Edit tour

Windows Analysis Report
TeamViewer_Setup.exe

Overview

General Information

Sample name:	TeamViewer_Setup.exe
Analysis ID:	1454831
MD5:	7dd4249d398182c34691d1161d844eee
SHA1:	ca3da851cf5871c4580fa8e86b95c2c400258906
SHA256:	2e547f6118a778517fdd883c127c5e427c205a35208267014cce6fe49b63a2b3
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	48
Range:	0 - 100

Signatures

Allocates memory in foreign processes

Changes security center settings (notifications, updates, antivirus, firewall)

Tries to harvest and steal browser information (history, passwords, etc)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes a notice file (html or txt) to demand a ransom

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Drops PE files

Drops certificate files (DER)

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Queries time zone information

Registers a DLL

Sigma detected: Installation of TeamViewer Desktop

Sigma detected: Office Autorun Keys Modification

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: TeamViewer Remote Session

Stores files to the Windows start menu directory

Uses 32bit PE files

Classification

Process Tree

System is w10x64_ra

TeamViewer_Setup.exe (PID: 4072 cmdline: "C:\Users\user\Desktop\TeamViewer_Setup.exe" MD5: 7DD4249D398182C34691D1161D844EEE)

TeamViewer_.exe (PID: 5672 cmdline: "C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe" MD5: 9BAACAEAC47AAB1242A9D56A8291E3C4)

schtasks.exe (PID: 6984 cmdline: C:\Windows\system32\schtasks /Create /TN TVInstallRestore /TR "C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe /RESTORE" /RU SYSTEM /SC ONLOGON /F MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TeamViewer_Service.exe (PID: 1240 cmdline: "C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe" -install MD5: E61BE4384327DF6AC8087803A7904BFD)

conhost.exe (PID: 7032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TeamViewer.exe (PID: 6316 cmdline: "C:\Program Files (x86)\TeamViewer\TeamViewer.exe" api --install MD5: DFA1EDAEE9FCC286C1AD2CD2EF600908)

regsvr32.exe (PID: 2736 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\TeamViewer\outlook\TeamViewerMeetingAddinShim.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

schtasks.exe (PID: 3412 cmdline: C:\Windows\system32\schtasks /Delete /TN TVInstallRestore /F MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 1376 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 6292 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

SgrmBroker.exe (PID: 6328 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)

svchost.exe (PID: 6372 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 6416 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 6584 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

MpCmdRun.exe (PID: 1732 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 3312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 6680 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 5696 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

TeamViewer_Service.exe (PID: 3316 cmdline: "C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe" MD5: E61BE4384327DF6AC8087803A7904BFD)

TeamViewer.exe (PID: 2708 cmdline: "C:\Program Files (x86)\TeamViewer\TeamViewer.exe" MD5: DFA1EDAEE9FCC286C1AD2CD2EF600908)

chrome.exe (PID: 4472 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.teamviewer.com/documents/?lng=en&version=15.3.8497%20&cid=295016706 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 5016 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1960,i,12863219482279789888,7413247670318756557,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

tv_w32.exe (PID: 3776 cmdline: "C:\Program Files (x86)\TeamViewer\tv_w32.exe" --action hooks --log C:\Program Files (x86)\TeamViewer\TeamViewer15_Logfile.log MD5: E1506CA998F9DF296D8876E52C67524C)

tv_x64.exe (PID: 3916 cmdline: "C:\Program Files (x86)\TeamViewer\tv_x64.exe" --action hooks --log C:\Program Files (x86)\TeamViewer\TeamViewer15_Logfile.log MD5: 375704CC129FC32235A1A1318042504C)

cleanup

Sigma Signatures

Sigma detected: Installation of TeamViewer Desktop

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe, ProcessId: 5672, TargetFilename: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Desktop.exe

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\regsvr32.exe, ProcessId: 2736, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\Outlook\Addins\TeamViewerMeetingAddIn.AddIn\Description

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\schtasks /Create /TN TVInstallRestore /TR "C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe /RESTORE" /RU SYSTEM /SC ONLOGON /F, CommandLine: C:\Windows\system32\schtasks /Create /TN TVInstallRestore /TR "C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe /RESTORE" /RU SYSTEM /SC ONLOGON /F, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe, ParentProcessId: 5672, ParentProcessName: TeamViewer_.exe, ProcessCommandLine: C:\Windows\system32\schtasks /Create /TN TVInstallRestore /TR "C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe /RESTORE" /RU SYSTEM /SC ONLOGON /F, ProcessId: 6984, ProcessName: schtasks.exe

Sigma detected: TeamViewer Remote Session

Source: File created

Author: Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe, ProcessId: 1240, TargetFilename: C:\Users\user\AppData\Roaming\TeamViewer\TeamViewer15_Logfile.log

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 660, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 1376, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Compliance

Uses 32bit PE files

Source: TeamViewer_Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Creates install or setup log file

Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

File created: C:\Users\user\AppData\Local\Temp\TeamViewer\TV15Install.log

PE / OLE file has a valid certificate

Source: TeamViewer_Setup.exe

Static PE information: certificate valid

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.17:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.17:49738 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: TeamViewer_Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Spreading

Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File opened: C:\Users\user\Documents\desktop.ini

Networking

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.17:49720 -> 188.172.233.172:5938

Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200

Source: global traffic	DNS traffic detected: DNS query: router13.teamviewer.com
Source: global traffic	DNS traffic detected: DNS query: download.teamviewer.com
Source: global traffic	DNS traffic detected: DNS query: www.teamviewer.com
Source: global traffic	DNS traffic detected: DNS query: client.teamviewer.com
Source: global traffic	DNS traffic detected: DNS query: assets.adobedtm.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: cdn.cookielaw.org
Source: global traffic	DNS traffic detected: DNS query: s7g10.scene7.com
Source: global traffic	DNS traffic detected: DNS query: teamviewer.scene7.com

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.17:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.17:49738 version: TLS 1.2

E-Banking Fraud

Drops certificate files (DER)

Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\Printer\teamviewer_xpsdriverfilter.cat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\x64\teamviewervpn.cat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\x64\tvmonitor.cat	Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Writes a notice file (html or txt) to demand a ransom

Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

File dropped: C:\Users\user\AppData\Local\Temp\nsiCAFA.tmp\Lizenz_TeamViewer_EN_unicode.txt -> encrypted connections (handshake) and for the forwarding of data packets (routing) in connection with the use of the software ("server services"), and (iii) related support services ("support services"). the server services and the support services are collectively referred to herein as "services".1.2.formation and content of the contract for subscription and perpetual licenses. a paid contract pursuant to this eula for subscription and perpetual software licenses shall be formed, if (i) the customer consummates the web-based order process on the teamviewer website (www.teamviewer.com) and, at the end, clicks on the "purchase" / "order" / "subscribe" or similarly named button after having accepted this eula, or if (ii) the customer and teamviewer sign a written order form which references this eula, or if (iii) the customer orders by phone and receives an order confirmation attaching the eula by e-mail. details regarding the contract (e.g. selected software, scope of functions, price, term, services

Jump to dropped file

System Summary

Creates files inside the system directory

Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Windows\Fonts\teamviewer15.otf
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches

Uses 32bit PE files

Source: TeamViewer_Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.rans.spyw.evad.winEXE@36/98@15/46

Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

File created: C:\Program Files (x86)\TeamViewer

Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

File created: C:\Users\Public\Desktop\TVTest.tmp

Source: C:\Program Files (x86)\TeamViewer\TeamViewer.exe	Mutant created: \Sessions\1\BaseNamedObjects\C__Program Files (x86)_TeamViewer_TeamViewer.exe
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6992:120:WilError_03
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	Mutant created: \BaseNamedObjects\Global\TeamViewer_AssignmentTrigger_Mtx
Source: C:\Program Files (x86)\TeamViewer\TeamViewer.exe	Mutant created: \Sessions\1\BaseNamedObjects\TeamViewer_Win32_Instance_Mutex
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	Mutant created: \BaseNamedObjects\Local\TeamViewer_LogMutex
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3836:120:WilError_03
Source: C:\Program Files (x86)\TeamViewer\tv_w32.exe	Mutant created: \Sessions\1\BaseNamedObjects\TeamViewerHooks_Loader_w32
Source: C:\Program Files (x86)\TeamViewer\tv_x64.exe	Mutant created: \Sessions\1\BaseNamedObjects\TeamViewerHooks_Loader_x64
Source: C:\Program Files (x86)\TeamViewer\TeamViewer.exe	Mutant created: \Sessions\1\BaseNamedObjects\TeamViewer_DynGateInstanceMutex
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	Mutant created: \BaseNamedObjects\Global\TeamViewer_LogMutex
Source: C:\Program Files (x86)\TeamViewer\tv_w32.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\TeamViewer_LogMutex
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7032:120:WilError_03
Source: C:\Program Files (x86)\TeamViewer\TeamViewer.exe	Mutant created: \Sessions\1\BaseNamedObjects\TeamViewer3_Win32_Instance_Mutex

Source: C:\Users\user\Desktop\TeamViewer_Setup.exe

File created: C:\Users\user\AppData\Local\Temp\nsqC3E4.tmp

Source: TeamViewer_Setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\TeamViewer_Setup.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\TeamViewer_Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Program Files (x86)\TeamViewer\TeamViewer.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: C:\Users\user\Desktop\TeamViewer_Setup.exe

File read: C:\Users\user\Desktop\TeamViewer_Setup.exe

Source: unknown	Process created: C:\Users\user\Desktop\TeamViewer_Setup.exe "C:\Users\user\Desktop\TeamViewer_Setup.exe"
Source: C:\Users\user\Desktop\TeamViewer_Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe "C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe"
Source: C:\Users\user\Desktop\TeamViewer_Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe "C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe"
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks /Create /TN TVInstallRestore /TR "C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe /RESTORE" /RU SYSTEM /SC ONLOGON /F
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Process created: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe "C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe" -install
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Process created: C:\Program Files (x86)\TeamViewer\TeamViewer.exe "C:\Program Files (x86)\TeamViewer\TeamViewer.exe" api --install
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks /Create /TN TVInstallRestore /TR "C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe /RESTORE" /RU SYSTEM /SC ONLOGON /F
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Process created: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe "C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe" -install
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\TeamViewer\outlook\TeamViewerMeetingAddinShim.dll"
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks /Delete /TN TVInstallRestore /F
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe "C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe"
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	Process created: C:\Program Files (x86)\TeamViewer\TeamViewer.exe "C:\Program Files (x86)\TeamViewer\TeamViewer.exe"
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	Process created: C:\Program Files (x86)\TeamViewer\tv_w32.exe "C:\Program Files (x86)\TeamViewer\tv_w32.exe" --action hooks --log C:\Program Files (x86)\TeamViewer\TeamViewer15_Logfile.log
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	Process created: C:\Program Files (x86)\TeamViewer\tv_x64.exe "C:\Program Files (x86)\TeamViewer\tv_x64.exe" --action hooks --log C:\Program Files (x86)\TeamViewer\TeamViewer15_Logfile.log
Source: C:\Program Files (x86)\TeamViewer\TeamViewer.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.teamviewer.com/documents/?lng=en&version=15.3.8497%20&cid=295016706
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1960,i,12863219482279789888,7413247670318756557,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\TeamViewer\outlook\TeamViewerMeetingAddinShim.dll"
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks /Delete /TN TVInstallRestore /F
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	Process created: C:\Program Files (x86)\TeamViewer\TeamViewer.exe "C:\Program Files (x86)\TeamViewer\TeamViewer.exe"
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	Process created: C:\Program Files (x86)\TeamViewer\tv_w32.exe "C:\Program Files (x86)\TeamViewer\tv_w32.exe" --action hooks --log C:\Program Files (x86)\TeamViewer\TeamViewer15_Logfile.log
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	Process created: C:\Program Files (x86)\TeamViewer\tv_x64.exe "C:\Program Files (x86)\TeamViewer\tv_x64.exe" --action hooks --log C:\Program Files (x86)\TeamViewer\TeamViewer15_Logfile.log
Source: C:\Program Files (x86)\TeamViewer\TeamViewer.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.teamviewer.com/documents/?lng=en&version=15.3.8497%20&cid=295016706

Source: C:\Users\user\Desktop\TeamViewer_Setup.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\TeamViewer_Setup.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\TeamViewer_Setup.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\TeamViewer_Setup.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\TeamViewer_Setup.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\TeamViewer_Setup.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\TeamViewer_Setup.exe	Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\TeamViewer_Setup.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\TeamViewer_Setup.exe	Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\TeamViewer_Setup.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\TeamViewer_Setup.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\TeamViewer_Setup.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\TeamViewer_Setup.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\TeamViewer_Setup.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: firewallapi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: fwbase.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usosvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: updatepolicy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usocoreps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usoapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsbrokerclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsengineshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wlidsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gamestreamingext.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msauserext.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: tbs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptnet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: elscore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: elstrans.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptngc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Section loaded: msi.dll

Source: C:\Users\user\Desktop\TeamViewer_Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Users\user\Desktop\TeamViewer_Setup.exe

File written: C:\Users\user\AppData\Local\Temp\TeamViewer\tvinfo.ini

Checks if Microsoft Office is installed

Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\24.0\Outlook

PE / OLE file has a valid certificate

Source: TeamViewer_Setup.exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: TeamViewer_Setup.exe

Static file information: File size 26985448 > 1048576

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: TeamViewer_Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Registers a DLL

Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\TeamViewer\outlook\TeamViewerMeetingAddinShim.dll"

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Service.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_el.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_de.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_ru.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Users\user\AppData\Local\Temp\nsiCAFA.tmp\UserInfo.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_lt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_tr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_zhTW.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_ar.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\tv_w32.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_en.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Users\user\AppData\Local\Temp\nsiCAFA.tmp\TvGetVersion.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\tv_x64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_hr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_id.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_pl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_zhCN.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TeamViewer_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Users\user\AppData\Local\Temp\nsiCAFA.tmp\nsis7z.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Note.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_he.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_sk.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_da.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\outlook\TeamViewerMeetingAddinShim64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_hu.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\x64\teamviewervpn.sy_	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Users\user\AppData\Local\Temp\nsiCAFA.tmp\linker.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_es.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Users\user\AppData\Local\Temp\nsiCAFA.tmp\InstallOptions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_ja.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Users\user\AppData\Local\Temp\nsiCAFA.tmp\FindProcDLL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Desktop.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Users\user\AppData\Local\Temp\nsiCAFA.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_sr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_nl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_ro.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\tv_w32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\tv_x64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\Printer\x64\TeamViewer_XPSDriverFilter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_it.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Users\user\AppData\Local\Temp\nsiCAFA.tmp\UAC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_vi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\outlook\TeamViewerMeetingAddIn.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_pt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\TeamViewer_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nslC462.tmp\TvGetVersion.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Users\user\AppData\Local\Temp\nsiCAFA.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\outlook\ManagedAggregator.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_StaticRes.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_no.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_fr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_cs.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_fi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_ko.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Users\user\AppData\Local\Temp\nsiCAFA.tmp\nsArray.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_th.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_sv.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\outlook\TeamViewerMeetingAddinShim.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_uk.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_bg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\x64\TVMonitor.sy_	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\x64\teamviewervpn.sy_			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\Program Files (x86)\TeamViewer\TVExtractTemp\x64\TVMonitor.sy_			Jump to dropped file

Creates install or setup log file

Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

File created: C:\Users\user\AppData\Local\Temp\TeamViewer\TV15Install.log

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks /Create /TN TVInstallRestore /TR "C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe /RESTORE" /RU SYSTEM /SC ONLOGON /F

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TVTest.tmp
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer.lnk

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\TeamViewer_Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\TeamViewer\TeamViewer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\TeamViewer\TeamViewer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\TeamViewer\TeamViewer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\TeamViewer\TeamViewer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\TeamViewer\TeamViewer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\TeamViewer\TeamViewer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\TeamViewer\TeamViewer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\TeamViewer\TeamViewer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\TeamViewer\TeamViewer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\TeamViewer\TeamViewer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\TeamViewer\TeamViewer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\TeamViewer\TeamViewer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\TeamViewer\TeamViewer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\TeamViewer\TeamViewer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\TeamViewer\TeamViewer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\TeamViewer\TeamViewer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\TeamViewer\TeamViewer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\TeamViewer\TeamViewer.exe

Memory allocated: 9440000 memory reserve | memory write watch

Contains capabilities to detect virtual machines

Source: C:\Windows\System32\svchost.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Contains long sleeps (>= 3 min)

Source: C:\Program Files (x86)\TeamViewer\TeamViewer.exe

Thread delayed: delay time: 922337203685477

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_el.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_de.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_ru.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiCAFA.tmp\UserInfo.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_lt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_tr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_zhTW.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_ar.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_en.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_hr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_id.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_pl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_zhCN.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_he.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiCAFA.tmp\nsis7z.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Note.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_sk.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_da.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\outlook\TeamViewerMeetingAddinShim64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_hu.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\x64\teamviewervpn.sy_	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiCAFA.tmp\linker.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiCAFA.tmp\InstallOptions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_ja.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiCAFA.tmp\FindProcDLL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Desktop.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiCAFA.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_sr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_nl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\tv_w32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_ro.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\tv_x64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\Printer\x64\TeamViewer_XPSDriverFilter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_it.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiCAFA.tmp\UAC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_vi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_pt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\outlook\TeamViewerMeetingAddIn.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiCAFA.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\outlook\ManagedAggregator.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_no.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_fr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_cs.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_fi.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_ko.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiCAFA.tmp\nsArray.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_th.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_sv.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_uk.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\outlook\TeamViewerMeetingAddinShim.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_bg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Dropped PE file which has not been started: C:\Program Files (x86)\TeamViewer\TVExtractTemp\x64\TVMonitor.sy_	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\svchost.exe TID: 6156	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\TeamViewer\TeamViewer.exe TID: 2272	Thread sleep time: -922337203685477s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct

Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Program Files (x86)\TeamViewer\TeamViewer.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	File opened: C:\Users\user\Documents\desktop.ini

Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

Memory allocated: C:\Program Files (x86)\TeamViewer\TeamViewer.exe base: 51D0000 protect: page read and write

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Memory written: C:\Program Files (x86)\TeamViewer\TeamViewer.exe base: 51D0000
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Memory written: C:\Program Files (x86)\TeamViewer\TeamViewer.exe base: 53082D8
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Memory written: C:\Program Files (x86)\TeamViewer\TeamViewer.exe base: 53091E8

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks /Create /TN TVInstallRestore /TR "C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe /RESTORE" /RU SYSTEM /SC ONLOGON /F
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Process created: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe "C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe" -install
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\TeamViewer\outlook\TeamViewerMeetingAddinShim.dll"
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks /Delete /TN TVInstallRestore /F
Source: C:\Program Files (x86)\TeamViewer\TeamViewer.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.teamviewer.com/documents/?lng=en&version=15.3.8497%20&cid=295016706

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe	Queries volume information: C:\ VolumeInformation

Queries time zone information

Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyName

Source: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\TeamViewer\TeamViewer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\arvhxlpc.default\prefs.js
Source: C:\Program Files (x86)\TeamViewer\TeamViewer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8h0a78bs.default-release\prefs.js

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 Scheduled Task/Job	211 Process Injection	22 Masquerading	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	4 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	61 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	211 Process Injection	NTDS	61 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Regsvr32	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	3 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	34 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Source	Detection	Scanner	Label	Link
TeamViewer_Setup.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsiCAFA.tmp\InstallOptions.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsiCAFA.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsiCAFA.tmp\TvGetVersion.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsiCAFA.tmp\UserInfo.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsiCAFA.tmp\linker.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nslC462.tmp\TvGetVersion.dll	2%	ReversingLabs
C:\Program Files (x86)\TeamViewer\Printer\x64\TeamViewer_XPSDriverFilter.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer.exe	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Desktop.exe	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Note.exe	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_ar.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_bg.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_cs.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_da.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_de.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_el.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_en.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_es.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_fi.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_fr.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_he.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_hr.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_hu.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_id.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_it.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_ja.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_ko.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_lt.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_nl.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_no.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_pl.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_pt.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_ro.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_ru.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_sk.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_sr.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_sv.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_th.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_tr.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_uk.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_vi.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_zhCN.dll	2%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_zhTW.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Service.exe	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_StaticRes.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\outlook\ManagedAggregator.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\outlook\TeamViewerMeetingAddIn.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\outlook\TeamViewerMeetingAddinShim.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\outlook\TeamViewerMeetingAddinShim64.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\tv_w32.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\tv_w32.exe	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\tv_x64.dll	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\tv_x64.exe	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\uninstall.exe	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\x64\TVMonitor.sy_	0%	ReversingLabs
C:\Program Files (x86)\TeamViewer\TVExtractTemp\x64\teamviewervpn.sy_	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsiCAFA.tmp\FindProcDLL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsiCAFA.tmp\UAC.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsiCAFA.tmp\nsArray.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsiCAFA.tmp\nsExec.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsiCAFA.tmp\nsis7z.dll	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
www.google.com	142.250.186.36	true	false	unknown
routerpool13.rlb.teamviewer.com	188.172.233.172	true	false	unknown
cdn.cookielaw.org	104.19.177.52	true	false	unknown
assets.adobedtm.com	unknown	unknown	false	unknown
router13.teamviewer.com	unknown	unknown	false	unknown
www.teamviewer.com	unknown	unknown	true	unknown
teamviewer.scene7.com	unknown	unknown	false	unknown
client.teamviewer.com	unknown	unknown	false	unknown
s7g10.scene7.com	unknown	unknown	false	unknown
download.teamviewer.com	unknown	unknown	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.46	unknown	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
20.79.107.7	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.186.36	www.google.com	United States	15169	GOOGLEUS	false
2.16.202.128	unknown	European Union	16625	AKAMAI-ASUS	false
104.19.177.52	cdn.cookielaw.org	United States	13335	CLOUDFLARENETUS	false
173.194.76.84	unknown	United States	15169	GOOGLEUS	false
2.19.104.72	unknown	European Union	16625	AKAMAI-ASUS	false
188.172.233.172	routerpool13.rlb.teamviewer.com	Austria	42473	AS-ANEXIAANEXIAInternetdienstleistungsGmbHAT	false
20.190.159.75	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
2.19.104.20	unknown	European Union	16625	AKAMAI-ASUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
104.16.63.16	unknown	United States	13335	CLOUDFLARENETUS	false
104.16.62.16	unknown	United States	13335	CLOUDFLARENETUS	false
23.211.8.123	unknown	United States	16625	AKAMAI-ASUS	false
172.217.18.99	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.17
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1454831
Start date and time:	2024-06-10 23:27:15 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	38
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	TeamViewer_Setup.exe
Detection:	MAL
Classification:	mal64.rans.spyw.evad.winEXE@36/98@15/46
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.190.159.75, 20.190.159.71, 20.190.159.4, 20.190.159.64, 20.190.159.23, 40.126.31.67, 40.126.31.71, 20.190.159.2
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Timeout during stream target processing, analysis might miss dynamic analysis data
VT rate limit hit for: TeamViewer_Setup.exe

Process:	C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	E6875A4A62E57DBB66F071CAA853F281
SHA1:	78FA5A447A63768983836C67B94A63AE7F13F4BB
SHA-256:	F77B387824B0A7272225DAA7DF4AC845CD183D75E7CBD6013498BA7BB0A6EE64
SHA-512:	C6B6DB19CD11C9C4A264D8ADA3DC4721B9E0E8E74B709CAA11A8A785494E1884B38C4288B37DC06E824669B5DE142B0FB0FA99FA7B88D339EE0953667D1CD696
Malicious:	false
Reputation:	unknown
Preview:	TEAMVIEWER COPYRIGHT ..====================..see License.txt......THIRD-PARTY COPYRIGHTS OF INTEGRATED COMPONENTS..===============================================....Copyright (c) 2007 Henri Torgemane..All Rights Reserved.....BigInteger, RSA, Random and ARC4 are derivative works of the jsbn library..(http://www-cs-students.stanford.edu/~tjw/jsbn/)..The jsbn library is Copyright (c) 2003-2005 Tom Wu (tjw@cs.Stanford.EDU)....MD5, SHA1, and SHA256 are derivative works (http://pajhome.org.uk/crypt/md5/)..Those are Copyright (c) 1998-2002 Paul Johnston & Contributors (paj@pajhome.org.uk)....SHA256 is a derivative work of jsSHA2 (http://anmar.eu.org/projects/jssha2/)..jsSHA2 is Copyright (c) 2003-2004 Angel Marin (anmar@gmx.net)....AESKey is a derivative work of aestable.c (http://www.geocities.com/malbrain/aestable_c.html)..aestable.c is Copyright (c) Karl Malbrain (malbrain@yahoo.com)....BlowFishKey, DESKey and TripeDESKey are derivative works of the Bouncy Castle Crypto Package ..(http:/

Process:	C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
File Type:	ASCII text, with very long lines (812), with CRLF line terminators
Category:	modified
Size (bytes):	26249
Entropy (8bit):	5.340629791018915
Encrypted:	false
SSDEEP:
MD5:	60699558F0811BC145B8D5EDFE6315B0
SHA1:	F384192732FAEDDCDDD7C371BD468A88898222B1
SHA-256:	61AC005BA0F2B3B8F6277167C1EE7463617EA99D5B63C1DDB1177BEF54E75D15
SHA-512:	08DC9F2D9B05C63677FA59F379051286C171F811DF69E62A944EC8105E8E5418C2CC8C6BA38520239EB911775BA8780391D940E43EAC1702B61B915BE9C52D5F
Malicious:	false
Reputation:	unknown
Preview:	2024/06/10 17:28:35.559 3316 1928 0 IsWindowsServerVerifyOnce(): Is a windows server 0..2024/06/10 17:28:35.559 3316 1928 0 Logger started...2024/06/10 17:28:35.606 3316 1876 0! AsioSettings::FindExternalIP: found 0 external IPs instead of 1!..2024/06/10 17:28:35.606 3316 1876 0! AsioSettings::FindExternalIP: found 0 external IPs instead of 1!..2024/06/10 17:28:35.606 3316 1876 0 Generating new RSA private/public key pair..2024/06/10 17:28:35.655 3316 1876 0 InitializeRemoteAccessAPI..2024/06/10 17:28:35.655 3316 1876 0 QueryVPNRegKey: Subkey 'SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\Configuration' (11) has no 'MatchingDeviceID' entry. Continuing.....2024/06/10 17:28:35.655 3316 1876 0 QueryVPNRegKey: Subkey 'SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\Properties' (12) has no 'MatchingDeviceID' entry. Continuing.....2024/06/10 17:28:35.655 3316 1876 0 IdentityManagement: Lo

Process:	C:\Users\user\Desktop\TeamViewer_Setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	26260456
Entropy (8bit):	7.9951424122766195
Encrypted:	true
SSDEEP:
MD5:	9BAACAEAC47AAB1242A9D56A8291E3C4
SHA1:	6075F442E6B475B90936835CB8718A27477CBD44
SHA-256:	745814BF52F3394FB9B28532C585D9ED4BF8EF1EA3B1E3EBAC96705458FE6E86
SHA-512:	A13E889B3B9FBD0B0D08DF99A467C0E82CD6D59D4616507FE10DAFB81609B5A1CA7DC604F0159CDBA4B127DF452C9F518C8D41A10ED03BCEE28F8E48632B7F3B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1..P...P...P.._...P...P..OP.._...P..s...P...V...P..Rich.P..........PE..L....z.W.................b...*.......3............@.................................Ps....@.............................................@...........................................................................................................text...]a.......b.................. ..`.rdata...............f..............@..@.data...8............z..............@....ndata...`...............................rsrc...@...........................@..@................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	2464
Entropy (8bit):	3.2492262213420755
Encrypted:	false
SSDEEP:
MD5:	CF12DB522F5D4B3DD43BA639EDD88351
SHA1:	171FF2D6C85A0F3F7EAFE501E2655B5FDF8BF131
SHA-256:	E41CD7440CBD12834701B8E294D25C19DC1C8B5AC5489F6F7691BAA3C2DCFBC7
SHA-512:	8CE96487DF7A9C9B1EE93E3CE68EAC6F207DF59562E33296B3BCB2EDF70E17F42DD3D426D0BD4132177AA2C8867B89B548BA91D7C3F71B15B87244AA44AD5B84
Malicious:	false
Reputation:	unknown
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. M.o.n. .. J.u.n. .. 1.0. .. 2.0.2.4. .1.7.:.2.8.:.5.6.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e........................................ .W.S.C. .S.t.a.t.e. .I.n.f.o. ................................................................. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. ..............................d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

Entrypoint:	0x4030d9
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x57017AA7 [Sun Apr 3 20:18:47 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b78ecf47c0a3e24a6f4af114e2d1f5de

Signature Valid:	true
Signature Issuer:	CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	19/12/2019 01:00:00 23/12/2020 13:00:00
Subject Chain	CN=TeamViewer Germany GmbH, O=TeamViewer Germany GmbH, L=Gppingen, S=Baden-Wrttemberg, C=DE
Version:	3
Thumbprint MD5:	545BEC2FAA9BFEB2BE446B39CC98DE76
Thumbprint SHA-1:	05CDF79B0EFFFF361DAC0363ADAA75B066C49DE0
Thumbprint SHA-256:	61C15147A45994BF2AEDD5FA9818DB317CB470E6A9BBFCDE3CDA239BA8364A19
Serial:	0B446546C36525BF5F084F6BBBBA7097

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7428	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2f000	0x465a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x19b8968	0x3a80
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5c5b	0x5e00	3d4c7426917ca8533fbfc9cd63e19ba3	False	0.6603640292553191	data	6.411487375491561	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1246	0x1400	43fab6a80651bd97af8f34ecf44cd8ac	False	0.42734375	data	5.005029341587408	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1a7f8	0x400	00798d060e552892531c88ed1710ae2c	False	0.6376953125	data	5.108396988130901	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0xb000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2f000	0x465a0	0x46600	4c08bed7c5c9e347110411c32ea86cfc	False	0.09178993672291297	data	3.8032202112249776	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x2f268	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 0	English	United States	0.07970381986566855
RT_ICON	0x71290	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.187448132780083
RT_ICON	0x73838	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.2568011257035647
RT_ICON	0x748e0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.4574468085106383
RT_DIALOG	0x74d48	0x100	data	English	United States	0.5234375
RT_DIALOG	0x74e48	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x74f68	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x74fc8	0x3e	data	English	United States	0.8064516129032258
RT_VERSION	0x75008	0x258	data	English	United States	0.48833333333333334
RT_MANIFEST	0x75260	0x340	XML 1.0 document, ASCII text, with very long lines (832), with no line terminators	English	United States	0.5540865384615384

DLL	Import
KERNEL32.dll	SetEnvironmentVariableA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, GetFileAttributesA, SetFileAttributesA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, ExitProcess, GetFullPathNameA, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, GlobalUnlock, GetDiskFreeSpaceA, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Module: Module Load, Network Traffic: Network Connection Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TeamViewer_Setup.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\Program Files (x86)\TeamViewer\CopyRights.txt (copy)

C:\Program Files (x86)\TeamViewer\CopyRights_DE.txt (copy)

C:\Program Files (x86)\TeamViewer\CopyRights_EN.txt (copy)

C:\Program Files (x86)\TeamViewer\Lizenz_TeamViewer_DE_unicode.txt (copy)

C:\Program Files (x86)\TeamViewer\Printer\TeamViewer_XPSDriverFilter-PipelineConfig.xml (copy)

C:\Program Files (x86)\TeamViewer\Printer\TeamViewer_XPSDriverFilter-manifest.ini (copy)

C:\Program Files (x86)\TeamViewer\Printer\TeamViewer_XPSDriverFilter.gpd (copy)

C:\Program Files (x86)\TeamViewer\Printer\TeamViewer_XPSDriverFilter.inf (copy)

C:\Program Files (x86)\TeamViewer\Printer\teamviewer_xpsdriverfilter.cat (copy)

C:\Program Files (x86)\TeamViewer\Printer\x64\TeamViewer_XPSDriverFilter.dll (copy)

C:\Program Files (x86)\TeamViewer\TVExtractTemp\CopyRights_DE.txt

C:\Program Files (x86)\TeamViewer\TVExtractTemp\CopyRights_EN.txt

C:\Program Files (x86)\TeamViewer\TVExtractTemp\Lizenz_TeamViewer_DE_unicode.txt

C:\Program Files (x86)\TeamViewer\TVExtractTemp\Printer\TeamViewer_XPSDriverFilter-PipelineConfig.xml

C:\Program Files (x86)\TeamViewer\TVExtractTemp\Printer\TeamViewer_XPSDriverFilter-manifest.ini

C:\Program Files (x86)\TeamViewer\TVExtractTemp\Printer\TeamViewer_XPSDriverFilter.gpd

C:\Program Files (x86)\TeamViewer\TVExtractTemp\Printer\TeamViewer_XPSDriverFilter.inf

C:\Program Files (x86)\TeamViewer\TVExtractTemp\Printer\teamviewer_xpsdriverfilter.cat

C:\Program Files (x86)\TeamViewer\TVExtractTemp\Printer\x64\TeamViewer_XPSDriverFilter.dll

C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer.exe

C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer15.otf

C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Desktop.exe

C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Note.exe

C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_ar.dll

C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_bg.dll

C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_cs.dll

C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_da.dll

C:\Program Files (x86)\TeamViewer\TVExtractTemp\TeamViewer_Resource_de.dll

Windows Analysis Report
TeamViewer_Setup.exe

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre