General Info

File name

21DA.tmp.exe

Full analysis
https://app.any.run/tasks/f1f68597-62b4-42a4-9f5c-4bfc14092db7
Verdict
Malicious activity
Analysis date
3/14/2019, 08:59:39
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

  • teamviewer
  • tvrat
  • rat
  • trojan
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

7bf19d0e1db07d9e80ca936827758dc5

SHA1

5636cc0b60c02cf343665b36e01aecb90bcbe3ce

SHA256

0d758334d47efc6d6fe78ec1f117cd53633625cd76a8ef96d52ef9264aee4890

SSDEEP

98304:AD7omlFQuRAgjz+QoKatBMnmusZdB4YdEczeNrV8sAuzeIax:uokFqge9YmFXB4YiczwbABD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Loads dropped or rewritten executable
  • 21DA.tmp.exe (PID: 3224)
  • apg.exe (PID: 3348)
Application was dropped or rewritten from another process
  • apg.exe (PID: 3348)
  • 7za.exe (PID: 4048)
Changes the autorun value in the registry
  • apg.exe (PID: 3348)
Connects to CnC server
  • apg.exe (PID: 3348)
Connects to unusual port
  • apg.exe (PID: 3348)
Executable content was dropped or overwritten
  • 7za.exe (PID: 4048)
  • 21DA.tmp.exe (PID: 3224)
Creates files in the user directory
  • 7za.exe (PID: 4048)
Starts CMD.EXE for commands execution
  • 21DA.tmp.exe (PID: 3224)

No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.exe | Win32 Executable MS Visual C++ (generic) (67.4%)
.dll | Win32 Dynamic Link Library (generic) (14.2%)
.exe | Win32 Executable (generic) (9.7%)
.exe | Generic Win/DOS Executable (4.3%)
.exe | DOS Executable Generic (4.3%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2016:07:25 02:56:37+02:00
PEType:
PE32
LinkerVersion:
6
CodeSize:
24064
InitializedDataSize:
3926016
UninitializedDataSize:
8192
EntryPoint:
0x30ec
OSVersion:
4
ImageVersion:
6
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
7.9.8.6
ProductVersionNumber:
7.9.8.6
FileFlagsMask:
0x0000
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
English (U.S.)
CharacterSet:
Windows, Latin1
Tag51mlx0qxu:
null
Tag629ux9ftf:
null
Tag6uwexw1p1:
null
Tag8e6gqpmqt:
null
fm6eb9mf8:
null
h6vfl356q:
null
lcmzz1v2d:
null
q3bs45xv2:
null
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
25-Jul-2016 00:56:37
Detected languages
English - United States
51mlx0qxu:
null
629ux9ftf:
null
6uwexw1p1:
null
8e6gqpmqt:
null
fm6eb9mf8:
null
h6vfl356q:
null
lcmzz1v2d:
null
q3bs45xv2:
null
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000D8
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
5
Time date stamp:
25-Jul-2016 00:56:37
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x00005DB6 0x00005E00 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.50176
.rdata 0x00007000 0x00001246 0x00001400 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.00503
.data 0x00009000 0x003BC038 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 5.10433
.ndata 0x003C6000 0x00060000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.rsrc 0x00426000 0x00002F38 0x00003000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.67041
Resources

  • 1
  • 103
  • 105
  • 106
  • 111

Imports

  • KERNEL32.dll
  • USER32.dll
  • GDI32.dll
  • SHELL32.dll
  • ADVAPI32.dll
  • COMCTL32.dll
  • ole32.dll

Exports

No exports.

Processes

Total processes
37
Monitored processes
5
Malicious processes
4
Suspicious processes
1

Behavior graph

start 21da.tmp.exe cmd.exe no specs 7za.exe cmd.exe no specs apg.exe
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
3224
CMD
"C:\Users\admin\AppData\Local\Temp\21DA.tmp.exe"
Path
C:\Users\admin\AppData\Local\Temp\21DA.tmp.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\21da.tmp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\version.dll
c:\windows\system32\shfolder.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\local\temp\nstead2.tmp\system.dll
c:\windows\system32\riched20.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\users\admin\appdata\local\temp\nstead2.tmp\blowfish.dll
c:\users\admin\appdata\local\temp\nstead2.tmp\execcmd.dll

PID
3600
CMD
C:\Windows\system32\cmd.exe /C "7za.exe x -p7c06aaaf2618d2783e6186a216b58ae2 C:\Users\admin\AppData\Local\Temp\u3mkrs3clh.bmp -aoa -oC:\Users\admin\AppData\Roaming"
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
21DA.tmp.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\7za.exe

PID
4048
CMD
7za.exe x -p7c06aaaf2618d2783e6186a216b58ae2 C:\Users\admin\AppData\Local\Temp\u3mkrs3clh.bmp -aoa -oC:\Users\admin\AppData\Roaming
Path
C:\Users\admin\AppData\Local\Temp\7za.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Igor Pavlov
Description
7-Zip Standalone Console
Version
9.20
Modules
Image
c:\users\admin\appdata\local\temp\7za.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2912
CMD
C:\Windows\system32\cmd.exe /C "start "" C:\Users\admin\AppData\Roaming\b7mg81\apg.exe"
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
21DA.tmp.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\roaming\b7mg81\apg.exe

PID
3348
CMD
C:\Users\admin\AppData\Roaming\b7mg81\apg.exe
Path
C:\Users\admin\AppData\Roaming\b7mg81\apg.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
TeamViewer GmbH
Description
TeamViewer 8
Version
8.0.43331.0
Modules
Image
c:\users\admin\appdata\roaming\b7mg81\apg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\roaming\b7mg81\msi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
c:\windows\system32\secur32.dll
c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-service-management-l1-1-0.dll
c:\windows\system32\api-ms-win-service-core-l1-1-0.dll
c:\windows\system32\api-ms-win-service-winsvc-l1-1-0.dll
c:\windows\system32\api-ms-win-service-management-l2-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\api-ms-win-security-lsalookup-l1-1-0.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\winmm.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\msvfw32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\version.dll
c:\windows\system32\avicap32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\comdlg32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ws2help.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\browcli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\profapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\winsta.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\d3d11.dll
c:\windows\system32\dciman32.dll
c:\windows\system32\api-ms-win-security-sddl-l1-1-0.dll
c:\windows\system32\ddraw.dll
c:\windows\system32\psapi.dll
c:\windows\system32\d3d8thk.dll
c:\windows\system32\d3d9.dll
c:\windows\system32\magnification.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\riched20.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\comres.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\samlib.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\webio.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\credssp.dll
c:\windows\system32\mapi32.dll
c:\windows\system32\crtdll.dll
c:\windows\system32\devenum.dll
c:\windows\system32\msdmo.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\ksuser.dll
c:\windows\system32\avrt.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\audioses.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\msacm32.drv
c:\windows\system32\midimap.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\atl.dll
c:\windows\system32\slc.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\dsound.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\msvcr100.dll
c:\users\admin\appdata\roaming\b7mg81\tv_w32.dll
c:\users\admin\appdata\roaming\b7mg81\teamviewer_resource_en.dll
c:\users\admin\appdata\roaming\b7mg81\teamviewer_staticres.dll
c:\windows\system32\drprov.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\wship6.dll
c:\windows\system32\sxs.dll
c:\windows\system32\schannel.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll

Registry activity

Total events
475
Read events
445
Write events
30
Delete events
0

Modification events

PID Process Operation Key Name Value
3348 apg.exe write HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication Name apg.exe
3348 apg.exe write HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E LanguageList en-US
3348 apg.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run apg C:\Users\admin\AppData\Roaming\b7mg81\apg.exe
3348 apg.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\apg_RASAPI32 EnableFileTracing 0
3348 apg.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\apg_RASAPI32 EnableConsoleTracing 0
3348 apg.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\apg_RASAPI32 FileTracingMask 4294901760
3348 apg.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\apg_RASAPI32 ConsoleTracingMask 4294901760
3348 apg.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\apg_RASAPI32 MaxFileSize 1048576
3348 apg.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\apg_RASAPI32 FileDirectory %windir%\tracing
3348 apg.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\apg_RASMANCS EnableFileTracing 0
3348 apg.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\apg_RASMANCS EnableConsoleTracing 0
3348 apg.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\apg_RASMANCS FileTracingMask 4294901760
3348 apg.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\apg_RASMANCS ConsoleTracingMask 4294901760
3348 apg.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\apg_RASMANCS MaxFileSize 1048576
3348 apg.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\apg_RASMANCS FileDirectory %windir%\tracing
3348 apg.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings ProxyEnable 0
3348 apg.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections SavedLegacySettings ––
3348 apg.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap UNCAsIntranet 0
3348 apg.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap AutoDetect 1

Files activity

Executable files
18
Suspicious files
3
Text files
4
Unknown types
3

Dropped files

PID
Process
Filename
Type
3224
21DA.tmp.exe
C:\Users\admin\AppData\Local\Temp\nstEAD2.tmp\System.dll
executable
MD5: b0c77267f13b2f87c084fd86ef51ccfc
SHA256: a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77
4048
7za.exe
C:\Users\admin\AppData\Roaming\b7mg81\x64\install.exe
executable
MD5: 112b0c8b6b0c0a6c24f90081cc8a77d0
SHA256: f627380e9de14af3eb5331bb9a4d559b2c970abacff038ea464044ca1ef62163
4048
7za.exe
C:\Users\admin\AppData\Roaming\b7mg81\x86\install.exe
executable
MD5: b36c5e40f25c8afe8c8acc7e895d9c6d
SHA256: 64f42467a18009ae3d7cd24ed140141afd31826761944bd4e1891ea9f02411c9
4048
7za.exe
C:\Users\admin\AppData\Roaming\b7mg81\apg.exe
executable
MD5: fa323f50abd7815b132bc3bdaa0ba0b3
SHA256: 99e0fbb8b4d6bbd5fe4eec1530aa51a818d06e245efb2c2fb41199a390a73db8
4048
7za.exe
C:\Users\admin\AppData\Roaming\b7mg81\x64\teamviewervpn.sys
executable
MD5: f5520dbb47c60ee83024b38720abda24
SHA256: b8e555d92440bf93e3b55a66e27cef936477ef7528f870d3b78bd3b294a05cc0
4048
7za.exe
C:\Users\admin\AppData\Roaming\b7mg81\t2k5v9i
executable
MD5: d792004b2b0c652d5755411b3c60bfaf
SHA256: a8bd8b66f3b231d8101ff9c26be8b7d93f314dbe6aef2a1bf93943237174af6e
4048
7za.exe
C:\Users\admin\AppData\Roaming\b7mg81\TeamViewer_StaticRes.dll
executable
MD5: 6967e0965b13b104e842bf0446b00605
SHA256: ff8e7636c0a169f66d05978dfc77771e84a8016e9cf625d003c9ce6c496e89ab
3224
21DA.tmp.exe
C:\Users\admin\AppData\Local\Temp\7za.exe
executable
MD5: 42badc1d2f03a8b1e4875740d3d49336
SHA256: c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
4048
7za.exe
C:\Users\admin\AppData\Roaming\b7mg81\tv_w32.dll
executable
MD5: dda2fe1f8c2c10e2796e8e9582be2cae
SHA256: 9f209b206ec1033514e7103d6fe0a77543c312e40c6f8609846c6c9215720ac8
3224
21DA.tmp.exe
C:\Users\admin\AppData\Local\Temp\nstEAD2.tmp\ExecCmd.dll
executable
MD5: b9380b0bea8854fd9f93cc1fda0dfeac
SHA256: 1f4bd9c9376fe1b6913baeca7fb6df6467126f27c9c2fe038206567232a0e244
4048
7za.exe
C:\Users\admin\AppData\Roaming\b7mg81\tv_x64.exe
executable
MD5: e17b63381f6d53a2807d7c8cc4d70bc2
SHA256: 24dc9a92b8656ed90970dbedd7cabe22f1a7735e45215a581e14f05caa4e2c6d
4048
7za.exe
C:\Users\admin\AppData\Roaming\b7mg81\x86\teamviewervpn.sys
executable
MD5: 9101fffcfccd1a30e870a5b8a9091b10
SHA256: 58aab0f6ff78fd0ecdd8d9da1b6852e9e57e3daa39489abddba106ece0b3bca7
4048
7za.exe
C:\Users\admin\AppData\Roaming\b7mg81\tv_w32.exe
executable
MD5: 046ad7bb6b88b630a8b6b148977eb41a
SHA256: 8c6ac2e162c939a8479aaf24703f4f30f7836b6997f324ee556b3fd54a9cc32e
3224
21DA.tmp.exe
C:\Users\admin\AppData\Local\Temp\nstEAD2.tmp\blowfish.dll
executable
MD5: 5afd4a9b7e69e7c6e312b2ce4040394a
SHA256: 053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae
4048
7za.exe
C:\Users\admin\AppData\Roaming\b7mg81\TeamViewer_Resource_en.dll
executable
MD5: 00abf22e32025c7993c584600419f8fc
SHA256: 512a7be1d680a3bbb4d930f4301f2e57cb769f9ae699a5e4054b63570e37fe53
4048
7za.exe
C:\Users\admin\AppData\Roaming\b7mg81\TeamViewer_Desktop.exe
executable
MD5: b7df79f13794065168bf1275e25a4800
SHA256: e1ae1350f6974bf95d95d7d26c6d97ecb97350219858440f57ab67ac0c00ba2b
3224
21DA.tmp.exe
C:\Users\admin\AppData\Roaming\b7mg81\msi.dll
executable
MD5: d792004b2b0c652d5755411b3c60bfaf
SHA256: a8bd8b66f3b231d8101ff9c26be8b7d93f314dbe6aef2a1bf93943237174af6e
4048
7za.exe
C:\Users\admin\AppData\Roaming\b7mg81\tv_x64.dll
executable
MD5: a15d25d1d9d286552c8b36e8de6a5b71
SHA256: 43c6542d93980ebee6f1dd95c958ef41d0c80892e64c89673f8642d570c3cb89
3224
21DA.tmp.exe
C:\Users\admin\AppData\Local\Temp\7za.tmp
––
MD5:  ––
SHA256:  ––
4048
7za.exe
C:\Users\admin\AppData\Roaming\b7mg81\x64\TeamViewerVPN.inf
binary
MD5: 447fc733747db11cd4492ae01c5652fe
SHA256: a817b0e8a669d5acaf2ddfbc95acf2a1213b092b44dc896a0ee4a5301d06ebc3
4048
7za.exe
C:\Users\admin\AppData\Roaming\b7mg81\itdzsl.cfg
flc
MD5: 04d0d0105e3182007e6ea856b5fc8c17
SHA256: c1e8e1532810711a1121cdf7411fb02a41cd8688c3d94a91c9a70e7cad44dad3
4048
7za.exe
C:\Users\admin\AppData\Roaming\b7mg81\bo9wlssx6i3b.bmp
image
MD5: cfd2489306eabe43a6b7a3789ad28ee6
SHA256: 8c2d2becbb14929cb5b0715ccba1a724f8f6754bc1ae6c30d14806668784e4d7
3348
apg.exe
C:\Users\admin\AppData\Roaming\b7mg81\itdzsl.cfg
binary
MD5: 7244e4778ef30ab81bdcd90c6a021c44
SHA256: f1560578e2fc4c76b732a8460afd222eca161905897bbbf5a3335471ff43b5b7
4048
7za.exe
C:\Users\admin\AppData\Roaming\b7mg81\x86\TeamViewerVPN.inf
binary
MD5: ea43320244bc11fa4445e80294a5330e
SHA256: 6f15408132b38c37e1d12998d0df67bbe9664c4e0e927d5f87896fc251653769
4048
7za.exe
C:\Users\admin\AppData\Roaming\b7mg81\x86\teamviewervpn.cat
cat
MD5: e5c3624879ebcc3e37431c5163067e35
SHA256: 28a25533a42223867256e64c1a75a9fa4831cd09e12a1bff3c63930583333a9b
3224
21DA.tmp.exe
C:\Users\admin\AppData\Local\Temp\u3mkrs3clh.bmp
image
MD5: bc348e0d330587b6e699af7950d84425
SHA256: 1ee44de4e512d098d90d90bcea4440be4a41acc3c494c0b443061d031768aa91
3224
21DA.tmp.exe
C:\Users\admin\AppData\Local\Temp\rq5ilcweqx5v
text
MD5: 92d01f384d261fde565f04234dbd42a5
SHA256: 2c56ec8312a1b67131507cb9c7fd4cdc4485dec76243b9741b55d87a2465d728
4048
7za.exe
C:\Users\admin\AppData\Roaming\b7mg81\TeamViewer.ini
text
MD5: 8fc2e199aa5721f837d2ce2766a5860d
SHA256: 044f6e06ced9cdaff36795408e5e3046b290367bc88f0708b2b5bd1b91bfbad5
3224
21DA.tmp.exe
C:\Users\admin\AppData\Local\Temp\hewp9mfi9d.bmp
––
MD5:  ––
SHA256:  ––
4048
7za.exe
C:\Users\admin\AppData\Roaming\b7mg81\x64\teamviewervpn.cat
cat
MD5: 5cffe65f36b60bc151486c90382f1627
SHA256: aa7c09a817eb54e3cc5c342454608364a679e231824f83ba5a2d0278edcc1851

Find more information on the static content and download it at the full report

Network activity

HTTP(S) requests
8
TCP/UDP connections
14
DNS requests
6
Threats
8

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
–– –– GET 200 91.199.212.52:80 http://crt.comodoca.com/COMODORSAAddTrustCA.crt GB der whitelisted
–– –– GET 200 195.138.255.16:80 http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D DE der whitelisted
–– –– GET 200 195.138.255.17:80 http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCECsuburZdTZsFIpu26N8jAc%3D DE der whitelisted
3348 apg.exe GET 200 195.123.219.87:80 http://195.123.219.87/js/update.php?id=1182080480&stat=1b64dddb75725ccc29d868d33df5da88 NL text malicious
3348 apg.exe GET 200 195.123.219.87:80 http://195.123.219.87/js/update.php?id=1182080480&stat=1b64dddb75725ccc29d868d33df5da88&cmd=2 NL text malicious
3348 apg.exe GET 200 195.123.219.87:80 http://195.123.219.87/js/update.php?id=1182080480&stat=1b64dddb75725ccc29d868d33df5da88 NL –– –– malicious
3348 apg.exe GET 200 195.123.219.87:80 http://195.123.219.87/js/update.php?id=1182080480&stat=1b64dddb75725ccc29d868d33df5da88 NL –– –– malicious
3348 apg.exe GET 200 195.123.219.87:80 http://195.123.219.87/js/update.php?id=1182080480&stat=1b64dddb75725ccc29d868d33df5da88 NL –– –– malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
3348 apg.exe 188.172.219.158:5938 ANEXIA Internetdienstleistungs GmbH NL suspicious
3348 apg.exe 185.188.32.3:5938 TeamViewer GmbH DE suspicious
3348 apg.exe 188.172.246.171:5938 ANEXIA Internetdienstleistungs GmbH AT suspicious
3348 apg.exe 52.168.20.22:443 Microsoft Corporation US whitelisted
–– –– 91.199.212.52:80 Comodo CA Ltd GB unknown
–– –– 195.138.255.16:80 AS33891 Netzbetrieb GmbH DE unknown
–– –– 195.138.255.17:80 AS33891 Netzbetrieb GmbH DE unknown
3348 apg.exe 195.123.219.87:80 ITL Company NL malicious

DNS requests

Domain IP Reputation
ping3.teamviewer.com 188.172.219.158, 213.227.162.126, 188.172.246.190, 213.227.168.190, 188.172.198.158 shared
master11.teamviewer.com 185.188.32.3 shared
client.teamviewer.com 52.168.20.22 shared
crt.comodoca.com 91.199.212.52 whitelisted
ocsp.usertrust.com 195.138.255.16, 195.138.255.24 whitelisted
ocsp.comodoca.com 195.138.255.17, 195.138.255.24 whitelisted

Threats

PID Process Class Message
3348 apg.exe Potential Corporate Privacy Violation POLICY [PTsecurity] TeamViewer connection
3348 apg.exe Potential Corporate Privacy Violation POLICY [PTsecurity] TeamViewer connection
3348 apg.exe Potential Corporate Privacy Violation POLICY [PTsecurity] TeamViewer negotiation
3348 apg.exe A Network Trojan was detected ET TROJAN Win32.Spy/TVRat Checkin
3348 apg.exe A Network Trojan was detected ET TROJAN Win32.Spy/TVRat Checkin
3348 apg.exe A Network Trojan was detected ET TROJAN Win32.Spy/TVRat Checkin
3348 apg.exe A Network Trojan was detected ET TROJAN Win32.Spy/TVRat Checkin
–– –– A Network Trojan was detected ET TROJAN Win32.Spy/TVRat Checkin

Debug output strings

No debug info.