setup CommView.exe
This report is generated from a file or URL submitted to this webservice on June 7th 2019 12:00:05 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access: Reads terminal service related keys (often RDP related)
- Spyware: Found a string that may be used as part of an injection method; Hooks API calls
- Persistence: Writes data to a remote process
- Fingerprint: Queries kernel debugger information; Queries process information; Queries sensitive IE security settings; Reads the active computer name; Reads the cryptographic machine GUID
- Evasive: Marks file for deletion; PE file is protected by VMProtect; Possibly tries to evade analysis by sleeping many times
- Spreading: Opens the MountPointManager (often used to detect additional infection locations)
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed in this public report.
-
Malicious Indicators 8
-
Anti-Detection/Stealthyness
-
Creates a resource fork (ADS) file (often used to hide data)
- details: "CV.EXE" created file "%WINDIR%\{4B9A1497-0817-47C4-9612-D6A1C53ACF57}"
- source: API Call
- relevance: 8/10
- note: the logged path carries no ":streamname" suffix, so the stream itself is not recoverable from this detail; confirm on the host with "dir /r" or Get-Item -Stream * against that path.
-
Environment Awareness
-
PE file is protected by VMProtect
- details:
  "preinst.exe" has a section named ".vmp0"
  "preinst.exe" has a section named ".vmp1"
  "Updater.exe" has a section named ".vmp0"
  "Updater.exe" has a section named ".vmp1"
  "rwatch.exe" has a section named ".vmp0"
  "rwatch.exe" has a section named ".vmp1"
- source: Static Parser
- relevance: 7/10
- note: only these three helper executables carry .vmp sections; CV.EXE and setupCommView.exe are not listed. VMProtect on licensing and updater components is common in commercial software, so this indicator alone does not separate a protected product from malware.
-
External Systems
-
Sample was identified as malicious by at least one Antivirus engine
- details: 2/41 Antivirus vendors marked sample as malicious (4% detection rate)
- source: External System
- relevance: 8/10
-
General
-
The analysis extracted a file that was identified as malicious
- details:
  1/65 Antivirus vendors marked dropped file "ch1213.exe" as malicious (classified as "Trojan.Heur" with 1% detection rate)
  1/65 Antivirus vendors marked dropped file "preinst.exe" as malicious (classified as "Trojan.Delphi" with 1% detection rate)
- source: Binary File
- relevance: 10/10
- note: a single engine out of 65 returning a generic heuristic name ("Trojan.Heur", "Trojan.Delphi") is weak evidence on its own; weigh it against the signed driver catalogs listed under "The input sample dropped/contains a certificate file" below.
-
Installation/Persistance
-
Allocates virtual memory in a remote process
- details: "CV.EXE" allocated memory in "\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"
- source: API Call
- relevance: 7/10
- ATT&CK ID: T1055
- note: the recorded target is a registry key path, not a process, so the handle-to-object resolution behind this detail is suspect; do not rely on it without the matching VirtualAllocEx call and target PID.
-
Writes data to a remote process
- details:
  "setupCommView.exe" wrote 32 bytes to a remote process "%PROGRAMFILES%\CommViewWiFi\CV.EXE" (Handle: 440)
  "setupCommView.exe" wrote 52 bytes to a remote process "C:\Program Files\CommViewWiFi\CV.EXE" (Handle: 440)
  "setupCommView.exe" wrote 4 bytes to a remote process "C:\Program Files\CommViewWiFi\CV.EXE" (Handle: 440)
  "CV.EXE" wrote 52 bytes to a remote process "C:\Program Files\CommViewWiFi\dhelper.exe" (Handle: 200)
  "CV.EXE" wrote 4 bytes to a remote process "C:\Program Files\CommViewWiFi\dhelper.exe" (Handle: 200)
  "CV.EXE" wrote 32 bytes to a remote process "C:\Program Files\CommViewWiFi\dhelper.exe" (Handle: 200)
  "CV.EXE" wrote 1500 bytes to a remote process "C:\Program Files\CommViewWiFi\Updater.exe" (Handle: 1716)
  "CV.EXE" wrote 4 bytes to a remote process "C:\Program Files\CommViewWiFi\Updater.exe" (Handle: 1716)
  "CV.EXE" wrote 32 bytes to a remote process "C:\Program Files\CommViewWiFi\Updater.exe" (Handle: 1716)
  "CV.EXE" wrote 52 bytes to a remote process "C:\Program Files\CommViewWiFi\Updater.exe" (Handle: 1716)
- source: API Call
- relevance: 6/10
- ATT&CK ID: T1055
- note: every write goes from a parent to a child in the same package directory, and the sizes repeat (4, 32 and 52 bytes, plus one 1500-byte write to Updater.exe). That pattern is consistent with passing small parameter blocks to freshly launched child processes; treat it as T1055 injection only if the same handle also shows remote thread creation or an entry-point change in the target.
-
Unusual Characteristics
-
Checks for a resource fork (ADS) file
- details:
  "CV.EXE" checked file "C:"
  "CV.EXE" checked file "%WINDIR%\{4B9A1497-0817-47C4-9612-D6A1C53ACF57}"
- source: API Call
- relevance: 5/10
-
1 malicious indicator is hidden (available only in the private webservice or standalone version).
-
Suspicious Indicators 39
-
Anti-Detection/Stealthyness
-
Queries kernel debugger information
- details: "CV.EXE" at 00051294-00001288-00000105-217881526784
- source: API Call
- relevance: 6/10
- note: this is the SystemKernelDebuggerInformation class of NtQuerySystemInformation, a standard check for an attached kernel debugger; commercial protectors such as VMProtect can emit the same check as part of their anti-debug options.
-
Queries process information
- details:
  "CV.EXE" queried SystemProcessInformation at 00051294-00001288-00000105-234107802343
  "CV.EXE" queried SystemProcessInformation at 00051294-00001288-00000105-237786077672
  "CV.EXE" queried SystemProcessInformation at 00051294-00001288-00000105-272430282403
  "CV.EXE" queried SystemProcessInformation at 00051294-00001288-00000105-273764826109
  "CV.EXE" queried SystemProcessInformation at 00051294-00001288-00000105-315322344092
  "CV.EXE" queried SystemProcessInformation at 00051294-00001288-00000105-336854785264
  "CV.EXE" queried SystemProcessInformation at 00051294-00001288-00000105-358258318309
  "CV.EXE" queried SystemProcessInformation at 00051294-00001288-00000105-379705904576
  "CV.EXE" queried SystemProcessInformation at 00051294-00001288-00000105-401256144675
  "CV.EXE" queried SystemProcessInformation at 00051294-00001288-00000105-422533024780
  "CV.EXE" queried SystemProcessInformation at 00051294-00001288-00000105-444124155462
  "CV.EXE" queried SystemProcessInformation at 00051294-00001288-00000105-465607312356
  "CV.EXE" queried SystemProcessInformation at 00051294-00001288-00000105-487059785444
  "CV.EXE" queried SystemProcessInformation at 00051294-00001288-00000105-508650477858
- source: API Call
- relevance: 4/10
- ATT&CK ID: T1057
- note: SystemProcessInformation is the process enumeration class; 14 queries at roughly even intervals over the run is consistent with polling for a process (its own helper processes, or an analysis tool) rather than a one-off snapshot.
-
Anti-Reverse Engineering
-
PE file has unusual entropy sections
- details: .rsrc with unusual entropies 7.99908615521
- source: Static Parser
- relevance: 10/10
- note: 7.999 of a possible 8.0 bits per byte means the resource section is essentially incompressible, i.e. packed or encrypted payload data rather than ordinary icons, dialogs and strings.
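The two Static Parser indicators above (the .vmp0/.vmp1 section names on preinst.exe, Updater.exe and rwatch.exe under "PE file is protected by VMProtect", and the .rsrc section at entropy 7.999 here) can be reproduced offline from nothing but the PE section table. The following is an added example, not code from the Hybrid Analysis report or from TamoSoft: it walks the COFF section table with the Python standard library, computes per-section Shannon entropy, and flags packer section names. The 7.0 threshold and the packer-prefix table are my assumptions, and the sample PE it builds for itself is constructed, not one of the dropped files.

```python
"""Static checks behind the 'VMProtect' and 'unusual entropy' indicators.

Added example (not report or vendor code): a stdlib-only PE section walker.
Run it on a real file with: python pe_sections.py Updater.exe
"""
import math
import random
import struct
import sys
from typing import Dict, List, NamedTuple

# Assumption: section-name prefixes that identify common protectors.
PACKER_SECTION_PREFIXES = {".vmp": "VMProtect", "UPX": "UPX", ".themida": "Themida"}
# Assumption: 7.0 bits/byte is a reasonable 'looks compressed or encrypted' line
# (the report flagged .rsrc at 7.999; the maximum possible is 8.0).
ENTROPY_THRESHOLD = 7.0


class Section(NamedTuple):
    name: str
    raw_size: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> List[Section]:
    """Walk the COFF section table and measure each section's raw file bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData, reloc/linenumber fields, Characteristics
        name, _, _, raw_size, raw_ptr, _, _, _, _, _ = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        data = pe[raw_ptr:raw_ptr + raw_size]
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                raw_size, shannon_entropy(data)))
    return sections


def assess(pe: bytes) -> Dict[str, List[str]]:
    """Return the two indicator lists the sandbox derives from the section table."""
    findings: Dict[str, List[str]] = {"packer_sections": [], "high_entropy": []}
    for s in parse_sections(pe):
        for prefix, packer in PACKER_SECTION_PREFIXES.items():
            if s.name.startswith(prefix):
                findings["packer_sections"].append(f"{s.name} ({packer})")
        if s.raw_size and s.entropy > ENTROPY_THRESHOLD:
            findings["high_entropy"].append(f"{s.name} entropy={s.entropy:.3f}")
    return findings


def build_test_pe(sections: List[tuple]) -> bytes:
    """Constructed minimal PE32 (headers + section table + data) for offline testing."""
    opt = b"\x0b\x01" + b"\0" * 222                       # PE32 magic, rest zeroed
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    data_start = (0x40 + 4 + 20 + len(opt) + 40 * len(sections) + 0x1FF) & ~0x1FF
    table, blob, ptr = b"", b"", data_start
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0")[:8], len(data),
                             0x1000, len(data), ptr, 0, 0, 0, 0, 0x60000020)
        blob += data
        ptr += len(data)
    return (dos + b"PE\0\0" + coff + opt + table).ljust(data_start, b"\0") + blob


# Constructed sample: plain code bytes, a VMProtect-style section filled with
# pseudo-random bytes (deterministic seed), and an all-zero resource section.
_rng = random.Random(1)
SAMPLE_PE = build_test_pe([
    (b".text", b"\x55\x8b\xec\x90" * 256),
    (b".vmp0", bytes(_rng.getrandbits(8) for _ in range(4096))),
    (b".rsrc", b"\0" * 512),
])

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PE
    for sec in parse_sections(blob):
        print(f"{sec.name:<8} {sec.raw_size:>8} bytes  entropy {sec.entropy:.3f}")
    print(assess(blob))
```

Pointed at the real Updater.exe or rwatch.exe, the same two functions report the .vmp0/.vmp1 names and their entropies; the threshold is deliberately lower than the sandbox's so that compressed-but-not-encrypted sections are surfaced too.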
-
Sets the 'ThreadHideFromDebugger' thread data structure
- details: "CV.EXE" is setting 'ThreadHideFromDebugger' data for thread ID 0xfffffffe
- source: API Call
- relevance: 10/10
- note: 0xfffffffe is the NtCurrentThread pseudo-handle, so this is NtSetInformationThread(ThreadHideFromDebugger) on the calling thread itself; once set, an attached debugger receives no further events from that thread.
-
Cryptographic Related
-
Found a cryptographic related string
- details: "Rijndael" (Indicator: "rijndael"; File: "00052257-00001976.00000001.53041.00400000.00000002.mdmp")
- source: File/Memory
- relevance: 10/10
- note: the string was found in a process memory dump, not in a dropped file. Rijndael is the algorithm standardized as AES; a licensing or packet-capture product encrypting data locally is an ordinary reason for it to be present.
-
Environment Awareness
-
Contains ability to measure performance
- details: rdtsc (5 occurrences)
- source: Hybrid Analysis Technology
- relevance: 10/10
-
Contains ability to query CPU information
- details: cpuid (3 occurrences)
- source: Hybrid Analysis Technology
- relevance: 10/10
- ATT&CK ID: T1082
- note: paired rdtsc reads are the usual timing check for a hypervisor or a single-stepping debugger, and cpuid leaf 1 exposes the hypervisor-present bit; but both instructions are also emitted by ordinary runtime code (high-resolution timers, CPU feature detection), so on their own they are weak signals.
-
Possibly tries to evade analysis by sleeping many times
- details: "CV.EXE" (Thread ID: 1248) slept "520" times (threshold: 500)
- source: API Call
- relevance: 10/10
-
Reads the active computer name
- details:
  "setupCommView.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  "CV.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  "Updater.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012
-
Reads the cryptographic machine GUID
- details: "CV.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012
- note: MachineGuid is a stable per-installation identifier. Malware reads it to fingerprint victims; commercial license checks read it to node-lock a key, which is the reading consistent with the Lic.ini access listed under "Reads configuration files".
-
General
-
Reads configuration files
- details:
  "CV.EXE" read file "%PROGRAMFILES%\CommViewWiFi\Lang.ini"
  "CV.EXE" read file "%ALLUSERSPROFILE%\TamoSoft\CommView for WiFi\LANG.INI"
  "CV.EXE" read file "C:\Program Files\desktop.ini"
  "CV.EXE" read file "C:\Users\desktop.ini"
  "CV.EXE" read file "C:\Users\%USERNAME%\Documents\desktop.ini"
  "CV.EXE" read file "C:\Users\%USERNAME%\Desktop\desktop.ini"
  "CV.EXE" read file "C:\Program Files\CommViewWiFi\Lic.ini"
- source: API Call
- relevance: 4/10
- note: the desktop.ini reads under Program Files, Users, Documents and Desktop are what the shell does when it enumerates folders (a file dialog, for example); the product-specific reads are Lang.ini, LANG.INI and Lic.ini.
-
Installation/Persistance
-
Drops executable files
- details:
  "WdfCoInstaller01011.dll" has type "PE32+ executable (DLL) (console) x86-64 for MS Windows"
  "ch1213.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  "CV.EXE" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  "preinst.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  "Updater.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  "fcd.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "Uninst_CommViewWiFi.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  "WdfCoInstaller01011.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
  "dhelper.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  "QtStub.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "libspeex.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "tsremind.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "ca2k.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "tsappact.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "rwatch.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  "Translator.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source: Binary File
- relevance: 10/10
- note: "WdfCoInstaller01011.dll" appears twice because both an x86-64 and an x86 copy of the KMDF 1.11 co-installer are shipped with the driver packages.
-
The input sample dropped/contains a certificate file
- details: nine driver catalog files carry the same five certificates (the TamoSoft code-signing chain plus the Symantec timestamping chain): "ts_athr.cat", "ts_athw.cat", "tsrltkx.cat", "ts_arusb.cat", "tsrltk.cat", "tsrlusbx.cat", "tsrlusb.cat", "tslwwff.cat", "ts_arnusb.cat". For each file the report lists:
  Owner: CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US; Issuer: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA; SerialNumber: 7e93ebfb7cc64e59ea4b9a77d406fc3b; Valid From: 12/21/2012 00:00:00; Until: 12/30/2020 23:59:59; Fingerprints: MD5=7B:A3:69:EE:9A:BD:81:E0:FC:76:74:E9:70:9E:15:1D; SHA1=6C:07:45:3F:FD:DA:08:B8:37:07:C0:9B:82:FB:3D:15:F3:53:36:B1
  Owner: CN=Symantec Time Stamping Services Signer - G4, O=Symantec Corporation, C=US; Issuer: CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US; SerialNumber: ecff438c8febf356e04d86a981b1a50; Valid From: 10/18/2012 00:00:00; Until: 12/29/2020 23:59:59; Fingerprints: MD5=08:32:B6:5C:C3:E3:A4:9B:C3:81:BA:95:E1:B5:87:37; SHA1=65:43:99:29:B6:79:73:EB:19:2D:6F:F2:43:E6:76:7A:DF:08:34:E4
  Owner: CN=TamoSoft Ltd, OU=Application Development, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=TamoSoft Ltd, L=Christchurch, ST=New Zealand, C=NZ; Issuer: CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa c10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US; SerialNumber: 3cd1573766f79d2b3db89d43fa987ec5; Valid From: 08/08/2012 00:00:00; Until: 10/22/2015 23:59:59; Fingerprints: MD5=15:DA:CB:08:D7:F8:71:EA:08:CE:D7:C6:FF:50:52:BD; SHA1=A9:2A:47:18:6D:64:34:AC:83:2E:97:C5:4F:49:83:97:C4:45:26:CF
  Owner: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="c 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US; Issuer: CN=Microsoft Code Verification Root, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; SerialNumber: 611993e400000000001c; Valid From: 02/22/2011 19:25:17; Until: 02/22/2021 19:35:17; Fingerprints: MD5=8D:91:3B:CB:70:53:0B:AF:CB:EC:15:BB:74:CF:73:D4; SHA1=57:53:4C:CC:33:91:4C:41:F7:0E:2C:BB:21:03:A1:DB:18:81:7D:8B
  Owner: CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa c10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US; Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="c 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US; SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7; Valid From: 02/08/2010 00:00:00; Until: 02/07/2020 23:59:59; Fingerprints: MD5=4D:F6:E0:FC:40:0C:AE:9C:05:2F:AE:98:C6:6D:37:9F; SHA1=49:58:47:A9:31:87:CF:B8:C7:1F:84:0C:B7:B4:14:97:AD:95:C6:4F
- source: Binary File
- relevance: 10/10
- note: the code-signing chain is TamoSoft Ltd -> VeriSign Class 3 Code Signing 2010 CA -> VeriSign Class 3 Public Primary CA G5, and the G5 entry here is the cross-certificate issued by "Microsoft Code Verification Root", the arrangement Windows used at the time for third-party kernel-mode driver signing. The TamoSoft leaf expired on 10/22/2015, well before this June 2019 analysis; the catalog signatures remain valid only through the Symantec timestamp countersignature, so verify them against the countersignature time rather than the analysis date.
-
Drops executable files
-
Network Related
-
Found potential IP address in binary/memory
- details
-
Heuristic match: "DriverVer = 07/22/2023,2.0.0.72"
Heuristic match: "DriverVer= 02/12/2024,1.0.0.137"
Heuristic match: "<?xml version="1.0" encoding="UTF-8"?>
<VersionInfo>
<FileVersion>9</FileVersion>
<AppVersion>5.1.2.22</AppVersion>
<ProdVersion>2.0.5.0</ProdVersion>
</VersionInfo>" - source
- File/Memory
- relevance
- 3/10
-
Remote Access Related
-
Reads terminal service related keys (often RDP related)
- details
-
"CV.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
"Updater.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1076
-
System Destruction
-
Marks file for deletion
- details
-
"C:\setupCommView.exe" marked "%TEMP%\~SBEA14.tmp" for deletion
"C:\setupCommView.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\~SBEA15.tmp" for deletion
"C:\setupCommView.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\LSBE88A.tmp" for deletion
"C:\setupCommView.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\LSBE89C.tmp" for deletion
"C:\setupCommView.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\~SBEA25.tmp" for deletion
"C:\setupCommView.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\~SBEA36.tmp" for deletion
"C:\setupCommView.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\~SBEA47.tmp" for deletion
"C:\setupCommView.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\106d0b20-890c-11e9-4823-0041d8810029\EULA CommView for WiFi.rtf" for deletion
"C:\setupCommView.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\~SBEA48.tmp" for deletion
"C:\setupCommView.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\~SBEA58.tmp" for deletion
"C:\setupCommView.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\~SBEA69.tmp" for deletion
"C:\setupCommView.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\~SBEA7A.tmp" for deletion
"C:\setupCommView.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\~SBEA8A.tmp" for deletion
"C:\setupCommView.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\~SBEA8B.tmp" for deletion
"C:\setupCommView.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\~SBEA9C.tmp" for deletion
"C:\setupCommView.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\~SBEA9D.tmp" for deletion
"C:\setupCommView.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\~SBEAAD.tmp" for deletion
"%PROGRAMFILES%\CommViewWiFi\CV.EXE" marked "C:\Program Files\CommViewWiFi\Lang.ini" for deletion - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1107
-
Opens file with deletion access rights
- details
-
"setupCommView.exe" opened "%TEMP%\~SBEA14.tmp" with delete access
"setupCommView.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\~SBEA15.tmp" with delete access
"setupCommView.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\LSBE88A.tmp" with delete access
"setupCommView.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\LSBE89C.tmp" with delete access
"setupCommView.exe" opened "C:\v@!" with delete access
"setupCommView.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\~SBEA25.tmp" with delete access
"setupCommView.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\~SBEA36.tmp" with delete access
"setupCommView.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\106d0b20-890c-11e9-4823-0041d8810029\EULA CommView for WiFi.rtf" with delete access
"setupCommView.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\~SBEA47.tmp" with delete access
"setupCommView.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\~SBEA48.tmp" with delete access
"setupCommView.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\~SBEA58.tmp" with delete access
"setupCommView.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\~SBEA69.tmp" with delete access
"setupCommView.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\~SBEA7A.tmp" with delete access
"setupCommView.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\~SBEA8A.tmp" with delete access
"setupCommView.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\~SBEA8B.tmp" with delete access
"setupCommView.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\~SBEA9C.tmp" with delete access
"setupCommView.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\~SBEA9D.tmp" with delete access - source
- API Call
- relevance
- 7/10
-
System Security
-
Hooks API calls
- details
-
"SetScrollRange@USER32.DLL" in "CV.EXE"
"SetScrollInfo@USER32.DLL" in "CV.EXE"
"SetScrollPos@USER32.DLL" in "CV.EXE" - source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
-
Modifies Software Policy Settings
- details
-
"CV.EXE" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"CV.EXE" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"CV.EXE" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"CV.EXE" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"CV.EXE" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"CV.EXE" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"CV.EXE" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"CV.EXE" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"CV.EXE" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"CV.EXE" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"CV.EXE" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"CV.EXE" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"CV.EXE" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"CV.EXE" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"CV.EXE" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"CV.EXE" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"CV.EXE" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
"CV.EXE" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
"CV.EXE" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
"CV.EXE" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Modifies proxy settings
- details
-
"CV.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"CV.EXE" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Queries sensitive IE security settings
- details
- "CV.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source
- Registry Access
- relevance
- 8/10
- ATT&CK ID
- T1012
-
Unusual Characteristics
-
CRC value set in PE header does not match actual value
- details
-
"ch1213.exe" claimed CRC 368547 while the actual is CRC 1809253
"CV.EXE" claimed CRC 8626664 while the actual is CRC 368547
"preinst.exe" claimed CRC 470964 while the actual is CRC 5234536
"Updater.exe" claimed CRC 1507780 while the actual is CRC 470964
"fcd.dll" claimed CRC 308500 while the actual is CRC 1507780
"Uninst_CommViewWiFi.exe" claimed CRC 33886904 while the actual is CRC 308500
"WdfCoInstaller01011.dll" claimed CRC 1669995 while the actual is CRC 332472
"dhelper.exe" claimed CRC 51657631 while the actual is CRC 1669995
"libspeex.dll" claimed CRC 280779 while the actual is CRC 247728
"ca2k.dll" claimed CRC 262244 while the actual is CRC 217085
"tsappact.dll" claimed CRC 348624 while the actual is CRC 262244
"rwatch.exe" claimed CRC 912963 while the actual is CRC 348624
"Translator.dll" claimed CRC 92543 while the actual is CRC 912963 - source
- Static Parser
- relevance
- 10/10
-
Entrypoint in PE header is within an uncommon section
- details
-
"CV.EXE" has an entrypoint in section ".KISS1"
"preinst.exe" has an entrypoint in section ".vmp1"
"Updater.exe" has an entrypoint in section ".vmp1"
"tsappact.dll" has an entrypoint in section ".gla2"
"rwatch.exe" has an entrypoint in section ".vmp1" - source
- Static Parser
- relevance
- 10/10
-
Imports suspicious APIs
- details
-
RegCreateKeyExW
RegCloseKey
RegOpenKeyExW
OutputDebugStringW
GetModuleFileNameW
GetVersionExW
GetTickCount
LockResource
UnhandledExceptionFilter
LoadLibraryExW
CreateDirectoryW
DeleteFileW
GetProcAddress
WriteFile
LoadLibraryW
FindNextFileW
FindFirstFileW
GetModuleHandleW
TerminateProcess
FindResourceW
CreateFileW
CreateProcessW
Sleep
GetStartupInfoW
GetFileAttributesW
LoadLibraryA
GetCommandLineW
VirtualAlloc
VirtualProtect
GetModuleFileNameA
GetModuleHandleA
ShellExecuteExW
InternetCloseHandle
RegOpenKeyExA
IsDebuggerPresent
CreateThread
GetModuleHandleExW
DeleteFileA
CreateFileMappingA
GetCommandLineA
MapViewOfFile
CreateProcessA
WriteProcessMemory
GetThreadContext
GetTempPathA
VirtualProtectEx
GetStartupInfoA
GetTempFileNameA
CreateFileA
GetFileAttributesA
GetVersionExA
OutputDebugStringA
RegCreateKeyExA
LoadLibraryExA
FindFirstFileA
FindResourceA
ShellExecuteA
GetCursorPos
GetLastActivePopup
GetWindowThreadProcessId
RegOpenKeyA
StartServiceW
RegEnumKeyA
DeviceIoControl
ExitThread
GetFileSize
SetWindowsHookExA
HttpSendRequestA
InternetReadFile
InternetOpenA
InternetConnectA
RegDeleteValueW
OpenProcessToken - source
- Static Parser
- relevance
- 1/10
-
Installs hooks/patches the running process
- details
-
"CV.EXE" wrote bytes "e98fa54f00ec53565733db895dec894d" to virtual address "0x006095E0" (part of module "CV.EXE")
"CV.EXE" wrote bytes "e739f676e1a6fa762e71fa76ee29fa7685e2f5766da0fa769064f9763ad5007726e4f576d16dfa76003df876804bf87600000000ad378b758b2d8b75b6418b7500000000" to virtual address "0x74811000" (part of module "WSHIP6.DLL")
"CV.EXE" wrote bytes "d055dc756473e5750000000051c1757594987575ee9c757575dc7775273e77750fb37b7500000000acdc60751bf76075c1086275c0d96075152e607536da6075d5d9607530c66075a0c4607542c660751bc6607586c4607572c6607500000000" to virtual address "0x72631000" (part of module "SHFOLDER.DLL")
"CV.EXE" wrote bytes "e94972158e000000" to virtual address "0x758F8E8B" ("SetScrollRange@USER32.DLL")
"CV.EXE" wrote bytes "e993a94f00f053568bf18bda8945fcb2" to virtual address "0x006086C4" (part of module "CV.EXE")
"CV.EXE" wrote bytes "e9039c4f00d885f674138bc6e8fbecff" to virtual address "0x006097E4" (part of module "CV.EXE")
"CV.EXE" wrote bytes "e9ebaa4f0053568bf28bd833c055685e" to virtual address "0x00608DE4" (part of module "CV.EXE")
"CV.EXE" wrote bytes "e99fa84f008bd885f6750f33c933d28b" to virtual address "0x006088AC" (part of module "CV.EXE")
"CV.EXE" wrote bytes "e93b9b4f00e98bf28bd885f6741d8bc3" to virtual address "0x006097AC" (part of module "CV.EXE")
"CV.EXE" wrote bytes "e903a84f00ffffffc38d40005356578b" to virtual address "0x00608E6C" (part of module "CV.EXE")
"CV.EXE" wrote bytes "e933a74f00008b5d0853e8d9feffff5b" to virtual address "0x006095CC" (part of module "CV.EXE")
"CV.EXE" wrote bytes "e993ad4f00f053568bf18bda8945fcb2" to virtual address "0x00608790" (part of module "CV.EXE")
"CV.EXE" wrote bytes "e97fbc4f00f0535633db895df08bf18b" to virtual address "0x006089F4" (part of module "CV.EXE")
"CV.EXE" wrote bytes "e9bba44f005d08536affe8edfeffff5b" to virtual address "0x006095B8" (part of module "CV.EXE")
"CV.EXE" wrote bytes "e9cfbd4f00e8535633db895de8895dec" to virtual address "0x00608B18" (part of module "CV.EXE")
"CV.EXE" wrote bytes "c04ef8762054f976e065f976b538fa760000000000d0607500000000c5ea60750000000088ea607500000000e968e8748228fa76ee29fa7600000000d269e874000000007dbb60750000000009bee87400000000ba18607500000000" to virtual address "0x77191000" (part of module "NSI.DLL")
"CV.EXE" wrote bytes "e951b7148e000000" to virtual address "0x759048AA" ("SetScrollInfo@USER32.DLL")
"CV.EXE" wrote bytes "d5d9607530c66075a0c4607542c6607510c66075acdc6075a0df607536da607587f16075000000009177cf75c090cf757f6fcf751ffacf75def4cf75f282cf75857dcf7500000000" to virtual address "0x725B1000" (part of module "MSIMG32.DLL")
"CV.EXE" wrote bytes "e937fd128e000000" to virtual address "0x7592048E" ("SetScrollPos@USER32.DLL")
"CV.EXE" wrote bytes "e93ba84f00ea8bf03bcd7d298bf98bdd" to virtual address "0x0060973C" (part of module "CV.EXE") - source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
-
Reads information about supported languages
- details
-
"setupCommView.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"CV.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"CV.EXE" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL\GEO"; Key: "NATION")
"Updater.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409") - source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012
-
Hiding 13 Suspicious Indicators
-
Informative 34
-
Anti-Reverse Engineering
-
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
-
SetUnhandledExceptionFilter@KERNEL32.DLL from setupCommView.exe (PID: 1040)
SetUnhandledExceptionFilter@KERNEL32.dll
SetUnhandledExceptionFilter@KERNEL32.dll
SetUnhandledExceptionFilter@KERNEL32.dll - source
- Hybrid Analysis Technology
- relevance
- 1/10
-
PE file contains zero-size sections
- details
-
Raw size of ".bss" is zero
Raw size of ".tls" is zero
Raw size of ".text" is zero
Raw size of ".itext" is zero
Raw size of ".data" is zero
Raw size of ".idata" is zero
Raw size of ".didata" is zero
Raw size of ".rdata" is zero
Raw size of ".KISS0" is zero
Raw size of ".vmp0" is zero - source
- Static Parser
- relevance
- 10/10
-
Environment Awareness
-
Contains ability to query machine time
- details
-
GetSystemTimeAsFileTime@KERNEL32.DLL from setupCommView.exe (PID: 1040)
GetLocalTime@kernel32.dll
GetLocalTime@kernel32.dll - source
- Hybrid Analysis Technology
- relevance
- 1/10
- ATT&CK ID
- T1124
-
Contains ability to query the machine version
- details
-
GetVersion@kernel32.dll
GetVersionExW@kernel32.dll
GetVersionExW@kernel32.dll
GetVersionExW@kernel32.dll
GetVersion@kernel32.dll
GetVersion@kernel32.dll
GetVersion@kernel32.dll
GetVersionExW@kernel32.dll
GetVersion@kernel32.dll
GetVersion@kernel32.dll - source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the system locale
- details
-
EnumSystemLocalesW@kernel32.dll
EnumSystemLocalesW@kernel32.dll - source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query volume size
- details
-
GetDiskFreeSpaceW@kernel32.dll
GetDiskFreeSpaceW@kernel32.dll - source
- Hybrid Analysis Technology
- relevance
- 3/10
- ATT&CK ID
- T1083
-
Makes a code branch decision directly after an API that is environment aware
- details
-
Found API call GetVersion@kernel32.dll directly followed by "cmp edx, 05h" and "jne 004099D2h"
Found API call GetVersion@kernel32.dll directly followed by "cmp byte ptr [0044FB7Ch], 00h" and "je 004082C6h"
Found API call GetVersion@kernel32.dll directly followed by "cmp al, 4Dh" and "jns 006C6182h" - source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Possibly tries to detect the presence of a debugger
- details
- GetProcessHeap@KERNEL32.DLL from setupCommView.exe (PID: 1040)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Queries volume information
- details
-
"setupCommView.exe" queries volume information of "C:\" at 00045630-00001040-0000010C-153215987805
"setupCommView.exe" queries volume information of "%PROGRAMFILES%\CommViewWiFi\CV.CHM" at 00045630-00001040-0000010C-153217583527
"setupCommView.exe" queries volume information of "C:\" at 00045630-00001040-0000010C-166059339472
"setupCommView.exe" queries volume information of "%PROGRAMFILES%\CommViewWiFi\Uninst_CommViewWiFi.exe" at 00045630-00001040-0000010C-166088243094
"setupCommView.exe" queries volume information of "C:\" at 00045630-00001040-0000010C-166463240775
"setupCommView.exe" queries volume information of "%PROGRAMFILES%\CommViewWiFi\CV.EXE" at 00045630-00001040-0000010C-166464630481
"setupCommView.exe" queries volume information of "C:\" at 00045630-00001040-0000010C-167119025581
"setupCommView.exe" queries volume information of "%PROGRAMFILES%\CommViewWiFi\CV.EXE" at 00045630-00001040-0000010C-167120780038 - source
- API Call
- relevance
- 2/10
- ATT&CK ID
- T1120
-
Queries volume information of an entire harddrive
- details
-
"setupCommView.exe" queries volume information of "C:\" at 00045630-00001040-0000010C-153215987805
"setupCommView.exe" queries volume information of "C:\" at 00045630-00001040-0000010C-166059339472
"setupCommView.exe" queries volume information of "C:\" at 00045630-00001040-0000010C-166463240775
"setupCommView.exe" queries volume information of "C:\" at 00045630-00001040-0000010C-167119025581 - source
- API Call
- relevance
- 8/10
- ATT&CK ID
- T1120
-
Reads the registry for installed applications
- details
-
"setupCommView.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\SETUPCOMMVIEW.EXE")
"setupCommView.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\SETUPCOMMVIEW.EXE")
"setupCommView.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\COMMVIEW FOR WIFI")
"CV.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\CV.EXE")
"CV.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\CV.EXE")
"CV.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\UPDATER.EXE")
"CV.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\UPDATER.EXE") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/72 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
General
-
Accesses Software Policy Settings
- details
-
"CV.EXE" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"CV.EXE" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"CV.EXE" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"CV.EXE" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"CV.EXE" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"CV.EXE" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"CV.EXE" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"CV.EXE" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"CV.EXE" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"CV.EXE" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"CV.EXE" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"CV.EXE" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"CV.EXE" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"CV.EXE" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"CV.EXE" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"CV.EXE" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"CV.EXE" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
"CV.EXE" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
"CV.EXE" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
"CV.EXE" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012
-
Accesses System Certificates Settings
- details
-
"CV.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
"CV.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"CV.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"CV.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\2E4916B07F3DE90C8DDE2566FD9B9B400D89BBBA"; Key: "BLOB")
"CV.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\5AEAEE3F7F2A9449CEBAFEEC68FDD184F20124A7"; Key: "BLOB")
"CV.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\E6A3B45B062D509B3382282D196EFE97D5956CCB"; Key: "BLOB")
"CV.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0"; Key: "BLOB")
"CV.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"CV.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"CV.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"CV.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"CV.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\109F1CAED645BB78B3EA2B94C0697C740733031C"; Key: "BLOB")
"CV.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\D559A586669B08F46A30A133F8A9ED3D038E2EA8"; Key: "BLOB")
"CV.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FEE449EE0E3965A5246F000E87FDE2A065FD89D4"; Key: "BLOB")
"CV.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"CV.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS\A377D1B1C0538833035211F4083D00FECC414DAB"; Key: "BLOB")
"CV.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"CV.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Contains PDB pathways
- details
-
"WdfCoInstaller01011.pdb"
"d:\Murad\Tamos\QT\QTStub\release\QtStub.pdb" - source
- File/Memory
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
-
"setupCommView.exe" created file "%TEMP%\~SBEA14.tmp"
"setupCommView.exe" created file "%TEMP%\~SBEA15.tmp"
"setupCommView.exe" created file "%TEMP%\LSBE88A.tmp"
"setupCommView.exe" created file "%TEMP%\LSBE89B.tmp"
"setupCommView.exe" created file "%TEMP%\LSBE89C.tmp"
"setupCommView.exe" created file "%TEMP%\~SBEA25.tmp"
"setupCommView.exe" created file "%TEMP%\~SBEA36.tmp"
"setupCommView.exe" created file "%TEMP%\~SBEA47.tmp"
"setupCommView.exe" created file "%TEMP%\~SBEA48.tmp"
"setupCommView.exe" created file "%TEMP%\~SBEA58.tmp"
"setupCommView.exe" created file "%TEMP%\~SBEA69.tmp" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\CA2KMTX"
"\Sessions\1\BaseNamedObjects\HookApi:{7DDF4ADB-4A01-4F4B-83AA-8D91C21E99D2}:1288:Lock"
"\Sessions\1\BaseNamedObjects\RasPbFile"
"\Sessions\1\BaseNamedObjects\Local\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_Speech_Voices_Tokens_MS-Anna-1033-20-DSK_Mutex"
"\Sessions\1\BaseNamedObjects\Global\SBUILDER_MX_CA"
"\Sessions\1\BaseNamedObjects\Global\NetCfgWriteLock"
"\Sessions\1\BaseNamedObjects\Global\d3b1bbc7-c020-4056-9ded-7c6f40b5a2fc"
"\Sessions\1\BaseNamedObjects\.NET CLR Data_Perf_Library_Lock_PID_508"
"\Sessions\1\BaseNamedObjects\.NET CLR Networking_Perf_Library_Lock_PID_508"
"\Sessions\1\BaseNamedObjects\.NET CLR Networking 4.0.0.0_Perf_Library_Lock_PID_508"
"\Sessions\1\BaseNamedObjects\.NET Data Provider for Oracle_Perf_Library_Lock_PID_508"
"\Sessions\1\BaseNamedObjects\.NET Data Provider for SqlServer_Perf_Library_Lock_PID_508"
"\Sessions\1\BaseNamedObjects\.NET Memory Cache 4.0_Perf_Library_Lock_PID_508"
"\Sessions\1\BaseNamedObjects\.NETFramework_Perf_Library_Lock_PID_508"
"\Sessions\1\BaseNamedObjects\ASP.NET_Perf_Library_Lock_PID_508"
"\Sessions\1\BaseNamedObjects\ASP.NET_4.0.30319_Perf_Library_Lock_PID_508"
"\Sessions\1\BaseNamedObjects\aspnet_state_Perf_Library_Lock_PID_508"
"\Sessions\1\BaseNamedObjects\BITS_Perf_Library_Lock_PID_508"
"\Sessions\1\BaseNamedObjects\ESENT_Perf_Library_Lock_PID_508"
"\Sessions\1\BaseNamedObjects\Lsa_Perf_Library_Lock_PID_508" - source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
-
Antivirus vendors marked dropped file "WdfCoInstaller01011.dll" as clean (type is "PE32+ executable (DLL) (console) x86-64 for MS Windows")
Antivirus vendors marked dropped file "Updater.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "fcd.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "Uninst_CommViewWiFi.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "WdfCoInstaller01011.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "QtStub.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "libspeex.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "tsremind.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "ca2k.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "tsappact.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "rwatch.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "Translator.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "EULA CommView for WiFi.rtf" as clean (type is "Rich Text Format data version 1 ANSI") - source
- Binary File
- relevance
- 10/10
-
Loads rich edit control libraries
- details
-
"setupCommView.exe" loaded module "%WINDIR%\System32\riched32.dll" at 70620000
"setupCommView.exe" loaded module "%WINDIR%\System32\riched20.dll" at 6E9B0000 - source
- Loaded Module
- ATT&CK ID
- T1179
-
Overview of unique CLSIDs touched in registry
- details
-
"setupCommView.exe" touched "Computer" (Path: "HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
"setupCommView.exe" touched "Memory Mapped Cache Mgr" (Path: "HKCU\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}")
"setupCommView.exe" touched "Microsoft Windows Font Folder" (Path: "HKCU\CLSID\{BD84B380-8CA2-1069-AB1D-08000948F534}")
"setupCommView.exe" touched "UsersFiles" (Path: "HKCU\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\SHELLFOLDER")
"setupCommView.exe" touched "Shortcut" (Path: "HKCU\CLSID\{00021401-0000-0000-C000-000000000046}\TREATAS")
"CV.EXE" touched "Destkop Undo Manager" (Path: "HKCU\CLSID\{3EEF301F-B596-4C0B-BD92-013BEAFCE793}")
"CV.EXE" touched "PSFactoryBuffer" (Path: "HKCU\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}")
"CV.EXE" touched "Shell Undo Parent Unit" (Path: "HKCU\CLSID\{078759D3-423B-48AD-AB6A-5638C2884DBE}\TREATAS")
"CV.EXE" touched "Property System Both Class Factory" (Path: "HKCU\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}\TREATAS")
"CV.EXE" touched "Shell Copy Hook" (Path: "HKCU\CLSID\{217FC9C0-3AEA-1069-A2DB-08002B30309D}\INPROCSERVER32")
"CV.EXE" touched "Shell extensions for sharing" (Path: "HKCU\CLSID\{40DD6E20-7C17-11CE-A804-00AA003CA9F6}\INPROCSERVER32")
"CV.EXE" touched "Share Manager" (Path: "HKCU\CLSID\{EDB5F444-CB8D-445A-A523-EC5AB6EA33C7}\TREATAS")
"CV.EXE" touched "Inplace Share Engine" (Path: "HKCU\CLSID\{6311429E-2F1A-4777-880F-C7289FD10169}\TREATAS")
"CV.EXE" touched "Enhanced Storage Icon Overlay Handler Class" (Path: "HKCU\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\INPROCSERVER32")
"CV.EXE" touched "Sharing Overlay (Private)" (Path: "HKCU\CLSID\{08244EE6-92F0-47F2-9FC9-929BAA2E7235}\INPROCSERVER32")
"CV.EXE" touched "SpVoice Class" (Path: "HKCU\CLSID\{96749377-3391-11D2-9EE3-00C04F797396}\TREATAS")
"CV.EXE" touched "SpObjectTokenCategory Class" (Path: "HKCU\CLSID\{A910187F-0C7A-45AC-92CC-59EDAFB77B53}\TREATAS")
"CV.EXE" touched "SpDataKey Class" (Path: "HKCU\CLSID\{D9F6EE60-58C9-458B-88E1-2F908FD7F87C}\TREATAS")
"CV.EXE" touched "SpResourceManager Class" (Path: "HKCU\CLSID\{96749373-3391-11D2-9EE3-00C04F797396}\TREATAS")
"CV.EXE" touched "SpTaskManager Class" (Path: "HKCU\CLSID\{4C6F940C-3CFE-11D2-9EE7-00C04F797396}\TREATAS")
- source
- Registry Access
- relevance
- 3/10
-
Reads Windows Trust Settings
- details
- "CV.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source
- Registry Access
- relevance
- 5/10
- ATT&CK ID
- T1012
-
Scanning for window names
- details
-
"CV.EXE" searching for class "Photoshop"
"CV.EXE" searching for class "TApplication"
"CV.EXE" searching for class "TfrmSiteSurvey"
"CV.EXE" searching for class "Shell_TrayWnd"
"CV.EXE" searching for class "TAppBuilder"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1010
-
Spawns new processes
- details
-
Spawned process "CV.EXE"
Spawned process "dhelper.exe" with commandline "1288"
Spawned process "Updater.exe" with commandline "/regtask"
- source
- Monitored Target
- relevance
- 3/10
-
Spawns new processes that are not known child processes
- details
-
Spawned process "CV.EXE"
Spawned process "dhelper.exe" with commandline "1288"
Spawned process "Updater.exe" with commandline "/regtask"
- source
- Monitored Target
- relevance
- 3/10
-
The input sample is signed with a certificate
- details
-
The input sample is signed with a certificate issued by "C=NZ, S=New Zealand, L=Christchurch, O=TamoSoft Ltd, OU=Digital ID Class 3 - Microsoft Software Validation v2, OU=Application Development, CN=TamoSoft Ltd" (SHA1: A9:2A:47:18:6D:64:34:AC:83:2E:97:C5:4F:49:83:97:C4:45:26:CF: (sha1RSA(RSA)); see report for more information)
The input sample is signed with a certificate issued by "C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa c10, CN=VeriSign Class 3 Code Signing 2010 CA" (SHA1: 49:58:47:A9:31:87:CF:B8:C7:1F:84:0C:B7:B4:14:97:AD:95:C6:4F: (sha1RSA(RSA)); see report for more information)
The input sample is signed with a certificate issued by "C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="c 2006 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G5" (SHA1: 4E:B6:D5:78:49:9B:1C:CF:5F:58:1E:AD:56:BE:3D:9B:67:44:A5:E5: (sha1RSA(RSA)); see report for more information)
- source
- Certificate Data
- relevance
- 10/10
- ATT&CK ID
- T1116
-
The input sample is signed with a valid certificate
- details
- The entire certificate chain of the input sample was validated successfully.
- source
- Certificate Data
- relevance
- 10/10
-
Installation/Persistence
-
Connects to LPC ports
- details
-
"setupCommView.exe" connecting to "\ThemeApiPort"
"CV.EXE" connecting to "\ThemeApiPort"
"Updater.exe" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
-
Dropped files
- details
-
"WdfCoInstaller01011.dll" has type "PE32+ executable (DLL) (console) x86-64 for MS Windows"
"CV.CHM" has type "MS Windows HtmlHelp Data"
"ts_athr.cat" has type "data"
"ch1213.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"CV.EXE" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"preinst.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"CommView for WiFi.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Icon number=0 Archive ctime=Wed Aug 14 10:50:58 2013 mtime=Thu Feb 13 11:36:28 2014 atime=Thu Feb 13 11:36:45 2014 length=8596384 window=hide"
"Updater.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"ts_athr.inf" has type "Windows setup INFormation ASCII text with CRLF line terminators"
"ts_athw.cat" has type "data"
"tsrltkx.cat" has type "data"
"fcd.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"Uninst_CommViewWiFi.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"WdfCoInstaller01011.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"dhelper.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"ts_arusb.cat" has type "data"
"ts_arnusb.inf" has type "Windows setup INFormation ASCII text with CRLF line terminators"
"ts_rltkx.inf" has type "Windows setup INFormation ASCII text with CRLF line terminators"
"tsrltk.cat" has type "data"
"QtStub.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"setupCommView.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"setupCommView.exe" touched file "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\desktop.ini"
"setupCommView.exe" touched file "C:\ProgramData\Microsoft\Windows\Start Menu"
"setupCommView.exe" touched file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini"
"setupCommView.exe" touched file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
"setupCommView.exe" touched file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"
"setupCommView.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches"
"setupCommView.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"setupCommView.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001f.db"
"setupCommView.exe" touched file "C:\Windows\Fonts\desktop.ini"
"setupCommView.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini"
"setupCommView.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu"
"setupCommView.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini"
"setupCommView.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
"setupCommView.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"
"setupCommView.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini"
"setupCommView.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini"
"setupCommView.exe" touched file "C:\Windows\System32\en-US\user32.dll.mui"
- source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: "uscript.sb"
Heuristic match: "script.sb"
Heuristic match: "ts_athwx.cat"
Heuristic match: "ts_arnusbx.cat"
Heuristic match: "ts_athrx.cat"
Heuristic match: "C[i.o`.ch"
Heuristic match: "ts_athw.cat"
Heuristic match: "ts_arnusb.cat"
Heuristic match: "~@X{(n.ir"
Heuristic match: "ts_athr.cat"
Heuristic match: "tslwwff.cat"
Heuristic match: "tsrlusbx.cat"
Heuristic match: "tsrlusb.cat"
Heuristic match: "tsrltkx.cat"
Heuristic match: "tsrltk.cat"
Heuristic match: "ts_arusb.cat"
Heuristic match: "7UM{'J.Tv"
Heuristic match: "G&LI(%h5.md"
Heuristic match: ").]Vo..km"
Heuristic match: "lry09?erq.ir"
Pattern match: "s.com/contact/}}{\fldrslt{\ul\cf1"
Heuristic match: "support@tamos.com"
Pattern match: "http://www.tamos.com"
Pattern match: "http://www.tamos.com/download/main/"
Pattern match: "http://www.tamos.com/support/"
Heuristic match: "CatalogFile = ts_athr.cat"
Heuristic match: "CatalogFile = ts_arnusb.cat"
Pattern match: "www.tamos.com}}{\fldrslt{\ul\cf1"
Pattern match: "www.tamos.com/activation}}{\fldrslt{\ul\cf1"
Pattern match: "www.tamos.com/privacy.php}}{\fldrslt{\ul\cf1"
Pattern match: "www.tamos.com/contact/}}{\fldrslt{\ul\cf1"
Heuristic match: "CatalogFile=tsrltkx.cat"
Pattern match: "www.tamos.com/"
- source
- File/Memory
- relevance
- 10/10
-
System Security
-
Creates or modifies windows services
- details
- "CV.EXE" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"setupCommView.exe" opened "\Device\KsecDD"
"CV.EXE" opened "\Device\KsecDD"
"Updater.exe" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215
-
Unusual Characteristics
-
Found Delphi 4 - Delphi 2006 artifact
- details
-
"tsremind.dll" has a PE timestamp using the buggy magic timestamp 0x2A425E19. The real compilation date is probably Thu Jan 1 00:00:00 1970
"tsappact.dll" has a PE timestamp using the buggy magic timestamp 0x2A425E19. The real compilation date is probably Thu Jan 1 00:00:00 1970
- source
- Static Parser
- relevance
- 10/10
-
Matched Compiler/Packer signature
- details
-
"ch1213.exe" was detected as "Borland Delphi 4.0"
"fcd.dll" was detected as "Borland Delphi 3.0 (???)"
"Uninst_CommViewWiFi.exe" was detected as "Borland Delphi 3.0 (???)"
"WdfCoInstaller01011.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
"QtStub.dll" was detected as "Borland Delphi 3.0 (???)"
"tsremind.dll" was detected as "Borland Delphi 4.0"
"ca2k.dll" was detected as "Borland Delphi 3.0 (???)"
"Translator.dll" was detected as "Armadillo v1.xx - v2.xx"
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1002
File Details
setup CommView.exe
- Filename
- setup CommView.exe
- Size
- 47MiB (49423368 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 037654e475315f4d4e595b83ed615dd57eba20c674da0d865264c8d7b0588768
- MD5
- 6b6060dcb29cb17ce6b2ee72ca325bb3
- SHA1
- 46a23a66578a66a98ebfefab8f4bcedc867c8a93
Classification (TrID)
- 64.5% (.EXE) Win32 Executable MS Visual C++ (generic)
- 13.6% (.DLL) Win32 Dynamic Link Library (generic)
- 9.3% (.EXE) Win32 Executable (generic)
- 4.1% (.EXE) OS/2 Executable (generic)
- 4.1% (.EXE) Generic Win/DOS Executable
File Certificates
Certificate chain was successfully validated.
Owner | Issuer | Validity | Hashes (MD5, SHA1)
---|---|---|---
C=NZ, S=New Zealand, L=Christchurch, O=TamoSoft Ltd, OU=Digital ID Class 3 - Microsoft Software Validation v2, OU=Application Development, CN=TamoSoft Ltd | C=NZ, S=New Zealand, L=Christchurch, O=TamoSoft Ltd, OU=Digital ID Class 3 - Microsoft Software Validation v2, OU=Application Development, CN=TamoSoft Ltd (Serial: 3cd1573766f79d2b3db89d43fa987ec5) | 08/08/2012 02:00:00 to 10/23/2015 01:59:59 | A9:2A:47:18:6D:64:34:AC:83:2E:97:C5:4F:49:83:97:C4:45:26:CF: (sha1RSA(RSA))
C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa c10, CN=VeriSign Class 3 Code Signing 2010 CA | C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa c10, CN=VeriSign Class 3 Code Signing 2010 CA (Serial: 5200e5aa2556fc1a86ed96c9d44b33c7) | 02/08/2010 02:00:00 to 02/08/2020 01:59:59 | 49:58:47:A9:31:87:CF:B8:C7:1F:84:0C:B7:B4:14:97:AD:95:C6:4F: (sha1RSA(RSA))
C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="c 2006 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G5 | C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="c 2006 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G5 (Serial: 18dad19e267de8bb4a2158cdcc6b3b4a) | 11/08/2006 02:00:00 to 07/17/2036 01:59:59 | 4E:B6:D5:78:49:9B:1C:CF:5F:58:1E:AD:56:BE:3D:9B:67:44:A5:E5: (sha1RSA(RSA))
Hybrid Analysis
Analysed 4 processes in total (System Resource Monitor).
-
setupCommView.exe
(PID: 1040)
2/97
-
CV.EXE
(PID: 1288)
- dhelper.exe 1288 (PID: 1216)
- Updater.exe /regtask (PID: 1976)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
Displaying 47 extracted file(s). The remaining 56 file(s) are available in the full version and XML/JSON reports.
-
Malicious 2
-
-
ch1213.exe
- Size
- 344KiB (352336 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "Trojan.Heur" (1/65)
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- cc8286e4fe47b8b33975c5d35d07a15a
- SHA1
- bbb2ad6cc3c6b2434c2314f18f573a23e92ae120
- SHA256
- 51a7ee97662987980fe47a356ff0e56fe8b54d8090d66bfe9eb21c3bf9babe6b
-
preinst.exe
- Size
- 404KiB (413776 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "Trojan.Delphi" (1/65)
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- ed2780bd54113504f309e0edd358857c
- SHA1
- 3dc9aa887ea23c640af22e0927fbb825b6b3ce88
- SHA256
- 6ef4786b71995aed201af8f84548c874d666cd40bf3edb6fac6df413fdaa80a6
-
-
Clean 11
-
-
QtStub.dll
- Size
- 184KiB (188416 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/89
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- bb893ce99703213214203b83ae85a369
- SHA1
- edec2f45de572acaaf188b572bf5f583fca648c8
- SHA256
- e8a842e44f8282afc2e943bf92e510245a48257a1ae969c45655830b203afa6b
-
WdfCoInstaller01011.dll
- Size
- 1.6MiB (1629040 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/89
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- 3d2a2d921135801835073451f002480f
- SHA1
- dee0ddc820cd0da546dff8bcf2bc490326da90a2
- SHA256
- c7649879a10c9332fc0f9744c7e3224647aee9e7e62c7e21cf9e987462e3dd06
-
Translator.dll
- Size
- 89KiB (91512 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/64
- Runtime Process
- CV.EXE (PID: 1288)
- MD5
- 4111090ca6275e3493add694b51eeda6
- SHA1
- bb6151c2abcfc8a40f677e1396983383f2c2929f
- SHA256
- 811af9f315de9bb116f0be7398ad955c6142abc1def77775269c85ee8edcc931
-
Uninst_CommViewWiFi.exe
- Size
- 307KiB (314000 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/65
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- b33e0635ebc8fb670695b15a0bbde14b
- SHA1
- 1dbef85b8246ad9d06f047242426512e87fe6b2c
- SHA256
- fe79b2437ad282876d2ee238acf0d5d595f63569671300dc3f361c835fff0707
-
Updater.exe
- Size
- 1.4MiB (1442680 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/89
- Runtime Process
- CV.EXE (PID: 1288)
- MD5
- dada6f704eda41b5319fd43e6debeadd
- SHA1
- bd1be40eab51df6d48cd490c1ef0e46b93a5bb40
- SHA256
- fbf188e9ee018eb16034a3c5a25a24762cf23bf95f0e0aa4d56db449505d0c10
-
ca2k.dll
- Size
- 228KiB (233336 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/64
- Runtime Process
- CV.EXE (PID: 1288)
- MD5
- 106d9f53aec697c32115390fb4b108b4
- SHA1
- 083d98d390d4017cd6b309578e0db9eb5e43584e
- SHA256
- 5c92f07bc8d387c63e28e2b55f1e25c3bc189969d1fb198f83af8396cdac5b68
-
fcd.dll
- Size
- 295KiB (302456 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/96
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- da906602858030c20a92f7f06ec57b60
- SHA1
- 96fb59d708070622f54f346e6b30a72927455e2c
- SHA256
- 8211f989049b1edb73fb601be4c967f797cd000be8fd20e1b280e8f956a94df5
-
libspeex.dll
- Size
- 240KiB (245248 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/65
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- f15041e10ffc1a390c500ea16bb1ff34
- SHA1
- 1db17ac2bd08eac958ac358b60d1a92d2ef2230e
- SHA256
- c598962f60cfdd56bb005ae3b9f26a2f11f4fc33e50282f5ea3a6e2120e21096
-
rwatch.exe
- Size
- 874KiB (895352 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/65
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- b5d60c733940144ab530c30608a15ba2
- SHA1
- 5e1aaaaccabd933d5d573de3ac86a52c8321b6c3
- SHA256
- 889e864f1638af83639951ddfecb03f7cef986cd5b979940f0949ebfe26bc3d2
-
tsappact.dll
- Size
- 292KiB (299392 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/64
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- dbfc55bdb0ccf059458df388d428f2b1
- SHA1
- 020e4c1bdfe85e5c8d8b79717adc47d1cec6df16
- SHA256
- 1211c4c4558fa8ebd1a6caccd8ca7554eb0c6855e41761060330c43566f39006
-
tsremind.dll
- Size
- 194KiB (198144 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/66
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- d233dd0de34af43143236f45d715c14a
- SHA1
- 44594c2759099f82089706e8d9fa2dca328e54f6
- SHA256
- f57208b11b7b39291cbd26db8de5e69a2fd82a6401d217d31c80577872693795
-
-
Informative Selection 1
-
-
CV.EXE
- Size
- 4.9MiB (5177344 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Runtime Process
- CV.EXE (PID: 1288)
- MD5
- 4b8322edf4db7f961f963f7949df6c4a
- SHA1
- 9be2a532a3c04449bfa1c41ec4e0466d8cc2ca6d
- SHA256
- 6fe5d1edf636343d6a68b0fb08b59be6cdbd792eb6b74851bafab5c4701a1491
-
-
Informative 33
-
-
CommView for WiFi Help.lnk
- Size
- 1.7KiB (1777 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Icon number=0, Archive, ctime=Mon Nov 18 11:13:47 2013, mtime=Fri May 10 10:01:21 2013, atime=Mon Nov 18 11:13:48 2013, length=1644103, window=hide
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- f113319e4b09d27a185f81f588d9e477
- SHA1
- 61fcadba156460fde14026d5c6bfdeaf172c78f5
- SHA256
- 784d5b923118a552b372489c066fa3fb5dc90a5f78b423e69ced95805b9037c2
-
Uninstall.lnk
- Size
- 2KiB (2020 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Fri Jun 7 10:04:00 2019, mtime=Fri Jun 7 10:04:00 2019, atime=Fri Jun 7 10:02:10 2019, length=314000, window=hide
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- 345741f2c44de008ad3545e7e3f6e737
- SHA1
- 5ab633eb4a0db447e47b47e9d85d19a0546b31ac
- SHA256
- 1d1dc74cf8d1c036f6840db237b8d67700b29c5d41d13d31d6b444cf31430b7b
-
LANG.INI
- Size
- 23B (23 bytes)
- Runtime Process
- CV.EXE (PID: 1288)
- MD5
- 1ffa7c3866e90bd9bdae07241ac73afd
- SHA1
- 8a5219053a0fec8ed1cc625b51c5367671720d6f
- SHA256
- 945cb27070511c81b25394ba66b336ed01ff6f7545bd41d6bffbfb761c33bbd5
-
1031.tlf
- Size
- 262KiB (268058 bytes)
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- f57f2c3c5c10603fde180417b77d631c
- SHA1
- feb341c2a558950425892546cae5f3e89c8dd9b4
- SHA256
- 82ec635ef1bb30fb05ebff15e06ed0af6828bbe267218b3d10e7039a929e8a95
-
1034.tlf
- Size
- 261KiB (267394 bytes)
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- 8a10b6ab621a962dd5b886801f158e80
- SHA1
- e8a6d64b453c2bde5bdbc52d5a144c287d06a7c7
- SHA256
- 1f557a40c9d0671e634dba9d3540bdfc2f50722d3653b3db300e6bb1ae97721f
-
1036.tlf
- Size
- 276KiB (282122 bytes)
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- 0bdb7ca3caa539001384ecff8b573523
- SHA1
- acabd2b182eac61211b8cebb332a906d986429d9
- SHA256
- f2de236e8d417d3af9478b8ee6002693e08360af9580120f401612420ecae63d
-
1041.tlf
- Size
- 212KiB (217496 bytes)
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- 4adaf7185dd686beb5b7e85a833db105
- SHA1
- 337b25be379e89a473878226af7de98b8c6521c0
- SHA256
- 62ebe886eb04c117a1f0c6c2029e45e54e361ac335c5b9e5308c1a3dbb1ac019
-
1049.tlf
- Size
- 255KiB (260936 bytes)
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- 5c20be326ad8d5fbb8cf2c5bdb58e162
- SHA1
- 04098fe80f50e6b46a9b0a9f40e397afd53f1b68
- SHA256
- e9a171e87d64e2fe98cff8bd7e4e45c3dfb1bc327573e3c73cee70010240a8b5
-
tslwwff.sys
- Size
- 29KiB (29384 bytes)
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- 5a0b4cf8851252027ae97cc117315c71
- SHA1
- c322d688a059655c035d5f698b99e7abc2905fc5
- SHA256
- ec08cbbba7ced0fc83224507e4e046410702e30612ba4e6ec9fc04b96ed8b6c3
-
tslwwff.cat
- Size
- 9.3KiB (9508 bytes)
- Type
- data
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- 654b3d7e0a3f14bf6228acf344c24387
- SHA1
- a8c2030a676f4cd48a8ec42b55e10c6cee73724d
- SHA256
- 77764f62f6aa975e47b200d0fa64191061e4329893428f47ef3c045f72c01664
-
tslwwff.inf
- Size
- 2.4KiB (2508 bytes)
- Type
- text
- Description
- Windows setup INFormation, ASCII text, with CRLF line terminators
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- 5c68971984b786e9c9addcccea8e406d
- SHA1
- 3e98a30df15cb2ebc2a0de86d32a5b9e10067491
- SHA256
- 5b5af36e738ab4a901c99cc37df71885da4d9bbb3ac84714fe095e371c710c08
-
CV.CHM
- Size
- 1.6MiB (1644103 bytes)
- Type
- text mshelp
- Description
- MS Windows HtmlHelp Data
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- 6c250d238c4f8cb737a7140ff7d75fc2
- SHA1
- 75e15415d2178083fece285895b19528dc645ad4
- SHA256
- 7898748e276d36f0b4f5404cb9a43f2de8f5c0ec93e03905b99cafa2929fef8b
-
ts_arnusb.cat
- Size
- 10KiB (10557 bytes)
- Type
- data
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- 416955640eb6863d870c24630d215a8b
- SHA1
- 9f48992750167f8ed3e51269661be18cf5cc0e46
- SHA256
- ba0498e185f08ea3349d2958cfea4132aedb77a126a3a4db896b8f2aa5af1d25
-
ts_arnusb.inf
- Size
- 30KiB (30933 bytes)
- Type
- text
- Description
- Windows setup INFormation, ASCII text, with CRLF line terminators
- Runtime Process
- CV.EXE (PID: 1288)
- MD5
- 3981621a70784a078a00cfbd11ac78bc
- SHA1
- 8f79b5c5926a1fec0148c802a78fc998218c6167
- SHA256
- 3ef0700a785cdffc565335c7e22f509c2ddd476a4648b8a18ef68b0f4a1a25c3
-
ts_arnusb.sys
- Size
- 1.5MiB (1613512 bytes)
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- 39c49f10bb9e0c492a9f47525a5034ca
- SHA1
- de9e0c981029943df917e650d883d97ce249a2d3
- SHA256
- f034106b2d1c6d8ae78408a3f09c5bad3eafedee0ec957c582989c1f10c114f3
-
ts_arusb.cat
- Size
- 11KiB (10786 bytes)
- Type
- data
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- 098d94dfb19e4a61494ff905dfaca3a5
- SHA1
- a68afc7bb37269790ac0797d4d46e353291fc91c
- SHA256
- 49de2d322dd80e874af27a00c730f8ecf924baf2950dea8a76dcccfce543401f
-
ts_arusb.inf
- Size
- 45KiB (46076 bytes)
- Type
- text
- Description
- Windows setup INFormation, ASCII text, with CRLF line terminators
- Runtime Process
- CV.EXE (PID: 1288)
- MD5
- 72ca557574a4dce1efb52aeb535aca40
- SHA1
- db68729dde2bdd8f7ca65496475fffa3a13d9bbb
- SHA256
- c82d1ed82faf1632164837ed688599479bf623743bbb6b7e57440abe72a53036
-
ts_arusb.sys
- Size
- 1MiB (1056456 bytes)
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- 7481cc5037631fbea8193bbdf588b786
- SHA1
- 2e198a7c2a779c1f334e693752e98c2f36d20d38
- SHA256
- 3373fd0b9f07a30e9146968fdc7d424b7070d7cb34c9367ddaa55d6534866603
-
ts_arusbx.sys
- Size
- 1.2MiB (1208776 bytes)
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- bce00226b34b93a4c2e8dc196abaf1c5
- SHA1
- 97cd9708d936159b9aa4c1b39efa384e99308b20
- SHA256
- d554a8fe689c6c398d77e9364c07867b98d70f34559f129b9d9e5444d71c5105
-
ts_athr.cat
- Size
- 40KiB (40653 bytes)
- Type
- data
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- 56c07201f45e4377fd98e53075900452
- SHA1
- 2351a542145002382cb13087a55d4b7dcae8c873
- SHA256
- aad8448faeb3af927b6bd2ae6cab56d113d75f58370af74fd4fe0e89260cf7a4
-
ts_athr.inf
- Size
- 402KiB (412022 bytes)
- Type
- text
- Description
- Windows setup INFormation, ASCII text, with CRLF line terminators
- Runtime Process
- CV.EXE (PID: 1288)
- MD5
- adff38b4dfb86ff812e491a203d4f8ac
- SHA1
- f6740aa766bc3da8eb9ee62e0a5e6fd5ea19671a
- SHA256
- 32e5d5baab5b97bb28a60392fa04307719fccf80201cb6a012c50473ebcba314
-
ts_athw.cat
- Size
- 57KiB (58779 bytes)
- Type
- data
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- 15ffca54f8ded4ba7fec3fc416601b96
- SHA1
- 334ee74f953fc1a7e53196cbaa6f72875e7cc6e3
- SHA256
- 2063110712a6a428ff661ca9a4dda7a3f3377f1702109afab6c5210d6f54e58a
-
ts_athw.inf
- Size
- 211KiB (216201 bytes)
- Type
- text
- Description
- Windows setup INFormation, ASCII text, with CRLF line terminators
- Runtime Process
- CV.EXE (PID: 1288)
- MD5
- 2dfdf3c8b38053bab568e52b8417952a
- SHA1
- b4b485cee65b43845eced51f6bc4daa2499fc21a
- SHA256
- b6e48434ce2262987579594d5986a5b06b8854964f4819a6e168a06f2835e71d
-
tsrlusbx.cat
- Size
- 9.6KiB (9869 bytes)
- Type
- data
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- 1b8eab515cfbf791427f6f6f54f5ccbc
- SHA1
- 7df34368346287e10a499c2b6dc402bad328e2d4
- SHA256
- d25ed661dca044d0f15d6b9bee411f279ead515202873ecbb3d67e6b673c2f98
-
tsrlusbx.inf
- Size
- 2.8KiB (2911 bytes)
- Type
- text
- Description
- Windows setup INFormation, ASCII text, with CRLF line terminators
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- 5602b19874ef61f0cfa39dda80491238
- SHA1
- 8cd49914b7f22b032a50241429207aa10b9472b1
- SHA256
- acb72aec99a8c0213f0d05fb9c8e1d4949d8bb44d50cbbd3679e92ed7fb8a99c
-
tsrlusb.cat
- Size
- 9.6KiB (9830 bytes)
- Type
- data
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- c4c32b2bcb0495204fd3d00f0a58c67d
- SHA1
- 63a5eb944cabc2affd409851614de7f015cb472e
- SHA256
- d2e5b038bc35bb060734ff4a2c5278936d230bff208e509e47d9d2fea449d7fc
-
tsrlusb.inf
- Size
- 2.8KiB (2903 bytes)
- Type
- text
- Description
- Windows setup INFormation, ASCII text, with CRLF line terminators
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- 0974c759f7fcdee7c976842c7accd850
- SHA1
- 178eaf3f4785fca9e64555243fe997e8ab059e37
- SHA256
- e1ffc0b827f5640288b788abf0fc3fb31364455d17850d546b607672cfd15b6a
-
ts_rltkx.inf
- Size
- 3.1KiB (3177 bytes)
- Type
- text
- Description
- Windows setup INFormation, ASCII text, with CRLF line terminators
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- 7c4b5dd5c96c393e708500647c9a63a5
- SHA1
- 44b88aa05cbd21c11a79e2d8d25192268eacd7c3
- SHA256
- 2507460762942e385ae42828999fce58d2c65cfc1b7898b83a39ad0003545600
-
tsrltkx.cat
- Size
- 9.8KiB (10033 bytes)
- Type
- data
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- d3ac2d521ff4aae787a0c60bf215924f
- SHA1
- 40eed5fd56a64d0d90bec6550e4a20eea94e54b9
- SHA256
- 2790085b4adc88162377ab244c9a6b70b2d7c5a28c4736fd28ce149985435c05
-
ts_rltk.inf
- Size
- 3.1KiB (3169 bytes)
- Type
- text
- Description
- Windows setup INFormation, ASCII text, with CRLF line terminators
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- 85bce206cd87f9d956a487c5fd5ef4e9
- SHA1
- 30d995a88b5a683472052724fd1ece9c65d100f7
- SHA256
- b8ffe83eb9da5938731e19614b89df033e7f91c327b9fa7fc366deaa2dba4ff0
-
tsrltk.cat
- Size
- 9.8KiB (9994 bytes)
- Type
- data
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- a79a087cc9c6312e8b65507d63c6071e
- SHA1
- 5193663a18120beeedbec2cdc9faec27b631fbc5
- SHA256
- 8a01aeb22c06240369df32d80a5f0f45b6e0a2c3a0c8d3cc5b50fce3f11d644b
-
dhelper.exe
- Size
- 4.9MiB (5177344 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Runtime Process
- CV.EXE (PID: 1288)
- MD5
- 02f36e5e3ca0807aea5e86ec4350ee6a
- SHA1
- 940097d8ea90365156d53e464a4ff57a4ed97547
- SHA256
- 82340af2d6c16d4d42b3f84bf0bc833df3ac71fc77b1598da20f3d493359280d
-
CommView for WiFi.lnk
- Size
- 1.8KiB (1837 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Wed Aug 14 10:50:58 2013, mtime=Thu Feb 13 11:36:28 2014, atime=Thu Feb 13 11:36:45 2014, length=8596384, window=hide
- Runtime Process
- setupCommView.exe (PID: 1040)
- MD5
- 64c02263794e97e0f24ad97555836874
- SHA1
- 7993d2e775287583415a0b9dfce4058f22db81e1
- SHA256
- 2b329b7a026ea1a8eac834ba09401623e8def52bfa2f40eef0f9b071585b303e
-
Notifications
-
Runtime
- Extracted file "ts_arnusb.cat" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/ba0498e185f08ea3349d2958cfea4132aedb77a126a3a4db896b8f2aa5af1d25/analysis/1559909347/")
- Extracted file "ts_arusb.cat" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/49de2d322dd80e874af27a00c730f8ecf924baf2950dea8a76dcccfce543401f/analysis/1559909345/")
- Extracted file "ts_athr.cat" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/aad8448faeb3af927b6bd2ae6cab56d113d75f58370af74fd4fe0e89260cf7a4/analysis/1559909344/")
- Extracted file "tsrlusb.inf" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/e1ffc0b827f5640288b788abf0fc3fb31364455d17850d546b607672cfd15b6a/analysis/1559909346/")
- Extracted file "tsrlusbx.inf" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/acb72aec99a8c0213f0d05fb9c8e1d4949d8bb44d50cbbd3679e92ed7fb8a99c/analysis/1559909348/")
- No static analysis parsing on sample was performed
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-12" are available in the report
- Not all sources for indicator ID "api-25" are available in the report
- Not all sources for indicator ID "api-4" are available in the report
- Not all sources for indicator ID "api-47" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "registry-17" are available in the report
- Not all sources for indicator ID "registry-18" are available in the report
- Not all sources for indicator ID "registry-19" are available in the report
- Not all sources for indicator ID "registry-72" are available in the report
- Not all sources for indicator ID "static-1" are available in the report
- Not all sources for indicator ID "static-5" are available in the report
- Not all sources for indicator ID "static-6" are available in the report
- Not all sources for indicator ID "static-60" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report