Report #7489

  • Creation Date: Feb. 21, 2020, 4:33 p.m.
  • Last Update: Feb. 22, 2020, 11:30 a.m.
  • File: TeamViewer.exe
  • Results:
Binary
DLL
False
Size
7.66MB
trid
72.2% Windows ActiveX control
17.1% Win64 Executable
4.0% Win32 Dynamic Link Library
2.7% Win32 Executable
1.2% OS/2 Executable
type
PE
wordsize
32
Subsystem
Windows GUI
Hashes
md5
67d8db4b105cdc3408799ca30144e0d0
sha1
79c221694191cc48e4486a14ac13e62bccb16426
crc32
0xdcaf6b83
sha224
1886c06d02c5a019cc98d937114a0df82136a8226a11d2e5e684a584
sha256
96578ec1817e9a5144cfa427b6c9aa6c14dd42b08d9d51fe1e2a98281024632e
sha384
6280cce8fe8f8a5978fabc65b46144ab94a1740b43ec1d63f39fdbe7da75afbbbca50cde0d852556e3e370c1f9f6fb0b
sha512
98c5114d2b0da94de3ad49798f484c11f4480266915b26bf91ab4b1b348b62a3411218c3da0148ad451b3aa97ab6e7d72d1d538eb7363cb03fee7b04fcc05cdc
ssdeep
196608:WeLvxb/+ZUOSJufDyRcQvMLZWrMz3w5IW:1dNu2RcQvvB5IW
Community
Google
False
HashLib
False
YARA
Matches
IP, Dropper_Strings, CRC32b_poly_Constant, HasDebugData, Antivirus, CRC32_poly_Constant, BASE64_table, escalate_priv, HasRichSignature, VC8_Random, VC8_Microsoft_Corporation, RIPEMD160_Constants, spreading_share, create_service, CRC32_table, network_dns, Browsers, network_http, win_files_operation, IsPE32, win_hook, RijnDael_AES_CHAR, contentis_base64, network_tcp_socket, Misc_Suspicious_Strings, screenshot, win_token, win_mutex, keylogger, sniff_audio, migrate_apc, anti_dbg, IsWindowsGUI, SHA512_Constants, HasDigitalSignature, network_tcp_listen, url, SHA1_Constants, WMI_strings, win_registry, HasOverlay, RijnDael_AES_LONG, network_dga, Advapi_Hash_API, MD5_Constants, System_Tools, Big_Numbers1

Suspicious
True

Strings
List

Foremost
Matches
11557.htm, 179 B
Suspicious
True
Heuristics
IPs
hasIPs: True
Allowed: 127.0.0.1, 1, localhost.
Suspicious: 7.0.0.1, 0, Unknown
hasAllowed: True
hasSuspicious: True

URLs
Allowed: http://schemas.microsoft.com/smi/2005/windowssettings
hasURLs: True
Suspicious: http://www.teamviewer.com, http://ts-ocsp.ws.symantec.com07, http://ocsp.verisign.com0, https://www.verisign.com/rpa, http://www.teamviewer.com, https://www.verisign.com/rpa0, https://d.symcb.com/cps0%, http://login.teamviewer.com/requestpassword.aspx, ftp://%s:%s@%s, http://, http://crl.verisign.com/pca3-g5.crl04, https://d.symcb.com/rpa0, https://www.verisign.com/cps0, http://login.teamviewer.com/register.aspx, http://crl.thawte.com/thawtetimestampingca.crl0, file://, http://sf.symcb.com/sf.crl0f, http://ocsp.thawte.com0, ftp://, http://login.teamviewer.com/validation.aspx, http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(, http://sf.symcb.com/sf.crt0, http://logo.verisign.com/vslogo.gif04, https://, http://sf.symcd.com0&, https://www.teamviewer.com:443/, http://www.teamviewer.com/, http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
hasAllowed: True
hasSuspicious: True

Files
Allowed: user32.dll, secur32.dll, dwmapi.dll, kernel32.dll, winhttp.dll, winsta.dll, ddraw.dll, Magnification.dll, wtsapi32.dll, security.dll, TeamViewer_StaticRes.dll, Netapi32.dll, TeamViewer_Resource.dll, mscoree.dll, nwinhttp5.dll, lOleAut32.dll, OLEAUT32.DLL, emsdmo.dll, Psapi.dll, gdiplus.dll, Shell32.dll, DBGHELP.DLL, ole32.dll, TV_x64.dll, dsound.dll, advapi32.dll, TV_w32.dll, uxtheme.dll, quartz.dll, WAdvapi32.dll, RICHED20.DLL, mapi32.dll, MSIMG32.dll, imagehlp.dll, WINTRUST.dll, AVICAP32.dll, VERSION.dll, COMCTL32.dll, IPHLPAPI.DLL, WINMM.dll, SHLWAPI.dll, WS2_32.dll, GDI32.dll, WININET.dll, SensApi.dll, USERENV.dll, MSWSOCK.dll, SETUPAPI.dll, COMDLG32.dll, CRYPT32.dll, MSVFW32.dll, MPR.dll
hasFiles: True
Suspicious: *.txt, fConnections.txt, Connections_incoming.txt, __test__wf.tmp, TeamViewer7_Logfile_OLD.log, TeamViewer7_Logfile.log, TeamViewer7_Logfile2.log, \*.reg
hasAllowed: True
hasSuspicious: True

Binary
Sizes
RVA
RVA: 16
Suspicious: False
Code
Size: 2492416
Suspicious: False
Image
Address: 4194304
Suspicious: False
Stack
Stack: 4096
Suspicious: False
Headers
Headers: 1024
Suspicious: False
Suspicious: False

Symbols
Number
Number: 0
Suspicious: True
Pointer
Pointer: 0
Suspicious: True
Directories
Number: 16
Suspicious: False

Checksum
Value: 8051476
Suspicious: False

Sections
Allowed: .text, .rdata, .data, .tls, .rsrc, .reloc
Suspicious
hasAllowed: True
hasSections: True
hasSuspicious: False

Versions
OS
Version: 5
Suspicious: False
Image
Version: True
Suspicious: 5
Linker
Version: 9.0
Suspicious: False
Subsystem
Version: 5.0
Suspicious: False
Suspicious: False

EntryPoint
Address: 4358592
Suspicious: False

Anomalies
Anomalies
hasAnomalies: False

Libraries
Allowed: user32.dll, secur32.dll, dwmapi.dll, kernel32.dll, winhttp.dll, winsta.dll, ddraw.dll, magnification.dll, wtsapi32.dll, security.dll, netapi32.dll, mscoree.dll, oleaut32.dll, psapi.dll, gdiplus.dll, shell32.dll, dbghelp.dll, ole32.dll, dsound.dll, advapi32.dll, uxtheme.dll, quartz.dll, riched20.dll, mapi32.dll, msimg32.dll, imagehlp.dll, wintrust.dll, avicap32.dll, version.dll, comctl32.dll, winmm.dll, shlwapi.dll, ws2_32.dll, gdi32.dll, wininet.dll, sensapi.dll, userenv.dll, mswsock.dll, setupapi.dll, comdlg32.dll, crypt32.dll, msvfw32.dll, mpr.dll
hasLibs: True
Suspicious: teamviewer_staticres.dll, teamviewer_resource.dll, nwinhttp5.dll, loleaut32.dll, emsdmo.dll, tv_x64.dll, tv_w32.dll, wadvapi32.dll, iphlpapi.dll
hasAllowed: True
hasSuspicious: True

Timestamp
Past: False
Valid: True
Value: 2015-02-16 14:58:43
Future: False

Compilation
Packed: False
Missing: False
Packers
Compiled: True
Compilers: Microsoft Visual C++ 8, VC8 -> Microsoft Corporation

Obfuscation
XOR: False
Fuzzing: True

PEDetector
Matches
None
Suspicious
False
Disassembly
hasTricks
True
Tricks
pushret
.data: 1
.rsrc: 5
.text: 14
.rdata: 77
.reloc: 2

nopsequence
.text: 1

pushpopmath
.data: 11
.rsrc: 3
.text: 28
.rdata: 177
.reloc: 299

garbagebytes
.data: 1
.rsrc: 2
.text: 5
.rdata: 32
.reloc: 1

hookdetection
.text: 3
.rdata: 4
.reloc: 11

stealthimport
.text: 12

software breakpoint
.text: 23
.rdata: 2
.reloc: 132

fakeconditionaljumps
.rdata: 2

programcontrolflowchange
.data: 1
.rsrc: 2
.text: 5
.rdata: 30
.reloc: 1

cpuinstructionsresultscomparison
.data: 2
.rsrc: 3
.rdata: 127
.reloc: 5

AVclass
None
1
VirusTotal
md5
67d8db4b105cdc3408799ca30144e0d0
sha1
79c221694191cc48e4486a14ac13e62bccb16426
SCANS (DETECTION RATE = 0.00%)
AVG: update 20181221, version 18.4.3895.0, detected: False
CMC: update 20181220, version 1.1.0.977, detected: False
MAX: update 20181221, version 2018.9.12.1, detected: False
Bkav: update 20181220, version 1.3.0.9899, detected: False
K7GW: update 20181221, version 11.18.29417, detected: False
ALYac: update 20181221, version 1.1.1.5, detected: False
Avast: update 20181221, version 18.4.3895.0, detected: False
Avira: update 20181220, version 8.3.3.8, detected: False
Baidu: update 20181207, version 1.0.0.2, detected: False
Cyren: update 20181220, version 6.2.0.1, detected: False
DrWeb: update 20181221, version 7.0.34.11020, detected: False
GData: update 20181221, version A:25.19870B:25.13945, detected: False
Panda: update 20181220, version 4.6.4.2, detected: False
VBA32: update 20181220, version 3.34.0, detected: False
Zoner: update 20181221, version 1.0, detected: False
ClamAV: update 20181220, version 0.101.0.0, detected: False
Comodo: update 20181220, version 30152, detected: False
F-Prot: update 20181221, version 4.7.1.166, detected: False
Ikarus: update 20181221, version 0.1.5.2, detected: False
McAfee: update 20181221, version 6.0.6.653, detected: False
Rising: update 20181221, version 25.0.0.24, detected: False
Sophos: update 20181221, version 4.98.0, detected: False
Yandex: update 20181220, version 5.5.1.3, detected: False
Zillya: update 20181219, version 2.0.0.3716, detected: False
Acronis: update 20180726, version 1.0.1.25, detected: False
Alibaba: update 20180921, version 0.1.0.2, detected: False
Arcabit: update 20181221, version 1.0.0.837, detected: False
Babable: update 20180918, version 9107201, detected: False
Cylance: update 20181221, version 2.3.1.101, detected: False
Endgame: update 20181108, version 3.0.2, detected: False
TACHYON: update 20181221, version 2018-12-21.01, detected: False
Tencent: update 20181221, version 1.0.0.1, detected: False
ViRobot: update 20181220, version 2014.3.20.0, detected: False
Webroot: update 20181221, version 1.0.0.403, detected: False
eGambit: update 20181221, version v4.3.5, detected: False
Ad-Aware: update 20181221, version 3.0.5.370, detected: False
AegisLab: update 20181221, version 4.2, detected: False
Emsisoft: update 20181221, version 2018.4.0.1029, detected: False
F-Secure: update 20181221, version 11.0.19100.45, detected: False
Fortinet: update 20181221, version 5.4.247.0, detected: False
Invincea: update 20181128, version 6.3.6.26157, detected: False
Jiangmin: update 20181221, version 16.0.100, detected: False
Kingsoft: update 20181221, version 2013.8.14.323, detected: False
Paloalto: update 20181221, version 1.0, detected: False
Symantec: update 20181221, version 1.8.0.0, detected: False
Trapmine: update 20181205, version 3.0.29.679, detected: False
AhnLab-V3: update 20181220, version 3.14.1.22785, detected: False
Antiy-AVL: update 20181221, version 3.0.0.1, detected: False
Kaspersky: update 20181221, version 15.0.1.13, detected: False
Microsoft: update 20181220, version 1.1.15500.2, detected: False
Qihoo-360: update 20181221, version 1.0.0.1120, detected: False
TheHacker: update 20181220, version 6.8.0.5.3904, detected: False
ZoneAlarm: update 20181221, version 1.0, detected: False
Cybereason: update 20180225, version 1.2.27, detected: False
ESET-NOD32: update 20181221, version 18579, detected: False
TrendMicro: update 20181221, version 10.0.0.1040, detected: False
BitDefender: update 20181220, version 7.2, detected: False
CrowdStrike: update 20181022, version 1.0, detected: False
K7AntiVirus: update 20181221, version 11.18.29416, detected: False
SentinelOne: update 20181011, version 1.0.19.245, detected: False
Avast-Mobile: update 20181220, version 181220-02, detected: False
Malwarebytes: update 20181221, version 2.1.1.1115, detected: False
TotalDefense: update 20181220, version 37.1.62.1, detected: False
CAT-QuickHeal: update 20181220, version 14.00, detected: False
NANO-Antivirus: update 20181221, version 1.0.134.24576, detected: False
MicroWorld-eScan: update 20181221, version 14.0.297.0, detected: False
SUPERAntiSpyware: update 20181220, version 5.6.0.1032, detected: False
McAfee-GW-Edition: update 20181220, version v2017.3010, detected: False
TrendMicro-HouseCall: update 20181221, version 10.0.0.1040, detected: False

total
69
sha256
96578ec1817e9a5144cfa427b6c9aa6c14dd42b08d9d51fe1e2a98281024632e
scan_id
96578ec1817e9a5144cfa427b6c9aa6c14dd42b08d9d51fe1e2a98281024632e-1545363612
resource
67d8db4b105cdc3408799ca30144e0d0
positives
0
scan_date
2018-12-21 03:40:12
verbose_msg
Scan finished, information embedded
response_code
1
File
Trace

Process
Trace

Analysis
Reason
Timeout

Status
Successfully Executed

Results
1

Registry
Trace
Time                      Op      PID   Process         Key                                                                                  Value
22/2/2020 - 10:45:45.356  Write   2308  C:\malware.exe  HKCU\Software\Microsoft\Direct3D\MostRecentApplicationName
22/2/2020 - 10:45:45.372  Write   2308  C:\malware.exe  HKCU\Local Settings\MuiCache\5\96383CDB                                              LanguageList
22/2/2020 - 10:45:45.372  Write   2308  C:\malware.exe  HKCU\Local Settings\MuiCache\5\96383CDB                                              LanguageList
22/2/2020 - 10:45:45.372  Write   2308  C:\malware.exe  HKCU\Local Settings\MuiCache\5\96383CDB                                              LanguageList
22/2/2020 - 10:45:45.372  Write   2308  C:\malware.exe  HKCU\Local Settings\MuiCache\5\96383CDB                                              LanguageList
22/2/2020 - 10:45:45.372  Write   2308  C:\malware.exe  HKCU\Local Settings\MuiCache\5\96383CDB                                              LanguageList
22/2/2020 - 10:45:45.653  Delete  2308  C:\malware.exe  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates             BE36A4562FB2EE05DBB3D32323ADF445084ED656
22/2/2020 - 10:45:45.653  Write   2308  C:\malware.exe  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656  Blob

File Summary
Created
Identified: True

Deleted
Identified: False

Process Summary
Created
Identified: False

Deleted
Identified: False

Registry Summary
Proxy
Identified: False

AutoRun
Identified: False

Created
Identified: True

Deleted
Identified: True

Browsers
Identified: False

Internet
Identified: False


DNS
Query

Response

TCP
Info

UDP
Info

HTTP
Info

Summary
DNS
False

TCP
False

UDP
False

HTTP
False

Results
BINARY
KNN (K=3, NFS-BRMalware)
confidence: 66.67%
suspicious: False

Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: True

SVC (Kernel=Linear, NFS-BRMalware)
confidence: 86.15%
suspicious: False

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 83.00%
suspicious: False

Random Forest (100 estimators, NFS-BRMalware)
confidence: 77.00%
suspicious: False

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 47.99%
suspicious: True

LightGBM (Ember: File Characteristics, Threshold=0.8336)
confidence: 100.00%
suspicious: False
