0a58677abe0e7ec3dca0c897f7a462e6_JaffaCakes118

Sharing

Copy URL

Twitter E-mail

General

Target

0a58677abe0e7ec3dca0c897f7a462e6_JaffaCakes118
Size

1.9MB
MD5

0a58677abe0e7ec3dca0c897f7a462e6
SHA1

a8c34d62b24a76f1757abb34c0c4a52574a6520c
SHA256

a16371a2a8780503e04066bade11551c07d02f7d294e19282c4c0a4d2d59ce09
SHA512

b4c50d911fa78a56ee2b59becd467010e914b7a34afbc1368707f385cc43fbb3dae9cf2a8dfac581464d19a68acebadc191ea1f24e1499a3ae232c74ae721f22
SSDEEP

49152:7q53vza/N0F9Qqqle9JY4S7pGeaSZxkXLS0LQNxofMsf:Ua/N0DAla2tZ+XLS08aNf

Score

5^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
sample	upx

Unsigned PE 6 IoCs

Checks for missing Authenticode signature.

resource
unpack001/$PLUGINSDIR/NSISdl.dll
unpack001/$PLUGINSDIR/System.dll
unpack001/$PLUGINSDIR/TvGetVersion.dll
unpack001/$PLUGINSDIR/UAC.dll
unpack001/$PLUGINSDIR/UserInfo.dll
unpack001/out.upx

NSIS installer 1 IoCs

installer

resource	yara_rule
static1/unpack001/out.upx	nsis_installer_2

Files

0a58677abe0e7ec3dca0c897f7a462e6_JaffaCakes118
.exe windows:4 windows x86 arch:x86

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15-06-2007 00:00

Not After

14-06-2012 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04-12-2003 00:00

Not After

03-12-2013 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16-07-2004 00:00

Not After

15-07-2014 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

25:c9:02:d0:26:e3:12:44:c1:25:99:67:71:c9:dc:01
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

16-01-2008 00:00

Not After

22-02-2011 23:59

Subject

CN=TeamViewer GmbH,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=TeamViewer GmbH,ST=Baden Wuerttemberg,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

16:b9:59:8c:4e:ad:03:bc:d4:0a:b2:a2:2c:91:fe:cd:7f:41:e2:c5
Signer

Actual PE Digest

16:b9:59:8c:4e:ad:03:bc:d4:0a:b2:a2:2c:91:fe:cd:7f:41:e2:c5

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 196KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 17KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
$EXEDIR/SAS.exe
.exe windows:4 windows x86 arch:x86

3a185b08fc1b907727e1e8ee4170f949

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15-06-2007 00:00

Not After

14-06-2012 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04-12-2003 00:00

Not After

03-12-2013 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16-07-2004 00:00

Not After

15-07-2014 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

25:c9:02:d0:26:e3:12:44:c1:25:99:67:71:c9:dc:01
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

16-01-2008 00:00

Not After

22-02-2011 23:59

Subject

CN=TeamViewer GmbH,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=TeamViewer GmbH,ST=Baden Wuerttemberg,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

92:19:06:19:33:94:38:d1:48:69:f3:73:47:f8:66:69:f4:a9:30:c9
Signer

Actual PE Digest

92:19:06:19:33:94:38:d1:48:69:f3:73:47:f8:66:69:f4:a9:30:c9

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\TeamViewer\SAS Lib\release\SAS.pdb

Imports

kernel32

ProcessIdToSessionId
LocalAlloc
GetModuleHandleW
GetCurrentThread
GetSystemDirectoryW
Sleep
CloseHandle
LocalFree
VerifyVersionInfoW
VerSetConditionMask
GetCurrentProcess
SetLastError
GetProcAddress
HeapFree
GetVersionExA
HeapAlloc
GetProcessHeap
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetModuleHandleA
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameA
GetModuleFileNameW
FreeEnvironmentStringsA
MultiByteToWideChar
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineA
GetCommandLineW
SetHandleCount
GetFileType
GetStartupInfoA
DeleteCriticalSection
TlsGetValue
GetLastError
TlsSetValue
TlsFree
InterlockedIncrement
GetCurrentThreadId
InterlockedDecrement
HeapDestroy
HeapCreate
VirtualFree
QueryPerformanceCounter
GetTickCount
GetSystemTimeAsFileTime
SetFilePointer
WideCharToMultiByte
GetConsoleCP
GetConsoleMode
EnterCriticalSection
LeaveCriticalSection
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
LoadLibraryA
InitializeCriticalSection
VirtualAlloc
HeapReAlloc
RtlUnwind
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
HeapSize
CreateFileA
FlushFileBuffers
TlsAlloc
GetCurrentProcessId

user32

MessageBoxA

wtsapi32

WTSQuerySessionInformationW
WTSFreeMemory

version

GetFileVersionInfoSizeW
VerQueryValueW
GetFileVersionInfoW

msvcr80

_vsnwprintf

advapi32

GetTokenInformation
RevertToSelf
RegOpenKeyExW
RegDeleteValueW
ImpersonateSelf
OpenThreadToken
LookupPrivilegeValueW
OpenProcessToken
RegSetValueExW
RegCloseKey
SetTokenInformation
RegQueryValueExW

Exports

Exports

_SASLibEx_GetFeatures@0
_SASLibEx_GetVersion@0
_SASLibEx_Init@0
_SASLibEx_LockWorkstation@4
_SASLibEx_SendSAS@4

Sections

.text
Size: 42KB - Virtual size: 41KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 428B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$EXEDIR/TV.dll
.dll windows:4 windows x86 arch:x86

487562c07c58e33a8342c55c7172e6d7

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15-06-2007 00:00

Not After

14-06-2012 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04-12-2003 00:00

Not After

03-12-2013 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16-07-2004 00:00

Not After

15-07-2014 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

25:c9:02:d0:26:e3:12:44:c1:25:99:67:71:c9:dc:01
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

16-01-2008 00:00

Not After

22-02-2011 23:59

Subject

CN=TeamViewer GmbH,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=TeamViewer GmbH,ST=Baden Wuerttemberg,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

81:ee:64:86:8a:0c:0e:6e:6b:2e:75:18:ca:d9:c2:a4:88:b6:f9:7e
Signer

Actual PE Digest

81:ee:64:86:8a:0c:0e:6e:6b:2e:75:18:ca:d9:c2:a4:88:b6:f9:7e

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

c:\TeamViewer5_Release\TeamViewer\qs_release\TV.pdb

Imports

comctl32

InitCommonControlsEx

kernel32

GetLastError
HeapSize
RtlUnwind
InitializeCriticalSection
WriteFile
GetLocaleInfoA
GetStringTypeW
GetStringTypeA
HeapReAlloc
VirtualAlloc
EnterCriticalSection
LeaveCriticalSection
GetSystemTimeAsFileTime
QueryPerformanceCounter
VirtualFree
HeapCreate
HeapDestroy
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
DeleteCriticalSection
GetStartupInfoA
GetFileType
GetStdHandle
SetHandleCount
Sleep
ExitProcess
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
LCMapStringW
MultiByteToWideChar
WideCharToMultiByte
LCMapStringA
GetVersionExA
ReleaseMutex
GetCurrentThreadId
LocalAlloc
GetTickCount
CreateMutexA
OpenMutexA
LoadLibraryA
FreeLibrary
LocalUnlock
GetModuleFileNameA
LocalFree
LocalLock
WaitForSingleObject
GetCurrentProcessId
GetProcAddress
CloseHandle
VirtualQuery
GetCommandLineA
HeapFree
HeapAlloc
GetProcessHeap
GetCPInfo
InterlockedIncrement
InterlockedDecrement
GetACP
GetOEMCP
IsValidCodePage
GetModuleHandleA
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
SetLastError

user32

UnhookWindowsHookEx
GetDesktopWindow
GetClassNameA
RegisterWindowMessageA
LoadBitmapA
BeginPaint
GetSysColor
TrackMouseEvent
SystemParametersInfoA
SetWindowPos
GetWindowRect
UnregisterClassA
GetSystemMetrics
IsWindowVisible
SetActiveWindow
GetWindowLongA
GetDC
ShowWindow
GetWindowDC
CallNextHookEx
GetWindowThreadProcessId
CreateWindowExA
RegisterClassA
GetWindowInfo
GetActiveWindow
ReleaseDC
GetClassInfoA
MoveWindow
EndPaint
IsWindow
MapWindowPoints
FindWindowExA
PostMessageA
SendNotifyMessageA
IsRectEmpty
DestroyWindow
FindWindowA
IsZoomed
GetClientRect
DefWindowProcA
SetRect
LoadCursorA
SetWindowsHookExA
SetWindowLongA
SendMessageA
RedrawWindow
UnionRect
InvalidateRect
SetRectEmpty

gdi32

CreateCompatibleBitmap
Rectangle
DeleteDC
DeleteObject
GetDeviceCaps
SelectObject
Polyline
CreatePen
CreateCompatibleDC
CreateSolidBrush
LineTo
ExtCreatePen
MoveToEx
GetPixel
GetObjectA
GetStockObject
BitBlt
SetPixel

advapi32

RegQueryValueExA
RegOpenKeyExA
RegCloseKey

Exports

Exports

AddProcessExclusion
GetChangeRect
GetChangedWindowList
IsTitleBarButtonPressed
RemoveProcessExclusion
SetButtonXOffset
SetSingleWindow
ShowTitleBarButton
StartHooks
StopHooks

Sections

.text
Size: 48KB - Virtual size: 47KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.sharedv
Size: 16KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$EXEDIR/TeamViewer.exe
.exe windows:4 windows x86 arch:x86

4d07c2d1cd47a1015a5fab4e7a5e9418

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15-06-2007 00:00

Not After

14-06-2012 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04-12-2003 00:00

Not After

03-12-2013 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16-07-2004 00:00

Not After

15-07-2014 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

25:c9:02:d0:26:e3:12:44:c1:25:99:67:71:c9:dc:01
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

16-01-2008 00:00

Not After

22-02-2011 23:59

Subject

CN=TeamViewer GmbH,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=TeamViewer GmbH,ST=Baden Wuerttemberg,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

a7:c7:ed:cb:98:87:b5:0d:12:5f:12:90:f8:aa:9e:1a:00:78:f6:98
Signer

Actual PE Digest

a7:c7:ed:cb:98:87:b5:0d:12:5f:12:90:f8:aa:9e:1a:00:78:f6:98

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\TeamViewer5_Release\TeamViewer\qs_release\TeamViewer_qs.pdb

Imports

winmm

waveOutGetNumDevs
mixerOpen
mixerSetControlDetails
mixerClose
timeEndPeriod
timeBeginPeriod
waveInClose
waveInUnprepareHeader
waveInAddBuffer
waveInPrepareHeader
waveInOpen
waveInGetNumDevs
waveInReset
waveInStart
waveOutReset
waveOutRestart
waveOutClose
waveOutUnprepareHeader
waveOutWrite
waveOutPause
waveOutPrepareHeader
waveOutOpen
mixerGetID

comctl32

ImageList_SetBkColor
ImageList_Create
ImageList_Remove
ImageList_ReplaceIcon
InitCommonControlsEx

avicap32

capCreateCaptureWindowA
capGetDriverDescriptionA

msvfw32

DrawDibClose
DrawDibDraw
DrawDibOpen

sensapi

IsNetworkAlive

kernel32

VirtualFree
TryEnterCriticalSection
CreateThread
SetThreadPriority
GetPriorityClass
SetPriorityClass
GetExitCodeThread
ResetEvent
GetCurrentThread
LocalLock
LocalSize
LocalUnlock
SetProcessShutdownParameters
GlobalFree
GlobalHandle
CompareStringA
GetModuleHandleA
GetWindowsDirectoryA
GetSystemDirectoryA
LoadLibraryA
QueryPerformanceCounter
QueryPerformanceFrequency
WriteConsoleA
IsValidLocale
EnumSystemLocalesA
GetEnvironmentStrings
FreeEnvironmentStringsA
GetTimeZoneInformation
GetOEMCP
GetConsoleMode
GetConsoleCP
SetHandleCount
HeapCreate
ExitThread
GetStringTypeA
LCMapStringA
GetStdHandle
GetFileType
ExitProcess
GetStartupInfoA
VirtualAlloc
RtlUnwind
GetDateFormatA
GetTimeFormatA
IsDebuggerPresent
UnhandledExceptionFilter
TerminateProcess
CreateWaitableTimerA
SetWaitableTimer
TlsSetValue
TlsGetValue
TlsFree
TlsAlloc
CreateFileMappingA
MapViewOfFileEx
SetEndOfFile
UnmapViewOfFile
FormatMessageA
GetFileTime
GetThreadLocale
GetACP
GetVersionExA
IsProcessorFeaturePresent
InterlockedCompareExchange
HeapSize
HeapReAlloc
HeapDestroy
GetOverlappedResult
ResumeThread
DeviceIoControl
LocalAlloc
GetUserDefaultLCID
GetLocaleInfoA
SetUnhandledExceptionFilter
FindNextFileA
FindFirstFileA
FileTimeToLocalFileTime
CreateFileA
DeleteFileA
CompareFileTime
HeapAlloc
GetLocalTime
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
SetEnvironmentVariableA
SetStdHandle
GetConsoleOutputCP
WaitForSingleObject
CloseHandle
DuplicateHandle
GetCurrentProcess
GetProcessHeap
GetCurrentThreadId
ReleaseSemaphore
HeapFree
SetEvent
CreateSemaphoreA
GetSystemTimeAsFileTime
CreateEventA
GetTickCount
LeaveCriticalSection
RaiseException
FlushInstructionCache
SetLastError
EnterCriticalSection
FindClose
SetErrorMode
LocalFileTimeToFileTime
SystemTimeToFileTime
SetFilePointer
SetFileTime
LockResource
LoadResource
FlushFileBuffers
FreeLibrary
WriteFile
LocalFree
GetModuleFileNameA
GetCommandLineW
ReleaseMutex
CreateMutexA
SizeofResource
ReadFile
GetFileSize
MoveFileExW
InterlockedDecrement
InterlockedExchange
InterlockedIncrement
GlobalUnlock
GlobalLock
GlobalAlloc
GetLastError
MulDiv
OpenProcess
InitializeCriticalSection
Sleep
DeleteCriticalSection
WaitForMultipleObjects
GetCurrentProcessId
GetCommandLineA

user32

IsMenu
CloseDesktop
GetUserObjectInformationW
GetThreadDesktop
GetIconInfo
GetCursorInfo
GetWindowRgn
SetThreadDesktop
OpenInputDesktop
SetCursorPos
CreateIconIndirect
InvalidateRgn
CreatePopupMenu
MsgWaitForMultipleObjects
GetSystemMenu
GetMessagePos
DestroyAcceleratorTable
GetSysColor
GetNextDlgTabItem
DrawEdge
EndDeferWindowPos
BeginDeferWindowPos
GetWindowPlacement
SetWindowPlacement
GetCapture
SetDlgItemTextA
CreateWindowExA
GetMenuState
DestroyCursor
DrawFocusRect
FrameRect
SetWindowContextHelpId
UnregisterClassA
OpenDesktopW
CreateMenu
SendDlgItemMessageA
MoveWindow
SetTimer
GetWindow
InflateRect
GetWindowRect
MapWindowPoints
IsWindow
SetWindowPos
InvalidateRect
TranslateMessage
FlashWindow
GetDialogBaseUnits
MapDialogRect
DeferWindowPos
DrawIconEx
ScrollWindowEx
SetScrollInfo
SetScrollPos
GetScrollInfo
SetParent
GetSysColorBrush
GetDesktopWindow
MessageBeep
GetWindowDC
WindowFromPoint
SetRectEmpty
BeginPaint
EndPaint
TrackMouseEvent
GetMenuItemCount
DestroyIcon
BlockInput
PtInRect
IsWindowEnabled
IsChild
GetDlgItemTextA
DestroyWindow
GetParent
GetCursorPos
ScreenToClient
KillTimer
GetClientRect
SetWindowRgn
SetRect
GetSubMenu
CheckMenuRadioItem
ClientToScreen
TrackPopupMenuEx
EnableMenuItem
ShowWindow
SetFocus
DestroyMenu
OffsetRect
RemoveMenu
CheckMenuItem
IsIconic
UpdateWindow
IntersectRect
SetForegroundWindow
CopyRect
ShowScrollBar
GetSystemMetrics
FillRect
AdjustWindowRect
UnionRect
GetCursor
SetCapture
SetCursor
OpenClipboard
EmptyClipboard
SetClipboardData
CloseClipboard
SetClipboardViewer
ChangeClipboardChain
ToAscii
GetKeyboardState
ToUnicode
GetKeyState
SendInput
GetFocus
GetAsyncKeyState
CallNextHookEx
UnhookWindowsHookEx
MessageBoxA
SetActiveWindow
IsRectEmpty
GetDC
EndDialog
GetDlgItem
GetActiveWindow
EqualRect
GetForegroundWindow
PostQuitMessage
RedrawWindow
ReleaseDC
GetWindowThreadProcessId
GetGUIThreadInfo
EnumWindows
IsWindowVisible
BringWindowToTop
DeleteMenu
GetDlgCtrlID
ReleaseCapture

gdi32

PtInRegion
CreateRectRgnIndirect
SelectClipRgn
BitBlt
SetRectRgn
CombineRgn
CreateRectRgn
CreatePolygonRgn
DeleteObject
GetStockObject
DeleteDC
SetBkColor
DPtoLP
StretchBlt
SetViewportOrgEx
SetWindowOrgEx
CreatePatternBrush
CreateBitmap
PatBlt
RoundRect
CreateDIBSection
CreateCompatibleBitmap
MaskBlt
CreatePalette
SelectPalette
RealizePalette
GetObjectType
SetBrushOrgEx
SetStretchBltMode
SetPixel
GetSystemPaletteEntries
GetDIBits
GetDCOrgEx
CreateRoundRectRgn
FrameRgn
SetDIBitsToDevice
CreateCompatibleDC
SetTextColor
CreatePen
CreateSolidBrush
SelectObject
SetBkMode
Ellipse
Polygon
Rectangle
SetDIBColorTable
GetPixel
MoveToEx
LineTo
RectInRegion
OffsetRgn
GetDeviceCaps

advapi32

DeregisterEventSource
GetTokenInformation
EqualSid
RegSetValueExA
RegEnumKeyExA
RegEnumValueA
GetSidIdentifierAuthority
DuplicateTokenEx
SetTokenInformation
CreateProcessAsUserW
AllocateAndInitializeSid
SetEntriesInAclW
SetNamedSecurityInfoW
OpenProcessToken
LookupPrivilegeValueW
AdjustTokenPrivileges
FreeSid
RevertToSelf
ImpersonateLoggedOnUser
RegisterEventSourceW
ReportEventW
LookupAccountNameW
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
RegCloseKey
CryptAcquireContextA
CryptReleaseContext
CryptGenRandom

shell32

ord680
SHGetSpecialFolderLocation
ord155
SHAppBarMessage
CommandLineToArgvW
DragAcceptFiles

ole32

CoTaskMemFree
CoInitializeEx
CoInitializeSecurity
StringFromGUID2
OleUninitialize
CreateStreamOnHGlobal
CoTaskMemRealloc
OleLockRunning
OleInitialize
CLSIDFromProgID
CLSIDFromString
CoCreateInstance
CoCreateGuid
CoUninitialize
CoGetClassObject
CoTaskMemAlloc

oleaut32

OleCreatePropertyFrame
SysStringByteLen
OleCreateFontIndirect
LoadRegTypeLi
VariantClear
SysAllocString
SysStringLen
VariantCopy
VariantChangeType
VarUI4FromStr
SafeArrayGetElement
SafeArrayGetDim
SysAllocStringLen
VariantInit
LoadTypeLi
SysFreeString

iphlpapi

DeleteIPAddress
GetAdapterIndex
GetAdaptersInfo

mpr

WNetOpenEnumW
WNetEnumResourceW
WNetCloseEnum

shlwapi

PathRemoveFileSpecW
PathCompactPathW

wsock32

ioctlsocket
recv
shutdown
closesocket
gethostname
inet_addr
gethostbyname
WSAStartup
WSACleanup
select
htonl
ntohs
__WSAFDIsSet
getpeername
getsockname
connect
getsockopt
recvfrom
bind
accept
listen
setsockopt
socket
sendto
htons
send
inet_ntoa
WSAGetLastError

wininet

HttpSendRequestA
InternetGoOnlineA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestExA
InternetWriteFile
HttpEndRequestA
HttpQueryInfoA
InternetQueryDataAvailable
InternetConnectW
HttpOpenRequestW
HttpSendRequestW
HttpQueryInfoW
InternetErrorDlg
InternetReadFile
InternetOpenW
InternetSetOptionW
InternetQueryOptionW
InternetCloseHandle

ws2_32

WSACreateEvent
WSAWaitForMultipleEvents
WSAResetEvent
WSACloseEvent
WSASetEvent
WSAEventSelect

crypt32

CertGetNameStringA
CertGetNameStringW
CertFreeCertificateContext
CryptVerifyMessageSignature

imagehlp

ImageGetCertificateHeader
ImageEnumerateCertificates
ImageGetCertificateData

Sections

.text
Size: 3.3MB - Virtual size: 3.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 875KB - Virtual size: 874KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 150KB - Virtual size: 698KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 2B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$EXEDIR/TeamViewer.ini
$EXEDIR/TeamViewer_Service.exe
.exe windows:4 windows x86 arch:x86

2ef267176cf9764152b520ba31fcea75

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15-06-2007 00:00

Not After

14-06-2012 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04-12-2003 00:00

Not After

03-12-2013 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16-07-2004 00:00

Not After

15-07-2014 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

25:c9:02:d0:26:e3:12:44:c1:25:99:67:71:c9:dc:01
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

16-01-2008 00:00

Not After

22-02-2011 23:59

Subject

CN=TeamViewer GmbH,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=TeamViewer GmbH,ST=Baden Wuerttemberg,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

40:31:74:57:f0:66:b2:59:7c:ab:c9:35:2c:a7:10:83:ed:c0:68:1e
Signer

Actual PE Digest

40:31:74:57:f0:66:b2:59:7c:ab:c9:35:2c:a7:10:83:ed:c0:68:1e

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\TeamViewer5_Release\HostService\Release\TeamViewer_Service.pdb

Imports

userenv

CreateEnvironmentBlock
DestroyEnvironmentBlock

crypt32

CertFreeCertificateContext
CryptVerifyMessageSignature
CertGetNameStringA

imagehlp

ImageEnumerateCertificates
ImageGetCertificateHeader
ImageGetCertificateData

wintrust

WinVerifyTrust

wtsapi32

WTSQuerySessionInformationA
WTSFreeMemory

kernel32

GetExitCodeProcess
ProcessIdToSessionId
DisconnectNamedPipe
ReadFile
CreateProcessA
DeleteFileA
SetEvent
FindFirstFileA
CreateEventA
GetConsoleCP
SetFilePointer
IsValidLocale
GetCurrentProcess
GetModuleFileNameA
SetCurrentDirectoryA
MultiByteToWideChar
CreateFileA
LocalAlloc
LocalFree
FreeLibrary
CreateNamedPipeA
GetVersionExA
LoadLibraryA
GetProcAddress
GetCurrentProcessId
OpenProcess
GetLastError
CloseHandle
TerminateProcess
Sleep
GetConsoleMode
GetLocaleInfoW
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
FlushFileBuffers
WritePrivateProfileStringA
GetPrivateProfileIntA
SetLastError
GetPrivateProfileStringA
WaitForSingleObject
EnumSystemLocalesA
GetLocaleInfoA
GetUserDefaultLCID
HeapFree
HeapAlloc
RtlUnwind
RaiseException
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetCommandLineA
GetProcessHeap
GetStartupInfoA
HeapDestroy
HeapCreate
VirtualFree
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
VirtualAlloc
HeapReAlloc
GetModuleHandleA
ExitProcess
WriteFile
GetStdHandle
GetCPInfo
InterlockedIncrement
InterlockedDecrement
GetACP
GetOEMCP
IsValidCodePage
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
GetCurrentThreadId
LCMapStringA
WideCharToMultiByte
LCMapStringW
HeapSize
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
SetHandleCount
GetFileType
QueryPerformanceCounter
GetTickCount
GetSystemTimeAsFileTime
InitializeCriticalSection
InterlockedExchange
GetStringTypeA
GetStringTypeW

user32

MessageBoxA
ExitWindowsEx

advapi32

ChangeServiceConfigA
StartServiceCtrlDispatcherA
SetServiceStatus
CreateServiceA
QueryServiceConfigA
RegDeleteKeyA
CreateProcessAsUserA
DuplicateToken
ImpersonateLoggedOnUser
RevertToSelf
RegCreateKeyA
RegCreateKeyExA
RegCloseKey
RegQueryValueExA
RegSetValueExA
RegOpenKeyExA
AllocateAndInitializeSid
GetLengthSid
InitializeAcl
AddAccessAllowedAce
RegSetKeySecurity
DuplicateTokenEx
SetTokenInformation
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
OpenSCManagerA
OpenServiceA
CloseServiceHandle
QueryServiceStatus
DeleteService
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges

shell32

ShellExecuteExA
ShellExecuteA

Sections

.text
Size: 129KB - Virtual size: 128KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$EXEDIR/Teamviewer_Resource_en.dll
.dll windows:4 windows x86 arch:x86

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15-06-2007 00:00

Not After

14-06-2012 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04-12-2003 00:00

Not After

03-12-2013 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16-07-2004 00:00

Not After

15-07-2014 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

25:c9:02:d0:26:e3:12:44:c1:25:99:67:71:c9:dc:01
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

16-01-2008 00:00

Not After

22-02-2011 23:59

Subject

CN=TeamViewer GmbH,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=TeamViewer GmbH,ST=Baden Wuerttemberg,C=DE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

b2:91:ca:33:38:8c:20:a4:05:bc:76:a5:e3:d5:8d:1e:e7:92:9f:63
Signer

Actual PE Digest

b2:91:ca:33:38:8c:20:a4:05:bc:76:a5:e3:d5:8d:1e:e7:92:9f:63

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rsrc
Size: 720KB - Virtual size: 720KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$EXEDIR/logo.bmp
$PLUGINSDIR/NSISdl.dll
.dll windows:4 windows x86 arch:x86

9cce555dd3ff1b6c7dc92d64c794c51a

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

WaitForSingleObject
lstrcpynA
lstrlenA
lstrcatA
GlobalAlloc
GlobalFree
CloseHandle
GetTickCount
DeleteFileA
Sleep
WriteFile
CreateFileA
lstrcmpiA
lstrcpyA
MulDiv
CreateThread

user32

CharPrevA
SetWindowLongA
RegisterWindowMessageA
CallWindowProcA
DestroyWindow
EnableWindow
GetWindowLongA
CreateWindowExA
GetWindowRect
GetClientRect
ShowWindow
IsWindowVisible
GetFocus
GetDlgItem
FindWindowExA
SetWindowTextA
SendMessageA
wsprintfA
SetDlgItemTextA

advapi32

RegQueryValueExA
RegOpenKeyExA
RegCloseKey

ws2_32

gethostbyname
inet_addr
ioctlsocket
htons
socket
closesocket
shutdown
connect
__WSAFDIsSet
select
recv
WSAGetLastError
send
WSACleanup
WSAStartup

Exports

Exports

download
download_quiet

Sections

.text
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 836B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/System.dll
.dll windows:4 windows x86 arch:x86

2017f2acbdaa42ab3e4adeb8b4c37e7b

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GlobalAlloc
GlobalFree
GlobalSize
GetLastError
lstrcpyA
lstrcpynA
FreeLibrary
lstrcatA
GetProcAddress
LoadLibraryA
GetModuleHandleA
MultiByteToWideChar
lstrlenA
WideCharToMultiByte
VirtualAlloc
VirtualProtect

user32

wsprintfA

ole32

StringFromGUID2
CLSIDFromString

Exports

Exports

Alloc
Call
Copy
Free
Get
Int64Op
Store

Sections

.text
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 784B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 100B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 520B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/TvGetVersion.dll
.dll windows:4 windows x86 arch:x86

a147e98bc4c8de2e7a562af6dc54045c

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetLastError
GlobalFree
CloseHandle
ReadFile
GlobalAlloc
GetFileSize
CreateFileA
GetDriveTypeA
GetCurrentThreadId
GetCommandLineA
HeapFree
HeapAlloc
GetProcessHeap
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
ExitProcess
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
InterlockedDecrement
Sleep
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
DeleteCriticalSection
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
lstrlenA
HeapCreate
VirtualFree
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
WriteFile
LeaveCriticalSection
EnterCriticalSection
LoadLibraryA
InitializeCriticalSection
VirtualAlloc
HeapReAlloc
RtlUnwind
LCMapStringA
MultiByteToWideChar
LCMapStringW
GetStringTypeA
GetStringTypeW
GetLocaleInfoA
HeapSize
lstrcpynA
lstrcpyA
lstrcmpiA
GetSystemInfo
GetModuleHandleA
GetProcAddress
lstrcatA
HeapDestroy
GetVersionExA

user32

wsprintfA
GetSystemMetrics
SendMessageA

advapi32

RegOpenKeyExA
RegQueryValueExA
RegCloseKey
CloseServiceHandle
OpenServiceA
OpenSCManagerA
DeleteService
ControlService

Exports

Exports

IsNetPath
IsTvPasswordSet
LoadFile
RemoveService
WindowsName
WindowsPlatformArchitecture
WindowsPlatformId
WindowsServerName
WindowsServicePack
WindowsServicePackBuild
WindowsType
WindowsVersion
WindowsVersionMajor
WindowsVersionMinor

Sections

.text
Size: 31KB - Virtual size: 30KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 176B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/UAC.dll
.dll windows:4 windows x86 arch:x86

70dd3dc09a6a9df40b2eeb3eb051c3ff

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetModuleFileNameA
SetLastError
CloseHandle
GlobalFree
LocalFree
FormatMessageA
MultiByteToWideChar
GetLastError
CreateProcessA
GlobalAlloc
lstrlenA
LoadLibraryA
FreeLibrary
lstrcatA
GetExitCodeProcess
WaitForSingleObject
lstrcmpiA
lstrcpyA
GetVersionExA
GetCurrentProcess
GetCurrentThread
GetCurrentProcessId
Sleep
CreateThread
GetStartupInfoA
GetCommandLineA
GetPrivateProfileIntA
GetPrivateProfileStringA
GetProcAddress
GetModuleHandleA

user32

EnableWindow
GetWindowLongA
DestroyWindow
LoadImageA
SetWindowLongA
EndDialog
MessageBoxA
SendMessageW
DialogBoxParamA
CharNextA
SendMessageTimeoutA
DefWindowProcA
PostQuitMessage
SetForegroundWindow
DispatchMessageA
GetMessageA
CreateWindowExA
RegisterClassA
UnregisterClassA
PostMessageA
IsWindow
ShowWindow
SetWindowTextA
wsprintfA
GetDlgItem
LoadStringA
SendMessageA

advapi32

RegCloseKey
RegOpenKeyExA
RegQueryValueExA

shell32

ShellExecuteExA

ole32

CoInitialize
CoUninitialize

Exports

Exports

Exec
ExecCodeSegment
ExecWait
GetElevationType
IsAdmin
RunElevated
ShellExec
ShellExecWait
SupportsUAC
Unload

Sections

.text
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 1020B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 820B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$PLUGINSDIR/UserInfo.dll
.dll windows:4 windows x86 arch:x86

afa8e526425f3585465337467d0b5909

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetVersion
GetCurrentThread
lstrcpynA
GetCurrentProcess
GetModuleHandleA
GetProcAddress
GetLastError
GlobalFree
CloseHandle
GlobalAlloc

advapi32

OpenProcessToken
GetTokenInformation
AllocateAndInitializeSid
EqualSid
FreeSid
GetUserNameA
OpenThreadToken

Exports

Exports

GetAccountType
GetName
GetOriginalAccountType

Sections

.text
Size: 1024B - Virtual size: 741B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 673B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 88B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 190B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
out.upx
.exe windows:4 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 107KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 44KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2Certificate

Extended Key Usages

Key Usages

25:c9:02:d0:26:e3:12:44:c1:25:99:67:71:c9:dc:01Certificate

Extended Key Usages

Key Usages

16:b9:59:8c:4e:ad:03:bc:d4:0a:b2:a2:2c:91:fe:cd:7f:41:e2:c5Signer

Headers

DLL Characteristics

File Characteristics

Sections

UPX0 Size: - Virtual size: 196KB

UPX1 Size: 17KB - Virtual size: 20KB

.rsrc Size: 24KB - Virtual size: 24KB

3a185b08fc1b907727e1e8ee4170f949

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2Certificate

Extended Key Usages

Key Usages

25:c9:02:d0:26:e3:12:44:c1:25:99:67:71:c9:dc:01Certificate

Extended Key Usages

Key Usages

92:19:06:19:33:94:38:d1:48:69:f3:73:47:f8:66:69:f4:a9:30:c9Signer

Headers

File Characteristics

PDB Paths

Imports

kernel32

user32

wtsapi32

version

msvcr80

advapi32

Exports

Exports

Sections

.text Size: 42KB - Virtual size: 41KB

.rdata Size: 10KB - Virtual size: 9KB

.data Size: 4KB - Virtual size: 11KB

.rsrc Size: 512B - Virtual size: 428B

487562c07c58e33a8342c55c7172e6d7

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2Certificate

Extended Key Usages

Key Usages

25:c9:02:d0:26:e3:12:44:c1:25:99:67:71:c9:dc:01Certificate

Extended Key Usages

Key Usages

81:ee:64:86:8a:0c:0e:6e:6b:2e:75:18:ca:d9:c2:a4:88:b6:f9:7eSigner

Headers

File Characteristics

PDB Paths

Imports

comctl32

kernel32

user32

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

25:c9:02:d0:26:e3:12:44:c1:25:99:67:71:c9:dc:01
Certificate

16:b9:59:8c:4e:ad:03:bc:d4:0a:b2:a2:2c:91:fe:cd:7f:41:e2:c5
Signer

UPX0
Size: - Virtual size: 196KB

UPX1
Size: 17KB - Virtual size: 20KB

.rsrc
Size: 24KB - Virtual size: 24KB

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

25:c9:02:d0:26:e3:12:44:c1:25:99:67:71:c9:dc:01
Certificate

92:19:06:19:33:94:38:d1:48:69:f3:73:47:f8:66:69:f4:a9:30:c9
Signer

.text
Size: 42KB - Virtual size: 41KB

.rdata
Size: 10KB - Virtual size: 9KB

.data
Size: 4KB - Virtual size: 11KB

.rsrc
Size: 512B - Virtual size: 428B

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

25:c9:02:d0:26:e3:12:44:c1:25:99:67:71:c9:dc:01
Certificate

81:ee:64:86:8a:0c:0e:6e:6b:2e:75:18:ca:d9:c2:a4:88:b6:f9:7e
Signer

.text
Size: 48KB - Virtual size: 47KB

.rdata
Size: 12KB - Virtual size: 10KB

.data
Size: 4KB - Virtual size: 7KB

.sharedv
Size: 16KB - Virtual size: 14KB

.rsrc
Size: 4KB - Virtual size: 2KB

.reloc
Size: 8KB - Virtual size: 4KB

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

25:c9:02:d0:26:e3:12:44:c1:25:99:67:71:c9:dc:01
Certificate

a7:c7:ed:cb:98:87:b5:0d:12:5f:12:90:f8:aa:9e:1a:00:78:f6:98
Signer

.text
Size: 3.3MB - Virtual size: 3.3MB

.rdata
Size: 875KB - Virtual size: 874KB

.data
Size: 150KB - Virtual size: 698KB

.tls
Size: 512B - Virtual size: 2B

.rsrc
Size: 24KB - Virtual size: 24KB

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

25:c9:02:d0:26:e3:12:44:c1:25:99:67:71:c9:dc:01
Certificate