Manalyze report for 4b7ec33052e838f6744d5f242307c227

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2016-Apr-03 20:18:56
Detected languages	English - United States
Comments	TeamViewer Remote Control Application
CompanyName	TeamViewer
LegalCopyright	TeamViewer
ProductName	TeamViewer QS
ProductVersion	`15.33.7.0`

Plugin Output

Info	Interesting strings found in the binary:	`Contains domain names: http://nsis.sf.net http://nsis.sf.net/NSIS_Error nsis.sf.net`
Suspicious	The PE is an NSIS installer	`Unusual section name found: .ndata`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW` `Can access the registry: RegDeleteKeyW RegOpenKeyExW RegEnumValueW RegDeleteValueW RegCloseKey RegCreateKeyExW RegSetValueExW RegQueryValueExW RegEnumKeyW` `Possibly launches other programs: CreateProcessW ShellExecuteW` `Can create temporary files: CreateFileW GetTempPathW` `Functions related to the privilege level: OpenProcessToken AdjustTokenPrivileges` `Changes object ACLs: SetFileSecurityW` `Can shut the system down or lock the screen: ExitWindowsEx`
Info	The PE is digitally signed.	`Signer: TeamViewer Germany GmbH` `Issuer: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1`
Suspicious	No VirusTotal score.	`This file has never been scanned on VirusTotal.`

Hashes

MD5	`4b7ec33052e838f6744d5f242307c227`
SHA1	`aa59241978ada8c11b18e9e72a1a9dcbdfa93dfe`
SHA256	`8be440f36b00fe0c5d6b08d086bffc8754a0de860c795bd8eb45ba4d7f8bdef1`
SHA3	`cb9f45195981e6bedfa02caf6a5e97860d7f19fa11ce60236fe9c21e64c51c5f`
SSDeep	`786432:0y2xI3BqzQ1Vk5Pz0bv9WbC285d0cPIsOSkT:0c3BX1Vf5G1eTA`
Imports Hash	`4ea4df5d94204fc550be1874e1b77ea7`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xc8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2016-Apr-03 20:18:56
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED` `IMAGE_FILE_RELOCS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`6.0`
SizeOfCode	`0x6200`
SizeOfInitializedData	`0x22a00`
SizeOfUninitializedData	`0x800`
AddressOfEntryPoint	`0x000033B6 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x8000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`4.0`
ImageVersion	`6.0`
SubsystemVersion	`4.0`
Win32VersionValue	`0`
SizeOfImage	`0x8c000`
SizeOfHeaders	`0x400`
Checksum	`0x180f8c7`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NO_SEH` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`c5c0065fc4c103ac2469dafdce131fb4`
SHA1	`9300bba1c84ff05797dba42567ab800e9635be21`
SHA256	`79cf14e09b456fbe712dfcc986aa91557ce38522a875dee2d3883bcac5a95feb`
SHA3	`fa680f44b2ea4a1aa73f62ffb51c36923236b89f346ffed6bb21c84cd67b0d11`
VirtualSize	`0x615d`
VirtualAddress	`0x1000`
SizeOfRawData	`0x6200`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.45041`

.rdata

MD5	`4ac891d4ddf58633f14436f9f80ac6b6`
SHA1	`810f2c2ff89cf08aff94b68a4acc610f8106a828`
SHA256	`263adb39a8d456748febcf9254b4fdf6622dc6bed2b2b62518a24d0985003da2`
SHA3	`1fd3eb0b4d98749dd95bc956345a238c3f66a13d9cf3d98e007040f636ed2960`
VirtualSize	`0x13a4`
VirtualAddress	`0x8000`
SizeOfRawData	`0x1400`
PointerToRawData	`0x6600`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.163`

.data

MD5	`66b45fceba0f24d768fb09e0afe23c99`
SHA1	`73e01d0a890ca230f5e5f9e7524b9f34eb53df99`
SHA256	`b3fa20d6329a2ce09e5d5a5cbafcae958b30cc5f82225f150ce5cc27a997e87d`
SHA3	`276ede53c77e546d75c248a99c555189160e70c635ab611bdef0caf9f09007c6`
VirtualSize	`0x20338`
VirtualAddress	`0xa000`
SizeOfRawData	`0x600`
PointerToRawData	`0x7a00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.9824`

.ndata

MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
SHA3	`a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a`
VirtualSize	`0x19000`
VirtualAddress	`0x2b000`
SizeOfRawData	`0`
PointerToRawData	`0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_UNINITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`

.rsrc

MD5	`3ecfa414e3679ea08769a3eaaebf50f6`
SHA1	`7a6eae9da82b971a450520e4d9c7a032e97141da`
SHA256	`6d4e40e6c42855a3c54b4add318851e36d70858c2a97fd8dc9385a05541bb6f5`
SHA3	`cc862d8a01d61c1c93efa7578ebb5fcfb838ca999afa44c6b6fa56f21ced545f`
VirtualSize	`0x471f8`
VirtualAddress	`0x44000`
SizeOfRawData	`0x47200`
PointerToRawData	`0x8000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.81972`

Imports

KERNEL32.dll	`SetCurrentDirectoryW` `GetFileAttributesW` `GetFullPathNameW` `Sleep` `GetTickCount` `CreateFileW` `GetFileSize` `MoveFileW` `SetFileAttributesW` `GetModuleFileNameW` `CopyFileW` `ExitProcess` `SetEnvironmentVariableW` `GetWindowsDirectoryW` `GetTempPathW` `GetCommandLineW` `GetVersion` `SetErrorMode` `WaitForSingleObject` `GetCurrentProcess` `CompareFileTime` `GlobalUnlock` `GlobalLock` `CreateThread` `GetLastError` `CreateDirectoryW` `CreateProcessW` `RemoveDirectoryW` `lstrcmpiA` `GetTempFileNameW` `WriteFile` `lstrcpyA` `lstrcpyW` `MoveFileExW` `lstrcatW` `GetSystemDirectoryW` `GetProcAddress` `GetModuleHandleA` `GlobalFree` `GlobalAlloc` `GetShortPathNameW` `SearchPathW` `lstrcmpiW` `SetFileTime` `CloseHandle` `ExpandEnvironmentStringsW` `lstrcmpW` `GetDiskFreeSpaceW` `lstrlenW` `lstrcpynW` `GetExitCodeProcess` `FindFirstFileW` `FindNextFileW` `DeleteFileW` `SetFilePointer` `ReadFile` `FindClose` `MulDiv` `MultiByteToWideChar` `lstrlenA` `WideCharToMultiByte` `GetPrivateProfileStringW` `WritePrivateProfileStringW` `FreeLibrary` `LoadLibraryExW` `GetModuleHandleW`
USER32.dll	`GetSystemMenu` `SetClassLongW` `IsWindowEnabled` `EnableMenuItem` `SetWindowPos` `GetSysColor` `GetWindowLongW` `SetCursor` `LoadCursorW` `CheckDlgButton` `GetMessagePos` `LoadBitmapW` `CallWindowProcW` `IsWindowVisible` `CloseClipboard` `SetClipboardData` `EmptyClipboard` `OpenClipboard` `wsprintfW` `ScreenToClient` `GetWindowRect` `GetSystemMetrics` `SetDlgItemTextW` `GetDlgItemTextW` `MessageBoxIndirectW` `CharPrevW` `CharNextA` `wsprintfA` `DispatchMessageW` `PeekMessageW` `GetDC` `ReleaseDC` `EnableWindow` `InvalidateRect` `SendMessageW` `DefWindowProcW` `BeginPaint` `GetClientRect` `FillRect` `EndDialog` `RegisterClassW` `SystemParametersInfoW` `CreateWindowExW` `GetClassInfoW` `DialogBoxParamW` `CharNextW` `ExitWindowsEx` `DestroyWindow` `LoadImageW` `SetTimer` `SetWindowTextW` `PostQuitMessage` `ShowWindow` `GetDlgItem` `IsWindow` `SetWindowLongW` `FindWindowExW` `TrackPopupMenu` `AppendMenuW` `CreatePopupMenu` `DrawTextW` `EndPaint` `CreateDialogParamW` `SendMessageTimeoutW` `SetForegroundWindow`
GDI32.dll	`SelectObject` `SetBkMode` `CreateFontIndirectW` `SetTextColor` `DeleteObject` `GetDeviceCaps` `CreateBrushIndirect` `SetBkColor`
SHELL32.dll	`SHGetSpecialFolderLocation` `SHGetPathFromIDListW` `SHBrowseForFolderW` `SHGetFileInfoW` `ShellExecuteW` `SHFileOperationW`
ADVAPI32.dll	`RegDeleteKeyW` `SetFileSecurityW` `OpenProcessToken` `LookupPrivilegeValueW` `AdjustTokenPrivileges` `RegOpenKeyExW` `RegEnumValueW` `RegDeleteValueW` `RegCloseKey` `RegCreateKeyExW` `RegSetValueExW` `RegQueryValueExW` `RegEnumKeyW`
COMCTL32.dll	`ImageList_AddMasked` `#17` `ImageList_Destroy` `ImageList_Create`
ole32.dll	`OleUninitialize` `OleInitialize` `CoTaskMemFree` `CoCreateInstance`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x42028`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.71548`
MD5	`db765e98ca24b0f43ad475ef1c3abcb2`
SHA1	`110b7e6bd42bf8434e457b06255b11a48b1e3290`
SHA256	`65b24ba4b1d73550d3498dd9ec6498fb01a403e11923428e212f0f901100283b`
SHA3	`be1ee3f34a5ba3f885749962bf5e63348261966655a9b18bc8deb0b2ef1892f7`

2

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.22479`
MD5	`67fe7373d08b0e46d29bdadd1408e46f`
SHA1	`a93c2ade89d71c539424e2af0b940f0c45e3aa54`
SHA256	`c9f61293148819ed60efc37b90801c868016c57991cf395a4f94f7d2cfdfb664`
SHA3	`257c2ae14f967ddf85d28559087741957b0168045163d0242d1f466e162e3d80`

3

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.43297`
MD5	`cb763dc0d401defc72a6e996340f701b`
SHA1	`2b21b2384148bbdc3627feff512714b39ddfe957`
SHA256	`3f1c6866b5dcb1fda69c91c3c2018bb81fcde06646de1e9b8810400fc9b53c03`
SHA3	`75b01b0271794526dafd116c7fce1a30936d43783f0e8aa3ea5fe964fd204ee1`

4

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x568`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.39572`
MD5	`830283ec9722c82208e5644ec8e252af`
SHA1	`7a94a1e58428711517c10488cc2ead329dddf978`
SHA256	`2dec0b339af50d0b100944ca675b3313f6b8e33ecc147282ca30ae12d47409ac`
SHA3	`c43760b5ee5e343cd3a5ef18ce050891a52e691ed4c66c80801e8a322af9376e`

5

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`7e1b34650fb04bc15a494a1d712cffee`
SHA1	`43e1808e4308baf093556946552f4fabc05278d8`
SHA256	`3731b0a75ab19d96b774da62d37eccacd517c6593af20aa66525dc0b951cdba9`
SHA3	`79a9c096a1a56ae4f98f1e8ad4c44fa5c08e5d98e745898df9031e3b3a13c46c`

6

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x2e8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`809457c05fe696f5d34ac5ac8768cdd4`
SHA1	`a2c3e4966415100c7d24f7f3dc7e27d2a60d20c9`
SHA256	`1b66520d471367f736d50c070a2e2bba8ad88ac58743394a764b888e9cb6f6be`
SHA3	`002d1b10f28d74c7572fc7c5b403eb32f2a0540c4958d7878ef67edfd17c8109`

7

Type	`RT_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x128`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`0`
MD5	`982079681d7ad12766abc44f06946f3e`
SHA1	`50f73ed0787bf5911bb907e487efbc84a9714e48`
SHA256	`250f52cb2d6f1966a29f6ac771fa1cd185b8f8531396c8a4026c0fe635617e0c`
SHA3	`b8805d45012d79cfa8bb45e23c9b4a4421cd91538d569e58437efa0f545cf4d4`

105

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0x202`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.73893`
MD5	`386770584473e271f23dced36427f4ff`
SHA1	`d14ce95f784b35e4e3ebee535476ebcd3e380c19`
SHA256	`425b8270f7ca42a927eae6bea468acf414a3e4b58b5ba2c56aaae4d1b2c11014`
SHA3	`db13e5969376b27e8443eebff685230e2b74685aeb2fba73973f06e5cddc8662`

106

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0xf8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.91148`
MD5	`fa83652660409e90e0db9731ad2adb17`
SHA1	`0a8f0af67723c87fe26ccf676b8e19ec6357b4dc`
SHA256	`4a55bd714f5d50cd8eabba10e57f0618f1842717dcfa582d73a917b1933cd1d4`
SHA3	`5b3e1cb25be7a2dbae4f08f0d4794ed23dbd6ea37a3f9702be12dba588f42a7b`

111

Type	`RT_DIALOG`
Language	English - United States
Codepage	UNKNOWN
Size	`0xee`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.89887`
MD5	`663040d6315b1d6ce8c0334d182ed8fc`
SHA1	`ebcfff801a12fb8ad1200a4526fca8bd2c3e96cf`
SHA256	`cb3c86cbcb579244a6f819f9c1807a7e89b6e600982ec6ea0841fcdcb16a9efd`
SHA3	`6a25a2cb16aeb17693f10e8aaa0245c701701db571b458fde7830291a4a01cfc`

103

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	UNKNOWN
Size	`0x68`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.00583`
Detected Filetype	Icon file
MD5	`9c11237284717eae59d23ffa0cbd0ffa`
SHA1	`70b22902e396b3bd0177eb973e7fae3052c55849`
SHA256	`8cfc58dd1d77e77fe4a84eae8deefde23c87e46612e3a0973203e7f2278af472`
SHA3	`442cffad38211d1fee4ea7e1a199e4e8c2fbde5afa90d0d06a720c63c77917ad`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x228`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.32322`
MD5	`9721899877d3fb8d6c3e10d0ac60d86a`
SHA1	`27ddddcaa6b8d35a450a1d20947d8241f38f3b40`
SHA256	`754fcae6071ba16c87d966a06979cb90ffdc348ffb01a0c04d912ab426294251`
SHA3	`c5ba9bf47956ce04f0a4168cab5f8c78e4ff1f79d1ac2a5af51b5cb1ae5f4323`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x425`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.29548`
MD5	`f01a1df5e72d4d076dfb6748f16fe780`
SHA1	`235b0a15415c3abae2a2d6843193160b6f942af5`
SHA256	`c2370192aa209fb9d19d0b11eeccb768bf6e8e231a3e4e64a3f086c9cc51552b`
SHA3	`d81fbc50f1634b33e5ac47637af96c7a6e35578e24aba80c601c6af2b5292441`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0`
FileVersion	15.33.7.0
ProductVersion	15.33.7.0
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT_WINDOWS32` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
Comments	TeamViewer Remote Control Application
CompanyName	TeamViewer
LegalCopyright	TeamViewer
ProductName	TeamViewer QS
ProductVersion (#2)	15.33.7.0

Resource LangID	English - United States

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0xd28650e9`
Unmarked objects	`0`
C objects (VS2003 (.NET) build 4035)	`2`
Total imports	`166`
Imports (VS2003 (.NET) build 4035)	`15`
48 (9044)	`10`
Resource objects (VS98 SP6 cvtres build 1736)	`1`

Errors

[*] Warning: Section .ndata has a size of 0!