeleteCriticalSection
GetCurrentProcess
GetConsoleMode
FreeEnvironmentStringsW
GetThreadContext
SetStdHandle
GetTempPathA
GetCPInfo
WriteFile
GetSystemTimeAsFileTime
HeapReAlloc
GetStringTypeW
GetThreadPriority
MoveFileA
ResumeThread
InitializeCriticalSection
SetLastError
OpenThread
GetModuleFileNameW
IsDebuggerPresent
HeapAlloc
GetVersionExA
GetModuleFileNameA
HeapSetInformation
SetThreadPriority
RtlVirtualUnwind
UnhandledExceptionFilter
MultiByteToWideChar
FlushInstructionCache
GetModuleHandleA
CreateThread
SetUnhandledExceptionFilter
DecodePointer
TerminateProcess
GetVersion
VirtualQuery
SetEndOfFile
GetCurrentThreadId
WriteConsoleW
InitializeCriticalSectionAndSpinCount
HeapFree
EnterCriticalSection
SetHandleCount
LoadLibraryW
GetOEMCP
QueryPerformanceCounter
GetTickCount
FlushFileBuffers
RtlPcToFileHeader
GetPrivateProfileIntA
DeleteFileA
GetStartupInfoW
GetProcAddress
VirtualProtectEx
GetProcessHeap
RtlLookupFunctionEntry
GetComputerNameA
RtlUnwindEx
CreateFileW
GetFileType
CreateFileA
ExitProcess
LeaveCriticalSection
GetLastError
LCMapStringW
GetSystemInfo
GetConsoleCP
GetEnvironmentStringsW
WritePrivateProfileStringA
GetCurrentProcessId
WideCharToMultiByte
HeapSize
FlsAlloc
GetCommandLineA
FlsFree
GetCurrentThread
SuspendThread
RaiseException
SetFilePointer
ReadFile
RtlCaptureContext
CloseHandle
GetACP
GetModuleHandleW
IsValidCodePage
HeapCreate
VirtualFree
Sleep
VirtualAlloc
wsprintfA
GetSystemMetrics
SetWindowsHookExA
DispatchMessageA
UnhookWindowsHookEx
MessageBoxA
TranslateMessage
GetMessageA
CallNextHookEx
setsockopt
socket
closesocket
WSAStartup
inet_addr
send
recvfrom
gethostbyname
ntohs
connect
sendto
inet_ntoa
htons
recv
getpeername
PE exports
Number of PE resources by type
RT_MANIFEST 1
Number of PE resources by language
ENGLISH US 1
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType AMD AMD64
TimeStamp 2013:12:13 07:55:12+01:00
FileType Win64 DLL
PEType PE32+
CodeSize 145408
LinkerVersion 10.0
FileAccessDate 2014:03:07 11:30:56+01:00
EntryPoint 0x18444
InitializedDataSize 239104
SubsystemVersion 5.2
ImageVersion 0.0
OSVersion 5.2
FileCreateDate 2014:03:07 11:30:56+01:00
UninitializedDataSize 0
Compressed bundles
File identification
MD5 429937eab224a811d06463d46d62a56b
SHA1 bf0e427ad0c6f0dd822e7cc0e80bc414f3e035a1
SHA256 850dc3ebb2437edaf3352eee79ee704cdb881779684c2128f1f07d8dd79c0344
ssdeep 6144:W7433JJWaec+vUR+JUwdqb7XqTvujEW9TB3A2AL:W7o3LwUR+nYd9TG
imphash 95fd8462957951a009654766d57a899e
File size 376.5 KB ( 385536 bytes )
File type Win32 DLL
Magic literal PE32+ executable for MS Windows (DLL) (GUI) Mono/.Net assembly
TrID Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
Tags assembly pedll
VirusTotal metadata
First submission 2013-12-25 03:53:12 UTC (3 months, 4 weeks ago)
Last submission 2014-03-07 10:30:45 UTC (1 month, 2 weeks ago)
File names (as submitted)
  w_64.DLL
  vti-rescan
  6.exe
  w_64.DLL
  0DC035F3.vLL
  429937eab224a811d06463d46d62a56b
  w_64.dll
  w_64.dll
Behaviour characterization
Zemana keylogger