d14514434487588cb65be5e1f68aae81_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

d14514434487588cb65be5e1f68aae81_JaffaCakes118
Size

1.9MB
MD5

d14514434487588cb65be5e1f68aae81
SHA1

f17d10c4abecba80f4010578014f9247ab83e358
SHA256

1448ad8c5b46bbc07eec82e0ec18757cc5b6d8251a54692131df3036b8f66838
SHA512

a2f31b2bf06c53e66c48c326c59ccd40e04d5d5b274f61714f71ce42906ea361a0620022ec5eb75dbe483fb130011e963d61e153bb12121ca965f238c291b0de
SSDEEP

49152:nqUvc3Wlq7zez0HgaR68mREx8nAemqefhF5Y4p:q+chzgy68Px8Ajqefq4p

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
sample	upx

Unsigned PE 6 IoCs

Checks for missing Authenticode signature.

resource
unpack001/$PLUGINSDIR/NSISdl.dll
unpack001/$PLUGINSDIR/System.dll
unpack001/$PLUGINSDIR/TvGetVersion.dll
unpack001/$PLUGINSDIR/UAC.dll
unpack001/$PLUGINSDIR/UserInfo.dll
unpack001/out.upx

NSIS installer 1 IoCs

installer

resource	yara_rule
static1/unpack001/out.upx	nsis_installer_2

Files

d14514434487588cb65be5e1f68aae81_JaffaCakes118
.exe windows:4 windows x86 arch:x86

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

25:c9:02:d0:26:e3:12:44:c1:25:99:67:71:c9:dc:01
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

16/01/2008, 00:00

Not After

22/02/2011, 23:59

Subject

CN=TeamViewer GmbH,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=TeamViewer GmbH,ST=Baden Wuerttemberg,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

19:c6:4c:71:95:dc:04:06:4b:21:e7:ac:35:4b:19:fd:1c:e0:48:b3
Signer

Actual PE Digest

19:c6:4c:71:95:dc:04:06:4b:21:e7:ac:35:4b:19:fd:1c:e0:48:b3

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 196KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 17KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
$EXEDIR/SAS.exe
.exe windows:4 windows x86 arch:x86

3a185b08fc1b907727e1e8ee4170f949

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

25:c9:02:d0:26:e3:12:44:c1:25:99:67:71:c9:dc:01
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

16/01/2008, 00:00

Not After

22/02/2011, 23:59

Subject

CN=TeamViewer GmbH,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=TeamViewer GmbH,ST=Baden Wuerttemberg,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

92:19:06:19:33:94:38:d1:48:69:f3:73:47:f8:66:69:f4:a9:30:c9
Signer

Actual PE Digest

92:19:06:19:33:94:38:d1:48:69:f3:73:47:f8:66:69:f4:a9:30:c9

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\TeamViewer\SAS Lib\release\SAS.pdb

Imports

kernel32

ProcessIdToSessionId
LocalAlloc
GetModuleHandleW
GetCurrentThread
GetSystemDirectoryW
Sleep
CloseHandle
LocalFree
VerifyVersionInfoW
VerSetConditionMask
GetCurrentProcess
SetLastError
GetProcAddress
HeapFree
GetVersionExA
HeapAlloc
GetProcessHeap
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetModuleHandleA
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameA
GetModuleFileNameW
FreeEnvironmentStringsA
MultiByteToWideChar
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineA
GetCommandLineW
SetHandleCount
GetFileType
GetStartupInfoA
DeleteCriticalSection
TlsGetValue
GetLastError
TlsSetValue
TlsFree
InterlockedIncrement
GetCurrentThreadId
InterlockedDecrement
HeapDestroy
HeapCreate
VirtualFree
QueryPerformanceCounter
GetTickCount
GetSystemTimeAsFileTime
SetFilePointer
WideCharToMultiByte
GetConsoleCP
GetConsoleMode
EnterCriticalSection
LeaveCriticalSection
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
LoadLibraryA
InitializeCriticalSection
VirtualAlloc
HeapReAlloc
RtlUnwind
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
HeapSize
CreateFileA
FlushFileBuffers
TlsAlloc
GetCurrentProcessId

user32

MessageBoxA

wtsapi32

WTSQuerySessionInformationW
WTSFreeMemory

version

GetFileVersionInfoSizeW
VerQueryValueW
GetFileVersionInfoW

msvcr80

_vsnwprintf

advapi32

GetTokenInformation
RevertToSelf
RegOpenKeyExW
RegDeleteValueW
ImpersonateSelf
OpenThreadToken
LookupPrivilegeValueW
OpenProcessToken
RegSetValueExW
RegCloseKey
SetTokenInformation
RegQueryValueExW

Exports

Exports

_SASLibEx_GetFeatures@0
_SASLibEx_GetVersion@0
_SASLibEx_Init@0
_SASLibEx_LockWorkstation@4
_SASLibEx_SendSAS@4

Sections

.text
Size: 42KB - Virtual size: 41KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 428B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$EXEDIR/TV.dll
.dll windows:4 windows x86 arch:x86

f9c1f91bb47cfe5f11652860e2ad6982

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

25:c9:02:d0:26:e3:12:44:c1:25:99:67:71:c9:dc:01
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

16/01/2008, 00:00

Not After

22/02/2011, 23:59

Subject

CN=TeamViewer GmbH,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=TeamViewer GmbH,ST=Baden Wuerttemberg,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

64:98:a6:22:ab:45:3c:be:f3:fd:bb:66:38:6f:7d:96:ef:21:51:51
Signer

Actual PE Digest

64:98:a6:22:ab:45:3c:be:f3:fd:bb:66:38:6f:7d:96:ef:21:51:51

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

c:\TeamViewer5_Release\TeamViewer\qs_release\TV.pdb

Imports

comctl32

InitCommonControlsEx

kernel32

GetVersionExA
HeapSize
RtlUnwind
InitializeCriticalSection
WriteFile
GetLocaleInfoA
GetStringTypeW
GetStringTypeA
HeapReAlloc
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
GetSystemTimeAsFileTime
QueryPerformanceCounter
VirtualFree
HeapCreate
HeapDestroy
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
DeleteCriticalSection
GetStartupInfoA
GetFileType
GetStdHandle
SetHandleCount
Sleep
ExitProcess
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
LCMapStringW
MultiByteToWideChar
WideCharToMultiByte
LCMapStringA
ReleaseMutex
GetCurrentThreadId
LocalAlloc
CreateMutexA
OpenMutexA
GetTickCount
LoadLibraryA
GetModuleFileNameA
FreeLibrary
LocalUnlock
LocalFree
LocalLock
GetCurrentProcessId
WaitForSingleObject
GetProcAddress
CloseHandle
GetLastError
VirtualQuery
GetCommandLineA
HeapFree
HeapAlloc
GetProcessHeap
GetCPInfo
InterlockedIncrement
InterlockedDecrement
GetACP
GetOEMCP
IsValidCodePage
GetModuleHandleA
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
SetLastError

user32

BeginPaint
LoadBitmapA
GetClassNameA
RedrawWindow
InvalidateRect
RegisterWindowMessageA
TrackMouseEvent
GetDesktopWindow
GetWindowRect
UnhookWindowsHookEx
GetSysColor
SetWindowPos
SystemParametersInfoA
SetActiveWindow
UnregisterClassA
GetDC
GetSystemMetrics
GetWindowDC
GetWindowLongA
CallNextHookEx
IsWindowVisible
ShowWindow
InflateRect
GetWindowInfo
CreateWindowExA
GetWindowThreadProcessId
EndPaint
GetActiveWindow
RegisterClassA
ReleaseDC
FindWindowExA
SendNotifyMessageA
GetClassInfoA
IsWindow
MoveWindow
DestroyWindow
MapWindowPoints
IsZoomed
PostMessageA
GetClientRect
SetRect
IsRectEmpty
FindWindowA
SendMessageA
SetWindowLongA
DefWindowProcA
UnionRect
SetWindowsHookExA
LoadCursorA

gdi32

GetStockObject
CreateCompatibleBitmap
DeleteDC
Rectangle
DeleteObject
SelectObject
GetDeviceCaps
Polyline
CreatePen
LineTo
CreateCompatibleDC
ExtCreatePen
CreateSolidBrush
MoveToEx
CreateRectRgn
GetPixel
BitBlt
SetPixel
CombineRgn
GetObjectA

advapi32

RegCloseKey
RegOpenKeyExA
RegQueryValueExA

Exports

Exports

AddProcessExclusion
GetChangeRegion
GetChangedWindowList
IsTitleBarButtonPressed
RemoveProcessExclusion
SetButtonXOffset
SetSingleWindow
ShowTitleBarButton
StartHooks
StopHooks

Sections

.text
Size: 48KB - Virtual size: 47KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.sharedv
Size: 20KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$EXEDIR/TeamViewer.exe
.exe windows:4 windows x86 arch:x86

8a333c8870f050a3b3dc12c77b28b7da

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

25:c9:02:d0:26:e3:12:44:c1:25:99:67:71:c9:dc:01
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

16/01/2008, 00:00

Not After

22/02/2011, 23:59

Subject

CN=TeamViewer GmbH,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=TeamViewer GmbH,ST=Baden Wuerttemberg,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

d3:8d:f5:cc:1f:99:73:0a:02:08:0d:45:21:b7:8e:7c:f9:01:cf:3f
Signer

Actual PE Digest

d3:8d:f5:cc:1f:99:73:0a:02:08:0d:45:21:b7:8e:7c:f9:01:cf:3f

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\TeamViewer5_Release\TeamViewer\qs_release\TeamViewer_qs.pdb

Imports

winmm

waveOutRestart
mixerClose
mixerGetID
mixerOpen
timeEndPeriod
timeBeginPeriod
waveInOpen
waveInGetNumDevs
waveInReset
waveInStart
waveInClose
waveInUnprepareHeader
waveInAddBuffer
waveInPrepareHeader
waveOutClose
waveOutUnprepareHeader
waveOutWrite
waveOutPause
waveOutPrepareHeader
waveOutOpen
waveOutGetNumDevs
waveOutReset
mixerSetControlDetails

comctl32

ImageList_GetIcon
ImageList_SetBkColor
ImageList_ReplaceIcon
ImageList_Create
ImageList_Remove
InitCommonControlsEx
ImageList_GetImageCount

avicap32

capGetDriverDescriptionA
capCreateCaptureWindowA

msvfw32

DrawDibClose
DrawDibDraw
DrawDibOpen

sensapi

IsNetworkAlive

kernel32

GetPriorityClass
SetPriorityClass
GetExitCodeThread
TryEnterCriticalSection
CreateThread
ResumeThread
ResetEvent
GetCurrentThread
LocalLock
LocalSize
LocalUnlock
SetProcessShutdownParameters
GlobalFree
GlobalHandle
CompareStringA
GetModuleHandleA
GetWindowsDirectoryA
GetSystemDirectoryA
LoadLibraryA
QueryPerformanceCounter
QueryPerformanceFrequency
SetStdHandle
IsValidLocale
EnumSystemLocalesA
GetEnvironmentStrings
FreeEnvironmentStringsA
GetConsoleMode
GetConsoleCP
SetHandleCount
GetTimeZoneInformation
GetOEMCP
HeapCreate
ExitThread
GetStringTypeA
LCMapStringA
GetStdHandle
GetFileType
ExitProcess
GetStartupInfoA
SetThreadPriority
RtlUnwind
GetDateFormatA
GetTimeFormatA
IsDebuggerPresent
UnhandledExceptionFilter
TerminateProcess
CreateWaitableTimerA
SetWaitableTimer
TlsSetValue
TlsGetValue
TlsFree
TlsAlloc
CreateFileMappingA
MapViewOfFileEx
SetEndOfFile
UnmapViewOfFile
GetSystemInfo
FormatMessageA
GetFileTime
GetThreadLocale
GetACP
GetVersionExA
IsProcessorFeaturePresent
InterlockedCompareExchange
HeapSize
HeapReAlloc
HeapDestroy
GetOverlappedResult
DeviceIoControl
LocalAlloc
GetUserDefaultLCID
GetLocaleInfoA
FileTimeToLocalFileTime
CreateFileA
DeleteFileA
SetUnhandledExceptionFilter
FindNextFileA
FindFirstFileA
VirtualFree
VirtualAlloc
HeapAlloc
GetLocalTime
CompareFileTime
SetEnvironmentVariableA
GetConsoleOutputCP
WriteConsoleA
DuplicateHandle
GetCurrentProcess
GetCurrentThreadId
SetEvent
GetSystemTimeAsFileTime
CreateSemaphoreA
ReleaseSemaphore
GetProcessHeap
HeapFree
CreateEventA
GetTickCount
WaitForSingleObject
CloseHandle
FlushInstructionCache
SetLastError
EnterCriticalSection
LeaveCriticalSection
RaiseException
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
FindClose
SetErrorMode
LockResource
SystemTimeToFileTime
SetFilePointer
SetFileTime
LocalFileTimeToFileTime
ReadFile
GetFileSize
MoveFileExW
InterlockedDecrement
InterlockedExchange
InterlockedIncrement
LoadResource
FlushFileBuffers
FreeLibrary
WriteFile
LocalFree
GetModuleFileNameA
GetCommandLineW
ReleaseMutex
CreateMutexA
SizeofResource
GlobalUnlock
GlobalLock
GlobalAlloc
MulDiv
OpenProcess
InitializeCriticalSection
Sleep
DeleteCriticalSection
GetCurrentProcessId
GetLastError
WaitForMultipleObjects
GetCommandLineA

user32

IsMenu
GetIconInfo
SetThreadDesktop
GetWindowRgn
GetCursorInfo
OpenInputDesktop
CloseDesktop
GetUserObjectInformationW
GetThreadDesktop
SetCursorPos
CreateIconIndirect
InvalidateRgn
CreatePopupMenu
MsgWaitForMultipleObjects
GetSystemMenu
BeginDeferWindowPos
GetWindowPlacement
SetWindowPlacement
CreateMenu
GetSysColor
GetMessagePos
DestroyAcceleratorTable
GetNextDlgTabItem
DrawEdge
EndDeferWindowPos
FlashWindow
GetDialogBaseUnits
SendDlgItemMessageA
GetDlgItemTextA
GetMenuState
FrameRect
DestroyCursor
DrawFocusRect
SetWindowContextHelpId
UnregisterClassA
OpenDesktopW
SetDlgItemTextA
GetCapture
MoveWindow
TranslateMessage
GetWindow
GetWindowRect
MapWindowPoints
SetWindowPos
IsWindow
InvalidateRect
SetTimer
InflateRect
MapDialogRect
DeferWindowPos
DrawIconEx
SetScrollPos
GetScrollInfo
ScrollWindowEx
SetScrollInfo
SetParent
GetSysColorBrush
GetDesktopWindow
MessageBeep
GetWindowDC
WindowFromPoint
SetRectEmpty
GetMenuItemCount
DestroyIcon
TrackMouseEvent
PtInRect
DestroyWindow
BlockInput
BringWindowToTop
SetActiveWindow
GetParent
DeleteMenu
IsChild
CreateWindowExA
GetCursorPos
ScreenToClient
KillTimer
GetClientRect
BeginPaint
EndPaint
EnableMenuItem
SetFocus
ShowWindow
DestroyMenu
OffsetRect
SetWindowRgn
SetRect
GetSubMenu
CheckMenuRadioItem
ClientToScreen
TrackPopupMenuEx
RemoveMenu
CheckMenuItem
CopyRect
ShowScrollBar
GetSystemMetrics
AdjustWindowRect
FillRect
IsIconic
UpdateWindow
IntersectRect
SetForegroundWindow
IsRectEmpty
ReleaseCapture
GetCursor
SetCapture
EmptyClipboard
SetClipboardData
CloseClipboard
SetClipboardViewer
ChangeClipboardChain
GetClipboardViewer
OpenClipboard
ToAscii
GetKeyboardState
ToUnicode
GetKeyState
SendInput
GetFocus
GetAsyncKeyState
CallNextHookEx
UnhookWindowsHookEx
MessageBoxA
GetDC
GetDlgItem
EndDialog
GetActiveWindow
EqualRect
GetForegroundWindow
GetWindowThreadProcessId
RedrawWindow
GetDlgCtrlID
IsWindowEnabled
GetGUIThreadInfo
EnumWindows
IsWindowVisible
SetCursor
PostQuitMessage
ReleaseDC
UnionRect

gdi32

SetRectRgn
SelectClipRgn
BitBlt
GetRegionData
GetRgnBox
CombineRgn
CreateRectRgn
CreatePolygonRgn
DeleteDC
DeleteObject
GetStockObject
CreateSolidBrush
DPtoLP
SetBkColor
StretchBlt
SetViewportOrgEx
SetWindowOrgEx
CreatePatternBrush
CreateBitmap
PatBlt
RoundRect
CreateDIBSection
CreateCompatibleBitmap
CreateRectRgnIndirect
MaskBlt
GetObjectType
SetBrushOrgEx
SetStretchBltMode
SetPixel
CreatePalette
SelectPalette
RealizePalette
GetDIBits
GetDCOrgEx
GetSystemPaletteEntries
CreateRoundRectRgn
FrameRgn
SetDIBitsToDevice
PtInRegion
CreateCompatibleDC
SelectObject
SetBkMode
Ellipse
Polygon
Rectangle
SetDIBColorTable
GetDeviceCaps
MoveToEx
GetPixel
LineTo
SetTextColor
RectInRegion
OffsetRgn
CreatePen

advapi32

EqualSid
GetTokenInformation
InitializeSecurityDescriptor
RegSetValueExA
RegEnumKeyExA
RegEnumValueA
GetSidIdentifierAuthority
DuplicateTokenEx
SetTokenInformation
CreateProcessAsUserW
AllocateAndInitializeSid
SetEntriesInAclW
SetNamedSecurityInfoW
OpenProcessToken
LookupPrivilegeValueW
AdjustTokenPrivileges
FreeSid
RevertToSelf
ImpersonateLoggedOnUser
RegisterEventSourceW
ReportEventW
DeregisterEventSource
SetSecurityDescriptorDacl
RegCloseKey
CryptAcquireContextA
CryptReleaseContext
CryptGenRandom
LookupAccountNameW

shell32

ord155
ord680
CommandLineToArgvW
SHAppBarMessage
SHGetSpecialFolderLocation
DragAcceptFiles

ole32

CoTaskMemAlloc
CoUninitialize
CoCreateInstance
StringFromGUID2
OleUninitialize
CreateStreamOnHGlobal
CoInitializeSecurity
OleLockRunning
OleInitialize
CLSIDFromProgID
CLSIDFromString
CoInitializeEx
CoCreateGuid
CoTaskMemFree
CoGetClassObject
CoTaskMemRealloc

oleaut32

OleCreatePropertyFrame
SysStringByteLen
OleCreateFontIndirect
LoadRegTypeLi
SafeArrayGetDim
VariantCopy
SysAllocStringLen
SysStringLen
VariantInit
VariantClear
VarUI4FromStr
VariantChangeType
SysAllocString
SafeArrayGetElement
LoadTypeLi
SysFreeString

iphlpapi

DeleteIPAddress
GetAdapterIndex
GetAdaptersInfo

mpr

WNetOpenEnumW
WNetEnumResourceW
WNetCloseEnum

shlwapi

PathRemoveFileSpecW
PathCompactPathW

wsock32

ioctlsocket
recv
shutdown
closesocket
gethostname
inet_addr
gethostbyname
WSAStartup
WSACleanup
select
htonl
ntohs
__WSAFDIsSet
getpeername
getsockname
connect
getsockopt
recvfrom
bind
accept
listen
setsockopt
socket
sendto
htons
send
inet_ntoa
WSAGetLastError

wininet

HttpSendRequestA
InternetGoOnlineA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestExA
InternetWriteFile
HttpEndRequestA
HttpQueryInfoA
InternetQueryDataAvailable
InternetConnectW
HttpOpenRequestW
HttpSendRequestW
HttpQueryInfoW
InternetErrorDlg
InternetReadFile
InternetOpenW
InternetSetOptionW
InternetQueryOptionW
InternetCloseHandle

ws2_32

WSACreateEvent
WSAWaitForMultipleEvents
WSAResetEvent
WSACloseEvent
WSASetEvent
WSAEventSelect

crypt32

CertGetNameStringW
CertGetNameStringA
CertFreeCertificateContext
CryptVerifyMessageSignature

imagehlp

ImageGetCertificateHeader
ImageEnumerateCertificates
ImageGetCertificateData

Sections

.text
Size: 3.3MB - Virtual size: 3.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 891KB - Virtual size: 891KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 150KB - Virtual size: 697KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 2B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$EXEDIR/TeamViewer.ini
$EXEDIR/TeamViewer_Service.exe
.exe windows:4 windows x86 arch:x86

2c77b3039a24ad9724c4aadd32b49d78

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

25:c9:02:d0:26:e3:12:44:c1:25:99:67:71:c9:dc:01
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

16/01/2008, 00:00

Not After

22/02/2011, 23:59

Subject

CN=TeamViewer GmbH,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=TeamViewer GmbH,ST=Baden Wuerttemberg,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

4d:d0:dd:fc:2e:ce:3b:b0:9b:e1:4a:98:f9:c1:16:84:f8:8f:d9:35
Signer

Actual PE Digest

4d:d0:dd:fc:2e:ce:3b:b0:9b:e1:4a:98:f9:c1:16:84:f8:8f:d9:35

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\TeamViewer5_Release\HostService\Release\TeamViewer_Service.pdb

Imports

userenv

CreateEnvironmentBlock
DestroyEnvironmentBlock

crypt32

CertFreeCertificateContext
CryptVerifyMessageSignature
CertGetNameStringA

imagehlp

ImageEnumerateCertificates
ImageGetCertificateHeader
ImageGetCertificateData

wintrust

WinVerifyTrust

wtsapi32

WTSQuerySessionInformationA
WTSFreeMemory

kernel32

GetExitCodeProcess
ProcessIdToSessionId
DisconnectNamedPipe
ReadFile
CreateProcessA
DeleteFileA
SetEvent
FindFirstFileA
CreateEventA
GetConsoleCP
SetFilePointer
IsValidLocale
GetCurrentProcess
GetModuleFileNameA
SetCurrentDirectoryA
MultiByteToWideChar
CreateFileA
LocalAlloc
FreeLibrary
SetLastError
CreateNamedPipeA
GetVersionExA
LoadLibraryA
GetProcAddress
GetCurrentProcessId
OpenProcess
GetLastError
CloseHandle
TerminateProcess
Sleep
GetConsoleMode
GetLocaleInfoW
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
FlushFileBuffers
WritePrivateProfileStringA
GetPrivateProfileIntA
LocalFree
GetPrivateProfileStringA
WaitForSingleObject
EnumSystemLocalesA
GetLocaleInfoA
GetUserDefaultLCID
HeapFree
HeapAlloc
RtlUnwind
RaiseException
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
SetFileAttributesA
GetFileAttributesA
GetCommandLineA
GetProcessHeap
GetStartupInfoA
HeapDestroy
HeapCreate
VirtualFree
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
VirtualAlloc
HeapReAlloc
GetModuleHandleA
ExitProcess
WriteFile
GetStdHandle
GetCPInfo
InterlockedIncrement
InterlockedDecrement
GetACP
GetOEMCP
IsValidCodePage
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
GetCurrentThreadId
LCMapStringA
WideCharToMultiByte
LCMapStringW
HeapSize
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
QueryPerformanceCounter
GetTickCount
GetSystemTimeAsFileTime
InitializeCriticalSection
InterlockedExchange
GetStringTypeA
GetStringTypeW

user32

MessageBoxA
ExitWindowsEx

advapi32

QueryServiceConfigA
StartServiceCtrlDispatcherA
SetServiceStatus
CreateServiceA
ChangeServiceConfigA
CreateProcessAsUserA
DuplicateToken
ImpersonateLoggedOnUser
RevertToSelf
RegCreateKeyA
RegDeleteKeyA
RegCreateKeyExA
RegCloseKey
RegQueryValueExA
RegSetValueExA
RegOpenKeyExA
AllocateAndInitializeSid
GetLengthSid
InitializeAcl
AddAccessAllowedAce
RegSetKeySecurity
DuplicateTokenEx
SetTokenInformation
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
OpenSCManagerA
OpenServiceA
CloseServiceHandle
QueryServiceStatus
DeleteService
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges

shell32

ShellExecuteExA
ShellExecuteA

Sections

.text
Size: 129KB - Virtual size: 129KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$EXEDIR/Teamviewer_Resource_en.dll
.dll windows:4 windows x86 arch:x86

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15/06/2007, 00:00

Not After

14/06/2012, 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

25:c9:02:d0:26:e3:12:44:c1:25:99:67:71:c9:dc:01
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

16/01/2008, 00:00

Not After

22/02/2011, 23:59

Subject

CN=TeamViewer GmbH,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=TeamViewer GmbH,ST=Baden Wuerttemberg,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

3b:b6:ec:e9:c2:a2:0c:df:4a:1e:c4:58:b9:1e:f2:ca:00:02:7b:2f
Signer

Actual PE Digest

3b:b6:ec:e9:c2:a2:0c:df:4a:1e:c4:58:b9:1e:f2:ca:00:02:7b:2f

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rsrc
Size: 720KB - Virtual size: 716KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$EXEDIR/logo.bmp
$PLUGINSDIR/NSISdl.dll
.dll windows:4 windows x86 arch:x86

9cce555dd3ff1b6c7dc92d64c794c51a

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

WaitForSingleObject
lstrcpynA
lstrlenA
lstrcatA
GlobalAlloc
GlobalFree
CloseHandle
GetTickCount
DeleteFileA
Sleep
WriteFile
CreateFileA
lstrcmpiA
lstrcpyA
MulDiv
CreateThread

user32

CharPrevA
SetWindowLongA
RegisterWindowMessageA
CallWindowProcA
DestroyWindow
EnableWindow
GetWindowLongA
CreateWindowExA
GetWindowRect
GetClientRect
ShowWindow
IsWindowVisible
GetFocus
GetDlgItem
FindWindowExA
SetWindowTextA
SendMessageA
wsprintfA
SetDlgItemTextA

advapi32

RegQueryValueExA
RegOpenKeyExA
RegCloseKey

ws2_32

gethostbyname
inet_addr
ioctlsocket
htons
socket
closesocket
shutdown
connect
__WSAFDIsSet
select
recv
WSAGetLastError
send
WSACleanup
WSAStartup

Exports

Exports

download
download_quiet

Sections

.text
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 836B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/System.dll
.dll windows:4 windows x86 arch:x86

2017f2acbdaa42ab3e4adeb8b4c37e7b

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GlobalAlloc
GlobalFree
GlobalSize
GetLastError
lstrcpyA
lstrcpynA
FreeLibrary
lstrcatA
GetProcAddress
LoadLibraryA
GetModuleHandleA
MultiByteToWideChar
lstrlenA
WideCharToMultiByte
VirtualAlloc
VirtualProtect

user32

wsprintfA

ole32

StringFromGUID2
CLSIDFromString

Exports

Exports

Alloc
Call
Copy
Free
Get
Int64Op
Store

Sections

.text
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 784B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 100B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 520B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/TvGetVersion.dll
.dll windows:4 windows x86 arch:x86

a147e98bc4c8de2e7a562af6dc54045c

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetLastError
GlobalFree
CloseHandle
ReadFile
GlobalAlloc
GetFileSize
CreateFileA
GetDriveTypeA
GetCurrentThreadId
GetCommandLineA
HeapFree
HeapAlloc
GetProcessHeap
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
ExitProcess
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
InterlockedDecrement
Sleep
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
DeleteCriticalSection
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
lstrlenA
HeapCreate
VirtualFree
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
WriteFile
LeaveCriticalSection
EnterCriticalSection
LoadLibraryA
InitializeCriticalSection
VirtualAlloc
HeapReAlloc
RtlUnwind
LCMapStringA
MultiByteToWideChar
LCMapStringW
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
HeapSize
lstrcpynA
lstrcpyA
lstrcmpiA
GetSystemInfo
GetModuleHandleA
GetProcAddress
lstrcatA
HeapDestroy
GetVersionExA

user32

wsprintfA
GetSystemMetrics
SendMessageA

advapi32

RegOpenKeyExA
RegQueryValueExA
RegCloseKey
CloseServiceHandle
OpenServiceA
OpenSCManagerA
DeleteService
ControlService

Exports

Exports

IsNetPath
IsTvPasswordSet
LoadFile
RemoveService
WindowsName
WindowsPlatformArchitecture
WindowsPlatformId
WindowsServerName
WindowsServicePack
WindowsServicePackBuild
WindowsType
WindowsVersion
WindowsVersionMajor
WindowsVersionMinor

Sections

.text
Size: 31KB - Virtual size: 30KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 176B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/UAC.dll
.dll windows:4 windows x86 arch:x86

70dd3dc09a6a9df40b2eeb3eb051c3ff

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetModuleFileNameA
SetLastError
CloseHandle
GlobalFree
LocalFree
FormatMessageA
MultiByteToWideChar
GetLastError
CreateProcessA
GlobalAlloc
lstrlenA
LoadLibraryA
FreeLibrary
lstrcatA
GetExitCodeProcess
WaitForSingleObject
lstrcmpiA
lstrcpyA
GetVersionExA
GetCurrentProcess
GetCurrentThread
GetCurrentProcessId
Sleep
CreateThread
GetStartupInfoA
GetCommandLineA
GetPrivateProfileIntA
GetPrivateProfileStringA
GetProcAddress
GetModuleHandleA

user32

EnableWindow
GetWindowLongA
DestroyWindow
LoadImageA
SetWindowLongA
EndDialog
MessageBoxA
SendMessageW
DialogBoxParamA
CharNextA
SendMessageTimeoutA
DefWindowProcA
PostQuitMessage
SetForegroundWindow
DispatchMessageA
GetMessageA
CreateWindowExA
RegisterClassA
UnregisterClassA
PostMessageA
IsWindow
ShowWindow
SetWindowTextA
wsprintfA
GetDlgItem
LoadStringA
SendMessageA

advapi32

RegCloseKey
RegOpenKeyExA
RegQueryValueExA

shell32

ShellExecuteExA

ole32

CoInitialize
CoUninitialize

Exports

Exports

Exec
ExecCodeSegment
ExecWait
GetElevationType
IsAdmin
RunElevated
ShellExec
ShellExecWait
SupportsUAC
Unload

Sections

.text
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 1020B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 820B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/UserInfo.dll
.dll windows:4 windows x86 arch:x86

afa8e526425f3585465337467d0b5909

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetVersion
GetCurrentThread
lstrcpynA
GetCurrentProcess
GetModuleHandleA
GetProcAddress
GetLastError
GlobalFree
CloseHandle
GlobalAlloc

advapi32

OpenProcessToken
GetTokenInformation
AllocateAndInitializeSid
EqualSid
FreeSid
GetUserNameA
OpenThreadToken

Exports

Exports

GetAccountType
GetName
GetOriginalAccountType

Sections

.text
Size: 1024B - Virtual size: 741B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 673B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 88B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 190B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
out.upx
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 107KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 44KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2Certificate

Extended Key Usages

Key Usages

25:c9:02:d0:26:e3:12:44:c1:25:99:67:71:c9:dc:01Certificate

Extended Key Usages

Key Usages

19:c6:4c:71:95:dc:04:06:4b:21:e7:ac:35:4b:19:fd:1c:e0:48:b3Signer

Headers

DLL Characteristics

File Characteristics

Sections

UPX0 Size: - Virtual size: 196KB

UPX1 Size: 17KB - Virtual size: 20KB

.rsrc Size: 24KB - Virtual size: 24KB

3a185b08fc1b907727e1e8ee4170f949

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2Certificate

Extended Key Usages

Key Usages

25:c9:02:d0:26:e3:12:44:c1:25:99:67:71:c9:dc:01Certificate

Extended Key Usages

Key Usages

92:19:06:19:33:94:38:d1:48:69:f3:73:47:f8:66:69:f4:a9:30:c9Signer

Headers

File Characteristics

PDB Paths

Imports

kernel32

user32

wtsapi32

version

msvcr80

advapi32

Exports

Exports

Sections

.text Size: 42KB - Virtual size: 41KB

.rdata Size: 10KB - Virtual size: 9KB

.data Size: 4KB - Virtual size: 11KB

.rsrc Size: 512B - Virtual size: 428B

f9c1f91bb47cfe5f11652860e2ad6982

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2Certificate

Extended Key Usages

Key Usages

25:c9:02:d0:26:e3:12:44:c1:25:99:67:71:c9:dc:01Certificate

Extended Key Usages

Key Usages

64:98:a6:22:ab:45:3c:be:f3:fd:bb:66:38:6f:7d:96:ef:21:51:51Signer

Headers

File Characteristics

PDB Paths

Imports

comctl32

kernel32

user32

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

25:c9:02:d0:26:e3:12:44:c1:25:99:67:71:c9:dc:01
Certificate

19:c6:4c:71:95:dc:04:06:4b:21:e7:ac:35:4b:19:fd:1c:e0:48:b3
Signer

UPX0
Size: - Virtual size: 196KB

UPX1
Size: 17KB - Virtual size: 20KB

.rsrc
Size: 24KB - Virtual size: 24KB

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

25:c9:02:d0:26:e3:12:44:c1:25:99:67:71:c9:dc:01
Certificate

92:19:06:19:33:94:38:d1:48:69:f3:73:47:f8:66:69:f4:a9:30:c9
Signer

.text
Size: 42KB - Virtual size: 41KB

.rdata
Size: 10KB - Virtual size: 9KB

.data
Size: 4KB - Virtual size: 11KB

.rsrc
Size: 512B - Virtual size: 428B

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

25:c9:02:d0:26:e3:12:44:c1:25:99:67:71:c9:dc:01
Certificate

64:98:a6:22:ab:45:3c:be:f3:fd:bb:66:38:6f:7d:96:ef:21:51:51
Signer

.text
Size: 48KB - Virtual size: 47KB

.rdata
Size: 12KB - Virtual size: 11KB

.data
Size: 4KB - Virtual size: 7KB

.sharedv
Size: 20KB - Virtual size: 16KB

.rsrc
Size: 4KB - Virtual size: 2KB

.reloc
Size: 8KB - Virtual size: 5KB

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

25:c9:02:d0:26:e3:12:44:c1:25:99:67:71:c9:dc:01
Certificate

d3:8d:f5:cc:1f:99:73:0a:02:08:0d:45:21:b7:8e:7c:f9:01:cf:3f
Signer

.text
Size: 3.3MB - Virtual size: 3.3MB

.rdata
Size: 891KB - Virtual size: 891KB

.data
Size: 150KB - Virtual size: 697KB

.tls
Size: 512B - Virtual size: 2B

.rsrc
Size: 24KB - Virtual size: 24KB

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

25:c9:02:d0:26:e3:12:44:c1:25:99:67:71:c9:dc:01
Certificate